Configuring IPsec to Cisco IOS using X.509 Authentication


This guide covers configuration of IPsec between Peplink and Cisco IOS devices using X.509 authentication. The example configuration assumes the following settings:

IPsec VPN Settings

Peplink WAN1 IP Address: 210.211.10.5
Peplink LAN Network: 192.168.2.0/24
Cisco WAN IP Address: 66.80.3.1
Cisco LAN Network: 192.168.1.0/24
IPsec Phase 1 Authentication: SHA-1
IPsec Phase 1 Encryption: AES-256
IPsec Phase 1 DH Group: 2
IPsec Phase 2 Authentication: SHA-1
IPsec Phase 2 Encryption: AES-256
IPsec Phase 2 PFS Group: None

Configure Peplink device for X.509 authentication

The Peplink should have its own private key and certificate installed to use X.509 authentication. You can read Article to complete this process.

Configuring Cisco IOS

The following example configuration is based on Cisco IOS 12.4 and implements the settings listed above. The configuration is color coded to aid understanding; lines beginning with ! are explanatory comments, not commands.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
! X.509 authentication requires the date and time to be set correctly on all devices, since certificate validity periods are checked. You may set the time on the Cisco as follows:
Router(config)#clock timezone UTC+8 8
Router(config)#exit
Router#clock set 19:12:00 3 apr 2014
Router#configure terminal
! Set static IP for interface 0/0 which is Cisco WAN
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 66.80.3.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
! Set default route
Router(config)#ip route 0.0.0.0 0.0.0.0 66.80.3.254
! Set static IP for interface 0/1, which is Cisco LAN
Router(config)#interface fastEthernet 0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
! Use the Distinguished Name from certificate as the local ID
Router(config)#crypto isakmp identity dn
! Configure ISAKMP policy (phase 1)
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#encryption aes 256
Router(config-isakmp)#authentication rsa-sig
Router(config-isakmp)#group 2
Router(config-isakmp)#exit
! Create a transform-set with name = “aesset” (phase 2)
Router(config)#crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
Router(cfg-crypto-trans)#exit
! Create a crypto map with name = “peplink_map”
Router(config)#crypto map peplink_map 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#set peer 210.211.10.5
Router(config-crypto-map)#set transform-set aesset
! Assign access-list 100 to this crypto map
Router(config-crypto-map)#match address 100
Router(config-crypto-map)#exit
Router(config)#int fastEthernet 0/0
Router(config-if)#crypto map peplink_map
Router(config-if)#exit
! Create the access-list 100
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Router(config-ext-nacl)#exit
! The hostname cannot be the default (Router), and a domain-name must be set before generating RSA keys
Router(config)#hostname cisco
cisco(config)#ip domain-name company.com
cisco(config)#crypto key generate rsa general-keys
The name for the keys will be: cisco.company.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys …[OK]

cisco(config)#
Apr 3 10:41:10.207: %SSH-5-ENABLED: SSH 1.5 has been enabled
! Setup the details of CA Server with name = “myca”
cisco(config)#crypto ca trustpoint myca
cisco(ca-trustpoint)#enrollment terminal
cisco(ca-trustpoint)#crl optional
cisco(ca-trustpoint)#exit
! Import the CA certificate
! Simply copy and paste the entire certificate content into the terminal, then check the fingerprint it displays against the one obtained from the CA before accepting it
cisco(config)#crypto ca authenticate myca

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
[base64 CA certificate body omitted]
-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint: 1E7D5589 17ABCF4B B11B1E49 9EAFABB2

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

! Enroll cisco itself to CA Server
cisco(config)#crypto ca enroll myca
% Start certificate enrollment …

% The fully-qualified domain name in the certificate will be: cisco.company.com
% The subject name in the certificate will include: cisco.company.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 13A594C9
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
[base64 certificate request body omitted]
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

! Copy the above Certificate Request and save it to a file using this format:
!
! -----BEGIN CERTIFICATE REQUEST-----
! [base64 certificate request body omitted]
! -----END CERTIFICATE REQUEST-----
!
! Then send the file to your CA and get the signed certificate
!
! After you have received the signed certificate, continue
! with the following command:
cisco(config)#crypto ca import myca certificate
% The fully-qualified domain name in the certificate will be: cisco.company.com

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
[base64 router certificate body omitted]
-----END CERTIFICATE-----

% Router Certificate successfully imported

cisco(config)#exit
cisco#write
Building configuration…

[OK]
cisco#show run
Building configuration…

Current configuration : 4492 bytes
!
! Last configuration change at 18:58:25 UTC+8 Tue Apr 3 2014
! NVRAM config last updated at 18:52:51 UTC+8 Tue Apr 3 2014
!
version 12.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
clock timezone UTC+8 8
no aaa new-model
ip subnet-zero
ip cef
!
!
ip domain name company.com
!
ip audit po max-events 100
!
crypto ca trustpoint myca
enrollment terminal
serial-number
crl optional
!
crypto ca certificate chain myca
certificate 12
[hex-encoded router certificate omitted]
quit
certificate ca 00DE7719FDA65B5FA6
[hex-encoded CA certificate omitted]
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
group 2
crypto isakmp identity dn
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map peplink_map 10 ipsec-isakmp
set peer 210.211.10.5
set transform-set aesset
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 66.80.3.1 255.255.255.0
duplex auto
speed auto
crypto map peplink_map
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 66.80.3.254
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

cisco#
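As an added example (not part of the original article, nor Peplink or Cisco tooling), the Python helper below does two of the manual steps from the session above offline: it lifts the request that "crypto ca enroll" prints between its two marker lines and wraps it in the BEGIN/END CERTIFICATE REQUEST form the CA expects, and it reproduces the fingerprint that "crypto ca authenticate" displays so it can be checked against a value obtained from the CA operator out of band. It assumes that fingerprint is an MD5 digest over the DER certificate (consistent with the 128-bit value in the transcript); the marker strings are taken from the session, and the sample request is a constructed 5-byte DER SEQUENCE, not a real request.

```python
import base64
import hashlib
import hmac
import re

# Marker lines IOS prints around the request when it is displayed on the terminal
REQ_START = "Certificate Request follows:"
REQ_END = "---End - This line not part of the certificate request---"

def csr_pem_from_terminal(capture: str) -> str:
    """Extract the base64 request from a pasted terminal capture and wrap it
    as a PEM CertificationRequest file, as the article's comment block instructs."""
    start = capture.index(REQ_START) + len(REQ_START)
    end = capture.index(REQ_END, start)
    body = re.sub(r"\s+", "", capture[start:end])       # drop line breaks and stray spaces
    der = base64.b64decode(body, validate=True)          # raises on copy-paste damage
    if not der or der[0] != 0x30:                        # a DER request is an ASN.1 SEQUENCE
        raise ValueError("decoded request does not start with a DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # PEM wraps at 64 columns
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")

def der_from_pem(pem: str) -> bytes:
    """Decode one PEM block (certificate or request) to its DER bytes."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)

def ios_fingerprint(der: bytes) -> str:
    """Format a fingerprint the way 'crypto ca authenticate' prints it (assumed:
    MD5 over the DER certificate, upper-case hex in four groups of eight)."""
    digest = hashlib.md5(der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def fingerprint_matches(shown: str, expected: str) -> bool:
    """Compare the fingerprint shown on the router with the one obtained out of
    band, ignoring spacing, colons and case; constant-time comparison."""
    def norm(s: str) -> str:
        return re.sub(r"[\s:]", "", s).upper()
    return hmac.compare_digest(norm(shown), norm(expected))

if __name__ == "__main__":
    # Constructed capture: a 5-byte DER SEQUENCE stands in for a real request
    demo = f"{REQ_START}\nMAMCAQU=\n{REQ_END}\n"
    pem = csr_pem_from_terminal(demo)
    print(pem, ios_fingerprint(der_from_pem(pem)))
```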