VPN Study Guide – DMVPN with RSA-Signature Authentication

Proctor Labs Configurations (POD 108):

Configuration Tasks

  • Configure R6 as DMVPN Hub, and R2/R4 as DMVPN Spokes. Tunnel network is 44.44.200.0/24
  • Use certificates as authentication method
  • Spokes are allowed to communicate directly with each other.
  • R5 will be NTP server for the topology. Configure NTP authentication using “cisco” as a key.
  • R5 will act as local CA server. Configure it according to output shown below:
R5#show crypto pki server 
Certificate Server ca.cisco.com:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=ca.cisco.com,L=RTP,C=US
    CA cert fingerprint: 89A6D2E4 02DE3427 C1C3D318 EC2A5710 
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 21:52:07 EST Apr 19 2011
    CRL NextUpdate timer: 21:52:07 EST Jun 24 2010
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage
R5#


  • For DMVPN configure Phase 1 as per output shown below:
R6#show crypto isakmp policy 

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
R6#

Configuration Solution

R5 must first be configured as the NTP server for the topology, so that every router has an accurate clock and the certificates it issues (and later validates) carry valid dates:

R5#conf t
R5(config)#clock timezone EST -5
R5(config)#clock summer-time EST recurring 
R5(config)#ntp authentication-key 1 md5 cisco 0 
R5(config)#ntp logging 
R5(config)#ntp master 3 
R5(config)#ntp trusted-key 1 
R5(config)#exit
R5#    
R5#show ntp status 
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 249.9906 Hz, precision is 2**24
reference time is 00000000.00000000 (19:00:00.000 EST Thu Dec 31 1899)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000037655 s/s
system poll interval is 64, never updated.
R5#    
R5#show ntp associations 

  address         ref clock       st   when   poll reach  delay  offset   disp
 ~127.127.1.1     .LOCL.           2      -     16     0  0.000   0.000 16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R5#
R5#

Give it 5 minutes for the local master clock to synchronize, then check again:

R5#show ntp status 
Clock is synchronized, stratum 3, reference is 127.127.1.1   
nominal freq is 250.0000 Hz, actual freq is 249.9906 Hz, precision is 2**24
reference time is CFCD3138.F8A0C6E2 (21:19:52.971 EST Wed Jun 23 2010)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000037655 s/s
system poll interval is 16, last update was 15 sec ago.
R5#
R5#
R5#
R5#show ntp ass
R5#show ntp associations 

  address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           2      2     16   377  0.000   0.000  0.241
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R5#

R5 Configuration (CA Server):

crypto key generate rsa label ca.cisco.com modulus 768 general-keys
crypto pki server ca.cisco.com
 issuer-name CN=ca.cisco.com,L=RTP,C=US
 grant auto
 lifetime crl 24
 lifetime certificate 100
 lifetime ca-certificate 300
 cdp-url http://44.44.4.5/ca.cisco.com.crl
 ! "no shutdown" brings the server to the "Status: enabled" state required by the task
 ! (IOS prompts for a passphrase that protects the CA key pair when the server is enabled)
 no shutdown
!
crypto pki trustpoint ca.cisco.com
 revocation-check none

R2/R4/R6 Configuration:

clock timezone EST -5
clock summer-time EST recurring 
ntp logging
ntp authentication-key 1 md5 0822455D0A16 7
ntp authenticate
ntp trusted-key 1
ntp server 44.44.4.5

R6 Configuration:

crypto isakmp policy 1
 authentication rsa-sig
 hash md5
 encryption 3des
 group 2
 exit
 
crypto ipsec transform-set TS1 esp-des esp-md5-hmac
 exit
crypto ipsec profile VPNPROF1
 set transform-set TS1
 exit
 
interface Tunnel0
 bandwidth 1000
 ip address 44.44.200.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source F0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile VPNPROF1
 exit
router eigrp 1
 no auto-summary
 network 44.44.200.0 0.0.0.255 
 network 66.66.66.0 0.0.0.255 
 exit

Certificate Enrollment:

crypto key generate rsa label r6.cisco.com modulus 768 general-keys
crypto pki trustpoint ca.cisco.com
 enrollment url http://44.44.4.5:80
 subject-name CN=r6.cisco.com,L=RTP,C=US
 revocation-check none
 rsakeypair r6.cisco.com
 exit
crypto ca authenticate ca.cisco.com
crypto ca enroll ca.cisco.com

R2 Configuration (Spoke):

crypto key generate rsa label r2.cisco.com modulus 768 general-keys
crypto pki trustpoint ca.cisco.com
 enrollment url http://44.44.4.5:80
 subject-name CN=r2.cisco.com,L=RTP,C=US
 revocation-check none
 rsakeypair r2.cisco.com
 exit
crypto ca authenticate ca.cisco.com
crypto ca enroll ca.cisco.com
R2#conf t
R2(config)#crypto ca authenticate ca.cisco.com 
Certificate has the following attributes:
       Fingerprint MD5: 89A6D2E4 02DE3427 C1C3D318 EC2A5710 
      Fingerprint SHA1: C9857E08 AF1A006E 38FCF0E8 342B5F27 28802499 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R2(config)#                  
R2(config)#crypto ca enroll ca.cisco.com
%
% Start certificate enrollment .. 
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: 
Re-enter password: 

% The subject name in the certificate will include: CN=r2.cisco.com,L=RTP,C=US
% The subject name in the certificate will include: R2
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose ca.cisco.com' commandwill show the fingerprint.

R2(config)#
R2(config)#
Jun 24 02:01:47.054: CRYPTO_PKI:  Certificate Request Fingerprint MD5: E86F56EF B4ECBD5D 6CAC8E8C 3A7330A0 
Jun 24 02:01:47.054: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 0D537177 58778C78 F450DA7E E2F8FBA2 0D533047 
R2(config)#
R2(config)#
R2(config)#
Jun 24 02:01:50.010: %PKI-6-CERTRET: Certificate received from Certificate Authority
R2(config)#
R2(config)#do show crypto pki certificate verbose ca.cisco.com
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer: 
    cn=ca.cisco.com
    l=RTP
    c=US
  Subject:
    Name: R2
    hostname=R2
    cn=r2.cisco.com
    l=RTP
    c=US
  CRL Distribution Points: 
    http://44.44.4.5/ca.cisco.com.crl
  Validity Date: 
    start date: 22:01:47 EST Jun 23 2010
    end   date: 22:01:47 EST Oct 1 2010
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (768 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: 6BCB8285 AD68252C 7454D072 795315EB 
  Fingerprint SHA1: 5E0D1C8A 4F2BC8A2 AEF47401 A396B34E 6FEB5C73 
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: 313B34F8 E1F44C55 BBD346E7 929AFC96 1D8195C6 
    X509v3 Authority Key ID: D5CED4AA 7B631C56 24521506 969F65CC 2FAE731E 
    Authority Info Access:
  Associated Trustpoints: ca.cisco.com 
  Key Label: r2.cisco.com

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer: 
    cn=ca.cisco.com
    l=RTP
    c=US
  Subject: 
    cn=ca.cisco.com
    l=RTP
    c=US
  Validity Date: 
    start date: 21:52:07 EST Jun 23 2010
    end   date: 21:52:07 EST Apr 19 2011
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (768 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: 89A6D2E4 02DE3427 C1C3D318 EC2A5710 
  Fingerprint SHA1: C9857E08 AF1A006E 38FCF0E8 342B5F27 28802499 
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: D5CED4AA 7B631C56 24521506 969F65CC 2FAE731E 
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: D5CED4AA 7B631C56 24521506 969F65CC 2FAE731E 
    Authority Info Access:
  Associated Trustpoints: ca.cisco.com 
          

R2(config)#
crypto isakmp policy 1
 authentication rsa-sig
 hash md5
 encryption 3des
 group 2
 exit
crypto ipsec transform-set TS1 esp-des esp-md5-hmac
 exit
crypto ipsec profile VPNPROF1
 set transform-set TS1
 exit
interface Tunnel0
 bandwidth 1000
 ip address 44.44.200.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 44.44.200.1 44.44.2.6
 ip nhrp map multicast 44.44.2.6
 ip nhrp network-id 99 
 ip nhrp holdtime 300
 ip nhrp nhs 44.44.200.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source G0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile VPNPROF1
 exit
router eigrp 1
 no auto-summary
 network 44.44.200.0 0.0.0.255 
 network 44.44.5.0 0.0.0.255 
 exit
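As an added example (not part of the original post, and not IOS code), the two checks an operator performs by hand in the R2 session above, written in Python: comparing the fingerprint displayed at "crypto ca authenticate" with the one R5 reports in "show crypto pki server" (obtained out of band, before answering "yes"), and confirming that the router clock, which the NTP step keeps accurate, falls inside both the router certificate's and the CA certificate's validity windows as printed by "show crypto pki certificate verbose". The show-output excerpt is constructed from the values on this page; the helper names are assumptions of this example.

```python
import hashlib
import re
from datetime import datetime

# Fingerprint R5 reports in "show crypto pki server" (value taken from this page).
# This is the out-of-band reference the spoke operator compares against before typing "yes".
CA_SERVER_FINGERPRINT = "89A6D2E4 02DE3427 C1C3D318 EC2A5710"

# Constructed excerpt of R2's "show crypto pki certificate verbose" output (both blocks).
SAMPLE_SHOW_OUTPUT = """\
Certificate
  Validity Date:
    start date: 22:01:47 EST Jun 23 2010
    end   date: 22:01:47 EST Oct 1 2010
CA Certificate
  Validity Date:
    start date: 21:52:07 EST Jun 23 2010
    end   date: 21:52:07 EST Apr 19 2011
"""

VALIDITY_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3} \d{1,2} \d{4})")


def ios_fingerprint(der_bytes: bytes, algo: str = "md5") -> str:
    """Hash DER bytes and render the digest the way IOS prints it: upper-case hex in groups of 8."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprints_match(shown: str, reference: str) -> bool:
    """Compare fingerprints ignoring spacing and case, so a value copied by hand still matches."""
    def normalise(s: str) -> str:
        return re.sub(r"\s+", "", s).upper()
    return normalise(shown) == normalise(reference)


def parse_validity_windows(show_output: str) -> list:
    """Return [(start, end), ...] for every certificate block in the show output (zone ignored)."""
    stamps = [datetime.strptime(f"{hms} {mdy}", "%H:%M:%S %b %d %Y")
              for _kind, hms, mdy in VALIDITY_RE.findall(show_output)]
    # start/end lines alternate in the output, so pair them up in order
    return list(zip(stamps[0::2], stamps[1::2]))


def chain_usable_at(show_output: str, router_clock_iso: str) -> bool:
    """True only if the clock lies inside the router cert AND the CA cert validity windows."""
    clock = datetime.fromisoformat(router_clock_iso)
    return all(start <= clock <= end for start, end in parse_validity_windows(show_output))
```

Run against the unsynchronized time of 19:00:00 Dec 31 1899 shown in the first "show ntp status" above, the chain check fails, which is exactly why the NTP configuration precedes enrollment.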

R4 Configuration (Spoke):

crypto key generate rsa label r4.cisco.com modulus 768 general-keys
crypto pki trustpoint ca.cisco.com
 enrollment url http://44.44.4.5:80
 subject-name CN=r4.cisco.com,L=RTP,C=US
 revocation-check none
 rsakeypair r4.cisco.com
 exit
crypto ca authenticate ca.cisco.com
crypto ca enroll ca.cisco.com

crypto isakmp policy 1
 authentication rsa-sig
 hash md5
 encryption 3des
 group 2
 exit
crypto ipsec transform-set TS1 esp-des esp-md5-hmac
 exit
crypto ipsec profile VPNPROF1
 set transform-set TS1
 exit
interface Tunnel0
 bandwidth 1000
 ip address 44.44.200.4 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 44.44.200.1 44.44.2.6
 ip nhrp map multicast 44.44.2.6
 ip nhrp network-id 99 
 ip nhrp holdtime 300
 ip nhrp nhs 44.44.200.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source F0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile VPNPROF1
 exit
router eigrp 1
 no auto-summary
 network 44.44.200.0 0.0.0.255 
 network 44.44.44.0 0.0.0.255 
 exit

CCIE Security – VPN Study Guide – DMVPN with RSA-Signature Authentication.
