Configuring IPSec Site-to-Site Tunnels Using Certificates

In Chapter 15, "Site-to-Site IPSec VPNs," you learned how to configure an IPSec site-to-site tunnel using preshared keys. This section shows you how to configure an IPSec site-to-site tunnel between two Cisco ASAs using certificates. In this example, a branch office in London needs to create an IPSec site-to-site tunnel to SecureMe's headquarters office in Chicago. Figure 17-6 illustrates a high-level network topology of SecureMe's implementation.

Figure 17-6. IPSec Site-to-Site Tunnel Using Certificates

The Cisco ASAs in both locations enroll with the CA server and then build the IPSec site-to-site tunnel, each using its own certificate for authentication. Example 17-17 includes Chicago's ASA trustpoint configuration.

Example 17-17. Chicago ASA Trustpoint Configuration

crypto ca trustpoint chicago
 enrollment retry period 5
 enrollment retry count 5
 enrollment url http://209.165.202.130/certsrv/mscep/mscep.dll
 fqdn Chicago.securemeinc.com
 subject-name O=secureme, OU=Chicago

The Cisco ASA is configured to enroll with the CA server at 209.165.202.130. In this example the certificate's distinguished name will contain O=secureme and OU=Chicago, where O is the organization name and OU is the organizational unit. After the certificates have been retrieved from the CA server, the certificate chain appears in the configuration, as shown in Example 17-18.

Example 17-18. Certificate Chain Information

Chicago# show running-config | begin crypto ca certificate
crypto ca certificate chain chicago
 certificate 03
    30820211 308201bb a0030201 02020103 300d0609 2a864886 f70d0101 04050030
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
    130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
  quit
 certificate ca 01
    308201d0 3082017a a0030201 02020101 300d0609 2a864886 f70d0101 04050030
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
  quit

Note

Hexadecimal certificate information has been shortened for brevity in Example 17-18.

Example 17-19 demonstrates how the ISAKMP policy is configured in Chicago's Cisco ASA. The isakmp identity auto command is configured in this example. Usually, the IP address identity is used for preshared key authentication. The keyword hostname is generally used for certificate-based connections. The auto keyword automatically determines the ISAKMP identity. This is recommended if you have a combination of some IPSec tunnels using preshared keys and others using certificates for authentication.

Example 17-19. ISAKMP Policy Configuration

isakmp identity auto
isakmp enable outside
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

The isakmp policy 1 authentication rsa-sig line in Example 17-19 shows that the Cisco ASA is configured for RSA signature authentication.

Example 17-20 includes Chicago's ASA crypto map configuration.

Example 17-20. Crypto Map Configuration

access-list 100 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map chicago 10 match address 100
crypto map chicago 10 set peer 209.165.201.1
crypto map chicago 10 set transform-set myset
crypto map chicago 10 set trustpoint chicago
crypto map chicago interface outside

The crypto map configuration is similar to the examples in Chapter 15. The set trustpoint line in Example 17-20 associates the crypto map with the trustpoint that defines the certificate used while negotiating the IPSec connection.

Example 17-21 includes the tunnel group configuration for Chicago's ASA.

Example 17-21. Tunnel Group Configuration

tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 peer-id-validate cert
 ! validates the identity of the peer using the peer's certificate
 chain
 ! enables sending the complete certificate chain
 trust-point chicago
 ! names the trustpoint that identifies the certificate to be used for this tunnel

Note how the configuration in Example 17-21 differs from that of an IPSec site-to-site tunnel using preshared keys. The peer-id-validate cert command is used to validate the identity of the IPSec peer using its certificate. The chain command enables the Cisco ASA to send the complete certificate chain to its peer. The trust-point command associates the trustpoint that identifies the certificate to be used for this tunnel.

Example 17-22 shows London's Cisco ASA site-to-site IPSec configuration.

Example 17-22. London's ASA Site-to-Site IPSec Configuration

access-list 100 extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
! transform set and crypto map configuration matching the IPSec policies of the peer
crypto map London 10 match address 100
crypto map London 10 set peer 209.165.200.225
crypto map London 10 set transform-set myset
crypto map London 10 set trustpoint London
! the trustpoint configured below is applied to the crypto map
crypto map London interface outside
crypto ca trustpoint London
 enrollment retry period 5
 enrollment retry count 3
 enrollment url http://209.165.202.130/certsrv/mscep/mscep.dll
 fqdn London.securemeinc.com
 subject-name O=secureme, OU=London
 ! the certificate subject name information is defined
 crl configure
crypto ca certificate map 1
! the following is the certificate information appended to the configuration
! after enrollment
crypto ca certificate chain London
 certificate 02
    30820210 308201ba a0030201 02020102 300d0609 2a864886 f70d0101 04050030
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
    130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
    1e170d30 34303931 30313332 3230375a 170d3035 30393130 31333232 30375a30
    56311030 0e060355 040b1307 41746c61 6e746131 10300e06 0355040a 13074765
    6f726769 61313030 0e060355 04051307 34343436 37303830 1e06092a 864886f7
    0d010902 16114174 6c616e74 612e6369 73636f2e 636f6d30 5c300d06 092a8648
    86f70d01 01010500 034b0030 48024100 be06c890 637c426c 5c1e431e c6247567
    c0b7c279 86f87c1f 5c01a305 cdaf699a 84dd872d 7b45b0ba 4bf7f28c 2097fe6f
    5f07926a 9bfcdc03 0a383e9f 4b32d0b3 02030100 01a3818a 30818730 39060355
    1d1f0432 3030302e a02ca02a 86286874 74703a2f 2f63726c 73657276 65722e63
    6973636f 2e636f6d 2f43524c 2f636973 636f2e63 726c301c 0603551d 11041530
    13821141 746c616e 74612e63 6973636f 2e636f6d 300b0603 551d0f04 04030205
    a0301f06 03551d23 04183016 80142ff7 332973b2 4d6ddb0d 711bd3fb b033359a
    6981300d 06092a86 4886f70d 01010405 00034100 abe66626 4d58e0d6 25fa809d
    c30bfaed 4cae7ef3 e4f6a120 206ba892 faa81224 1497ea80 f9e28bf6 4a73037f
    570c7e19 f56a05ca a6942805 508e9b37 61dac8c3
  quit
 certificate ca 01
    308201d0 3082017a a0030201 02020101 300d0609 2a864886 f70d0101 04050030
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
    130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
    1e170d30 34303931 30313332 3035365a 170d3037 30393130 31333230 35365a30
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
    130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
    5c300d06 092a8648 86f70d01 01010500 034b0030 48024100 dc7d0b35 1bfa7577
    99cbab8b 69c32a44 47ecd0ae 7cb13fc0 808e7520 9d5e6132 1bc4565a 1ede26a4
    fc01650e 240aa737 824e07c3 c92f9796 5dd10ac7 4e1a5b75 02030100 01a36330
    61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff 04040302
    0186301d 0603551d 0e041604 142ff733 2973b24d 6ddb0d71 1bd3fbb0 33359a69
    81301f06 03551d23 04183016 80142ff7 332973b2 4d6ddb0d 711bd3fb b033359a
    6981300d 06092a86 4886f70d 01010405 00034100 7982764a c82daaf0 ed3b0a6e
    25df09b2 4caa7ce8 b27098f1 982085bc 0fda9bcf 86dedda6 84c30abc 48c43fc8
    692386ad 595e2b1e aafd3388 9d711b3c 6314cb5e
  quit
! ISAKMP identity is set to auto
isakmp identity auto
isakmp enable outside
! ISAKMP authentication is set to rsa-sig
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
! tunnel group configuration for the site-to-site tunnel
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
 ! the ASA will validate the identity of the peer using the peer's certificate
 peer-id-validate cert
 ! the chain subcommand enables the ASA to send the complete certificate chain
 chain
 ! the previously configured trustpoint is applied to the tunnel group
 trust-point London

The comment lines (beginning with !) in Example 17-22 explain the relevant configuration parameters in London's ASA.
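As an added illustration (example code written for this page, not code from the book or from Cisco), the script below takes the two DER blobs that Example 17-22 prints under crypto ca certificate chain London, the identity certificate 02 and the CA certificate 01, decodes them with a minimal ASN.1 parser and checks the links that peer-id-validate cert depends on: that the peer certificate's issuer name and authorityKeyIdentifier chain to the CA certificate, that the CA asserts cA=TRUE, that both certificates are within their validity period on a given date, and that the name the peer presents as its IKE identity appears as a dNSName in its subjectAltName. It assumes Python 3.7 or newer and nothing outside the standard library. Decoding the listing's own data shows that both certificates were issued by CN=iosca and signed with MD5, and that the subjectAltName is Atlanta.cisco.com rather than the London.securemeinc.com fqdn configured on the trustpoint, so the identity check reports a mismatch when it is run with the configured name.

```python
from datetime import datetime, timezone
# Added example, not the book's code. PEER_DER and CA_DER are London's identity and CA certificates
# exactly as Example 17-22 prints them; the code decodes them and checks what peer-id-validate needs.
PEER_DER = bytes.fromhex("""
 30820210 308201ba a0030201 02020102 300d0609 2a864886 f70d0101 04050030
 3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
 130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
 1e170d30 34303931 30313332 3230375a 170d3035 30393130 31333232 30375a30
 56311030 0e060355 040b1307 41746c61 6e746131 10300e06 0355040a 13074765
 6f726769 61313030 0e060355 04051307 34343436 37303830 1e06092a 864886f7
 0d010902 16114174 6c616e74 612e6369 73636f2e 636f6d30 5c300d06 092a8648
 86f70d01 01010500 034b0030 48024100 be06c890 637c426c 5c1e431e c6247567
 c0b7c279 86f87c1f 5c01a305 cdaf699a 84dd872d 7b45b0ba 4bf7f28c 2097fe6f
 5f07926a 9bfcdc03 0a383e9f 4b32d0b3 02030100 01a3818a 30818730 39060355
 1d1f0432 3030302e a02ca02a 86286874 74703a2f 2f63726c 73657276 65722e63
 6973636f 2e636f6d 2f43524c 2f636973 636f2e63 726c301c 0603551d 11041530
 13821141 746c616e 74612e63 6973636f 2e636f6d 300b0603 551d0f04 04030205
 a0301f06 03551d23 04183016 80142ff7 332973b2 4d6ddb0d 711bd3fb b033359a
 6981300d 06092a86 4886f70d 01010405 00034100 abe66626 4d58e0d6 25fa809d
 c30bfaed 4cae7ef3 e4f6a120 206ba892 faa81224 1497ea80 f9e28bf6 4a73037f
 570c7e19 f56a05ca a6942805 508e9b37 61dac8c3""")
CA_DER = bytes.fromhex("""
 308201d0 3082017a a0030201 02020101 300d0609 2a864886 f70d0101 04050030
 3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
 130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
 1e170d30 34303931 30313332 3035365a 170d3037 30393130 31333230 35365a30
 3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
 130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
 5c300d06 092a8648 86f70d01 01010500 034b0030 48024100 dc7d0b35 1bfa7577
 99cbab8b 69c32a44 47ecd0ae 7cb13fc0 808e7520 9d5e6132 1bc4565a 1ede26a4
 fc01650e 240aa737 824e07c3 c92f9796 5dd10ac7 4e1a5b75 02030100 01a36330
 61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff 04040302
 0186301d 0603551d 0e041604 142ff733 2973b24d 6ddb0d71 1bd3fbb0 33359a69
 81301f06 03551d23 04183016 80142ff7 332973b2 4d6ddb0d 711bd3fb b033359a
 6981300d 06092a86 4886f70d 01010405 00034100 7982764a c82daaf0 ed3b0a6e
 25df09b2 4caa7ce8 b27098f1 982085bc 0fda9bcf 86dedda6 84c30abc 48c43fc8
 692386ad 595e2b1e aafd3388 9d711b3c 6314cb5e""")

OIDS = {"55040b": "OU", "55040a": "O", "550403": "CN", "550405": "serialNumber",
        "2a864886f70d010902": "unstructuredName", "2a864886f70d010104": "md5WithRSAEncryption",
        "551d0e": "subjectKeyIdentifier", "551d23": "authorityKeyIdentifier",
        "551d11": "subjectAltName", "551d13": "basicConstraints"}

def tlv(buf, pos=0):                                    # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length
def children(body):                                     # every (tag, value) inside a SEQUENCE/SET body
    pos = 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        yield tag, val
def inner(body):                                        # value of the first TLV inside a body
    return next(children(body))[1]

def parse_name(name_der):                               # RFC 4514 style: RDNs by ',', attributes by '+'
    def attr(atv):
        (_, oid), (_, val) = children(atv)
        return "%s=%s" % (OIDS.get(oid.hex(), oid.hex()), val.decode("ascii"))
    return ",".join("+".join(attr(atv) for _, atv in children(rdn)) for _, rdn in children(name_der))

def parse_cert(der):                                    # the fields that chain and identity checks need
    tbs_der, sig_alg_der, _ = (v for _, v in children(tlv(der)[1]))   # tbsCertificate, sigAlg, signature
    tbs = list(children(tbs_der))
    i = 1 if tbs[0][0] == 0xA0 else 0                   # skip the explicit [0] version when present
    info = {"serial": int.from_bytes(tbs[i][1], "big"), "sig_alg": OIDS.get(inner(sig_alg_der).hex(), "unknown"),
            "issuer": parse_name(tbs[i + 2][1]), "subject": parse_name(tbs[i + 4][1]),
            "is_ca": False, "ski": None, "aki": None, "san_dns": []}
    times = [(v.decode("ascii"), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ") for t, v in children(tbs[i + 3][1])]
    info["not_before"], info["not_after"] = (datetime.strptime(s, f).replace(tzinfo=timezone.utc) for s, f in times)
    exts = next((v for t, v in tbs[i + 6:] if t == 0xA3), b"\x30\x00")   # [3] wraps SEQUENCE OF Extension
    for _, ext in children(inner(exts)):
        items = list(children(ext))                     # extnID, optional critical BOOLEAN, extnValue
        name, body = OIDS.get(items[0][1].hex()), inner(items[-1][1])
        if name == "basicConstraints":                  # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
            info["is_ca"] = any(t == 0x01 and v == b"\xff" for t, v in children(body))
        elif name == "subjectKeyIdentifier":            # OCTET STRING holding the key id
            info["ski"] = body.hex()
        elif name == "authorityKeyIdentifier":          # SEQUENCE { [0] keyIdentifier, ... }
            info["aki"] = next((v.hex() for t, v in children(body) if t == 0x80), None)
        elif name == "subjectAltName":                  # SEQUENCE OF GeneralName, [2] = dNSName
            info["san_dns"] = [v.decode("ascii") for t, v in children(body) if t == 0x82]
    return info

def audit_chain(peer_der, ca_der, expected_fqdn, on_date="2005-01-01"):   # findings before trusting the peer
    peer, ca = parse_cert(peer_der), parse_cert(ca_der)
    now = datetime.fromisoformat(on_date).replace(tzinfo=timezone.utc)
    findings = []
    if peer["issuer"] != ca["subject"] or peer["aki"] != ca["ski"] or not ca["is_ca"]:
        findings.append("peer certificate does not chain to this CA (issuer name, key identifier or cA flag)")
    for label, c in (("peer", peer), ("CA", ca)):
        if not c["not_before"] <= now <= c["not_after"]:
            findings.append(f"{label} certificate not valid on {on_date}")
        if c["sig_alg"] == "md5WithRSAEncryption":
            findings.append(f"{label} certificate is signed with MD5, a broken hash")
    if expected_fqdn.lower() not in (d.lower() for d in peer["san_dns"]):
        findings.append(f"{expected_fqdn} is not a dNSName in the peer's subjectAltName")
    return findings
```

Calling audit_chain(PEER_DER, CA_DER, "London.securemeinc.com") returns three findings: the two MD5 signatures and the subjectAltName mismatch; with "Atlanta.cisco.com" only the MD5 findings remain, which is the state an ASA configured with peer-id-validate cert would accept. The default on_date of 2005-01-01 falls inside both validity windows so that the chain checks are exercised on their own; any current date adds expiry findings, since the identity certificate expired in September 2005 and the CA certificate in September 2007. The same parse_cert fields are what an operator should compare against the peer's fqdn and trustpoint before assuming the tunnel's authentication is sound.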

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231