Problem
You want to create an encrypted VPN between two routers using RSA keys.
Solution
As in Recipe 12.3, we will use IPSec Transport mode and a GRE tunnel for this encrypted router-to-router connection:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto key pubkey-chain rsa
Router1(config-pubkey-chain)#addressed-key 172.16.2.1
Router1(config-pubkey-key)#address 172.16.2.1
Router1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router1(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00EB0AB2
Router1(config-pubkey)#EA33B519 0CD95EFF EDFD4723 BED73640 97981CC0 1FC83FBF 5C6DF97C 8CB8CE0A
Router1(config-pubkey)#C5FE959D 1E055002 83B92EF4 35B69545 C3217E5F E0C32A73 44FD2373 15979E77
Router1(config-pubkey)#75598BE0 B4A4E7B2 3C318C2D 3BF3B192 8B71D8C9 A1E0F929 0E84BDAD EC909833
Router1(config-pubkey)#BC425170 400BD26A 319E632F 4E9649F5 BA7ADA40 5A94B09C 05F8414E 33020301 0001
Router1(config-pubkey)#quit
Router1(config-pubkey-key)#exit
Router1(config-pubkey-chain)#exit
Router1(config)#crypto isakmp policy 100
Router1(config-isakmp)#encryption aes 256
Router1(config-isakmp)#authentication rsa-encr
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router1(config-crypto-map)#set peer 172.16.2.1
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 102
Router1(config-crypto-map)#exit
Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1
Router1(config)#interface Tunnel1
Router1(config-if)#ip address 192.168.1.1 255.255.255.252
Router1(config-if)#tunnel source 172.16.1.1
Router1(config-if)#tunnel destination 172.16.2.1
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip address 172.16.1.1 255.255.255.0
Router1(config-if)#ip access-group 101 in
Router1(config-if)#crypto map TUNNEL-RSA
Router1(config-if)#exit
Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp
Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1
Router1(config)#access-list 101 deny ip any any log
Router1(config)#end
Router1#
And here is the corresponding configuration for the other router:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 172.16.1.1
Router2(config-pubkey-key)#address 172.16.1.1
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A0830E
Router2(config-pubkey)#01E4B6E1 08823E41 8A98A7F4 DB0E6277 1E7AA500 F7B620CA 49BCBEBA B0A0455A
Router2(config-pubkey)#114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 01C83E08 7305ED3C 71F04B44 31A1C574
Router2(config-pubkey)#C0E6ACA2 C191DB07 3D347F88 2D2884BF 99C2AF80 45BC1BE9 6D2BF684 B60C04E6
Router2(config-pubkey)#0F3D5C09 7C26694F 8FB75F90 2FA1DF46 94401D54 82ACA366 E621DD04 4B020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
Router2(config)#crypto isakmp policy 100
Router2(config-isakmp)#encryption aes 256
Router2(config-isakmp)#authentication rsa-encr
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
Router2(config-crypto-map)#set peer 172.16.1.1
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 102
Router2(config-crypto-map)#exit
Router2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1
Router2(config)#interface Tunnel1
Router2(config-if)#ip address 192.168.1.2 255.255.255.252
Router2(config-if)#tunnel source 172.16.2.1
Router2(config-if)#tunnel destination 172.16.1.1
Router2(config-if)#exit
Router2(config)#interface FastEthernet0/0
Router2(config-if)#ip address 172.16.2.1 255.255.255.0
Router2(config-if)#ip access-group 101 in
Router2(config-if)#crypto map TUNNEL-RSA
Router2(config-if)#exit
Router2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp
Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1
Router2(config)#access-list 101 deny ip any any log
Router2(config)#end
Router2#
Discussion
This recipe is similar to Recipe 12.3, except that here the routers authenticate one another with RSA public keys (the rsa-encr, or RSA encrypted nonces, method) instead of a pre-shared key. The data traffic is still protected by the AES and SHA-1 HMAC transforms; only the way the two ISAKMP peers prove their identities changes. This is more secure than a shared secret that both routers store in their configurations, but it is more time-consuming to configure, because each router needs an authentic copy of the other's public key.
The first step is to create a set of RSA encryption keys using the methods discussed in Recipe 12.5. We took the keys that we generated in this way and entered them into the router configurations. So, for example, we created the key on Router1 as follows:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto key generate rsa
% You already have RSA keys defined named Router1.oreilly.com.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]

Router1(config)#exit
Router1#show crypto key mypubkey rsa
% Key pair was generated at: 14:59:44 UTC Jul 20 2006
Key name: Router1.oreilly.com
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A0830E
  01E4B6E1 08823E41 8A98A7F4 DB0E6277 1E7AA500 F7B620CA 49BCBEBA B0A0455A
  114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 01C83E08 7305ED3C 71F04B44 31A1C574
  C0E6ACA2 C191DB07 3D347F88 2D2884BF 99C2AF80 45BC1BE9 6D2BF684 B60C04E6
  0F3D5C09 7C26694F 8FB75F90 2FA1DF46 94401D54 82ACA366 E621DD04 4B020301 0001
% Key pair was generated at: 14:59:51 UTC Jul 20 2006
Key name: Router1.oreilly.com.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 009ED5E0 43DAC50E
  6866A933 07690DB6 BA02B4E2 4CF331AA D1818C34 5B8482B1 8174A365 80EBC4CC
  E4C88354 261C2FE8 C20DC047 621DB954 9294FD68 6B2A3C16 250402ED EFFE2A48
  9FCDB94B 72AB8D1A A45CD06A D2495940 EB7FACE8 AFA3886F 3F020301 0001
Router1#
Note that in this example we typed 1024 at the modulus prompt rather than accepting the 512-bit default that IOS offers. Do not use the default in production networks: 1024 bits is the minimum worth configuring, and a larger modulus (the prompt shows that IOS accepts up to 2048 bits here) is preferable, since this one key authenticates every IKE negotiation the router will ever perform. Also note that the output lists a second, shorter key pair named Router1.oreilly.com.server. That is the key IOS keeps for its SSH server, not the general purpose key that the IPSec peer needs, so take care to copy the right one.
Then we took the general purpose key from this output and entered it into the other router as follows:
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 172.16.1.1
Router2(config-pubkey-key)#address 172.16.1.1
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A0830E
Router2(config-pubkey)#01E4B6E1 08823E41 8A98A7F4 DB0E6277 1E7AA500 F7B620CA 49BCBEBA B0A0455A
Router2(config-pubkey)#114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 01C83E08 7305ED3C 71F04B44 31A1C574
Router2(config-pubkey)#C0E6ACA2 C191DB07 3D347F88 2D2884BF 99C2AF80 45BC1BE9 6D2BF684 B60C04E6
Router2(config-pubkey)#0F3D5C09 7C26694F 8FB75F90 2FA1DF46 94401D54 82ACA366 E621DD04 4B020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
And then we repeated the procedure on the other router.
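Because the key-string is carried from one router to the other by hand, its authenticity rests entirely on that hand-off: a wrong or tampered key is accepted silently at configuration time and only shows up later as a failed IKE negotiation, or worse, as a tunnel to the wrong peer. Before the key goes into the peer, it is worth checking that what was pasted is byte for byte what the owning router displayed, that it really is an RSA key of the size you expect, and that both administrators agree on a fingerprint. The following Python script is an added example, not part of the recipe: it decodes the DER SubjectPublicKeyInfo that IOS prints using only the standard library, and takes its sample input from the key strings above (Router1's general purpose key, the same key as pasted into Router2 with CLI prompts attached, and the shorter .server key).

```python
# Added example (not from the Cisco IOS Cookbook): sanity-check an IOS RSA
# public key string before pasting it into the peer's "crypto key pubkey-chain rsa".
# The hex printed by "show crypto key mypubkey rsa" is a DER SubjectPublicKeyInfo,
# so we can decode it, read the modulus size, and fingerprint it without any
# third-party library.
import hashlib
import re

OID_RSA_ENCRYPTION = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1

# Router1's general purpose key, as printed in the recipe's "show" output.
ROUTER1_SHOWN = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A0830E
01E4B6E1 08823E41 8A98A7F4 DB0E6277 1E7AA500 F7B620CA 49BCBEBA B0A0455A
114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 01C83E08 7305ED3C 71F04B44 31A1C574
C0E6ACA2 C191DB07 3D347F88 2D2884BF 99C2AF80 45BC1BE9 6D2BF684 B60C04E6
0F3D5C09 7C26694F 8FB75F90 2FA1DF46 94401D54 82ACA366 E621DD04 4B020301 0001
"""
# The same key as it appears when pasted on Router2, CLI prompts and all.
ROUTER2_CONFIGURED = """
Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A0830E
Router2(config-pubkey)#01E4B6E1 08823E41 8A98A7F4 DB0E6277 1E7AA500 F7B620CA 49BCBEBA B0A0455A
Router2(config-pubkey)#114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 01C83E08 7305ED3C 71F04B44 31A1C574
Router2(config-pubkey)#C0E6ACA2 C191DB07 3D347F88 2D2884BF 99C2AF80 45BC1BE9 6D2BF684 B60C04E6
Router2(config-pubkey)#0F3D5C09 7C26694F 8FB75F90 2FA1DF46 94401D54 82ACA366 E621DD04 4B020301 0001
"""
# The second, shorter key pair (Router1.oreilly.com.server) from the same output.
SERVER_KEY = """
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 009ED5E0 43DAC50E
6866A933 07690DB6 BA02B4E2 4CF331AA D1818C34 5B8482B1 8174A365 80EBC4CC
E4C88354 261C2FE8 C20DC047 621DB954 9294FD68 6B2A3C16 250402ED EFFE2A48
9FCDB94B 72AB8D1A A45CD06A D2495940 EB7FACE8 AFA3886F 3F020301 0001
"""


def hex_from_ios(text: str) -> bytes:
    """Strip IOS prompts and whitespace from a pasted key-string and return raw DER."""
    text = re.sub(r"\S+\(config[^)]*\)#", " ", text)   # drop "Router2(config-pubkey)#"
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in key-string")
    return bytes.fromhex(digits)


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        count = length & 0x7F
        if not 1 <= count <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_spki(der: bytes) -> dict:
    """Decode SubjectPublicKeyInfo into modulus size, public exponent and a fingerprint."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key-string is not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)                       # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != OID_RSA_ENCRYPTION:
        raise ValueError("not an rsaEncryption public key")
    tag, bits, _ = _tlv(spki, pos)                      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa, _ = _tlv(bits, 1)
    if tag != 0x30:
        raise ValueError("missing RSAPublicKey SEQUENCE")
    n_tag, n_bytes, pos = _tlv(rsa, 0)                  # INTEGER modulus
    e_tag, e_bytes, _ = _tlv(rsa, pos)                  # INTEGER publicExponent
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    return {
        "modulus_bits": int.from_bytes(n_bytes, "big").bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def same_key(shown: str, configured: str) -> bool:
    """True when the key the owner displays and the key typed into the peer are identical."""
    return hex_from_ios(shown) == hex_from_ios(configured)


if __name__ == "__main__":
    for label, text in (("Router1 general purpose", ROUTER1_SHOWN),
                        ("Router1 .server", SERVER_KEY)):
        info = parse_rsa_spki(hex_from_ios(text))
        print(f"{label}: {info['modulus_bits']}-bit RSA, e={info['exponent']}, "
              f"SHA-256 {info['sha256'][:32]}...")
    print("Router2 holds Router1's key:", same_key(ROUTER1_SHOWN, ROUTER2_CONFIGURED))
```

Run against the recipe's own strings, the script reports the general purpose key as 1024-bit RSA with e=65537 and the .server key as a 768-bit key, which makes the point of the previous paragraph concrete: the two key pairs in the show output are not interchangeable. The SHA-256 fingerprint is what the two administrators should read to each other over a channel they trust before the key-string is committed on the peer.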
With the keys in place, we proceeded to tell the routers how to use these keys to create an IPSec connection. Even though the peer's public key is entered manually, the two routers still negotiate their security associations with ISAKMP; the RSA key only replaces the pre-shared key as the means of authenticating the peer. The important difference between this example and the one in Recipe 12.3 is therefore the authentication method in the ISAKMP policy, which must be rsa-encr on both routers:
Router1(config)#crypto isakmp policy 100
Router1(config-isakmp)#encryption aes 256
Router1(config-isakmp)#authentication rsa-encr
Router1(config-isakmp)#group 2
After that, the remainder of the configuration is essentially identical to what we showed in Recipe 12.3. So it is also relatively straightforward to combine this recipe with Recipe 12.4 to use RSA authentication keys for a LAN-to-LAN IPSec tunnel.
See Also
Recipe 12.3; Recipe 12.4; Recipe 12.5