Cisco IOS IPSec VPN with External Trusted PKI Certs - Verisign - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Monday, September 16, 2013

Cisco IOS IPSec VPN with External Trusted PKI Certs - Verisign

Topology:

using IOU Rack v3 from post

My Cisco IOU Racks - from flyxj IOUv3


It looks like following screenshot:
The goal is to achieve ipsec with third party trusted PKI certs - verisign. This lab will use verisign trial version  to demonstrate procedures.



Enabled R6 and R7 as PC to do testing. Logical topology looks like following:

1. Delete all existing configuration then reload those four routers:


R2#delete nvram:startup-config
Delete filename [startup-config]?
Delete nvram:startup-config? [confirm]
[OK]
R2#reload


2. Make vpn up using pre-share key:

@R1
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 10.94.200.47
!
crypto ipsec transform-set VPN1 ah-sha-hmac esp-3des esp-sha-hmac 
!
crypto map VPN-MAP 10 ipsec-isakmp 
 set peer 10.94.200.47
 set transform-set VPN1 
 match address ACL-VPN
!
interface Ethernet0/0
 ip address 10.94.200.37 255.255.255.0
 crypto map VPN-MAP

ip route 0.0.0.0 0.0.0.0 10.94.200.37
ip access-list extended ACL-VPN
 permit ip 192.168.177.0 0.0.0.255 192.168.99.0 0.0.0.255

@R2:
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 10.94.200.37
!
crypto ipsec transform-set VPN1 ah-sha-hmac esp-3des esp-sha-hmac 
!
crypto map VPN-MAP 10 ipsec-isakmp 
 set peer 10.94.200.37
 set transform-set VPN1 
 match address ACL-VPN
!
interface Ethernet0/0
 ip address 10.94.200.47 255.255.255.0
 crypto map VPN-MAP
ip route 0.0.0.0 0.0.0.0 10.94.200.37
!
ip access-list extended ACL-VPN
 permit ip 192.168.99.0 0.0.0.255 192.168.177.0 0.0.0.255

Test Result by ping  R7's ip 192.168.99.1 from R6
R6#ping 192.168.99.1  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.99.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/8/12 ms

Debug Crypto Isakmp Output @R1:

R1(config)#
*Mar 11 02:14:55.159: ISAKMP:(0): SA request profile is (NULL)
*Mar 11 02:14:55.159: ISAKMP: Created a peer struct for 10.94.200.47, peer port 500
*Mar 11 02:14:55.159: ISAKMP: New peer created peer = 0xB6803C58 peer_handle = 0x80000002
*Mar 11 02:14:55.159: ISAKMP: Locking peer struct 0xB6803C58, refcount 1 for isakmp_initiator
*Mar 11 02:14:55.159: ISAKMP: local port 500, remote port 500
*Mar 11 02:14:55.159: ISAKMP: set new node 0 to QM_IDLE      
*Mar 11 02:14:55.159: ISAKMP:(0):insert sa successfully sa = B6803240
*Mar 11 02:14:55.159: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 11 02:14:55.159: ISAKMP:(0):found peer pre-shared key matching 10.94.200.47
*Mar 11 02:14:55.159: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 11 02:14:55.159: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 11 02:14:55.159: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 11 02:14:55.159: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 11 02:14:55.159: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 11 02:14:55.159: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

*Mar 11 02:14:55.159: ISAKMP:(0): beginning Main Mode exchange
*Mar 11 02:14:55.159: ISAKMP:(0): sending packet to 10.94.200.47 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 11 02:14:55.159: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 11 02:14:55.163: ISAKMP (0): received packet from 10.94.200.47 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 11 02:14:55.163: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 11 02:14:55.163: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

*Mar 11 02:14:55.183: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 11 02:14:55.183: ISAKMP:(0): processing vendor id payload
*Mar 11 02:14:55.183: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 11 02:14:55.183: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 11 02:14:55.183: ISAKMP:(0):found peer pre-shared key matching 10.94.200.47
*Mar 11 02:14:55.183: ISAKMP:(0): local preshared key found
*Mar 11 02:14:55.183: ISAKMP : Scanning profiles for xauth ...
*Mar 11 02:14:55.183: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 11 02:14:55.183: ISAKMP:      encryption DES-CBC
*Mar 11 02:14:55.183: ISAKMP:      hash SHA
*Mar 11 02:14:55.183: ISAKMP:      default group 2
*Mar 11 02:14:55.183: ISAKMP:      auth pre-share
*Mar 11 02:14:55.183: ISAKMP:      life type in seconds
*Mar 11 02:14:55.183: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
*Mar 11 02:14:55.183: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 11 02:14:55.183: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 11 02:14:55.183: ISAKMP:(0):Acceptable atts:life: 0
*Mar 11 02:14:55.183: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 11 02:14:55.183: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 11 02:14:55.183: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 11 02:14:55.183: ISAKMP:(0)::Started lifetime timer: 86400.

*Mar 11 02:14:55.183: ISAKMP:(0): processing vendor id payload
*Mar 11 02:14:55.183: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 11 02:14:55.183: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 11 02:14:55.183: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 11 02:14:55.183: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

*Mar 11 02:14:55.183: ISAKMP:(0): sending packet to 10.94.200.47 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 11 02:14:55.183: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 11 02:14:55.183: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 11 02:14:55.183: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

*Mar 11 02:14:55.191: ISAKMP (0): received packet from 10.94.200.47 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 11 02:14:55.191: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 11 02:14:55.191: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

*Mar 11 02:14:55.191: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 11 02:14:55.195: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 11 02:14:55.195: ISAKMP:(0):found peer pre-shared key matching 10.94.200.47
*Mar 11 02:14:55.195: ISAKMP:(1001): processing vendor id payload
*Mar 11 02:14:55.195: ISAKMP:(1001): vendor ID is Unity
*Mar 11 02:14:55.195: ISAKMP:(1001): processing vendor id payload
*Mar 11 02:14:55.195: ISAKMP:(1001): vendor ID is DPD
*Mar 11 02:14:55.195: ISAKMP:(1001): processing vendor id payload
*Mar 11 02:14:55.195: ISAKMP:(1001): speaking to another IOS box!
*Mar 11 02:14:55.195: ISAKMP:received payload type 20
*Mar 11 02:14:55.195: ISAKMP (1001): His hash no match - this node outside NAT
*Mar 11 02:14:55.195: ISAKMP:received payload type 20
*Mar 11 02:14:55.195: ISAKMP (1001): No NAT Found for self or peer
*Mar 11 02:14:55.195: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 11 02:14:55.195: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4 

*Mar 11 02:14:55.199: ISAKMP:(1001):Send initial contact
*Mar 11 02:14:55.199: ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 11 02:14:55.199: ISAKMP (1001): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.94.200.37 
        protocol     : 17 
        port         : 500 
        length       : 12
*Mar 11 02:14:55.199: ISAKMP:(1001):Total payload length: 12
*Mar 11 02:14:55.199: ISAKMP:(1001): sending packet to 10.94.200.47 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 11 02:14:55.199: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 11 02:14:55.199: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 11 02:14:55.199: ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5 

*Mar 11 02:14:55.199: ISAKMP (1001): received packet from 10.94.200.47 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 11 02:14:55.199: ISAKMP:(1001): processing ID payload. message ID = 0
*Mar 11 02:14:55.199: ISAKMP (1001): ID payload 
        next-payload : 8
        type         : 1 
        address      : 10.94.200.47 
        protocol     : 17 
        port         : 500 
        length       : 12
*Mar 11 02:14:55.199: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 11 02:14:55.199: ISAKMP:(1001): processing HASH payload. message ID = 0
*Mar 11 02:14:55.199: ISAKMP:(1001):SA authentication status:
        authenticated
*Mar 11 02:14:55.199: ISAKMP:(1001):SA has been authenticated with 10.94.200.47
*Mar 11 02:14:55.199: ISAKMP: Trying to insert a peer 10.94.200.37/10.94.200.47/500/,  and inserted successfully B6803C58.
*Mar 11 02:14:55.199: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 11 02:14:55.199: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6 

*Mar 11 02:14:55.199: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 11 02:14:55.199: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6 

*Mar 11 02:14:55.203: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 11 02:14:55.203: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 

*Mar 11 02:14:55.203: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 1780039293
*Mar 11 02:14:55.203: ISAKMP:(1001):QM Initiator gets spi
*Mar 11 02:14:55.203: ISAKMP:(1001): sending packet to 10.94.200.47 my_port 500 peer_port 500 (I) QM_IDLE      
*Mar 11 02:14:55.203: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 11 02:14:55.203: ISAKMP:(1001):Node 1780039293, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 11 02:14:55.203: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar 11 02:14:55.203: ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 11 02:14:55.203: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

*Mar 11 02:14:55.207: ISAKMP (1001): received packet from 10.94.200.47 dport 500 sport 500 Global (I) QM_IDLE      
*Mar 11 02:14:55.207: ISAKMP:(1001): processing HASH payload. message ID = 1780039293
*Mar 11 02:14:55.207: ISAKMP:(1001): processing SA payload. message ID = 1780039293
*Mar 11 02:14:55.207: ISAKMP:(1001):Checking IPSec proposal 1
*Mar 11 02:14:55.207: ISAKMP: transform 1, AH_SHA
*Mar 11 02:14:55.207: ISAKMP:   attributes in transform:
*Mar 11 02:14:55.207: ISAKMP:      encaps is 1 (Tunnel)
*Mar 11 02:14:55.207: ISAKMP:      SA life type in seconds
*Mar 11 02:14:55.207: ISAKMP:      SA life duration (basic) of 3600
*Mar 11 02:14:55.207: ISAKMP:      SA life type in kilobytes
*Mar 11 02:14:55.207: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
*Mar 11 02:14:55.207: ISAKMP:      authenticator is HMAC-SHA
*Mar 11 02:14:55.207: ISAKMP:(1001):atts are acceptable.
*Mar 11 02:14:55.207: ISAKMP:(1001):Checking IPSec proposal 1
*Mar 11 02:14:55.207: ISAKMP: transform 1, ESP_3DES
*Mar 11 02:14:55.207: ISAKMP:   attributes in transform:
*Mar 11 02:14:55.207: ISAKMP:      encaps is 1 (Tunnel)
*Mar 11 02:14:55.207: ISAKMP:      SA life type in seconds
*Mar 11 02:14:55.207: ISAKMP:      SA life duration (basic) of 3600
*Mar 11 02:14:55.207: ISAKMP:      SA life type in kilobytes
*Mar 11 02:14:55.207: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
*Mar 11 02:14:55.207: ISAKMP:      authenticator is HMAC-SHA
*Mar 11 02:14:55.207: ISAKMP:(1001):atts are acceptable.
*Mar 11 02:14:55.207: ISAKMP:(1001): processing NONCE payload. message ID = 1780039293
*Mar 11 02:14:55.207: ISAKMP:(1001): processing ID payload. message ID = 1780039293
*Mar 11 02:14:55.207: ISAKMP:(1001): processing ID payload. message ID = 1780039293
*Mar 11 02:14:55.207: ISAKMP:(1001): Creating IPSec SAs
*Mar 11 02:14:55.207:         inbound SA from 10.94.200.47 to 10.94.200.37 (f/i)  0/ 0
        (proxy 192.168.99.0 to 192.168.177.0)
*Mar 11 02:14:55.207:         has spi 0xA14845AE and conn_id 0
*Mar 11 02:14:55.207:         lifetime of 3600 seconds
*Mar 11 02:14:55.207:         lifetime of 4608000 kilobytes
*Mar 11 02:14:55.207:         outbound SA from 10.94.200.37 to 10.94.200.47 (f/i) 0/0
        (proxy 192.168.177.0 to 192.168.99.0)
*Mar 11 02:14:55.207:         has spi  0x85C87ECF and conn_id 0
*Mar 11 02:14:55.207:         lifetime of 3600 seconds
*Mar 11 02:14:55.207:         lifetime of 4608000 kilobytes
*Mar 11 02:14:55.207: ISAKMP:(1001): Creating IPSec SAs
*Mar 11 02:14:55.207:         inbound SA from 10.94.200.47 to 10.94.200.37 (f/i)  0/ 0
        (proxy 192.168.99.0 to 192.168.177.0)
*Mar 11 02:14:55.207:         has spi 0x87C3AC12 and conn_id 0
*Mar 11 02:14:55.207:         lifetime of 3600 seconds
*Mar 11 02:14:55.207:         lifetime of 4608000 kilobytes
*Mar 11 02:14:55.207:         outbound SA from 10.94.200.37 to 10.94.200.47 (f/i) 0/0
        (proxy 192.168.177.0 to 192.168.99.0)
*Mar 11 02:14:55.207:         has spi  0xFD71F9A9 and conn_id 0
*Mar 11 02:14:55.207:         lifetime of 3600 seconds
*Mar 11 02:14:55.207:         lifetime of 4608000 kilobytes
*Mar 11 02:14:55.207: ISAKMP:(1001): sending packet to 10.94.200.47 my_port 500 peer_port 500 (I) QM_IDLE      
*Mar 11 02:14:55.207: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 11 02:14:55.207: ISAKMP:(1001):deleting node 1780039293 error FALSE reason "No Error"
*Mar 11 02:14:55.207: ISAKMP:(1001):Node 1780039293, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
R1(config)#
*Mar 11 02:14:55.207: ISAKMP:(1001):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

3. Next step is to install Certifications from Verisign Trial Site based on the steps on my previous post:



@R1 and @R2

crypto isakmp policy 5
 group 2

4. Last Step is to do testing:

clear crypto sa

16th-Markham#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.94.200.37      10.94.200.47      QM_IDLE           9031 ACTIVE


16th-Markham#show crypto isakmp sa  detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

10.94.200.37      10.94.200.47             ACTIVE des  sha    rsig 2  23:56:03     
       Engine-id:Conn-id =  SW:31

5. Notes:

a. We should note that ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends.

b. If your router does not have Internet Access to fetch CRL list, you will have to put following command into your trustpoint:
revocation-check none

c. Debug Commands
  • show crypto session
  • clear crypto sa
  • show crypto pki certificate



No comments:

Post a Comment