Saturday, January 9, 2016

Using Symantec SSL PKI to Authenticate Cisco IOS IPSec VPN - HA Deployment

Digital certificates as an authentication method for IPSec VPNs is becoming increasingly popular for both remote access and site-to-site deployments. The use of digital certificates requires some form of PKI infrastructure such as a CA server. In this post, Symantec public CA will be used as an example to authenticate certificates used between two IPSec VPN gateways. There are some other posts in this blog relating to this topics, please check them using following list:

This post is mainly used to document the steps how to built a Third Party Based Certificates IPSec VPN, including how to submit gateway's CSR to Symantec and get your certs signed by Symantec CA and how to install those signed certs on your gateways. The first 8 steps are same for both for standalone deployment and high availability implementation. Only difference will be at step 9 for only used in high availability configuration.



Here are all steps:

1. Create RSA key:

M-16th(config)#crypto key generate rsa general-keys label M-16th.test.com modulus 2048 exportable
The name for the keys will be: M-16th.test.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)
note: Please always use 2048 or higher key. Most of public certificates companies do not support any key less than 2048 bits now.

M-16th#show crypto key mypubkey all

% Key pair was generated at: 14:57:23 EDT Jul 24 2012
Key name: TP-self-signed-3560658343
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 0098EA03 
  0D5BD6B5 6EBDA599 28071B27 40A162FB 247927AB 3834F338 A36CE905 3E6A0AD2 
  BFB1F9CA BBF4E6A2 91C839B1 374CEA0F FEF63026 90AD641C 1674066F 2A7A92FF 
  3C28D56B 3E022446 B7CA5F1F DD9AD7A1 BFF96C6E 6B4F6F5A D1EE5541 3CDC0090 
  82B3545C 052A483C CB201EA4 50000035 5A15C29C 2B359EDA 7C5EE5C0 39020301 0001
% Key pair was generated at: 13:02:18 EST Dec 15 2014
Key name: TP-self-signed-3560658343.server
Key type: RSA KEYS
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DB7517 9CF9611C 
  AC80D3E6 69132768 9F5B0304 78B045FC F5A977F3 0526520C 64C60BA4 FCCA8C63 
  3DFC2552 36204A58 64F68227 5F3940E3 68287B47 1D9B1769 8E4AB4CD 7CDF21DD 
  0C43251F A36E956F 57A0769C A4395572 1111E008 46C09AE5 23020301 0001
% Key pair was generated at: 14:01:03 EST Dec 15 2014
Key name: M-16th.test.com
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 
  00BD5C8B 863706DC E787D3CD 298E8DF9 00A7C9F6 49B4E0E2 76D1AC0C DEA184D2 
  8929AC9E 2A15A5E8 70A3898B 769CF6DA 60464B7D BB30A468 188AFE7E A747DA9F  
  C792D643 F2015AAE 9F991278 8BF16BE2 71020FE3 5275C651 A02B26B7 3D128FFE 
  7030567F 86029725 3711CF8B 76089C0E 1E607829 346BD5A2 4E0B3F2A B2618673 
  11020301 0001

2. Create Trustpoint on Your Routers


M-16th(config)#crypto pki trustpoint Verisign2014
M-16th(ca-trustpoint)#enrollment terminal
M-16th(ca-trustpoint)#subject-name CN=M-16th.test.com,OU=IT,O=TT,C=CA,ST=Ontario,L=Markham
M-16th(ca-trustpoint)#rsakeypair M-16th.test.com
M-16th(ca-trustpoint)#fqdn M-16th.test.com
M-16th(ca-trustpoint)#revocation-check none 
M-16th(ca-trustpoint)#exit

3. Create CSR (certificate service request)
M-16th(config)#crypto pki enroll Verisign2014
% Start certificate enrollment ..

% The subject name in the certificate will include: CN=M-16th.test.com,OU=IT,O=TT,C=CA,ST=Ontario
% The subject name in the certificate will include: M-16th.test.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

MIIC6TCCAdECAQAwgYIxEDAOBgNVBAgTB0udGFyaW8xCzAJBgNVBAYTAkNBMQww
CgYDVQQKDANHJkQxCzAJBgNVBAsTAklUMR8HQYDVQQDExZNYXJraGFtLTE2dGgu
Z2ktZGUuY29tMSUwIwYJKoZIhvcNAQkCFhZNYXJraGFtLTE2dGguZ2ktZGUuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIICgKCAQEA0jql8eHa4JSOAsOATxHo
Jj89HgioOCA5gsvJeFoHcKlwMUq1hG285ITuauAjUzOfpNIR1ZHbcBnPslGVWjq
7Q4TN/aY3w5zGDoyeMiIs93q+QUwA4G4TqjNPHMbw6ze9GJSdGH1QlExmisUv3KX
qvB4W4TQJH7i3Gg0mko+J913KpedmmGcHYju0cffitVrAMRqIE6NRlYWIcTQFVw
JNS8LQBGvKb9RhDTH35dscGlcPos3nIcA66u3B8=

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

This csr is the one you will submit it to your CA, which is Symantec in this case. They will verify the information your provides in the CSR, then sign it and return a signed certificate to you.You can import it into the gateway by following steps below:

4. Submit CSR to Verisign and Retreive Signed Certificates
Use "copy and paste" to send the CSR to your CA, in this case, it is Symantec Verisign. If your CA asks for a server type, select Other.

You may get a email with instruction where to download the intermediate / root CA certs.
Note: you may also get a different type email to ask you go on-line to download certificates. In that case, you may go through different steps as shown below:

Your download certificates package should include intermediateCA.cer, ssl_certificate.cer and some other getting_started documents.

5. Install Intermediate / Root Certificate(s)

If you did not get your Intermediate CA certificate from previous steps, you will need to go to Symantec Intermediate CA Certificates Web page to download it. You will see all kinds of different CA certificates for Symantec different SSL products. Choose one which is matching what you ordered. For this post, Secure Site is the right one.

Tricky part is in this Intermediate CA Certificates page. There are two different RSA Intermediate CA Certificates, one is primary, and another is secondary. Which one should we choose? Let me try first one which is primary. (Unfortunately I got error message during installing actual signed device SSL certificate. The error message is "% Failed to parse or verify imported certificate". You will see that later. In next screenshot, I have marked which one is right one for this post.

M-16th(config)#crypto pki authenticate Verisign2014

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC
BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA
A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7aGY5eE43U68ZhjTresY8g3JbT5K
lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ
tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
-----END CERTIFICATE-----

Trustpoint 'Verisign2014' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
       Fingerprint MD5: F91FFEE6 A36B9988 41D467DD E5F8977A
      Fingerprint SHA1: 32F30882 622B87CF 8856C63D B873DF08 53B4DD27

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

Note: Actually we are still not sure if we imported right CA certificate. It happened to me before. Symantec mailed me a wrong intermediate certificate. (Please check my previous post : Troubleshooting Symantec Verisign SSL Certificates Issue on PKI VPN Tunnel between Juniper SRX Firewalls (Cont.)) It will wait until next step to see if your SSL certificate matches with your intermediate certificate when you try to install your signed SSL certificate.
Now it is the step to install the certs sent from Verisign by email. This certs is signed by Verisign based on CSR you submitted at step 4.
M-16th(config)#crypto pki import Verisign2014 certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

MIIFgTCCBGmgAwIBAgIQKjCOdOIFbDkbDAxmz+KJjANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTsOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY9tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cgU2VydmVyIENBIC0gRzMwHhcNMTQwMzEw
MDAwMDAwWhcNMTcwMzA5MjM1OT5WjCBuDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM
B09udGFyaW8xEDAOBgNVBAcMB01hcmtoYW0xLzAtBgNVBAoMJkdpZXNlY2tlICYg
hOfPbPdr7dX/ep5JELJUDaAl5AFiON75PYJBtUcrnYuduzqdpY51MV0lUXsa7GP
0kR0ngAfTotDmE76iV5Uno/FiJtVTTM0ZqidPWihJprmtNUjH8BnLO8jA3Kwqw
qvKgAXbJnBOrYb7gGVlPC6r4LPhX7B6dwDaoRDpliSvGBpGAEx6POIW5tD8lvUW
RCZisxlco3oFnxJj6V7hm17dzfnELz49Nisa4vcgfW9eI3Z+2gtM0fT5/oVGDKb
4zRQ+2tLUF72B1WlfFZ4YFl7/m7

% Failed to parse or verify imported certificate

The installation failed. The CA certificate imported at Step 5 could not verify this signed SSL certificate. It means the CA certificate is wrong one.

Based the TN 8530 - Why do I receive the error "Failed to parse or verify imported certificate" on a Cisco ASA?, this is the message to tell you the trustpoint certs you imported from previous step is a wrong one. To fix this error, you will have to delete whole trustpoint configuration by no command.


M-16th(config)#no crypto pki trustpoint Verisign2014
 % Removing an enrolled trustpoint will destroy all certificates
 received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]:yes

You will have to do step 2 and step 5 again to create a new trustpoint before you can import actual signed device SSL certificate using following command. As I mentioned before, I will have to use secondary Intermediate certs. After import secondary Intermediate CA certs into router as trustpoint, I were able to get right result as expected:

M-16th(config)#crypto pki import Verisign2014 certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQKjCOdOIFbDkbDAxmz+KJjANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTsOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
LmNvbS9TVlJTZWN1cmVHMy5jmwwQwYDVR0gBDwwOjA4BgpghkgBhvhFAQc2MCow
KAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsAQUFBwMCMB8GA1UdIwQYMBaAFA1EXBZTRMGCfh0g
qyX0AWPYvnmlMHYGCCsGAQUBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDovL29j
c3AudmVyaXNpZ24uY29tMEAGCsGAQUFBzAChjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWFpYS52ZXJpc2lnbi5jb20vU1ZS2VjdXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUA
A4IBAQCpZzArqkr+wlVsmCpgCe5MPMUw/SpQj0gV3zIv5oeMvDfpJN+olwhqJI
hOfPbPdr7dX/ep5JELJUDaAl5AFiON75PYJBtUcrnYuduzqdpY51MV0lUXsa7GP
0kR0ngAfTotDmE76iV5Uno/FiJtVTTM0ZqidPWihJprmtNUjH8BnLO8jA3Kwqw
qvKgAXbJnBOrYb7gGVlPC6r4LPhX7B6dwDaoRDpliSvGBpGAEx6POIW5tD8lvUW
RCZisxlco3oFnxJj6V7hm17dzfnELz49Nisa4vcgfW9eI3Z+2gtM0fT5/oVGDKb
4zRQ+2tLUF72B1WlfFZ4YFl7/m7
-----END CERTIFICATE-----

% Router Certificate successfully imported

7. Verify Certificates



M-16th#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 2A308E74E2056C391B0C0C769B3F8A26
  Certificate Usage: General Purpose
  Issuer:
    cn=VeriSign Class 3 Secure Server CA - G3
    ou=Terms of use at https://www.verisign.com/rpa (c)10
    ou=VeriSign Trust Network
    o=VeriSign
     Inc.
    c=US
  Subject:
    Name: M-16th.test.com
    cn=M-16th.test.com
    ou=Terms of use at www.verisign.com/rpa (c)05
    o=Giesecke & Devrient systems canada inc
    l=Markham
    st=Ontario
    c=CA
  CRL Distribution Points:
    http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl
  Validity Date:
    start date: 20:00:00 EDT Mar 9 2014
    end   date: 18:59:59 EST Mar 9 2017
  Associated Trustpoints: Verisign2014

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 6ECC7AA5A7032009B8CEBCF4E952D491
  Certificate Usage: Signature
  Issuer:
    cn=VeriSign Class 3 Public Primary Certification Authority - G5
    ou=(c) 2006 VeriSign
     Inc. - For authorized use only
    ou=VeriSign Trust Network
    o=VeriSign
     Inc.
    c=US
  Subject:
    cn=VeriSign Class 3 Secure Server CA - G3
    ou=Terms of use at https://www.verisign.com/rpa (c)10
    ou=VeriSign Trust Network
    o=VeriSign
     Inc.
    c=US
  CRL Distribution Points:
    http://crl.verisign.com/pca3-g5.crl
  Validity Date:
    start date: 19:00:00 EST Feb 7 2010
    end   date: 18:59:59 EST Feb 7 2020
  Associated Trustpoints: Verisign2014

Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-3775191276
  Subject:
    Name: IOS-Self-Signed-Certificate-3775191276
    cn=IOS-Self-Signed-Certificate-3775191276
  Validity Date:
    start date: 10:26:26 EST Jan 11 2012
    end   date: 19:00:00 EST Dec 31 2019
  Associated Trustpoints: TP-self-signed-3775191276
  Storage: nvram:IOS-Self-Sig#1.cer

M-16th#dir nvram:
Directory of nvram:/

  240  -rw-       10890                    <no date>  startup-config
  241  ----        3921                    <no date>  private-config
  242  -rw-       10890                    <no date>  underlying-config
    1  -rw-        2945                    <no date>  cwmp_inventory
    4  ----           0                    <no date>  rf_cold_starts
    5  ----         117                    <no date>  persistent-data
    6  -rw-         559                    <no date>  IOS-Self-Sig#1.cer
    7  -rw-           0                    <no date>  ifIndex-table
    8  -rw-        1413                    <no date>  VeriSignClas#8A26.cer
   10  -rw-        1520                    <no date>  VeriSignClas#D491CA.cer



8. Use Cert as Authentication Method in Cisco Router's IPSec Configuration
crypto pki trustpoint Verisign2014
 enrollment terminal
 fqdn 16th-M.test.com
 subject-name CN=16th-M.test.com,OU=IT,O=xx,C=CA,ST=Ontario
 revocation-check none
 rsakeypair 16th-M.test.com
!
!
crypto pki certificate chain Verisign2014
 certificate 04681FB41D03897F3C61766E1DD5C42F
  30820581 30820469 A0030201 02021004 681FB41D 03897F3C 61766E1D D5C42F30
  0D06092A 864886F7 0D010105 05003081 B5310B30 09060355 04061302 55533117
  30150603 55040A13 0E566572 69536967 6E2C2049 6E632E31 1F301D06 0355040B
  13165665 72695369 676E2054 72757374 204E6574 776F726B 313B3039 06035504
  0B133254 65726D73 206F6620 75736520 61742068 74747073 3A2F2F77 77772E76
......
  6C2527B9 DEB78458 C61F381E A4C4CB66
        quit
!
! Policy 5 is using default RSA-SIG authentication method.
crypto isakmp policy 5
 encr 3des
 hash md5
 group 2
!
Policy 10 is using Pre-share key authentication method
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key PASSWORDWRONG address 10.9.8.1    
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set Phase2 esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map VPN 10 ipsec-isakmp
 set peer 10.9.8.1
 no set security-association idle-time
 set transform-set Phase2
 match address protect
!
!
!
!
interface GigabitEthernet0/1
 ip address 10.9.8.2 255.255.255.200
 ip flow ingress
 duplex auto
 speed auto
 crypto map VPN
!
ip access-list extended protect
 permit ip 10.9.2.0 0.0.0.255 any
 permit ip 10.9.6.0 0.0.0.255 any
 permit ip 10.9.7.0 0.0.0.255 any
 permit ip 10.9.3.0 0.0.0.255 any
!
!
!


Router1#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

9023  10.9.8.2      10.9.8.1             ACTIVE 3des md5    rsig 2  05:37:02    
       Engine-id:Conn-id =  SW:23

IPv6 Crypto ISAKMP SA

Router1#




9. High Availability Configuration

9.1 Stateless Failover Configuration

interface GigabitEthernet0/0
 ip address 19.26.116.140 255.255.255.192
 standby 199 ip 19.26.116.141
 standby 199 preempt
 standby 199 name VPNHA
 standby 199 track 1 decrement 10
 duplex auto
 speed auto
 crypto map vpn redundancy VPNHA

9.2 Stateful Failover Configuration


redundancy inter-device
 scheme standby VPNHA


ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 19.26.116.139
    retransmit-timeout 300 10000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 19.26.116.140
!

interface GigabitEthernet0/0
 ip address 19.26.116.139 255.255.255.192
 standby 199 ip 19.26.116.141
 standby 199 priority 105
 standby 199 preempt
 standby 199 name VPNHA
 standby 199 track 2 decrement 10
 duplex auto
 speed auto
 crypto map vpn redundancy VPNHA stateful




Notes: 
Some Other Useful Commands:
M-16th(config)#crypto pki export Verisign2014 pem terminal 3des cisco1234
% The specified trustpoint is not enrolled (VerisignCA1).
% Only export the CA certificate in PEM format.
% CA certificate:

-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
KoZIhvcNAQEFBQADggEBAAyDJO/dwwzZWJz+NrbrioBL0aP3nfPMU++CnqOh5pfB
WJ11bOAdG0z60cEtBcDqbrIicFXZIDNAMwfCZYP6j0M3m+oOmmxw7vacgDvZN/R6
bezQGH1JSsqZxxkoor7YdyT3hSaGbYcFQEFn0Sc67dxIHSLNCwuLvPSxe/20majp
dirhGi2HbnTTiN0eIsbfFrYrghQKlFzyUOyvzv9iNw2tZdMGQVPtAhTItVgooazg
W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
-----END CERTIFICATE-----

router#show crypto pki certificates
router#show crypto key mypubkey rsa

Router(config)#crypto pki certificate validate Verisign2014
Chain has 2 certificates
Certificate chain for Verisign2014 is valid




Reference:

No comments:

Post a Comment