There are three ways to authenticate peers in IKEv1 and IKEv2: pre-shared keys, rsa-encr (RSA encrypted nonces) and rsa-sig (RSA signatures). Each provides a different level of security. In this article we focus on the RSA-based methods and lab them out.
The pre-shared key is definitely the weakest method of authenticating two peers. rsa-encr is a good solution if you have no opportunity to use a third-party Certificate Authority and PKI, but if you do have that opportunity you should definitely choose rsa-sig.
The RSA algorithm is an example of asymmetric cryptography: it uses a pair of two different, mathematically linked keys, a public key and a private key. Both keys can encrypt and decrypt a message, but the public key decrypts only what the private key encrypted, and vice versa. RSA ensures confidentiality, integrity and authentication.
IKEv1 rsa-encr
Let's create an IKEv1 tunnel with ISAKMP rsa-encr authentication. I will show only the configuration on R1; on R3 it looks very similar.
First we have to set the hostnames of the peers on R1 and R2.
Then we have to generate a private/public key pair for PKI:
crypto key generate rsa general-keys label R1
Let's look at the newly generated public key:
show crypto key mypubkey rsa R1
Now we have to exchange keys between R1 and R2. We do this by copying and pasting the key from R3 to R1 and vice versa:
crypto key pubkey-chain rsa
 addressed-key 15.0.0.1 encryption
  key-string
Enter a public key as a hexidecimal number ....
  quit
Let's check that the key from R2 has been imported:
show crypto key pubkey-chain rsa address 35.0.0.3
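Before a pasted key is trusted, it is worth confirming that what arrived under key-string is exactly what the other peer printed under show crypto key mypubkey rsa. The Python below is an added example, not code from the original article. It assumes that the hex IOS prints under "Key Data:" is the DER-encoded SubjectPublicKeyInfo of the key; it parses that hex to report the modulus size and exponent, and computes a SHA-256 fingerprint that both administrators can read to each other over a trusted channel before the key is accepted. The sample key is constructed inside the block, not captured from a router, and the function names are the example's own.

```python
"""Fingerprint an RSA public key in the hex form IOS prints under "Key Data:".

Added illustration, not from the original article. Assumption: the hex shown by
`show crypto key mypubkey rsa` (and pasted under `key-string`) is the DER-encoded
SubjectPublicKeyInfo of the key. The sample key below is constructed here.
"""
import hashlib

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER encoder, used only to build the constructed sample ------------
def der_len(length):
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                    # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


def encode_spki(n, e):
    """SubjectPublicKeyInfo { AlgorithmIdentifier {rsaEncryption, NULL}, BIT STRING {RSAPublicKey} }."""
    rsa_key = der_tlv(0x30, der_int(n) + der_int(e))
    alg_id = der_tlv(0x30, RSA_OID + b"\x05\x00")
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))


def ios_key_data(der):
    """Render DER the way IOS shows it: uppercase hex, 4-byte groups, 8 groups per line."""
    groups = [der[i:i + 4].hex().upper() for i in range(0, len(der), 4)]
    return "\n".join(" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8))


# --- minimal DER parser, the part you would run on a pasted key ----------------
def read_tlv(buf, pos):
    """Return (tag, content, position after the element); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length (2048-bit keys use 0x82)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def parse_spki(der):
    """Return (modulus, exponent) from a DER SubjectPublicKeyInfo holding an RSA key."""
    tag, spki, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SubjectPublicKeyInfo SEQUENCE")
    tag, alg_id, pos = read_tlv(spki, 0)
    if tag != 0x30 or not alg_id.startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bit_string, _ = read_tlv(spki, pos)
    if tag != 0x03 or not bit_string or bit_string[0] != 0:
        raise ValueError("malformed BIT STRING")
    tag, rsa_key, _ = read_tlv(bit_string, 1)   # skip the unused-bits byte
    if tag != 0x30:
        raise ValueError("malformed RSAPublicKey")
    tag_n, n_bytes, pos = read_tlv(rsa_key, 0)
    tag_e, e_bytes, _ = read_tlv(rsa_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def fingerprint_key_data(key_data):
    """Parse pasted 'Key Data:' hex; return what to read out to the other side."""
    der = bytes.fromhex("".join(key_data.split()))
    n, e = parse_spki(der)
    return {"modulus_bits": n.bit_length(), "exponent": e,
            "sha256": hashlib.sha256(der).hexdigest()}


# Constructed 256-bit sample modulus: absurdly small, chosen only to keep the output short.
SAMPLE_N = int("c" * 63 + "d", 16)
SAMPLE_KEY_DATA = ios_key_data(encode_spki(SAMPLE_N, 65537))

if __name__ == "__main__":
    print(SAMPLE_KEY_DATA)
    print(fingerprint_key_data(SAMPLE_KEY_DATA))
```

Both sides run fingerprint_key_data on the hex they are about to trust and compare the SHA-256 value out of band; a single altered hex digit in transit produces a different fingerprint, and anything that is not an RSA SubjectPublicKeyInfo is rejected before it reaches key-string.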
Now we may proceed to the IKEv1 IPsec configuration, which is almost the same as with a pre-shared key:
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-encr
crypto ipsec transform-set MyTransformSet ah-sha-hmac esp-aes
crypto ipsec profile MyProfile
 set transform-set MyTransformSet
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source 35.0.0.3
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile MyProfile
IKEv2 and rsa-sig
Before we go over the VPN configuration we have to configure the ROOT-CA server and enroll R1 and R2 so that they obtain their certificates. We will use SCEP.
ROOT-CA:
ip http server
crypto key generate rsa general-keys label ROOT-CA-KEY modulus 1024 exportable
crypto pki trustpoint ROOT-CA
 rsakeypair ROOT-CA-KEY
crypto pki server ROOT-CA
 issuer-name CN=ROOT-CA, o=itbundle.net
 database level complete
 hash sha512
 lifetime ca-certificate 3600
 lifetime certificate 1825
 lifetime crl 336
 grant auto
 no shutdown
R1:
crypto key generate rsa label R1keypair modulus 1024
crypto pki trustpoint ROOT-CA
 enrollment url http://177.177.177.177
 fqdn r1.itbundle.net
 subject-name CN=R1, o=itbundle.net
 rsakeypair R1keypair
 revocation-check none
R2:
crypto key generate rsa label R2keypair modulus 1024
crypto pki trustpoint ROOT-CA
 enrollment url http://177.177.177.177
 fqdn r2.itbundle.net
 subject-name CN=R2, o=itbundle.net
 rsakeypair R2keypair
 revocation-check none
Now we have to run two commands on R1 and R2:
crypto pki authenticate ROOT-CA
crypto pki enroll ROOT-CA
If the certificates were granted, you will see that on ROOT-CA:
show crypto pki server ROOT-CA requests
R1:
crypto pki certificate map CMAP 10
 issuer-name co itbundle
crypto ikev2 proposal IKEv2-Proposal
 encryption aes-cbc-128
 integrity sha1
 group 5
crypto ikev2 policy IKEv2-Policy
 proposal IKEv2-Proposal
crypto ikev2 profile IKEv2-Profile
 identity local dn
 match certificate CMAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint ROOT-CA
crypto ipsec transform-set T-SET esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile IPSec-Profile
 set transform-set T-SET
 set ikev2-profile IKEv2-Profile
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 35.0.0.3
 tunnel protection ipsec profile IPSec-Profile
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.255 area 0
R2:
The configuration is the same; only the tunnel destination changes to 15.0.0.1 and, of course, the networks advertised in OSPF:
router ospf 1
 network 3.3.3.3 0.0.0.0 area 0
 network 10.3.3.0 0.0.0.255 area 0