
Authentication with rsa-enc and rsa-sign based on IKEv1 and IKEv2 examples

There are three ways of authenticating peers in IKEv1 and IKEv2: pre-shared keys, rsa-enc and rsa-sign. Each provides a different level of security. In this article we focus on the RSA-based methods and lab them out.

The pre-shared key is definitely the weakest method of authenticating two peers. Rsa-enc is a good solution if you have no opportunity to use a third-party Certificate Authority and PKI, but if you do have that opportunity you should definitely choose rsa-sign.

The RSA algorithm is an example of asymmetric cryptography and uses a pair of two different keys, public and private, that are mathematically linked. Either key can encrypt or decrypt a message: the public key decrypts what the private key encrypted, and vice versa. Used this way, RSA provides confidentiality, integrity and authentication.
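As an added example (not part of the original article and not Cisco's implementation), here is a toy Python model of the two RSA-based methods described above. It uses textbook RSA with small Mersenne primes and no padding, and the peer names, nonce values and certificate layout are constructed for illustration only. It shows the key-pair property stated above (what one key transforms, the other undoes), how rsa-encr proves identity by recovering a nonce encrypted to a manually pinned public key, and how rsa-sig proves it with a signature over a message using a key vouched for by a CA certificate, which is why rsa-sign is the better choice whenever a CA is available.

```python
"""Toy RSA model of IKE rsa-encr vs rsa-sig authentication (constructed example).

Textbook RSA with Mersenne primes and no padding: pedagogical only, not a
real IKE payload format and not a real PKI.
"""
import hashlib


def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, exponent) tuples for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, m):
    """One RSA modular exponentiation; m must be smaller than the modulus."""
    n, exp = key
    return pow(m, exp, n)


def digest_mod_n(key, message):
    """SHA-256 of the message reduced into the key's modulus (toy, unpadded)."""
    n, _ = key
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message):
    """rsa-sig: the private key transforms the hash; the public key undoes it."""
    return rsa_apply(priv, digest_mod_n(priv, message))


def verify(pub, message, sig):
    return rsa_apply(pub, sig) == digest_mod_n(pub, message)


# --- rsa-encr: trust comes from a manually pinned peer public key -----------
def rsa_encr_prove(peer_pub, peer_priv, nonce):
    """Initiator encrypts its nonce to the pinned peer key; only the matching
    private key recovers it, so a correct recovery proves the peer's identity."""
    ciphertext = rsa_apply(peer_pub, nonce)
    return rsa_apply(peer_priv, ciphertext)


# --- rsa-sig: trust comes from a CA-issued certificate ----------------------
def issue_certificate(ca_priv, subject, subject_pub):
    """Toy certificate: the CA signs (subject, modulus, exponent)."""
    tbs = f"{subject}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return {"subject": subject, "pub": subject_pub, "sig": sign(ca_priv, tbs)}


def verify_certificate(ca_pub, cert):
    tbs = f"{cert['subject']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()
    return verify(ca_pub, tbs, cert["sig"])


def authenticate_rsa_sig(ca_pub, cert, message, sig):
    """What a trustpoint-backed peer does: check the chain, then the signature."""
    return verify_certificate(ca_pub, cert) and verify(cert["pub"], message, sig)


# Constructed toy key material (Mersenne primes; never use such keys for real).
R1_PUB, R1_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
R2_PUB, R2_PRIV = make_keypair(2**19 - 1, 2**89 - 1)
CA_PUB, CA_PRIV = make_keypair(2**17 - 1, 2**107 - 1)
R1_CERT = issue_certificate(CA_PRIV, "CN=R1, o=itbundle.net", R1_PUB)
R2_CERT = issue_certificate(CA_PRIV, "CN=R2, o=itbundle.net", R2_PUB)

if __name__ == "__main__":
    nonce = 0x1234567890ABCDEF  # constructed initiator nonce
    print("rsa-encr nonce recovered:", rsa_encr_prove(R2_PUB, R2_PRIV, nonce) == nonce)
    auth = b"IKE_AUTH payload"  # constructed message to be signed
    s = sign(R1_PRIV, auth)
    print("rsa-sig accepted:", authenticate_rsa_sig(CA_PUB, R1_CERT, auth, s))
```

In the rsa-encr path the only thing binding R2's identity to its key is the copy-and-paste of the public key into the pubkey-chain, so any mistake there is a silent trust decision; in the rsa-sig path the same binding is a CA signature that every peer can check against the trustpoint, and a certificate issued by anything other than the CA is rejected before the peer's signature is even examined.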

IKEv1 rsa-enc

Let's create an IKEv1 tunnel with ISAKMP rsa-encr authentication. I will show only the configuration on R1; the one on R3 looks very similar.


First we have to set the hostnames of the peers, R1 and R2.

We have to generate a private/public key pair for PKI:

crypto key generate rsa general-keys label R1

Let's see our newly generated public key:
show crypto key mypubkey rsa R1

Now we have to exchange keys between R1 and R2; we do this by copying and pasting the key from R3 to R1 and vice versa:

crypto key pubkey-chain rsa
addressed-key encryption
Enter a public key as a hexidecimal number ….

Let's check that the key from R2 has been imported:

show crypto key pubkey-chain rsa address

Now we may proceed to the IKEv1 IPsec configuration, which is almost the same as with a pre-shared key:

crypto isakmp policy 10
encryption aes
hash sha
authentication rsa-encr

crypto ipsec transform-set MyTransformSet ah-sha-hmac esp-aes

crypto ipsec profile MyProfile
set transform-set MyTransformSet

interface Tunnel0
ip address
tunnel source
tunnel destination
tunnel protection ipsec profile MyProfile

IKEv2 and rsa-sign


Before we go over the VPN configuration we have to configure the ROOT-CA server and enroll R1 and R2 to obtain their certificates. We will use SCEP.


ip http server
crypto key generate rsa general-keys label ROOT-CA-KEY modulus 1024 exportable
crypto pki trustpoint ROOT-CA
rsakeypair ROOT-CA-KEY

crypto pki server ROOT-CA
issuer-name CN=ROOT-CA, o=itbundle.net
database level complete
hash sha512
lifetime ca-certificate 3600
lifetime certificate 1825
lifetime crl 336
grant auto
no shutdown


crypto key generate rsa label R1keypair modulus 1024
crypto pki trustpoint ROOT-CA
enrollment url
fqdn r1.itbundle.net
subject-name CN=R1, o=itbundle.net
rsakeypair R1keypair
revocation-check none


crypto key generate rsa label R2keypair modulus 1024
crypto pki trustpoint ROOT-CA
enrollment url
fqdn r2.itbundle.net
subject-name CN=R2, o=itbundle.net
rsakeypair R2keypair
revocation-check none

Now we have to run two commands on R1 and R2:

crypto pki authenticate ROOT-CA
crypto pki enroll ROOT-CA

If the certificates were granted you will see them on ROOT-CA:

show crypto pki server ROOT-CA requests





crypto pki certificate map CMAP 10
issuer-name co itbundle

crypto ikev2 proposal IKEv2-Proposal
encryption aes-cbc-128
integrity sha1
group 5

crypto ikev2 policy IKEv2-Policy
proposal IKEv2-Proposal

crypto ikev2 profile IKEv2-Profile
identity local dn
match certificate CMAP

authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint ROOT-CA

crypto ipsec transform-set T-SET esp-aes esp-sha-hmac
mode transport

crypto ipsec profile IPSec-Profile
set transform-set T-SET
set ikev2-profile IKEv2-Profile

interface tunnel 0
ip unnumbered loopback 0
tunnel source gigabitEthernet 0/0
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile IPSec-Profile

router ospf 1
network area 0
network area 0


The configuration on R2 is the same; only the tunnel destination is changed, and of course the networks advertised in OSPF:

router ospf 1
network area 0
network area 0

