Thursday, January 28, 2016

RSA-Sig authentication of IKEv2


FlexVPN site to site with RSA-Sig authentication of IKEv2
A keyring is only needed when IKEv2 authenticates with pre-shared keys; with RSA-Sig authentication the IKEv2 profile references a PKI trustpoint instead.

! R1
conf t

no crypto pki trustpoint Trusted-CA
yes

crypto key zeroize rsa
yes

crypto key generate rsa modulus 1024 label r1.cbtnuggets.com

crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r1.cbtnuggets.com
fqdn r1.cbtnuggets.com
subject-name CN=r1,O=cbtnuggets.com
revocation-check none
exit

crypto pki authenticate Trusted-CA

crypto pki enroll Trusted-CA

crypto pki certificate map CMAP 10
issuer-name co cbtnuggets
exit

crypto ikev2 proposal IKEv2-Proposal
encryption aes-cbc-128
integrity sha1
group 5
exit

crypto ikev2 policy IKEv2-Policy
proposal IKEv2-Proposal
exit

crypto ikev2 profile IKEv2-Profile
identity local dn
match certificate CMAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint Trusted-CA
exit

crypto ipsec transform-set Our-TSET esp-aes esp-sha-hmac
mode transport
exit

crypto ipsec profile IPsec-Profile
set transform-set Our-TSET
set ikev2-profile IKEv2-Profile
exit

interface Tunnel0
ip unnumbered loop 0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 25.0.0.2
tunnel protection ipsec profile IPsec-Profile
ip ospf 1 area 0
end

! R2
conf t

no crypto pki trustpoint Trusted-CA
yes

crypto key zeroize rsa
yes

crypto key generate rsa modulus 1024 label r2.cbtnuggets.com

crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r2.cbtnuggets.com
fqdn r2.cbtnuggets.com
subject-name CN=r2,O=cbtnuggets.com
revocation-check none
exit

crypto pki authenticate Trusted-CA

crypto pki enroll Trusted-CA

crypto pki certificate map CMAP 10
issuer-name co cbtnuggets
exit

crypto ikev2 proposal IKEv2-Proposal
encryption aes-cbc-128
integrity sha1
group 5
exit

crypto ikev2 policy IKEv2-Policy
proposal IKEv2-Proposal
exit

crypto ikev2 profile IKEv2-Profile
identity local dn
match certificate CMAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint Trusted-CA
exit

crypto ipsec transform-set Our-TSET esp-aes esp-sha-hmac
mode transport
exit

crypto ipsec profile IPsec-Profile
set transform-set Our-TSET
set ikev2-profile IKEv2-Profile
exit

interface Tunnel0
ip unnumbered loop 0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 15.0.0.1
tunnel protection ipsec profile IPsec-Profile
ip ospf 1 area 0
end

show crypto ikev2 sa

show crypto ikev2 sa detail

show crypto engine connections active

show ip route ospf

ping 10.1.1.1 source 10.2.2.2
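Added example, not part of the original post: a small Python audit that reads a pasted configuration in the same form as the one above and flags the settings a reviewer would question before deploying it (1024-bit RSA, SHA-1 integrity, DH group 5, revocation checking disabled, and an rsa-sig profile with no trustpoint). The baseline thresholds and the trimmed sample configuration are my assumptions, not something the post states.

```python
import re

# Constructed sample in the page's pasted-CLI form (R1 side, trimmed to what the audit inspects).
SAMPLE_CONFIG = """\
crypto key generate rsa modulus 1024 label r1.cbtnuggets.com
crypto pki trustpoint Trusted-CA
revocation-check none
exit
crypto ikev2 proposal IKEv2-Proposal
integrity sha1
group 5
exit
crypto ikev2 profile IKEv2-Profile
authentication remote rsa-sig
pki trustpoint Trusted-CA
exit
"""
# Baseline assumed for this audit (my policy, not something the page states).
MIN_RSA_BITS, WEAK_DH_GROUPS, WEAK_INTEGRITY = 2048, {"1", "2", "5"}, {"md5", "sha1"}

def audit_ikev2_config(text):
    """Return (severity, message) findings for a pasted IOS IKEv2/PKI config."""
    findings, section, profile = [], None, None
    def close_profile(p):
        # rsa-sig authentication needs a trustpoint; a keyring only serves pre-share.
        if p and p["rsa_sig"] and not p["trustpoint"]:
            findings.append(("high", f"{p['name']}: rsa-sig without 'pki trustpoint'"))
    for line in (l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")):
        if line in ("exit", "end") or line.startswith(("crypto ", "interface ")):
            close_profile(profile)  # leaving the previous section
            section = None if line in ("exit", "end") else line
            profile = ({"name": line, "rsa_sig": False, "trustpoint": False}
                       if line.startswith("crypto ikev2 profile") else None)
        m = re.match(r"crypto key generate rsa modulus (\d+)", line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(("high", f"RSA modulus {m.group(1)} below {MIN_RSA_BITS}"))
        elif section and section.startswith("crypto pki trustpoint") and line == "revocation-check none":
            findings.append(("medium", f"{section}: revocation checking disabled"))
        elif section and section.startswith("crypto ikev2 proposal"):
            m = re.match(r"(integrity|group) (\S+)", line)
            if m and m.group(1) == "integrity" and m.group(2) in WEAK_INTEGRITY:
                findings.append(("medium", f"{section}: integrity {m.group(2)} is deprecated"))
            if m and m.group(1) == "group" and m.group(2) in WEAK_DH_GROUPS:
                findings.append(("medium", f"{section}: DH group {m.group(2)} is weak"))
        elif profile:  # inside a crypto ikev2 profile block
            profile["rsa_sig"] |= bool(re.match(r"authentication (remote|local) rsa-sig", line))
            profile["trustpoint"] |= line.startswith("pki trustpoint ")
    close_profile(profile)
    return findings
```

Run `audit_ikev2_config(SAMPLE_CONFIG)` to get the four findings for the sample; paste in the full R1 or R2 configuration from above to check the whole router.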
