Configuring IPSec Site-to-Site Tunnels Using Certificates
In Chapter 15, "Site-to-Site IPSec VPNs," you learned how to configure an IPSec site-to-site tunnel using preshared keys. This section shows you how to configure an IPSec site-to-site tunnel between two Cisco ASAs using certificates. In this example, a branch office in London needs to create an IPSec site-to-site tunnel to SecureMe's headquarters office in Chicago. Figure 17-6 illustrates a high-level network topology of SecureMe's implementation.
Figure 17-6. IPSec Site-to-Site Tunnel Using Certificates
The Cisco ASAs in both locations enroll with the CA server and then build the IPSec site-to-site tunnel, each presenting its own certificate for authentication. Example 17-17 shows Chicago's ASA trustpoint configuration.
Example 17-17. Chicago ASA Trustpoint Configuration
crypto ca trustpoint chicago
 enrollment retry period 5
 enrollment retry count 5
 enrollment url http://209.165.202.130/certsrv/mscep/mscep.dll
 fqdn Chicago.securemeinc.com
 subject-name O=secureme, OU=Chicago
The Cisco ASA is configured to enroll with the CA server at 209.165.202.130 over SCEP; the /certsrv/mscep/mscep.dll path is the SCEP endpoint of a Microsoft CA. The certificate's distinguished name will contain O=secureme and OU=Chicago in this example, where O is the organization name and OU the organizational unit. The enrollment retry commands make the ASA poll the CA every 5 minutes, up to 5 times, while the request is pending. Because enrollment runs over plain HTTP, compare the CA certificate fingerprint that the ASA displays during crypto ca authenticate with a value obtained from the CA administrator out of band before accepting it; every tunnel built with these certificates inherits trust from that root. After the certificates are retrieved from the CA server, the certificate chain appears in the configuration, as shown in Example 17-18.
Example 17-18. Certificate Chain Information
Chicago# show running-config | begin crypto ca certificate
crypto ca certificate chain chicago
 certificate 03
    30820211 308201bb a0030201 02020103 300d0609 2a864886 f70d0101 04050030
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
    130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
  quit
 certificate ca 01
    308201d0 3082017a a0030201 02020101 300d0609 2a864886 f70d0101 04050030
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
  quit
Note
Hexadecimal certificate information has been shortened for brevity in Example 17-18.
Example 17-19 shows the ISAKMP policy configured on Chicago's Cisco ASA. The isakmp identity auto command is used here. The IP address identity is usually used with preshared key authentication, and the hostname identity with certificate-based connections. With auto, the ASA chooses the identity by authentication type: the IP address for preshared keys and the certificate's distinguished name for certificate authentication. This is the recommended setting when some IPSec tunnels use preshared keys and others use certificates.
Example 17-19. ISAKMP Policy Configuration
isakmp identity auto
isakmp enable outside
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
The isakmp policy 1 authentication rsa-sig line in Example 17-19 shows that the Cisco ASA is configured for RSA signature authentication. The other policy lines are the same as for a preshared-key tunnel. Note that group 1 (768-bit Diffie-Hellman) and SHA-1, as used in this lab, are weak by current standards; a new deployment should select a stronger Diffie-Hellman group, such as group 14, wherever both peers support it.
Example 17-20 includes Chicago's ASA crypto map configuration.
Example 17-20. Crypto Map Configuration
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map chicago 10 match address 100
crypto map chicago 10 set peer 209.165.201.1
crypto map chicago 10 set transform-set myset
crypto map chicago 10 set trustpoint Chicago
crypto map chicago interface outside
The crypto map configuration is similar to the configuration examples in Chapter 15. The set trustpoint line in Example 17-20 associates the crypto map with the trustpoint whose certificate the ASA presents while negotiating the IPSec connection; the name given here must match the name used in the crypto ca trustpoint command.
Example 17-21 includes the tunnel group configuration for Chicago's ASA.
Example 17-21. Tunnel Group Configuration
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 peer-id-validate cert
 ! Validates the identity of the peer using the peer's certificate
 chain
 ! Enables sending the complete certificate chain
 trust-point Chicago
 ! Configures the name of the trustpoint that identifies the
 ! certificate to be used for this tunnel
Note the differences between the configuration in Example 17-21 and the configuration of an IPSec site-to-site tunnel using preshared keys. The peer-id-validate cert command makes the ASA validate the identity of the IPSec peer against the peer's certificate when that certificate supports it; the alternatives are req, which makes the check mandatory, and nocheck, which disables it. The chain command makes the Cisco ASA send its complete certificate chain to the peer. The trust-point command associates the trustpoint that identifies the certificate to be used for this tunnel; again, the name must match the trustpoint defined with crypto ca trustpoint.
Example 17-22 shows London's Cisco ASA site-to-site IPSec configuration.
Example 17-22. London's ASA Site-to-Site IPSec Configuration
access-list 100 extended permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
! Transform set and crypto map configuration matching the IPSec policies
! of the Chicago peer
crypto map London 10 match address 100
crypto map London 10 set peer 209.165.200.225
crypto map London 10 set transform-set myset
! The trustpoint configured below is applied to the crypto map
crypto map London 10 set trustpoint London
crypto map London interface outside
crypto ca trustpoint London
 enrollment retry period 5
 enrollment retry count 3
 enrollment url http://209.165.202.130/certsrv/mscep/mscep.dll
 fqdn London.securemeinc.com
 ! The certificate subject name information is defined
 subject-name O=secureme, OU=London
 crl configure
crypto ca certificate map 1
! The following is the certificate information appended to the configuration
! after enrollment
crypto ca certificate chain London
 certificate 02
    30820210 308201ba a0030201 02020102 300d0609 2a864886 f70d0101 04050030
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
    130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
    1e170d30 34303931 30313332 3230375a 170d3035 30393130 31333232 30375a30
    56311030 0e060355 040b1307 41746c61 6e746131 10300e06 0355040a 13074765
    6f726769 61313030 0e060355 04051307 34343436 37303830 1e06092a 864886f7
    0d010902 16114174 6c616e74 612e6369 73636f2e 636f6d30 5c300d06 092a8648
    86f70d01 01010500 034b0030 48024100 be06c890 637c426c 5c1e431e c6247567
    c0b7c279 86f87c1f 5c01a305 cdaf699a 84dd872d 7b45b0ba 4bf7f28c 2097fe6f
    5f07926a 9bfcdc03 0a383e9f 4b32d0b3 02030100 01a3818a 30818730 39060355
    1d1f0432 3030302e a02ca02a 86286874 74703a2f 2f63726c 73657276 65722e63
    6973636f 2e636f6d 2f43524c 2f636973 636f2e63 726c301c 0603551d 11041530
    13821141 746c616e 74612e63 6973636f 2e636f6d 300b0603 551d0f04 04030205
    a0301f06 03551d23 04183016 80142ff7 332973b2 4d6ddb0d 711bd3fb b033359a
    6981300d 06092a86 4886f70d 01010405 00034100 abe66626 4d58e0d6 25fa809d
    c30bfaed 4cae7ef3 e4f6a120 206ba892 faa81224 1497ea80 f9e28bf6 4a73037f
    570c7e19 f56a05ca a6942805 508e9b37 61dac8c3
  quit
 certificate ca 01
    308201d0 3082017a a0030201 02020101 300d0609 2a864886 f70d0101 04050030
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
    130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
    1e170d30 34303931 30313332 3035365a 170d3037 30393130 31333230 35365a30
    3e311430 12060355 040b130b 454e4749 4e454552 494e4731 16301406 0355040a
    130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
    5c300d06 092a8648 86f70d01 01010500 034b0030 48024100 dc7d0b35 1bfa7577
    99cbab8b 69c32a44 47ecd0ae 7cb13fc0 808e7520 9d5e6132 1bc4565a 1ede26a4
    fc01650e 240aa737 824e07c3 c92f9796 5dd10ac7 4e1a5b75 02030100 01a36330
    61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d 0f0101ff 04040302
    0186301d 0603551d 0e041604 142ff733 2973b24d 6ddb0d71 1bd3fbb0 33359a69
    81301f06 03551d23 04183016 80142ff7 332973b2 4d6ddb0d 711bd3fb b033359a
    6981300d 06092a86 4886f70d 01010405 00034100 7982764a c82daaf0 ed3b0a6e
    25df09b2 4caa7ce8 b27098f1 982085bc 0fda9bcf 86dedda6 84c30abc 48c43fc8
    692386ad 595e2b1e aafd3388 9d711b3c 6314cb5e
  quit
! ISAKMP identity is set to auto
isakmp identity auto
isakmp enable outside
! ISAKMP authentication is set to rsa-sig
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
! Tunnel group configuration for the site-to-site tunnel
tunnel-group 209.165.200.225 type ipsec-l2l
tunnel-group 209.165.200.225 ipsec-attributes
 ! The ASA will validate the identity of the peer using the peer's certificate
 peer-id-validate cert
 ! The chain subcommand enables the ASA to send the complete certificate chain
 chain
 ! The previously configured trustpoint is applied to the tunnel group
 trust-point London
The comment lines (beginning with !) in Example 17-22 explain the relevant configuration parameters in London's ASA. Two points are worth checking before relying on this configuration. First, crl configure only opens the CRL configuration mode under the trustpoint; if revoked peer certificates are to be rejected, confirm that revocation checking is actually enabled on the trustpoint (the exact command depends on the ASA release). Second, the subject-name under the trustpoint is only a request to the CA, so verify the identity certificate the ASA actually received, for example with show crypto ca certificates, rather than trusting the configured string.
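The certificate chain that lands in the running configuration is just DER in hex, so it can be decoded offline from a configuration backup when the ASA itself is not at hand. The following is an added example, not code from the book: a minimal DER walker written here with only the Python standard library, applied to the certificate 02 hex copied verbatim from Example 17-22. The function names (parse_certificate, audit) and the audit thresholds are this example's own choices. Decoding that hex shows a subject of OU=Atlanta, O=Georgia with unstructuredName Atlanta.cisco.com, an issuer of OU=ENGINEERING, O=Cisco Systems, CN=iosca, a 512-bit RSA key, an MD5 signature and a validity of September 2004 to September 2005, so the hex printed in Example 17-22 was captured from a lab certificate other than the London trustpoint configured above it. That is exactly the kind of mismatch this check exists to catch: the subject-name line is a request to the CA, and only the issued certificate says what identity the peer will actually see.

```python
# Added example, not code from the book: decode 'certificate 02' from Example
# 17-22 (copied verbatim below) using only the Python standard library.
from datetime import datetime

LONDON_CERT_HEX = """
30820210 308201ba a0030201 02020102 300d0609 2a864886 f70d0101 04050030 3e311430 12060355 040b130b 454e4749
4e454552 494e4731 16301406 0355040a 130d4369 73636f20 53797374 656d7331 0e300c06 03550403 1305696f 73636130
1e170d30 34303931 30313332 3230375a 170d3035 30393130 31333232 30375a30 56311030 0e060355 040b1307 41746c61
6e746131 10300e06 0355040a 13074765 6f726769 61313030 0e060355 04051307 34343436 37303830 1e06092a 864886f7
0d010902 16114174 6c616e74 612e6369 73636f2e 636f6d30 5c300d06 092a8648 86f70d01 01010500 034b0030 48024100
be06c890 637c426c 5c1e431e c6247567 c0b7c279 86f87c1f 5c01a305 cdaf699a 84dd872d 7b45b0ba 4bf7f28c 2097fe6f
5f07926a 9bfcdc03 0a383e9f 4b32d0b3 02030100 01a3818a 30818730 39060355 1d1f0432 3030302e a02ca02a 86286874
74703a2f 2f63726c 73657276 65722e63 6973636f 2e636f6d 2f43524c 2f636973 636f2e63 726c301c 0603551d 11041530
13821141 746c616e 74612e63 6973636f 2e636f6d 300b0603 551d0f04 04030205 a0301f06 03551d23 04183016 80142ff7
332973b2 4d6ddb0d 711bd3fb b033359a 6981300d 06092a86 4886f70d 01010405 00034100 abe66626 4d58e0d6 25fa809d
c30bfaed 4cae7ef3 e4f6a120 206ba892 faa81224 1497ea80 f9e28bf6 4a73037f 570c7e19 f56a05ca a6942805 508e9b37
61dac8c3
"""
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.5": "serialNumber", "2.5.4.10": "O", "2.5.4.11": "OU",
             "1.2.840.113549.1.9.2": "unstructuredName", "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def tlv(buf, pos=0):                       # one DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                       # the TLVs packed inside a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = tlv(value, pos)
        yield tag, inner

def collect(value, want):                  # depth-first: leaf values carrying tag `want`
    return [x for tag, inner in children(value)
            for x in ([inner] if tag == want else collect(inner, want) if tag & 0x20 else [])]

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(value):                    # SEQUENCE OF SET OF AttributeTypeAndValue
    parts = []
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            oid = decode_oid(oid)
            parts.append(f"{OID_NAMES.get(oid, oid)}={val.decode()}")
    return ", ".join(parts)

def parse_certificate(hex_blob):
    """Fields worth checking in an X.509 certificate given as ASA config hex."""
    _, cert, _ = tlv(bytes.fromhex(hex_blob))          # fromhex skips whitespace
    (_, tbs), (_, sig_alg), _ = children(cert)         # tbs, sigAlgorithm, signature
    fields = [f for f in children(tbs) if f[0] != 0xA0]   # drop optional [0] version
    serial, _, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             .isoformat() for _, v in children(validity[1]))
    _, (_, bit_string) = children(spki[1])             # SEQUENCE { alg, BIT STRING }
    _, rsa_key, _ = tlv(bit_string[1:])                # skip the unused-bits byte
    modulus = next(children(rsa_key))[1].lstrip(b"\x00")
    san, crl = [], []
    exts = fields[-1][1] if fields[-1][0] == 0xA3 else b"\x30\x00"   # [3] extensions
    for _, ext in children(next(children(exts))[1]):
        ext_parts = list(children(ext))                # OID, [critical], OCTET STRING
        oid, body = decode_oid(ext_parts[0][1]), ext_parts[-1][1]
        if oid == "2.5.29.17":                         # subjectAltName: dNSName [2]
            san += [v.decode() for v in collect(body, 0x82)]
        elif oid == "2.5.29.31":                       # cRLDistributionPoints: URI [6]
            crl += [v.decode() for v in collect(body, 0x86)]
    sig_oid = decode_oid(next(children(sig_alg))[1])
    return {"serial": int.from_bytes(serial[1], "big"),
            "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
            "issuer": decode_name(issuer[1]), "subject": decode_name(subject[1]),
            "not_before": not_before, "not_after": not_after, "san_dns": san,
            "crl_uris": crl, "rsa_bits": int.from_bytes(modulus, "big").bit_length()}

def audit(info, expected_ou, min_rsa_bits=2048, now=None):
    """Reasons not to trust this certificate for the tunnel (empty list = OK)."""
    findings, now = [], now or datetime.now().isoformat(timespec="seconds")
    if f"OU={expected_ou}" not in info["subject"]:
        findings.append(f"subject '{info['subject']}' lacks OU={expected_ou}")
    if info["rsa_bits"] < min_rsa_bits:
        findings.append(f"RSA key is only {info['rsa_bits']} bits")
    if info["signature_algorithm"] in {"md5WithRSAEncryption", "sha1WithRSAEncryption"}:
        findings.append(f"weak signature algorithm {info['signature_algorithm']}")
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append(f"not valid at {now}")
    return findings
```

Running audit(parse_certificate(LONDON_CERT_HEX), "London") reports four findings for the certificate printed in Example 17-22: the subject does not carry OU=London, the RSA key is 512 bits, the signature uses MD5, and the certificate is outside its validity period. The same decode applied to the certificate ca 01 block shows which CA actually signed it. On a live ASA, show crypto ca certificates gives the same information directly; the script is for reviewing configuration backups without access to the device.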