2. THE PING BOX .NET CCIE Security 4.0
1 | P a g e
IPSec VPN with RSA using NTP & CA Servers
CONFIGURATION:
STEP I: Configure NTP Server on R4 and NTP Client on R1 & R2
NTP SERVER (ROUTER R4)
To set the clock (certificate validation depends on it), enter in privileged EXEC mode:
CA_Server# clock set 12:10:08 26 july 2014
ntp authentication-key 1 md5 ciscoNTP
ntp authenticate
ntp trusted-key 1
ntp master 2
VERIFICATION:
CA_Server# sh ntp status
CA_Server# sh ntp associations
NTP CLIENTS (ROUTER R1 & R2)
ntp authentication-key 1 md5 ciscoNTP
ntp authenticate
ntp trusted-key 1
ntp server 40.0.0.4 key 1
VERIFICATION:
R1# sh ntp status
R1# sh ntp associations
STEP II: Configure CA Server on R4 and CA Client on Router R1 & R2
CA SERVER (ROUTER R4)
ip http server
crypto pki server IOS_CA
database archive pem password cisco123
grant auto
lifetime certificate 300
lifetime ca-certificate 500
no shutdown
exit
VERIFICATION:
CA_Server# sh crypto pki server
CA CLIENTS (ROUTER R1 & R2)
ip domain name Mabison.com
crypto key generate rsa (To generate the RSA key pair used for the router certificate)
crypto pki trustpoint IOS_CA
usage ike
enrollment url http://40.0.0.4
subject-name CN=R1, C=IN
exit
crypto ca authenticate IOS_CA (To authenticate the CA and obtain its certificate)
crypto ca enroll IOS_CA (To enroll the router with the CA server and obtain its identity certificate)
STEP III: Create IPSec VPN between Router R1 & R2 using “rsa-sig”
ROUTER R1
crypto isakmp policy 10
encr 3des
hash md5
group 2
auth rsa-sig
exit
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
crypto ipsec transform-set tset esp-3des esp-md5-hmac
exit
crypto map RSA_ENCRYPT 10 ipsec-isakmp
set peer 20.0.0.2
set transform-set tset
match address 101
exit
interface FastEthernet0/0
crypto map RSA_ENCRYPT
exit
ROUTER R2
crypto isakmp policy 10
encr 3des
hash md5
group 2
auth rsa-sig
exit
access-list 101 permit ip host 2.2.2.2 host 1.1.1.1
crypto ipsec transform-set tset esp-3des esp-md5-hmac
exit
crypto map RSA_ENCRYPT 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set tset
match address 101
exit
interface FastEthernet0/0
crypto map RSA_ENCRYPT
exit
VERIFICATION:
R1# sh crypto isakmp sa
R1# sh crypto ipsec sa
IPSec VPN with IKE V2
CONFIGURATION:
ON ROUTER R1
R1(config)#crypto ikev2 proposal prop1
R1(config-ikev2-proposal)# encryption 3des des
R1(config-ikev2-proposal)# integrity md5 sha1
R1(config-ikev2-proposal)# group 2 5
R1(config-ikev2-proposal)# exit
R1(config)#crypto ikev2 policy pol1
R1(config-ikev2-policy)# proposal prop1
R1(config-ikev2-policy)# exit
R1(config)#crypto ikev2 keyring kr1
R1(config-ikev2-keyring)# peer site1
R1(config-ikev2-keyring-peer)# address 30.0.0.3
R1(config-ikev2-keyring-peer)# pre-shared-key local cisco1
R1(config-ikev2-keyring-peer)# pre-shared-key remote cisco2
R1(config-ikev2-keyring-peer)# exit
R1(config-ikev2-keyring)# exit
R1(config)#crypto ikev2 profile prof1
R1(config-ikev2-profile)# match identity remote address 30.0.0.3 255.255.255.255
R1(config-ikev2-profile)# authentication remote pre-share
R1(config-ikev2-profile)# authentication local pre-share
R1(config-ikev2-profile)# keyring local kr1
R1(config-ikev2-profile)# exit
R1(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
R1(config)#crypto map abc 10 ipsec-isakmp
R1(config-crypto-map)# set peer 30.0.0.3
R1(config-crypto-map)# set transform-set tset
R1(config-crypto-map)# set ikev2-profile prof1
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# exit
R1(config)#int fa 1/0
R1(config-if)#crypto map abc
R1(config-if)#exit
ON ROUTER R3
R3(config)#crypto ikev2 proposal prop1
R3(config-ikev2-proposal)# encryption 3des des
R3(config-ikev2-proposal)# integrity md5 sha1
R3(config-ikev2-proposal)# group 2 5
R3(config-ikev2-proposal)# exit
R3(config)#crypto ikev2 policy pol1
R3(config-ikev2-policy)# proposal prop1
R3(config-ikev2-policy)# exit
R3(config)#crypto ikev2 keyring kr1
R3(config-ikev2-keyring)# peer site1
R3(config-ikev2-keyring-peer)# address 10.0.0.1
R3(config-ikev2-keyring-peer)# pre-shared-key local cisco2
R3(config-ikev2-keyring-peer)# pre-shared-key remote cisco1
R3(config-ikev2-keyring-peer)# exit
R3(config-ikev2-keyring)# exit
R3(config)#crypto ikev2 profile prof1
R3(config-ikev2-profile)# match identity remote address 10.0.0.1 255.255.255.255
R3(config-ikev2-profile)# authentication remote pre-share
R3(config-ikev2-profile)# authentication local pre-share
R3(config-ikev2-profile)# keyring local kr1
R3(config-ikev2-profile)# exit
R3(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#exit
R3(config)#access-list 101 permit ip host 3.3.3.3 host 1.1.1.1
R3(config)#crypto map abc 10 ipsec-isakmp
R3(config-crypto-map)# set peer 10.0.0.1
R3(config-crypto-map)# set transform-set tset
R3(config-crypto-map)# set ikev2-profile prof1
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# exit
R3(config)#int fa 1/0
R3(config-if)#crypto map abc
R3(config-if)#exit
RESULT:
ON ROUTER R1
R1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 30.0.0.3/500 none/none READY
Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/164 sec
IPv6 Crypto IKEv2 SA
ON ROUTER R3
R3#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 30.0.0.3/500 10.0.0.1/500 none/none READY
Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/36 sec
IPv6 Crypto IKEv2 SA
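The SA output above can be checked mechanically rather than read by eye. This Python script is an added example, not part of the original lab: it parses the "sh crypto ikev2 sa" layout shown on this page and flags the settings both labs rely on (3DES, MD5, DH group 2, PSK) that current guidance treats as weak; the sample output and the weakness thresholds are constructed assumptions.

```python
import re

# Constructed sample in the layout of the "sh crypto ikev2 sa" output shown on this page.
SAMPLE_IKEV2_SA = """\
 IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.0.0.1/500          30.0.0.3/500          none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/164 sec
 IPv6 Crypto IKEv2 SA
"""
# Assumed policy thresholds (not from the page); MD596 is how IOS prints HMAC-MD5-96.
WEAK = {"encr": {"DES", "3DES"}, "hash": {"MD5", "MD596", "SHA96"}, "dh": {1, 2, 5}}

SA_LINE = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)\s+(\S+)\s*$")
ATTR_LINE = re.compile(r"Encr:\s*(\S+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+),"
                       r"\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")
LIFE_LINE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")

def parse_ikev2_sa(text):
    """Return one dict per SA entry: endpoints, status, algorithms and lifetimes."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_LINE.match(line)
        if m:                          # table row: starts a new SA entry
            sas.append({"tunnel_id": int(m.group(1)), "local": m.group(2),
                        "remote": m.group(4), "vrf": m.group(6), "status": m.group(7)})
            continue
        m = ATTR_LINE.search(line)
        if m and sas:                  # algorithm line belongs to the most recent entry
            sas[-1].update(encr=m.group(1), hash=m.group(2), dh=int(m.group(3)),
                           auth_sign=m.group(4), auth_verify=m.group(5))
            continue
        m = LIFE_LINE.search(line)
        if m and sas:
            sas[-1].update(lifetime=int(m.group(1)), active=int(m.group(2)))
    return sas

def audit(sa):
    """Return finding strings for one parsed SA; an empty list means nothing was flagged."""
    findings = []
    if sa.get("status") != "READY":
        findings.append(f"tunnel {sa['tunnel_id']} not established (status {sa.get('status')})")
    for key, label in (("encr", "encryption"), ("hash", "integrity"), ("dh", "DH group")):
        if sa.get(key) in WEAK[key]:
            findings.append(f"weak {label} {sa[key]}")
    if "PSK" in (sa.get("auth_sign"), sa.get("auth_verify")):
        findings.append("pre-shared-key authentication; the rsa-sig lab uses certificates instead")
    return findings
```

Paste the real output of "sh crypto ikev2 sa" from R1 or R3 in place of the sample to audit a live tunnel; a non-READY status is reported as its own finding.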