mirror of https://git.dn42.dev/wiki/wiki.git, synced 2024-11-19 04:07:25 +01:00
Created CiscoIOSExample (markdown)
This commit is contained in: parent 44e0ca19dd, commit f903089765
132 howto/IPsecWithPublicKeys/CiscoIOSExample.md (Normal file)
@ -0,0 +1,132 @@
# IPsec with public key authentication on Cisco IOS
## Setup
### Generate an RSA keypair
_Note: You may already have completed this step, since it's required to enable SSH._
1. Configure a hostname and domain name.
Router#conf t
Router(config)#hostname foo
foo(config)#ip domain-name bar
2. Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
foo(config)#crypto key generate rsa general-keys modulus 2048
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
foo(config)#exit
### Exchange public keys with your peer
1. Display the public key. Send the key data portion to your peer.
foo#show crypto key mypubkey rsa foo.bar
% Key pair was generated at: 19:24:02 UTC Jul 19 2014
Key name: foo.bar
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
8F020301 0001
2. Convert your peer's public key to the hexadecimal DER format using the [pubkey-converter][pubkey-converter] script, if necessary.
[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"
## Configuration
### Configure the phase 1 IKE parameters
In this example, we'll use the following settings:
| Key | Value |
| :------------ | :------------ |
| Encryption | AES-128 |
| Hash | HMAC-SHA1 |
| DH Group | 5 (modp1536) |
| Lifetime | 28800 seconds |
| Peer address | 192.0.2.2 |
| Local address | 192.0.2.1 |
1. Add your peer's public key
foo#conf t
Enter configuration commands, one per line. End with CNTL/Z.
foo(config)#crypto key pubkey-chain rsa
foo(config-pubkey-chain)#addressed-key 192.0.2.2
foo(config-pubkey-key)#key
foo(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
foo(config-pubkey)#D5020301 0001
foo(config-pubkey)#quit
foo(config-pubkey-key)#exit
foo(config-pubkey-chain)#exit
2. Configure an ISAKMP policy
foo(config)#crypto isakmp policy 10
foo(config-isakmp)#encryption aes
foo(config-isakmp)#hash sha
foo(config-isakmp)#group 5
foo(config-isakmp)#lifetime 28800
foo(config-isakmp)#authentication rsa-sig
foo(config-isakmp)#exit
3. All done! Configure the phase 2 parameters as you otherwise would.
## Full GRE/IPsec example
crypto key pubkey-chain rsa
addressed-key 192.0.2.2
address 192.0.2.2
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
D5020301 0001
quit
!
crypto isakmp policy 10
encr aes
group 5
lifetime 28800
!
crypto ipsec transform-set tset esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile FOO
set transform-set tset
set pfs group5
!
interface Tunnel0
ip address 10.1.2.0 255.255.255.254
ip mtu 1400
tunnel source 192.0.2.1
tunnel destination 192.0.2.2
tunnel protection ipsec profile FOO
!
interface FastEthernet0/0
description WAN
ip address 192.0.2.1 255.255.255.0
duplex full
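Review bot: the ISAKMP policy in the "Full GRE/IPsec example" silently drops the two settings that make this a public-key configuration. Step 2 of the Configuration section sets `hash sha` and `authentication rsa-sig` explicitly, but the policy in the full example reads only `crypto isakmp policy 10` / `encr aes` / `group 5` plus the lifetime. On IOS both omitted settings are the defaults, which is why a copied running config does not show them, but a reader who builds a config from the full example cannot tell that; add the two lines to the block, or state in one sentence that they are defaults and therefore absent from `show run`. Three smaller points in the same hunk. The transcript under "1. Add your peer's public key" has a bare `foo(config-pubkey-key)#key` line before `key-string`, which does not look like a valid command in that mode and should be dropped. `addressed-key 192.0.2.2` binds the peer's key to its IP address, so this only works while the peer presents its address as its IKE identity (the IOS default); a peer that identifies by hostname needs `named-key` instead, which is worth a sentence. Finally, with no CA involved the pasted `key-string` is the entire trust anchor, so the document should tell readers to confirm the peer's key data out of band (compare the hex, or a hash of it, over a channel they already trust) rather than accept it from whatever message delivered it, and should flag HMAC-SHA1 and DH group 5 (1536-bit MODP) in the settings table, and `esp-sha-hmac` / `set pfs group5` in the transform set and profile, as the weak points of this policy; `hash sha256`, `group 14` or higher and `esp-sha256-hmac` are the direct replacements where both peers support them.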