mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-11-19 04:07:25 +01:00

Created CiscoIOSExample (markdown)

This commit is contained in:
dn42 wiki 2014-07-20 04:22:35 +02:00
parent 44e0ca19dd
commit f903089765


@ -0,0 +1,132 @@
# IPsec with public key authentication on Cisco IOS
## Setup
### Generate an RSA keypair
_Note: You may already have completed this step, since it's required to enable SSH._
1. Configure a hostname and domain name.
Router#conf t
Router(config)#hostname foo
foo(config)#ip domain-name bar
2. Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
foo(config)#crypto key generate rsa general-keys modulus 2048
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
foo(config)#exit
### Exchange public keys with your peer
1. Display the public key. Send the key data portion to your peer.
foo#show crypto key mypubkey rsa foo.bar
% Key pair was generated at: 19:24:02 UTC Jul 19 2014
Key name: foo.bar
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
8F020301 0001
2. Convert your peer's public key to the hexadecimal DER format using the [pubkey-converter][pubkey-converter] script, if necessary.
[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"
## Configuration
### Configure the phase 1 IKE parameters
In this example, we'll use the following settings:
| Key | Value |
| :------------ | :------------ |
| Encryption | AES-128 |
| Hash | HMAC-SHA1 |
| DH Group | 5 (modp1536) |
| Lifetime | 28800 seconds |
| Peer address | 192.0.2.2 |
| Local address | 192.0.2.1 |
1. Add your peer's public key
foo#conf t
Enter configuration commands, one per line. End with CNTL/Z.
foo(config)#crypto key pubkey-chain rsa
foo(config-pubkey-chain)#addressed-key 192.0.2.2
foo(config-pubkey-key)#key
foo(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
foo(config-pubkey)#D5020301 0001
foo(config-pubkey)#quit
foo(config-pubkey-key)#exit
foo(config-pubkey-chain)#exit
2. Configure an ISAKMP policy
foo(config)#crypto isakmp policy 10
foo(config-isakmp)#encryption aes
foo(config-isakmp)#hash sha
foo(config-isakmp)#group 5
foo(config-isakmp)#lifetime 28800
foo(config-isakmp)#authentication rsa-sig
foo(config-isakmp)#exit
3. All done! Configure the phase 2 parameters as you otherwise would.
## Full GRE/IPsec example
crypto key pubkey-chain rsa
addressed-key 192.0.2.2
address 192.0.2.2
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
D5020301 0001
quit
!
crypto isakmp policy 10
encr aes
group 5
lifetime 28800
!
crypto ipsec transform-set tset esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile FOO
set transform-set tset
set pfs group5
!
interface Tunnel0
ip address 10.1.2.0 255.255.255.254
ip mtu 1400
tunnel source 192.0.2.1
tunnel destination 192.0.2.2
tunnel protection ipsec profile FOO
!
interface FastEthernet0/0
description WAN
ip address 192.0.2.1 255.255.255.0
duplex full
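Review bot: The key-exchange step ("Display the public key. Send the key data portion to your peer.") should say how the receiving side verifies the blob before entering it under `addressed-key 192.0.2.2`, because that entry is the entire trust anchor for phase 1: whatever key-string is pasted there is what `authentication rsa-sig` will accept from that peer address, so a key substituted in transit authenticates the wrong party. Suggest adding a sentence that the peer confirms the key data over an already-authenticated channel (for example by comparing the `show crypto key mypubkey rsa` output read back aloud or sent via a signed message) before running `crypto key pubkey-chain rsa`. Two smaller points: in the "Full GRE/IPsec example" the `crypto isakmp policy 10` block omits `authentication rsa-sig` and `hash sha`, which the step-by-step section sets explicitly; both are the IOS defaults and are suppressed in a running-config, but stating that in a short comment would stop readers from assuming the full example falls back to pre-shared keys. And the stray `foo(config-pubkey-key)#key` line before `key-string` in the "Add your peer's public key" transcript looks like an incomplete command left in by accident; the full example shows the actual sequence as `addressed-key`, `address`, `key-string`.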