mirror of
https://git.dn42.dev/wiki/wiki.git
synced 2024-11-27 11:23:37 +01:00
5.5 KiB
5.5 KiB
IPsec with public key authentication on Cisco IOS
Setup
Generate an RSA keypair
Note: You may already have completed this step, since it's required to enable SSH.
-
Configure a hostname and domain name.
Router#conf t Router(config)#hostname foo foo(config)#ip domain-name bar
-
Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
foo(config)#crypto key generate rsa general-keys modulus 2048 % The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be non-exportable... foo(config)#exit
Exchange public keys with your peer
-
Display the public key. Send the key data portion to your peer.
foo#show crypto key mypubkey rsa foo.bar % Key pair was generated at: 19:24:02 UTC Jul 19 2014 Key name: foo.bar Storage Device: not specified Usage: General Purpose Key Key is not exportable. Key Data: 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8 83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27 FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130 CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50 1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99 C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2 F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044 8F020301 0001
-
Convert your peer's public key to the hexadecimal DER format using the pubkey-converter script, if necessary.
Configuration
Configure the phase 1 IKE parameters
In this example, we'll use the following settings:
Key | Value |
---|---|
Encryption | AES-128 |
Hash | HMAC-SHA1 |
DH Group | 5 (modp1536) |
Lifetime | 28800 seconds |
Peer address | 192.0.2.2 |
Local address | 192.0.2.1 |
-
Add your peer's public key
foo#conf t Enter configuration commands, one per line. End with CNTL/Z. foo(config)#crypto key pubkey-chain rsa foo(config-pubkey-chain)#addressed-key 192.0.2.2 foo(config-pubkey-key)#key-string Enter a public key as a hexidecimal number .... foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0 foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7 foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1 foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324 foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008 foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2 foo(config-pubkey)#D5020301 0001 foo(config-pubkey)#quit foo(config-pubkey-key)#exit foo(config-pubkey-chain)#exit
-
Configure an ISAKMP policy
foo(config)#crypto isakmp policy 10 foo(config-isakmp)#encryption aes foo(config-isakmp)#hash sha foo(config-isakmp)#group 5 foo(config-isakmp)#lifetime 28800 foo(config-isakmp)#authentication rsa-sig foo(config-isakmp)#exit
-
All done! Configure the phase 2 parameters as you otherwise would.
Full GRE/IPsec example
crypto key pubkey-chain rsa
addressed-key 192.0.2.2
address 192.0.2.2
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
D5020301 0001
quit
!
crypto isakmp policy 10
encr aes
group 5
lifetime 28800
!
crypto ipsec transform-set tset esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile FOO
set transform-set tset
set pfs group5
!
interface Tunnel0
ip address 10.1.2.0 255.255.255.254
ip mtu 1400
tunnel source 192.0.2.1
tunnel destination 192.0.2.2
tunnel protection ipsec profile FOO
!
interface FastEthernet0/0
description WAN
ip address 192.0.2.1 255.255.255.0
duplex full