Escolar Documentos
Profissional Documentos
Cultura Documentos
Contents
Introduction
Prerequisites
Requirements
Components Used
Background Information
Configure
NTP
Network Diagram
Configurations
Verify
Troubleshoot
Introduction
This document describes how to set up a Easy VPN tunnel between a Cisco Adaptive Security Appliance (ASA) and a router that runs Cisco
IOS?? software using main mode with self signed certificate.
Prerequisites
The sample configuration of the router-to-router Easy VPN Solution is based on the assumptions that the IP address at the Cisco Easy VPN
Server is static and that the IP address at the Cisco Easy VPN Client is static.
Requirements
Cisco recommends that you have knowledge of these topics:
Internet Key Exchange (IKE)
Certificates and Public Key Infrastructure (PKI)
Components Used
The information in this document is based on these software and hardware versions:
Cisco ASA 5510 Adaptive Security Appliance that runs software version 8.4(7)
Cisco 2821 Series Integrated Services Router (ISR) that runs Cisco IOS software version 15.2(4)M2
Related Products
This document can also be used with these hardware and software versions:
Cisco ASA that runs software version 8.4 or later
Cisco ISR Generation router that runs Cisco IOS software version 15.0 or later
Background Information
The document talks about using EzVPN on main mode which is not supported with pre-shared key. However, we can use main mode with
Certificate authentication to overcome the vulnerabilities associated with aggressive mode: CVE-2002-1623.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started
with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure
NTP
Certificate authentication requires that the clocks on all participating devices be synchronized to a common source. While the clock can be set
manually on each device, this is not very accurate and can be cumbersome. The easiest method to synchronize the clocks on all devices is to use
NTP. NTP synchronizes timekeeping among a set of distributed time servers and clients. This synchronization allows events to be correlated
when system logs are created and when other time-specific events occur. For more information on how to configure NTP, refer to Network Time
Protocol: Best Practices White Paper.
http://www.cisco.com/c/en/us/support/docs/availability/high-availability/19643-ntpm.html
Network Diagram
Configurations
Router:
Current configuration : 6024 bytes
!
!
hostname CISCO_LAB_ROUTER
!
----------CA Server configuration
crypto pki server ASA
issuer-name cn=ASA, ou=VPN, o=cisco, c=US
grant auto
lifetime ca-certificate 300
!
-----------PKI Trustpoint configuration
crypto pki trustpoint router
enrollment url http://11.11.11.11:80
revocation-check none
!
!
crypto pki certificate chain router
certificate 03
30820225 3082018E A0030201 02020103
39310B30 09060355 04061302 5553310E
300A0603 55040B13 0356504E 310C300A
31313234 31383034 32365A17 0D313630
06092A86 4886F70D 01090216 1642474C
73636F30 819F300D 06092A86 4886F70D
D7423408 DAEDB119 5E1D6F9B F627F80B
300D0609
300C0603
06035504
39313931
2E532E31
01010105
28F6691F
2A864886
55040A13
03130341
38303130
362D3238
0003818D
799AFCC5
F70D0101
05636973
5341301E
395A3027
30302D31
00308189
ECBF5FAA
05050030
636F310C
170D3135
31253023
342E6369
02818100
23D4D890
905A4935
C3518E53
C4AB29AE
04040302
DD4FD606
C0D8ADD8
BFE17248
E9A5C1C9
80B481C4
B253B3C5
37873935
E23E5076
EA1FF522
05A0301F
268A1E30
2B1A300D
F1777B78
9CF77C9D
A3AB3408
481B3E54
9D7406F8
06C73C5A
DBCDFEE8
0603551D
1D060355
06092A86
EBF49CA3
2EC71C81
C3F6F1A6
1FB7CEA9
D6986395
C83CC2F3
8A9E40A5
23041830
1D0E0416
4886F70D
F967C986
ABB1A64C
E42E4585
97A01C50
300D0609
300C0603
06035504
39313931
040A1305
13034153
8100BAFF
65301232
97388937
05C3FA73
C41D0203
551D0F01
FFD69E8E
D69E8EF7
34F5327C
937E4CD7
C9F2E0BF
79CBBF0B
2A864886
55040A13
03130341
38303130
63697363
4130819F
C15ABB3D
163FFCD0
193BCD22
E50A7DE9
010001A3
01FF0404
F705DD4F
05DD4FD6
95DD6B24
DF24944E
D65CB235
75E507B5
F70D0101
05636973
5341301E
395A3039
6F310C30
300D0609
78778733
1CCCCF07
729D3F61
CC2BBF15
63306130
03020186
D606268A
06268A1E
09E5F485
35482A00
2FFA5301
9A75344E
04050030
636F310C
170D3135
310B3009
0A060355
2A864886
762F71A7
6CAEABD8
5712E71A
F21E8615
0F060355
301F0603
1E301D06
300D0609
7B2B9918
ED28FB5B
705ECD56
206551B5
300D0609
300C0603
06035504
39313931
040A1305
13034153
8100BAFF
65301232
97388937
05C3FA73
C41D0203
551D0F01
FFD69E8E
D69E8EF7
34F5327C
937E4CD7
C9F2E0BF
79CBBF0B
2A864886
55040A13
03130341
38303130
63697363
4130819F
C15ABB3D
163FFCD0
193BCD22
E50A7DE9
010001A3
01FF0404
F705DD4F
05DD4FD6
95DD6B24
DF24944E
D65CB235
75E507B5
F70D0101
05636973
5341301E
395A3039
6F310C30
300D0609
78778733
1CCCCF07
729D3F61
CC2BBF15
63306130
03020186
D606268A
06268A1E
09E5F485
35482A00
2FFA5301
9A75344E
04050030
636F310C
170D3135
310B3009
0A060355
2A864886
762F71A7
6CAEABD8
5712E71A
F21E8615
0F060355
301F0603
1E301D06
300D0609
7B2B9918
ED28FB5B
705ECD56
206551B5
!
!
--------------EzVPN client configurtaion
crypto ipsec client ezvpn VPN
connect auto
mode network-extension
peer 11.11.11.111
xauth userid mode interactive
!
!--------------IPSEC mapping on interfaces
interface GigabitEthernet0/0
ip address 11.11.11.11 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn VPN
!
interface GigabitEthernet0/1
ip address 10.106.69.121 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn VPN inside
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
end
CISCO_LAB_ROUTER#
ASA:
ASA Version 8.4(7)
!
hostname CISCO_LAB_ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif CERT
security-level 0
ip address 11.11.11.111 255.255.255.0
!
interface Management0/0
nameif tftp
security-level 0
ip address 10.106.69.107 255.255.255.0
!-------------EZVPN Server configuration
crypto
crypto
crypto
crypto
crypto
crypto
308201ac
09060355
55040b13
31383033
4886f70d
06092a86
9c197870
a0030201
04061302
0356504e
32315a17
01090216
4886f70d
aa2b2a8c
02020102
5553310e
310c300a
0d313630
1262676c
01010105
cd6ea4ef
300d0609
300c0603
06035504
39313931
040a1305
13034153
8100baff
65301232
97388937
05c3fa73
c41d0203
551d0f01
ffd69e8e
d69e8ef7
34f5327c
937e4cd7
c9f2e0bf
79cbbf0b
2a864886
55040a13
03130341
38303130
63697363
4130819f
c15abb3d
163ffcd0
193bcd22
e50a7de9
010001a3
01ff0404
f705dd4f
05dd4fd6
95dd6b24
df24944e
d65cb235
75e507b5
f70d0101
05636973
5341301e
395a3039
6f310c30
300d0609
78778733
1ccccf07
729d3f61
cc2bbf15
63306130
03020186
d606268a
06268a1e
09e5f485
35482a00
2ffa5301
9a75344e
04050030
636f310c
170d3135
310b3009
0a060355
2a864886
762f71a7
6caeabd8
5712e71a
f21e8615
0f060355
301f0603
1e301d06
300d0609
7b2b9918
ed28fb5b
705ecd56
206551b5
300d0609
300c0603
06035504
39313931
2d532d31
0003818d
150bc5ed
2a864886
55040a13
03130341
38303130
362d4153
00308189
f38812a2
f70d0101
05636973
5341301e
395a3023
41353530
02818100
baad0929
04050030
636f310c
170d3135
3121301f
302d3130
efc22ac0
cde15a14
f5982e23
93b0e711
40e5cb9f
01a37130
30302d31
143ba9f1
be1953e2
04050003
edd49e5c
904814ec
d4149dc1
1cd98cc7
quit
9208b79e
05da2932
ee9a13e3
6f301d06
300e0603
006c39bc
579f9901
81810081
84f49a04
5b9bb2bf
a7f5417e
77fbb4
decb58ed
6621170e
8e2a63e8
03551d11
551d0f01
ffd69e8e
cbc6d4e4
68d44005
971a4d51
c5834a38
0617c566
04e1c552
93c0197d
96186be0
04163014
01ff0404
f705dd4f
1290451b
d2cfa98f
b23032c5
74f56df8
507cb91d
c352a7b7
4de3639e
9f1db880
82126267
030205a0
d606268a
e4bbcec0
c2575dcb
538f889d
8afc2588
0adddb77
0458c205
6b1ce677
0eb8b63a
6c2d532d
301f0603
1e301d06
300d0609
724387af
8f25ffae
9fe78e2a
192f727a
------------IKE configuration
crypto ikev1 enable CERT
crypto ikev1 policy 5
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
------------Group Policy Configuraiton
group-policy VPNPOLICY internal
group-policy VPNPOLICY attributes
re-xauth disable
split-tunnel-policy tunnelall
nem enable
username cisco password 3USUcOPFUiMCO4Jk encrypted
------------Tunnel Group configuration
tunnel-group DefaultRAGroup general-attributes
default-group-policy VPNPOLICY
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 trust-point ASA
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
default-group-policy VPNPOLICY
tunnel-group VPN ipsec-attributes
ikev1 trust-point ASA
tunnel-group-map enable rules
tunnel-group-map DefaultCertificateMap 1 VPN
!
: end
Verify
To verify that the devices are enrolled successfully with the CA:
Router
CISCO_LAB_ROUTER#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
cn=ASA
ou=VPN
o=cisco
c=US
Subject:
Name: CISCO_LAB_ROUTER.cisco
hostname=CISCO_LAB_ROUTER.cisco
Validity Date:
start date: 18:04:26 UTC Nov 24 2015
end date: 18:01:09 UTC Sep 19 2016
Associated Trustpoints: router
Storage: nvram:ASA#3.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=ASA
ou=VPN
a5548367
aac8c68e
0c17fe3d
31362d41
551d2304
03551d0e
2a864886
852628be
d605fc40
0e7ccbfe
6fbbb413
7a4ae377
d9e7d098
02030100
53413535
18301680
04160414
f70d0101
4fe1b27f
9d7d49f3
de339970
82e72b83
o=cisco
c=US
Subject:
cn=ASA
ou=VPN
o=cisco
c=US
Validity Date:
start date: 18:01:09 UTC Nov 24 2015
end date: 18:01:09 UTC Sep 19 2016
Associated Trustpoints: ASA router
Storage: nvram:ASA#1CA.cer
ASA
CISCO_LAB_ASA# show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: MD5 with RSA Encryption
Issuer Name:
cn=ASA
ou=VPN
o=cisco
c=US
Subject Name:
hostname=CISCO_LAB_ASA
Validity Date:
start date: 18:03:21 UTC Nov 24 2015
end date: 18:01:09 UTC Sep 19 2016
Associated Trustpoints: ASA
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: MD5 with RSA Encryption
Issuer Name:
cn=ASA
ou=VPN
o=cisco
c=US
Subject Name:
cn=ASA
ou=VPN
o=cisco
c=US
Validity Date:
start date: 18:01:09 UTC Nov 24 2015
end date: 18:01:09 UTC Sep 19 2016
Associated Trustpoints: ASA
state
QM_IDLE
conn-id status
1114 ACTIVE
Phase 2 verification:
ASA
Phase 1 verification:
CISCO_LAB_ASA# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1
Role
State
: responder
: MM_ACTIVE
Phase 2 verification:
Troubleshoot
Debugs on the ASA
Caution: On the ASA, you can set various debug levels; by default, level 1 is used. If you change the debug level, the verbosity of the
debugs might increase.
It is recommended to use conditional debugs to view debugs only for the single peer:
debug crypto condition peer <peer ip address>
Debugs on Router
The router debugs for tunnel negotiation are:
debug crypto ikev1
debug crypto ikev1 error
debug crypto ikev1 internal