Escolar Documentos
Profissional Documentos
Cultura Documentos
Router1(config)#crypto isakmp policy 100 Router1(config-isakmp)#encryption aes 256 Router1(config-isakmp)#authentication rsa-encr Router1(config-isakmp)#group 2 Router1(config-isakmp)#exit Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256 Router1(cfg-crypto-trans)#mode transport Router1(cfg-crypto-trans)#exit Router1(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. Router1(config-crypto-map)#set peer 172.16.2.1 Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM Router1(config-crypto-map)#match address 102 Router1(config-crypto-map)#exit Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1 Router1(config)#interface Tunnel1 Router1(config-if)#ip address 192.168.1.1 255.255.255.252 Router1(config-if)#tunnel source 172.16.1.1 Router1(config-if)#tunnel destination 172.16.2.1 Router1(config-if)#exit Router1(config)#interface FastEthernet0/0 Router1(config-if)#ip address 172.16.1.1 255.255.255.0 Router1(config-if)#ip access-group 101 in Router1(config-if)#crypto map TUNNEL-RSA Router1(config-if)#exit Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1 Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1 Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1 Router1(config)#access-list 101 deny ip any any log Router1(config)#end Router1#
Discussion This recipe is similar to 12.5, except that here we use RSA keys for authentication and encryption instead of preshared keys. This technique is more secure but more time-consuming to configure. The first step is to create a set of RSA encryption keys using the methods discussed in Recipe 12.5. We took the keys that we generated in this way and entered them into the router configurations. So, for example, we created the
05000381 8D003081 1E7AA500 F7B620CA 01C83E08 7305ED3C 99C2AF80 45BC1BE9 94401D54 82ACA366 UTC Jul 20 2006
Note that in this example we used the default 512-bit key. However, in production networks, we recommend using 1024 or more bit keys. Then we took the general purpose key from this output and entered it into the other router as follows:
Router2(config)#crypto key pubkey-chain rsa Router2(config-pubkey-chain)#addressed-key 172.16.1.1 Router2(config-pubkey-key)#address 172.16.1.1 Router2(config-pubkey-key)#key-string Enter a public key as a hexidecimal number .... Router2(config-pubkey)#30819F30 0D06092A Router2(config-pubkey)#01E4B6E1 08823E41 Router2(config-pubkey)#114BA6B9 5ADE0D2E Router2(config-pubkey)#C0E6ACA2 C191DB07 Router2(config-pubkey)#0F3D5C09 7C26694F Router2(config-pubkey)#quit Router2(config-pubkey-key)#exit Router2(config-pubkey-chain)#exit
864886F7 8A98A7F4 7DC3EFC1 3D347F88 8FB75F90 0D010101 DB0E6277 D7D07015 2D2884BF 2FA1DF46 05000381 1E7AA500 01C83E08 99C2AF80 94401D54 8D003081 F7B620CA 7305ED3C 45BC1BE9 82ACA366 89028181 49BCBEBA 71F04B44 6D2BF684 E621DD04 00A0830E B0A0455A 31A1C574 B60C04E6 4B020301 0001
And then we repeated the procedure on the other router. With the keys in place, we proceeded to tell the routers how to use these keys to create an IPSec connection. Even
though we are using a manually entered key, the two routers still need to use ISAKMP. The important difference between this example and the one in Recipe 12.3 is that here we are using RSA authentication keys. So we need to tell the routers to use this key method in the ISAKMP policy:
Router1(config)#crypto isakmp policy 100 Router1(config-isakmp)#encryption aes 256 Router1(config-isakmp)#authentication rsa-encr Router1(config-isakmp)#group 2
After that, the remainder of the configuration is essentially identical to what we showed in Recipe 12.3. So it is also relatively straightforward to combine this recipe with Recipe 12.4 to use RSA authentication keys for a LANto-LAN IPSec tunnel. See Also Recipe 12.3; Recipe 12.4; Recipe 12.5