Creating A Router-To-Router VPN With RSA Keys

Recipe 12.8.
Creating a Router-to-Router VPN with RSA Keys

Problem You want to create an encrypted VPN between two routers using RSA keys. Solution As in Recipe 12.3, we will use IPSec Transport mode and a GRE tunnel for this encrypted router-to-router connection:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#crypto key pubkey-chain rsa Router1(config-pubkey-chain)#addressed-key 172.16.2.1 Router1(config-pubkey-key)#address 172.16.2.1 Router1(config-pubkey-key)#key-string Enter a public key as a hexidecimal number .... Router1(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 Router1(config-pubkey)#EA33B519 0CD95EFF EDFD4723 BED73640 97981CC0 Router1(config-pubkey)#C5FE959D 1E055002 83B92EF4 35B69545 C3217E5F Router1(config-pubkey)#75598BE0 B4A4E7B2 3C318C2D 3BF3B192 8B71D8C9 Router1(config-pubkey)#BC425170 400BD26A 319E632F 4E9649F5 BA7ADA40 Router1(config-pubkey)#quit Router1(config-pubkey-key)#exit Router1(config-pubkey-chain)#exit
8D003081 1FC83FBF E0C32A73 A1E0F929 5A94B09C
89028181 5C6DF97C 44FD2373 0E84BDAD 05F8414E
00EB0AB2 8CB8CE0A 15979E77 EC909833 33020301 0001
Router1(config)#crypto isakmp policy 100 Router1(config-isakmp)#encryption aes 256 Router1(config-isakmp)#authentication rsa-encr Router1(config-isakmp)#group 2 Router1(config-isakmp)#exit Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256 Router1(cfg-crypto-trans)#mode transport Router1(cfg-crypto-trans)#exit Router1(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. Router1(config-crypto-map)#set peer 172.16.2.1 Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM Router1(config-crypto-map)#match address 102 Router1(config-crypto-map)#exit Router1(config)#access-list 102 permit gre host 172.16.1.1 host 172.16.2.1 Router1(config)#interface Tunnel1 Router1(config-if)#ip address 192.168.1.1 255.255.255.252 Router1(config-if)#tunnel source 172.16.1.1 Router1(config-if)#tunnel destination 172.16.2.1 Router1(config-if)#exit Router1(config)#interface FastEthernet0/0 Router1(config-if)#ip address 172.16.1.1 255.255.255.0 Router1(config-if)#ip access-group 101 in Router1(config-if)#crypto map TUNNEL-RSA Router1(config-if)#exit Router1(config)#access-list 101 permit gre host 172.16.2.1 host 172.16.1.1 Router1(config)#access-list 101 permit esp host 172.16.2.1 host 172.16.1.1 Router1(config)#access-list 101 permit udp host 172.16.2.1 host 172.16.1.1 eq isakmp Router1(config)#access-list 101 permit ahp host 172.16.2.1 host 172.16.1.1 Router1(config)#access-list 101 deny ip any any log Router1(config)#end Router1#
And here is the corresponding configuration for the other router:

Router2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router2(config)#crypto key pubkey-chain rsa Router2(config-pubkey-chain)#addressed-key 172.16.1.1 Router2(config-pubkey-key)#address 172.16.1.1 Router2(config-pubkey-key)#key-string Enter a public key as a hexidecimal number .... Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A0830E Router2(config-pubkey)#01E4B6E1 08823E41 8A98A7F4 DB0E6277 1E7AA500 F7B620CA 49BCBEBA B0A0455A Router2(config-pubkey)#114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 01C83E08 7305ED3C 71F04B44 31A1C574 Router2(config-pubkey)#C0E6ACA2 C191DB07 3D347F88 2D2884BF 99C2AF80 45BC1BE9 6D2BF684 B60C04E6 Router2(config-pubkey)#0F3D5C09 7C26694F 8FB75F90 2FA1DF46 94401D54 82ACA366 E621DD04 4B020301 0001 Router2(config-pubkey)#quit Router2(config-pubkey-key)#exit Router2(config-pubkey-chain)#exit Router2(config)#crypto isakmp policy 100 Router2(config-isakmp)#encryption aes 256 Router2(config-isakmp)#authentication rsa-encr Router2(config-isakmp)#group 2 Router2(config-isakmp)#exit Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-aes 256 Router2(cfg-crypto-trans)#mode transport Router2(cfg-crypto-trans)#exit Router2(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp Router2(config-crypto-map)#set peer 172.16.1.1 Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM Router2(config-crypto-map)#match address 102 Router2(config-crypto-map)#exit Router2(config)#access-list 102 permit gre host 172.16.2.1 host 172.16.1.1 Router2(config)#interface Tunnel1 Router2(config-if)#ip address 192.168.1.2 255.255.255.252 Router2(config-if)#tunnel source 172.16.2.1 Router2(config-if)#tunnel destination 172.16.1.1 Router2(config-if)#exit Router2(config)#interface FastEthernet0/0 Router2(config-if)#ip address 172.16.1.1 255.255.255.0 Router2(config-if)#ip access-group 101 in Router2(config-if)#crypto map TUNNEL-RSA Router2(config-if)#exit Router2(config)#access-list 101 permit gre host 172.16.1.1 host 172.16.2.1 Router2(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.2.1 Router2(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.2.1 eq isakmp Router2(config)#access-list 101 permit ahp host 172.16.1.1 host 172.16.2.1 Router2(config)#access-list 101 deny ip any any log Router2(config)#end Router2#
Discussion This recipe is similar to 12.5, except that here we use RSA keys for authentication and encryption instead of preshared keys. This technique is more secure but more time-consuming to configure. The first step is to create a set of RSA encryption keys using the methods discussed in Recipe 12.5. We took the keys that we generated in this way and entered them into the router configurations. So, for example, we created the
key on Router1 as follows:

Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#crypto key generate rsa % You already have RSA keys defined named Router1.oreilly.com. % Do you really want to replace them? [yes/no]: yes Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys ...[OK] Router1(config)#exit Router1#show crypto key mypubkey rsa % Key pair was generated at: 14:59:44 Key name: Router1.oreilly.com Usage: General Purpose Key Key is not exportable. Key Data: 30819F30 0D06092A 864886F7 0D010101 01E4B6E1 08823E41 8A98A7F4 DB0E6277 114BA6B9 5ADE0D2E 7DC3EFC1 D7D07015 C0E6ACA2 C191DB07 3D347F88 2D2884BF 0F3D5C09 7C26694F 8FB75F90 2FA1DF46 % Key pair was generated at: 14:59:51 Key name: Router1.oreilly.com.server Usage: Encryption Key Key is not exportable. Key Data: 307C300D 06092A86 4886F70D 01010105 6866A933 07690DB6 BA02B4E2 4CF331AA E4C88354 261C2FE8 C20DC047 621DB954 9FCDB94B 72AB8D1A A45CD06A D2495940 Router1#
UTC Jul 20 2006
05000381 8D003081 1E7AA500 F7B620CA 01C83E08 7305ED3C 99C2AF80 45BC1BE9 94401D54 82ACA366 UTC Jul 20 2006
89028181 49BCBEBA 71F04B44 6D2BF684 E621DD04
00A0830E B0A0455A 31A1C574 B60C04E6 4B020301 0001
00036B00 D1818C34 9294FD68 EB7FACE8
30680261 5B8482B1 6B2A3C16 AFA3886F
009ED5E0 8174A365 250402ED 3F020301
43DAC50E 80EBC4CC EFFE2A48 0001
Note that in this example we used the default 512-bit key. However, in production networks, we recommend using 1024 or more bit keys. Then we took the general purpose key from this output and entered it into the other router as follows:
Router2(config)#crypto key pubkey-chain rsa Router2(config-pubkey-chain)#addressed-key 172.16.1.1 Router2(config-pubkey-key)#address 172.16.1.1 Router2(config-pubkey-key)#key-string Enter a public key as a hexidecimal number .... Router2(config-pubkey)#30819F30 0D06092A Router2(config-pubkey)#01E4B6E1 08823E41 Router2(config-pubkey)#114BA6B9 5ADE0D2E Router2(config-pubkey)#C0E6ACA2 C191DB07 Router2(config-pubkey)#0F3D5C09 7C26694F Router2(config-pubkey)#quit Router2(config-pubkey-key)#exit Router2(config-pubkey-chain)#exit
864886F7 8A98A7F4 7DC3EFC1 3D347F88 8FB75F90 0D010101 DB0E6277 D7D07015 2D2884BF 2FA1DF46 05000381 1E7AA500 01C83E08 99C2AF80 94401D54 8D003081 F7B620CA 7305ED3C 45BC1BE9 82ACA366 89028181 49BCBEBA 71F04B44 6D2BF684 E621DD04 00A0830E B0A0455A 31A1C574 B60C04E6 4B020301 0001
And then we repeated the procedure on the other router. With the keys in place, we proceeded to tell the routers how to use these keys to create an IPSec connection. Even
though we are using a manually entered key, the two routers still need to use ISAKMP. The important difference between this example and the one in Recipe 12.3 is that here we are using RSA authentication keys. So we need to tell the routers to use this key method in the ISAKMP policy:
Router1(config)#crypto isakmp policy 100 Router1(config-isakmp)#encryption aes 256 Router1(config-isakmp)#authentication rsa-encr Router1(config-isakmp)#group 2
After that, the remainder of the configuration is essentially identical to what we showed in Recipe 12.3. So it is also relatively straightforward to combine this recipe with Recipe 12.4 to use RSA authentication keys for a LANto-LAN IPSec tunnel. See Also Recipe 12.3; Recipe 12.4; Recipe 12.5

Creating A Router-To-Router VPN With RSA Keys

Enviado por

Dados do documento

Descrição original:

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Creating A Router-To-Router VPN With RSA Keys

Enviado por

Direitos autorais:

Formatos disponíveis

Recipe 12.8.

Creating a Router-to-Router VPN with RSA Keys

8D003081 1FC83FBF E0C32A73 A1E0F929 5A94B09C

89028181 5C6DF97C 44FD2373 0E84BDAD 05F8414E

00EB0AB2 8CB8CE0A 15979E77 EC909833 33020301 0001

And here is the corresponding configuration for the other router:

key on Router1 as follows:

UTC Jul 20 2006

89028181 49BCBEBA 71F04B44 6D2BF684 E621DD04

00A0830E B0A0455A 31A1C574 B60C04E6 4B020301 0001

00036B00 D1818C34 9294FD68 EB7FACE8

30680261 5B8482B1 6B2A3C16 AFA3886F

009ED5E0 8174A365 250402ED 3F020301

43DAC50E 80EBC4CC EFFE2A48 0001

Você também pode gostar