Uploaded by: Le Minh Ngoc, April 2020 (PDF, 48 pages, 5,047 words)
Module 5: Configure Site-to-Site VPNs Using Digital Certificates

PDF created with pdfFactory trial version www.pdffactory.com

Cisco Bách Khoa Network Academy (Học viện mạng Cisco Bách Khoa) - Website: www.ciscobachkhoa.com
Configure CA Support on a Cisco Router

Steps to configure CA support

Configuring Cisco IOS software certificate authority (CA) support is complicated. Having a detailed plan lessens the chances of configuration errors. The ten steps below are covered in order.

Step 1 – manage the non-volatile RAM (NVRAM)

Certificates and certificate revocation lists (CRLs) are used by the router when a CA is used. Normally certain certificates and all CRLs are stored locally in the NVRAM of the router, and each certificate and CRL uses a moderate amount of memory. The following certificates are normally stored on the router:
– The certificate of the router
– The certificate of the CA
– Root certificates obtained from CA servers. All root certificates are saved in RAM after the router has been initialized.
– Two RA certificates (one signing, one encryption), if the CA supports a registration authority (RA)

Step 1 (continued) – manage the non-volatile RAM (NVRAM)

In some cases, storing certificates and CRLs locally will not present a problem. In other cases, memory might become an issue if a large number of certificates and CRLs end up being stored on the router, because they can consume a large amount of NVRAM space. To save NVRAM space, the router can be configured not to store certificates and CRLs locally but to retrieve them from the CA when needed. This saves NVRAM space but can have a slight performance impact, and it makes certificate validation depend on the CA being reachable at the moment a peer presents a certificate. To specify that certificates and CRLs should not be stored locally but should be retrieved when required, turn on query mode with the crypto ca certificate query command in global configuration mode (crypto pki certificate query in Cisco IOS Release 12.3(7)T and later, following the rename described in Step 5).

Step 1 (continued) – manage the non-volatile RAM (NVRAM)

If query mode is not turned on initially, it can be turned on later even if certificates and CRLs have already been stored on the router. In this case, when query mode is turned on, the stored certificates and CRLs are deleted from the router after the configuration is saved. If the configuration is copied to a TFTP server before query mode is turned on, the stored certificates and CRLs are preserved in that copy.

If query mode is turned on initially, it can be turned off later. Before turning it off, issue the copy system:running-config nvram:startup-config command to save all current certificates and CRLs to NVRAM. Otherwise they could be lost during a reboot and would have to be retrieved the next time the router needs them.

Step 2 – set the router time and date

Verify with the show clock command in privileged EXEC mode that the time zone, time, and date are accurate, and correct them with the clock set command if they are not. The clock must be accurate before RSA key pairs are generated and the router enrolls with the CA server, because certificates are time-sensitive. Every certificate carries a valid-from and valid-to date and time. When the router validates a certificate, it checks whether its system clock falls within that validity range. If it does, the certificate is valid; if not, the certificate is rejected as not yet valid or expired.

Step 2 (continued) – set the router time and date

To specify the time zone of the router, use the clock timezone global configuration command. The command sets the time zone name and its offset from Coordinated Universal Time (UTC). The router can optionally be set to update the calendar and time automatically from a Network Time Protocol (NTP) server with the ntp series of commands. Because certificate validity and CRL freshness are both judged against this clock, the NTP source should be one the organization controls, and NTP authentication (ntp authenticate with ntp authentication-key and ntp trusted-key) should be enabled so that an attacker cannot move the clock and with it the set of certificates the router accepts.

Step 3 – add a CA server entry to the router host table

The host name and IP domain name of the router must be configured if this has not already been done. This is required because the router assigns a fully qualified domain name (FQDN) to the keys and certificates used by IPSec, and the FQDN is built from the host name and IP domain name assigned to the router. To specify or modify the host name, use the hostname global configuration command. The setup command facility also prompts for a host name at startup.

Step 3 (continued) – add a CA server entry to the router host table

To define a default domain name that the Cisco IOS software uses to complete unqualified host names, use the ip domain-name global configuration command. Unqualified names are names without a dotted-decimal domain name. Use the no form of this command to remove the default domain name. Use the ip host global configuration command to define a static host-name-to-address mapping in the host cache, for example so that the CA server name used in the enrollment URL resolves without relying on DNS. To remove the name-to-address mapping, use the no form of this command.

Step 4 – generate an RSA key pair

RSA key pairs are used to sign and encrypt IKE key management messages and are required before a certificate can be obtained for the router. Use the crypto key generate rsa global configuration command to generate RSA key pairs. By default, no RSA key pairs exist. If the usage-keys option is not given, general-purpose keys are generated. RSA keys are generated in pairs consisting of one public RSA key and one private RSA key; the private key never leaves the router unless the pair was generated with the exportable keyword. If the router already has RSA keys when this command is issued, the router warns and prompts the administrator before replacing the existing keys with new keys.

Step 4 (continued) – generate an RSA key pair

Special-usage keys

If special-usage keys are generated, two pairs of RSA keys are created. One pair is used with any IKE policy that specifies RSA signatures as the authentication method, and the other pair is used with any IKE policy that specifies RSA encrypted nonces as the authentication method. If both RSA authentication methods are present in the IKE policies, special-usage keys may be the preferred option. With special-usage keys, each key serves one purpose only and is not unnecessarily exposed. Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.

Step 4 (continued) – generate an RSA key pair

General-purpose keys

If general-purpose keys are generated, only one pair of RSA keys is created. This pair is used with IKE policies specifying either RSA signatures or RSA encrypted nonces. Therefore, a general-purpose key pair might get used more often than a special-usage key pair. When RSA keys are generated, the administrator is prompted to enter a modulus length, as shown in the figure. A longer modulus offers stronger security but takes longer to generate and longer to use. A modulus below 512 is not recommended, and Cisco recommended a minimum modulus of 1024 when this module was written. A 1024-bit RSA modulus is no longer considered adequate; use 2048 bits or more on any image that supports it.

Step 5 – declare a CA

In Cisco IOS Release 12.3(7)T, crypto pki trustpoint replaces the crypto ca trustpoint command of earlier releases. The crypto ca trustpoint command can still be entered, but it is written to the configuration as crypto pki trustpoint. Use the crypto pki trustpoint global configuration command to declare which CA the router will use. Within the trustpoint, the auto-enroll subcommand lets the router re-enroll with the CA server automatically before its certificates expire. Use the no form of the command to delete all identity information and certificates associated with the CA.

Step 5 (continued) – declare a CA

Entering the crypto pki trustpoint command puts the prompt into ca-trustpoint configuration mode, where the characteristics of the CA can be specified with the commands shown in the figure.

Step 5 (continued) – declare a CA

The example shown in the figure declares an Entrust CA and identifies its characteristics. In this example, the name vpnca is created for the CA, which is located at http://vpnca. The example also declares that the CA uses an RA. The scripts for the CA are stored in the default location, and the router talks to the CA with SCEP rather than LDAP. This is the minimum configuration required to declare a CA that uses an RA. The second example shown in the figure declares a Microsoft Windows 2000 CA. Note that its enrollment URL points to the MSCEP DLL.

Step 6 – authenticate the CA

The router needs to authenticate the CA to verify that it is genuine. It does this by obtaining the self-signed certificate of the CA, which contains the public key of the CA. Because the CA certificate is self-signed (the CA signs its own certificate), nothing in the certificate itself proves its origin, so the public key of the CA must be authenticated manually. This is done by contacting the CA administrator out of band and comparing the fingerprint of the received CA certificate with the one the administrator reports. Accepting a fingerprint without this comparison would let anyone able to intercept the enrollment exchange substitute their own CA. To get the public key of the CA, use the crypto pki authenticate name command in global configuration mode, with the same name that was used when declaring the CA with the crypto pki trustpoint command.

Step 6 (continued) – authenticate the CA

If RA mode is used (the enrollment mode ra command), the RA signing and encryption certificates are returned from the CA along with the CA certificate when the crypto pki authenticate command is issued. The following example shows a CA authentication:

    RouterA(config)# crypto pki authenticate VPNCA
    Certificate has the following attributes:
    Fingerprint: 93700C31 4853EC4A DED81400 43D3C82C
    % Do you accept this certificate? [yes/no]: y

Answer yes only after the displayed fingerprint matches the value obtained from the CA administrator.

Step 7 – request a certificate for the router

A signed certificate must be obtained from the CA for each RSA key pair on the router. If general-purpose RSA keys were generated, the router has one RSA key pair and needs one certificate. If special-usage RSA keys were generated, the router has two RSA key pairs and needs two certificates.

Step 7 (continued) – request a certificate for the router

To request signed certificates from the CA, use the crypto pki enroll name command in global configuration mode. During enrollment, a challenge password is created. The CA administrator can use this password to validate the identity of the person requesting the certificate. The password is not saved with the configuration. It is required if the certificate later needs to be revoked, so it must be remembered or stored in a manner consistent with the security policy of the organization. Technically, enrolling and obtaining certificates are two separate events, but both occur when the crypto pki enroll command is issued. If a certificate for the keys already exists, this command cannot be completed; the administrator is prompted to remove the existing certificate first. Existing certificates can be removed with the no certificate command.

Step 8 – save the configuration

Use the copy system:running-config nvram:startup-config command to save the configuration. This command also saves the RSA keys to private NVRAM. RSA keys are not included when the configuration is copied elsewhere with copy system:running-config rcp: or copy system:running-config tftp:, so a configuration restored from such a copy contains the certificates but not the matching private keys.

Step 9 – monitor and maintain CA interoperability

The tasks shown in the figure are optional, depending on the particular requirements of the VPN implementation.

Step 9 (continued) – monitor and maintain CA interoperability

Request a certificate revocation list

A CRL can be requested manually only if the CA does not support an RA, and the following applies only to a CA without an RA. When the router receives a certificate from a peer, it downloads a CRL from the CA and checks the CRL to make sure the certificate the peer sent has not been revoked. If the certificate appears on the CRL, the router does not accept the certificate and does not authenticate the peer.

With CA systems that support RAs, multiple CRLs exist, and the certificate of the peer indicates which CRL applies and should be downloaded by the router. If the router does not have the applicable CRL and is unable to obtain one, it rejects the certificate of the peer unless the crl optional command is in the trustpoint configuration. With crl optional, the router still tries to obtain a CRL, but if it cannot, it can still accept the certificate of the peer. This means a revoked certificate is accepted whenever the CRL cannot be fetched, so crl optional is an availability-over-revocation trade-off that should be a deliberate policy decision.

If query mode is off, a CRL can be reused with subsequent certificates until the CRL expires. If the router receives a certificate from a peer after the applicable CRL has expired, the router downloads the new CRL. When the router receives additional certificates from peers, it continues to attempt to download the appropriate CRL, even if it was previously unsuccessful and even if crl optional is configured. The crl optional command only specifies that, when the router cannot obtain the CRL, it is not forced to reject the certificate of a peer outright.

If the router has a CRL that has not yet expired but its contents are suspected to be out of date, the latest CRL can be downloaded immediately to replace the old one. To request an immediate download of the latest CRL, use the crypto pki crl request name command in global configuration mode. This command replaces the CRL currently stored on the router with the newest version.

Step 9 (continued) – monitor and maintain CA interoperability

Delete RSA keys from the router

Under certain circumstances it may be necessary to delete the RSA keys that were generated for the router. For example, if the RSA keys are believed to be compromised in some way and should no longer be used, the keys should be deleted. To delete all RSA keys from the router, use the crypto key zeroize rsa command in global configuration mode. After the RSA keys are deleted, ask the CA administrator to revoke the certificates of the router at the CA; this requires the challenge password created when the certificates were obtained with the crypto pki enroll command. Deleting the keys alone does not revoke the certificate: if the private key was copied by an attacker, peers continue to accept that certificate until the CA publishes the revocation. The certificates should also be removed manually from the router configuration.

Step 9 (continued) – monitor and maintain CA interoperability

Delete certificates from the configuration

If the need arises, certificates saved on the router can be deleted. The router saves its own certificates, the certificate of the CA, and any RA certificates, unless the router is in query mode. To delete the certificate of the router or the RA certificates from the configuration, use the commands shown in the figure, beginning in global configuration mode.

Step 9 (continued) – monitor and maintain CA interoperability

Delete public keys of peers

Under certain circumstances it may be necessary to delete the RSA public keys of peer devices from the router configuration. For example, if the integrity of a peer public key is in doubt, the key should be deleted. To delete an RSA public key of a peer, use the commands shown in the figure, beginning in global configuration mode.

To delete the CA certificate, the entire CA trustpoint must be removed. This also removes all certificates associated with the CA, including the certificate belonging to the router, the CA certificate, and any RA certificates. To remove a CA trustpoint, use the no crypto pki trustpoint name command in global configuration mode.
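The maintenance operations of Step 9 as one sequence, added here as an example rather than taken from the module's figures. It assumes a trustpoint named vpnca, a key label VPNKEY and a peer RouterB.example.com at 198.51.100.2; the certificate serial number is a placeholder to be read from show crypto pki certificates. The ordering matters for the key-compromise case: zeroizing stops this router from using the key, but only the CA's revocation stops peers from trusting a stolen copy of it.

```cisco
! Added example of the Step 9 maintenance commands (global configuration unless noted).
! Assumed: trustpoint vpnca, key label VPNKEY, peer RouterB.example.com at 198.51.100.2.
!
! Refresh a CRL that has not expired but is suspected to be stale (CA without an RA):
crypto pki crl request vpnca
!
! Remove the router's own (or an RA) certificate without touching the CA certificate.
! The serial number comes from "show crypto pki certificates"; a placeholder is shown.
crypto pki certificate chain vpnca
 no certificate <serial-number-from-show-output>
!
! Remove a peer's manually configured RSA public key (used with RSA encrypted nonces)
! when its integrity is in doubt; keys are addressed by name or by IP address.
crypto key pubkey-chain rsa
 no named-key RouterB.example.com
 no addressed-key 198.51.100.2
!
! Suspected private-key compromise, in order:
! 1. Stop using the key on this router.
crypto key zeroize rsa VPNKEY
! 2. Have the CA administrator revoke the router's certificates (requires the challenge
!    password from enrollment). Until the CRL carrying the revocation is published and
!    fetched by peers, a stolen copy of the key is still trusted; zeroizing does not fix that.
! 3. Remove the trustpoint, which deletes the router, CA and RA certificates together.
no crypto pki trustpoint vpnca
! 4. Re-enroll: generate a new pair, authenticate the CA again (re-check the fingerprint),
!    and enroll (Steps 4 to 8), then save with copy system:running-config nvram:startup-config.
!
! Confirm nothing is left behind (privileged EXEC):
show crypto key mypubkey rsa
show crypto pki certificates
```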

Step 10 – verify the CA support configuration

To view keys and certificates, use the commands shown in Figure 1 in EXEC mode (show crypto key mypubkey rsa for the key pairs and show crypto pki certificates for the router, CA and RA certificates). Figure 2 displays the running configuration of a router properly configured for CA support.

Học viện mạng Cisco Bách Khoa - Website: www.ciscobachkhoa.com

PDF created with pdfFactory trial version www.pdffactory.com

Enroll a device with a CA



The typical process for enrolling a device, such as a router or PIX Security Appliance, with a CA is as follows : – Step 1 Configure the device for CA support. – Step 2 Generate a public and private key-pair on the device. – Step 3 The device authenticates the CA server: • Send the certificate request to the CA/RA. • Generate a CA/RA certificate. • Download a CA/RA certificate to the device. • Authenticate a CA/RA certificate via the CA/RA fingerprint. Học viện mạng Cisco Bách Khoa - Website: www.ciscobachkhoa.com

– Step 4 The device sends a certificate request to the CA.
– Step 5 The CA generates and signs an identity certificate.
– Step 6 The CA sends the certificates to the device and posts them in its public repository.
– Step 7 The device verifies the identity certificate and stores it.

Most of these steps are automated by Cisco IOS software and the Simple Certificate Enrollment Protocol (SCEP), which many CA server vendors support. Each vendor determines how long certificates are valid.

Configure an IOS Router Site-to-Site VPN Using Digital Certificates

The configuration of a site-to-site VPN using digital certificates is similar to the configuration used when pre-shared keys provide authentication. The following tasks configure a site-to-site VPN using digital certificates:

Task 1 Prepare for IKE and IPSec – Determine the detailed encryption policy:
– Identify the hosts and networks to be protected
– Determine IPSec peer details
– Determine the IPSec features that are needed
– Ensure that the existing access lists are compatible with IPSec
Task 2 Configure CA support – Set the router host name and domain name, generate the keys, declare a CA, authenticate the CA, and request the router's own certificates.
Task 3 Configure IKE for IPSec – Enable IKE, create the IKE policies, and validate the configuration.
Task 4 Configure IPSec – Define the transform sets, create crypto access lists, create crypto map entries, and apply crypto map sets to the interfaces.
Task 5 Test and verify IPSec – Use show, debug, and related commands to test and verify that IPSec encryption works, and to troubleshoot problems.

Task 1 – prepare for IKE and IPSec

Successful implementation of an IPSec network that uses digital certificates for authentication requires advance planning before configuration of individual routers begins. In Task 1, define the IPSec security policy based on the overall company security policy.

Task 2 – configure CA support

Task 2 is the CA support procedure described in Steps 1 through 10 above.

Task 3 – configure IKE

Configuring IKE consists of the following steps and commands:
– Enable IKE with the crypto isakmp enable command, in case it has been disabled from its default enabled state.
– Create IKE policies with the crypto isakmp policy command.
– Set the IKE identity to address or hostname with the crypto isakmp identity command.
– Test and verify the IKE configuration with the show crypto isakmp policy and show crypto isakmp sa commands.

Task 3 (continued) – configure IKE

The crypto isakmp policy command enters the ISAKMP policy configuration mode, config-isakmp, in which the ISAKMP parameters are set. If one of these commands is not specified, the default value for that parameter is used.

Task 3 (continued) – configure IKE

The keywords available in config-isakmp mode to specify the parameters of the policy are shown in the figure. Multiple ISAKMP policies can be configured on each peer participating in IPSec. ISAKMP peers negotiate acceptable ISAKMP policies before agreeing upon the SA to be used for IPSec. For certificate-based authentication, the matching policy must specify authentication rsa-sig, and each peer must trust the CA that issued the other's certificate.

Task 4 – configure IPSec

The general steps and commands used to configure IPSec encryption on Cisco routers are summarized as follows:
– Configure transform set suites with the crypto ipsec transform-set command.
– Configure global IPSec security association lifetimes with the crypto ipsec security-association lifetime command.
– Configure crypto access lists with the access-list command.
The remaining steps used to configure IPSec parameters for IKE RSA signature keys are:
– Configure crypto maps with the crypto map command.
– Apply the crypto maps to the terminating or originating interface with the interface and crypto map commands.

Task 5 – test and verify IPSec

Cisco IOS software contains a number of show, clear, and debug commands useful for testing and verifying IPSec and ISAKMP. Use debug commands with caution. Enabling debugging can disrupt operation of the router because of the large amount of output. Check the CPU load with the show processes cpu command before and while debugging.
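Tasks 3 through 5 on the router side, as an added example (not a figure from the module). It assumes Task 2 is done with trustpoint vpnca, that RouterA's outside interface is Serial0/0 at 198.51.100.1, that the peer RouterB.example.com is at 198.51.100.2, and that the protected networks are 10.1.1.0/24 behind RouterA and 10.2.2.0/24 behind RouterB; RouterB mirrors this with the addresses swapped. The algorithm choices (AES-256, SHA, DH group 14) are assumptions for a current image; older images may only offer 3DES and groups 2 or 5.

```cisco
! Added example: RouterA side of a certificate-authenticated site-to-site IPSec VPN.
! Assumed: trustpoint vpnca already enrolled; Serial0/0 198.51.100.1; peer 198.51.100.2
! (RouterB.example.com); LAN 10.1.1.0/24 local, 10.2.2.0/24 remote.
!
! Task 3: IKE. rsa-sig is what makes this a certificate VPN; there is no pre-shared key.
crypto isakmp enable
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes 256
 hash sha
 group 14
 lifetime 86400
! The peer is identified by the FQDN in its certificate, not by its IP address, so set
! the IKE identity to hostname on both routers (both must also trust the same CA).
crypto isakmp identity hostname
! Resolve the peer's FQDN locally so the identity check does not depend on DNS.
ip host RouterB.example.com 198.51.100.2
!
! Task 4: IPSec
crypto ipsec transform-set VPNSET esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
! Crypto ACL: exactly the mirror image of RouterB's ACL, or the proxy identities will not match.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPNSET
 match address 110
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPNMAP
! Task 1 check: an inbound ACL on Serial0/0 must permit ISAKMP (UDP 500) and ESP (IP 50)
! from the peer, and the router must be able to reach the CA for SCEP and CRL fetches.
!
! Task 5: verify (privileged EXEC). The ISAKMP SA should show QM_IDLE; the IPSec SA
! packet counters should increase when 10.1.1.0/24 talks to 10.2.2.0/24.
show crypto isakmp policy
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto pki certificates
! Debugging is verbose; check "show processes cpu" first and turn it off when done.
debug crypto isakmp
debug crypto pki transactions
undebug all
```

If IKE fails in main mode while the same configuration works with pre-shared keys, the usual causes are visible in debug crypto pki transactions: a clock outside the certificate validity window, an unreachable CRL with the default revocation policy, or an ISAKMP identity of address on one peer and hostname on the other.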

Configure a PIX Security Appliance Site-to-Site VPN Using Digital Certificates

Scaling PIX Security Appliance VPNs

When the PIX Security Appliance is used to implement IPSec VPNs with digital certificates, the CA server enrollment process can be largely automated so that it scales well to large deployments. Each PIX that is to be configured as an IPSec peer individually enrolls with the CA server and obtains a key pair and certificate compatible with the other peers enrolled with the same server. The PIX Security Appliance supports the following CA servers:
– Cisco IOS Certificate Server
– Baltimore Technologies
– Entrust
– Microsoft Certificate Services
– Netscape CMS
– RSA Keon
– VeriSign

Enroll the PIX Security Appliance with a CA

The enrollment steps can be summarized as follows:
– Step 1 The PIX Security Appliance generates an RSA public and private key pair.
– Step 2 The PIX Security Appliance obtains the public key of the CA server and its certificate.
– Step 3 The PIX Security Appliance requests a signed certificate from the CA using the generated RSA keys and the public key certificate from the CA server.
– Step 4 The CA administrator verifies the request and sends a signed certificate.

Generate an RSA key pair

RSA key pairs are generated with the crypto key generate rsa command. Without additional keywords, this command generates one general-purpose RSA key pair. Because no modulus is specified, the default modulus of 1024 is used. Other modulus sizes can be specified with the modulus keyword; 2048 is the practical minimum today. Use the show crypto key mypubkey rsa command to view the created key pair. To remove RSA key pairs, use the crypto key zeroize rsa command in global configuration mode.

Obtain a public key and certificate from the CA server

Create a trustpoint corresponding to the CA from which the PIX Security Appliance needs to receive its certificate with the crypto ca trustpoint trustpoint command. Entering this command puts the appliance in crypto ca trustpoint configuration mode. To specify SCEP enrollment, use the enrollment url command. To specify manual enrollment, use the enrollment terminal command. As needed, specify other characteristics for the trustpoint. More information about these commands can be found in the Command Reference. After configuring the trustpoint, obtain the CA certificate for the trustpoint with the crypto ca authenticate command. The public key of the CA is included in this certificate; as on the router, confirm its fingerprint with the CA administrator before accepting it.

Request a signed certificate from the CA

Enroll the PIX Security Appliance with the trustpoint using the crypto ca enroll command. Before entering this command, contact the CA administrator, because the administrator may need to authenticate the enrollment request manually before the CA grants the certificate.

Verify that the CA administrator has sent a signed certificate

After enrollment is complete, verify that it succeeded with the show crypto ca certificate command. The output shows the details of the certificate issued to the PIX Security Appliance and the CA certificate for the trustpoint. Save the configuration with the write memory command after the certificate has been received; otherwise the trustpoint and its certificates are lost at the next reload.
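The four PIX enrollment steps above as one added example, written in the PIX Security Appliance 7.x crypto ca syntax that this section uses; it is not taken from the module. Assumed values: appliance name pix1 in example.com, trustpoint CA1, a Microsoft CA with MSCEP at ca.example.com, and a 2048-bit key.

```cisco
! Added example: enrolling a PIX Security Appliance (7.x syntax) with a CA over SCEP.
! Assumed: hostname pix1, domain example.com, trustpoint CA1, MSCEP at ca.example.com.
hostname pix1
domain-name example.com
!
! Step 1: key pair (no label, so it becomes the default RSA key; 2048 instead of the
! 1024 default).
crypto key generate rsa modulus 2048
show crypto key mypubkey rsa
!
! Step 2: trustpoint and CA certificate.
crypto ca trustpoint CA1
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 ! offline alternative (paste the PEM certificates at the terminal): enrollment terminal
 subject-name CN=pix1.example.com,OU=VPN,O=Example
! Compare the printed fingerprint with the CA administrator's value before answering yes.
crypto ca authenticate CA1
!
! Step 3: request the identity certificate. Tell the CA administrator first; the request
! may wait for manual approval, and the challenge password is needed for later revocation.
crypto ca enroll CA1
!
! Step 4: confirm both the CA certificate and the issued identity certificate are present,
! check their validity dates against the clock, then save so they survive a reload.
show crypto ca certificate
show clock
write memory
```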

Summary

Upon completing this module, the student will be able to configure certificate authority (CA) support on Cisco routers. The student will also be able to configure the Cisco IOS router and the PIX Security Appliance for a site-to-site VPN that uses digital certificates for authentication.
