IOS Site-to-Site VPN Configuration with RSA Signatures (Microsoft CA Server 2003)

R1

interface fastEthernet 0/0

ip address 192.168.101.1 255.255.255.0

no shutdown

int s0/0

ip address 101.1.1.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 101.1.1.1

 

ISP

 

interface s0/0

ip address 101.1.1.1 255.255.255.0

no shutdown

int s0/1

ip address 102.1.1.1 255.255.255.0

no shutdown

int f0/0

ip address 192.168.105.1 255.255.255.0

no shutdown

 

R2

 

interface fastEthernet 0/0

ip address 192.168.102.1 255.255.255.0

no shutdown

int s0/0

ip address 102.1.1.100 255.255.255.0

no shutdown

ip route 0.0.0.0 0.0.0.0 102.1.1.1

 

R1

 

R1#ping 192.168.101.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1#ping 192.168.105.100

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.105.100, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 8/14/24 ms

R1#ping 102.1.1.100

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/18/44 ms

 

R2

 

R2#ping 192.168.102.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R2#ping 192.168.105.100

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.105.100, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/20 ms

R2#ping 101.1.1.100

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 101.1.1.100, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/44 ms

 

ISP

 

ISP#clock set 15:43:45 18 jan 2016

 

ISP(config)#ntp master

 

R1

 

R1(config)#ntp server 101.1.1.1

 

R2

 

R2(config)#ntp server 101.1.1.1

 

R1#sh clock

15:44:39.428 UTC Mon Jan 18 2016

 

R2#sh clock

15:44:43.644 UTC Mon Jan 18 2016
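Certificate validation depends on the router clock: the CA certificate issued below is valid from 09:45 UTC on 18 Jan 2016, so a router whose clock is wrong either rejects a good certificate or keeps trusting an expired one, and anyone who can feed the router false time can widen that window. The lab synchronises R1 and R2 to an unauthenticated `ntp master` on the ISP router, which any host able to spoof 101.1.1.1 can impersonate. The following is an added example, not configuration from the original lab: the same NTP relationship with symmetric-key authentication, and an access list so the ISP router answers time requests only from the two VPN endpoints. The key number 1 and the placeholder key string are assumptions; MD5 is the NTP key type this generation of IOS offers.

```cisco
! ISP (added example, not from the original lab)
clock set 15:43:45 18 jan 2016
! shared secret: placeholder, replace before use
ntp authentication-key 1 md5 REPLACE-WITH-SHARED-SECRET
ntp authenticate
ntp trusted-key 1
ntp master 3
! serve time only to the two VPN routers, no control queries from anyone else
access-list 10 permit host 101.1.1.100
access-list 10 permit host 102.1.1.100
ntp access-group serve-only 10
!
! R1 and R2 (identical on both)
ntp authentication-key 1 md5 REPLACE-WITH-SHARED-SECRET
ntp authenticate
ntp trusted-key 1
! "key 1" makes the client reject unauthenticated or wrongly-keyed replies
ntp server 101.1.1.1 key 1
!
! Verify (exec mode): the association must show "authenticated" and
! the clock must read "synchronized" before authenticating the trustpoint
show ntp status
show ntp associations detail
```

With `ntp authenticate` and `ntp trusted-key` on the clients, a reply that is not signed with key 1 is discarded, so a spoofed 101.1.1.1 cannot move the clock; `serve-only` on the ISP side additionally stops other hosts from using the lab's time source or querying it.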

 

R1

 

crypto  ca trustpoint ttt

enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll

revocation-check none

exit

 

R1(config)#crypto  ca authenticate ttt

Certificate has the following attributes:

Fingerprint MD5: C0952B98 E5B8A10A A233B5A6 48DEE923

Fingerprint SHA1: D6238A4D CFC01F9F C2B23404 5E30B345 A7668E19

 

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

 

R1(config)#crypto  ca enroll  ttt

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

 

Password: 05287B6712D04F84

Jan 18 15:45:48.729:  RSA key size needs to be atleast 768 bits for ssh version 2

Jan 18 15:45:48.741: %SSH-5-ENABLED: SSH 1.5 has been enabled

Jan 18 15:45:48.745: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair

Re-enter password: 05287B6712D04F84

 

% The subject name in the certificate will include: R1.lab.local

% Include the router serial number in the subject name? [yes/no]: n

% Include an IP address in the subject name? [no]: n

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto ca certificate ttt verbose' command will show the fingerprint.

 

R1(config)#

Jan 18 15:46:45.774: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 9183CBF5 AAF82FA0 3988E942 A484CBFF

Jan 18 15:46:45.782: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: F5C0FD62 DF75A859 E311818A AD8E1690 B54D6D6C

R1(config)#

Jan 18 15:46:48.098: %PKI-6-CERTRET: Certificate received from Certificate Authority

 

Obtain the OTP (the SCEP challenge password entered at the Password: prompt above) from the Microsoft CA Server 2003 (screenshot not reproduced here).

R1#sh crypto  ca certificates

Certificate

Status: Available

Certificate Serial Number: 0x6108AC93000000000004

Certificate Usage: General Purpose

Issuer:

cn=CA

Subject:

Name: R1.lab.local

hostname=R1.lab.local

CRL Distribution Points:

http://ca/CertEnroll/CA.crl

Validity Date:

start date: 10:06:45 UTC Jan 18 2016

end   date: 10:16:45 UTC Jan 18 2017

Associated Trustpoints: ttt

 

CA Certificate

Status: Available

Certificate Serial Number: 0x7DF36B80B94A57814E744D2283267CA4

Certificate Usage: Signature

Issuer:

cn=CA

Subject:

cn=CA

CRL Distribution Points:

http://ca/CertEnroll/CA.crl

Validity Date:

start date: 09:45:09 UTC Jan 18 2016

end   date: 09:54:59 UTC Jan 18 2021

Associated Trustpoints: ttt
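Two lines of the enrollment log above deserve attention. `%CRYPTO-6-AUTOGEN: Generated new 512 bit key pair` shows that no RSA key pair existed when `crypto ca enroll` ran, so IOS silently generated a 512-bit one and the router certificate now carries a key that is trivially factorable. And `revocation-check none` means a certificate the CA administrator has revoked is still accepted during IKE. The following is an added example, not configuration from the original lab: the same trustpoint rebuilt so that a 2048-bit key pair is generated first and bound to the trustpoint, the subject name is set explicitly, and the CRL advertised in the issued certificates' CRL Distribution Point (http://ca/CertEnroll/CA.crl) is actually checked. The key label R1-KEY, the OU value and the `ip host` entry mapping the CDP hostname `ca` to 192.168.105.100 are assumptions (the page never says how `ca` resolves); `crypto pki` is the current keyword and the lab's `crypto ca` form is an accepted alias. R2 is configured the same way with its own names.

```cisco
! R1 (added example, not from the original lab), config mode
hostname R1
ip domain-name lab.local
! The CDP in the issued certificates is http://ca/CertEnroll/CA.crl.
! Without name resolution for "ca" the CRL fetch fails and, with
! revocation-check crl, IKE authentication fails closed.
ip host ca 192.168.105.100
!
! 1. Generate the key pair explicitly, before enrolling, so IOS cannot
!    fall back to an auto-generated 512-bit key.
crypto key generate rsa general-keys label R1-KEY modulus 2048
!
! 2. Rebuild the trustpoint and bind it to that key pair.
crypto pki trustpoint ttt
 enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
 rsakeypair R1-KEY
 subject-name CN=R1.lab.local,OU=VPN
 fqdn R1.lab.local
 serial-number none
 ip-address none
 ! check the CRL from the peer certificate's CDP; "crl none" would fail open
 revocation-check crl
!
! 3. Authenticate the CA and enroll, as in the lab. Compare the MD5/SHA1
!    fingerprint IOS prints against the CA certificate's thumbprint obtained
!    from the CA administrator out of band before answering "yes".
crypto pki authenticate ttt
crypto pki enroll ttt
!
! 4. Verify (exec mode): key size is 2048, the certificate is issued to
!    CN=R1.lab.local, and a CRL for cn=CA has been retrieved.
show crypto key mypubkey rsa R1-KEY
show crypto pki certificates ttt verbose
show crypto pki crls
```

Changing `rsakeypair` or `subject-name` after enrollment requires re-running `crypto pki authenticate` and `crypto pki enroll`; the old router certificate is replaced, and the challenge password must again be obtained from the CA.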

 

R2

 

crypto  ca trustpoint ttt

enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll

revocation-check none

exit

R2(config)#crypto  ca authenticate ttt

Certificate has the following attributes:

Fingerprint MD5: C0952B98 E5B8A10A A233B5A6 48DEE923

Fingerprint SHA1: D6238A4D CFC01F9F C2B23404 5E30B345 A7668E19

 

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

 

R2(config)#crypto  ca enroll  ttt

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.

 

Password:

Jan 18 15:54:14.652:  RSA key size needs to be atleast 768 bits for ssh version 2

Jan 18 15:54:14.660: %SSH-5-ENABLED: SSH 1.5 has been enabled

Jan 18 15:54:14.664: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair

Re-enter password:

 

% The subject name in the certificate will include: R2.lab.local

% Include the router serial number in the subject name? [yes/no]: n

% Include an IP address in the subject name? [no]: n

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto ca certificate ttt verbose' command will show the fingerprint.

 

R2(config)#

Jan 18 15:54:36.721: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 9059692A 18DB2D9A 8E6BA1D0 E7C91B2D

Jan 18 15:54:36.729: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 532D69C7 3220722D B82FA9A0 1BC02403 8B78A018

R2(config)#

Jan 18 15:54:39.025: %PKI-6-CERTRET: Certificate received from Certificate Authority

 

R2#sh crypto  ca certificates

Certificate

Status: Available

Certificate Serial Number: 0x610FDC04000000000005

Certificate Usage: General Purpose

Issuer:

cn=CA

Subject:

Name: R2.lab.local

hostname=R2.lab.local

CRL Distribution Points:

http://ca/CertEnroll/CA.crl

Validity Date:

start date: 10:14:36 UTC Jan 18 2016

end   date: 10:24:36 UTC Jan 18 2017

Associated Trustpoints: ttt

 

CA Certificate

Status: Available

Certificate Serial Number: 0x7DF36B80B94A57814E744D2283267CA4

Certificate Usage: Signature

Issuer:

cn=CA

Subject:

cn=CA

CRL Distribution Points:

http://ca/CertEnroll/CA.crl

Validity Date:

start date: 09:45:09 UTC Jan 18 2016

end   date: 09:54:59 UTC Jan 18 2021

Associated Trustpoints: ttt

 

 

R1

crypto  isakmp policy 1

authentication rsa-sig

encryption aes

hash sha

group 5

lifetime 1800

exit

crypto  ipsec  transform-set t-set esp-aes esp-sha-hmac

mode tunnel

exit

crypto  ipsec profile  shiva

set  transform-set t-set

int t0

ip add 192.168.1.1 255.255.255.0

tunnel source serial 0/0

tunnel destination 102.1.1.100

tunnel mode ipsec ipv4

tunnel protection ipsec profile  shiva

 

R2

 

crypto  isakmp policy 1

authentication rsa-sig

encryption aes

hash sha

group 5

lifetime 1800

exit

crypto  ipsec  transform-set t-set esp-aes esp-sha-hmac

mode tunnel

exit

crypto  ipsec profile  shiva

set  transform-set t-set

int t0

ip add 192.168.1.2 255.255.255.0

tunnel source s0/0

tunnel destination 101.1.1.100

tunnel mode ipsec ipv4

tunnel protection ipsec profile  shiva

 

R1

int t0

ip ospf 100 area 0

int f0/0

ip ospf 100 area 0

 

R2

int t0

ip ospf 100 area 0

int f0/0

ip ospf 100 area 0
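With `authentication rsa-sig`, IKE accepts any peer that presents a valid certificate chaining to cn=CA; nothing in the lab's configuration states which certificates may terminate this tunnel, so every device enrolled to the same MSCEP server is an acceptable peer. The policy also uses 128-bit AES, SHA-1 and DH group 5 with no PFS and no dead peer detection, and the LAN interfaces take part in OSPF actively. The following is an added example for R1, not configuration from the original lab: a certificate map restricting peers to lab routers, a stronger IKE policy and transform set, PFS and DPD on the profile, MTU/MSS settings for the tunnel, and passive OSPF on the LAN. The map label VPN-PEERS and the `subject-name` match are assumptions: the match works when the router certificates carry a CN under lab.local (for example set with `subject-name` on the trustpoint), whereas the lab's certificates carry only the hostname, so check the subject with `show crypto pki certificates verbose` first. `hash sha256`, `group 14` and `esp-sha256-hmac` need a release that supports them; the lab's `aes`/`sha`/`group 5` values are the fallback. R2 mirrors this with tunnel destination 101.1.1.100 and tunnel address 192.168.1.2.

```cisco
! R1 (added example, not from the original lab), config mode
!
! Only certificates issued by the lab CA to a lab router may authenticate.
! Subject names as seen in the enrollment output: R1.lab.local, R2.lab.local.
crypto pki certificate map VPN-PEERS 10
 issuer-name co cn=CA
 subject-name co lab.local
crypto pki trustpoint ttt
 match certificate VPN-PEERS
!
! Stronger IKE policy (lower number = higher priority than the lab's policy 1).
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes 256
 hash sha256
 group 14
 lifetime 3600
! Dead peer detection: tear down a stale SA instead of blackholing traffic.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set t-set esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile shiva
 set transform-set t-set
 set pfs group14
 set security-association lifetime seconds 3600
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ! the SA output shows path mtu 1500; leave room for ESP overhead
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 102.1.1.100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile shiva
!
! OSPF: the LAN interface should neither send hellos nor accept neighbours.
router ospf 100
 passive-interface FastEthernet0/0
!
! Verify (exec mode)
show crypto isakmp sa detail
show crypto ipsec sa | include pkts|spi
show ip ospf neighbor
```

A peer whose certificate does not match VPN-PEERS fails IKE phase 1 even though its certificate is otherwise valid, which is the behaviour wanted when the CA also issues certificates to devices that must not reach the tunnel.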

 

 

 

 

 

 

 

R1#sh ip ospf  neighbor

 

Neighbor ID     Pri   State           Dead Time   Address         Interface

192.168.102.1     0   FULL/  -        00:00:39    192.168.1.2     Tunnel0

R1#sh ip route  ospf

O    192.168.102.0/24 [110/11121] via 192.168.1.2, 00:00:08, Tunnel0

 

R2#sh ip route  ospf

O    192.168.101.0/24 [110/11121] via 192.168.1.1, 00:00:52, Tunnel0

 

R2#sh ip ospf  neighbor

 

Neighbor ID     Pri   State           Dead Time   Address         Interface

192.168.101.1     0   FULL/  -        00:00:38    192.168.1.1     Tunnel0

 

R1

R1#ping 192.168.102.1 source fastEthernet 0/0 repeat 100

 

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.101.1

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 40/54/72 ms

 

R1#sh crypto ipsec sa

 

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100

 

protected vrf: (none)

local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer 102.1.1.100 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 119, #pkts encrypt: 119, #pkts digest: 119

#pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

 

local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100

path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

current outbound spi: 0x3D1AA06C(1025155180)

 

inbound esp sas:

spi: 0xC5C37F5(207370229)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4479465/3459)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

 

inbound ah sas:

 

inbound pcp sas:

 

outbound esp sas:

spi: 0x3D1AA06C(1025155180)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4479464/3458)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

 

outbound ah sas:

 

outbound pcp sas:

 

R1#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

101.1.1.100     102.1.1.100     QM_IDLE           1001    0 ACTIVE

 

IPv6 Crypto ISAKMP SA

 

R2

 

R2#ping 192.168.101.1 source fastEthernet 0/0 repeat 100

 

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.102.1

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 44/54/72 ms

 

R2#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

101.1.1.100     102.1.1.100     QM_IDLE           1001    0 ACTIVE

 

IPv6 Crypto ISAKMP SA

 

R2#sh crypto ipsec sa

 

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 102.1.1.100

 

protected vrf: (none)

local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer 101.1.1.100 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221

#pkts decaps: 223, #pkts decrypt: 223, #pkts verify: 223

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

 

local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100

path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0

current outbound spi: 0xC5C37F5(207370229)

 

inbound esp sas:

spi: 0x3D1AA06C(1025155180)

transform: esp-aes esp-sha-hmac ,