Tips and Pitfalls: IPSEC and CA

Generate key
crypto key generate rsa

Create Trustpoint
crypto ca trustpoint trustpointlabel
enrollment terminal
revocation-check crl
rsakeypair key

Authenticate CA
crypto ca authenticate trustpointlabel
<paste the CA certificate in Base-64 (PEM) format>

Generate Identity Certificate Signing Request (CSR)
crypto ca enroll trustpointlabel

Install Certificate
crypto ca import trustpointlabel certificate

Revoke Certificate
crypto ca trustpoint trustpointlabel
delete certificate force
crypto ca trustpoint trustpointlabel
no rsakeypair name

crypto key zeroize rsa name

re-create key
re-add key to trustpoint
re-generate CSR

Import CRL
crypto ca crl request trustpointlabel bootflash:filename

show crypto ca trustpoint
show crypto ca certificates
show crypto ca crl name

Export Identity Key
crypto ca export trustpointlabel pkcs12 bootflash:file passphrase

Import Identity Key
crypto ca import trustpointlabel pkcs12 bootflash:filename passphrase

Example:

IPSec with Pre-Shared Keys
MDS1 MDS2
crypto ike enable
crypto ike domain ipsec
policy 1
encryption aes
hash md5
group 2
lifetime seconds 14400
key mykey address 192.168.0.3
crypto ipsec enable
crypto transform-set domain ipsec 3DES-SHA esp-3des esp-sha1-hmac
crypto map domain ipsec myMap 1
set peer 192.168.0.3
match address MDS2MDS3
set transform-set 3DES-SHA
set security-association lifetime seconds 7200
ip access-list MDS2MDS3 permit ip 192.168.0.2 0.0.0.0 192.168.0.3 0.0.0.0

MDS2# show int fcip 1 | inc Profile
Using Profile id 1  (interface port-channel 100)
MDS2# show int po100 | inc Member
Member[1] : GigabitEthernet2/1
Member[2] : GigabitEthernet2/2
MDS2(config)# int g2/1-2
MDS2(config-if)# crypto map domain ipsec myMap

crypto ike enable
crypto ike domain ipsec
policy 1
encryption aes
hash md5
group 2
lifetime seconds 14400
key mykey address 192.168.0.2
crypto ipsec enable
crypto transform-set domain ipsec 3DES-SHA esp-3des esp-sha1-hmac
crypto map domain ipsec myMap 1
set peer 192.168.0.2
match address MDS3MDS2
set transform-set 3DES-SHA
set security-association lifetime seconds 7200
ip access-list MDS3MDS2 permit ip 192.168.0.3 0.0.0.0 192.168.0.2 0.0.0.0

MDS3# show int fcip1 | inc Profile
Using Profile id 1  (interface GigabitEthernet2/1)
MDS3(config)# int g2/1
MDS3(config-if)# crypto map domain ipsec myMap

IPSec with Digital Certificates (RSA Digital Signatures)
MDS1 MDS2
crypto ike enable
crypto ike domain ipsec
policy 1
authentication rsa-sig
identity hostname
crypto ipsec enable
crypto transform-set domain ipsec AES-MD5 esp-aes 128 esp-md5-hmac
crypto map domain ipsec MDS1MDS3map 1
set peer auto-peer
match address MDS1MDS3
set transform-set AES-MD5
ip access-list MDS1MDS3 permit ip 192.168.13.1 0.0.0.0 192.168.13.3 0.0.0.0
MDS1# show int fcip9 | inc Profile
Using Profile id 9  (interface GigabitEthernet2/2)
MDS1(config)# int g2/2
MDS1(config-if)# crypto map domain ipsec myMap
crypto ike enable
crypto ike domain ipsec
policy 1
authentication rsa-sig
identity hostname
crypto ipsec enable
crypto transform-set domain ipsec AES-MD5 esp-aes 128 esp-md5-hmac
crypto map domain ipsec MDS3MDS1map 1
set peer auto-peer
match address MDS3MDS1
set transform-set AES-MD5
ip access-list MDS3MDS1 permit ip 192.168.13.3 0.0.0.0 192.168.13.1 0.0.0.0
MDS3# show int fcip9 | inc Profile
Using Profile id 9  (interface GigabitEthernet2/2)
MDS2(config)# int g2/2
MDS2(config-if)# crypto map domain ipsec myMap

Key Points / Pitfalls

  • domain-name and hostname must be set prior to certificate generation
  • If you revoke a certificate you need to zeroize the rsa keypair
  • OCSP must be used for real-time revocation checking
  • You can define multiple trustpoints
  • When the identity is exported (PKCS#12), the CA certificate and RSA keypair are exported with it
  • IPSEC is configured on Gigabit interfaces, not on Port-Channels or FCIP interfaces
  • IPSEC with digital certificates requires identity hostname
  • MS iSCSI Initiator IKE uses 3DES, SHA or MD5 and DH 2
  • MS iSCSI Initiator IPSec uses 3DES, SHA-1
  • Cisco iSCSI Initiator IKE uses 3DES, MD5, DH1
  • Cisco iSCSI IPSec uses 3DES, MD5
  • If the peer IP address specified in the crypto map entry is a VRRP IP address on a remote Cisco MDS switch, ensure that the IP address is created using the secondary option
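As an added example (not from the original post), a small audit script that checks a config excerpt against three of the pitfalls above: an rsa-sig policy without identity hostname, a crypto map whose transform-set is never defined (the easy "set transform-set" slip), and a crypto map bound to a non-Gigabit interface. The script, its parser and the SAMPLE excerpt are constructed for this page and are not a Cisco or MDS tool.

```python
import re
# Hypothetical audit helper for the pitfalls above (not a Cisco/MDS tool); SAMPLE is constructed.
SAMPLE = """\
 policy 1
  authentication rsa-sig
crypto transform-set domain ipsec AES-MD5 esp-aes 128 esp-md5-hmac
crypto map domain ipsec MDS1MDS3map 1
 match address MDS1MDS3
 transform-set AES-MD5
interface port-channel 100
 crypto map domain ipsec MDS1MDS3map
"""

def parse_config(text):
    # Collect IKE policies, transform-sets, crypto maps and where each map is applied.
    cfg = {"policies": {}, "maps": {}, "transforms": set(), "applied": []}
    ctx = None  # enclosing block: ("policy", n) | ("map", name) | ("intf", name)
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := re.match(r"policy (\d+)$", line):
            ctx = ("policy", m.group(1)); cfg["policies"].setdefault(ctx[1], {})
        elif m := re.match(r"crypto transform-set domain ipsec (\S+)", line):
            cfg["transforms"].add(m.group(1)); ctx = None
        elif m := re.match(r"crypto map domain ipsec (\S+) \d+$", line):
            ctx = ("map", m.group(1)); cfg["maps"].setdefault(ctx[1], {})
        elif m := re.match(r"interface (.+)", line):
            ctx = ("intf", m.group(1))
        elif ctx and ctx[0] == "intf" and line.startswith("crypto map domain ipsec"):
            cfg["applied"].append((ctx[1], line.split()[-1]))  # map bound to interface
        elif line.startswith("crypto "):
            ctx = None
        elif ctx and ctx[0] == "policy":
            k, _, v = line.partition(" "); cfg["policies"][ctx[1]][k] = v
        elif ctx and ctx[0] == "map" and len(parts := line.split(None, 2)) == 3:
            if parts[0] in ("set", "match"):  # "set transform-set X" / "match address ACL"
                cfg["maps"][ctx[1]][parts[1]] = parts[2]
    return cfg

def audit(text):
    # One finding per pitfall hit; an empty list means none of the checks fired.
    cfg, findings = parse_config(text), []
    for n, p in cfg["policies"].items():
        if p.get("authentication") == "rsa-sig" and p.get("identity") != "hostname":
            findings.append(f"policy {n}: rsa-sig requires 'identity hostname'")
    for name, m in cfg["maps"].items():
        if m.get("transform-set") not in cfg["transforms"]:
            findings.append(f"crypto map {name}: transform-set {m.get('transform-set')} is not defined")
    for intf, name in cfg["applied"]:
        if not re.match(r"g(igabitethernet)?\d", intf, re.I):  # Gig ports only, not PO/FCIP
            findings.append(f"{intf}: crypto map {name} belongs on a GigabitEthernet interface")
    return findings
```

Running audit(SAMPLE) reports all three problems; feed it a show running-config excerpt from each peer before bringing the tunnel up.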