Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 11

January 26, 2023

17. RSA-Sig IKEv2 Authentication

Hello guys, welcome to a new video. I'm really excited for this video because we are going to be implementing digital certificates. So we are now going to use PKI to authenticate IKEv2. We are going to be using digital certificates, and we are going to first configure a certificate authority, which is going to be this ISP right here. It is going to be assigned as the CA, and it's going to be the trusted entity that's going to issue the certificates to all my routers over here. And then those routers are going to be using those digital certificates that come from this router, and they are going to be able to authenticate with IKEv2.

And also, after I get all these digital certificates, I'm going to be configuring a DVTI. So this one is going to be the hub and these ones are going to be the spokes, and they are going to be authenticating. They're not going to be authenticating using pre-shared keys; they are going to be authenticating with certificates. So it's going to be a little bit of a long configuration. So let's go ahead and start with that configuration, guys. I want to start with the ISP, which is going to be the CA, or the certificate authority, which, like I said, is the trusted entity that issues the digital certificates. So we are going to start with the ISP.

The first thing that you want to do is ntp, and you want it to be an NTP master, and we are going to put a stratum of five. And also I want to configure an interface loopback for this one: loopback 5, IP address 5.5.5.5. There we go. And I want to configure this as an NTP master because the certificates are time sensitive, so therefore we want to have the other routers synchronized with the same time, otherwise it could cause problems. So we are going to configure NTP as well. Since I configured this as a master, we are all going to be able to connect to it and get the time from the NTP master. After that we need to go ahead and configure, or enable, the HTTP server.

HTTP server, you have to enable it because that's how we are going to get the certificate from the spokes. Okay, so that is done. After that is done we need to do a crypto pki server, and we're going to call it CA. We have to give it the issuer name, and the issuer name is going to be CN=CA, comma, and for organization it's going to be ccdtt.com. All right, hash: we are going to use MD5, and we are going to automatically grant incoming SCEP enrollment requests. So SCEP is the protocol that lets routers enroll in this PKI server. So we are going to just automatically grant incoming SCEP enrollment requests.

So let's go ahead and say auto, and then after that is done we just go and do a no shutdown, and it's going to ask us for a password, or for a passphrase, and this is to protect our private key. So the passphrase for the private key: cisco123; you can name it whatever you want. I'm just going to name it that, and that's going to generate keys for us, and as you can see the PKI server is now enabled. So that's a good sign. And if you want to see it, you can do a show, or we can just do show crypto pki server, and we can see the server right here. The status is enabled. So that's good. Here's the issuer name. Great. The last certificate issued serial number was this one. That's our own digital certificate. Next update, next certificate expiration in 2022, and there it is. So that is good. So we have our certificate authority configured. Now we need to configure the routers so they can get their own digital certificate from the CA, which is this one. Now let's go ahead and bring up... we're going to start with the hub, config t. And the first thing that we want to do is an ntp server, and we want to point it to that loopback IP address that we configured over here.

Also, let's see if we're able to ping it first. We are, so since we are able to ping it we should do the ntp server, and then you can do a do show ntp associations and you can see right here it is working, and you can also do show ntp status; it says it's unsynchronized. It still hasn't synchronized yet, but it is configured, so that's good. What we could do now, from the hub here, is a crypto key generate, and we have to generate our own RSA key; the modulus is going to be 1024, and the label, I want to label this hub.ccdtt.com. Great. After that is done you can do show crypto key mypubkey rsa and you want to see that RSA key; you can go ahead and do hub.ccdtt.com and you can see your RSA key that has been configured. So after that is done you need to do a crypto pki trustpoint, and we are going to call this TRUSTED-CA, and over here you need to do the enrollment URL, which is going to be http, and that's why we enabled HTTP on this ISP router. Then we do an rsakeypair, and you are going to use the RSA key pair that we configured, which we named hub.ccdtt.com. Over here the subject name is going to be CN, it's going to be called hub, and the organization name is going to be ccdtt.com. Revocation check: we are going to say none.

There we go. Then we do exit. After we do that we're going to do a crypto pki authenticate, and we are going to authenticate with TRUSTED-CA. There we go. Do you want to accept this certificate? You want to say yes. So the trustpoint CA certificate has been accepted. That's good. And if you do show crypto pki trustpoints, you can see that trustpoint. It is coming from this URL. Here's the subject name of that CA, right: CA, ccdtt.com, which is the one that we configured from the ISP. So that means that it is working. You can also do show crypto pki certificates. You can see the certificates right here. The issuer is CA, subject CA. Here's the start date and here's the end date. All right. So now after that we need to go ahead and create our own certificate. So we do a crypto pki enroll, and we're going to enroll with TRUSTED-CA. You have to create a password. There we go. So the first one you want to say no, second one, let's say yes. The IP address is going to be the local IP address of the hub interface, which is 192 181. Good. And then the next one you want to say yes.

Good. Now we have our own certificate. So if we do a show crypto pki certificates, you're going to see now that you have your own certificate, which is named hub, with this IP address. Here's the hostname, here's the CA, the organization. Here's the start date and the end date. Okay, so that is good, guys. That is really good. So now we need to do that for router one, router two and router three. So let's go ahead and do that. I'm going to be doing it a little bit faster. I'm not going to do any show commands for this one. So let's go ahead and config t. And we are going to do first the ntp server. After that we do the crypto key generate: crypto key generate rsa modulus 1024. The label for this one is going to be R1, because this one is R1: r1.ccdtt.com. Good. Then we have to do the crypto pki trustpoint; it's going to be called TRUSTED-CA. Over here we need to do the enrollment URL http, rsakeypair, which is the one that we just configured right here. We need to attach it in here. And if you want to do the FQDN, you can also do that. It's going to be r1.ccdtt.com. Subject name: you can do the CN, it's going to be R1, organization, it's going to be ccdtt.com. Revocation check:

It's going to be none. Exit. crypto pki authenticate with TRUSTED-CA. Yes, done. And then you want to do the crypto pki enroll, enroll with the trusted, if I know how to spell it, CA. Password: you can create your own password. The first question is going to be no. Second one is yes. And then the IP address is going to be 192 101. And then for that question, do you want to request a certificate from the CA, you want to say yes. Great. So now we have our digital certificate for R1. We need to do it for R2 as well. What we could do is we can just go ahead and open Notepad, and we can copy and paste what we need. So let's go and open Notepad, right? So for the first one we need to do an ntp server. Then after that we need to do the crypto key generate rsa modulus 1024. The label is going to be r2.ccdtt.com. Then we do the crypto pki trustpoint. We're going to call it TRUSTED-CA.

You want to do the enrollment URL http. Then we do the rsakeypair, and we get it from this one right here; copy it and paste it right here. Then we do the FQDN r2.ccdtt.com. Then the subject name is going to be CN, it's going to be R2, comma organization, all together equals ccdtt.com. Revocation check: we are going to say none. There we go. Then we exit out of here, and then we have to just do this one by one, which is a crypto pki authenticate with TRUSTED-CA. That's going to ask you if you want to accept it, and then you want to do the crypto pki enroll TRUSTED-CA. All right, so I'm just going to paste this stuff over here. Copy, let's go ahead to router two. Then we have to do the crypto pki trustpoint TRUSTED-CA, revocation check none, exit. Then you want to do the enrollment, you say yes, or the authentication, and then you want to do the PKI enrollment. It's going to ask you for a password. For the first question you want to say no. The second one, yes. And then the IP address is going to be 192 121, and then for the last question you want to say yes.

So there we go, that is done. Now let's go ahead and do it for router three. And we are going to just go ahead and open Notepad, and we have to change router two for router three: router three, router three, R3, and there we go. Everything is going to be the same. Then we do the crypto pki trustpoint TRUSTED-CA, then we do the crypto pki authenticate, we say yes, and then we do the enrollment. We enter the password, or you create a password. The first one you say no, the second one you say yes. Then we do the IP address, which is 192 131, and then you say yes, and there we go. So we have the digital certificates for the hub, router one, router two and router three, and also the ISP. And the ISP is the one giving out all these digital certificates. So now what we can do is we can go ahead and create this DVTI. And the first step that we need to do to create this one is, we are not going to use a keyring, because a keyring is for using pre-shared keys. So we are going to create a certificate map.

So you go like this and do a crypto certificate... let me see if I got it: crypto pki certificate map CMAP, sequence number 10, issuer-name co, and you're going to say it's going to be the CA. So now I also want to put all this into Notepad, because we are just going to copy and paste, because it's going to be basically the same configuration. Okay, paste that right here. Good. After that is done, we need to go ahead and configure a crypto ikev2 proposal. We're going to call it IKEV2-PROPOSAL. And the proposal is going to be encryption, it's going to be 3DES, integrity MD5, Diffie-Hellman group number two, right? So let's go ahead and do that. This right here, crypto ikev2 proposal.

IKEV2-PROPOSAL, encryption 3DES, hash, group number two. And this one actually needs to be integrity. Then after that we need to go and create the crypto ikev2 policy, and we're going to call this IKEV2-POLICY. And inside here we need to just specify the proposal that we're going to be using, which is IKEV2-PROPOSAL. And after that is done, what we want to do is we want to go ahead and create the DVTI tunnel, and since we only have to do the virtual template from the hub, we are just going to go ahead and configure the hub.

So let's go ahead and do that, guys. So you want to do an interface virtual-template type tunnel, and you actually have to give it a number: eight. And so here we want to do a tunnel mode. It's going to be IPsec with IPv4, and then we'll do show ip interface brief. You are going to borrow a loopback IP address. So we're going to do ip unnumbered loopback 8, and let's also specify the tunnel source. So after that is done, we need to go ahead and configure the crypto ikev2 profile. So let's go ahead and do crypto ikev2 profile. We are going to call this IKEV2-PROFILE, and inside this profile, what we need to do is the identity local. It's going to be using the distinguished name. So you do a DN, and then we need to match the certificate that we are going to be using, and it is CMAP, which was the one that we configured right here, CMAP, because we are not attaching the keyring anymore, because we're not going to use pre-shared keys. We are using digital certificates. So therefore, that's why I configured that certificate map.

Okay, that is done. We need to do an authentication. It's going to be remote, and it's going to be using rsa-sig, because we're using digital certificates, and then authentication local, it's also going to be using rsa-sig. And then you want to do the virtual-template, and you want to attach it right here: eight, right. So let's go ahead and just copy this and paste it in the hub. We have an issue with the match certificate. I spelled that wrong. Okay, CMAP. There we go. Go ahead and copy it and remove this one, because I spelled it incorrectly. So that is done. After that, what we need to do is, of course, IPsec. So we do crypto ipsec transform-set. We're going to call it just TSET, that's fine. And over here we need to do ESP-AES and ESP-SHA-HMAC. And then we do the crypto ipsec profile, and we want to... IPsec profile. So we do IPSEC-PROFILE for the name, and we want to attach the transform set: set transform-set TSET. And we also need to set the ikev2 profile to IKEV2-PROFILE. Copy this, paste that right here. So we are done with that. After that we need to go ahead and go into the interface virtual-template. And you want to do template 8 type tunnel, and you want to do the tunnel protection ipsec profile IPSEC-PROFILE. There we go. ISAKMP is now on. So that is a good sign.

So now what we need to do is the same configuration for router one, router two, router three. It's just that we are going to be using tunnels instead of virtual templates. So we're going to do interface tunnel 8 for all of them. The ip unnumbered is going to be loopback 0, because they all have that loopback 0 configured. Tunnel destination, it's going to be 192 181. That's good. Tunnel source is going to be gigabit, then tunnel mode ipsec ipv4, and the tunnel mode, or tunnel protection, it's going to be ipsec profile, and the profile is IPSEC-PROFILE. So that is good. Looking good, looking good. So also from these virtual templates, if you do that, it should take care of adding OSPF. So we are going to be configuring OSPF. Let's go ahead and open Notepad and copy this right here and paste it. And we have to remove this virtual template from the IKEv2 profile because it's not going to be there. And let's go into router one.

And we have to do the crypto... or the certificate map, proposal, policy, IKEv2 profile. Let's go ahead and copy and paste all that; no errors. That's good. Then let's go ahead and do IPsec. No errors. That's also good. And then let's go ahead and do this. Tunnel... ISAKMP is on. That is a really good sign. So if we do show ip ospf, we can see OSPF ID one, so that's good. Let's go ahead and go to the hub: show ip... not show ip, show ip interface brief. It is still down, so that's not a good sign. Let's go and do a debug crypto ikev2, do it all. Let's see if we get any errors over here, okay, on all. Let's see what errors we got. Failed to initiate the exchange. Failed to initiate exchange, failed to find a matching policy. No proposal chosen, notify. So we have an issue with the proposal. show crypto ikev2 proposal: 3DES, MD5 is there over here. show crypto ikev2 proposal, and it looks like we have the same. Okay, let's go ahead and do a show... instead of proposal, policy. Do this one over here: policy. So for the ikev2 policy, we only have the default for the hub.

So it looks like we didn't create... Okay. config t. I forgot to create, or attach, this proposal that we created. So let's go ahead and do this: copy and paste it. interface tunnel 8, shutdown, exit, interface virtual-template 8 type tunnel, shutdown, no shutdown, no shutdown. ISAKMP is on. Interface is up. And there we go. Interface is up, and let's do a debug again: debug crypto ikev2. Let's see what errors we get now. Destination IP address retrieved, trustpoint TRUSTED-CA, we got the public IP address. Then we got this: SA detection, IP authentication exchange failed. Interesting. Let's go ahead and just do the same configuration that we have right here for router two and let's see if it works. And if it works... I think I know why it didn't work for router one, but let's see what happens whenever I configure it for router two. And it didn't come up either on the hub, so that's also not a good sign. ISAKMP is on. show ip interface brief. Okay, let me see if I got anything wrong: destination is good, source is good, IPsec good, ip unnumbered good. Hey guys, I'm back. Sorry for that.

I had to go upstairs and do something. So let's see. Let's verify my... so we are not able to form a tunnel. Let me see if I can do a show crypto session. Actually not show crypto, show run. See if I'm missing something. Here's my certificates, policy, proposal; all of the proposals are in here. Okay. I think I'm missing something. Let's go ahead and go to the profile. I go to the profile. I think I forgot to do the pki trustpoint TRUSTED-CA. Let's also do this from R1. We have to go in right here and do a pki trustpoint TRUSTED-CA. See if that does the magic. I haven't seen anything. interface tunnel 8, let's just go ahead and shut it down; interface virtual-template 8 type tunnel, shut down, let's do no shutdown from here. Okay, IPsec packet is invalid... loaded. Okay, so we see something over here: we see that OSPF is now loading. Okay, so that's what I was missing. You can see that virtual-access 1 is working. So let's go ahead and go into router two. config t. So I was just missing that pki trustpoint TRUSTED-CA; that should also... right. Did I configure everything over here? Yeah, I configured everything over here. Let's go ahead and go to the hub, tunnel 8. Let's go interface tunnel.

There it is, it just came right up, and you can see tunnel 8 full and loading. We go to the hub and you can see that virtual-access 2 is working as well. So now let's go ahead and configure it. Let's go right over here. So what I was missing from over here is this: not that... it is the pki trustpoint TRUSTED-CA. I forgot to mention the trustpoint in the IKEv2 profile. So what we could do, we can just go ahead and copy all this, and it should work for router three as well. There we go. And then if we go to interface gigabit 1, I believe, which is the local one, we should be able to enable OSPF on there: ip ospf 1 area 0. OSPF isn't configured. So I forgot... do a show ip interface brief. I don't have that configured. show ip interface brief. Yeah, I don't have that configured. So let's go and do ip 10 10 31, just do no shutdown, and then ip address, there we go. Then we can do the ip ospf. Okay, I did this from the incorrect... did I just copy everything? Man, I was supposed to paste that on router three and I pasted it on the hub. Okay, that's not a good sign. Let's do...

no ip ospf. Let's go ahead and shut this bad boy down. Let's do no interface tunnel 8 as well. So we're supposed to paste all of this configuration locally? Yeah. So since I copied all of this, I need to add into the IKEv2 profile... I need to add something else that was probably overwritten. So you want to do a virtual... actually, it should be there. If we do show crypto ikev2 profile, yeah, we don't have a virtual template, so if we do virtual-template 8, sorry for that. And show ip interface brief. I keep messing it up. config t, go back over here: no virtual-template 8. Okay, so the hub is the one that we want to do, and show crypto ikev2 profile, verify that the virtual template is there. Okay, it is indeed there. So nothing should have changed. If you do a show ip interface brief, sorry for the confusion and everything I'm doing, okay, virtual-access 1 is there. Now we should configure router three. And router three is going to have interface 1, ip ospf 1 area 0. So I was going to copy all of this, and this should work. Boom. There we go.

ISAKMP is on, OSPF is on, loading to full. So that is a good sign. Here's another better sign: virtual-access 1 is up and running. If we do a show crypto connection, maybe, or engine connections active. If you do that, you can see the connections that are active. You can see the ID of each one of the connections that we have up and running for IPsec. And you can see the IKEv2 tunnels. We have three tunnels working, and if you do show crypto ikev2 sa, you can see the IKEv2 SAs. In front, over here, you can see that the local is going to be the same, because the local is the hub, right? The remote is 192 101, which is router 1, port 500, because we are not using NAT traversal. If you were using NAT traversal, it was going to be 4500. You can see the encryption that we provided from the proposal: encryption is 3DES, hashing MD5, DH group number two, authentication. Now.

We are not using a pre-shared key. We are actually using an RSA digital certificate that we got from our certificate authority, which was the ISP. You can see this one, and then the remote 192 12... Here's the encryption that comes from the proposal. You can see that we are actually using RSA and RSA, and all of that is working great. So we were able to configure, finally configure it. I know I made a lot of errors, but I was able to figure out what was wrong and I was able to fix it, which is a good sign, right? Troubleshooting is part of the CCNP Security exam that I'm trying to take.

So I was able to troubleshoot and find out what was wrong with it. The first part was that the proposal was not attached to the IKEv2 policy in the hub. We fixed that, and then the next step was that I forgot to put the pki trustpoint TRUSTED-CA into the crypto ikev2 profile, and we fixed that. And then I pasted the entire configuration that was supposed to go to R3 into the hub. And then I put the virtual template into R3, and that was not supposed to be there. So I removed that, and then we fixed it. So that's it for this video.
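As an added reference (not part of the video or its author's configuration), here is the CA, hub and spoke configuration the walkthrough builds up, consolidated with the two fixes the troubleshooting uncovered. Interface names, the enrollment URL, the hub loopback number and the hub address are assumptions; the ccdtt.com organization and the object names follow the transcript.

```cisco
! CA on the ISP router: NTP source and SCEP server
ntp master 5
interface Loopback5
 ip address 5.5.5.5 255.255.255.255
ip http server
crypto pki server CA
 issuer-name CN=CA,O=ccdtt.com
 hash md5
 grant auto
 no shutdown
!
! Hub: sync time, generate the key pair, define and enroll the trustpoint
! (enrollment url assumed: the CA's loopback address)
ntp server 5.5.5.5
crypto key generate rsa modulus 1024 label hub.ccdtt.com
crypto pki trustpoint TRUSTED-CA
 enrollment url http://5.5.5.5:80
 rsakeypair hub.ccdtt.com
 subject-name CN=hub,O=ccdtt.com
 revocation-check none
! both commands below are interactive: accept the CA certificate, then answer
! the enrollment prompts (no serial number, yes to the IP address and request)
crypto pki authenticate TRUSTED-CA
crypto pki enroll TRUSTED-CA
!
! Hub: certificate map takes the place of the keyring used with pre-shared keys
crypto pki certificate map CMAP 10
 issuer-name co cn = ca
!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity md5
 group 2
crypto ikev2 policy IKEV2-POLICY
! fix 1 from the troubleshooting: without this line the hub keeps the default
! policy and the debug shows "failed to find a matching policy"
 proposal IKEV2-PROPOSAL
!
crypto ikev2 profile IKEV2-PROFILE
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
! fix 2: the profile must name the trustpoint that holds the router's certificate
 pki trustpoint TRUSTED-CA
 virtual-template 8
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
!
! Hub DVTI (WAN interface name and hub loopback number assumed)
interface Virtual-Template8 type tunnel
 ip unnumbered Loopback8
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
! Spoke (R1): same PKI, certificate map, IKEv2 and IPsec blocks as the hub,
! with its own key label and subject name and WITHOUT "virtual-template 8"
! in the IKEv2 profile; a static tunnel points at the hub (hub address assumed)
interface Tunnel8
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
! Verification used in the walkthrough
show crypto ikev2 sa
show crypto engine connections active
```

3DES, MD5, DH group 2, 1024-bit RSA keys and revocation-check none are the lab's choices as shown in the video; a production deployment would pick AES and SHA-2, a larger DH group and key size, and enable revocation checking so a revoked spoke certificate stops authenticating.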
