Monday, February 20, 2012

ISAKMP associations using RSA keys



Most of the IPsec tunnels I see configured, both in labs and in the real world, rely on relatively weak preshared keys to establish the initial secure ISAKMP channel for key exchange between the IPsec peers (see my IPsec quick and dirty article for an example configuration). A much stronger solution is to use public/private key pairs distributed by a secure Public Key Infrastructure (PKI) Certificate Authority (CA). Unfortunately, deploying an enterprise PKI is no small undertaking, and many engineers are understandably hesitant about tying any aspect of network connectivity to the functionality of unrelated servers or services.
Fortunately, IOS allows for a comfortable middle ground, using manually distributed RSA encryption keys on routers. The 12.4T documentation has a pretty clear run-down of the steps required for such a setup. The example in this post will create an IPsec tunnel between R1 and R3 in the following topology.
topology.png
First, we need to generate an RSA public/private key pair on both of the endpoint routers.
R1(config)# crypto key generate rsa general-keys label R1
The name for the keys will be: R1
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R3(config)# crypto key generate rsa general-keys label R3
The name for the keys will be: R3
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
If this is your first time creating an RSA keypair on the router, you may see a log message indicating that SSH has been enabled. RSA keys are also used for securing SSH connections.
%SSH-5-ENABLED: SSH 1.99 has been enabled
We can view the public key in our new keypair with the show crypto key mypubkey rsa command:
R1# show crypto key mypubkey rsa R1
% Key pair was generated at: 00:20:40 UTC Mar 1 2002
Key name: R1
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B000A8 22C680DC
AC788B8D 536BFF8A 999F7905 8F6D6878 73C07ECC 2BB2478A ACF270DB 08FF854F
99827407 294C63C4 1B5E9EBB CD3277E3 88A48EFD 033F3806 C9020301 0001
R3# show crypto key mypubkey rsa R3
% Key pair was generated at: 00:21:56 UTC Mar 1 2002
Key name: R3
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B6CAA3 400F6DA9
1D1D6553 3A272A70 A713D69B CA790F74 7D067215 4E2DEDC8 4A59F8A6 F849C422
8D7FCEBE 0D1E4D73 6541A85D 899D4208 EB176BB6 3125C290 63020301 0001
Note that I've neglected to properly configure the clock on the routers in my lab; when creating crypto keys in the real world, you want to first ensure the router's clock is accurate.
Both routers now have unique public and private keys. For these to be useful, we need to exchange the public keys between the routers so that R1 has a copy of R3's public key and vice versa. To do that, we create a public key chain on each router and manually copy the keys over.
R1(config)# crypto key pubkey-chain rsa
R1(config-pubkey-chain)# addressed-key 10.0.23.3 encryption
R1(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....
At this prompt you can simply copy the key from the output of R3's terminal into R1's terminal. End by entering quit.
R1(config-pubkey)# 305C300D 06092A86 4886F70D 01010105
R1(config-pubkey)# 00034B00 30480241 00B6CAA3 400F6DA9
R1(config-pubkey)# 1D1D6553 3A272A70 A713D69B CA790F74
R1(config-pubkey)# 7D067215 4E2DEDC8 4A59F8A6 F849C422
R1(config-pubkey)# 8D7FCEBE 0D1E4D73 6541A85D 899D4208
R1(config-pubkey)# EB176BB6 3125C290 63020301 0001
R1(config-pubkey)# quit
We can confirm that the key was successfully entered on R1 by inspecting its public key chain:
R1# show crypto key pubkey-chain rsa address 10.0.23.3
Key address: 10.0.23.3
Usage: Encryption Key
Source: Manually entered
Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B6CAA3 400F6DA9
1D1D6553 3A272A70 A713D69B CA790F74 7D067215 4E2DEDC8 4A59F8A6 F849C422
8D7FCEBE 0D1E4D73 6541A85D 899D4208 EB176BB6 3125C290 63020301 0001
Note that the hex string above exactly matches that in the output of show crypto key mypubkey rsa R3 on R3. This verifies that we have correctly copied its public key.
Repeat this configuration for R3, copying R1's public key to R3, to complete the key exchange.
With the RSA keys settled, we can move on to the ISAKMP and IPsec configurations. Creating an ISAKMP profile to use the RSA keys is almost indentical to one which uses a preshared key, except we specify RSA encryption as the authentication type instead of pre-shared.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication rsa-encr
At this point, you might encounter the following system message, especially if performing this configuration on a Dynamips lab:
%CRYPTO-4-IKMP_INVALID_POLICY: ISAKMP policy rsa-encr not supported by crypto
HW accelerator
This message warns that hardware RSA encryption is unavailable on the platform, and can be safely ignored in our case.
We can verify the creation of our ISAKMP policy with show crypto isakmp policy:
R1# show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Encryption
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
I'll resist diving into the remainder of the IPsec configuration here, but the following is an example configuration for R1 (you can also reference the complete R1 and R3 configs attached at the end of this article):
crypto ipsec transform-set MyTransformSet ah-sha-hmac esp-aes 
!
crypto ipsec profile MyProfile
set transform-set MyTransformSet
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.252
tunnel source 10.0.12.1
tunnel destination 10.0.23.3
tunnel protection ipsec profile MyProfile
Once the configurations have been completed, you can inpsect the ISAKMP and IPsec security associations with show crypto isakmp sa and show crypto ipsec sa, respectively:
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.0.23.3 10.0.12.1 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

R1# show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.0.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.12.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.0.23.3/255.255.255.255/47/0)
current_peer 10.0.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.0.12.1, remote crypto endpt.: 10.0.23.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8FF969E(150967966)
...

No comments: