Sunday, February 26, 2012

Using PKI with a third party certificate with cisco routers



I've spent a few hours working on this one lately, and thought for future reference I would document it here. The process itself is quite straightforward, but as with all things PKI related, you MUST have files and certificates in the right format and make sure that you follow certain steps in order, else it just won't work (and may not even tell you why).
PKI certificates are useful for a number of things, I need mine for WebVPN, but you also use it for https management to your router and I believe you can use it for IPSec using certificates instead of shared keys.
Firstly, you need to be running an IOS image which supports crypto. I am using an ADVSECURITY-K9 image on my router.
Then create a trustpoint. A trustpoint is basically a certificate authority who you trust, and it is called a trustpoint because you implicitly trust this authority. The idea is that by trusting a given self-signed certificate, then your PKI system will automatically trust any other certificates signed with that trusted certificate.
A trustpoint certificate is a self-signed certificate, hence the name trustpoint, since it does not rely on the trust of anyone else or other party.
Paste this into your router, changing anything in [HERE] to be whatever is appropriate for you. For example for me I need to change fqdn [FQDN.MYROUTER.ME] to be fqdn router.reub.net
router(config)crypto pki trustpoint cacert.org
router(ca-trustpoint)#enrollment terminal pem
router(ca-trustpoint)#fqdn [FQDN.MYROUTER.ME]
router(ca-trustpoint)#subject-name C=[COUNTRY], ST=[STATE] O=[DOMAIN], OU=[MY ROLE], CN=[FQDN.MYROUTER.ME]/emailAddress=[MY EMAIL ADDRESS]
router(ca-trustpoint)#revocation-check none
router(ca-trustpoint)#rsakeypair [FQDN.MYROUTER.ME] 1024
Then create some RSA keys. First start by wiping any old keys you have, so that you are starting on a clean slate:
router(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]:
Choose yes. If you have a reason to keep a particular RSA key you have already got in the router you may wish to skip this step.
Now create the keys:
router(config)#crypto key generate rsa general-keys label [FQDN.MYROUTER.ME] export modulus 1024
Being able to export your public and private key is good if you can keep it secure. It means that you can continue to use that key in the future if your router gets replaced or hardware corrupted or wiped.
The next step is to import the trustpoint root certificate. In my case I use www.cacert.org, and I can find their root certificate on their homepage.
crypto pki authenticate cacert.org
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: 
Fingerprint SHA1: 
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
test-router(config)#
Your trustpoint is now set up.
Next step is to create a CSR (certificate signing request):
router(config)#crypto pki enroll cacert.org
% Start certificate enrollment ..
% The subject name in the certificate will include: cn=router.reub.net
% The fully-qualified domain name will not be included in the certificate
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIIBgDCB6gIBADAPMQ0wCwYDVQQDEwR0ZXN0MIGfMA0GCSqGSIb3DQEBAQUAA4GN
[snip]
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
router(config)#
This csr is what you submit to your CA. They sign it, and return a signed certificate to you which you then enter like this:
router(config)#crypto pki import cacert.org certificate
% The fully-qualified domain name will not be included in the certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
% Router Certificate successfully imported
test-router(config)#
You should now be set to go.
I suggest you back up your public and private keys, and your certificate csr and signed certificate in case you ever need to reload them:
router(config)#crypto key export rsa
and
router(config)#crypto pki export
Other useful commands are:
router#show crypto pki certificates
router#show crypto key mypubkey rsa
Useful links:
http://www.cisco.com/en/US/partner/products/ps6635/products_white_paper0900aecd8029d630.shtml
-------------------------------------------------------------------------------------------------------------------------------------------------

Cisco IOS Site-to-Site IPSec VPN using Certificates



After a couple of weeks trying to get a Site-to-Site IPSec tunnel to work using a Watchguard firewall, I decided to simply do it with a Cisco Router.
These are the steps involved in the configuration, hopefully this will help someone else or myself in the future.
In my particular case, the remote end uses certificates for the VPN and has a Certification Authority, so first we have to generate a certificate and ask them to sign it, the CSR can be generated on the IOS but for backup purposes I always tend to use openssl, that way if the router/firewall dies, we have backups:
openssl req -new -nodes -keyout example.key -out example.csr

Generating a 1024 bit RSA private key
………….++++++
…………++++++
writing new private key to ‘example.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now that the CSR its done, the CA has to sign it.
After the CA does the signing, we need to import the certificates into the IOS device. There are many ways of doing this, but I prefer the PKCS#12 method since it’s self-contained and simpler.
To use PKCS#12, we need to create the p12 file, I do this with openssl:
openssl pkcs12 -export -in example.cer -inkey example.key -certfile ca.cer -name “name” -out example.p12
Enter Export Password:
Verifying – Enter Export Password:

Now that we have the certificate signed and in PKCS#12 format, we have to import it to the IOS device, for that we have to create a pki trustpoint:
R1(config)#crypto pki trustpoint EXAMPLE-VPN
R1(ca-trustpoint)#revocation-check none

With the trustpoint created, we can import the certificate. There are several methods, I use TFTP:
R1(config)#crypto ca import EXAMPLE-VPN pkcs12 tftp: PASSWORD
% Importing pkcs12…
Address or name of remote host []? 1.1.1.1
Source filename [trustpoint]? example.p12
Reading file from tftp://1.1.1.1/example.p12
Loading example.p12 from 1.1.1.1 (via FastEthernet0/0): !
[OK - 1245 bytes]

CRYPTO_PKI: Imported PKCS12 file successful
We can verify that everything was imported correctly with the commands:
show crypto pki trustpoints
show crypto pki certificates
Now that the certificates are out of the way, we can focus on the VPN configuration itself.
The tunnel parameters for this example are:
IKE Phase 1
  • Encryption 3DES
  • Hash SHA
  • DH-Group 2
IKE Phase 2
  • ESP-3DES-MD5
  • Local Network: 192.168.2.1/32
  • Remote Network: 192.168.1.0/24
IKE Phase 1:
crypto isakmp policy 1
encr 3des
authentication rsa-sig
hash sha
group 2
This can be verified using show crypto isakmp policy
Transform-Set(s):
crypto ipsec transform-set TRANSFORM-SET-NAME esp-3des esp-md5-hmac

This can be verified using show crypto ipsec transform-set

Interesting traffic and NATing the source:
Lets assume that my network is 192.168.0.0/24, the remote network 192.168.1.0/24 and that the remote side has told me that all of my traffic has to come from 192.168.2.1
ip access-list extended NAT-IP-VPN
permit ip host 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip nat pool VPN-NAT 192.168.2.1 192.168.2.1 prefix-length 30
ip nat inside source list NAT-IP-VPN pool VPN-NAT overload
ip access-list extended TRAFFIC-VPN
permit ip host 192.168.2.1 192.168.1.0 0.0.0.255

Be careful with the NAT because if you have more than one statement the order matters. This can be verified using show ip nat translationsshow access-lists

Crypto Map:
This is where we put it all together for the IKE Phase 2
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime seconds 86400
set transform-set TRANSFORM-SET-NAME
match address TRAFFIC-VPN

Apply the crypto map/nat on the interfaces:
interface FastEthernet0/0
description LAN
ip nat inside

interface ATM0.1 point-to-point
description WAN
ip nat outside
crypto map VPN-Map-1
Verification:
Now all we have to do is generate interesting traffic and test what happens, some useful commands are show crypto isakmp saand show crypto ipsec sa.
Useful Links:

No comments: