You want to create an encrypted VPN between two routers using RSA keys.
As in Recipe 12.3, we will use IPSec transport mode and a GRE tunnel for this encrypted router-to-router connection:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto key pubkey-chain rsa
Router1(config-pubkey-chain)#addressed-key 172.22.1.4
Router1(config-pubkey-key)#address 172.22.1.4
Router1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router1(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B8120C AC2C5AAC
Router1(config-pubkey)#ADAD378D A5A1F140 2EB9A66A DD6FF2A9 7DD47692 5CDE4732 E2C9EDDA 52809BE0
Router1(config-pubkey)#D60A5A34 CDD7DC31 DA7F9590 849F142E 26C6F130 0A2E4491 65020301 0001
Router1(config-pubkey)#quit
Router1(config-pubkey-key)#exit
Router1(config-pubkey-chain)#exit
Router1(config)#crypto isakmp policy 100
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication rsa-encr
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
Router1(config-crypto-map)#set peer 172.22.1.4
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 116
Router1(config-crypto-map)#exit
Router1(config)#access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
Router1(config)#interface Tunnel5
Router1(config-if)#ip address 192.168.66.5 255.255.255.252
Router1(config-if)#tunnel source 172.22.1.3
Router1(config-if)#tunnel destination 172.22.1.4
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.22.1.3 255.255.255.0
Router1(config-if)#crypto map TUNNEL-RSA
Router1(config-if)#end
Router1#
Here is the corresponding configuration for the other router:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 172.22.1.3
Router2(config-pubkey-key)#address 172.22.1.3
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router2(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B
Router2(config-pubkey)#7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33
Router2(config-pubkey)#7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
Router2(config)#crypto isakmp policy 100
Router2(config-isakmp)#encryption 3des
Router2(config-isakmp)#authentication rsa-encr
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
Router2(config-crypto-map)#set peer 172.22.1.3
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 116
Router2(config-crypto-map)#exit
Router2(config)#access-list 116 permit gre host 172.22.1.4 host 172.22.1.3
Router2(config)#interface Tunnel5
Router2(config-if)#ip address 192.168.66.6 255.255.255.252
Router2(config-if)#tunnel source 172.22.1.4
Router2(config-if)#tunnel destination 172.22.1.3
Router2(config-if)#exit
Router2(config)#interface FastEthernet1/0
Router2(config-if)#ip address 172.22.1.4 255.255.255.0
Router2(config-if)#crypto map TUNNEL-RSA
Router2(config-if)#end
Router2#
This recipe is similar to Recipe 12.3, except that here we use RSA keys for authentication and encryption instead of pre-shared keys. This technique is more secure but more time-consuming to configure.
The first step is to create a set of RSA encryption keys using the methods discussed in Recipe 12.6. We took the keys that we generated in this way and entered them into the router configurations. So, for example, we created the key on Router1 as follows:
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
% You already have RSA keys defined for Router1.oreilly.com.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 
Generating RSA keys ...
[OK]

Router1(config)#exit
Router1#show crypto key mypubkey rsa
% Key pair was generated at: 11:25:55 EST Jan 26 2003
Key name: Router1.oreilly.com
 Usage: General Purpose Key
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B
  7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33
  7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
% Key pair was generated at: 11:26:01 EST Jan 26 2003
Key name: Router1.oreilly.com.server
 Usage: Encryption Key
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A3603A 58941769
  EF93B43D C89AC7CF 2A6DA0D5 F72BCFF8 D9EEDDD2 B0CE9A8E B4BAFD2D 805A4D8F
  969A5AE3 5F4F8252 744A0834 B4BA24B9 BC7E4522 2345F081 587BD1A8 309B03F4
  A70F2373 2AB6CEE5 736F6D61 F64A94A6 30CE253F BEB8330B FF020301 0001
Router1#
Note that in this example we used the default 512-bit key. However, in production networks, we recommend using 1024-bit keys or higher.
Then we took the general purpose key from this output and entered it into the other router as follows:
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 172.22.1.3
Router2(config-pubkey-key)#address 172.22.1.3
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
Router2(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B
Router2(config-pubkey)#7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33
Router2(config-pubkey)#7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
We then repeated the procedure on the other router.
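Because the key-string is copied by hand from one router's show output into the other router's pubkey chain, two things are worth checking before the routers are asked to authenticate with it: that the hex blob pasted on the peer is byte-for-byte the key the originating router displayed, and that the modulus is actually the size you intended (the recipe used the 512-bit default but recommends 1024 bits or more). The key-string is a DER-encoded SubjectPublicKeyInfo, so both checks can be done offline. The following Python script is an added example, not part of the Cisco Cookbook recipe and not an IOS feature; it embeds the key data exactly as it appears in the recipe (Router1's displayed general-purpose key, the same key as typed into Router2's session with prompts, and the peer key stored on Router1), strips the IOS prompts, walks the DER structure with no third-party libraries, and reports modulus size, exponent and a SHA-256 fingerprint that two administrators can compare out of band. The 1024-bit threshold is the recipe's own recommendation; the fingerprint algorithm is this example's choice.

```python
import hashlib
import re

# Key data copied from the recipe. Router1's general-purpose key as printed by
# "show crypto key mypubkey rsa".
ROUTER1_SHOW_OUTPUT = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B
7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33
7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
"""

# The same key as pasted into Router2's pubkey chain, IOS prompts included.
ROUTER2_KEY_STRING_SESSION = """
Router2(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B
Router2(config-pubkey)#7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33
Router2(config-pubkey)#7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
Router2(config-pubkey)#quit
"""

# The peer key (for 172.22.1.4) stored on Router1, a different key pair.
ROUTER1_PEER_KEY_STRING = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B8120C AC2C5AAC
ADAD378D A5A1F140 2EB9A66A DD6FF2A9 7DD47692 5CDE4732 E2C9EDDA 52809BE0
D60A5A34 CDD7DC31 DA7F9590 849F142E 26C6F130 0A2E4491 65020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
PROMPT_RE = re.compile(r"^\s*\S+\(config-pubkey\)#", re.MULTILINE)


def key_string_to_der(text):
    """Strip IOS prompts, the closing 'quit' and all whitespace; return DER bytes."""
    text = PROMPT_RE.sub("", text)
    text = re.sub(r"\bquit\b", "", text)
    hex_digits = re.sub(r"\s+", "", text)
    if len(hex_digits) % 2:
        raise ValueError("odd number of hex digits in key-string")
    return bytes.fromhex(hex_digits)


def _read_tlv(buf, pos, expected_tag):
    """Parse one DER tag-length-value at pos; return (value_bytes, next_pos)."""
    if buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}, got 0x{buf[pos]:02x}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(der):
    """Return (modulus_bits, public_exponent) from a SubjectPublicKeyInfo blob."""
    spki, end = _read_tlv(der, 0, 0x30)            # outer SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg, pos = _read_tlv(spki, 0, 0x30)            # AlgorithmIdentifier
    oid, _ = _read_tlv(alg, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bitstr, _ = _read_tlv(spki, pos, 0x03)         # BIT STRING wrapping RSAPublicKey
    if bitstr[0] != 0:
        raise ValueError("unexpected unused-bits byte in BIT STRING")
    rsa_seq, _ = _read_tlv(bitstr, 1, 0x30)        # RSAPublicKey SEQUENCE
    mod_bytes, pos = _read_tlv(rsa_seq, 0, 0x02)   # INTEGER modulus (leading 00 if needed)
    exp_bytes, _ = _read_tlv(rsa_seq, pos, 0x02)   # INTEGER publicExponent
    modulus = int.from_bytes(mod_bytes, "big")
    exponent = int.from_bytes(exp_bytes, "big")
    return modulus.bit_length(), exponent


def fingerprint(der):
    """SHA-256 of the DER blob, for out-of-band comparison between administrators."""
    return hashlib.sha256(der).hexdigest()


def check_key(text, min_bits=1024):
    """Summarise a key-string: modulus size, exponent, fingerprint and size verdict."""
    der = key_string_to_der(text)
    bits, exponent = parse_rsa_public_key(der)
    return {
        "modulus_bits": bits,
        "exponent": exponent,
        "fingerprint": fingerprint(der),
        "meets_minimum": bits >= min_bits,
    }


if __name__ == "__main__":
    shown = check_key(ROUTER1_SHOW_OUTPUT)
    typed = check_key(ROUTER2_KEY_STRING_SESSION)
    print(shown)
    print("copy on Router2 matches Router1's key:", shown["fingerprint"] == typed["fingerprint"])
    print("peer key stored on Router1:", check_key(ROUTER1_PEER_KEY_STRING))
```

Run it against a transcript of the `show crypto key mypubkey rsa` output on one router and a transcript of the `key-string` session on the other; equal fingerprints mean the paste was clean, and `meets_minimum` false flags a 512-bit key before it goes into production.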
With the keys in place, we proceeded to tell the routers how to use these keys to create an IPSec connection. Even though we are using a manually entered key, the two routers still need to use ISAKMP. The important difference between this example and the one in Recipe 12.3 is that here we are using RSA authentication keys. So we need to tell the routers to use this key method in the ISAKMP policy:
Router1(config)#crypto isakmp policy 100
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication rsa-encr
Router1(config-isakmp)#group 2
After that, the remainder of the configuration is essentially identical to what we showed in Recipe 12.3.