
Recipe 12.7 Creating a Router-to-Router VPN with RSA Keys

12.7.1 Problem

You want to create an encrypted VPN between two routers using RSA keys.

12.7.2 Solution

As in Recipe 12.3, we will use IPSec transport mode and a GRE tunnel for this encrypted router-to-router connection:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#crypto key pubkey-chain rsa
Router1(config-pubkey-chain)#addressed-key 172.22.1.4
Router1(config-pubkey-key)#address 172.22.1.4
Router1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
   
Router1(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B8120C AC2C5AAC
Router1(config-pubkey)#ADAD378D A5A1F140 2EB9A66A DD6FF2A9 7DD47692 5CDE4732 E2C9EDDA 52809BE0
Router1(config-pubkey)#D60A5A34 CDD7DC31 DA7F9590 849F142E 26C6F130 0A2E4491 65020301 0001
Router1(config-pubkey)#quit
Router1(config-pubkey-key)#exit
Router1(config-pubkey-chain)#exit
Router1(config)#crypto isakmp policy 100
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication rsa-encr
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
Router1(cfg-crypto-trans)#mode transport
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
Router1(config-crypto-map)#set peer 172.22.1.4
Router1(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router1(config-crypto-map)#match address 116
Router1(config-crypto-map)#exit
Router1(config)#access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
Router1(config)#interface Tunnel5
Router1(config-if)#ip address 192.168.66.5 255.255.255.252
Router1(config-if)#tunnel source 172.22.1.3
Router1(config-if)#tunnel destination 172.22.1.4
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.22.1.3 255.255.255.0
Router1(config-if)#crypto map TUNNEL-RSA
Router1(config-if)#end
Router1#

Here is the corresponding configuration for the other router:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 172.22.1.3
Router2(config-pubkey-key)#address 172.22.1.3
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
   
Router2(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B
Router2(config-pubkey)#7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33
Router2(config-pubkey)#7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
Router2(config)#crypto isakmp policy 100
Router2(config-isakmp)#encryption 3des
Router2(config-isakmp)#authentication rsa-encr
Router2(config-isakmp)#group 2
Router2(config-isakmp)#exit
Router2(config)#crypto ipsec transform-set TUNNEL-TRANSFORM ah-sha-hmac esp-3des esp-sha-hmac
Router2(cfg-crypto-trans)#mode transport
Router2(cfg-crypto-trans)#exit
Router2(config)#crypto map TUNNEL-RSA 10 ipsec-isakmp
Router2(config-crypto-map)#set peer 172.22.1.3
Router2(config-crypto-map)#set transform-set TUNNEL-TRANSFORM
Router2(config-crypto-map)#match address 116
Router2(config-crypto-map)#exit
Router2(config)#access-list 116 permit gre host 172.22.1.4 host 172.22.1.3
Router2(config)#interface Tunnel5
Router2(config-if)#ip address 192.168.66.6 255.255.255.252
Router2(config-if)#tunnel source 172.22.1.4
Router2(config-if)#tunnel destination 172.22.1.3
Router2(config-if)#exit
Router2(config)#interface FastEthernet1/0
Router2(config-if)#ip address 172.22.1.4 255.255.255.0
Router2(config-if)#crypto map TUNNEL-RSA
Router2(config-if)#end
Router2#

12.7.3 Discussion

This recipe is similar to Recipe 12.3, except that here we use RSA keys for authentication and encryption instead of pre-shared keys. This technique is more secure, but it is more time-consuming to configure, because each router's public key has to be generated and then copied by hand into the peer's configuration.

The first step is to create a set of RSA encryption keys using the methods discussed in Recipe 12.6. We took the keys that we generated in this way and entered them into the router configurations. So, for example, we created the key on Router1 as follows:

Router1(config)#crypto key generate rsa 
The name for the keys will be: Router1.oreilly.com
% You already have RSA keys defined for Router1.oreilly.com.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
   
How many bits in the modulus [512]: 
Generating RSA keys ...
[OK]
   
Router1(config)#exit
Router1#show crypto key mypubkey rsa 
% Key pair was generated at: 11:25:55 EST Jan 26 2003
Key name: Router1.oreilly.com
 Usage: General Purpose Key
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B 
  7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33 
  7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
% Key pair was generated at: 11:26:01 EST Jan 26 2003
Key name: Router1.oreilly.com.server
 Usage: Encryption Key
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A3603A 58941769 
  EF93B43D C89AC7CF 2A6DA0D5 F72BCFF8 D9EEDDD2 B0CE9A8E B4BAFD2D 805A4D8F 
  969A5AE3 5F4F8252 744A0834 B4BA24B9 BC7E4522 2345F081 587BD1A8 309B03F4 
  A70F2373 2AB6CEE5 736F6D61 F64A94A6 30CE253F BEB8330B FF020301 0001
Router1#

Note that in this example we used the default 512-bit key. However, in production networks, we recommend using 1024-bit keys or higher.

Then we took the general purpose key from this output and entered it into the other router as follows:

Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 172.22.1.3
Router2(config-pubkey-key)#address 172.22.1.3
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
   
Router2(config-pubkey)#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B
Router2(config-pubkey)#7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33
Router2(config-pubkey)#7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit

We then repeated the procedure on the other router.
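Because the public key is copied from one router's `show crypto key mypubkey rsa` output into the other router's `key-string` by hand, the two places a mistake can creep in are a transcription error and a key that is weaker than you intended. The script below is an added example, not part of the book or of Cisco IOS: it takes the Router1 key data exactly as printed in the recipe, parses the hex as the DER `SubjectPublicKeyInfo` that IOS displays, reports the modulus size and a SHA-256 fingerprint, and compares it with the hex entered on Router2. The names `check_key`, `parse_rsa_spki` and `hex_from_show_output`, and the 1024-bit minimum, are my own choices; the minimum matches the recipe's recommendation.

```python
"""Check a Cisco IOS RSA public key before trusting it on the peer router.

Added example, not from the recipe. It parses the hex that IOS prints under
"Key Data:" (a DER SubjectPublicKeyInfo), reports the modulus size, and
compares it with what was typed into 'key-string' on the other router.
"""
import hashlib
import re

# Constructed from the recipe's 'show crypto key mypubkey rsa' output on Router1
# (General Purpose key only; the .server encryption key is not used for ISAKMP).
ROUTER1_SHOW_OUTPUT = """\
% Key pair was generated at: 11:25:55 EST Jan 26 2003
Key name: Router1.oreilly.com
 Usage: General Purpose Key
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B
  7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33
  7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001
% Key pair was generated at: 11:26:01 EST Jan 26 2003
Key name: Router1.oreilly.com.server
"""

# The key-string typed on Router2 for address 172.22.1.3, taken from the recipe.
ROUTER2_ENTERED_KEY = (
    "305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DA2810 6627212B "
    "7234CC4A 91BCB4CC 7985AD4B 884E4653 9E533422 A34A4011 E7402B56 7DCE7A33 "
    "7407C6DE 995D2EBD E9F2C29D B4EEB962 61B9CF3B 05D903FC 57020301 0001"
)

RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption
HEX_LINE = re.compile(r"\s*[0-9A-Fa-f]+(?:\s+[0-9A-Fa-f]+)*\s*")


def hex_from_show_output(text):
    """Collect the hex groups printed under the first 'Key Data:' line."""
    groups, collecting = [], False
    for line in text.splitlines():
        if not collecting:
            collecting = line.strip() == "Key Data:"
            continue
        if HEX_LINE.fullmatch(line):
            groups.extend(line.split())
        else:
            break  # first non-hex line ends the key block
    return "".join(groups)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_spki(hexstr):
    """Decode an rsaEncryption SubjectPublicKeyInfo; return (modulus, exponent)."""
    der = bytes.fromhex(hexstr)
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)  # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(spki, pos)  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0x00:
        raise ValueError("malformed subjectPublicKey")
    tag, rsa, _ = _read_tlv(bits, 1)
    if tag != 0x30:
        raise ValueError("missing RSAPublicKey SEQUENCE")
    n_tag, n, pos = _read_tlv(rsa, 0)
    e_tag, e, _ = _read_tlv(rsa, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def check_key(show_output, entered_key, min_bits=1024):
    """Compare the owner's published key with the hex typed on the peer."""
    published = hex_from_show_output(show_output).upper()
    typed = re.sub(r"\s+", "", entered_key).upper()
    n, e = parse_rsa_spki(published)
    return {
        "match": published == typed,
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "meets_minimum": n.bit_length() >= min_bits,
        "sha256": hashlib.sha256(bytes.fromhex(published)).hexdigest(),
    }


if __name__ == "__main__":
    report = check_key(ROUTER1_SHOW_OUTPUT, ROUTER2_ENTERED_KEY)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run against the recipe's own key data the report shows that the key entered on Router2 matches Router1's published key byte for byte, that the exponent is 65537, and that the modulus is the 512-bit default the discussion warns about, so `meets_minimum` is false. Reading the fingerprint back to the Router1 operator over a second channel is the usual way to confirm you are entering the right router's key rather than one that was substituted in transit.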

With the keys in place, we proceeded to tell the routers how to use these keys to create an IPSec connection. Even though we are using a manually entered key, the two routers still need to use ISAKMP. The important difference between this example and the one in Recipe 12.3 is that here we are using RSA authentication keys. So we need to tell the routers to use this key method in the ISAKMP policy:

Router1(config)#crypto isakmp policy 100
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication rsa-encr
Router1(config-isakmp)#group 2

After that, the remainder of the configuration is essentially identical to what we showed in Recipe 12.3.

12.7.4 See Also

Recipe 12.3; Recipe 12.6

