Configuring a Site-to-Site VPN between two ASAs (8.4.2) using digital certificates

Posted: August 6, 2015 in CISCO

In my previous blog post I shared my experience configuring a site-to-site VPN using pre-shared keys.

When we have to create VPNs between multiple routers (R1 to R2 and R2 to R3, for example), we could use the same pre-shared key for all connections, but that is bad security practice. If we set a different pre-shared key for every connection, we need to keep track of all of them, which is an additional administrative burden.

The solution is to use digital certificates. Each certificate is digitally signed by a Certification Authority (CA), a server that issues certificates and is trusted by all participants in the communication. Each certificate contains the device's public key, the CA's digital signature (an encrypted hash of the certificate content, signed by the CA) and the device's identity. When R1 wants to communicate with R2, it presents its certificate to R2. R2 decrypts the CA signature using the CA's public key, computes its own hash of the certificate content and compares the two (the decrypted signature is, again, a hash of the certificate contents). If the hashes match, R2 trusts the certificate and will communicate with R1.

[Topology diagram]

A Windows server will act as the CA. The topology is the same as in the pre-shared key post, as is the configuration (I removed R2 and put a Windows XP VM in its place).

R3 configuration:

interface FastEthernet0/0
ip address 200.200.200.2 255.255.255.0
!
interface FastEthernet0/1
ip address 100.100.100.1 255.255.255.0
!
interface FastEthernet1/0
ip address 192.168.12.2 255.255.255.0
!
router eigrp 20
network 100.0.0.0
network 192.168.12.0
network 200.200.200.0
no auto-summary


ASA1:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.16.3.1 255.255.255.0

router eigrp 20

network 172.16.3.0 255.255.255.0
network 200.200.200.0 255.255.255.0
no auto-summary

ASA2:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0

router eigrp 20
no auto-summary
network 10.10.10.0 255.255.255.0
network 100.100.100.0 255.255.255.0

We’ll need the Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services (it didn’t work on the x64 version of Server 2003). With this add-on our ASAs can obtain digital certificates from the CA.

Defining the trusted CA by creating a trustpoint:

ASA1(config)# crypto ca trustpoint ASDM_TrustPoint1
ASA1(config-ca-trustpoint)# no id-usage
ASA1(config-ca-trustpoint)# enrollment url http://192.168.12.10/certsrv/mscep/mscep.dll
ASA1(config-ca-trustpoint)# crypto ca authenticate ASDM_TrustPoint1
INFO: Certificate has the following attributes:
Fingerprint:     9d34cbe3 da0e8249 f238a777 83d410c1
Do you accept this certificate? [yes/no]: y

Trustpoint CA certificate accepted.

192.168.12.10 is my Windows Server 2003 Certification Authority; the trustpoint name is arbitrary.
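As an added example (not part of the original post), the check described in the introduction and the trustpoint authentication step above, modelled in Python: `issue_certificate` plays the CA, `verify_certificate` is what R2 (here ASA2) does with R1's certificate once its trustpoint holds the CA certificate, and `fingerprint` produces the same 4x8 hex layout the ASA printed before asking `Do you accept this certificate?`. The RSA here is textbook (no padding, a 512-bit toy modulus, SHA-256 instead of the post's SHA-1), and the certificate fields, dates and names are constructed stand-ins, so this illustrates the mechanism rather than the ASA's actual X.509 implementation.

```python
"""Toy model of the certificate check described in the post: the CA signs a hash of the
certificate body, and a peer that trusts that CA re-hashes the body and checks the
signature with the CA's public key. Textbook RSA without padding: educational only."""
import hashlib
import random

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (enough for a demo key pair)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Return ((e, n), (d, n)). A 512-bit toy modulus keeps the demo fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def encode_body(cert):
    """Canonical bytes of the signed fields (stand-in for the DER TBSCertificate)."""
    fields = ("subject", "issuer", "public_key", "not_before", "not_after")
    return "|".join(f"{k}={cert[k]}" for k in fields).encode()

def _digest(body):
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def issue_certificate(subject, subject_pub, ca_name, ca_priv, not_before, not_after):
    """CA side: build the body and attach sig = hash(body)^d mod n. Dates are YYYYMMDD ints."""
    cert = {"subject": subject, "issuer": ca_name, "public_key": subject_pub,
            "not_before": not_before, "not_after": not_after}
    d, n = ca_priv
    cert["ca_signature"] = pow(_digest(encode_body(cert)), d, n)
    return cert

def verify_certificate(cert, trusted_ca, today):
    """Peer side (R2): issuer must be the trustpoint's CA, sig^e mod n must equal our own
    hash of the body, and today must fall inside the validity window. Returns (ok, reason)."""
    ca_name, (e, n) = trusted_ca
    if cert["issuer"] != ca_name:
        return False, "issuer is not the trusted CA"
    if pow(cert["ca_signature"], e, n) != _digest(encode_body(cert)):
        return False, "CA signature does not match certificate contents"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return False, "certificate outside validity period"
    return True, "ok"

def fingerprint(ca_pub):
    """MD5 over the CA's encoded public key, in the 4x8 hex layout the ASA prints during
    'crypto ca authenticate'; compare it out of band with the CA before answering yes."""
    digest = hashlib.md5(f"{ca_pub[0]}:{ca_pub[1]}".encode()).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 32, 8))

if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()        # the Windows CA ("cn=asa" in the post)
    asa1_pub, _ = generate_keypair()            # ASA1's own key pair (ASA1-VPN)
    cert = issue_certificate("CN=ASA1,C=SR,L=Zemoon", asa1_pub, "cn=asa", ca_priv, 20150805, 20160805)
    trusted = ("cn=asa", ca_pub)                # what ASA2's trustpoint holds after authenticating the CA
    print("CA fingerprint:", fingerprint(ca_pub))
    print("genuine cert:", verify_certificate(cert, trusted, 20151001))
    print("tampered subject:", verify_certificate(dict(cert, subject="CN=ASA9"), trusted, 20151001))
    rogue_pub, rogue_priv = generate_keypair()  # impostor CA that merely reuses the name
    rogue = issue_certificate("CN=ASA1,C=SR,L=Zemoon", asa1_pub, "cn=asa", rogue_priv, 20150805, 20160805)
    print("rogue CA:", verify_certificate(rogue, trusted, 20151001))
```

The fingerprint is the one manual step in the whole enrollment: when the ASA first downloads the CA certificate it has no way of knowing that 192.168.12.10 really is the CA, so the fingerprint it displays should be compared with the one shown on the CA itself before the certificate is accepted. Everything that follows (issuing the ASA's certificate, authenticating the peer during IKE) rests on that one accepted public key.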

Generating the RSA key pair (this pair will be used with the IKE policies):

ASA1(config)# crypto key generate rsa label ASA1-VPN noconfirm
INFO: The name for the keys will be: ASA1-VPN
Keypair generation process begin. Please wait...

Requesting a digital certificate from the CA:

The challenge password value is obtained from the CA's SCEP enrollment page (http://192.168.12.10/certsrv/mscep/mscep.dll):

[Screenshot: SCEP enrollment page showing the challenge password]

ASA1(config)# crypto ca trustpoint ASDM_TrustPoint1
ASA1(config-ca-trustpoint)# keypair ASA1-VPN
ASA1(config-ca-trustpoint)# password 68D3E8145EE59ACB
ASA1(config-ca-trustpoint)# id-usage ssl-ipsec
ASA1(config-ca-trustpoint)# no fqdn
ASA1(config-ca-trustpoint)# subject-name CN=ASA1,C=SR,L=Zemoon
ASA1(config-ca-trustpoint)# enrollment url http://192.168.12.10/certsrv/mscep/mscep.dll
ASA1(config-ca-trustpoint)# crypto ca authenticate ASDM_TrustPoint1 nointeractive

INFO: Certificate has the following attributes:
Fingerprint:     9d34cbe3 da0e8249 f238a777 83d410c1

Trustpoint CA certificate accepted.

ASA1(config)# crypto ca enroll ASDM_TrustPoint1 noconfirm
%
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=asa,C=SR,L=Zemoon

% The fully-qualified domain name in the certificate will be: ASA1
% Certificate request sent to Certificate Authority

Now go to the CA, open the Certification Authority console and open the Pending Requests folder; you should see the certificate waiting for approval. Right-click it and choose All Tasks > Issue; after a few seconds the certificate will be issued to the ASA:

ASA1(config)# The certificate has been granted by CA!
ASA1# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 6130908e000000000004
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=asa
Subject Name:
cn=ASA1
l=Zemoon
c=SR
hostname=ciscoasa
CRL Distribution Points:
[1]  http://gordon-d25de5f2/CertEnroll/asa.crl
[2]  file://\\gordon-d25de5f2\CertEnroll\asa.crl
Validity Date:
start date: 09:06:15 UTC Aug 5 2015
end   date: 09:16:15 UTC Aug 5 2016
Associated Trustpoints:ASDM_TrustPoint1
CA Certificate
Status: Available
Certificate Serial Number: 0da01deacee2058a415221e9d755d19c
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=asa
Subject Name:
cn=asa
CRL Distribution Points:
[1]  http://gordon-d25de5f2/CertEnroll/asa.crl
[2]  file://\\gordon-d25de5f2\CertEnroll\asa.crl
Validity Date:
start date: 08:05:32 UTC Aug 5 2015
end   date: 08:14:42 UTC Aug 5 2020
Associated Trustpoints:ASDM_TrustPoint1


For ASA2's password, refresh http://192.168.12.10/certsrv/mscep/mscep.dll to get a new challenge password:


ASA2(config)# crypto ca trustpoint ASDM_TrustPoint1
ASA2(config-ca-trustpoint)# no id-usage
ASA2(config-ca-trustpoint)# enrollment url http://192.168.12.10/certsrv/mscep/mscep.dll
ASA2(config-ca-trustpoint)# crypto ca authenticate ASDM_TrustPoint1
ASA2(config)# crypto ca trustpoint ASDM_TrustPoint1
ASA2(config-ca-trustpoint)# keypair ASA2-VPN
ASA2(config-ca-trustpoint)# password 12C4E8145EE59DERF
ASA2(config-ca-trustpoint)# id-usage ssl-ipsec
ASA2(config-ca-trustpoint)# no fqdn
ASA2(config-ca-trustpoint)# subject-name CN=ASA2,C=SR,L=Zemoon
ASA2(config-ca-trustpoint)# enrollment url http://192.168.12.10/certsrv/mscep/mscep.dll
ASA2(config-ca-trustpoint)# crypto ca authenticate ASDM_TrustPoint1 nointeractive

Now we can create the ISAKMP policy, transform set, tunnel group and crypto map. I won't comment on these commands because I explained them in the previous post; the only difference is the authentication method: certificate (rsa-sig) instead of pre-shared key.

ASA1(config)# object network local_net
ASA1(config-network-object)# subnet 172.16.3.0 255.255.255.0
ASA1(config-network-object)# object network remote_net
ASA1(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config)# access-list 120 extended permit ip object local_net object remote_net
ASA1(config)#nat (inside,outside) source static local_net local_net destination static remote_net remote_net

ASA1(config)# isakmp policy 1
ASA1(config-ikev1-policy)# authentication rsa-sig
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 5
ASA1(config-ikev1-policy)# encryption 3des
ASA1(config-ikev1-policy)# lifetime 3600
ASA1(config-ikev1-policy)#exit
 
ASA1(config)#isakmp enable outside
ASA1(config)# tunnel-group 100.100.100.2 type ipsec-l2l  !ASA2's outside interface
ASA1(config)# tunnel-group 100.100.100.2  ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 trust-point ASDM_TrustPoint1 
ASA1(config-tunnel-ipsec)#exit 
ASA1(config)# crypto ipsec ikev1 transform-set mytransformset esp-des  esp-md5-hmac
ASA1(config)# crypto map mymap 10 match address 120
ASA1(config)# crypto map mymap 10 set peer 100.100.100.2 
ASA1(config)# crypto map mymap 10 set ikev1 transform-set mytransformset
ASA1(config)# crypto map mymap 10 set pfs
ASA1(config)# crypto map mymap 10 set trustpoint ASDM_TrustPoint1 chain
ASA1(config)# crypto map mymap 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map mymap interface outside !apply crypto-map to outside interface

ASA2:

ASA2(config)# object network local_net
ASA2(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA2(config-network-object)# object network remote_net
ASA2(config-network-object)# subnet 172.16.3.0 255.255.255.0
ASA2(config-network-object)# nat (inside,outside) dynamic interface
ASA2(config)# access-list 120 extended permit ip object local_net object remote_net
ASA2(config)#nat (inside,outside) source static local_net local_net destination static remote_net remote_net

ASA2(config)# isakmp policy 1
ASA2(config-ikev1-policy)# authentication rsa-sig
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 5
ASA2(config-ikev1-policy)# encryption 3des
ASA2(config-ikev1-policy)# lifetime 3600
ASA2(config-ikev1-policy)#exit
 
ASA2(config)#isakmp enable outside
ASA2(config)# tunnel-group 200.200.200.1 type ipsec-l2l  !ASA1's outside interface
ASA2(config)# tunnel-group 200.200.200.1  ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 trust-point ASDM_TrustPoint1 
ASA2(config-tunnel-ipsec)#exit 
ASA2(config)# crypto ipsec ikev1 transform-set mytransformset esp-des  esp-md5-hmac
ASA2(config)# crypto map mymap 10 match address 120
ASA2(config)# crypto map mymap 10 set peer 200.200.200.1 
ASA2(config)# crypto map mymap 10 set ikev1 transform-set mytransformset
ASA2(config)# crypto map mymap 10 set pfs
ASA2(config)# crypto map mymap 10 set trustpoint ASDM_TrustPoint1 chain
ASA2(config)# crypto map mymap 10 set security-association lifetime seconds 3600
ASA2(config)# crypto map mymap interface outside !apply crypto-map to outside interface
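Because the two sides have to mirror each other exactly, and a typo in any of these values only shows up as a failed Phase 1 or Phase 2 negotiation, here is an added example (my own, not the author's tooling) that parses the crypto-relevant lines from both ASAs and compares them. The sample configurations are constructed from the commands above with the same addresses and names; the parser strips `ASAx(config...)#` prompts so pasted transcripts work too. It also lists the DES/3DES/MD5 algorithms still in use: the transform set above (esp-des, esp-md5-hmac) and 3DES in the ISAKMP policy are deprecated and would be replaced with AES and SHA-2 in a production deployment.

```python
"""Mirror-check two ASA IKEv1 site-to-site configs. Constructed example patterned on the
post's commands: the values both peers must agree on are parsed out and compared."""
import re

def side_config(local, remote, peer, transform="esp-des esp-md5-hmac"):
    """Constructed sample: the crypto-relevant lines of one ASA, as in the post."""
    return f"""
object network local_net
 subnet {local}
object network remote_net
 subnet {remote}
access-list 120 extended permit ip object local_net object remote_net
isakmp policy 1
 authentication rsa-sig
 hash sha
 group 5
 encryption 3des
 lifetime 3600
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint1
crypto ipsec ikev1 transform-set mytransformset {transform}
crypto map mymap 10 match address 120
crypto map mymap 10 set peer {peer}
crypto map mymap 10 set ikev1 transform-set mytransformset
crypto map mymap 10 set trustpoint ASDM_TrustPoint1 chain
"""

ASA1_OUTSIDE, ASA2_OUTSIDE = "200.200.200.1", "100.100.100.2"
ASA1_CFG = side_config("172.16.3.0 255.255.255.0", "10.10.10.0 255.255.255.0", ASA2_OUTSIDE)
ASA2_CFG = side_config("10.10.10.0 255.255.255.0", "172.16.3.0 255.255.255.0", ASA1_OUTSIDE)

PROMPT = re.compile(r"^[\w-]+\([\w-]*\)#\s*")  # lets pasted "ASA1(config)# ..." transcripts parse too
POLICY_KEYS = {"authentication", "hash", "group", "encryption", "lifetime"}
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

def parse_asa(cfg):
    """Extract the pieces of an IKEv1 L2L config that must agree with the peer."""
    d = dict(objects={}, policy={}, tunnel_groups=set(), trustpoints=set(), transform_sets={},
             acl=(), peer=None, ts_name=None)
    cur_obj = None
    for raw in cfg.splitlines():
        w = PROMPT.sub("", raw).split("!")[0].split()   # drop prompt and trailing "!" comment
        if not w:
            continue
        if w[:2] == ["object", "network"]:
            cur_obj = w[2]
        elif w[0] == "subnet" and cur_obj:
            d["objects"][cur_obj] = (w[1], w[2])
        elif w[0] == "access-list" and w[5:6] == ["object"]:
            d["acl"] = (w[6], w[8])                       # (source object, destination object)
        elif w[0] in POLICY_KEYS:
            d["policy"][w[0]] = w[1]
        elif w[0] == "tunnel-group":
            d["tunnel_groups"].add(w[1])
        elif w[:2] == ["ikev1", "trust-point"]:
            d["trustpoints"].add(w[2])
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            d["transform_sets"][w[4]] = tuple(w[5:])
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            d["peer"] = w[6]
        elif w[:2] == ["crypto", "map"] and w[4:7] == ["set", "ikev1", "transform-set"]:
            d["ts_name"] = w[7]
    return d

def compare_peers(a, b, a_outside, b_outside):
    """Return mirror mismatches between two parsed sides; an empty list means consistent."""
    issues = []
    for name, d, far in (("A", a, b_outside), ("B", b, a_outside)):
        if d["peer"] != far:
            issues.append(f"{name}: set peer {d['peer']} is not the far side's outside address {far}")
        if d["peer"] not in d["tunnel_groups"]:
            issues.append(f"{name}: no tunnel-group named after peer {d['peer']}")
        if d["policy"].get("authentication") == "rsa-sig" and not d["trustpoints"]:
            issues.append(f"{name}: rsa-sig authentication but no ikev1 trust-point on the tunnel-group")
    # Protected subnets must be mirror images: A's source is B's destination and vice versa.
    a_nets = [a["objects"].get(n) for n in a["acl"]]
    b_nets = [b["objects"].get(n) for n in b["acl"]]
    if a_nets != b_nets[::-1]:
        issues.append("crypto ACL subnets are not mirror images of each other")
    if a["policy"] != b["policy"]:
        issues.append(f"isakmp policy differs: {a['policy']} vs {b['policy']}")
    if a["transform_sets"].get(a["ts_name"]) != b["transform_sets"].get(b["ts_name"]):
        issues.append("transform sets differ between the two sides")
    return issues

def legacy_algorithms(d):
    """Deprecated DES/3DES/MD5 algorithms a side still relies on (worth replacing)."""
    used = {d["policy"].get("encryption"), d["policy"].get("hash")}
    used |= set(d["transform_sets"].get(d["ts_name"], ()))
    return sorted(used & LEGACY)

if __name__ == "__main__":
    asa1, asa2 = parse_asa(ASA1_CFG), parse_asa(ASA2_CFG)
    print("mismatches:", compare_peers(asa1, asa2, ASA1_OUTSIDE, ASA2_OUTSIDE) or "none")
    print("legacy algorithms on ASA1:", legacy_algorithms(asa1))
```

Run against the two configurations above it reports no mismatches and flags 3des, esp-des and esp-md5-hmac. Changing the transform set on one side only, or pointing `set peer` at the wrong address, produces a finding naming the side and the value, which is far quicker to act on than reading `debug crypto isakmp` output after the tunnel fails.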

Testing

Ping XP client 2 from the XP client:

[Screenshot: ping output]

Traffic between ASA1 and ASA2:

[Screenshot: packet capture between ASA1 and ASA2]

and between inside interface of ASA2 and XP client 2:

[Screenshot: packet capture between the inside interface of ASA2 and XP client 2]
