Archive for August, 2015

In my previous blog post I shared my experience configuring a site-to-site VPN using pre-shared keys.

When we have to create VPNs between multiple routers (R1 to R2 and R2 to R3, for example), we can use the same pre-shared key for all connections, but that is bad security practice. If we set a different pre-shared key for every connection, we need to keep track of all of those keys, which is an additional burden.

The solution is to use digital certificates. Each certificate is digitally signed by a Certification Authority (CA), a server that issues certificates and is trusted by all participants in the communication. Each certificate contains a public key, the CA's digital signature (an encrypted hash of the certificate content, signed by the CA) and a device signature (which identifies the device). When R1 wants to communicate with R2, it presents its certificate to R2. R2 decrypts the signature using the CA's public key, computes its own hash of the certificate content, stores it in memory and compares it with the decrypted signature (which is, again, a hash of the certificate contents). If the hash and the CA signature match, R2 will communicate with R1.

[Topology diagram]

A Windows server will act as the CA. The topology is the same as in the pre-shared-key post, as is the configuration (I removed R2 and put a Windows XP VM in its place).

R3 configuration:

interface FastEthernet0/0
ip address 200.200.200.2 255.255.255.0
!
interface FastEthernet0/1
ip address 100.100.100.1 255.255.255.0
!
interface FastEthernet1/0
ip address 192.168.12.2 255.255.255.0

router eigrp 20
network 100.0.0.0
network 192.168.12.0
network 200.200.200.0
no auto-summary


ASA1:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.16.3.1 255.255.255.0
router eigrp 20

network 172.16.3.0 255.255.255.0
network 200.200.200.0 255.255.255.0
no auto-summary

 ASA2:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0

router eigrp 20
no auto-summary
network 10.10.10.0 255.255.255.0
network 100.100.100.0 255.255.255.0

We'll need the Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services (it didn't work on the x64 version of Server 2003). With this add-on, our ASAs can obtain digital certificates from the CA.

Defining the trusted CA by creating a trustpoint:

ASA1(config)# crypto ca trustpoint ASDM_TrustPoint1
ASA1(config-ca-trustpoint)# no id-usage
ASA1(config-ca-trustpoint)# enrollment url http://192.168.12.10/certsrv/mscep/mscep.dll
ASA1(config-ca-trustpoint)# crypto ca authenticate ASDM_TrustPoint1
INFO: Certificate has the following attributes:
Fingerprint:     9d34cbe3 da0e8249 f238a777 83d410c1
Do you accept this certificate? [yes/no]: y

Trustpoint CA certificate accepted.

192.168.12.10 is my Server 2003 Certification Authority; the trustpoint name is arbitrary.

Generating the public and private keys (this pair will be used with the IKE policies):

ASA1(config)# crypto key generate rsa label ASA1-VPN noconfirm
INFO: The name for the keys will be: ASA1-VPN
Keypair generation process begin. Please wait...

Request a digital certificate from the CA:

The challenge password is obtained from the CA's SCEP enrollment page:

[Screenshot: SCEP challenge password]

ASA1(config)# crypto ca trustpoint ASDM_TrustPoint1
ASA1(config-ca-trustpoint)# keypair ASA1-VPN
ASA1(config-ca-trustpoint)# password 68D3E8145EE59ACB
ASA1(config-ca-trustpoint)# id-usage ssl-ipsec
ASA1(config-ca-trustpoint)# no fqdn
ASA1(config-ca-trustpoint)# subject-name CN=ASA1,C=SR,L=Zemoon
ASA1(config-ca-trustpoint)# enrollment url http://192.168.12.10/certsrv/mscep/mscep.dll
ASA1(config-ca-trustpoint)# crypto ca authenticate ASDM_TrustPoint1 nointeractive

INFO: Certificate has the following attributes:
Fingerprint:     9d34cbe3 da0e8249 f238a777 83d410c1

Trustpoint CA certificate accepted.

ASA1(config)# crypto ca enroll ASDM_TrustPoint1 noconfirm
%
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=asa,C=SR,L=Zemoon

% The fully-qualified domain name in the certificate will be: ASA1
% Certificate request sent to Certificate Authority

Now go to the CA, open the CA console and open the Pending Requests folder; you should see the certificate waiting for approval. Right-click it, choose All Tasks, then Issue. After a few seconds the certificate is issued to the ASA:

ASA1(config)# The certificate has been granted by CA!
ASA1# sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 6130908e000000000004
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=asa
Subject Name:
cn=ASA1
l=Zemoon
c=SR
hostname=ciscoasa
CRL Distribution Points:
[1]  http://gordon-d25de5f2/CertEnroll/asa.crl
[2]  file://\\gordon-d25de5f2\CertEnroll\asa.crl
Validity Date:
start date: 09:06:15 UTC Aug 5 2015
end   date: 09:16:15 UTC Aug 5 2016
Associated Trustpoints:ASDM_TrustPoint1
CA Certificate
Status: Available
Certificate Serial Number: 0da01deacee2058a415221e9d755d19c
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=asa
Subject Name:
cn=asa
CRL Distribution Points:
[1]  http://gordon-d25de5f2/CertEnroll/asa.crl
[2]  file://\\gordon-d25de5f2\CertEnroll\asa.crl
Validity Date:
start date: 08:05:32 UTC Aug 5 2015
end   date: 08:14:42 UTC Aug 5 2020
Associated Trustpoints:ASDM_TrustPoint1
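As an added operational check (not part of the original post), the following Python script parses output in the format of show crypto ca certificates above and reports what a reviewer would look at: RSA keys shorter than 2048 bits, SHA-1 signatures, and certificates that are expired or close to expiry. The sample is a trimmed, constructed copy of the output shown above.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the "show crypto ca certificates" output
# above (device certificate first, then the CA certificate).
SAMPLE_OUTPUT = """\
Certificate
Certificate Serial Number: 6130908e000000000004
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
end   date: 09:16:15 UTC Aug 5 2016
CA Certificate
Certificate Serial Number: 0da01deacee2058a415221e9d755d19c
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
end   date: 08:14:42 UTC Aug 5 2020
"""

def parse_certificates(text):
    """One dict per certificate block, keyed by the ASA field names."""
    certs = []
    for line in text.splitlines():
        line = line.strip()
        if line in ("Certificate", "CA Certificate"):
            certs.append({"kind": line})
        elif ":" in line and certs:
            key, value = line.split(":", 1)
            certs[-1][re.sub(r"\s+", " ", key.strip())] = value.strip()
    for c in certs:
        c["key_bits"] = int(re.search(r"\((\d+) bits\)", c["Public Key Type"]).group(1))
        c["not_after"] = datetime.strptime(c["end date"], "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc)
    return certs

def audit(text, now_iso, warn_days=30):
    """Return (kind, serial, finding) tuples; now_iso is the check time, e.g. "2016-07-20T00:00:00"."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    findings = []
    for c in parse_certificates(text):
        kind, serial = c["kind"], c["Certificate Serial Number"]
        if c["key_bits"] < 2048:
            findings.append((kind, serial, f"RSA key is only {c['key_bits']} bits"))
        if "SHA1" in c["Signature Algorithm"].upper():
            findings.append((kind, serial, "signed with SHA-1"))
        days = (c["not_after"] - now).days
        if days < 0:
            findings.append((kind, serial, "expired"))
        elif days < warn_days:
            findings.append((kind, serial, f"expires in {days} days"))
    return findings
```

Run against the output above it flags the 1024-bit device key and the SHA-1 signatures immediately, and the one-year device certificate a month before it lapses and the tunnel stops coming up.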


For the ASA2 password, refresh http://192.168.12.10/certsrv/mscep/mscep.dll to get a new challenge password.


ASA2(config)# crypto ca trustpoint ASDM_TrustPoint1
ASA2(config-ca-trustpoint)# no id-usage
ASA2(config-ca-trustpoint)# enrollment url http://192.168.12.10/certsrv/mscep/mscep.dll
ASA2(config-ca-trustpoint)# crypto ca authenticate ASDM_TrustPoint1
ASA2(config)# crypto ca trustpoint ASDM_TrustPoint1
ASA2(config-ca-trustpoint)# keypair ASA2-VPN
ASA2(config-ca-trustpoint)# password 12C4E8145EE59DERF
ASA2(config-ca-trustpoint)# id-usage ssl-ipsec
ASA2(config-ca-trustpoint)# no fqdn
ASA2(config-ca-trustpoint)# subject-name CN=ASA2,C=SR,L=Zemoon
ASA2(config-ca-trustpoint)# enrollment url http://192.168.12.10/certsrv/mscep/mscep.dll
ASA2(config-ca-trustpoint)# crypto ca authenticate ASDM_TrustPoint1 nointeractive

Now we can create the ISAKMP policy, transform set, tunnel group and crypto map. I won't comment on these commands because I covered them in the previous post; the only difference is the authentication method: certificate instead of pre-shared key.

ASA1(config)# object network local_net
ASA1(config-network-object)# subnet 172.16.3.0 255.255.255.0
ASA1(config-network-object)# object network remote_net
ASA1(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config)# access-list 120 extended permit ip object local_net object remote_net
ASA1(config)#nat (inside,outside) source static local_net local_net destination static remote_net remote_net

ASA1(config)# isakmp policy 1
ASA1(config-ikev1-policy)# authentication rsa-sig
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 5
ASA1(config-ikev1-policy)# encryption 3des
ASA1(config-ikev1-policy)# lifetime 3600
ASA1(config-ikev1-policy)#exit
 
ASA1(config)#isakmp enable outside
ASA1(config)# tunnel-group 100.100.100.2 type ipsec-l2l  !ASA2's outside interface
ASA1(config)# tunnel-group 100.100.100.2  ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 trust-point ASDM_TrustPoint1 
ASA1(config-tunnel-ipsec)#exit 
ASA1(config)# crypto ipsec ikev1 transform-set mytransformset esp-des  esp-md5-hmac
ASA1(config)# crypto map mymap 10 match address 120
ASA1(config)# crypto map mymap 10 set peer 100.100.100.2 
ASA1(config)# crypto map mymap 10 set ikev1 transform-set mytransformset
ASA1(config)# crypto map mymap 10 set pfs
ASA1(config)# crypto map mymap 10 set trustpoint ASDM_TrustPoint1 chain
ASA1(config)# crypto map mymap 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map mymap interface outside !apply crypto-map to outside interface

ASA2:

ASA2(config)# object network local_net
ASA2(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA2(config-network-object)# object network remote_net
ASA2(config-network-object)# subnet 172.16.3.0 255.255.255.0
ASA2(config-network-object)# nat (inside,outside) dynamic interface
ASA2(config)# access-list 120 extended permit ip object local_net object remote_net
ASA2(config)#nat (inside,outside) source static local_net local_net destination static remote_net remote_net

ASA2(config)# isakmp policy 1
ASA2(config-ikev1-policy)# authentication rsa-sig
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 5
ASA2(config-ikev1-policy)# encryption 3des
ASA2(config-ikev1-policy)# lifetime 3600
ASA2(config-ikev1-policy)#exit
 
ASA2(config)#isakmp enable outside
ASA2(config)# tunnel-group 200.200.200.1 type ipsec-l2l  !ASA1's outside interface
ASA2(config)# tunnel-group 200.200.200.1  ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 trust-point ASDM_TrustPoint1 
ASA2(config-tunnel-ipsec)#exit 
ASA2(config)# crypto ipsec ikev1 transform-set mytransformset esp-des  esp-md5-hmac
ASA2(config)# crypto map mymap 10 match address 120
ASA2(config)# crypto map mymap 10 set peer 200.200.200.1 
ASA2(config)# crypto map mymap 10 set ikev1 transform-set mytransformset
ASA2(config)# crypto map mymap 10 set pfs
ASA2(config)# crypto map mymap 10 set trustpoint ASDM_TrustPoint1 chain
ASA2(config)# crypto map mymap 10 set security-association lifetime seconds 3600
ASA2(config)# crypto map mymap interface outside !apply crypto-map to outside interface

Testing

Ping XP client 2 from the XP client:

[Screenshot: ping output]

Traffic between ASA1 and ASA2:

[Screenshot: capture between ASA1 and ASA2]

and between the inside interface of ASA2 and XP client 2:

[Screenshot: capture between ASA2 inside and XP client 2]


We already configured a site-to-site VPN between Cisco routers (https://geekdudes.wordpress.com/2015/07/29/configuring-a-site-to-site-vpn-on-cisco-router/). The concept is the same: we also need to configure an IKEv1 policy (authentication, encryption, hash algorithm, lifetime, DH group), a transform set, an ACL to define which traffic will be encrypted, and a crypto map.

[Topology diagram]

To avoid issues when running two ASAs at the same time (one ASA "freezes"), assign a different CPU core to each qemu process:

[Screenshot: qemu CPU affinity]

R3 configuration:

interface FastEthernet0/0
ip address 200.200.200.2 255.255.255.0
!
interface FastEthernet0/1
ip address 100.100.100.1 255.255.255.0
!
interface FastEthernet1/0
ip address 192.168.12.2 255.255.255.0

router eigrp 20
network 100.0.0.0
network 192.168.12.0
network 200.200.200.0
no auto-summary

R2 (simulates a client):

interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
!
router eigrp 20
network 10.10.10.0 0.0.0.255
no auto-summary

ASA1:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.16.3.1 255.255.255.0
router eigrp 20

network 172.16.3.0 255.255.255.0
network 200.200.200.0 255.255.255.0
no auto-summary

 ASA2:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0

router eigrp 20
no auto-summary
network 10.10.10.0 255.255.255.0
network 100.100.100.0 255.255.255.0

Configuring ASA1

Create an access list to allow internal users to access network 192.168.12.0:

ASA1(config)# access-list 110 extended permit ip any 172.16.3.0 255.255.255.0
ASA1(config)#access-group 110 in interface outside

Create the ACL that defines which traffic will be encrypted, and a NAT rule (translate the IP addresses of internal hosts so that their traffic appears to originate from ASA1's outside interface):

ASA1(config)# object network local_net
ASA1(config-network-object)# subnet 172.16.3.0 255.255.255.0
ASA1(config-network-object)# object network remote_net
ASA1(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
ASA1(config)# access-list 120 extended permit ip object local_net object remote_net

For IPsec to encrypt traffic between the peers (ASA1 and ASA2), we must exempt the "interesting" traffic (defined by ACL 120) from that NAT rule:

ASA1(config)#nat (inside,outside) source static local_net local_net destination static remote_net remote_net

Create the tunnel (establish a secure communication channel for data transmission between ASA1 and ASA2). The VPN peers (ASA1 and ASA2) exchange shared secret keys and security policies:

ASA1(config)# isakmp policy 10
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 5
ASA1(config-ikev1-policy)# encryption 3des
ASA1(config-ikev1-policy)# lifetime 3600
ASA1(config-ikev1-policy)#exit

Activate the ISAKMP policy we've just created on ASA1's outside interface and set the ISAKMP identity to the IP address:

ASA1(config)#isakmp enable outside
ASA1(config)#isakmp identity address

Create a secure tunnel for data transfer between the two networks (172.16.3.0 and 10.10.10.0). The name of the tunnel group will be the IP address of the VPN peer (ASA2's outside interface, 100.100.100.2):

ASA1(config)# tunnel-group 100.100.100.2 type ipsec-l2l 
ASA1(config)# tunnel-group 100.100.100.2  ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key cisco !pre shared key as attribute
ASA1(config-tunnel-ipsec)#exit

Now, after we have created the tunnel, we must protect it (encrypt the data packets and negotiate the IPsec security parameters). We will use a transform set to encrypt the data and to authenticate it:

ASA1(config)# crypto ipsec ikev1 transform-set mytransformset esp-3des  esp-md5-hmac

We can now put together the previously created IPsec security associations (an SA is the set of security parameters that IPsec peers negotiate when establishing a VPN tunnel). Here we create a crypto map named mymap with sequence number 10; this crypto map matches ACL 120 (created at the beginning), sets the peer (ASA2) and uses the transform set we just created.

Perfect forward secrecy (PFS) ensures the same key will not be generated again (it forces a new Diffie-Hellman key exchange). If a private key has been compromised, future data will not be associated with that key (a new one will be generated).

The security association lifetime is the lifetime of the keys that the tunnel uses to encrypt data. When these timers run out, the tunnel negotiates a new key:

ASA1(config)# crypto map mymap 10 match address 120
ASA1(config)# crypto map mymap 10 set peer 100.100.100.2
ASA1(config)# crypto map mymap 10 set ikev1 transform-set mytransformset
ASA1(config)# crypto map mymap 10 set pfs
ASA1(config)# crypto map mymap 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map mymap interface outside !apply crypto-map to outside interface
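As an added check (not from the original post), the following Python script parses the IKEv1 policy, transform set and crypto map lines shown above and flags the settings a current hardening review would question: DES/3DES, MD5, DH groups below 14, missing PFS and pre-shared-key authentication. The sample is a constructed copy of the ASA1 lines with the prompts removed; the script also handles the crypto ikev1 policy form of the command and the esp-des transform set used in the certificate post above.

```python
# Constructed sample: the IKEv1 policy, transform set and crypto map lines from
# the ASA1 configuration above, with the "ASA1(config)#" prompts removed.
SAMPLE_CONFIG = """\
isakmp policy 10
 authentication pre-share
 hash sha
 group 5
 encryption 3des
 lifetime 3600
crypto ipsec ikev1 transform-set mytransformset esp-3des esp-md5-hmac
crypto map mymap 10 match address 120
crypto map mymap 10 set peer 100.100.100.2
crypto map mymap 10 set ikev1 transform-set mytransformset
crypto map mymap 10 set pfs
"""

WEAK_ENC = {"des", "3des"}   # DES is broken; 3DES has 64-bit blocks (Sweet32)
WEAK_HASH = {"md5"}          # MD5-based integrity is deprecated
MIN_DH_GROUP = 14            # 2048-bit MODP; groups 1, 2 and 5 are weaker

def audit_config(text):
    """Return human-readable findings for the IKEv1/IPsec lines of an ASA config."""
    findings, policy, maps = [], None, {}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["isakmp", "policy"] or w[:3] == ["crypto", "ikev1", "policy"]:
            policy = w[-1]          # following indented lines belong to this policy
        elif policy and w[0] in ("encryption", "hash") and w[1] in WEAK_ENC | WEAK_HASH:
            findings.append(f"isakmp policy {policy}: weak {w[0]} {w[1]}")
        elif policy and w[0] == "group" and int(w[1]) < MIN_DH_GROUP:
            findings.append(f"isakmp policy {policy}: DH group {w[1]} below group {MIN_DH_GROUP}")
        elif policy and w[0] == "authentication" and w[1] == "pre-share":
            findings.append(f"isakmp policy {policy}: pre-shared-key authentication (certificates preferred)")
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            # "esp-3des esp-md5-hmac" -> "3des", "md5"
            for alg in (p.replace("esp-", "").replace("-hmac", "") for p in w[5:]):
                if alg in WEAK_ENC | WEAK_HASH:
                    findings.append(f"transform-set {w[4]}: weak algorithm {alg}")
        elif w[:2] == ["crypto", "map"] and len(w) > 3 and w[3].isdigit():
            maps.setdefault((w[2], w[3]), set()).add(" ".join(w[4:]))
    for (name, seq), stmts in maps.items():
        if not any(s.startswith("set pfs") for s in stmts):
            findings.append(f"crypto map {name} {seq}: PFS not enabled")
    return findings
```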

Mirror the same settings on ASA2:

!Object groups,NAT rule,and NAT exemption
ASA2(config)# object network local_net
ASA2(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA2(config-network-object)# object network remote_net
ASA2(config-network-object)# subnet 172.16.3.0 255.255.255.0
ASA2(config-network-object)# nat (inside,outside) dynamic interface
ASA2(config)# access-list 120 extended permit ip object local_net object remote_net
ASA2(config)#nat (inside,outside) source static local_net local_net destination static remote_net remote_net
!IPSEC policy
ASA2(config)# isakmp policy 10
ASA2(config-ikev1-policy)# authentication pre-share
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 5
ASA2(config-ikev1-policy)# encryption 3des
ASA2(config-ikev1-policy)# lifetime 3600
ASA2(config-ikev1-policy)#exit
!enable policy on outside interface
ASA2(config)#isakmp enable outside
ASA2(config)#isakmp identity address
!Define tunnel group
ASA2(config)# tunnel-group 200.200.200.1 type ipsec-l2l  !ASA1's outside interface
ASA2(config)# tunnel-group 200.200.200.1  ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key cisco !pre shared key as attribute
ASA2(config-tunnel-ipsec)#exit
!Create transform set
ASA2(config)# crypto ipsec ikev1 transform-set mytransformset esp-3des  esp-md5-hmac
!Create crypto map
ASA2(config)# crypto map mymap 10 match address 120
ASA2(config)# crypto map mymap 10 set peer 200.200.200.1
ASA2(config)# crypto map mymap 10 set ikev1 transform-set mytransformset
ASA2(config)# crypto map mymap 10 set pfs
ASA2(config)# crypto map mymap 10 set security-association lifetime seconds 3600
ASA2(config)# crypto map mymap interface outside !apply crypto-map to outside interface

Test the VPN by pinging from the Windows XP client (172.16.3.10) to R2 (10.10.10.3) and inspect the traffic between ASA1 and ASA2:

[Screenshot: capture between ASA1 and ASA2]