Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 5 City College.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 5 City College."— Presentation transcript:

1 1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 5 City College of San Francisco Spring 2007

2 2 © 2005 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates

3 3 © 2005 Cisco Systems, Inc. All rights reserved. Learning Objectives 5.1 Configure CA Support on a Cisco Router 5.2 Configure an IOS Router Site-to-Site VPN Using Digital Certificates 5.3 Configure a PIX Security Appliance Site-to-Site VPN Using Digital Certificates

4 4 © 2005 Cisco Systems, Inc. All rights reserved. Module 5 – Configure Site-to-Site VPNs Using Digital Certificates 5.1 Configure CA Support on a Cisco Router

5 5 © 2005 Cisco Systems, Inc. All rights reserved. Cisco IOS Software CA Configuration Procedure Step 1 – (Optional) Manage the NVRAM memory usage. Step 2 – Set the router time and date. clock timezone clock set Step 3 – Configure the router hostname and domain name. hostname name ip domain-name name Step 4 – Generate an RSA key pair. crypto key generate rsa usage keys Step 5: Declare a CA. crypto pki trustpoint name

6 6 © 2005 Cisco Systems, Inc. All rights reserved. Cisco IOS Software CA Configuration Procedure (Continued) Step 6 – Authenticate the CA crypto pki authenticate name Step 7 – Request a certificate for the router crypto pki enroll name Step 8 – Save the configuration copy running-config startup-config Step 9 – (Optional) Monitor and maintain CA interoperability crypto pki trustpoint name Step 10 – Verify the CA support configuration show crypto pki certificates show crypto key mypubkey | pubkey-chain

7 7 © 2005 Cisco Systems, Inc. All rights reserved. Step 1 – (Optional) Manage NVRAM Memory Usage Types of certificates stored on a router: The identity certificate of the router The root certificate of the CA Root certificates obtained from CA servers Two RA certificates, these are CA vendor-specific The number of CRLs stored on a router: One, if the CA does not support an RA Multiple, if the CA supports an RA

8 8 © 2005 Cisco Systems, Inc. All rights reserved. Step 2 – Set the Router Time and Date router(config)# clock set hh:mm:ss day month year clock set hh:mm:ss month day year Sets the router time and date clock timezone zone hours [minutes] Sets the router time zone and offset from UTC RouterA(config)# clock timezone cst -6 RouterA# clock set 23:59:59 17 February 2005 router#

9 9 © 2005 Cisco Systems, Inc. All rights reserved. Step 3 – Add a CA Server Entry to the Router Host Table router(config)# ip domain-name name Specifies a unique domain name for the router hostname name Specifies a unique name for the router router(config)# hostname RouterA RouterA(config)# ip domain-name xyz.com router(config)# 172.30.1.2 Site 1 Site 2 172.30.2.2 A B 10.0.1.0 10.0.2.0 RouterARouterB CA 172.30.1.51 Internet

10 10 © 2005 Cisco Systems, Inc. All rights reserved. Static Name-to-Address Mapping Defines a static hostname-to-address mapping for the CA server Step necessary if the domain name is not resolvable router(config)# ip host name address1 [address2...addressN] RouterA(config)# ip host vpnca 172.30.1.51 172.30.1.2 Site 1 Site 2 172.30.2.2 10.0.1.0 10.0.2.0 RouterARouterB CA 172.30.1.51 vpnca Internet A B

11 11 © 2005 Cisco Systems, Inc. All rights reserved. router(config)# crypto key generate rsa [general-keys | usage-keys] Using the keyword usage-keys generates two sets of RSA keys: –Use one key set for RSA signatures. –Use one key set for RSA encrypted nonces. RouterA(config)# crypto key generate rsa Step 4 – Generate an RSA Key Pair Site 1 Site 2 10.0.1.0 10.0.2.0 RouterARouterB CA Internet A B

12 12 © 2005 Cisco Systems, Inc. All rights reserved. Step 4 – Generate RSA Keys – Example Output RouterA(config)# crypto key generate rsa The name for the keys will be: router.cisco.com Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 512 Generating RSA keys... [OK] RouterA# show crypto key mypubkey rsa % Key pair was generated at: 23:58:59 UTC Dec 31 2000 Key name: RouterA.cisco.com Usage: General Purpose Key Key Data: 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A9443B 62FDACFB CCDB8784 19AE1CD8 95B30953 1EDD30D1 380219D6 4636E015 4D7C6F33 4DC1F6E0 C929A25E 521688A1 295907F4 E98BF920 6A81CE57 28A21116 E3020301 0001

13 13 © 2005 Cisco Systems, Inc. All rights reserved. router(config)# crypto pki trustpoint name Specifies the desired CA server name Puts the administrator in the ca-trustpoint configuration mode RouterA(config)# crypto pki trustpoint vpnca RouterA(ca-trustpoint)# Step 5 – Declare a CA 172.30.1.2 Site 1 Site 2 172.30.2.2 10.0.1.0 10.0.2.0 RouterARouterB CA 172.30.1.51 VPNCA Internet A B

14 14 © 2005 Cisco Systems, Inc. All rights reserved. Step 5 – Commands Used to Declare a CA RouterA(config)# crypto pki trustpoint vpnca RouterA(ca-trustpoint)# ? ca trustpoint configuration commands: crl CRL option default Set a command to its defaults enrollment Enrollment parameters exit Exit from certificate authority identity entry mode no Negate a command or set its defaults query Query parameters RouterA(ca-trustpoint)# enrollment ? http-proxy HTTP proxy server for enrollment mode Mode supported by the Certicicate Authority retry Polling parameters url CA server enrollment URL

15 15 © 2005 Cisco Systems, Inc. All rights reserved. Step 5 – Declare a CA RouterA(config)# crypto pki trustpoint VPNCA RouterA(ca-trustpoint)# enrollment url http://vpnca/certsrv/mscep/mscep.dll RouterA(ca-trustpoint)# enrollment mode ra RouterA(ca-trustpoint)# crl optional Specifies the URL for the CA server Minimum configuration to declare a CA 172.30.1.2 Site 1 Site 2 172.30.2.2 10.0.1.0 10.0.2.0 RouterARouterB CA 172.30.1.51 VPNCA Internet A B

16 16 © 2005 Cisco Systems, Inc. All rights reserved. Step 6 – Authenticate the CA router(config)# crypto pki authenticate name RouterA(config)# crypto pki authenticate VPNCA Manually authenticates the public key of the CA by contacting the CA administrator to compare the fingerprint of the CA certificate Site 1 Site 2 10.0.1.0 10.0.2.0 RouterARouterB CA 172.30.1.51 VPNCA Get CA/RA Cert CA/RA Dnld CA/RA Fingerprint xxxx aaaa zzzz bbbb CA/RA Fingerprint xxxx aaaa zzzz bbbb Compare Internet A B

17 17 © 2005 Cisco Systems, Inc. All rights reserved. Step 7 – Request a Certificate for the Router RouterA(config)# crypto pki enroll VPNCA Requests a signed identity certificate from the CA/RA router(config)# crypto pki enroll name CA 172.30.1.51 VPNCA Enroll request and password Identity certificate download Site 1 RouterA 10.0.1.0 Site 2 10.0.2.0 RouterB Internet A B

18 18 © 2005 Cisco Systems, Inc. All rights reserved. Step 8 – Save the Configuration RouterA# copy running-config startup-config Saves the running configuration of the router to NVRAM 172.30.1.2 Site 1 Site 2 172.30.2.2 10.0.1.0 10.0.2.0 RouterARouterB CA 172.30.1.51 VPNCA Internet A B

19 19 © 2005 Cisco Systems, Inc. All rights reserved. Step 9 – Monitor and Maintain CA Interoperability The following steps are optional, depending on the particular requirements: Request a CRL Query a CRL Delete RSA Keys from the router Delete peer public keys Delete certificates from the configuration View keys and certificates

20 20 © 2005 Cisco Systems, Inc. All rights reserved. Step 10 Verify the CA Support Configuration show crypto pki certificates View any configured CA or RA certificates show crypto key {mypubkey | pubkey-chain} rsa View RSA keys for the router and other IPSec peers enrolled with a CA router# 172.30.1.2 Site 1 Site 2 172.30.2.2 10.0.1.0 10.0.2.0 RouterARouterB CA 172.30.1.51 VPNCA Internet A B

21 21 © 2005 Cisco Systems, Inc. All rights reserved. CA Support Configuration Example RouterA# show running-config ! hostname RouterA ! ip domain-name cisco.com ! crypto pki trustpoint VPNCA enrollment mode ra enrollment url http://vpnca:80 query url ldap://vpnca crl optional crypto pki certificate chain entrust certificate 37C6EAD6 30820299 30820202 A0030201 02020437 C6EAD630 0D06092A 864886F7 0D010105 (certificates concatenated)

22 22 © 2005 Cisco Systems, Inc. All rights reserved. Module 5 – Configure Site-to-Site VPNs Using Digital Certificates 5.2 Configure an IOS Router Site-to-Site VPN Using Digital Certificates

23 23 © 2005 Cisco Systems, Inc. All rights reserved. Configuration Tasks Prepare for ISAKMP and IPSec. Configure CA support. Configure ISAKMP. Configure IPSec. Test and verify IPSec.

24 24 © 2005 Cisco Systems, Inc. All rights reserved. Prepare for IPSec Step 1 Plan for CA support Step 2 Determine the ISAKMP (IKE phase one) policy Step 3 Determine the IPSec (IKE phase two) policy Step 4 Check the current configuration Step 5 Ensure the network works without encryption Step 6 Ensure that access lists are compatible with IPSec

25 25 © 2005 Cisco Systems, Inc. All rights reserved. Configure the Router for CA Support Step 1 Manage the non-volatile RAM (NVRAM) memory usage. Step 2 Set the router time and date. Step 3 Configure the router hostname and domain name. Step 4 Generate an RSA key pair Step 5 Declare a CA. Step 6 Authenticate the CA. Step 7 Request a certificate. Step 8 Save the configuration. Step 9 Monitor and maintain CA interoperability (Optional). Step 10 Verify the CA support configuration.

26 26 © 2005 Cisco Systems, Inc. All rights reserved. Create IKE Policies

27 27 © 2005 Cisco Systems, Inc. All rights reserved. Configure IPSec Encryption Configure transform set suites with the crypto ipsec transform-set command. Configure global IPSec security association lifetimes with the crypto ipsec security- association lifetime command. Configure crypto access lists with the access- list command.

28 28 © 2005 Cisco Systems, Inc. All rights reserved. Test and Verify IPSec Display the configured transform sets using the show crypto ipsec transform set command. Display the current state of the IPSec SAs with the show crypto ipsec sa command. View the configured crypto maps with the show crypto map command. Debug IKE and IPSec traffic through the Cisco IOS with the debug crypto ipseec and debug crypto isakmp commands. Debug CA events through the Cisco IOS using the debug crypto key-exchange and debug crypto pki commands.

29 29 © 2005 Cisco Systems, Inc. All rights reserved. Module 5 – Configure Site-to-Site VPNs Using Digital Certificates 5.3 Configure a PIX Security Appliance Site-to- Site VPN Using Digital Certificates

30 30 © 2005 Cisco Systems, Inc. All rights reserved. CA Server Fulfilling Requests from IPSec Peers

31 31 © 2005 Cisco Systems, Inc. All rights reserved. Enroll a PIX Security Appliance with a CA

32 32 © 2005, Cisco Systems, Inc. All rights reserved.

Download ppt "1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 5 City College."

Similar presentations

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-1 111 © 2003, Cisco Systems, Inc. All rights reserved.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0— © 2003, Cisco Systems, Inc. All rights reserved.
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.1 Module 6 Switch Configuration.

1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.1 Module 6 Switch Configuration.
Building IPSEC VPNS Using Cisco Routers

Building IPSEC VPNS Using Cisco Routers
Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.

Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L4 1 Implementing Secure Converged Wide Area Networks (ISCW)

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L4 1 Implementing Secure Converged Wide Area Networks (ISCW)
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Implementing Secure Converged Wide Area Networks (ISCW)

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Implementing Secure Converged Wide Area Networks (ISCW)
CCNA 2 v3.1 Module 2.

CCNA 2 v3.1 Module 2.
Chapter 9 Managing a Cisco Internetwork Cisco Router Components Bootstrap - Brings up the router during initialization POST - Checks basic functionality;

Chapter 9 Managing a Cisco Internetwork Cisco Router Components Bootstrap - Brings up the router during initialization POST - Checks basic functionality;
© 2012 Cisco and/or its affiliates. All rights reserved. 1 Implementing Virtual Private Networks.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 Implementing Virtual Private Networks.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Sybex CCNA 640-802 Chapter 7: Managing a Cisco Internetwork Instructor & Todd Lammle.

Sybex CCNA Chapter 7: Managing a Cisco Internetwork Instructor & Todd Lammle.
1 © 2002, Cisco Systems, Inc. All rights reserved. Router boot procedure.

1 © 2002, Cisco Systems, Inc. All rights reserved. Router boot procedure.
© 2004 Cisco Systems, Inc. All rights reserved. Managing Your Network Environment Managing Router Startup and Configuration INTRO v2.0—9-1.

© 2004 Cisco Systems, Inc. All rights reserved. Managing Your Network Environment Managing Router Startup and Configuration INTRO v2.0—9-1.
Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.

Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Similar presentations

Ads by Google