I wish Cisco's developers for ASA and IOS were closer to each other when they develop this for IOS and ASA. Once you master ISAKMP profiles and certificates for IPSec tunnels for IOS then you lose your grasp on how to do it on ASA. Any cheat sheets for ASA? ;)
From: [email protected] [mailto:[email protected]] On Behalf Of Ramakrishna Shenai
Sent: Friday, March 18, 2011 10:35 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Working with ISAKMP profiles and Certificates - Some pointers

All of us have at some point or the other had frustrating hours when labbing with "Gee my connection is going into the other VPN's XAUTH and hence not establishing", especially when mocking up scenarios where you have a router that is acting as a termination end point for multiple kinds of VPNs.

The Colonel's secret sauce is the mucho powerful "isakmp profile". With appropriate use of this one can segregate which type of incoming VPN protocol (EZVPN, DMVPN, GDOI) needs to be matched against what kind of isakmp policy, what keypair/keyring to be used, what identity/groupname to be matched against.

Look at these Cisco docs in particular.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd8034bd59.html - ISAKMP profile HOWTO
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_isakmp_map.pdf - Certmap to ISAKMP profile HOWTO
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_isakp.html
http://www.cisco.com/image/gif/paws/47541/dmvpn-ezvpn-isakmp.pdf

The first one is what I consider a lifesaver. A MUST have cheatsheet.

When it comes to mocking up scenarios and wanting to work with certs, here is what I do:

Clock synchronization
a. NTP configured on all involved devices to synchronize time.
b. If you don't want to do NTP then manually do first a time zone set on all devices involved. Then do a clock set on all devices. Ensure that the router chosen to be a CA server is one or two minutes behind in time compared to the rest of the servers. Saves you the trouble of having to deal with the "certificate issued in the future / certificate not yet valid" errors.

Setup CA router and identity cert on it
a. Enable http server (for SCEP)
b. Generate two key pairs labeled, say, CASRV and R1IDENT. CASRV will be used for the signing/issuing authority. R1IDENT will be the key material for the identity certificate if needed.
c. Configure for pki server using name CASRV (so that it picks up the labeled key CASRV). Grant mode auto to make things easier.
d. Issue yourself an identity certificate (for future use). For this setup a trustpoint, say HOCA (head office CA), that points back in the enrollment url to this very same router. Set rsakeypair value to R1IDENT. Authenticate and enroll.
   ** There should be a more elegant way instead of faking out another named trustpoint. Does anyone have any pointers? Was looking into self-signed but still not figured that one out.

Setting up identity cert on client routers
a. Generate labelled key pair R??IDENT (where ?? is say router #).
b. Issue this router a certificate by enrolling with the CA router. For conformity name the trust point HOCA and point to the CA router. Set rsakeypair value to R??IDENT. Authenticate and enroll.

Sample pseudo code logic
- Define a isakmp profile
- configure which trustpoints are valid for this profile
- What certificate map rules are to be satisfied

The 2nd URL listed above does a pretty good job of explaining CertMap to ISAKMP profile linkage/usage.

- R Shenai
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
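An added IOS configuration (not from Shenai's post or the linked Cisco docs) that carries the pseudo code logic above through to a working hub: the CA router issues itself and a branch router certificates, and an ISAKMP profile is selected only for peers whose certificate matches a map. The HOCA, CASRV, R1IDENT and R2IDENT labels come from the post; the CA address 10.0.0.1, the OU=BRANCH subject, and the BRANCH-CERTS / BRANCH-PROFILE / BRANCH-IPSEC names are assumptions for this example.

```cisco
! ---- R1: CA router (assumed address 10.0.0.1) ----
ip http server
! the two "crypto key generate rsa" lines are exec-mode commands, not config
crypto key generate rsa label CASRV modulus 2048
crypto key generate rsa label R1IDENT modulus 2048
crypto pki server CASRV
 issuer-name CN=CASRV,O=LAB
 grant auto
 no shutdown
! R1's own identity cert: trustpoint HOCA enrolls against R1 itself with R1IDENT
crypto pki trustpoint HOCA
 enrollment url http://10.0.0.1:80
 subject-name CN=R1,OU=HQ,O=LAB
 rsakeypair R1IDENT
 revocation-check none
! exec mode: crypto pki authenticate HOCA  /  crypto pki enroll HOCA

! ---- R2: client router ----
crypto key generate rsa label R2IDENT modulus 2048
crypto pki trustpoint HOCA
 enrollment url http://10.0.0.1:80
 subject-name CN=R2,OU=BRANCH,O=LAB
 rsakeypair R2IDENT
 revocation-check none
! exec mode: crypto pki authenticate HOCA  /  crypto pki enroll HOCA

! ---- R1: ISAKMP profile selected by certificate map ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp identity dn
! only certs issued by CASRV whose subject carries OU=BRANCH satisfy this map
crypto pki certificate map BRANCH-CERTS 10
 issuer-name co cn = casrv
 subject-name co ou = branch
crypto isakmp profile BRANCH-PROFILE
 ca trust-point HOCA
 match certificate BRANCH-CERTS
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile BRANCH-IPSEC
 set transform-set TS
 set isakmp-profile BRANCH-PROFILE
interface Tunnel0
 tunnel protection ipsec profile BRANCH-IPSEC
```

Check the result with "show crypto pki certificates" on both routers and "show crypto isakmp sa detail" on R1; a peer whose certificate does not satisfy BRANCH-CERTS is not placed in BRANCH-PROFILE and fails IKE instead of being pulled into another profile's XAUTH, which is the separation the post is after.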
