CCIE Security Lab: ASA to IOS IKEv2 tunnel - Part 2: A clean slate


In the previous post, I switched the IKEv1 tunnel to a PKI-based IKEv2 tunnel. I got the desired result in the end but spent too much time searching for the answer, and in the lab exam there won't be any access to Google, so I need to be able to get it working the first time around.

In this post, I will try and break down some of the reasons it did not work and set it up from scratch. I will be keeping the existing IP configuration, along with the NTP config, but the VPN will be set up again from scratch.

There is actually a useful command on the ASA that allows you to migrate IKEv1 to IKEv2: the "migrate" command. However, this is not available on IOS, and despite the similarities between the two platforms, when it comes to IKEv2 the command sets do have some big differences.

Let's start by having a look at some of the issues and "gotchas".

no crypto ikev2 http-url cert

This is a known issue, and pretty well documented:

Certificate lookup based on the HTTP URL avoids the fragmentation that results when large certificates are transferred. This feature is enabled on Cisco IOS software devices by default, so the cert req type 12 is used by Cisco IOS software.

If software versions that do not have the fix for Cisco bug ID CSCul48246 are used on the ASA, then the HTTP-URL-based lookup is not negotiated on the ASA, and Cisco IOS software causes the authorization attempt to fail.

On the ASA, if IKEv2 protocol debugs are enabled, these messages appear:

IKEv2-PROTO-1: (139): Auth exchange failed
IKEv2-PROTO-1: (140): Unsupported cert encoding found or Peer requested HTTP URL but never sent HTTP_LOOKUP_SUPPORTED Notification
In order to avoid this issue, use the no crypto ikev2 http-url cert command in order to disable this feature on the router when it peers with an ASA.

IKEv2 Peer validation

The second issue I faced was the peer validation. Thankfully, this and the issue above are documented in this link. I won't copy and paste the entire thing, but in a nutshell:

During IKE AUTH stage Internet Security Association and Key Management Protocol (ISAKMP) negotiations, the peers must identify themselves to each other. However, there is a difference in the way routers and ASAs select their local identity.

Therefore, we need to specify how the ASA presents itself to the IOS router, and vice-versa:

By default, the router uses the address as the local identity.

By contrast:

By default, the command mode is set to auto, which means that the ASA determines ISAKMP negotiation by connection type:
IP address for pre-shared key.
Cert Distinguished Name for certificate authentication.


This means that we need to specify how the router and the ASA present themselves, which can be done as follows:
Router:

crypto ikev2 profile pro1
 match identity remote fqdn RTD-ASA.ccielab.local
 identity local fqdn dmvpn-hub2.ccielab.local

ASA:
crypto isakmp identity hostname 
Using this setting on the ASA (with the domain-name set to ccielab.local) seems to have worked.

On the ASA tunnel group there is the setting "peer-id-validate nocheck", which circumvents some of the issues; it is needed, in part, because I chose not to include the IP address when creating the certificate:

Similarly, by default the ASA selects the local ID automatically so, when cert auth is used, it sends the Distinguished Name (DN) as the identity. If the router is configured to receive the address as the remote ID, the peer ID validation fails on the router. For this issue, either configure the router in order to validate the fully qualified domain name (FQDN) or configure the ASA in order to use address as the ISAKMP ID.

What seems to have been the final "fix" was to create the certificate map on the router. Again the document linked above does clarify this approach:

On the router, a certificate map that is attached to the IKEv2 profile must be configured in order to recognize the DN.

This was done with the following:
crypto pki certificate map CA-Flex-Map 10
 issuer-name co ca-flex
I think the final issue was with the leftovers from the IKEv1 setup. Lots of reading was done as part of troubleshooting, but then I spent a lot of time thinking "Maybe I needed this bit, but not another bit". The "fvrf" command (front-door VRF) is an example of this. Clearly not enough time was spent reading and learning before implementing. Now I will start again from scratch and this time document all the steps!

Cisco ASA to IOS IKEv2 with PKI

The steps are:
  • Create certificates
  • Enroll in CA
  • Create interesting traffic ACL
  • Define crypto maps and proposals
  • Create tunnels

With a fresh start, the IOS router still takes ages to synchronize NTP, so again, in a lab exam, this is one of those things to set up and return to later, instead of expecting it to work immediately. You could spend ages troubleshooting this when actually, it's working fine.

I ran through this a couple of times. There was much cursing, googling and frustration, but I got it in the end.

Cisco ASA to IOS IKEv2

Clearly, before the exam, I will need to run through it a couple of times again so that it is firmly ingrained.

Below are the steps for the ASA, followed by the IOS router. I have inserted comments, hopefully, to make it easier to read:
RTD-ASA(config)# crypto key generate rsa label RTD-ASA mod 1024
INFO: The name for the keys will be: RTD-ASA
Keypair generation process begin. Please wait...
!
! Keys are generated - lets set up the CA trustpoint:
!
RTD-ASA(config)# crypto ca trustpoint CA-Flex
RTD-ASA(config-ca-trustpoint)# enrollment url http://80.2.10.1
RTD-ASA(config-ca-trustpoint)# crl configure
RTD-ASA(config-ca-crl)# exit
RTD-ASA(config-ca-trustpoint)# fqdn RTD-ASA.ccielab.local
RTD-ASA(config-ca-trustpoint)# keypair RTD-ASA
RTD-ASA(config-ca-trustpoint)# exit
RTD-ASA(config)# 
RTD-ASA(config)# crypto ca authenticate CA-Flex

INFO: Certificate has the following attributes:
Fingerprint:     2a8252e6 eb4d9723 8f4e3480 1602cec3 
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.
RTD-ASA(config)#   
RTD-ASA(config)# crypto ca enroll CA-Flex
%
% Start certificate enrollment .. 
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password: ********
Re-enter password: ********


% The fully-qualified domain name in the certificate will be: RTD-ASA.ccielab.local

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
RTD-ASA(config)# 
RTD-ASA(config)# The certificate has been granted by CA!
RTD-ASA(config)#
!
! Great, now let's define the interesting traffic and set up NAT
!
RTD-ASA(config)# object network Nat-Networks
RTD-ASA(config-network-object)# subnet 10.1.1.0 255.255.255.0
RTD-ASA(config-network-object)# object network No-Nat-Networks
RTD-ASA(config-network-object)# host 1.1.1.1
RTD-ASA(config-network-object)# object network No-Nat-Destination
RTD-ASA(config-network-object)# host 3.3.3.3
RTD-ASA(config-network-object)# access-list IPSec-VPN-Traffic extended permit ip host 1.1.1.1 host 3.3.3.3
RTD-ASA(config)# access-list NONAT extended permit ip object No-Nat-Networks object No-Nat-Destination
RTD-ASA(config)# nat (Inside,Outside) source static No-Nat-Networks No-Nat-Networks destination static No-Nat-Destination No-Nat-Destination no-proxy-arp route-lookup
!
! Now we create the IKEv2 stuff, starting with the proposal
!
RTD-ASA(config)# crypto ipsec ikev2 ipsec-proposal IKEv2-Proposal
RTD-ASA(config-ipsec-proposal)# protocol esp encryption aes-256 3des
RTD-ASA(config-ipsec-proposal)# protocol esp integrity sha-1
RTD-ASA(config-ipsec-proposal)# exit
RTD-ASA(config)#
!
! Next come the policies - probably more than I actually need...
!
RTD-ASA(config)# crypto ikev2 policy 10
RTD-ASA(config-ikev2-policy)# encryption 3des
RTD-ASA(config-ikev2-policy)# integrity sha
RTD-ASA(config-ikev2-policy)# group 5
RTD-ASA(config-ikev2-policy)# prf sha
RTD-ASA(config-ikev2-policy)# exit
RTD-ASA(config)# crypto ikev2 policy 20
RTD-ASA(config-ikev2-policy)#  encryption aes-192
RTD-ASA(config-ikev2-policy)#  integrity sha256 sha
RTD-ASA(config-ikev2-policy)#  group 14 5 2
RTD-ASA(config-ikev2-policy)#  prf sha
RTD-ASA(config-ikev2-policy)#  lifetime seconds 86400
RTD-ASA(config-ikev2-policy)# exit
RTD-ASA(config)# crypto ikev2 policy 30
RTD-ASA(config-ikev2-policy)#  encryption 3des
RTD-ASA(config-ikev2-policy)#  integrity sha
RTD-ASA(config-ikev2-policy)#  group 5 2
RTD-ASA(config-ikev2-policy)#  prf sha
RTD-ASA(config-ikev2-policy)#  lifetime seconds 86400
RTD-ASA(config-ikev2-policy)# exit
RTD-ASA(config)# crypto ikev2 policy 40
RTD-ASA(config-ikev2-policy)#  encryption aes-256
RTD-ASA(config-ikev2-policy)#  integrity sha
RTD-ASA(config-ikev2-policy)#  group 14 5 2
RTD-ASA(config-ikev2-policy)#  prf sha
RTD-ASA(config-ikev2-policy)#  lifetime seconds 86400
RTD-ASA(config-ikev2-policy)#  exit
!
! We need to enable the Outside interface for IKEv2
!
RTD-ASA(config)# crypto ikev2 enable Outside
!
! Set the identity to be the hostname
!
RTD-ASA(config)# crypto isakmp identity hostname
RTD-ASA(config)#
!
! Now we create the tunnel, using a group policy to specify the protocol as IKEv2
!
RTD-ASA(config)# group-policy GroupPolicy2 internal
RTD-ASA(config)# group-policy GroupPolicy2 attributes
RTD-ASA(config-group-policy)# vpn-idle-timeout 30
RTD-ASA(config-group-policy)# vpn-tunnel-protocol ikev2
RTD-ASA(config-group-policy)# exit
RTD-ASA(config)# tunnel-group 10.1.3.3 type ipsec-l2l
RTD-ASA(config)# tunnel-group 10.1.3.3 general-attributes
RTD-ASA(config-tunnel-general)# default-group-policy GroupPolicy2
RTD-ASA(config-tunnel-general)# exit
!
! This is where we tell the tunnel that we are sending a certificate, 
! and expecting one in return.
!
RTD-ASA(config)# tunnel-group 10.1.3.3 ipsec-attributes
RTD-ASA(config-tunnel-ipsec)# ikev2 local-authentication certificate CA-Flex
RTD-ASA(config-tunnel-ipsec)# ikev2 remote-authentication certificate
RTD-ASA(config-tunnel-ipsec)# peer-id-validate nocheck                        
RTD-ASA(config-tunnel-ipsec)# exit
!
! This is our crypto map:
!
RTD-ASA(config)# crypto map VPN-Map 1 match address IPSec-VPN-Traffic
RTD-ASA(config)# crypto map VPN-Map 1 set pfs group5
RTD-ASA(config)# crypto map VPN-Map 1 set peer 10.1.3.3
RTD-ASA(config)# crypto map VPN-Map 1 set ikev2 ipsec-proposal IKEv2-Proposal
RTD-ASA(config)# crypto map VPN-Map 1 set reverse-route
RTD-ASA(config)# crypto map VPN-Map interface Outside
RTD-ASA(config)# 
Now the IOS router:
!
! Start by creating the crypto key
!
DMVPN-Hub2(config)#crypto key generate rsa mod 1024 label DMVPN-Hub2 exportable        
The name for the keys will be: DMVPN-Hub2

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 1 seconds)

DMVPN-Hub2(config)#
Jun 30: %SSH-5-ENABLED: SSH 1.99 has been enabled
DMVPN-Hub2(config)#
!
! Next we set up the PKI trustpoint. 
!
DMVPN-Hub2(config)#crypto pki trustpoint CA-Flex
DMVPN-Hub2(ca-trustpoint)#enrollment url http://80.2.10.1
DMVPN-Hub2(ca-trustpoint)#rsakeypair DMVPN-Hub2
DMVPN-Hub2(ca-trustpoint)#usage ike
DMVPN-Hub2(ca-trustpoint)#fqdn DMVPN-Hub2.ccielab.local
DMVPN-Hub2(ca-trustpoint)#revocation-check none
DMVPN-Hub2(ca-trustpoint)#eku request server-auth 
DMVPN-Hub2(ca-trustpoint)#exit
DMVPN-Hub2(config)#
!
! Authenticate to the trustpoint
!
DMVPN-Hub2(config)#crypto pki authenticate CA-Flex
Certificate has the following attributes:
       Fingerprint MD5: 2A8252E6 EB4D9723 8F4E3480 1602CEC3 
      Fingerprint SHA1: 0FB2B075 23BC42B6 54FEB918 0D384DD5 8AE6B8E1 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
DMVPN-Hub2(config)#
!
! Enroll in the trustpoint
!
DMVPN-Hub2(config)#crypto pki enroll CA-Flex
%
% Start certificate enrollment .. 
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: 
Re-enter password: 

% The subject name in the certificate will include: DMVPN-Hub2.ccielab.local
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA-Flex' commandwill show the fingerprint.

DMVPN-Hub2(config)#
Jun 30: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 67664772 0E859851 DFF2BA03 C9D727F4 
Jun 30: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 13767DB5 F17DA7D6 CD3E2043 A968155D 77959542 
Jun 30: %PKI-6-CERTRET: Certificate received from Certificate Authority
DMVPN-Hub2(config)#
!
! Define the interesting traffic
!
DMVPN-Hub2(config)#access-list 101 permit ip host 3.3.3.3 host 1.1.1.1
DMVPN-Hub2(config)#
!
! Create the IKEv2 proposal
!
DMVPN-Hub2(config)#crypto ikev2 proposal IKEv2-Proposal
IKEv2 proposal MUST either have a set of an encryption algorithm other than aes-gcm, an integrity algorithm and a DH group configured or 
 encryption algorithm aes-gcm, a prf algorithm and a DH group configured
DMVPN-Hub2(config-ikev2-proposal)#encryption aes-cbc-256
DMVPN-Hub2(config-ikev2-proposal)#integrity sha1
DMVPN-Hub2(config-ikev2-proposal)#group 5
DMVPN-Hub2(config-ikev2-proposal)#
DMVPN-Hub2(config-ikev2-proposal)#exit
DMVPN-Hub2(config)#
!
! Create a ikev2 policy
!
DMVPN-Hub2(config)#crypto ikev2 policy 10
IKEv2 policy MUST have atleast one complete proposal attached 
DMVPN-Hub2(config-ikev2-policy)#match fvrf any
DMVPN-Hub2(config-ikev2-policy)#proposal IKEv2-Proposal
DMVPN-Hub2(config-ikev2-policy)#exit
DMVPN-Hub2(config)#
!
! Create a keyring
!
DMVPN-Hub2(config)#crypto ikev2 keyring ASA-Key
DMVPN-Hub2(config-ikev2-keyring)#peer RTD-ASA
DMVPN-Hub2(config-ikev2-keyring-peer)#address 10.1.2.254
DMVPN-Hub2(config-ikev2-keyring-peer)#exit
DMVPN-Hub2(config-ikev2-keyring)#
DMVPN-Hub2(config-ikev2-keyring)#exit
DMVPN-Hub2(config)#
!
! Create an IKEv2 profile
!
DMVPN-Hub2(config)#crypto ikev2 profile IKEv2-Profile
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate or match any statement.
DMVPN-Hub2(config-ikev2-profile)#match fvrf any
DMVPN-Hub2(config-ikev2-profile)#match identity remote address 10.1.2.254 255.255.255.255        
DMVPN-Hub2(config-ikev2-profile)#match identity remote fqdn RTD-ASA.ccielab.local      
DMVPN-Hub2(config-ikev2-profile)#match certificate CA-Flex-Map
%No such certificate map CA-Flex-Map
DMVPN-Hub2(config-ikev2-profile)#identity local dn
DMVPN-Hub2(config-ikev2-profile)#authentication local rsa-sig
DMVPN-Hub2(config-ikev2-profile)#authentication remote rsa-sig
DMVPN-Hub2(config-ikev2-profile)#keyring local ASA-Key
DMVPN-Hub2(config-ikev2-profile)#pki trustpoint CA-Flex
DMVPN-Hub2(config-ikev2-profile)#exit
DMVPN-Hub2(config)#
!
! Create the transform set
!
DMVPN-Hub2(config)#crypto ipsec transform-set IKEv2-Transform esp-3des esp-sha-hmac    
DMVPN-Hub2(cfg-crypto-trans)#mode tunnel
DMVPN-Hub2(cfg-crypto-trans)#exit
DMVPN-Hub2(config)#
!
! Create the certificate map that should have been done before the profile...
!
DMVPN-Hub2(config)#crypto pki certificate map CA-Flex-Map 10
DMVPN-Hub2(ca-certificate-map)#issuer-name co CA-Flex
DMVPN-Hub2(ca-certificate-map)#exit
DMVPN-Hub2(config)#crypto ikev2 profile IKEv2-Profile
DMVPN-Hub2(config-ikev2-profile)#match certificate CA-Flex-Map
DMVPN-Hub2(config-ikev2-profile)#exit
DMVPN-Hub2(config)#
!
! Create the crypto map
!
DMVPN-Hub2(config)#crypto map VPN-Map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
DMVPN-Hub2(config-crypto-map)#set peer 10.1.2.254
DMVPN-Hub2(config-crypto-map)#set transform-set IKEv2-Transform
DMVPN-Hub2(config-crypto-map)#set ikev2-profile IKEv2-Profile
DMVPN-Hub2(config-crypto-map)#match address 101
DMVPN-Hub2(config-crypto-map)#exit
!
! Enable the interface
!
DMVPN-Hub2(config)#int gi 0/3
DMVPN-Hub2(config-if)#crypto map VPN-Map
DMVPN-Hub2(config-if)#exit
Jun 30: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
DMVPN-Hub2(config)#
!
! Disable HTTP certificate lookups
!
DMVPN-Hub2(config)#no crypto ikev2 http-url cert
DMVPN-Hub2(config)#
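Before bringing the tunnel up it is worth knowing which of the four ASA policies the single IOS proposal can actually match. The following Python is an added example (not from this post or from Cisco) that models the responder's choice: the first initiator policy, in priority order, that shares at least one transform of every type with the responder's proposal. The name mapping between the two platforms' spellings and the IOS default of PRF-equals-integrity are my assumptions.

```python
# Constructed model of the ASA IKEv2 policies and the IOS IKEv2 proposal from this post.
# Each platform spells transform names differently, so everything is mapped to one vocabulary.
CANON = {
    "3des": "3des", "aes": "aes-128", "aes-128": "aes-128", "aes-cbc-128": "aes-128",
    "aes-192": "aes-192", "aes-cbc-192": "aes-192", "aes-256": "aes-256", "aes-cbc-256": "aes-256",
    "sha": "sha1", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512",
}

def canon(names):
    return {CANON.get(n, n) for n in names}

def parse_block(lines):
    """Parse the 'encryption', 'integrity', 'group' and 'prf' lines of one ASA policy or
    IOS proposal into sets of canonical names. IOS allows 'prf' to be omitted; it is then
    assumed to default to the integrity algorithms, which matches the 'PRF: SHA1' the
    router reports once the SA is up."""
    fields = {"encryption": set(), "integrity": set(), "group": set(), "prf": set()}
    for line in lines:
        parts = line.split()
        if parts and parts[0] in fields:
            fields[parts[0]] |= (set(parts[1:]) if parts[0] == "group" else canon(parts[1:]))
    if not fields["prf"]:
        fields["prf"] = set(fields["integrity"])
    return fields

# The ASA policies, in priority order, exactly as configured in the post.
ASA_POLICIES = [
    ("policy 10", parse_block(["encryption 3des", "integrity sha", "group 5", "prf sha"])),
    ("policy 20", parse_block(["encryption aes-192", "integrity sha256 sha", "group 14 5 2", "prf sha"])),
    ("policy 30", parse_block(["encryption 3des", "integrity sha", "group 5 2", "prf sha"])),
    ("policy 40", parse_block(["encryption aes-256", "integrity sha", "group 14 5 2", "prf sha"])),
]
# The single IOS proposal attached to 'crypto ikev2 policy 10' on the router.
IOS_PROPOSAL = parse_block(["encryption aes-cbc-256", "integrity sha1", "group 5"])

def negotiate(initiator_policies, responder):
    """Return (name, common transforms) for the first initiator policy, in priority order,
    that shares at least one transform of every type with the responder's proposal; that is
    how the responder picks from the initiator's SA payload. Returns None when nothing
    overlaps, which is the case to check first when IKE_SA_INIT never completes."""
    for name, policy in initiator_policies:
        common = {t: policy[t] & responder[t] for t in ("encryption", "integrity", "group", "prf")}
        if all(common.values()):
            return name, common
    return None

if __name__ == "__main__":
    # The ASA was the initiator in this post, so its policies are offered to the router.
    print(negotiate(ASA_POLICIES, IOS_PROPOSAL))
```

Only policy 40 survives: 3DES and AES-192 are never offered by the router, and of the three DH groups in policy 40 only group 5 is common, which is exactly what both "show crypto ikev2 sa" outputs report.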
There is a lot to remember here, and a lot to forget. I will need to run through this a couple of times! But the tunnel is up and working:
Local-1#ping 3.3.3.3 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 6/9/11 ms
Local-1#

RTD-ASA# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 46168045        10.1.2.254/500          10.1.3.3/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/21 sec
Child sa: local selector  1.1.1.1/0 - 1.1.1.1/65535
          remote selector 3.3.3.3/0 - 3.3.3.3/65535
          ESP spi in/out: 0x33701b89/0xacbd1af8  
RTD-ASA# 

DMVPN-Hub2#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         10.1.3.3/500          10.1.2.254/500        none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/48 sec

 IPv6 Crypto IKEv2  SA 

DMVPN-Hub2#
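To make that verification repeatable, the following Python is an added example (not part of this post) that parses the "show crypto ikev2 sa" output of both platforms as printed above and reviews each SA: is it READY, is it RSA-signature (certificate) authenticated in both directions, and does it meet a minimum-strength baseline. The baseline (DH group 14 or better, no 3DES, no HMAC-SHA1-96) is my assumption, and the lab tunnel as built does not meet it.

```python
import re

# Sample output quoted from the two 'show crypto ikev2 sa' commands in this post, trimmed
# to the header, the SA row and the attribute line that follows it.
ASA_OUTPUT = """\
Tunnel-id                 Local                Remote     Status         Role
 46168045        10.1.2.254/500          10.1.3.3/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
"""
IOS_OUTPUT = """\
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.1.3.3/500          10.1.2.254/500        none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA
"""

# An SA row: tunnel id, local addr/port, remote addr/port, optional fvrf/ivrf (IOS), then status.
SA_ROW = re.compile(
    r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)/(\d+)\s+(\d+\.\d+\.\d+\.\d+)/(\d+)\s+.*?\b(READY|IN-NEG|DELETE)\b")

def parse_ikev2_sa(output):
    """Return one dict per IKEv2 SA: peer addresses, status and every 'key: value' pair from
    the indented 'Encr: ...' line (Encr, keysize, PRF, Hash, DH Grp, Auth sign, Auth verify)."""
    sas = []
    for line in output.splitlines():
        m = SA_ROW.match(line)
        if m:
            sas.append({"tunnel": m.group(1), "local": m.group(2), "remote": m.group(4),
                        "status": m.group(6)})
        elif sas and line.strip().startswith("Encr:"):
            for chunk in line.split(","):
                key, value = chunk.split(":", 1)
                sas[-1][key.strip()] = value.strip()
    return sas

# Review baseline (my assumption, not from the post): HMAC-SHA1-96 integrity, 3DES and DH groups
# below 14 are flagged so they can be raised with the peer's administrator after the lab.
WEAK_HASH = {"SHA96"}
MIN_DH_GROUP = 14

def review_sa(sa):
    """Return findings for one SA; an empty list means it is READY, RSA-signature
    (certificate) authenticated in both directions and meets the baseline."""
    findings = []
    if sa["status"] != "READY":
        findings.append("SA not READY")
    if sa.get("Auth sign") != "RSA" or sa.get("Auth verify") != "RSA":
        findings.append("not certificate (RSA-sig) authenticated in both directions")
    if sa.get("Encr") == "3DES":
        findings.append("3DES encryption")
    if sa.get("Hash") in WEAK_HASH:
        findings.append(f"integrity {sa['Hash']}")
    if int(sa.get("DH Grp", "0")) < MIN_DH_GROUP:
        findings.append(f"DH group {sa.get('DH Grp')} below group {MIN_DH_GROUP}")
    return findings
```

Running review_sa over both outputs confirms the tunnel is up and certificate-authenticated on both sides, and flags the SHA1-96 integrity and DH group 5 that the ASA policies and IOS proposal above negotiated.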
This one will get revisited, most likely in the form of a break-fix scenario. But now it's time to move on (mainly because I am annoyed that this is taking a while to get into my head).

Next up will be dual-hub DMVPN!

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.
