In the previous post, I set up an IKEv1 tunnel between RTD-ASA and DMVPN-Hub2.
In this post, we'll change it to an IKEv2 tunnel. For this to work, we will need a certificate authority and an NTP server in place. CA-Flex will perform both of these functions. The Cisco doc for this is here: Cisco ASA to IOS Site-to-Site IKEv2 tunnel.
We start by adding a new loopback to CA-Flex and setting up the NTP service.
Configuring NTP on Cisco IOS
CA-Flex(config)#int lo100
CA-Flex(config-if)#ip add 80.2.10.1 255.255.255.255
CA-Flex(config)#router ospf 1
CA-Flex(config-router)#network 80.2.10.1 0.0.0.0 area 0
CA-Flex(config-router)#exit
CA-Flex(config)#ntp master 1
CA-Flex(config)#ntp source lo100
CA-Flex(config)#ntp authentication-key 1 md5 cisco
CA-Flex(config)#ntp authenticate
CA-Flex(config)#ntp trusted-key 1
CA-Flex(config)#

DMVPN-Hub2(config)#ntp server 80.2.10.1 key 1
DMVPN-Hub2(config)#ntp authentication-key 1 md5 cisco
DMVPN-Hub2(config)#ntp trusted-key 1
DMVPN-Hub2(config)#

RTD-ASA(config)# ntp server 80.2.10.1 key 1 prefer
RTD-ASA(config)# ntp authentication-key 1 md5 cisco
RTD-ASA(config)# ntp authenticate
RTD-ASA(config)# ntp trusted-key 1
RTD-ASA(config)#

After a little time, the clock on the ASA synchronized:
RTD-ASA# sh ntp stat
Clock is synchronized, stratum 3, reference is 80.2.10.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is db1cd4c0.b1a26267 (10:49:36.693 UTC Tue Jun 28 2016)
clock offset is -108.4542 msec, root delay is 4.82 msec
root dispersion is 15999.53 msec, peer dispersion is 15890.63 msec
RTD-ASA#

The IOS router (DMVPN-Hub2) took a long time, probably around fifteen minutes or so. I checked and double-checked the settings, and then turned on logging, and debugged NTP (debug ntp all). Eventually, it got there:
DMVPN-Hub2#sh ntp sta
Clock is unsynchronized, stratum 3, reference is 80.2.10.1
nominal freq is 1000.0003 Hz, actual freq is 1000.0003 Hz, precision is 2**14
ntp uptime is 230800 (1/100 of seconds), resolution is 1000
reference time is DB1CD9B4.5E24EDF7 (11:10:44.367 UTC Tue Jun 28 2016)
clock offset is 127.6537 msec, root delay is 5.57 msec
root dispersion is 163.01 msec, peer dispersion is 1.10 msec
loopfilter state is 'FREQ' (Drift being measured), drift is 0.000000000 s/s
system poll interval is 64, last update was 7 sec ago.
DMVPN-Hub2#
*Jun 28: NTP message sent to 80.2.10.1, from interface 'GigabitEthernet0/3' (10.1.3.3).
*Jun 28: NTP message received from 80.2.10.1 on interface 'GigabitEthernet0/3' (10.1.3.3).
*Jun 28: NTP Core(DEBUG): ntp_receive: message received
*Jun 28: NTP Core(DEBUG): ntp_receive: peer is 0x0D6B0F68, next action is 1.
*Jun 28: NTP Core(NOTICE): ntpd PPM
*Jun 28: NTP: step(0x00000000.26AAF451): local_offset = 0x00000000.00000000, curtime = 0xDB1CD9F8.5DF3AEBF
*Jun 28: NTP Core(NOTICE): time reset 0.151046 s
*Jun 28: NTP Core(NOTICE): trans state : 5
*Jun 28: NTP Core(INFO): 0.0.0.0 C69C 0C clock_step
*Jun 28: NTP Core(INFO): 0.0.0.0 C0AC 0C clock_step
*Jun 28: NTP message sent to 80.2.10.1, from interface 'GigabitEthernet0/3' (10.1.3.3).
*Jun 28: NTP message received from 80.2.10.1 on interface 'GigabitEthernet0/3' (10.1.3.3).
*Jun 28: NTP Core(DEBUG): ntp_receive: message received
*Jun 28: NTP Core(DEBUG): ntp_receive: peer is 0x0D6B0F68, next action is 1.
*Jun 28: NTP Core(DEBUG): Peer becomes reachable, poll set to 6.
*Jun 28: NTP Core(INFO): 80.2.10.1 E054 84 reachable
*Jun 28: NTP Core(INFO): 80.2.10.1 F66A 8A sys_peer
*Jun 28: NTP Core(NOTICE): Clock is synchronized.
Jun 28 11:11:54.511: NTP: Calendar updated.
DMVPN-Hub2#sh ntp sta
Clock is synchronized, stratum 3, reference is 80.2.10.1
nominal freq is 1000.0003 Hz, actual freq is 999.8436 Hz, precision is 2**14
ntp uptime is 237700 (1/100 of seconds), resolution is 1001
reference time is DB1CD9F9.83E971D3 (11:11:53.515 UTC Tue Jun 28 2016)
clock offset is 1.7506 msec, root delay is 4.75 msec
root dispersion is 7940.04 msec, peer dispersion is 7937.56 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000156686 s/s
system poll interval is 64, last update was 7 sec ago.
DMVPN-Hub2#

I did find this useful article, though, explaining why it can take a while for NTP to update. Now we can set up CA-Flex to be a Certificate Authority (CA).
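Before leaving NTP, here is an added check (written for this write-up, not part of the original post) that parses the three `show ntp status` outputs above and reports whether a clock is fit to validate the short-lived certificates the CA will issue. The samples are trimmed copies of the outputs on this page; the 500 ms offset threshold and the `check_ntp` name are my own choices, and the FREQ/CTRL distinction is the one the DMVPN-Hub2 output shows.

```python
import re

# Constructed samples: the 'show ntp status' lines from this lab that the parser
# reads (IOS before and after sync, and the ASA), not live device output.
IOS_UNSYNCED = """Clock is unsynchronized, stratum 3, reference is 80.2.10.1
clock offset is 127.6537 msec, root delay is 5.57 msec
loopfilter state is 'FREQ' (Drift being measured), drift is 0.000000000 s/s"""
IOS_SYNCED = """Clock is synchronized, stratum 3, reference is 80.2.10.1
clock offset is 1.7506 msec, root delay is 4.75 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000156686 s/s"""
ASA_SYNCED = """Clock is synchronized, stratum 3, reference is 80.2.10.1
clock offset is -108.4542 msec, root delay is 4.82 msec"""

def parse_ntp_status(text):
    """Extract sync state, stratum, reference, offset and (IOS only) loopfilter state."""
    m = re.search(r"Clock is (\w+), stratum (\d+), reference is (\S+)", text)
    if not m:
        raise ValueError("not a 'show ntp status' output")
    status = {"synchronized": m.group(1) == "synchronized",
              "stratum": int(m.group(2)), "reference": m.group(3)}
    m = re.search(r"clock offset is (-?[\d.]+) msec", text)
    status["offset_ms"] = float(m.group(1)) if m else None
    m = re.search(r"loopfilter state is '(\w+)'", text)  # not printed by the ASA
    status["loopfilter"] = m.group(1) if m else None
    return status

def check_ntp(text, expected_reference, max_offset_ms=500.0):
    """Findings that make the clock unfit for certificate validation; [] means good."""
    s = parse_ntp_status(text)
    findings = []
    if not s["synchronized"]:
        findings.append("clock not synchronized")
        # FREQ is the initial drift-measurement phase seen on DMVPN-Hub2:
        # it is expected to take a while and is not a configuration error
        if s["loopfilter"] == "FREQ":
            findings.append("loopfilter in FREQ: still measuring drift, wait for CTRL")
    if s["reference"] != expected_reference:
        findings.append(f"reference {s['reference']} is not {expected_reference}")
    if s["offset_ms"] is not None and abs(s["offset_ms"]) > max_offset_ms:
        findings.append(f"offset {s['offset_ms']} ms exceeds {max_offset_ms} ms")
    return findings
```

Run against the page's outputs, only the first DMVPN-Hub2 sample produces findings; the ASA's -108 ms offset stays under the threshold.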
Configuring a CA on Cisco IOS
IKEv2 likes certificates, so let's create a certificate server. It also likes pre-shared keys, but the CA should prove more interesting.

CA-Flex(config)#crypto key generate rsa label CA-Flex general-key mod 1024
The name for the keys will be: CA-Flex
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable... <== NOTICE THIS!!
[OK] (elapsed time was 1 seconds)
CA-Flex(config)#
Jun 28: %SSH-5-ENABLED: SSH 1.99 has been enabled
CA-Flex(config)#crypto key export rsa CA-Flex pem url nvram: 3des cisco123
% RSA keypair 'CA-Flex' is not exportable.
CA-Flex(config)#crypto key generate rsa label CA-Flex general-key mod 1024 ?
  exportable  Allow the key to be exported
  on          create key on specified device.
  storage     Store key on specified device
CA-Flex(config)#$generate rsa label CA-Flex general-key mod 1024 export
% You already have RSA keys defined named CA-Flex.
% They will be replaced.
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 1 seconds)
CA-Flex(config)#
Jun 28: %SSH-5-DISABLED: SSH 1.99 has been disabled
Jun 28: %SSH-5-ENABLED: SSH 1.99 has been enabled
CA-Flex(config)#crypto key export rsa CA-Flex pem url nvram: 3des cisco123
% Key name: CA-Flex
Usage: General Purpose Key
Exporting public key...
Destination filename [CA-Flex.pub]?
Writing file to nvram:CA-Flex.pub
Exporting private key...
Destination filename [CA-Flex.prv]?
Writing file to nvram:CA-Flex.prv
CA-Flex(config)#crypto pki server CA-Flex
CA-Flex(cs-server)#issuer-name CN=CA-Flex.ccielab.local
CA-Flex(cs-server)#grant auto
CA-Flex(cs-server)#
Jun 28: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
CA-Flex(cs-server)#lifetime certificate 10
CA-Flex(cs-server)#lifetime ca-certificate 10
CA-Flex(cs-server)#cdp-url http://80.2.10.1/ca-flex.crl
CA-Flex(cs-server)#eku server-auth ipsec-end-system ipsec-tunnel ipsec-user
CA-Flex(cs-server)#database archive pem password cisco123
CA-Flex(cs-server)#database url pem nvram:
CA-Flex(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
CA-Flex(cs-server)#
Jun 28: %PKI-6-CS_ENABLED: Certificate server now enabled.
CA-Flex(cs-server)#do sh crypto pki server
Certificate Server CA-Flex:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=CA-Flex.ccielab.local
    CA cert fingerprint: 2A8252E6 EB4D9723 8F4E3480 1602CEC3
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 11:40:24 UTC Jul 8 2016
    CRL NextUpdate timer: 17:40:25 UTC Jun 28 2016
    Current primary storage dir: nvram:
    Current storage dir for .pem files: nvram:
    Database Level: Minimum - no cert data written to storage
CA-Flex(cs-server)#exit
CA-Flex(config)#ip http server
CA-Flex(config)#

Now we set up the routers for PKI. This bit was much harder than expected. I wrote this page twice while trying to get this to work, and in the end, I completely lost track of all the steps I took while troubleshooting, so please excuse the cut-and-paste job. I think part of the issue stems from trying to move from IKEv1 to IKEv2; the little remnants left behind made it messy. I think I'll do another post starting with a clean slate and see if it is smoother.
Below we have the configurations for the ASA and the router.
ASA to IOS IKEv2 tunnel with PKI
ASA config:
object network Nat-Networks
 subnet 10.1.1.0 255.255.255.0
object network No-Nat-Networks
 host 1.1.1.1
object network No-Nat-Destination
 host 3.3.3.3
access-list IPSec-VPN-Traffic extended permit ip host 1.1.1.1 host 3.3.3.3
access-list NONAT extended permit ip object No-Nat-Networks object No-Nat-Destination
!
nat (Inside,Outside) source static No-Nat-Networks No-Nat-Networks destination static No-Nat-Destination No-Nat-Destination no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set VPN-transforms esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal Prop1
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map VPN_Map 1 match address IPSec-VPN-Traffic
crypto map VPN_Map 1 set peer 10.1.3.3
crypto map VPN_Map 1 set ikev1 transform-set VPN-transforms
crypto map VPN_Map 1 set ikev2 ipsec-proposal DES AES256
crypto map VPN_Map 1 set trustpoint CA-Flex
crypto map VPN_Map interface Outside
crypto ca trustpoint CA-Flex
 enrollment url http://80.2.10.1:80
 crl configure
crypto ca trustpool policy
!
crypto isakmp identity hostname
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha256 sha
 group 14 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 10.1.3.3 type ipsec-l2l
tunnel-group 10.1.3.3 general-attributes
 default-group-policy GroupPolicy2
tunnel-group 10.1.3.3 ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate CA-Flex
!
IOS config:
crypto pki trustpoint CA-Flex
 enrollment url http://80.2.10.1:80
 usage ike
 fqdn dmvpn-hub2.ccielab.local
 revocation-check none
 rsakeypair DMVPN-Hub2
 eku request server-auth
!
crypto pki certificate map CA-Flex-Map 10
 issuer-name co ca-flex
!
crypto ikev2 proposal AES256
 encryption aes-cbc-256
 integrity sha1
 group 5 2 14
crypto ikev2 proposal aes-cbc-256-proposal
 encryption aes-cbc-256
 integrity sha1
 group 5 2 14
!
crypto ikev2 policy 1
 match fvrf any
 match address local 10.1.3.3
 proposal AES256
!
crypto ikev2 profile pro1
 match fvrf any
 match address local 10.1.3.3
 match identity remote fqdn RTD-ASA.ccielab.local
 match certificate CA-Flex-Map
 identity local fqdn dmvpn-hub2.ccielab.local
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-Flex
!
no crypto ikev2 http-url cert
!
crypto isakmp policy 10
 encr 3des
 group 5
crypto isakmp invalid-spi-recovery
crypto isakmp profile VPN_Map
 keyring VPN_Keys
 match identity address 10.1.2.254 255.255.255.255
!
crypto ipsec transform-set VPN-transforms esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN_Map 1 ipsec-isakmp
 set peer 10.1.2.254
 set transform-set ESP-AES-SHA
 set pfs group2
 set ikev2-profile pro1
 match address 101
!
access-list 101 permit ip host 3.3.3.3 host 1.1.1.1

So, there we have all the configs. We probably have more than we need and are probably not using all of them, and it has not been a good learning experience. I would have certainly failed this bit in the lab exam. The next step is, therefore, to remove all the tunnel configs, and start from scratch. Repetition is good for the memory, and then I can properly lay out all the steps, along with explanations.
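As an added example (written for this write-up, not taken from the original post or from Cisco), the following Python parses trimmed copies of the ASA `crypto ikev2 policy` blocks and the IOS `crypto ikev2 proposal` above, works out which transforms the two sides have in common, and lists the legacy algorithms (des, 3des, md5, DH groups 2 and 5) the configs still carry. It assumes the responder honours the initiator's preference order within the matched proposal, and it maps the two platforms' spellings of the same algorithm together (aes-cbc-256 and aes-256, sha1 and sha); the function names are mine.

```python
import re

# Trimmed copies of the two configs above (constructed sample input).
ASA_CFG = """crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14 5 2
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2"""
IOS_CFG = """crypto ikev2 proposal AES256
 encryption aes-cbc-256
 integrity sha1
 group 5 2 14"""
ALIASES = {"aes-cbc-256": "aes-256", "aes-cbc-192": "aes-192", "sha1": "sha"}  # IOS -> ASA spelling
LEGACY = {"des", "3des", "md5", "2", "5"}  # weak ciphers, hashes and DH groups

def parse_blocks(cfg, header_re):
    """Return [(name, {'encryption': [...], 'integrity': [...], 'group': [...]})] in config order."""
    blocks = []
    for line in cfg.splitlines():
        m = re.match(header_re, line)
        if m:
            blocks.append((m.group(1), {}))
        elif line.startswith(" ") and blocks:
            key, *vals = line.split()
            blocks[-1][1][key] = [ALIASES.get(v, v) for v in vals]
    return blocks

def negotiate(asa_cfg, ios_cfg):
    """First (ASA policy, IOS proposal, transforms) matching on every type; initiator order breaks ties (assumed)."""
    policies = parse_blocks(asa_cfg, r"crypto ikev2 policy (\S+)")
    proposals = parse_blocks(ios_cfg, r"crypto ikev2 proposal (\S+)")
    for pol_name, pol in policies:
        for prop_name, prop in proposals:
            chosen = {}
            for t in ("encryption", "integrity", "group"):
                common = [v for v in pol.get(t, []) if v in prop.get(t, [])]
                if not common:
                    break
                chosen[t] = common[0]
            else:  # every transform type matched
                return pol_name, prop_name, chosen
    return None

def legacy_algorithms(cfg, header_re):
    """Transforms in any block that a hardening review would replace."""
    return sorted({v for _, block in parse_blocks(cfg, header_re)
                   for vals in block.values() for v in vals if v in LEGACY})
```

For the configs on this page the result is policy 1 with proposal AES256 (aes-256, sha, group 14), which is what the `sh crypto ikev2 sa` output further down reports as Encr AES-CBC keysize 256, Hash SHA96, DH Grp 14.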
I got the desired result:
Local-1#ping 3.3.3.3 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
Local-1#

RTD-ASA# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
139751863        10.1.2.254/500         10.1.3.3/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/1577 sec
Child sa: local selector  1.1.1.1/0 - 1.1.1.1/65535
          remote selector 3.3.3.3/0 - 3.3.3.3/65535
          ESP spi in/out: 0xea2c233e/0x30cdff43
RTD-ASA#

This is not enough, though; there is not enough time (or the help of Google) in the lab to blunder through. So, I will wipe the configs and start again. Until I get it right.