Skip to main content

GET VPN - part three

This is the third post about the GET VPN series. You should read my previous two posts before you start reading this one.



Today I will change the authentication method for ISAKMP (phase1) from pre-share key to the certification.

Let’s start with the CA:

R6(config)#ip domain name mymicroblog.com
R6(config)#

R6(config)#crypto pki server PKI-SERVER
R6(cs-server)#issuer-name CN=R6.mymicroblog.com, OU=HR
R6(cs-server)#grant auto
R6(cs-server)#
*Dec 14 23:07:14.059: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
R6(cs-server)#no sh
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.
R6(cs-server)#
*Dec 14 23:07:34.139: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Dec 14 23:07:35.243: %PKI-6-CS_ENABLED: Certificate server now enabled.
R6(cs-server)#exit

Now I generate a new key and then I configure a trustpoint on the KS1:

!
crypto pki trustpoint CA-TP
 enrollment url http://8.8.8.2:80
 revocation-check crl
!
 


 
 
R1(config)#crypto key generate rsa modulus 1024 general-keys
R1(config)#crypto pki authenticate CA-TP % Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0 R1(config)# *Dec 14 23:13:28.941: %PKI-3-SOCKETSEND: Failed to send out message to CA server. R1(config)#
I think we need to add some rules on the ASA:

%ASA-2-106001: Inbound TCP connection denied from 3.3.3.2/63698 to 8.8.8.2/80 flags SYN  on interface keys1

access-list KEYS1 extended permit tcp host 3.3.3.2 host 8.8.8.2 eq www
access-group KEYS1 in interface keys1

Let’s try once again:

R1(config)#crypto pki authenticate CA-TP
Certificate has the following attributes:
       Fingerprint MD5: 248526A1 823E2E2F BE9DB758 09545AFF
      Fingerprint SHA1: BB471A1B B4F2CC84 EF139332 72ABA28C A7048A4A

% Do you accept this certificate? [yes/no]:

before I accept it I need to confirm the fingerprint on the R6 is the same:

R6#sh crypto pki certificates verbose
CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=R6.mymicroblog.com
  Subject:
    cn=R6.mymicroblog.com
  Validity Date:
    start date: 23:07:34 UTC Dec 14 2014
    end   date: 23:07:34 UTC Dec 13 2017
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: 248526A1 823E2E2F BE9DB758 09545AFF
  Fingerprint SHA1: BB471A1B B4F2CC84 EF139332 72ABA28C A7048A4A
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
 --More--

ok, I can say ‘yes’

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#

Now I can continue:

R1(config)#crypto pki enroll CA-TP
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: R1.microblog.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA-TP' commandwill show the fingerprint.

R1(config)#
*Dec 14 23:27:02.793: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 88143201 DDC5FB8E B32D16EB 23AEDA7A
*Dec 14 23:27:02.797: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: F58EB09D 172C2D3B 69941ED2 1793508E 882F0E6A
R1(config)#
*Dec 14 23:27:08.405: %PKI-6-CERTRET: Certificate received from Certificate Authority
R1(config)#

we can check now both certificates:

R1(config)#do sh crypto pki certificates verbose
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer:
    cn=R6.mymicroblog.com
  Subject:
    Name: R1.microblog.com
    hostname=R1.microblog.com
  Validity Date:
    start date: 23:27:07 UTC Dec 14 2014
    end   date: 23:27:07 UTC Dec 14 2015
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: 8E875561 2A14DCFA BEF44650 8B9BEA0C
  Fingerprint SHA1: 937FE90B DC19FF47 3ADD8E21 322D5A44 3C0FEA4B
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: DAE7B890 708FD971 410D206C AA29458D 9E41A5E4
    X509v3 Authority Key ID: 99CFC046 F0E73F7C 5EBDA691 5C45C925 3269D858
    Authority Info Access:
  Associated Trustpoints: CA-TP
  Key Label: R1.microblog.com

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=R6.mymicroblog.com
  Subject:
    cn=R6.mymicroblog.com
  Validity Date:
    start date: 23:07:34 UTC Dec 14 2014
    end   date: 23:07:34 UTC Dec 13 2017
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: MD5 with RSA Encryption
  Fingerprint MD5: 248526A1 823E2E2F BE9DB758 09545AFF
  Fingerprint SHA1: BB471A1B B4F2CC84 EF139332 72ABA28C A7048A4A
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 99CFC046 F0E73F7C 5EBDA691 5C45C925 3269D858
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 99CFC046 F0E73F7C 5EBDA691 5C45C925 3269D858
    Authority Info Access:
  Associated Trustpoints: CA-TP


R1(config)#

I need also change isakmp settings:

!
crypto isakmp policy 1
authentication rsa-sig
!
no crypto isakmp key cisco address 0.0.0.0
!

Now I’m going to repeat the same steps on all GMs and the KS2...

Once I finished I test the connection:

R5#ping 10.33.33.33 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.33.33.33, timeout is 2 seconds:
Packet sent with a source address of 10.55.55.55
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/100/112 ms
R5#
R5#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 0.0.0.0 port 848 fvrf: (none) ivrf: (none)
      Phase1_id: R1.microblog.com
      Desc: (none)
  IKEv1 SA: local 5.5.5.2/848 remote 3.3.3.2/848 Active
          Capabilities:(none) connid:1003 lifetime:23:59:08
  IKEv1 SA: local 5.5.5.2/848 remote 3.3.3.2/848 Inactive
          Capabilities:(none) connid:1001 lifetime:0
  IKEv1 SA: local 5.5.5.2/848 remote 3.3.3.2/848 Active
          Capabilities:(none) connid:1004 lifetime:0
  IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2049
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2049

R5#ping 10.44.44.44 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 10.55.55.55
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/96/112 ms
R5#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 0.0.0.0 port 848 fvrf: (none) ivrf: (none)
      Phase1_id: R1.microblog.com
      Desc: (none)
  IKEv1 SA: local 5.5.5.2/848 remote 3.3.3.2/848 Active
          Capabilities:(none) connid:1003 lifetime:23:58:58
  IKEv1 SA: local 5.5.5.2/848 remote 3.3.3.2/848 Active
          Capabilities:(none) connid:1004 lifetime:0
  IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 10 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2038
        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2038

I check once again if the phase one is authenticated by the certificate:

R5#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1003  5.5.5.2         3.3.3.2                ACTIVE aes  sha    rsig 2  23:57:43
       Engine-id:Conn-id =  SW:3

1004  5.5.5.2         3.3.3.2                ACTIVE 3des sha    rsig 0  0
       Engine-id:Conn-id =  SW:4

IPv6 Crypto ISAKMP SA

R5#

As you see the auth method is 'rsig’.

Comments

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an

FortiGate and GRE tunnel

Recently I worked on one project where a client requested to re-route web traffic to the GRE tunnel to perform traffic inspection. I would like to share with you what is required if you configure it on FortiGate. We need a new GRE interface and policy base routing (PBR) to change the route for specific source IPs. Of course you need firewall policies to permit the traffic. Let's start with GRE interface. Unfortunately you can't configure it using the GUI, only CLI is the option: config system gre-tunnel edit "gre1" set interface "port1" set local-gw 55.55.55.55 set remote-gw 44.44.44.44 next end When the end peer is Cisco router, you need to set the IP for the GRE interface: config system interface edit gre1 set ip 192.168.10.10 255.255.255.255 set remote-ip192.168.10.20 end In next step we need to fix routing. We need the alternate path via GRE but to keep the route in the active routing table you need to set the same AD (adminis

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze the packet flo