FLEX VPN (S2S) USING PKI

BASIC CONFIGURATION

R1:
int f0/0
  ip address 1.1.1.1 255.255.255.0
  no shut
int l0
  ip address 10.1.1.1 255.255.255.255
ip route 0.0.0.0 0.0.0.0 1.1.1.2

R2:
int f0/0
  ip address 2.2.2.1 255.255.255.0
  no shut
int l0
  ip address 10.1.2.1 255.255.255.255
ip route 0.0.0.0 0.0.0.0 2.2.2.2

R4:
int f0/0
  ip address 3.3.3.1 255.255.255.0
  no shut
ip route 0.0.0.0 0.0.0.0 3.3.3.2

R3:
int f2/0
  ip address 3.3.3.2 255.255.255.0
  no shut
int f0/0
  ip address 1.1.1.2 255.255.255.0
  no shut
int f0/1
  ip address 2.2.2.2 255.255.255.0
  no shut

NTP CONFIGURATION

R3:

clock set 07:21:00 01 DEC 2013   
ntp master 1
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate

R1:
ntp server 1.1.1.2
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate

R2:
ntp server 2.2.2.2
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate

R4:
ntp server 3.3.3.2
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp authenticate

CERTIFICATE CONFIGURATION

R4:
! HTTP server is required so R1 and R2 can enrol over SCEP
ip http server
! the key pair label must match the CA server name, otherwise the server generates its own key
crypto key generate rsa modulus 1024 label CA_Server exportable
crypto pki server CA_Server
  issuer-name CN=ca_server,OU=cisco,C=India,ST=Karnataka,L=Bangalore
  lifetime ca-certificate 3
  lifetime certificate 2
  ! grant auto signs every request without operator approval; lab use only
  grant auto
  no shut

R1:
crypto pki trustpoint CA
  enrollment url http://3.3.3.1
  ! no CRL lookup: a revoked peer certificate would still be accepted
  revocation-check none
crypto pki authenticate CA
crypto pki enroll CA

R2:
crypto pki trustpoint CA
  enrollment url http://3.3.3.1
  revocation-check none
crypto pki authenticate CA
crypto pki enroll CA

IKEV2 CONFIGURATION

R1:
access-list 101 permit ip host 10.1.1.1 host 10.1.2.1
crypto ikev2 proposal PRO
encryption aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy 10
proposal PRO
!
crypto ikev2 profile PROFILE
match fvrf any
match identity remote fqdn PEER
identity local fqdn PEER
! both peers authenticate with certificates issued by trustpoint CA
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
  set peer 2.2.2.1
  set transform-set TSET
  set ikev2-profile PROFILE
  match address 101
!
int f0/0
  crypto map CMAP

R2:
access-list 101 permit ip host 10.1.2.1 host 10.1.1.1
crypto ikev2 proposal PRO
encryption aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy 10
proposal PRO
!
crypto ikev2 profile PROFILE
match fvrf any
match identity remote fqdn PEER
identity local fqdn PEER
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
  ! peer is R1's outside address (2.2.2.1 is R2's own interface)
  set peer 1.1.1.1
  set transform-set TSET
  set ikev2-profile PROFILE
  match address 101
!
int f0/0
  crypto map CMAP
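Verification steps for this lab, added here as an example and not part of the original write-up. They are standard IOS exec commands; the addresses are the ones used above, and the ping from R1's loopback is chosen because ACL 101 only matches loopback-to-loopback traffic. Expected output is not reproduced, since it depends on the running devices.

```cisco
! --- NTP: certificate validation fails if the clocks are outside the certificate lifetimes ---
show ntp status
show ntp associations

! --- PKI on R4 (the CA): server state and the issued certificates ---
show crypto pki server
show crypto pki certificates

! --- PKI on R1 and R2: expect a CA certificate and a router certificate under trustpoint CA ---
show crypto pki trustpoints status
show crypto pki certificates verbose

! --- Bring the tunnel up from R1 (traffic must match ACL 101) ---
ping 10.1.2.1 source 10.1.1.1

! --- IKEv2 and IPsec state: the SA should show rsa-sig for both local and remote auth ---
show crypto map
show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session detail

! --- If IKE_AUTH fails, the certificate chain check is the usual cause ---
debug crypto ikev2
debug crypto pki validation
```

Check NTP first: with a 2-day certificate lifetime, a router whose clock has not synchronised to R3 will reject the peer's certificate even though enrolment succeeded.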