Created
November 1, 2011 18:57
I'm trying to make a Certificate Authenticated Dynamic Lan-to-Lan VPN between
a Linux host (using racoon) and a Cisco ASA 5520.

Setup:

  (Static Private IP)                        (DHCP Assigned, Non-Static Public IP)
  (interface "eth2")                         (interface "eth1")
  10.100.1.1/30                              A.B.C.D
+-----------+               \                  /
| Passive   |               \ +--------------+ /
| Remote    +-----------------+ Linux router +--------------+
| Appliance |                 +--------------+              |
+-----------+                                               |
 10.100.1.2                                                 |
                                                            |
                                               IPSec Tunnel |
              +---------------------------------------------+
              |
              |                           10.100.0.3/24
              |                             \
              |      +-----------+            \ +--------+
              +------+ Cisco ASA +--------------+ Server +
                   / +-----------+            \ +--------+
                  /                            \
              E.F.G.H                     10.100.0.1/24 (standby 10.100.0.2/24)
       (interface "outside")              (interface "inside")
       (Static, Public IP)                (Static, Private IP)
There are 3 methods by which we can identify a remote host.
1) By IP address (this would work for E.F.G.H, but not for A.B.C.D, which is dynamic)
2) By fully-qualified domain name (again, we don't know what A.B.C.D's FQDN will be)
3) By a distinguished name from an X.509 certificate
Since we cannot use IP or FQDN, we'll have to use an X.509 certificate to establish
identities.
* Decide where your Certificate Revocation List will be hosted
* Decide on a tunnel-group name for the ASA (you will need it for the ID certificates)
* Identify the networks that need to communicate
  - 10.100.0.0/24 <---> 10.100.1.0/30
* Decide on ISAKMP Phase 1 key parameters
  - Authentication Method: RSA-Key
  - Diffie-Hellman Group: 5 (1536 bit)
  - Encryption Algorithm: AES-256
  - Data Integrity Algorithm: SHA-1
  - Use aggressive mode: No (main mode is more secure)
  - Lifetime: 86400s (1 day)
* Decide on Phase 2 Parameters
  - Encapsulation (ESP or AH): ESP
  - Encryption Algorithm: AES-256
  - Authentication Algorithm: SHA-1
  - Perfect Forward Secrecy: No
  - Lifetime: 3600s (1 hour)
########################################
# Certificate Authority
########################################
* Create an openssl.cnf policy file
  - Edit the variables in the script below and just cut-and-paste it into a bash shell
############## BEGIN CUT-N-PASTE HERE ##################################
### Edit Below ###
DOMAIN="exampledomain.net"
CRL_PATH="http://pki.exampledomain.net/exampledomain.net.crl"
COUNTRY="US"
STATE="Tennessee"
LOCALITY="Nashville"
ORG="Web Sages"
ORGUNIT="Information_Technology"
CN="somehost.${DOMAIN}"
EMAIL="certificate.authority@${DOMAIN}"
### Edit Above ###
# escape the slashes in the CRL URL so it can be used as a sed replacement
SED_CRL_PATH=$(echo ${CRL_PATH} | sed -e 's/\//\\\//g')
# the quoted 'EOF' stops the shell from expanding $ENV::HOME and ${DOMAIN} in the
# template below; openssl expands those itself. The ~TOKENS~ are filled in by sed.
/bin/cat <<'EOF' | \
sed -e "s/~DOMAIN~/${DOMAIN}/" \
    -e "s/~CRLPATH~/${SED_CRL_PATH}/" \
    -e "s/~COUNTRY~/${COUNTRY}/" \
    -e "s/~STATE~/${STATE}/" \
    -e "s/~LOCALITY~/${LOCALITY}/" \
    -e "s/~ORG~/${ORG}/" \
    -e "s/~ORGUNIT~/${ORGUNIT}/" \
    -e "s/~CN~/${CN}/" \
    -e "s/~EMAIL~/${EMAIL}/" \
    > /tmp/openssl.cnf
HOME = .
RANDFILE = $ENV::HOME/.rnd
DOMAIN = ~DOMAIN~
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/mid-ca.${DOMAIN}.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.${DOMAIN}.pem
private_key = $dir/private/mid-ca.${DOMAIN}.key
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 1095
default_crl_days= 1095
# sha1 was the 2011 default; a CA built today should sign with sha256
default_md = sha1
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# 1024-bit keys were the 2011 default; use 2048 or more for new keys
default_bits = 1024
default_keyfile = ${DOMAIN}.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = ~COUNTRY~
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ~STATE~
localityName = Locality Name (eg, city)
localityName_default = ~LOCALITY~
0.organizationName = Organization Name (eg, company)
0.organizationName_default = ~ORG~
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ~ORGUNIT~
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = ~CN~
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = ~EMAIL~
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
nsCaRevocationUrl = ~CRLPATH~
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsCaRevocationUrl = ~CRLPATH~
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
nsCaRevocationUrl = ~CRLPATH~
EOF
##################### END CUT-N-PASTE HERE #############################
* Create a Root Certificate Authority (RCA)
* Create an Intermediate CA (ICA)
* Create a Certificate Signing Request (CSR) for the Intermediate CA
* Sign the Intermediate CA's CSR with the Root CA
* Pack up the Root CA private key and put it somewhere secure.
  (Should the Intermediate CA become compromised, only the Root CA can revoke it.)
########################################
# Certificate Revocation List
########################################
*
* Ensure the CRL is publicly available and reachable from both the ASA and linux
########################################
# The linux router side
########################################
* Create an identity certificate (and CSR) for the linux router
* Sign the linux router identity CSR with the Intermediate CA
* Install the Root CA, Intermediate CA, and linux router's ID cert onto the linux box.
scp exampledomain_trust_chain.crt root@host:/etc/ssl/certs
c_rehash
(cd /etc/racoon/certs; ln -s /etc/ssl/certs/e426e9ba.0)
* Set up SNAT for the network we want to pass to the ASA
This tells the kernel to masquerade any packets going out to 10.100.0.1 (from A.B.C.D) as coming
from source address 10.100.1.2 (which does not need to correspond to any physical network
interface of the router). Before any tunnel was set up, I could test the SNAT by
pinging 10.100.0.1 and using tcpdump to see the SNAT. Note that the things behind it will be
passed with their actual IP (the appliance with 10.100.1.2 will not get NATted).
# iptables -t nat -A POSTROUTING -s A.B.C.D/32 -d 10.100.0.0/24 -j SNAT --to-source 10.100.1.1
iptables -t nat -A POSTROUTING -s 96.24.218.145/32 -d 10.100.0.0/24 -j SNAT --to-source 10.100.1.1
# enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
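The CA steps listed above (root CA, intermediate CA with its CSR signed by the root, an identity certificate signed by the intermediate, the hashed trust-directory links that c_rehash makes, and a CRL) are only named, not shown. The shell script below is an added example, not part of the gist, that carries them out with the openssl CLI; the same `issue_cert` signing step applies later to the CSR the ASA prints during `crypto ca enroll`. Directory layout, the DN values, the host names and the OU `instant-issue-00` are constructed for the example. It also does what the ASA's `revocation-check none` skips: `verify_cert` consults the CRL, and the script revokes the cert and shows the verify fail.

```shell
#!/bin/sh
# Added example (not from the gist): root CA, intermediate CA, end-entity certs and a CRL
# built with the openssl CLI under a directory the caller passes in. DN values, host
# names and the OU 'instant-issue-00' are constructed samples.
set -eu

DOMAIN="exampledomain.net"
DN_BASE="/C=US/ST=Tennessee/O=Web Sages"
KEY_BITS="${KEY_BITS:-2048}"   # the gist's root CA used 4096 bits; 2048 keeps the demo quick

# Minimal config for 'openssl req' (root cert, CSRs) and 'openssl ca' (issue, revoke, CRL).
write_ca_config() {
  d="$1"
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ica ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = ica
[ ica ]
database = $d/ica/index.txt
new_certs_dir = $d/ica/newcerts
serial = $d/ica/serial
certificate = $d/mid-ca.pem
private_key = $d/mid-ca.key
default_md = sha256
default_days = 1095
default_crl_days = 30
policy = policy_vpn
x509_extensions = usr_cert
[ policy_vpn ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
}

# build_ca_chain DIR : self-signed root, intermediate signed by the root (pathlen:0),
# trust-chain bundle, c_rehash-style <subject-hash>.0 links, and an initial empty CRL.
build_ca_chain() {
  d="$1"
  mkdir -p "$d/ica/newcerts" "$d/certs"
  : > "$d/ica/index.txt"; echo 01 > "$d/ica/serial"
  write_ca_config "$d"
  openssl genrsa -out "$d/root-ca.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -x509 -config "$d/ca.cnf" -extensions v3_ca -days 3650 -key "$d/root-ca.key" \
    -subj "$DN_BASE/OU=Root Certificate Authority/CN=root-ca.$DOMAIN" -out "$d/root-ca.pem"
  openssl genrsa -out "$d/mid-ca.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -key "$d/mid-ca.key" \
    -subj "$DN_BASE/OU=Intermediate Certificate Authority/CN=mid-ca.$DOMAIN" -out "$d/mid-ca.csr"
  openssl x509 -req -in "$d/mid-ca.csr" -CA "$d/root-ca.pem" -CAkey "$d/root-ca.key" -CAcreateserial \
    -days 1825 -extfile "$d/ca.cnf" -extensions v3_ica -out "$d/mid-ca.pem" 2>/dev/null
  cat "$d/root-ca.pem" "$d/mid-ca.pem" > "$d/${DOMAIN}_trust_chain.crt"
  for c in root-ca mid-ca; do   # what c_rehash does for racoon's certificate path
    ln -sf "$d/$c.pem" "$d/certs/$(openssl x509 -noout -hash -in "$d/$c.pem").0"
  done
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}

# issue_cert DIR NAME OU CN : key + CSR, signed by the intermediate. For a CSR pasted in
# from the ASA, skip the genrsa/req lines and feed its PEM to 'openssl ca' directly.
issue_cert() {
  d="$1"; name="$2"
  openssl genrsa -out "$d/$name.key" "$KEY_BITS" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -key "$d/$name.key" -subj "$DN_BASE/OU=$3/CN=$4" -out "$d/$name.csr"
  openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/$name.csr" -out "$d/$name.crt" 2>/dev/null
}

# verify_cert DIR CERT : 0 only if CERT chains to the root via the intermediate AND is not
# on the intermediate's CRL (the check 'revocation-check none' on the ASA disables).
verify_cert() {
  openssl verify -crl_check -CAfile "$1/root-ca.pem" -untrusted "$1/mid-ca.pem" \
    -CRLfile "$1/crl.pem" "$2" >/dev/null 2>&1
}

# revoke_cert DIR CERT : record the revocation and publish a fresh CRL.
revoke_cert() {
  openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# cert_ou CERT : the subject OU, which the ASA matches to the tunnel-group name by default.
cert_ou() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

main() {
  w=$(mktemp -d)
  build_ca_chain "$w"
  issue_cert "$w" "nomad.$DOMAIN" "instant-issue-00" "nomad.$DOMAIN"
  echo "peer OU (must equal the ASA tunnel-group name): $(cert_ou "$w/nomad.$DOMAIN.crt")"
  verify_cert "$w" "$w/nomad.$DOMAIN.crt" && echo "chain + CRL check: OK"
  revoke_cert "$w" "$w/nomad.$DOMAIN.crt"
  verify_cert "$w" "$w/nomad.$DOMAIN.crt" || echo "after revocation: rejected"
}
main
```

`cert_ou` is the pre-flight check worth running on every identity cert before it is installed: the ASA picks the tunnel-group from the OU unless a certificate map says otherwise, so an OU that differs from the tunnel-group name by a single letter (as the `insant-issue-00` / `instant-issue-00` pair further down in these notes does) lands the peer in the default group instead.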
* Set up the kernel's security policy
#!/bin/sh
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SRCNET="10.100.1.0/30"
DSTNET="10.100.0.0/24"
TUNNEL_LOCAL=$(ifconfig eth1|grep "inet addr"|sed -e 's/[^:]*://' -e 's/ .*//')
TUNNEL_REMOTE="74.255.130.2"
/sbin/setkey -c >/dev/null 2>&1 << EOF
spdflush;
flush;
spdadd $SRCNET $DSTNET any -P out ipsec
    esp/tunnel/$TUNNEL_LOCAL-$TUNNEL_REMOTE/require
    ;
spdadd $DSTNET $SRCNET any -P in ipsec
    esp/tunnel/$TUNNEL_REMOTE-$TUNNEL_LOCAL/require
    ;
EOF
* Set up the racoon.conf with the ISAKMP Parameters
path certificate "/etc/racoon/certs"
remote 74.255.130.2
{
    exchange_mode main;
    peers_identifier asn1dn;
    my_identifier asn1dn;
    verify_identifier on;
    verify_cert on;
    certificate_type x509 "nomad.exampledomain.net.crt" "nomad.exampledomain.net.key";
    proposal
    {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 5;
        lifetime time 86400 sec;
    }
}
sainfo address 10.100.1.0/30 any address 10.100.1.1/32 any
{
    lifetime time 1 hour ;
    encryption_algorithm aes 256 ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}
########################################
# The ASA side
########################################
* Create a keypair to use for RSA authentication
ciscoasa# conf t
ciscoasa(config)# crypto key generate rsa general-keys label exampledomain-keypair modulus 1024 noconfirm
INFO: The name for the keys will be: exampledomain-keypair
Keypair generation process begin. Please wait...
ciscoasa(config)# end
* Confirm the public key is there (optional sanity check)
ciscoasa# show crypto key mypub rsa
...(other keys may be listed as well)...
Key name: exampledomain-keypair
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00859a69
404884ec 5762bc8e 940f312d 09f00d05 24c65c72 0b718272 db8c5cbd 7a5b52bb
a6b3c880 1ea5984a b45175aa 36a132e1 cb94a256 488074ca db1ed897 beb40c76
3e1f1aa0 85d4a9cd 1997aaf9 77dabd6d 9e5e9319 4bec8c56 f4370c45 662fb925
2354546b 16df7845 c445cac4 69c0ea02 64acdc7c 37056c89 9a481879 9d020301 0001
... (more keys may follow)...
* Deleting the keypair (don't do this, this is just to show you how, but you can always make a new one.)
ciscoasa# conf t
ciscoasa(config)# crypto key zeroize rsa label exampledomain-keypair
WARNING: Keys to be removed are named 'exampledomain-keypair'.
WARNING: All device digital certificates issued using these keys will also be removed and
the associated trustpoints may not function correctly.
Do you really want to remove these keys? [yes/no]: yes
ciscoasa(config)# end
* Create a trustpoint on the Cisco ASA
ciscoasa# conf t
ciscoasa(config)# crypto ca trustpoint trustpoint-exampledomain
# Note that by default, the OU will be the tunnel-group name, so watch out for spaces and such
ciscoasa(config-ca-trustpoint)# subject-name CN=ciscoasa.exampledomain.net,OU=insant-issue-00,O=EXAMPLE ORG,C=US,St=Tennesee,L=Nashville,[email protected]
ciscoasa(config-ca-trustpoint)# keypair exampledomain-keypair
ciscoasa(config-ca-trustpoint)# email [email protected]
ciscoasa(config-ca-trustpoint)# id-usage ssl-ipsec
ciscoasa(config-ca-trustpoint)# client-types ipsec
ciscoasa(config-ca-trustpoint)# accept-subordinates
ciscoasa(config-ca-trustpoint)# end
* Create an identity certificate (and CSR) for the ASA
ciscoasa(config)# crypto ca trustpoint trustpoint-exampledomain
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config-ca-trustpoint)# end
ciscoasa# conf t
ciscoasa(config)# crypto ca enroll trustpoint-exampledomain
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=ciscoasa.exampledomain.net,OU=insant-issue-00,O=EXAMPLE ORG,C=US,St=Tennesee,L=Nashville,[email protected]
% The fully-qualified domain name in the certificate will be: ciscoasa.exampledomain.net
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
MIIDdzCCAl8CAQAwgdQxJTAjBgkqhkiG9w0BCQEWFnN5c2FkbWluQGVmdHNvdXJj
ZS5jb20xEjAQBgNVBAcTCU5hc2h2aWxsZTERMA8GA1UECBMIVGVubmVzZWUxCzAJ
BgNVBAYTAlVTMRMwEQYDVQQKEwpFRlQgU291cmNlMRgwFgYDVQQLEw9pbnNhbnQt
aXNzdWUtMDAxIDAeBgNVBAMTF2VmdC1hc2EwMS5lZnRkb21haW4ubmV0MSYwJAYJ
KoZIhvcNAQkCFhdFRlQtQVNBMDEuZWZ0ZG9tYWluLm5ldDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALdzN/QbVma4PYaNdZi23I3DrpjPxp7GqwxXhb1n
RtvKBmXxzGYCWFVX35un+L9BgIQXkai81Gy3scrscYYM4KBoHlHBJxlSRAdDHEHB
zzMBgq0UPTWBH04kGWYa5+uBanWRMZNeU72TQfgv/jmR5OHDGbexKchiWtZmXrkz
PqMdelqBJqwQY1QknFmib3su6hAjliia+5AdFwUX9YdxhhYp1taHCK4Ch1/U9/gl
6RmC5WbLtOD0wIGTQwz6iuzzBD0nSL2TcPau5BZGo25UXR3wAr026Sark8nCGfLn
zwHfuS4dy2Yn7aRRbBkL9Y+6JtgWaMruOXclHzfQDdG0atECAwEAAaBdMFsGCSqG
SIb3DQEJDjFOMEwwDgYDVR0PAQH/BAQDAgWgMDoGA1UdEQQzMDGBFnN5c2FkbWlu
QGVmdHNvdXJjZS5jb22CF0VGVC1BU0EwMS5lZnRkb21haW4ubmV0MA0GCSqGSIb3
DQEBBAUAA4IBAQBXty2CHBcRYHeFtxdsUSslMl5FHZUMpx2mp9iqr6XghEg9F8de
xH15OwMlyq6gj5fT2PjISU+1iK0aUWopDLR05K2AqO3c6TxS2pVT6d2a+USwCNeh
uRO0aALwhEkj6a5qj0AnSYtzQqthA1hlnsfa4U5DyoNbvM7CQvCi/dwauB0ZQ5M/
ITFv084eypObsgaQ9WgaiUNrABhRnfDJiGg/uYR1X+iunnGu2DZu7/+6vKjP9oTN
c86Kz+UBiPMeU/36yKCzmip+fX+192RJ8ZvtIkJhkHlgStZbJsru12PoaYEj8ZmD
IdnUOh9tHFaS8b6fw+hGM9PQsBVmoiU+CCHZ
-----END CERTIFICATE REQUEST-----
Redisplay enrollment request? [yes/no]: no
ciscoasa(config)# end
* Sign the ASA identity CSRs with the Intermediate CA
[ openssl instructions for signing a csr ]
* Import the Intermediate CA into the trustpoint
(config)# crypto ca authenticate trustpoint-exampledomain
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIFoTCCBUugAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMCVVMx
EjAQBgNVBAgTCVRlbm5lc3NlZTESMBAGA1UEBxMJTmFzaHZpbGxlMRMwEQYDVQQK
EwpFRlQgU291cmNlMSMwIQYDVQQLExpSb290IENlcnRpZmljYXRlIEF1dGhvcml0
eTEeMBwGA1UEAxMVcm9vdC1jYS5lZnRzb3VyY2UuY29tMTIwMAYJKoZIhvcNAQkB
FiNjZXJ0aWZpY2F0ZS5hdXRob3JpdHlAZWZ0c291cmNlLmNvbTAeFw0wODEyMjQx
ODM0NDJaFw0xMTEyMjQxODM0NDJaMIG2MQswCQYDVQQGEwJVUzESMBAGA1UECBMJ
VGVubmVzc2VlMRMwEQYDVQQKEwpFRlQgU291cmNlMSswKQYDVQQLEyJJbnRlcm1l
ZGlhdGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR0wGwYDVQQDExRtaWQtY2EuZWZ0
ZG9tYWluLm5ldDEyMDAGCSqGSIb3DQEJARYjY2VydGlmaWNhdGUuYXV0aG9yaXR5
QGVmdGRvbWFpbi5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDO
WWiXwnEGdOeWwhXomKoV/+KC6F8Q+qVctpVTG9OsvonhU3OyEaPaqRz2a+kL+thU
j3lmcpUWIC6I7JzfHEEFeNEGqLjrzAMjeFJxUvF+A9+3bvXFVBAOqMg44JePp0Ts
U9OqCvaG9fl+uL3t5VJd7htkOkVjn3wyl0C1/27ekrEYUHsL68/hx3EVfU0l/LZQ
ET7WVmd9Cu17XK+f0Th5lkozUlc2FhlvkPU6uu4JG+AUEOJ1WVxkGXN3eEB2j46N
QghgsDuwq5RUDQs+rx7DdI50xTWNfosuItJ9Wfz3dVlx11wZ82Mihp7hu0+Ck2lI
8mmzIJB3pPOQtBGhwbMCBh1ACJYG5Ej/FAziZ3G3TY1jZSLOlIZ8N2W0vM7riB8i
RDdhQMbT5zCbtaRYC/VCe5AiOgTSLAmBLylq9jinpFipFc6yHDKCZlx1cIRItwt+
osz0BKK4VZ+XZe/LtWTt814v12cMoflwCYK2La/CSi5cR+x2neA0wuY8CL5y04Y2
AFJ9LnD+nvHghbqhQobLsRByNU3MUdJIaeDj3NiQOs1RS+zlmtGTPD2IGV6BjhXH
9lVLlYD4HS5k4Cm7aag740wNPsBAsl4iR33s9VaNJe5oSEZ7uO3/RKTkqQtCcmjQ
bChODLlcdvgSpEG4GGOpnW11e1D8VqV/O0chARqwPwIDAQABo4IBazCCAWcwHQYD
VR0OBBYEFEPcuzK30pH8aLP0r7WNwMkzsrqkMIH4BgNVHSMEgfAwge2AFH+2jK5G
fqml8Ihhv2CvwX8f9DwcoYHJpIHGMIHDMQswCQYDVQQGEwJVUzESMBAGA1UECBMJ
VGVubmVzc2VlMRIwEAYDVQQHEwlOYXNodmlsbGUxEzARBgNVBAoTCkVGVCBTb3Vy
Y2UxIzAhBgNVBAsTGlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR4wHAYDVQQD
ExVyb290LWNhLmVmdHNvdXJjZS5jb20xMjAwBgkqhkiG9w0BCQEWI2NlcnRpZmlj
YXRlLmF1dGhvcml0eUBlZnRzb3VyY2UuY29tggkAn3F2z9TUppswDAYDVR0TBAUw
AwEB/zA9BglghkgBhvhCAQQEMBYuaHR0cHM6Ly9wa2kuZWZ0c291cmNlLmNvbS9l
ZnRzb3VyY2UuY29tX0NBLmNybDANBgkqhkiG9w0BAQUFAANBAMo4pbi0OF5iHRYb
0IwLV5viSbKv2y+om/fiPyf06CxEXXwXyVpyAjdFjgVB7CpvK04n1XLyx2oKUD75
YuI7jdk=
-----END CERTIFICATE-----
quit
INFO: Certificate has the following attributes:
Fingerprint: 0ef2b31d c2988a52 46a42171 b9dd88e9
Do you accept this certificate? [yes/no]: yes
* Import the ASA's Identity Certificate into the trustpoint.
ciscoasa(config)# crypto ca import trustpoint-exampledomain certificate
% The fully-qualified domain name in the certificate will be: ciscoasa.exampledomain.net
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIFmzCCA4OgAwIBAgIBGDANBgkqhkiG9w0BAQUFADCBtjELMAkGA1UEBhMCVVMx
EjAQBgNVBAgTCVRlbm5lc3NlZTETMBEGA1UEChMKRUZUIFNvdXJjZTErMCkGA1UE
CxMiSW50ZXJtZWRpYXRlIENlcnRpZmljYXRlIEF1dGhvcml0eTEdMBsGA1UEAxMU
bWlkLWNhLmVmdGRvbWFpbi5uZXQxMjAwBgkqhkiG9w0BCQEWI2NlcnRpZmljYXRl
LmF1dGhvcml0eUBlZnRkb21haW4ubmV0MB4XDTEwMDExNDE2MjkwNFoXDTEzMDEx
MzE2MjkwNFowgawxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhUZW5uZXNlZTESMBAG
A1UEBxMJTmFzaHZpbGxlMRMwEQYDVQQKEwpFRlQgU291cmNlMRgwFgYDVQQLEw9p
bnNhbnQtaXNzdWUtMDAxIDAeBgNVBAMTF2VmdC1hc2EwMS5lZnRkb21haW4ubmV0
MSUwIwYJKoZIhvcNAQkBFhZzeXNhZG1pbkBlZnRzb3VyY2UuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt3M39BtWZrg9ho11mLbcjcOumM/Gnsar
DFeFvWdG28oGZfHMZgJYVVffm6f4v0GAhBeRqLzUbLexyuxxhgzgoGgeUcEnGVJE
B0McQcHPMwGCrRQ9NYEfTiQZZhrn64FqdZExk15TvZNB+C/+OZHk4cMZt7EpyGJa
1mZeuTM+ox16WoEmrBBjVCScWaJvey7qECOWKJr7kB0XBRf1h3GGFinW1ocIrgKH
X9T3+CXpGYLlZsu04PTAgZNDDPqK7PMEPSdIvZNw9q7kFkajblRdHfACvTbpJquT
ycIZ8ufPAd+5Lh3LZiftpFFsGQv1j7om2BZoyu45dyUfN9AN0bRq0QIDAQABo4G7
MIG4MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk
IENlcnRpZmljYXRlMB0GA1UdDgQWBBTVYUeaDPhDFi3thrxgWiFSJF7NozAfBgNV
HSMEGDAWgBRD3Lsyt9KR/Giz9K+1jcDJM7K6pDA9BglghkgBhvhCAQQEMBYuaHR0
cHM6Ly9wa2kuZWZ0c291cmNlLmNvbS9lZnRzb3VyY2UuY29tX0NBLmNybDANBgkq
hkiG9w0BAQUFAAOCAgEALF28rqdPM7Sz/+1Zokmebm8MhHrc/UPObn3NMBDeKCRL
uSeexzQMjZG0eBT+jZx7sWlEBZyRB1K05NWJT/dD22HXoh/ZPd20pDhzyxRaLtLO
m6KrGDQXO4EdEAFbfRwmcDCSujvN4al/tLyXD/6dHGc4UeD/xDmW3n1evF4hopzU
/2lS2D/hC0Q7mUvmh97uES6JgbBvEXKkd7zCkgL5vaOLI8rr24nw5mXmLLrAtc16
Hkf6NSC2QxDovNfGuxNzsr9wP99wjSSeTQSCukTPjzH8a/NNVMaq+2WT9ZT6UpYu
n6Dl1z/4pFimTjUN13aiZcjbzT4+NQrX7b3Wmi+RqEhVo1NR6ZAq/mY+ADO8i5TR
4OWA0q4qWmO7H26QGqOIwbLvfH3S32wpfcc++Q6JvLLXOmO3H+CrelG4wGpePL1z
DS0OUU7fVX5Ls1iGX74wTmpS59OuAHbNpkedWWLi8ATozeHxuF9Xhil9dI7wgsI+
81DMfVv+iA96rsTMjJPOI8lVqJGGoZvi2slIJND3ZXkEcXbGDRHCs527mE1cLASx
Fn/P1WZ+GCTn7vgl4ACl6xofAm4YPH3Z8GbZdq8n/hQFErPD7BEm5nePhPJeWz2q
GdWGaEHohqvTON+os+FLJCV0KNWGtUWPf/RocYcsJLr2gICctMeFGoa07OPvKiE=
-----END CERTIFICATE-----
quit
INFO: Certificate successfully imported
* Set up the trustpoint Certificate Revocation List (/*FIXME to use LDAP*/)
ciscoasa(config)# crypto ca trustpoint trustpoint-exampledomain
ciscoasa(config-ca-trustpoint)# revocation-check none
ciscoasa(config-ca-trustpoint)# end
* Inspect the trustpoint certificates (optional, sanity check)
ciscoasa# show crypto ca certificates trustpoint-exampledomain
Certificate
  Status: Available
  Certificate Serial Number: 18
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    [email protected]
    cn=mid-ca.exampledomain.net
    ou=Intermediate Certificate Authority
    o=EXAMPLE ORG
    st=Tennessee
    c=US
  Subject Name:
    [email protected]
    cn=ciscoasa.exampledomain.net
    ou=insant-issue-00
    o=EXAMPLE ORG
    l=Nashville
    st=Tennesee
    c=US
  Validity Date:
    start date: 10:29:04 CST Jan 14 2010
    end date: 10:29:04 CST Jan 13 2013
  Associated Trustpoints: trustpoint-exampledomain
CA Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Issuer Name:
    [email protected]
    cn=root-ca.example.org
    ou=Root Certificate Authority
    o=EXAMPLE ORG
    l=Nashville
    st=Tennessee
    c=US
  Subject Name:
    [email protected]
    cn=mid-ca.exampledomain.net
    ou=Intermediate Certificate Authority
    o=EXAMPLE ORG
    st=Tennessee
    c=US
  Validity Date:
    start date: 12:34:42 CST Dec 24 2008
    end date: 12:34:42 CST Dec 24 2011
  Associated Trustpoints: trustpoint-exampledomain
* Set up the ISAKMP (Phase 1) policy (if it doesn't already exist)
# Note I set this to policy "5", because it's a pretty secure policy.
# (the more secure a policy, the lower its number should be, so your appliances will agree on the more secure one first)
# but run a "show run crypto isakmp" and ensure you're not overwriting one with the same number first.
ciscoasa(config)# crypto isakmp policy 5
ciscoasa(config)# authentication rsa-sig
ciscoasa(config)# encryption aes-256
ciscoasa(config)# group 5
ciscoasa(config)# hash sha
ciscoasa(config)# lifetime 86400
ciscoasa(config)# end
* Set up the security associations (Phase 2) (if it doesn't already exist)
# The transform-set name "ESP-AES-256-SHA" is arbitrary, but putting meta-data in it will keep you sane
ciscoasa(config)# crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!!! errors out ciscoasa(config)# crypto ipsec transform-set ESP-AES-256-SHA mode tunnel
* Set up the group-policy
[ group-policy configuration here ]
* Create the tunnel-group
ciscoasa(config)# tunnel-group instant-issue-00 type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digital Certificates and/or The peer is
configured to use Aggressive Mode
* Configure the tunnel-group's general attributes
ciscoasa(config)# tunnel-group instant-issue-00 general-attributes
ciscoasa(config-tunnel-general)#
* Configure the tunnel-group's IPSec attributes
ciscoasa(config)# tunnel-group instant-issue-00 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# peer-id-validate cert
ciscoasa(config-tunnel-ipsec)# trust-point trustpoint-exampledomain
ciscoasa(config-tunnel-ipsec)# end
* Set up the tunnel-group-map rules (only needed if the OU of the remote ID cert is not the tunnel-group name)
crypto ca certificate map DefaultCertificateMap 1
subject-name attr cn eq eft-ii-asa00.example.org
subject-name attr cn co eft-ii-asa00.example.org
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain example.org-root_ca
* Create an object-group for your remote networks
conf t
object-group network instant-issue-remote-networks
network-object 10.100.1.0 255.255.255.252
end
* You'll want to not NAT traffic going from the inside interface of the ASA out to the remote site
  (add all networks you want to pass)
ciscoasa(config)# access-list nonat_instant_issue_00 extended permit ip 10.100.0.0 255.255.255.0 object-group instant-issue-remote-networks
ciscoasa(config)# nat (instant-issue-dmz) 0 access-list nonat_instant_issue_00
* Create the access-list for IPSec encapsulation
ciscoasa(config)# access-list cryptomap_instant_issue_00 extended permit ip 10.100.0.0 255.255.255.0 object-group instant-issue-remote-networks
* Set up the dynamic crypto map
# The crypto map name "vpn" is arbitrary, but only one map can be applied per interface,
# so entry numbers (1-65535) are used to have multiple tunnels
- create the dynamic crypto map and set the reverse route
ciscoasa(config)# crypto dynamic-map dynmap-instant-issue-00 100 set transform-set ESP-AES-256-SHA
ciscoasa(config)# crypto dynamic-map dynmap-instant-issue-00 100 set reverse-route
ciscoasa(config)# crypto dynamic-map dynmap-instant-issue-00 100 match address cryptomap_instant_issue_00
# use a sequence number higher than all the L2L connections. You don't want an L2L connection inadvertently using the
# dynamic-map reference
- embed the dynamic crypto map into a static crypto-map to activate it
ciscoasa(config)# crypto map vpn 65000 ipsec-isakmp dynamic dynmap-instant-issue-00
* Apply the static crypto map to the outside interface (if not already applied)
ciscoasa(config)# crypto map vpn interface outside
ciscoasa(config)# crypto isakmp enable outside
########################################
# Establishing the Tunnel
* On the Linux Router
/usr/local/sbin/tunnel
racoonctl vpn-connect 74.255.130.2
########################################
# Debugging
tail -f /var/log/daemon.log /var/log/messages /var/log/syslog &
racoon: ERROR: /etc/racoon/racoon.conf:2: "re" syntax error
(correct errors in config)
# racoonctl reload-config
Jan 15 16:59:33 nomad racoon: ERROR: parse error is nothing, but yyerrorcount is 1.
(I had to reboot the linux router here and then I started seeing isakmp phase 1 errors
on the ASA. At least it's progress)
# run a script session on your terminal:
script isakmp-errors.out
Script started, file is isakmp-errors.out
# Then ssh into the ASA and
debug crypto isakmp 255
# on the linux router:
racoonctl vpn-connect 74.255.130.2
Error: Peer failed phase 1 authentication (certificate problem?)
exit the ASA's ssh session, exit the script session and look in isakmp-errors.out for errors
I found:
Jan 18 08:34:01 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Jan 18 08:34:01 [IKEv1 DEBUG]: IP = 96.24.218.145, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 11
debug crypto ca 255
debug crypto ipsec 255
no debug crypto ca 255
no debug crypto ipsec 255
########################################
# Sources:
* Cisco ASA Configuration (Networking Professional's Library) -- Richard Deal
* http://lzeit.blogspot.com/2009/02/setting-ip-ipsec-tunnel-from-linux-to.html -- Leonid Zeitlin