• No results found

DMVPN Migration from Preshared Authentication to Digital Certificates

In document Cisco.press.pki.Uncovered.feb.2011 (Page 147-152)

Example 6-18 illustrates how to migrate a spoke router that has a DMVPN tunnel to the hub (using a preshared key) to a DMVPM tunnel that uses digital certificates for authen- tication. Table 6-4 lists the devices used for this example.

Table 6-4 Devices for Illustrating Migration of Spoke Router

Description Device Name

Spoke 1 r35-1-1020

Headend s-dmvpn-headend

Sub-ca1 ra-subca

ptg

Chapter 6: Integration in Large-Scale Site-to-Site VPN Solutions 131

crypto keyring giraffe

pre-shared-key address 192.168.159.242 key CISCO !

crypto isakmp policy 1 encr 3des

hash md5

authentication pre-share group 2

crypto isakmp profile r35-profile keyring giraffe

match identity host domain cisco.com

match identity address 192.168.159.242 255.255.255.255 !

!

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac mode transport

!

crypto ipsec profile ESE_DMVPN set transform-set 3DES_MD5 set isakmp-profile r35-profile ! interface Tunnel10 ip address 10.0.0.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp authentication DMVPNGET ip nhrp map multicast dynamic ip nhrp map 10.0.0.4 192.168.159.242 ip nhrp map multicast 192.168.159.242 ip nhrp network-id 1234 ip nhrp holdtime 90 ip nhrp nhs 10.0.0.4 ip nhrp registration timeout 30 ip nhrp shortcut

ip ospf network broadcast tunnel source 192.168.134.146 tunnel mode gre multipoint tunnel key 1234

tunnel protection ipsec profile ESE_DMVPN

The s-dmvpn-headend configuration has two ISAKMP policies: The first is used to match the spokes with preshared keys, and the second is used to match the digital certificates. By having both policies, the dmvpn-headend can establish tunnels with spokes having

ptg

either preshared keys or digital certificates. This policy is used until all the spokes are migrated to digital certificates. When the migration finishes, the dmvpn-headend can have only the ISAKMP policy, as shown in Example 6-17.

Note The ISAKMP profile provides a template for matching identities. In Example 6-19, the ISAKMP profile matches either domain name or preshared secret.

Example 6-19 Illustration of the Relevant DMVPN Hub Configuration

crypto keyring zebra

pre-shared-key address 192.168.187.190 key CISCO pre-shared-key address 192.168.187.194 key CISCO pre-shared-key address 192.168.134.146 key CISCO !

crypto isakmp policy 1 ! The first policy is meant for pre-shared authentication. encr 3des

hash md5

authentication pre-share group 2

!

crypto isakmp policy 2 ! The second policy for rsa-signature authentication encr 3des

hash md5 group 2 !

crypto keyring giraffe

pre-shared-key address 192.168.159.242 key CISCO !

crypto isakmp profile dmvpn-profile

! The isakmp profile will match either pre-shared key or keyring zebra configured on the hub.

keyring giraffe

match identity host domain cisco.com

match identity address 192.168.134.146 255.255.255.255 !

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac mode transport

!

crypto ipsec profile ESE_DMVPN set transform-set 3DES_MD5 set isakmp-profile dmvpn-profile

ptg

Chapter 6: Integration in Large-Scale Site-to-Site VPN Solutions 133

With the preceding configuration of the hub router, the spoke can establish the DMVPN tunnel with the hub router. The show commands verify the following:

■ The DMVPN tunnel is up.

■ The tunnel uses preshared key for authentication.

Example 6-20 Verifying the DMVPN Status

r35-1-1020# show crypto isakmp sa IPv4 Crypto ISAKMP SA

dst src state conn-id slot status 192.168.159.242 192.168.134.146 QM_IDLE 4001 0 ACTIVE r35-1-1020# show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal

X - IKE Extended Authentication

psk - Preshared key, rsig - RSA signature renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

4001 192.168.134.146 192.168.159.242 ACTIVE 3des md5 psk 2 23:51:08 Engine-id:Conn-id = AIM-VPN/EPII-PLUS:1

IPv6 Crypto ISAKMP SA r35-1-1020#

The following steps illustrate the process of migrating from the preshared key implemen- tation to a certificate-based authentication environment.

Step 1. As shown in previous examples, configure the spoke to obtain a certificate by enrolling with a subordinate CA server. To accomplish this task, r35-1-1020 should enroll with ra-subca.

Example 6-21 Configuring the Trust Point on the spoke r35-1-1020

crypto pki trustpoint ra

enrollment url http://192.168.159.243:12345 serial-number

ip-address 192.168.134.146 revocation-check none

ptg

rsakeypair ra

auto-enroll 80 regenerate !

Step 2. Change the ISAKMP policy on the spoke to use RSA signatures.

Example 6-22 Configuring ISAKMP Policy on the Spoke

crypto isakmp policy 1 encr 3des

hash md5 group 2

Step 3. Flap the tunnel so that the DMVPM tunnel tries to establish with the new authentication method, which is digital signatures.

Example 6-23 Flapping the Tunnel

r35-1-1020(config)# interface tunnel 1 shut

no shut

Step 4. Verify that the DMVPN tunnel is established and also if it has used digital signatures for authentication.

Example 6-24 Verifying the DMVPN Tunnel

r35-1-1020# show crypto isakmp sa IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

192.168.159.242 192.168.134.146 QM_IDLE 4003 0 ACTIVE r35-profile IPv6 Crypto ISAKMP SA

r35-1-1020# show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal

X - IKE Extended Authentication

psk - Preshared key, rsig - RSA signature renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

ptg

Chapter 6: Integration in Large-Scale Site-to-Site VPN Solutions 135

4003 192.168.134.146 192.168.159.242 ACTIVE 3des md5 rsig 2 23:53:33 Engine-id:Conn-id = AIM-VPN/EPII-PLUS:3

IPv6 Crypto ISAKMP SA r35-1-1020#

The spoke has successfully established a DMVPN tunnel to the headend router using dig- ital certificates.

GETVPN PKI Design and Leading Practices

In document Cisco.press.pki.Uncovered.feb.2011 (Page 147-152)