VPN Certificates

Certificate Enrollment Protocol (CEP)

Guide to the Configuration of IP Security using a CA

The following are generic instructions for configuring IPSec using a CA (e.g. Entrust Authority Enrollment Server for VPN) with Cisco IOS (version 11.3(3) or later).

  1. Use a CA to configure ISAKMP
    1. Create RSA key-pair(s) for the router

      (config)#cry key gen rsa usage-keys
      This command creates two RSA key pairs. "show cry key mypubkey rsa" displays your RSA public key(s).

    2. Request CA's certificate
      Now we need to configure the router to talk to a CA (e.g. Entrust Enrollment Server for VPN).
      1. Define the router's hostname and IP domain name

        (config)#ip domain-name entrust.com
        (config)#ip name-server 47.97.224.10

      2. Define a CA

        (config)#ip host WebServerName 47.97.226.153
        This defines a host name for the CA's web server.

      3. Declare a CA

        (config)#crypt ca identity EntrustCA
        EntrustCA is just an arbitrary name here. This command puts you into the ca-identity mode.
        (ca-identity)#enrollment url http://WebServerName
        Specify the URL of the CA.
        (ca-identity)#enrollment mode ra
        Specify Registration Authority mode; it is needed for the Enrollment Server for VPN.
        (ca-identity)#exit
        Exit the ca-identity mode.

      4. Authenticate the CA

        (config)#cry ca authen EntrustCA
        Obtain the CA's certificate.

      5. Request your router's certificate

        (config)#cry ca enroll EntrustCA
        This command causes your router to request as many certificates as there are RSA key pairs.

      6. Save your configuration

        #copy run start

  2. Configuring IPSec
    1. Create Crypto Access Lists

      (config)#access-list 101 permit ip host 47.97.239.171 host 47.97.236.242
      This access list selects the traffic between the two routers that IPSec will protect.
      Here source = host 47.97.239.171
      dest = host 47.97.236.242

    2. Create IPSec transforms
      We create three transform sets and use the default tunnel mode.

      (config)#cry ipsec transform-set myset1 esp-rfc1829
      (cfg-crypto-trans)#exit
      (config)#cry ipsec transform-set myset2 ah-md5-hmac esp-des
      (cfg-crypto-trans)#exit
      (config)#cry ipsec transform-set myset3 ah-rfc1828
      (cfg-crypto-trans)#exit

    3. Create crypto map
      This tells the router that this crypto map will be an IPSec crypto map.

      (config)#crypto map mycryptomap 10 ipsec-isakmp
      "10" is just a sequence number. This command puts you into the crypto map configuration mode.
      (config-crypto-map)#set peer 47.97.236.242
      Specify the remote IPSec peer.
      (config-crypto-map)#set transform-set myset1 myset2 myset3
      Associate the transform sets with the crypto map and define their order of priority.
      (config-crypto-map)#match address 101
      Name an IPSec access list. This access list determines which traffic should be protected by IPSec.
      (config-crypto-map)#exit
      This command exits the crypto map configuration mode.

    4. Apply crypto map to interface

      (config)#int e 0
      (config-if)#crypto map mycryptomap
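
As an added check (not part of the original guide), a small Python audit over the running-config this procedure produces: it verifies that the crypto map's transform sets and access list actually exist and that the map is bound to an interface, and flags the DES- and MD5-based transforms the guide uses. The sample config below is constructed from the commands above; the function and key names are the example's own.

```python
# DES- or MD5-based transforms from the guide (RFC 1829 = ESP DES-CBC, RFC 1828 = AH keyed MD5), deprecated today.
DEPRECATED_TRANSFORMS = {"esp-des", "esp-rfc1829", "ah-rfc1828", "ah-md5-hmac"}
# Constructed sample: the running-config the steps above produce.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset1 esp-rfc1829
crypto ipsec transform-set myset2 ah-md5-hmac esp-des
crypto ipsec transform-set myset3 ah-rfc1828
crypto map mycryptomap 10 ipsec-isakmp
 set peer 47.97.236.242
 set transform-set myset1 myset2 myset3
 match address 101
access-list 101 permit ip host 47.97.239.171 host 47.97.236.242
interface Ethernet0
 crypto map mycryptomap
"""

def parse_config(text):
    cfg = {"transforms": {}, "maps": {}, "acls": set(), "applied": {}}
    block = None  # (kind, name) of the section the indented lines belong to
    for raw in text.splitlines():
        w = raw.split()
        if raw[:1] != " ":  # unindented: a top-level command starts a new section
            block = ("if", w[1]) if w[:1] == ["interface"] else None
            if w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transforms"][w[3]] = w[4:]
            elif w[:2] == ["crypto", "map"]:  # one entry per map name
                block = ("map", w[2])
                cfg["maps"].setdefault(w[2], {"sets": [], "acl": None})
            elif w[:1] == ["access-list"]:
                cfg["acls"].add(w[1])
        elif block and block[0] == "map" and w[:2] == ["set", "transform-set"]:
            cfg["maps"][block[1]]["sets"] = w[2:]
        elif block and block[0] == "map" and w[:2] == ["match", "address"]:
            cfg["maps"][block[1]]["acl"] = w[2]
        elif block and block[0] == "if" and w[:2] == ["crypto", "map"]:
            cfg["applied"][w[2]] = block[1]
    return cfg

def audit(text):  # findings: dangling references, maps bound to no interface, deprecated transforms
    cfg, out = parse_config(text), []
    for name, m in cfg["maps"].items():
        out += [f"map {name}: undefined transform-set {t}" for t in m["sets"] if t not in cfg["transforms"]]
        if m["acl"] not in cfg["acls"]:
            out.append(f"map {name}: access-list {m['acl']} not defined")
        if name not in cfg["applied"]:
            out.append(f"map {name}: not applied to any interface")
    for name, ts in cfg["transforms"].items():
        out += [f"transform-set {name}: deprecated transform {t}" for t in ts if t in DEPRECATED_TRANSFORMS]
    return out
```

On the sample config the only findings are the four deprecated transforms; removing the access-list or the interface binding adds the corresponding dangling-reference finding.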
