- Using Symantec SSL PKI to Authenticate Cisco IOS IPSec VPN – HA Deployment
- Using PKI Build Route-Based IPSec VPN between Juniper SRX
- Certification based Cisco IPSec VPN Down caused by ‘signature invalid’
- Troubleshooting Symantec Verisign SSL Certificates Issue on PKI VPN Tunnel between Juniper SRX Firewalls (Cont.)
- Using Symantec Verisign SSL Certificate for Check Point SSL VPN Mobile Access Portal
- Using Symantec Verisign PKI to authenticate Checkpoint Site-to-Site IPSec VPN
- Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (2) – Using Two Different CA Certificates
This post is mainly used to document the steps how to built a Third Party Based Certificates IPSec VPN, including how to submit gateway’s CSR to Symantec and get your certs signed by Symantec CA and how to install those signed certs on your gateways. The first 8 steps are same for both for standalone deployment and high availability implementation. Only difference will be at step 9 for only used in high availability configuration.
Here are all steps:
M-16th(config)#crypto key generate rsa general-keys label M-16th.test.com modulus 2048 exportable
The name for the keys will be: M-16th.test.com % The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be exportable… [OK] (elapsed time was 0 seconds) |
note: Please always use 2048 or higher key. Most of public certificates companies do not support any key less than 2048 bits now.
M-16th#show crypto key mypubkey all
% Key pair was generated at: 14:57:23 EDT Jul 24 2012 Key name: TP-self-signed-3560658343 Key type: RSA KEYS Storage Device: private-config Usage: General Purpose Key Key is not exportable. Key Data: 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 0098EA03 0D5BD6B5 6EBDA599 28071B27 40A162FB 247927AB 3834F338 A36CE905 3E6A0AD2 BFB1F9CA BBF4E6A2 91C839B1 374CEA0F FEF63026 90AD641C 1674066F 2A7A92FF 3C28D56B 3E022446 B7CA5F1F DD9AD7A1 BFF96C6E 6B4F6F5A D1EE5541 3CDC0090 82B3545C 052A483C CB201EA4 50000035 5A15C29C 2B359EDA 7C5EE5C0 39020301 0001 % Key pair was generated at: 13:02:18 EST Dec 15 2014 Key name: TP-self-signed-3560658343.server Key type: RSA KEYS Temporary key Usage: Encryption Key Key is not exportable. Key Data: 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DB7517 9CF9611C AC80D3E6 69132768 9F5B0304 78B045FC F5A977F3 0526520C 64C60BA4 FCCA8C63 3DFC2552 36204A58 64F68227 5F3940E3 68287B47 1D9B1769 8E4AB4CD 7CDF21DD 0C43251F A36E956F 57A0769C A4395572 1111E008 46C09AE5 23020301 0001 % Key pair was generated at: 14:01:03 EST Dec 15 2014 Key name: M-16th.test.com Key type: RSA KEYS Storage Device: private-config Usage: General Purpose Key Key is exportable. Key Data: 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00BD5C8B 863706DC E787D3CD 298E8DF9 00A7C9F6 49B4E0E2 76D1AC0C DEA184D2 8929AC9E 2A15A5E8 70A3898B 769CF6DA 60464B7D BB30A468 188AFE7E A747DA9F C792D643 F2015AAE 9F991278 8BF16BE2 71020FE3 5275C651 A02B26B7 3D128FFE 7030567F 86029725 3711CF8B 76089C0E 1E607829 346BD5A2 4E0B3F2A B2618673 11020301 0001 |
2. Create Trustpoint on Your Routers
M-16th(config)#crypto pki trustpoint Verisign2014
M-16th(ca-trustpoint)#enrollment terminal M-16th(ca-trustpoint)#subject-name CN=M-16th.test.com,OU=IT,O=TT,C=CA,ST=Ontario,L=Markham M-16th(ca-trustpoint)#rsakeypair M-16th.test.com M-16th(ca-trustpoint)#fqdn M-16th.test.com M-16th(ca-trustpoint)#revocation-check none M-16th(ca-trustpoint)#exit |
3. Create CSR (certificate service request)
M-16th(config)#crypto pki enroll Verisign2014
% Start certificate enrollment .. % The subject name in the certificate will include: CN=M-16th.test.com,OU=IT,O=TT,C=CA,ST=Ontario % The subject name in the certificate will include: M-16th.test.com % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: no Display Certificate Request to terminal? [yes/no]: yes Certificate Request follows: MIIC6TCCAdECAQAwgYIxEDAOBgNVBAgTB0udGFyaW8xCzAJBgNVBAYTAkNBMQww CgYDVQQKDANHJkQxCzAJBgNVBAsTAklUMR8HQYDVQQDExZNYXJraGFtLTE2dGgu Z2ktZGUuY29tMSUwIwYJKoZIhvcNAQkCFhZNYXJraGFtLTE2dGguZ2ktZGUuY29t MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIICgKCAQEA0jql8eHa4JSOAsOATxHo Jj89HgioOCA5gsvJeFoHcKlwMUq1hG285ITuauAjUzOfpNIR1ZHbcBnPslGVWjq 7Q4TN/aY3w5zGDoyeMiIs93q+QUwA4G4TqjNPHMbw6ze9GJSdGH1QlExmisUv3KX qvB4W4TQJH7i3Gg0mko+J913KpedmmGcHYju0cffitVrAMRqIE6NRlYWIcTQFVw JNS8LQBGvKb9RhDTH35dscGlcPos3nIcA66u3B8= —End – This line not part of the certificate request— Redisplay enrollment request? [yes/no]: no |
This csr is the one you will submit it to your CA, which is Symantec in this case. They will verify the information your provides in the CSR, then sign it and return a signed certificate to you.You can import it into the gateway by following steps below:
Your download certificates package should include intermediateCA.cer, ssl_certificate.cer and some other getting_started documents.
5. Install Intermediate / Root Certificate(s)
Tricky part is in this Intermediate CA Certificates page. There are two different RSA Intermediate CA Certificates, one is primary, and another is secondary. Which one should we choose? Let me try first one which is primary. (Unfortunately I got error message during installing actual signed device SSL certificate. The error message is “% Failed to parse or verify imported certificate”. You will see that later. In next screenshot, I have marked which one is right one for this post.
M-16th(config)#crypto pki authenticate Verisign2014
Enter the base 64 encoded CA certificate. End with a blank line or the word “quit” on a line by itself —–BEGIN CERTIFICATE—– MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANgkqhkiG9w0BAQUFADBf MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OU5WjCByjELMAkGA1UEBhMCVVMx FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7aGY5eE43U68ZhjTresY8g3JbT5K lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/ —–END CERTIFICATE—– Trustpoint ‘Verisign2014’ is a subordinate CA and holds a non self signed cert Certificate has the following attributes: Fingerprint MD5: F91FFEE6 A36B9988 41D467DD E5F8977A Fingerprint SHA1: 32F30882 622B87CF 8856C63D B873DF08 53B4DD27 % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. % Certificate successfully imported |
Note: Actually we are still not sure if we imported right CA certificate. It happened to me before. Symantec mailed me a wrong intermediate certificate. (Please check my previous post : Troubleshooting Symantec Verisign SSL Certificates Issue on PKI VPN Tunnel between Juniper SRX Firewalls (Cont.)) It will wait until next step to see if your SSL certificate matches with your intermediate certificate when you try to install your signed SSL certificate.
6. Install actual Signed SSL Certificate on Cisco Router
Link1: Symantec Intermediate CA Certificates
Link2: Intermediate CA Certificates: Secure Site/Managed PKI for SSL Standard Certificates
M-16th(config)#crypto pki import Verisign2014 certificate
Enter the base 64 encoded certificate. End with a blank line or the word “quit” on a line by itself MIIFgTCCBGmgAwIBAgIQKjCOdOIFbDkbDAxmz+KJjANBgkqhkiG9w0BAQUFADCB tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTsOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY9tL3JwYSAoYykxMDEvMC0GA1UEAxMm VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cgU2VydmVyIENBIC0gRzMwHhcNMTQwMzEw MDAwMDAwWhcNMTcwMzA5MjM1OT5WjCBuDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM B09udGFyaW8xEDAOBgNVBAcMB01hcmtoYW0xLzAtBgNVBAoMJkdpZXNlY2tlICYg hOfPbPdr7dX/ep5JELJUDaAl5AFiON75PYJBtUcrnYuduzqdpY51MV0lUXsa7GP 0kR0ngAfTotDmE76iV5Uno/FiJtVTTM0ZqidPWihJprmtNUjH8BnLO8jA3Kwqw qvKgAXbJnBOrYb7gGVlPC6r4LPhX7B6dwDaoRDpliSvGBpGAEx6POIW5tD8lvUW RCZisxlco3oFnxJj6V7hm17dzfnELz49Nisa4vcgfW9eI3Z+2gtM0fT5/oVGDKb 4zRQ+2tLUF72B1WlfFZ4YFl7/m7 % Failed to parse or verify imported certificate |
The installation failed. The CA certificate imported at Step 5 could not verify this signed SSL certificate. It means the CA certificate is wrong one.
Based the TN 8530 – Why do I receive the error “Failed to parse or verify imported certificate” on a Cisco ASA?, this is the message to tell you the trustpoint certs you imported from previous step is a wrong one. To fix this error, you will have to delete whole trustpoint configuration by no command.
M-16th(config)#no crypto pki trustpoint Verisign2014
% Removing an enrolled trustpoint will destroy all certificates received from the related Certificate Authority. Are you sure you want to do this? [yes/no]:yes |
M-16th(config)#crypto pki import Verisign2014 certificate Enter the base 64 encoded certificate. End with a blank line or the word “quit” on a line by itself —–BEGIN CERTIFICATE—– MIIFgTCCBGmgAwIBAgIQKjCOdOIFbDkbDAxmz+KJjANBgkqhkiG9w0BAQUFADCB tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTsOQYDVQQLEzJUZXJtcyBvZiB1c2Ug LmNvbS9TVlJTZWN1cmVHMy5jmwwQwYDVR0gBDwwOjA4BgpghkgBhvhFAQc2MCow KAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMwHQYDVR0l BBYwFAYIKwYBBQUHAwEGCCsAQUFBwMCMB8GA1UdIwQYMBaAFA1EXBZTRMGCfh0g qyX0AWPYvnmlMHYGCCsGAQUBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDovL29j c3AudmVyaXNpZ24uY29tMEAGCsGAQUFBzAChjRodHRwOi8vU1ZSU2VjdXJlLUcz LWFpYS52ZXJpc2lnbi5jb20vU1ZS2VjdXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUA A4IBAQCpZzArqkr+wlVsmCpgCe5MPMUw/SpQj0gV3zIv5oeMvDfpJN+olwhqJI hOfPbPdr7dX/ep5JELJUDaAl5AFiON75PYJBtUcrnYuduzqdpY51MV0lUXsa7GP 0kR0ngAfTotDmE76iV5Uno/FiJtVTTM0ZqidPWihJprmtNUjH8BnLO8jA3Kwqw qvKgAXbJnBOrYb7gGVlPC6r4LPhX7B6dwDaoRDpliSvGBpGAEx6POIW5tD8lvUW RCZisxlco3oFnxJj6V7hm17dzfnELz49Nisa4vcgfW9eI3Z+2gtM0fT5/oVGDKb 4zRQ+2tLUF72B1WlfFZ4YFl7/m7 —–END CERTIFICATE—– % Router Certificate successfully imported |
7. Verify Certificates
M-16th#show crypto pki certificates Certificate Status: Available Certificate Serial Number (hex): 2A308E74E2056C391B0C0C769B3F8A26 Certificate Usage: General Purpose Issuer: cn=VeriSign Class 3 Secure Server CA – G3 ou=Terms of use at https://www.verisign.com/rpa (c)10 ou=VeriSign Trust Network o=VeriSign Inc. c=US Subject: Name: M-16th.test.com cn=M-16th.test.com ou=Terms of use at www.verisign.com/rpa (c)05 o=Giesecke & Devrient systems canada inc l=Markham st=Ontario c=CA CRL Distribution Points: http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl Validity Date: start date: 20:00:00 EDT Mar 9 2014 end date: 18:59:59 EST Mar 9 2017 Associated Trustpoints: Verisign2014 CA Certificate Status: Available Certificate Serial Number (hex): 6ECC7AA5A7032009B8CEBCF4E952D491 Certificate Usage: Signature Issuer: cn=VeriSign Class 3 Public Primary Certification Authority – G5 ou=(c) 2006 VeriSign Inc. – For authorized use only ou=VeriSign Trust Network o=VeriSign Inc. c=US Subject: cn=VeriSign Class 3 Secure Server CA – G3 ou=Terms of use at https://www.verisign.com/rpa (c)10 ou=VeriSign Trust Network o=VeriSign Inc. c=US CRL Distribution Points: http://crl.verisign.com/pca3-g5.crl Validity Date: start date: 19:00:00 EST Feb 7 2010 end date: 18:59:59 EST Feb 7 2020 Associated Trustpoints: Verisign2014 Router Self-Signed Certificate Status: Available Certificate Serial Number (hex): 01 Certificate Usage: General Purpose Issuer: cn=IOS-Self-Signed-Certificate-3775191276 Subject: Name: IOS-Self-Signed-Certificate-3775191276 cn=IOS-Self-Signed-Certificate-3775191276 Validity Date: start date: 10:26:26 EST Jan 11 2012 end date: 19:00:00 EST Dec 31 2019 Associated Trustpoints: TP-self-signed-3775191276 Storage: nvram:IOS-Self-Sig#1.cer M-16th#dir nvram: Directory of nvram:/ 240 -rw- 10890 <no date> startup-config 241 —- 3921 <no date> private-config 242 -rw- 10890 <no date> underlying-config 1 -rw- 2945 <no date> cwmp_inventory 4 —- 0 <no date> rf_cold_starts 5 —- 117 <no date> persistent-data 6 -rw- 559 <no date> IOS-Self-Sig#1.cer 7 -rw- 0 <no date> ifIndex-table 8 -rw- 1413 <no date> VeriSignClas#8A26.cer 10 -rw- 1520 <no date> VeriSignClas#D491CA.cer |
crypto pki trustpoint Verisign2014
enrollment terminal fqdn 16th-M.test.com subject-name CN=16th-M.test.com,OU=IT,O=xx,C=CA,ST=Ontario revocation-check none rsakeypair 16th-M.test.com ! ! crypto pki certificate chain Verisign2014 certificate 04681FB41D03897F3C61766E1DD5C42F 30820581 30820469 A0030201 02021004 681FB41D 03897F3C 61766E1D D5C42F30 0D06092A 864886F7 0D010105 05003081 B5310B30 09060355 04061302 55533117 30150603 55040A13 0E566572 69536967 6E2C2049 6E632E31 1F301D06 0355040B 13165665 72695369 676E2054 72757374 204E6574 776F726B 313B3039 06035504 0B133254 65726D73 206F6620 75736520 61742068 74747073 3A2F2F77 77772E76 …… 6C2527B9 DEB78458 C61F381E A4C4CB66 quit ! ! Policy 5 is using default RSA-SIG authentication method. crypto isakmp policy 5 encr 3des hash md5 group 2 ! ! Policy 10 is using Pre-share key authentication method crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2 ! crypto isakmp key PASSWORDWRONG address 10.9.8.1 crypto isakmp aggressive-mode disable ! crypto ipsec security-association idle-time 300 ! crypto ipsec transform-set Phase2 esp-3des esp-md5-hmac mode tunnel ! ! ! crypto map VPN 10 ipsec-isakmp set peer 10.9.8.1 no set security-association idle-time set transform-set Phase2 match address protect ! ! ! ! interface GigabitEthernet0/1 ip address 10.9.8.2 255.255.255.200 ip flow ingress duplex auto speed auto crypto map VPN ! ip access-list extended protect permit ip 10.9.2.0 0.0.0.255 any permit ip 10.9.6.0 0.0.0.255 any permit ip 10.9.7.0 0.0.0.255 any permit ip 10.9.3.0 0.0.0.255 any ! ! ! Router1#show crypto isakmp sa detail Codes: C – IKE configuration mode, D – Dead Peer Detection K – Keepalives, N – NAT-traversal T – cTCP encapsulation, X – IKE Extended Authentication psk – Preshared key, rsig – RSA signature renc – RSA encryption IPv4 Crypto ISAKMP SA C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap. 9023 10.9.8.2 10.9.8.1 ACTIVE 3des md5 rsig 2 05:37:02 Engine-id:Conn-id = SW:23 IPv6 Crypto ISAKMP SA Router1# |
9. High Availability Configuration
9.1 Stateless Failover Configuration
interface GigabitEthernet0/0
ip address 19.26.116.140 255.255.255.192
standby 199 ip 19.26.116.141
standby 199 preempt
standby 199 name VPNHA
standby 199 track 1 decrement 10
duplex auto
speed auto
crypto map vpn redundancy VPNHA
9.2 Stateful Failover Configuration
redundancy inter-device
scheme standby VPNHA
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 19.26.116.139
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 19.26.116.140
!
interface GigabitEthernet0/0
ip address 19.26.116.139 255.255.255.192
standby 199 ip 19.26.116.141
standby 199 priority 105
standby 199 preempt
standby 199 name VPNHA
standby 199 track 2 decrement 10
duplex auto
speed auto
crypto map vpn redundancy VPNHA stateful
Notes:
M-16th(config)#crypto pki export Verisign2014 pem terminal 3des cisco1234
% The specified trustpoint is not enrolled (VerisignCA1). % Only export the CA certificate in PEM format. % CA certificate: —–BEGIN CERTIFICATE—– MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 KoZIhvcNAQEFBQADggEBAAyDJO/dwwzZWJz+NrbrioBL0aP3nfPMU++CnqOh5pfB WJ11bOAdG0z60cEtBcDqbrIicFXZIDNAMwfCZYP6j0M3m+oOmmxw7vacgDvZN/R6 bezQGH1JSsqZxxkoor7YdyT3hSaGbYcFQEFn0Sc67dxIHSLNCwuLvPSxe/20majp dirhGi2HbnTTiN0eIsbfFrYrghQKlFzyUOyvzv9iNw2tZdMGQVPtAhTItVgooazg W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4 Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y= —–END CERTIFICATE—– router#show crypto pki certificates |
Router(config)#crypto pki certificate validate Verisign2014
Chain has 2 certificates Certificate chain for Verisign2014 is valid |
Reference: