
Network Security 2

Module 5 – Configure Site-to-Site VPNs Using Digital Certificates: 5.2 Configure an IOS Router Site-to-Site VPN Using Digital Certificates; 5.3 Configure a PIX Security Appliance Site-to-Site VPN Using Digital Certificates.




  1. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates

  2. Module 5 – Configure Site-to-Site VPNs Using Digital Certificates 5.2 Configure an IOS Router Site-to-Site VPN Using Digital Certificates

  3. Configuration Tasks
  • Prepare for ISAKMP and IPSec.
  • Configure CA support.
  • Configure ISAKMP.
  • Configure IPSec.
  • Test and verify IPSec.

  4. Prepare for IPSec
  • Step 1 Plan for CA support.
  • Step 2 Determine the ISAKMP (IKE phase one) policy.
  • Step 3 Determine the IPSec (IKE phase two) policy.
  • Step 4 Check the current configuration.
  • Step 5 Ensure the network works without encryption.
  • Step 6 Ensure that access lists are compatible with IPSec: any ACL applied to the VPN interface must permit ISAKMP (UDP 500), ESP (IP protocol 50) and, if used, AH (IP protocol 51) between the peers, or IKE will never complete.

  5. Configure the Router for CA Support
  • Step 1 Manage the non-volatile RAM (NVRAM) memory usage.
  • Step 2 Set the router time and date.
  • Step 3 Configure the router hostname and domain name.
  • Step 4 Generate an RSA key pair.
  • Step 5 Declare a CA.
  • Step 6 Authenticate the CA.
  • Step 7 Request a certificate.
  • Step 8 Save the configuration.
  • Step 9 Monitor and maintain CA interoperability (optional).
  • Step 10 Verify the CA support configuration.

  6. Create IKE Policies

  7. Configure IPSec Encryption
  • Configure transform set suites with the crypto ipsec transform-set command.
  • Configure global IPSec security association lifetimes with the crypto ipsec security-association lifetime command.
  • Configure crypto access lists with the access-list command.

  8. Test and Verify IPSec
  • Display the configured transform sets: show crypto ipsec transform-set
  • Display the current state of the IPSec SAs: show crypto ipsec sa
  • View the configured crypto maps: show crypto map
  • Debug IKE and IPSec traffic through the Cisco IOS: debug crypto ipsec and debug crypto isakmp
  • Debug CA events through the Cisco IOS: debug crypto key-exchange and debug crypto pki
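Slides 4 to 8 list the steps but never show them together, so the following is an added worked configuration for one end of the IOS router tunnel; it is not taken from the course slides. It assumes a 12.3T/12.4-era IOS image that supports AES and DH group 14 (older images only offer groups 1, 2 and 5), a SCEP-capable CA reachable at 192.0.2.10, an NTP server at 192.0.2.123, and the hostnames, key label, trustpoint name, peer address and subnets shown, all of which are lab placeholders.

```cisco
! Added example, not part of the course material. Addresses, names and the
! CA URL are placeholders for a lab.

! CA support step 2: certificate validity checks depend on correct time
clock timezone UTC 0
ntp server 192.0.2.123

! CA support step 3: hostname and domain name form the router's default FQDN
hostname R1
ip domain-name example.com

! CA support step 4: a named key pair; 2048 bits rather than the 1024-bit default
crypto key generate rsa general-keys label VPNKEY modulus 2048

! CA support step 5: declare the CA (SCEP enrollment), bind the key pair, check CRLs
crypto ca trustpoint LABCA
 enrollment url http://192.0.2.10:80
 subject-name CN=R1.example.com,OU=VPN
 rsakeypair VPNKEY
 revocation-check crl

! CA support step 6: fetch the CA certificate; compare the fingerprint it prints
! with the value the CA administrator gave you out of band before answering yes
crypto ca authenticate LABCA

! CA support step 7: request the router certificate (the CA may hold it for approval)
crypto ca enroll LABCA

! ISAKMP (IKE phase 1): the certificate is used through rsa-sig authentication
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
 lifetime 86400

! IPSec (IKE phase 2): transform set, SA lifetime, crypto ACL, crypto map
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600

! Crypto ACL: traffic between the two LANs is what gets protected
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG
 match address 110

interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPNMAP

! Prepare step 6: if an inbound ACL is applied on Serial0/0, it needs entries
! like these (not applied here) so IKE and ESP from the peer are admitted
access-list 120 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list 120 permit esp host 203.0.113.2 host 203.0.113.1

! CA support step 8: save
copy running-config startup-config

! Verify: the router and CA certificates, then phase 1 and phase 2 SAs
show crypto ca certificates
show crypto isakmp sa
show crypto ipsec sa
```

The peer router mirrors this with its own hostname, subject name, key pair and crypto ACL (10.2.2.0/24 to 10.1.1.0/24) and with set peer 203.0.113.1; both routers enroll with the same CA, or with CAs that trust each other, or rsa-sig authentication fails at phase 1. Interesting traffic (a ping from 10.1.1.0/24 to 10.2.2.0/24) is needed before show crypto ipsec sa shows any packets encrypted.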

  9. Module 5 – Configure Site-to-Site VPNs Using Digital Certificates 5.3 Configure a PIX Security Appliance Site-to-Site VPN Using Digital Certificates

  10. CA Server Fulfilling Requests from IPSec Peers When using the PIX Security Appliance to implement IPSec VPNs using digital certificates, the CA server enrollment process can be largely automated (SCEP enrollment against the CA server) so that it scales well to large deployments.

  11. Enroll a PIX Security Appliance with a CA

  12. Generate an RSA Key Pair
  • RSA key pairs are generated with crypto key generate rsa.
  • Generates one general-purpose RSA key pair by default.
  • Default key modulus of 1024; a 1024-bit RSA key is no longer considered adequate, so specify modulus 2048 or larger.
  • To view the created key pair: show crypto key mypubkey rsa
  • To remove RSA key pairs: crypto key zeroize rsa

  13. Obtain a Public Key and Certificate from the CA Server
  • Create a trustpoint corresponding to the CA: crypto ca trustpoint trustpoint
  • To specify SCEP enrollment: enrollment url
  • To specify manual enrollment: enrollment terminal
  • Specify other characteristics for the trustpoint.
  • Obtain the CA certificate for the trustpoint: crypto ca authenticate
  • The public key of the CA is included in this certificate. Because it becomes the root of trust for every peer certificate the PIX will accept, check the fingerprint displayed by crypto ca authenticate against the value obtained from the CA administrator out of band before accepting it.

  14. Request a Signed Certificate from the CA
  • Enroll the PIX with the trustpoint: crypto ca enroll
  • Before entering this command, contact the CA administrator, because the administrator may need to authenticate the enrollment request manually before the CA grants the certificate.

  15. Verify that the CA Administrator Has Sent a Signed Certificate
  • Verify that the enrollment process was successful: show crypto ca certificate
  • The output shows the details of the certificate issued for the PIX and the CA certificate for the trustpoint.
  • Save the configuration after the certificate has been received: write memory
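Slides 12 to 15 are the PIX enrollment sequence one command at a time; the following added example (not from the course slides) strings them together in PIX 7.x syntax and then binds the resulting certificate to a site-to-site tunnel, which is where the IOS example above and this one differ. It assumes a SCEP-capable CA at 192.0.2.10, an NTP server at 192.0.2.123, a peer router at 203.0.113.1, and the hostname, key label and trustpoint name shown; all are lab placeholders.

```cisco
! Added example, not part of the course material; PIX 7.x command syntax.
! Names, addresses and the CA URL are placeholders for a lab.

! Identity and time: the subject name defaults from these, and certificate
! validity periods are checked against the clock
hostname PIX1
domain-name example.com
clock timezone UTC 0
ntp server 192.0.2.123

! Slide 12: named key pair, 2048 bits instead of the 1024-bit default
crypto key generate rsa label VPNKEY modulus 2048
show crypto key mypubkey rsa

! Slide 13: trustpoint with SCEP enrollment, bound to the key pair above
crypto ca trustpoint LABCA
 enrollment url http://192.0.2.10:80
 subject-name CN=PIX1.example.com,OU=VPN
 keypair VPNKEY

! Slide 13: fetch the CA certificate; verify the printed fingerprint out of
! band before accepting, since it becomes the trust anchor for every peer
crypto ca authenticate LABCA

! Slide 14: request the identity certificate; the CA administrator may have
! to approve the request before it is issued
crypto ca enroll LABCA

! Slide 15: confirm both the PIX certificate and the CA certificate are
! present (plural form of the show command on PIX 7.x), then save
show crypto ca certificates
write memory

! Using the certificate: rsa-sig in the ISAKMP policy and the trustpoint
! attached to the peer's L2L tunnel-group
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 trust-point LABCA
```

If crypto ca enroll returns without a certificate because the CA holds requests for manual approval, re-run show crypto ca certificates once the administrator has approved it; the identity certificate is only stored once SCEP polling retrieves it, and write memory should follow that, not the enrollment request itself.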

  16. Q and A
