# OSPF

OSPF Router IDs

Before a router can send any OSPF messages, it needs a 32-bit dotted-decimal router identifier (RID).
Election:

- The RID configured with the router-id _id_ OSPF subcommand (best practice).
- Otherwise, the highest IP address on any loopback interface.
- Otherwise, the highest IP address on any non-loopback interface.

Details:

- The RID does not need to be matched by an OSPF network command.
- The RID election occurs when the OSPF process is started or restarted.
- If a router's RID changes, the rest of the routers in the same area will perform a new SPF calculation (Dijkstra algorithm).

Becoming Neighbors, Exchanging Databases, and Becoming Adjacent

OSPF encapsulates the five types of OSPF messages inside IP packets (IP protocol 89):

- Hello: Used to discover and monitor neighbors.
- Database Description (DBD): Exchanges brief versions (headers) of each LSA, the data structure held in the LSDB; typically used during the initial topology exchange.
- Link-State Request (LSR): To request full details about one or more LSAs.
- Link-State Update (LSU): Contains fully detailed information about one or more LSAs (in response to an LSR).
- Link-State Acknowledgement (LSAck): To confirm receipt of an LSU.

OSPF neighbor states:

- Down: no Hellos received for more than the dead interval.
- Attempt: sending Hellos to a manually configured neighbor (NBMA).
- Init: a Hello was received but it does not list the router's own RID. A neighbor stays in this state if the Hello parameters do not match.
- 2-way: a Hello was received that lists the router's own RID. DRother routers stay in this state with each other.
- ExStart: DR election (if needed) and DBD sequence number negotiation (master/slave).
- Exchange: DBD exchange.
- Loading: LSR, LSU and LSAck exchange.
- Full: complete adjacency (identical LSDBs); routing table calculation begins.

Becoming Neighbors: The Hello Process

The major functions of Hello messages:

- Discover neighbors.
- Check parameters.
- Monitor health (heartbeat function).

OSPF routers listen for multicast Hello messages sent to 224.0.0.5.
To form a neighbor relationship, these parameters need to match:

- Authentication type and key.
- Primary subnet and subnet mask.
- OSPF area.
- Area type (stub, NSSA, ...).
- RIDs (which must be unique, i.e. differ).
- OSPF Hello and Dead timers.
- MTU (must match for the DBD exchange to succeed).

The Hello interval defaults to 10 seconds on LAN interfaces and 30 seconds on slower WAN interfaces.
The dead interval defaults to 4 times the hello interval.

Database Descriptor Exchange: Master/Slave Relationship

The router with the higher RID becomes the master and initiates the database exchange.
The slave acknowledges each DBD packet it receives.
Only the master can increment the DBD sequence number during the exchange of LSA headers.

Requesting, Getting, and Acknowledging LSAs

The sequence number lets a router determine whether one copy of an LSA is newer than another.
The sequence number is incremented every time the LSA changes.
New LSAs begin with sequence number 0x80000001 (a negative value when read as a signed 32-bit integer) and increase up to 0x7fffffff (the largest positive value).
An LSU can be acknowledged either by the receiver repeating the exact same LSU back to the sender (implicit acknowledgement) or by sending back an LSAck packet (explicit acknowledgement).
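As an added example (not code from the original notes), the signed 32-bit comparison behind these sequence numbers in Python: 0x80000001 is the most negative value in use, 0x7fffffff the largest, and an unsigned comparison would rank them the wrong way round.

```python
# Added example: OSPF LSA sequence numbers as signed 32-bit integers (RFC 2328).
# Not code from the original notes.

INITIAL_SEQ = 0x80000001   # first sequence number a new LSA instance uses
MAX_SEQ = 0x7FFFFFFF       # largest sequence number
RESERVED_SEQ = 0x80000000  # never used on the wire


def to_signed32(seq: int) -> int:
    """Interpret a 32-bit value the way OSPF does: as a signed integer."""
    seq &= 0xFFFFFFFF
    return seq - 0x100000000 if seq & 0x80000000 else seq


def is_newer(candidate: int, current: int) -> bool:
    """True if `candidate` is a newer instance of the same LSA than `current`.

    A plain unsigned comparison would rank 0x80000001 above 0x7FFFFFFF, which is
    backwards: sequence numbers start negative and climb towards the maximum.
    """
    return to_signed32(candidate) > to_signed32(current)


def next_seq(seq: int) -> int:
    """Sequence number the originator assigns to the next instance of an LSA.

    Reaching MAX_SEQ means the LSA has to be flushed (prematurely aged) before
    the originator may start again at INITIAL_SEQ; this function signals that.
    """
    if seq == MAX_SEQ:
        raise OverflowError("sequence space exhausted: flush the LSA, then restart at 0x80000001")
    nxt = (seq + 1) & 0xFFFFFFFF
    if nxt == RESERVED_SEQ:
        raise ValueError("0x80000000 is reserved and never assigned")
    return nxt


def pick_newest(copies):
    """Given several (source, seq) copies of one LSA, return the source holding the newest."""
    best_src, best_seq = copies[0]
    for src, seq in copies[1:]:
        if is_newer(seq, best_seq):
            best_src, best_seq = src, seq
    return best_src


if __name__ == "__main__":
    # Constructed sample: three routers reporting different instances of the same LSA.
    copies = [("R1", 0x80000005), ("R2", 0x80000004), ("R3", 0x7FFFFFFE)]
    print("signed view of 0x80000001:", to_signed32(INITIAL_SEQ))
    print("newest copy held by:", pick_newest(copies))
```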

DR Election on LANs

At boot, after receiving a Hello with a 0.0.0.0 DR field, all routers wait the OSPF wait time, which is set to the same value as the dead time, before attempting to elect a DR.
If a router receives a Hello whose DR field already carries a RID, the router does not have to wait before beginning the election process.

To elect a DR, routers look first for the highest priority (1-255; priority 0 means the router never claims to be a DR candidate) and then for the highest RID.
If a received Hello implies a better potential DR, the router stops claiming to be the DR. The second-best candidate, which is not claiming to be the DR, becomes the BDR.
After the DR and BDR are elected there is no preemption, but if the DR fails, the BDR becomes the DR and a new BDR election occurs.
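The election rules above in Python, as an added example that is not part of the original notes. It models only what the text describes (highest priority, then highest numeric RID, priority 0 never eligible, no preemption, BDR promoted when the DR disappears), not every RFC 2328 state transition; router names and RIDs are constructed.

```python
# Added example: simplified DR/BDR election as described above.
# Not code from the original notes.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def rid_value(rid: str) -> int:
    """RIDs compare numerically as 32-bit values, not as strings:
    10.0.0.9 is lower than 10.0.0.10 even though "9" > "1" in string order."""
    octets = [int(o) for o in rid.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed RID {rid!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


@dataclass(frozen=True)
class Router:
    rid: str
    priority: int = 1          # IOS default; ip ospf priority 0 opts out of the election

    def rank(self) -> Tuple[int, int]:
        return (self.priority, rid_value(self.rid))


def elect(routers: List[Router],
          current_dr: Optional[str] = None,
          current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (dr, bdr) RIDs for one segment.

    Candidates with priority 0 are skipped. An existing, still-present DR is kept
    even if a better candidate has appeared (no preemption); if the DR is gone,
    the BDR is promoted and a fresh BDR is elected from the remaining candidates.
    """
    present = {r.rid: r for r in routers}
    candidates = sorted((r for r in routers if r.priority > 0),
                        key=Router.rank, reverse=True)
    if not candidates:
        return None, None

    if current_dr in present and present[current_dr].priority > 0:
        dr = current_dr
    elif current_bdr in present and present[current_bdr].priority > 0:
        dr = current_bdr            # the BDR takes over when the DR fails
    else:
        dr = candidates[0].rid

    if current_bdr in present and current_bdr != dr and present[current_bdr].priority > 0:
        bdr = current_bdr
    else:
        rest = [r.rid for r in candidates if r.rid != dr]
        bdr = rest[0] if rest else None
    return dr, bdr


if __name__ == "__main__":
    # Constructed sample segment: two default-priority routers and one that opts out.
    lan = [Router("10.0.0.9", 1), Router("10.0.0.10", 1), Router("10.0.0.200", 0)]
    first = elect(lan)
    print("initial election (DR, BDR):", first)
    # A router with priority 255 joins later: nothing changes, there is no preemption.
    print("after 10.0.0.1 (priority 255) joins:", elect(lan + [Router("10.0.0.1", 255)], *first))
    # The DR disappears: the BDR is promoted and the newcomer becomes BDR.
    print("after the DR fails:", elect([lan[0], Router("10.0.0.1", 255)], *first))
```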

Designated Routers on WANs and OSPF Network Types

LAN interfaces default to the OSPF network type broadcast (a DR is elected and neighbors are found dynamically).
HDLC and PPP links use the network type point-to-point (no DR is elected; neighbors are found through Hellos).
NBMA networks elect a DR/BDR and require neighbors to be defined manually with the neighbor command.
The network type can be set with the ip ospf network _type_ interface subcommand.
OSPF network types:

- Broadcast: Uses DR/BDR, 10 secs Hello interval, does not require neighbor command, more than two routers allowed.
- Point-to-point: Does not use DR/BDR, 10 secs Hello interval, does not require neighbor command, two routers allowed.
- NBMA: Uses DR/BDR, 30 secs Hello interval, requires neighbor command, more than two routers allowed.
- Point-to-multipoint: Does not use DR/BDR, 30 seconds Hello interval, does not require neighbor command, more than two routers allowed.
- Point-to-multipoint nonbroadcast: Does not use DR/BDR, 30 seconds Hello interval, requires neighbor command, more than two routers allowed.

Caveats Regarding OSPF Network Types over NBMA Networks

- Check default Hello/Dead timers.
- Check all routers use the neighbor command.
- The DR and BDR must have a PVC (Permanent Virtual Circuit) to every other router in the subnet, since they exchange DBD and LSU packets with all of them.

Two simple options for making OSPF work over Frame Relay, both of which require neither a DR nor a neighbor command:

- If the design allows the use of point-to-point subinterfaces, use those.
- If multipoint subinterfaces are needed, or if the configuration must not use subinterfaces, use ip ospf network point-to-multipoint.

Note: A router's neighbor priority setting is compared with the priority inside the Hello it receives from that neighbor. The larger of the two values is used.

Steady-State Operation

- Each router expects to receive Hellos from neighbors within the dead interval.
- Each router advertising an LSA refloods each LSA (after incrementing its sequence number by 1) based on the refresh interval (30 minutes by default).
- Each router expects to have its LSA refreshed within the maxage timer (60 minutes by default).

OSPF Design Terms

Using OSPF areas provides the following benefits:

- Smaller LSDB, requiring less memory.
- Faster SPF computation.
- A link failure in one area only requires a partial SPF computation in other areas.
- Routes may only be summarized at ABRs and ASBRs.

OSPF Path Selection Process

- OSPF always chooses an intra-area route over an inter-area route for the same prefix, regardless of metric.
- ABRs ignore Type 3 LSAs learned from a nonbackbone area, which prevents choosing a route that leaves area 0 into a nonbackbone area and then comes back into area 0.

LSA Types and Network Types

- LSA Type 1 (Router): One per router. Lists RID and all interface IP addresses.
- LSA Type 2 (Network): One per transit network. Created by the DR on the subnet. Represents the subnet and router interfaces connected to the subnet.
- LSA Type 3 (Net Summary): Created by the ABR. Describes a subnet in the origin area and the ABR's cost to reach it, but no topology data.
- LSA Type 4 (ASBR Summary): Advertises a host route to reach the ASBR.
- LSA Type 5 (AS External): External routes injected into OSPF.
- LSA Type 6 (Group Membership): MOSPF.
- LSA Type 7 (NSSA External): Used in NSSA instead of a type 5 LSA.
- LSA Type 8 (External Attributes).
- LSA Type 9 (Opaque): Generic LSA used for OSPF extension.

A transit network is a network over which two or more OSPF routers have become neighbors.
A stub network is a network on which a router has not formed any neighbor relationships.

LSA Types 1 and 2

To signify a network that is down, the appropriate type 1 or 2 LSA is changed to show a metric of 16,777,215 (2^24 - 1).

LSA Type 3 and Inter-Area Costs

Each type 3 LSA describes a single vector (subnet, mask, and ABR's cost to reach the subnet).

LSA Types 4 and 5, and External Route Types 1 and 2

External type 1 (E1) adds the internal and external metrics together to compute the metric.
External type 2 (E2) uses only the external metric to compute the metric.
ASBRs inject external routes using type 5 LSAs, which reach all areas.
When ABRs flood a type 5 LSA into another area, they create a type 4 LSA listing the ABR's metric to reach the ASBR that created the type 5 LSA. E1 routes are calculated by adding the cost to reach the ASBR and the cost listed in the type 5 LSA.

Stubby Areas

- Stub: Stops type 5 LSAs, does not stop type 3 LSAs, does not create type 7 LSAs.
- Totally stubby: Stops type 5 LSAs, stops type 3 LSAs, does not create type 7 LSAs.
- NSSA: Stops type 5 LSAs, does not stop type 3 LSAs, creates type 7 LSAs.
- Totally NSSA: Stops type 5 LSAs, stops type 3 LSAs, creates type 7 LSAs.

Configured under router ospf:

- Stub: area _area-id_ stub
- Totally stubby: area _area-id_ stub no-summary
- NSSA: area _area-id_ nssa
- Totally NSSA: area _area-id_ nssa no-summary

Graceful Restart

Graceful restart, also known as nonstop forwarding (NSF), takes advantage of modern router architectures that separate the routing (control) plane from the forwarding plane.
Forwarding can continue without loops while the routing process restarts, provided that:

- The restarting router notifies its neighbors by sending a "grace LSA".
- The LSDB remains stable during the restart.
- All neighbors support, and are configured for, graceful restart.
- The restart completes within the "grace period".

Helper mode is enabled by default; the following router ospf commands disable the Cisco and IETF versions:
nsf cisco helper disable
nsf ietf helper disable

Choosing the Best Type of Path

Routers ignore the cost and choose the best route based on the following order of precedence:

- Intra-area routes
- Inter-area routes
- E1 routes
- E2 routes
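The route-type precedence just listed, together with the E1/E2 metric rule from the type 4/5 LSA section above, as an added Python example (not code from the original notes). Prefixes, costs and next hops are constructed samples.

```python
# Added example: OSPF route preference (intra > inter > E1 > E2, then metric) and
# the E1/E2 metric computation. Not code from the original notes.
from dataclasses import dataclass
from typing import List, Optional

# Lower rank wins regardless of cost.
ROUTE_RANK = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}


@dataclass
class Candidate:
    prefix: str
    kind: str                   # "intra", "inter", "E1" or "E2"
    cost: int                   # internal cost: to the subnet, or to the ASBR for externals
    external_metric: int = 0    # metric carried in the type 5 LSA (externals only)
    via: str = ""

    def metric(self) -> int:
        """E1 adds the cost to the ASBR to the external metric; E2 uses the external metric only."""
        if self.kind == "E1":
            return self.cost + self.external_metric
        if self.kind == "E2":
            return self.external_metric
        return self.cost

    def sort_key(self):
        # Route type first, then metric. For equal E2 metrics RFC 2328 prefers
        # the lower cost to the ASBR, so that cost is the final tie-breaker.
        return (ROUTE_RANK[self.kind], self.metric(), self.cost if self.kind == "E2" else 0)


def best_route(candidates: List[Candidate]) -> Optional[Candidate]:
    """Pick the candidate OSPF installs for one prefix."""
    if not candidates:
        return None
    return min(candidates, key=Candidate.sort_key)


if __name__ == "__main__":
    # Constructed sample: the same prefix learned four ways.
    routes = [
        Candidate("10.9.0.0/24", "inter", cost=10, via="ABR1"),
        Candidate("10.9.0.0/24", "intra", cost=1000, via="R7"),   # wins despite the huge cost
        Candidate("10.9.0.0/24", "E1", cost=5, external_metric=20, via="ASBR1"),
        Candidate("10.9.0.0/24", "E2", cost=1, external_metric=1, via="ASBR2"),
    ]
    print("installed via:", best_route(routes).via)
    externals = [r for r in routes if r.kind in ("E1", "E2")]
    print("if only externals existed, via:", best_route(externals).via,
          "(E1 metric", externals[0].metric(), ", E2 metric", externals[1].metric(), ")")
```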

Best-Path Side Effects of ABR Loop Prevention

OSPF applies a split-horizon rule so that an LSA is not advertised into a nonbackbone area and then advertised back into the backbone area.
ABRs ignore LSAs created by other ABRs, when learned through a nonbackbone area, when calculating least-cost paths.

OSPF Configuration

ip ospf dead-interval minimal hello-multiplier 4: 250 ms Hello interval and 1-second dead interval.
ip ospf priority 255: Maximum priority value, to become the DR.
router-id 1.1.1.1: RID configured manually, removing any reliance on an interface address.
The no-summary option used in stub/NSSA areas is only necessary on ABRs.
clear ip ospf process: All OSPF processes are restarted; neighbors go through DOWN -> INIT -> 2WAY -> EXSTART -> EXCHANGE -> LOADING -> FULL again.
The auto-cost reference-bandwidth 10000 command changes the reference bandwidth from 100 Mbps (cost = 10^8 / bandwidth) to 10,000 Mbps (cost = 10^10 / bandwidth).
The following list summarizes how IOS chooses OSPF interface costs (earlier items take precedence):

- neighbor _RID_ cost _value_ OSPF subcommand.
- ip ospf cost _value_ interface subcommand.
- Default OSPF reference bandwidth (100 Mbps).
- Changed OSPF reference bandwidth (auto-cost reference-bandwidth).
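An added Python example (not code from the original notes) of the cost derivation and precedence just listed: with the default 100 Mbps reference bandwidth every interface of 100 Mbps or faster gets cost 1, which is what auto-cost reference-bandwidth 10000 fixes. The link names and bandwidths in the table are constructed.

```python
# Added example: how IOS derives an OSPF interface cost and which setting wins.
# Not code from the original notes.
from typing import Dict, Optional

DEFAULT_REF_BW_MBPS = 100      # cost = 10^8 / bandwidth
FAST_REF_BW_MBPS = 10_000      # auto-cost reference-bandwidth 10000: cost = 10^10 / bandwidth
MAX_COST = 65_535              # OSPF interface cost is a 16-bit value


def cost_from_bandwidth(bandwidth_kbps: int, ref_bw_mbps: int = DEFAULT_REF_BW_MBPS) -> int:
    """Reference bandwidth divided by interface bandwidth, truncated, clamped to 1..65535."""
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = (ref_bw_mbps * 1_000_000) // (bandwidth_kbps * 1_000)
    return min(MAX_COST, max(1, cost))


def interface_cost(bandwidth_kbps: int,
                   ref_bw_mbps: int = DEFAULT_REF_BW_MBPS,
                   ip_ospf_cost: Optional[int] = None,
                   neighbor_cost: Optional[int] = None) -> int:
    """Precedence as listed above: neighbor cost, then ip ospf cost, then the reference bandwidth."""
    if neighbor_cost is not None:
        return neighbor_cost
    if ip_ospf_cost is not None:
        return ip_ospf_cost
    return cost_from_bandwidth(bandwidth_kbps, ref_bw_mbps)


def cost_table(ref_bw_mbps: int) -> Dict[str, int]:
    """Costs of a few common link speeds (constructed list) under one reference bandwidth."""
    links = {"T1 (1544 kbps)": 1_544, "FastEthernet": 100_000,
             "GigabitEthernet": 1_000_000, "TenGigabitEthernet": 10_000_000}
    return {name: cost_from_bandwidth(bw, ref_bw_mbps) for name, bw in links.items()}


if __name__ == "__main__":
    print("default reference bandwidth (100 Mbps):", cost_table(DEFAULT_REF_BW_MBPS))
    print("auto-cost reference-bandwidth 10000:    ", cost_table(FAST_REF_BW_MBPS))
    print("ip ospf cost 3 plus neighbor cost 7 ->", interface_cost(100_000, ip_ospf_cost=3, neighbor_cost=7))
```

The reference bandwidth has to be set to the same value on every router in the OSPF domain, otherwise costs computed by different routers are not comparable.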

Alternatives to the OSPF Network Command

Interfaces can be enabled for OSPF either with the network 10.3.0.0 0.0.255.255 area 3 router subcommand or with the ip ospf 1 area 3 interface subcommand.
With the first, OSPF advertises only those secondary subnets that are matched by the network command, as stub networks.
With the second, OSPF advertises all subnets on the interface, primary and secondary, with the secondaries as stub networks.

OSPF Filtering

There are three major types of OSPF filtering:

- Filtering routes, not LSAs.
- ABR type 3 LSA filtering.
- ABR using the area range no-advertise option.

Filtering Routes Using the distribute-list Command

With OSPF, the distribute-list command filters what ends up in the IP routing table and does not filter inbound LSAs.
Router(config)# ip prefix-list PREFIX_LIST seq 5 deny 10.1.1.0/24
Router(config)# ip prefix-list PREFIX_LIST seq 10 permit 0.0.0.0/0 le 32
Router(config)# router ospf 1
Router(config-router)# distribute-list prefix PREFIX_LIST in fa0/0

Router(config)# access-list 2 permit 2.2.2.2
Router(config)# access-list 11 permit 10.1.1.0 0.0.0.255
Router(config)# route-map ROUTE_MAP deny 10
Router(config-route-map)# match ip address 11
Router(config-route-map)# match ip route-source 2
Router(config)# route-map ROUTE_MAP permit 20
Router(config)# router ospf 1
Router(config-router)# distribute-list route-map ROUTE_MAP in

OSPF ABR LSA Type 3 Filtering

The next commands filter type 3 LSAs going out of area 3:

Router(config)# ip prefix-list PREFIX_LIST seq 5 deny 10.3.2.0/23
Router(config)# ip prefix-list PREFIX_LIST seq 10 permit 0.0.0.0/0 le 32
Router(config)# router ospf 1
Router(config-router)# area 3 filter-list prefix PREFIX_LIST out

The next command filters type 3 LSAs going into area 0:

Router(config-router)# area 0 filter-list prefix PREFIX_LIST in

Filtering Type 3 LSAs with the area range Command

The next command filters type 3 LSAs going out of area 3:

Router(config-router)# area 3 range 10.3.2.0 255.255.254.0 not-advertise

The area range command, without the not-advertise option, performs route summarization.

Virtual Link Configuration

OSPF requires that each nonbackbone area be connected to area 0.
OSPF also requires that each router within an area have a contiguous intra-area path to the other routers in the same area.
It is important when authenticating virtual links to remember that the virtual links themselves are in area 0.

Router1(config)# router ospf 1
Router1(config-router)# area 3 virtual-link 3.3.3.3
Router3(config)# router ospf 1
Router3(config-router)# area 3 virtual-link 1.1.1.1

Configuring OSPF Authentication

Basic rules:

- There are three types: type 0 (none), type 1 (clear text) and type 2 (MD5).
- Authentication is enabled using the following interface commands:
!Type 0
ip ospf authentication null
!Type 1
ip ospf authentication
ip ospf authentication-key SECRET_KEY
!Type 2
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 SECRET_KEY
- The default authentication is type 0.
- The default authentication can be redefined for all interfaces using the following commands under router ospf:
!Type 1
area _num_ authentication
!Type 2
area _num_ authentication message-digest
- Multiple keys are allowed per interface. OSPF sends multiple copies of each message (one for each key).
- Virtual links have no underlying interface, so their authentication is configured under router ospf:
!Type 0
area _num_ virtual-link _RID_ authentication null
!Type 1
area _num_ virtual-link _RID_ authentication authentication-key SECRET_KEY
!Type 2
area _num_ virtual-link _RID_ authentication message-digest message-digest-key 1 md5 SECRET_KEY
- The interface authentication takes precedence over router ospf authentication.

OSPF Stub Router Configuration

OSPF converges faster than BGP. With the stub router feature on ASBRs, the router advertises its links with the maximum (infinite) metric for a configured time period or until BGP convergence is complete, so it does not attract transit traffic it cannot yet forward.
Under router ospf:

max-metric router-lsa on-startup _seconds_
max-metric router-lsa on-startup wait-for-bgp

OSPF Timer Summary

- MaxAge: The maximum time an LSA can be in the LSDB, without receiving a newer copy, before it is removed. Default is 3600 seconds.
- LSRefresh: Time interval per LSA to reflood an identical LSA. Prevents the expiration of MaxAge. Default is 1800 seconds.
- Hello: Default is 10 or 30 seconds.
- Dead: Time interval in which a Hello should be received from a neighbor. Default is 4 times the hello interval.
- Wait: Time a router waits after reaching the 2WAY state before asserting a DR. Default is 4 times the hello interval.
- Retransmission: The time between sending an LSU, not receiving an ack, and resending the LSU. Default is 5 seconds.

# Site-to-site IPsec VPN with certificates


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24

[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Certificate signing request (CSR)

ROUTER-1# clock set 21:00:00 7 Oct 2012
ROUTER-1(config)# hostname router-1
router-1(config)# ip domain-name lab.net
router-1(config)# crypto pki trustpoint INCAWETRUST
router-1(ca-trustpoint)# enrollment terminal pem
router-1(ca-trustpoint)# fqdn router-1.lab.net
router-1(ca-trustpoint)# subject-name C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
router-1(ca-trustpoint)# revocation-check none
router-1(ca-trustpoint)# rsakeypair router-1.lab.net 1024
router-1(config)# crypto key zeroize rsa
router-1(config)# crypto key generate rsa general-keys label router-1.lab.net export modulus 1024
router-1(config)# crypto pki enroll INCAWETRUST
% Start certificate enrollment .. 

% The subject name in the certificate will include: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
% The subject name in the certificate will include: router-1.lab.net
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwfTEZMBcGA1UEAxMQcm91dGVyLTEubGFiLm5ldDEUMBIGA1UE
CxMLRW5naW5lZXJpbmcxDjAMBgNVBAoTBUNBbmV0MQwwCgYDVQQIEwNDQVQxCzAJ
BgNVBAYTAkVTMR8wHQYJKoZIhvcNAQkCFhByb3V0ZXItMS5sYWIubmV0MIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDJGnpad++Ll/2DdGumYJWYnBxT2uWySlq
/5RBhpKigyDWg/1WEBfxc92ImdKuz438GXoLW+r6SXwJkeszvsFuKqKNfdt5zC8y
ZCcAQzWhM6RL36UQKhRZXq+kBGGhDyTIDBx8hgOEuC9SnK6ACapvPmR2Y738TBSx
La005oVIUwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAw
DQYJKoZIhvcNAQEEBQADgYEAeKhsFhdbcyX9CKEVxagQeF7bomWfc7YR04AMM0u1
t6iZJixHbADJQ1fa8LFjP/MbkRA2KwqHxtGN/D0uhyqE/vAfwslMV/Mm8l9c2iOC
HfzzV2bhQW9FpDcHyJSmmScINh1pZieczCiVAH+LGQVI2VkxY/CKEsqXUb2mQShZ
QlA=
-----END CERTIFICATE REQUEST-----

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
ROUTER-2# clock set 21:02:00 7 Oct 2012
ROUTER-2(config)# hostname router-2
router-2(config)# ip domain-name lab.net
router-2(config)# crypto pki trustpoint INCAWETRUST
router-2(ca-trustpoint)# enrollment terminal pem
router-2(ca-trustpoint)# fqdn router-2.lab.net
router-2(ca-trustpoint)# subject-name C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net
router-2(ca-trustpoint)# revocation-check none
router-2(ca-trustpoint)# rsakeypair router-2.lab.net 1024
router-2(ca-trustpoint)# crypto key generate rsa general-keys label router-2.lab.net export modulus 1024
router-2(config)# crypto pki enroll INCAWETRUST
% Start certificate enrollment .. 

% The subject name in the certificate will include: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net    
% The subject name in the certificate will include: router-2.lab.net
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

CA configuration

LINUX-CA# mkdir /etc/ssl/CA
LINUX-CA# mkdir /etc/ssl/newcerts
LINUX-CA# echo '01' > /etc/ssl/CA/serial
LINUX-CA# touch /etc/ssl/CA/index.txt
LINUX-CA# cat /etc/ssl/openssl.cnf
...
[ CA_default ]

dir             = /etc/ssl
database        = $dir/CA/index.txt
certificate     = $dir/certs/cacert.pem
serial          = $dir/CA/serial
private_key     = $dir/private/cakey.pem
...
string_mask = default
...

LINUX-CA# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
...................++++++
................++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:MY_SECRET
Verifying - Enter PEM pass phrase:MY_SECRET
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:CAT
Locality Name (eg, city) []:BCN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CAnet
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:canet.lab.net
Email Address []:root@lab.net

LINUX-CA# mv cakey.pem /etc/ssl/private/.
LINUX-CA# mv cacert.pem /etc/ssl/certs/.
LINUX-CA# cat /etc/ssl/certs/cacert.pem
-----BEGIN CERTIFICATE-----
MIICqjCCAhOgAwIBAgIJANGQlt8Z5+XTMA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNV
BAYTAkVTMQwwCgYDVQQIEwNDQVQxDDAKBgNVBAcTA0JDTjEOMAwGA1UEChMFQ0Fu
ZXQxFjAUBgNVBAMTDWNhbmV0LmxhYi5uZXQxGzAZBgkqhkiG9w0BCQEWDHJvb3RA
bGFiLm5ldDAeFw0xMjEwMDcxOTAzMjZaFw0yMjEwMDUxOTAzMjZaMG4xCzAJBgNV
BAYTAkVTMQwwCgYDVQQIEwNDQVQxDDAKBgNVBAcTA0JDTjEOMAwGA1UEChMFQ0Fu
ZXQxFjAUBgNVBAMTDWNhbmV0LmxhYi5uZXQxGzAZBgkqhkiG9w0BCQEWDHJvb3RA
bGFiLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1f6Y35sevFE14T33
5oRwMrCIZ8b6c2kLd1M9CqJqVlc0Ru37k/PLm4RmIy+d45JpL5GizuUn1XtAWI1N
/rdO8FrAKQ0SNNTRgT3MeJJX9iWbYcWj6atgntxxY5fLHszbXyohxnQieFjgq6oz
PuKXTEO3jIQhe+yZtg4fhbT/BN0CAwEAAaNQME4wHQYDVR0OBBYEFAV3rWlHkgVi
SgywgAlUCwqJL/3IMB8GA1UdIwQYMBaAFAV3rWlHkgViSgywgAlUCwqJL/3IMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxSnlrZhAMH0FmTMlXVGlzWa1
Rf/8Q8TJ+bA3Z6LwaaPQb/+9oAnF7MVsLnhbWd7XEyn1AM7qxgrlhFidRMKFnoJq
cEevAM2hBbsxaE1EA0eWycsM/z8rA4Flnp8IKo/Wds0+L64FqRDjTfsBfcbRiCem
Nsick9kDj2oiDw+f6mY=
-----END CERTIFICATE-----

Signing CSR

LINUX-CA# cat router-1.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
LINUX-CA# openssl ca -in router-1.csr -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  7 19:05:16 2012 GMT
            Not After : Oct  7 19:05:16 2013 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = CAnet
            organizationalUnitName    = Engineering
            commonName                = router-1.lab.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:DF:AB:0F:C0:6B:31:4B:08:5E:6D:86:11:26:9C:90:85:F5:83:8F
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

Certificate is to be certified until Oct  7 19:05:16 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=CAnet, CN=canet.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Oct  7 19:05:16 2012 GMT
            Not After : Oct  7 19:05:16 2013 GMT
        Subject: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c3:24:69:e9:69:df:be:2e:5f:f6:0d:d1:ae:99:
                    82:56:62:70:71:4f:6b:96:c9:29:6a:ff:94:41:86:
                    92:a2:83:20:d6:83:fd:56:10:17:f1:73:dd:88:99:
                    d2:ae:cf:8d:fc:19:7a:0b:5b:ea:fa:49:7c:09:91:
                    eb:33:be:c1:6e:2a:a2:8d:7d:db:79:cc:2f:32:64:
                    27:00:43:35:a1:33:a4:4b:df:a5:10:2a:14:59:5e:
                    af:a4:04:61:a1:0f:24:c8:0c:1c:7c:86:03:84:b8:
                    2f:52:9c:ae:80:09:aa:6f:3e:64:76:63:bd:fc:4c:
                    14:b1:2d:ad:34:e6:85:48:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:DF:AB:0F:C0:6B:31:4B:08:5E:6D:86:11:26:9C:90:85:F5:83:8F
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

    Signature Algorithm: sha1WithRSAEncryption
         84:65:11:b5:db:df:f4:ce:d5:3c:d7:a4:d3:10:b8:cc:d5:c5:
         35:c3:7e:95:e6:d2:0b:e2:a9:0e:f6:b4:e7:a4:00:f4:0b:d2:
         04:a3:b1:bc:ba:44:4d:6a:a9:a2:f2:84:ea:5b:70:97:52:46:
         1b:fd:86:74:7f:75:88:50:6e:10:59:c5:20:84:a6:b4:8f:59:
         30:7f:8c:a7:7e:13:60:85:de:5a:a4:8f:ce:05:ba:7c:c6:84:
         fd:10:d0:86:c0:f3:b6:49:02:da:7b:9c:29:c8:8a:d9:7d:c3:
         d1:51:cd:0e:f4:b1:4a:2d:6c:26:16:06:ba:19:c2:79:8e:3f:
         e3:4e
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated

LINUX-CA# cat router-2.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwfTEZMBcGA1UEAxMQcm91dGVyLTIubGFiLm5ldDEUMBIGA1UE
CxMLRW5naW5lZXJpbmcxDjAMBgNVBAoTBUNBbmV0MQwwCgYDVQQIEwNDQVQxCzAJ
BgNVBAYTAkVTMR8wHQYJKoZIhvcNAQkCFhByb3V0ZXItMi5sYWIubmV0MIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCp+XYSYBFz1iBJEoXSvWjslMSmClPGULuu
VbOnKme8SkWUKbwUUKzP73nSSzMQy1bJqmRaNv2ZKBL/7fmRqUcEKL6mFLaz7i9w
hpUieO65QLEaW1O9skMuwZziwgzR/rbPx+AyZg/3qI6WLKm/NayDZK102fcFuD95
LCYx4AdwPQIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAw
DQYJKoZIhvcNAQEEBQADgYEAAmwl6OdFYzRzPmnFgeqC7unXOtpWNwccQs0CTAna
EdKu+dtGB3wEruGciASOTJZGX33Y+p4SmXdNDk50Bvpc8pqMveDuLbDASeeJmQqo
Wzjv6FZ3r+/qf1xJwSXVhsE4K53XOfaoU4Wb+DTyyHskyqU+GkcJujIa7wTNEoHK
Uf8=
-----END CERTIFICATE REQUEST-----
LINUX-CA# openssl ca -in router-2.csr -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct  7 19:06:24 2012 GMT
            Not After : Oct  7 19:06:24 2013 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = CAnet
            organizationalUnitName    = Engineering
            commonName                = router-2.lab.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:C3:3C:F3:1D:8C:D3:02:3A:83:AF:8B:C6:BD:7F:48:B8:54:3A:0A
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

Certificate is to be certified until Oct  7 19:06:24 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=CAnet, CN=canet.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Oct  7 19:06:24 2012 GMT
            Not After : Oct  7 19:06:24 2013 GMT
        Subject: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a9:f9:76:12:60:11:73:d6:20:49:12:85:d2:bd:
                    68:ec:94:c4:a6:0a:53:c6:50:bb:ae:55:b3:a7:2a:
                    67:bc:4a:45:94:29:bc:14:50:ac:cf:ef:79:d2:4b:
                    33:10:cb:56:c9:aa:64:5a:36:fd:99:28:12:ff:ed:
                    f9:91:a9:47:04:28:be:a6:14:b6:b3:ee:2f:70:86:
                    95:22:78:ee:b9:40:b1:1a:5b:53:bd:b2:43:2e:c1:
                    9c:e2:c2:0c:d1:fe:b6:cf:c7:e0:32:66:0f:f7:a8:
                    8e:96:2c:a9:bf:35:ac:83:64:ad:74:d9:f7:05:b8:
                    3f:79:2c:26:31:e0:07:70:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:C3:3C:F3:1D:8C:D3:02:3A:83:AF:8B:C6:BD:7F:48:B8:54:3A:0A
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

    Signature Algorithm: sha1WithRSAEncryption
         55:06:3f:87:2a:2b:a3:a4:e3:c9:c2:26:34:f5:e6:36:d0:52:
         08:41:4b:0c:34:48:b9:9e:2d:b6:ad:33:02:a3:2c:84:78:ed:
         a5:9c:f3:cf:1e:6b:6a:da:58:93:d4:22:25:91:37:44:5b:84:
         76:40:e4:b1:55:94:1d:70:55:ce:06:c3:7e:2d:0f:b7:51:63:
         fc:74:1f:e4:34:4f:38:45:16:8e:bd:fe:36:7b:c0:ba:97:ce:
         97:d5:0e:16:1b:a4:46:e1:a8:3a:5f:77:a7:9b:c4:3c:e5:78:
         58:d4:5f:f5:c6:91:05:5a:b5:2c:93:8b:c1:65:f3:45:6f:0f:
         7f:22
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated

LINUX-CA# ls -l /etc/ssl/newcerts
total 8
-rw-r--r-- 1 root root 3104 oct  7 21:05 01.pem
-rw-r--r-- 1 root root 3104 oct  7 21:06 02.pem

Importing CA certificate

router-1(config)# crypto pki authenticate INCAWETRUST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Certificate has the following attributes:
       Fingerprint MD5: B81F447E E0E17975 C95F9E27 10EA609E 
      Fingerprint SHA1: B373CB7E BF3CB28A 731A4142 C83C3770 95A8A98B 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
router-2(config)# crypto pki authenticate INCAWETRUST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Certificate has the following attributes:
       Fingerprint MD5: B81F447E E0E17975 C95F9E27 10EA609E 
      Fingerprint SHA1: B373CB7E BF3CB28A 731A4142 C83C3770 95A8A98B 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
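Both routers above are asked to accept the CA certificate on the strength of the MD5/SHA1 fingerprint that crypto pki authenticate prints. The following added Python (not part of the original lab, stdlib only) recomputes those fingerprints from the cacert.pem shown in the CA configuration section and walks the start of the DER structure to print the serial number, signature algorithm, validity and whether the certificate is self-signed, so the operator can compare against the router's prompt from a trusted machine before answering yes.

```python
# Added example: out-of-band check of the CA certificate before accepting it on the
# routers. Reads the cacert.pem printed in the CA configuration section, recomputes
# the fingerprints that `crypto pki authenticate` displays, and decodes the start of
# the DER structure with a minimal TLV walker. Not code from the original lab.
import base64
import hashlib
from datetime import datetime

CA_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICqjCCAhOgAwIBAgIJANGQlt8Z5+XTMA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNV
BAYTAkVTMQwwCgYDVQQIEwNDQVQxDDAKBgNVBAcTA0JDTjEOMAwGA1UEChMFQ0Fu
ZXQxFjAUBgNVBAMTDWNhbmV0LmxhYi5uZXQxGzAZBgkqhkiG9w0BCQEWDHJvb3RA
bGFiLm5ldDAeFw0xMjEwMDcxOTAzMjZaFw0yMjEwMDUxOTAzMjZaMG4xCzAJBgNV
BAYTAkVTMQwwCgYDVQQIEwNDQVQxDDAKBgNVBAcTA0JDTjEOMAwGA1UEChMFQ0Fu
ZXQxFjAUBgNVBAMTDWNhbmV0LmxhYi5uZXQxGzAZBgkqhkiG9w0BCQEWDHJvb3RA
bGFiLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1f6Y35sevFE14T33
5oRwMrCIZ8b6c2kLd1M9CqJqVlc0Ru37k/PLm4RmIy+d45JpL5GizuUn1XtAWI1N
/rdO8FrAKQ0SNNTRgT3MeJJX9iWbYcWj6atgntxxY5fLHszbXyohxnQieFjgq6oz
PuKXTEO3jIQhe+yZtg4fhbT/BN0CAwEAAaNQME4wHQYDVR0OBBYEFAV3rWlHkgVi
SgywgAlUCwqJL/3IMB8GA1UdIwQYMBaAFAV3rWlHkgViSgywgAlUCwqJL/3IMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAxSnlrZhAMH0FmTMlXVGlzWa1
Rf/8Q8TJ+bA3Z6LwaaPQb/+9oAnF7MVsLnhbWd7XEyn1AM7qxgrlhFidRMKFnoJq
cEevAM2hBbsxaE1EA0eWycsM/z8rA4Flnp8IKo/Wds0+L64FqRDjTfsBfcbRiCem
Nsick9kDj2oiDw+f6mY=
-----END CERTIFICATE-----"""

SHA1_WITH_RSA = "1.2.840.113549.1.1.5"   # what `openssl ca` used above (sha1WithRSAEncryption)


def pem_to_der(pem: str) -> bytes:
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at `pos`; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_certificate(der: bytes) -> dict:
    """Extract version, serial, signature OID, validity and whether issuer == subject."""
    _, cert, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                  # tbsCertificate
    tag, val, pos = read_tlv(tbs, 0)
    version = 1
    if tag == 0xA0:                                # [0] EXPLICIT Version, absent for v1
        version = read_tlv(val, 0)[1][0] + 1
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    serial = int.from_bytes(val, "big", signed=True)
    _, sig_alg, pos = read_tlv(tbs, pos)
    sig_oid = decode_oid(read_tlv(sig_alg, 0)[1])
    _, issuer, pos = read_tlv(tbs, pos)
    _, validity, pos = read_tlv(tbs, pos)
    _, not_before, q = read_tlv(validity, 0)
    _, not_after, _ = read_tlv(validity, q)
    _, subject, _ = read_tlv(tbs, pos)
    fmt = "%y%m%d%H%M%SZ"                          # UTCTime, as used by this certificate
    return {"version": version,
            "serial_hex": format(serial, "x"),
            "signature_algorithm": sig_oid,
            "not_before": datetime.strptime(not_before.decode(), fmt),
            "not_after": datetime.strptime(not_after.decode(), fmt),
            "self_signed": issuer == subject}


def fingerprints(der: bytes) -> dict:
    """Hashes over the DER encoding, grouped in eights like the IOS prompt."""
    def group(hexdigest: str) -> str:
        h = hexdigest.upper()
        return " ".join(h[i:i + 8] for i in range(0, len(h), 8))
    return {"md5": group(hashlib.md5(der).hexdigest()),
            "sha1": group(hashlib.sha1(der).hexdigest())}


if __name__ == "__main__":
    der = pem_to_der(CA_CERT_PEM)
    for key, value in parse_certificate(der).items():
        print(f"{key:>20}: {value}")
    for key, value in fingerprints(der).items():
        print(f"Fingerprint {key.upper():>4}: {value}")
```

Compare the printed fingerprints with the ones the router shows; if they differ, the PEM pasted into the router is not the CA's certificate and the prompt should be answered no.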

Importing signed certificate

router-1(config)# crypto pki import INCAWETRUST certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

% Router Certificate successfully imported
router-2(config)# crypto pki import INCAWETRUST certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

% Router Certificate successfully imported

Configuring static crypto maps

router-1(config)# crypto isakmp policy 1
router-1(config-isakmp)# authentication rsa-sig
router-1(config-isakmp)# encryption aes
router-1(config-isakmp)# group 2
router-1(config-isakmp)# lifetime 86400
router-1(config)# crypto isakmp aggressive-mode disable
router-1(config)# crypto isakmp enable
router-1(config)# ip access-list extended CRYPTO_ACL
router-1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
router-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
router-1(config-crypto-map)# set peer 12.12.12.2
router-1(config-crypto-map)# match address CRYPTO_ACL
router-1(config-crypto-map)# set transform-set TRANSFORM_SET
router-1(config-crypto-map)# set pfs group2
router-1(config)# interface fa0/0
router-1(config-if)# crypto map CRYPTO_MAP
router-1(config-if)# ip nat outside
router-1(config)# interface fa0/1
router-1(config-if)# ip nat inside
router-1(config)# ip route 192.168.2.0 255.255.255.0 12.12.12.2
router-1(config)# ip access-list extended ACL_NONAT
router-1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router-1(config-ext-nacl)# permit ip any any
router-1(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload
router-2(config)# crypto isakmp policy 1
router-2(config-isakmp)# authentication rsa-sig
router-2(config-isakmp)# encryption aes
router-2(config-isakmp)# hash sha
router-2(config-isakmp)# group 2
router-2(config-isakmp)# lifetime 86400
router-2(config)# crypto isakmp aggressive-mode disable
router-2(config)# crypto isakmp enable
router-2(config)# ip access-list extended CRYPTO_ACL
router-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
router-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
router-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
router-2(config-crypto-map)# set peer 12.12.12.1
router-2(config-crypto-map)# match address CRYPTO_ACL
router-2(config-crypto-map)# set transform-set TRANSFORM_SET
router-2(config-crypto-map)# set pfs group2
router-2(config)# interface fa0/0
router-2(config-if)# crypto map CRYPTO_MAP
router-2(config-if)# ip nat outside
router-2(config)# interface fa0/1
router-2(config-if)# ip nat inside
router-2(config)# ip route 192.168.1.0 255.255.255.0 12.12.12.1
router-2(config)# ip access-list extended ACL_NONAT
router-2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
router-2(config-ext-nacl)# permit ip any any
router-2(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload
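Two properties of that configuration are worth checking before bringing the tunnel up: the crypto ACLs on the two peers must be mirror images, and ACL_NONAT must deny the VPN traffic so it is not translated before the crypto map sees it (on the outside interface, inside-to-outside NAT runs before the crypto check, so a translated source no longer matches CRYPTO_ACL). The Python below is an added model of the page's ACLs, not the page's own material; it implements IOS wildcard-mask and first-match semantics with the implicit deny, and the ACL entries and the outside address 12.12.12.1 are taken from router-1's configuration above.

```python
import ipaddress

# IOS extended ACL entries as (action, src, src_wildcard, dst, dst_wildcard),
# transcribed from router-1 and router-2 above. 'any' is 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
CRYPTO_ACL_R1 = [("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]
CRYPTO_ACL_R2 = [("permit", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]
ACL_NONAT_R1 = [("deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
                ("permit", *ANY, *ANY)]
# A broken variant missing the deny line, to show why it is needed.
ACL_NONAT_BROKEN = [("permit", *ANY, *ANY)]


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits that are 0 in the wildcard must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(ip) ^ _ip(base)) & care == 0


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match evaluation; unmatched traffic hits the implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def is_mirror(acl_a, acl_b) -> bool:
    """Crypto ACLs on the two peers must be each other's src/dst swap."""
    swapped = [(a, db, dw, sb, sw) for a, sb, sw, db, dw in acl_a]
    return swapped == acl_b


def outbound(src: str, dst: str, nonat_acl, outside_ip: str = "12.12.12.1") -> dict:
    """Model router-1's outbound path on fa0/0: NAT inside->outside first
    (source rewritten to the interface address when ACL_NONAT permits),
    then the crypto map evaluated against the possibly translated source."""
    if acl_lookup(nonat_acl, src, dst) == "permit":
        src = outside_ip
    encrypted = acl_lookup(CRYPTO_ACL_R1, src, dst) == "permit"
    return {"src": src, "encrypted": encrypted}


if __name__ == "__main__":
    print("mirror ACLs:", is_mirror(CRYPTO_ACL_R1, CRYPTO_ACL_R2))
    print(outbound("192.168.1.10", "192.168.2.20", ACL_NONAT_R1))
    print(outbound("192.168.1.10", "192.168.2.20", ACL_NONAT_BROKEN))
```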

# Group Encrypted Transport VPN (GETVPN)


Topology

+[ROUTER-0]
|
+[ROUTER-1]----[DEVICE-1]
|
+[ROUTER-2]----[DEVICE-2]
|
+[ROUTER-3]----[DEVICE-3]

[ROUTER-0] fa0/0: 1.2.3.254/24

[ROUTER-1] fa0/0: 1.2.3.1/24
[ROUTER-1] fa0/1: 123.0.1.254/24
[DEVICE-1] fa0/1: 123.0.1.1/24

[ROUTER-2] fa0/0: 1.2.3.2/24
[ROUTER-2] fa0/1: 123.0.2.254/24
[DEVICE-2] fa0/1: 123.0.2.1/24

[ROUTER-3] fa0/0: 1.2.3.3/24
[ROUTER-3] fa0/1: 123.0.3.254/24
[DEVICE-3] fa0/1: 123.0.3.1/24

Note 1: All IP addresses are public.
Note 2: Traffic from DEVICE-X to DEVICE-Y is encrypted on the path between ROUTER-X and ROUTER-Y.
Note 3: Tunnel mode with header preservation (the original source and destination IP addresses are copied to the outer IPsec header, so the IPsec packets are routed like the cleartext ones).

GDOI server

ROUTER-0(config)# crypto isakmp policy 1
ROUTER-0(config-isakmp)# authentication pre-share
ROUTER-0(config-isakmp)# encryption aes
ROUTER-0(config-isakmp)# hash sha
ROUTER-0(config-isakmp)# group 2
ROUTER-0(config-isakmp)# lifetime 86400
ROUTER-0(config)# crypto isakmp aggressive-mode disable
ROUTER-0(config)# crypto isakmp key 0 SECRET_KEY address 0.0.0.0 0.0.0.0
ROUTER-0(config)# crypto isakmp enable
ROUTER-0(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-0(config)# crypto ipsec profile PROFILE
ROUTER-0(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-0(ipsec-profile)# set pfs group2
ROUTER-0(config)# ip access-list extended CRYPTO_ACL
ROUTER-0(config-ext-nacl)# permit ip 123.0.0.0 0.0.255.255 123.0.0.0 0.0.255.255
ROUTER-0(config)# crypto gdoi group GDOI_GROUP
ROUTER-0(config-gdoi-group)# identity number 1
ROUTER-0(config-gdoi-group)# server local
ROUTER-0(gdoi-local-server)# rekey retransmit 10 number 3
ROUTER-0(gdoi-local-server)# rekey transport unicast
ROUTER-0(gdoi-local-server)# sa ipsec 1
ROUTER-0(gdoi-sa-ipsec)# profile PROFILE
ROUTER-0(gdoi-sa-ipsec)# match address ipv4 CRYPTO_ACL
ROUTER-0(gdoi-sa-ipsec)# replay time window-size 5
ROUTER-0(gdoi-local-server)# address ipv4 1.2.3.254

GDOI clients

Same configuration for all GDOI client routers.

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto gdoi group GDOI_GROUP
ROUTER-1(config-gdoi-group)# identity number 1
ROUTER-1(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-1(config)# crypto map CRYPTO_MAP 1 gdoi
ROUTER-1(config-crypto-map)# set group GDOI_GROUP
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto gdoi group GDOI_GROUP
ROUTER-2(config-gdoi-group)# identity number 1
ROUTER-2(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-2(config)# crypto map CRYPTO_MAP 1 gdoi
ROUTER-2(config-crypto-map)# set group GDOI_GROUP
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-3(config)# crypto isakmp policy 1
ROUTER-3(config-isakmp)# authentication pre-share
ROUTER-3(config-isakmp)# encryption aes
ROUTER-3(config-isakmp)# hash sha
ROUTER-3(config-isakmp)# group 2
ROUTER-3(config-isakmp)# lifetime 86400
ROUTER-3(config)# crypto isakmp aggressive-mode disable
ROUTER-3(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-3(config)# crypto isakmp enable
ROUTER-3(config)# crypto gdoi group GDOI_GROUP
ROUTER-3(config-gdoi-group)# identity number 1
ROUTER-3(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-3(config)# crypto map CRYPTO_MAP 1 gdoi
ROUTER-3(config-crypto-map)# set group GDOI_GROUP
ROUTER-3(config)# interface fa0/0
ROUTER-3(config-if)# crypto map CRYPTO_MAP