# Site-to-site IPsec VPN with certificates


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24

[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Certificate signing request (CSR)

ROUTER-1# clock set 21:00:00 7 Oct 2012
ROUTER-1(config)# hostname router-1
router-1(config)# ip domain-name lab.net
router-1(config)# crypto pki trustpoint INCAWETRUST
router-1(ca-trustpoint)# enrollment terminal pem
router-1(ca-trustpoint)# fqdn router-1.lab.net
router-1(ca-trustpoint)# subject-name C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
router-1(ca-trustpoint)# revocation-check none
router-1(ca-trustpoint)# rsakeypair router-1.lab.net 1024
router-1(config)# crypto key zeroize rsa
router-1(config)# crypto key generate rsa general-keys label router-1.lab.net export modulus 1024
router-1(config)# crypto pki enroll INCAWETRUST
% Start certificate enrollment .. 

% The subject name in the certificate will include: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
% The subject name in the certificate will include: router-1.lab.net
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwfTEZMBcGA1UEAxMQcm91dGVyLTEubGFiLm5ldDEUMBIGA1UE
CxMLRW5naW5lZXJpbmcxDjAMBgNVBAoTBUNBbmV0MQwwCgYDVQQIEwNDQVQxCzAJ
BgNVBAYTAkVTMR8wHQYJKoZIhvcNAQkCFhByb3V0ZXItMS5sYWIubmV0MIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDJGnpad++Ll/2DdGumYJWYnBxT2uWySlq
/5RBhpKigyDWg/1WEBfxc92ImdKuz438GXoLW+r6SXwJkeszvsFuKqKNfdt5zC8y
ZCcAQzWhM6RL36UQKhRZXq+kBGGhDyTIDBx8hgOEuC9SnK6ACapvPmR2Y738TBSx
La005oVIUwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAw
DQYJKoZIhvcNAQEEBQADgYEAeKhsFhdbcyX9CKEVxagQeF7bomWfc7YR04AMM0u1
t6iZJixHbADJQ1fa8LFjP/MbkRA2KwqHxtGN/D0uhyqE/vAfwslMV/Mm8l9c2iOC
HfzzV2bhQW9FpDcHyJSmmScINh1pZieczCiVAH+LGQVI2VkxY/CKEsqXUb2mQShZ
QlA=
-----END CERTIFICATE REQUEST-----

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
ROUTER-2# clock set 21:02:00 7 Oct 2012
ROUTER-2(config)# hostname router-2
router-2(config)# ip domain-name lab.net
router-2(config)# crypto pki trustpoint INCAWETRUST
router-2(ca-trustpoint)# enrollment terminal pem
router-2(ca-trustpoint)# fqdn router-2.lab.net
router-2(ca-trustpoint)# subject-name C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net
router-2(ca-trustpoint)# revocation-check none
router-2(ca-trustpoint)# rsakeypair router-2.lab.net 1024
router-2(config)# crypto key generate rsa general-keys label router-2.lab.net export modulus 1024
router-2(config)# crypto pki enroll INCAWETRUST
% Start certificate enrollment .. 

% The subject name in the certificate will include: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net    
% The subject name in the certificate will include: router-2.lab.net
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

CA configuration

LINUX-CA# mkdir /etc/ssl/CA
LINUX-CA# mkdir /etc/ssl/newcerts
LINUX-CA# echo '01' > /etc/ssl/CA/serial
LINUX-CA# touch /etc/ssl/CA/index.txt
LINUX-CA# cat /etc/ssl/openssl.cnf
...
[ CA_default ]

dir             = /etc/ssl
database        = $dir/CA/index.txt
certificate     = $dir/certs/cacert.pem
serial          = $dir/CA/serial
private_key     = $dir/private/cakey.pem
...
string_mask = default
...

LINUX-CA# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
...................++++++
................++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:MY_SECRET
Verifying - Enter PEM pass phrase:MY_SECRET
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:CAT
Locality Name (eg, city) []:BCN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CAnet
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:canet.lab.net
Email Address []:root@lab.net

LINUX-CA# mv cakey.pem /etc/ssl/private/.
LINUX-CA# mv cacert.pem /etc/ssl/certs/.
LINUX-CA# cat /etc/ssl/certs/cacert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Signing CSR

LINUX-CA# cat router-1.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
LINUX-CA# openssl ca -in router-1.csr -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  7 19:05:16 2012 GMT
            Not After : Oct  7 19:05:16 2013 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = CAnet
            organizationalUnitName    = Engineering
            commonName                = router-1.lab.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:DF:AB:0F:C0:6B:31:4B:08:5E:6D:86:11:26:9C:90:85:F5:83:8F
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

Certificate is to be certified until Oct  7 19:05:16 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=CAnet, CN=canet.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Oct  7 19:05:16 2012 GMT
            Not After : Oct  7 19:05:16 2013 GMT
        Subject: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c3:24:69:e9:69:df:be:2e:5f:f6:0d:d1:ae:99:
                    82:56:62:70:71:4f:6b:96:c9:29:6a:ff:94:41:86:
                    92:a2:83:20:d6:83:fd:56:10:17:f1:73:dd:88:99:
                    d2:ae:cf:8d:fc:19:7a:0b:5b:ea:fa:49:7c:09:91:
                    eb:33:be:c1:6e:2a:a2:8d:7d:db:79:cc:2f:32:64:
                    27:00:43:35:a1:33:a4:4b:df:a5:10:2a:14:59:5e:
                    af:a4:04:61:a1:0f:24:c8:0c:1c:7c:86:03:84:b8:
                    2f:52:9c:ae:80:09:aa:6f:3e:64:76:63:bd:fc:4c:
                    14:b1:2d:ad:34:e6:85:48:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:DF:AB:0F:C0:6B:31:4B:08:5E:6D:86:11:26:9C:90:85:F5:83:8F
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

    Signature Algorithm: sha1WithRSAEncryption
         84:65:11:b5:db:df:f4:ce:d5:3c:d7:a4:d3:10:b8:cc:d5:c5:
         35:c3:7e:95:e6:d2:0b:e2:a9:0e:f6:b4:e7:a4:00:f4:0b:d2:
         04:a3:b1:bc:ba:44:4d:6a:a9:a2:f2:84:ea:5b:70:97:52:46:
         1b:fd:86:74:7f:75:88:50:6e:10:59:c5:20:84:a6:b4:8f:59:
         30:7f:8c:a7:7e:13:60:85:de:5a:a4:8f:ce:05:ba:7c:c6:84:
         fd:10:d0:86:c0:f3:b6:49:02:da:7b:9c:29:c8:8a:d9:7d:c3:
         d1:51:cd:0e:f4:b1:4a:2d:6c:26:16:06:ba:19:c2:79:8e:3f:
         e3:4e
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated

LINUX-CA# cat router-2.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
LINUX-CA# openssl ca -in router-2.csr -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct  7 19:06:24 2012 GMT
            Not After : Oct  7 19:06:24 2013 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = CAnet
            organizationalUnitName    = Engineering
            commonName                = router-2.lab.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:C3:3C:F3:1D:8C:D3:02:3A:83:AF:8B:C6:BD:7F:48:B8:54:3A:0A
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

Certificate is to be certified until Oct  7 19:06:24 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=CAnet, CN=canet.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Oct  7 19:06:24 2012 GMT
            Not After : Oct  7 19:06:24 2013 GMT
        Subject: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a9:f9:76:12:60:11:73:d6:20:49:12:85:d2:bd:
                    68:ec:94:c4:a6:0a:53:c6:50:bb:ae:55:b3:a7:2a:
                    67:bc:4a:45:94:29:bc:14:50:ac:cf:ef:79:d2:4b:
                    33:10:cb:56:c9:aa:64:5a:36:fd:99:28:12:ff:ed:
                    f9:91:a9:47:04:28:be:a6:14:b6:b3:ee:2f:70:86:
                    95:22:78:ee:b9:40:b1:1a:5b:53:bd:b2:43:2e:c1:
                    9c:e2:c2:0c:d1:fe:b6:cf:c7:e0:32:66:0f:f7:a8:
                    8e:96:2c:a9:bf:35:ac:83:64:ad:74:d9:f7:05:b8:
                    3f:79:2c:26:31:e0:07:70:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:C3:3C:F3:1D:8C:D3:02:3A:83:AF:8B:C6:BD:7F:48:B8:54:3A:0A
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

    Signature Algorithm: sha1WithRSAEncryption
         55:06:3f:87:2a:2b:a3:a4:e3:c9:c2:26:34:f5:e6:36:d0:52:
         08:41:4b:0c:34:48:b9:9e:2d:b6:ad:33:02:a3:2c:84:78:ed:
         a5:9c:f3:cf:1e:6b:6a:da:58:93:d4:22:25:91:37:44:5b:84:
         76:40:e4:b1:55:94:1d:70:55:ce:06:c3:7e:2d:0f:b7:51:63:
         fc:74:1f:e4:34:4f:38:45:16:8e:bd:fe:36:7b:c0:ba:97:ce:
         97:d5:0e:16:1b:a4:46:e1:a8:3a:5f:77:a7:9b:c4:3c:e5:78:
         58:d4:5f:f5:c6:91:05:5a:b5:2c:93:8b:c1:65:f3:45:6f:0f:
         7f:22
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated

LINUX-CA# ls -l /etc/ssl/newcerts
total 8
-rw-r--r-- 1 root root 3104 oct  7 21:05 01.pem
-rw-r--r-- 1 root root 3104 oct  7 21:06 02.pem
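
Added example (not code from the original post): the same CA workflow as above, scripted so it runs without prompts, with 2048-bit RSA keys and SHA-256 in place of the lab's 1024-bit keys and SHA-1, and with the two checks worth running before a certificate is pasted into a router: that it verifies against the CA certificate, and that it carries the public key from the CSR. Everything happens in a temporary directory whose layout mirrors the page's /etc/ssl/CA. The function names, the openssl.cnf the script writes and the use of a locally generated CSR in place of the router's are assumptions; the CAnet, canet.lab.net and router-1.lab.net names are the page's lab names.

```shell
#!/bin/sh
# Added example, not code from the original post: the page's OpenSSL CA
# workflow made non-interactive and repeatable, with 2048-bit RSA and SHA-256
# instead of the 2012 lab's 1024-bit keys and SHA-1. Lab names (CAnet,
# canet.lab.net, router-1.lab.net) are the page's; everything else is assumed.
set -eu

# CA directory: the files the page creates by hand (serial, index.txt, newcerts)
# plus a self-contained openssl.cnf, so nothing depends on the distribution's
# /etc/ssl/openssl.cnf.
make_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir/newcerts" "$ca_dir/private"
    echo '01' > "$ca_dir/serial"
    : > "$ca_dir/index.txt"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca_dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = router_cert
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ router_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    # Self-signed CA certificate. -nodes leaves the CA key unencrypted only so
    # the script runs unattended; the page protects it with a passphrase.
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$ca_dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=ES/ST=CAT/L=BCN/O=CAnet/CN=canet.lab.net" \
        -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" 2>/dev/null
}

# Stand-in for the router's "crypto pki enroll": a key and a CSR with the page's subject.
make_csr() {
    out_dir="$1"; fqdn="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=ES/ST=CAT/O=CAnet/OU=Engineering/CN=$fqdn" \
        -keyout "$out_dir/$fqdn.key" -out "$out_dir/$fqdn.csr" 2>/dev/null
}

# "openssl ca" as on the page, but -batch (no prompts) and -notext (PEM only,
# which is what "crypto pki import ... certificate" expects to be pasted).
sign_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$2" -out "$3" 2>/dev/null
}

# Before pasting a certificate into the router: it must chain to the CA and
# carry the public key from the CSR it was issued for.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$3" >/dev/null 2>&1 || return 1
    [ "$(openssl req -in "$2" -noout -pubkey)" = "$(openssl x509 -in "$3" -noout -pubkey)" ]
}

# Signature algorithm of a certificate; the page's CA produced sha1WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# The SHA-1 fingerprint the router shows at "crypto pki authenticate";
# compare it out of band before answering "yes".
ca_fingerprint() {
    openssl x509 -in "$1/cacert.pem" -noout -fingerprint -sha1 | cut -d= -f2
}

work=$(mktemp -d)
make_ca "$work/ca"
make_csr "$work" router-1.lab.net
sign_csr "$work/ca" "$work/router-1.lab.net.csr" "$work/router-1.lab.net.crt"
verify_cert "$work/ca" "$work/router-1.lab.net.csr" "$work/router-1.lab.net.crt"
echo "router-1 certificate signed with $(sig_alg "$work/router-1.lab.net.crt")"
echo "CA SHA1 fingerprint: $(ca_fingerprint "$work/ca")"
```

The issued certificate is written both to the -out path and, as on the page, to newcerts/01.pem. Keep the CA key passphrase-protected (as the page does) or on dedicated hardware in anything beyond a lab; -nodes is used here only to avoid prompts.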

Importing CA certificate

router-1(config)# crypto pki authenticate INCAWETRUST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Certificate has the following attributes:
       Fingerprint MD5: B81F447E E0E17975 C95F9E27 10EA609E 
      Fingerprint SHA1: B373CB7E BF3CB28A 731A4142 C83C3770 95A8A98B 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
router-2(config)# crypto pki authenticate INCAWETRUST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Certificate has the following attributes:
       Fingerprint MD5: B81F447E E0E17975 C95F9E27 10EA609E 
      Fingerprint SHA1: B373CB7E BF3CB28A 731A4142 C83C3770 95A8A98B 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
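
Added example, not part of the original post: the router prints the CA certificate's MD5 and SHA-1 fingerprints and asks whether to accept it, and the page answers yes without comparing them against anything. Whoever can alter the pasted text can substitute a CA of their own, so the fingerprint should be checked against the value read from the CA host over a separate channel. The script below normalises the IOS format and the openssl x509 -fingerprint format so the two can be compared; it uses the SHA-1 line printed above and OpenSSL-style values constructed to match and to mismatch it, since the CA certificate itself is elided on the page. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: out-of-band check of the CA
# fingerprint IOS prints at "crypto pki authenticate". The IOS line is the one
# on the page; the OpenSSL-format values are constructed for illustration.
set -eu

# IOS prints upper-case hex in 8-character groups, OpenSSL prints
# colon-separated bytes; reduce both to bare lower-case hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Value after "Fingerprint XXX:" on a line copied from the router output.
ios_fingerprint_value() {
    printf '%s' "$1" | sed 's/^.*Fingerprint[^:]*: *//; s/ *$//'
}

# Value after "=" in the "SHA1 Fingerprint=..." line from openssl x509.
openssl_fingerprint_value() {
    printf '%s' "$1" | sed 's/^.*=//'
}

# Exit status 0 if both strings denote the same digest, 1 otherwise.
fingerprints_match() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# What the CA operator runs on the CA host and reads out over a trusted channel.
# Usage: file_fingerprint cacert.pem sha1  (the page's IOS shows only MD5 and
# SHA-1; prefer sha256 where the IOS release displays it).
file_fingerprint() {
    openssl_fingerprint_value "$(openssl x509 -in "$1" -noout -fingerprint "-$2")"
}

IOS_LINE='      Fingerprint SHA1: B373CB7E BF3CB28A 731A4142 C83C3770 95A8A98B '
# Constructed: the same digest as the router shows, in openssl's output format.
CA_HOST_FP='SHA1 Fingerprint=B3:73:CB:7E:BF:3C:B2:8A:73:1A:41:42:C8:3C:37:70:95:A8:A9:8B'
# Constructed: last byte differs, as it would if the pasted certificate were swapped.
TAMPERED_FP='SHA1 Fingerprint=B3:73:CB:7E:BF:3C:B2:8A:73:1A:41:42:C8:3C:37:70:95:A8:A9:8C'

router_fp=$(ios_fingerprint_value "$IOS_LINE")
if fingerprints_match "$router_fp" "$(openssl_fingerprint_value "$CA_HOST_FP")"; then
    echo "fingerprint matches the CA host: answer yes"
fi
if ! fingerprints_match "$router_fp" "$(openssl_fingerprint_value "$TAMPERED_FP")"; then
    echo "fingerprint differs from the CA host: answer no and investigate"
fi
# With the CA certificate file at hand: ./check.sh /etc/ssl/certs/cacert.pem
if [ "$#" -ge 1 ]; then
    fingerprints_match "$router_fp" "$(file_fingerprint "$1" sha1)" && echo "file matches router"
fi
```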

Importing signed certificate

router-1(config)# crypto pki import INCAWETRUST certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIICuzCCAiSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQGEwJFUzEM
MAoGA1UECBMDQ0FUMQwwCgYDVQQHEwNCQ04xDjAMBgNVBAoTBUNBbmV0MRYwFAYD
VQQDEw1jYW5ldC5sYWIubmV0MRswGQYJKoZIhvcNAQkBFgxyb290QGxhYi5uZXQw
HhcNMTIxMDA3MTkwNTE2WhcNMTMxMDA3MTkwNTE2WjBcMQswCQYDVQQGEwJFUzEM
MAoGA1UECBMDQ0FUMQ4wDAYDVQQKEwVDQW5ldDEUMBIGA1UECxMLRW5naW5lZXJp
bmcxGTAXBgNVBAMTEHJvdXRlci0xLmxhYi5uZXQwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMMkaelp374uX/YN0a6ZglZicHFPa5bJKWr/lEGGkqKDINaD/VYQ
F/Fz3YiZ0q7PjfwZegtb6vpJfAmR6zO+wW4qoo1923nMLzJkJwBDNaEzpEvfpRAq
FFler6QEYaEPJMgMHHyGA4S4L1KcroAJqm8+ZHZjvfxMFLEtrTTmhUhTAgMBAAGj
ezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk
IENlcnRpZmljYXRlMB0GA1UdDgQWBBSB36sPwGsxSwhebYYRJpyQhfWDjzAfBgNV
HSMEGDAWgBQFd61pR5IFYkoMsIAJVAsKiS/9yDANBgkqhkiG9w0BAQUFAAOBgQCE
ZRG129/0ztU816TTELjM1cU1w36V5tIL4qkO9rTnpAD0C9IEo7G8ukRNaqmi8oTq
W3CXUkYb/YZ0f3WIUG4QWcUghKa0j1kwf4ynfhNghd5apI/OBbp8xoT9ENCGwPO2
SQLae5wpyIrZfcPRUc0O9LFKLWwmFga6GcJ5jj/jTg==
-----END CERTIFICATE-----

% Router Certificate successfully imported
router-2(config)# crypto pki import INCAWETRUST certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

% Router Certificate successfully imported

Configuring static crypto maps

router-1(config)# crypto isakmp policy 1
router-1(config-isakmp)# authentication rsa-sig
router-1(config-isakmp)# encryption aes
router-1(config-isakmp)# group 2
router-1(config-isakmp)# lifetime 86400
router-1(config)# crypto isakmp aggressive-mode disable
router-1(config)# crypto isakmp enable
router-1(config)# ip access-list extended CRYPTO_ACL
router-1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
router-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
router-1(config-crypto-map)# set peer 12.12.12.2
router-1(config-crypto-map)# match address CRYPTO_ACL
router-1(config-crypto-map)# set transform-set TRANSFORM_SET
router-1(config-crypto-map)# set pfs group2
router-1(config)# interface fa0/0
router-1(config-if)# crypto map CRYPTO_MAP
router-1(config-if)# ip nat outside
router-1(config)# interface fa0/1
router-1(config-if)# ip nat inside
router-1(config)# ip route 192.168.2.0 255.255.255.0 12.12.12.2
router-1(config)# ip access-list extended ACL_NONAT
router-1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router-1(config-ext-nacl)# permit ip any any
router-1(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload
router-2(config)# crypto isakmp policy 1
router-2(config-isakmp)# authentication rsa-sig
router-2(config-isakmp)# encryption aes
router-2(config-isakmp)# hash sha
router-2(config-isakmp)# group 2
router-2(config-isakmp)# lifetime 86400
router-2(config)# crypto isakmp aggressive-mode disable
router-2(config)# crypto isakmp enable
router-2(config)# ip access-list extended CRYPTO_ACL
router-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
router-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
router-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
router-2(config-crypto-map)# set peer 12.12.12.1
router-2(config-crypto-map)# match address CRYPTO_ACL
router-2(config-crypto-map)# set transform-set TRANSFORM_SET
router-2(config-crypto-map)# set pfs group2
router-2(config)# interface fa0/0
router-2(config-if)# crypto map CRYPTO_MAP
router-2(config-if)# ip nat outside
router-2(config)# interface fa0/1
router-2(config-if)# ip nat inside
router-2(config)# ip route 192.168.1.0 255.255.255.0 12.12.12.1
router-2(config)# ip access-list extended ACL_NONAT
router-2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
router-2(config-ext-nacl)# permit ip any any
router-2(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload
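
Added example, not from the original post: the parameters used above (1024-bit RSA keys generated with the export keyword, DH group 2 for IKE and PFS, SHA-1 for ESP integrity, revocation-check none on the trustpoint) were common in a 2012 lab but are weak today. The script walks router-1's configuration lines as they appear above, copied here as constructed input, and prints each weak setting next to the value to configure instead. The replacements are this editor's recommendations rather than anything the page states, and which DH/ECDH groups and SHA-256 transforms are available depends on the IOS release. Note also that router-1's ISAKMP policy has no hash line; IOS defaults to SHA-1 there, which is what router-2 sets explicitly.

```shell
#!/bin/sh
# Added example, not from the original post: line-by-line audit of router-1's
# configuration (copied from the page as constructed input) for settings that
# are weak by current standards. Recommendations are this editor's, not the page's.
set -eu

ROUTER1_CONFIG='crypto pki trustpoint INCAWETRUST
 enrollment terminal pem
 revocation-check none
 rsakeypair router-1.lab.net 1024
crypto key generate rsa general-keys label router-1.lab.net export modulus 1024
crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 group 2
 lifetime 86400
! no hash line: IOS defaults to SHA-1, same as router-2 explicit "hash sha"
crypto isakmp aggressive-mode disable
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
crypto map CRYPTO_MAP 1 ipsec-isakmp
 set peer 12.12.12.2
 set pfs group2'

# One finding per line: label|offending line|what to configure instead
finding() {
    printf '%s|%s|%s\n' "$1" "$2" "$3"
}

# Reads configuration text and emits one finding per weak setting. A single
# line can produce more than one finding (the key-generation line is both
# 1024-bit and exportable).
audit_config() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *'revocation-check none'*) finding no-revocation "$line" \
                'publish a CRL (or run OCSP) and set revocation-check crl, so a compromised router key can be revoked' ;;
        esac
        case "$line" in
            *'rsakeypair '*' 1024'|*'modulus 1024'*) finding weak-rsa "$line" \
                'modulus 2048 or larger' ;;
        esac
        case "$line" in
            *' export '*) finding exportable-key "$line" \
                'omit the export keyword unless the private key really must leave the router' ;;
        esac
        case "$line" in
            *' group 2'|*'pfs group2') finding weak-dh "$line" \
                'group 14 at least; an ECDH group (19 or 20) where the release supports it' ;;
        esac
        case "$line" in
            *'esp-sha-hmac'*) finding sha1-integrity "$line" \
                'esp-sha256-hmac' ;;
        esac
    done
}

# Number of findings, usable as a pre-deployment gate (0 means clean).
finding_count() {
    audit_config "$1" | wc -l | tr -d ' '
}

audit_config "$ROUTER1_CONFIG"
echo "findings: $(finding_count "$ROUTER1_CONFIG")"
```

Running it against the text above yields seven findings: the trustpoint's revocation-check none, the two 1024-bit key lines (one of them also exportable), the IKE group, the ESP transform and the PFS group.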
