howto/IPsecWithPublicKeys/CiscoIOSExample.md
@@ -0,0 +1,132 @@
+# IPsec with public key authentication on Cisco IOS
+## Setup
+### Generate an RSA keypair
+_Note: You may already have completed this step, since it's required to enable SSH._
+
+1. Configure a hostname and domain name.
+
+ Router#conf t
+ Router(config)#hostname foo
+ foo(config)#ip domain-name bar
+
+2. Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
+
+ foo(config)#crypto key generate rsa general-keys modulus 2048
+ % The key modulus size is 2048 bits
+ % Generating 2048 bit RSA keys, keys will be non-exportable...
+ foo(config)#exit
+
+### Exchange public keys with your peer
+1. Display the public key. Send the key data portion to your peer.
+
+ foo#show crypto key mypubkey rsa foo.bar
+ % Key pair was generated at: 19:24:02 UTC Jul 19 2014
+ Key name: foo.bar
+ Storage Device: not specified
+ Usage: General Purpose Key
+ Key is not exportable.
+ Key Data:
+ 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
+ 00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
+ 83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
+ FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
+ CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
+ D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
+ 1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
+ C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
+ F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
+ 8F020301 0001
+
+2. Convert your peer's public key to the hexadecimal DER format using the [pubkey-converter][pubkey-converter] script, if necessary.
+
+[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"
+
+## Configuration
+### Configure the phase 1 IKE parameters
+In this example, we'll use the following settings:
+
+| Key | Value |
+| :------------ | :------------ |
+| Encryption | AES-128 |
+| Hash | HMAC-SHA1 |
+| DH Group | 5 (modp1536) |
+| Lifetime | 28800 seconds |
+| Peer address | 192.0.2.2 |
+| Local address | 192.0.2.1 |
+
+1. Add your peer's public key
+
+ foo#conf t
+ Enter configuration commands, one per line. End with CNTL/Z.
+ foo(config)#crypto key pubkey-chain rsa
+ foo(config-pubkey-chain)#addressed-key 192.0.2.2
+ foo(config-pubkey-key)#key
+ foo(config-pubkey-key)#key-string
+ Enter a public key as a hexidecimal number ....
+
+ foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
+ foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
+ foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
+ foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
+ foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
+ foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
+ foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
+ foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
+ foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
+ foo(config-pubkey)#D5020301 0001
+ foo(config-pubkey)#quit
+ foo(config-pubkey-key)#exit
+ foo(config-pubkey-chain)#exit
+
+2. Configure an ISAKMP policy
+
+ foo(config)#crypto isakmp policy 10
+ foo(config-isakmp)#encryption aes
+ foo(config-isakmp)#hash sha
+ foo(config-isakmp)#group 5
+ foo(config-isakmp)#lifetime 28800
+ foo(config-isakmp)#authentication rsa-sig
+ foo(config-isakmp)#exit
+
+3. All done! Configure the phase 2 parameters as you otherwise would.
+
+## Full GRE/IPsec example
+ crypto key pubkey-chain rsa
+ addressed-key 192.0.2.2
+ address 192.0.2.2
+ key-string
+ 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
+ 00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
+ 33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
+ FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
+ 065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
+ 0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
+ F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
+ F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
+ E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
+ D5020301 0001
+ quit
+ !
+ crypto isakmp policy 10
+ encr aes
+ group 5
+ lifetime 28800
+ !
+ crypto ipsec transform-set tset esp-aes esp-sha-hmac
+ mode transport
+ !
+ crypto ipsec profile FOO
+ set transform-set tset
+ set pfs group5
+ !
+ interface Tunnel0
+ ip address 10.1.2.0 255.255.255.254
+ ip mtu 1400
+ tunnel source 192.0.2.1
+ tunnel destination 192.0.2.2
+ tunnel protection ipsec profile FOO
+ !
+ interface FastEthernet0/0
+ description WAN
+ ip address 192.0.2.1 255.255.255.0
+ duplex full
\ No newline at end of file
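Review bot: The ISAKMP policy in the "Full GRE/IPsec example" (`crypto isakmp policy 10` / `encr aes` / `group 5` / `lifetime 28800`) drops the `hash sha` and `authentication rsa-sig` lines that step 2 of the Configuration section sets; both are IOS defaults, which is why a running-config dump does not print them, but a reader who copies only the full example has no way to tell that the policy still authenticates with RSA signatures rather than that the line was forgotten, so either restore the two lines there or add a sentence saying they are defaults omitted by `show running-config`. The same applies to `address 192.0.2.2` under `addressed-key 192.0.2.2`, which appears in the full example but never in the interactive steps; say where it comes from. Finally, the table lists the hash as HMAC-SHA1 and the DH group as 5 (modp1536); since the document dates these settings to 2014 (the key-generation timestamp), a short note that they are the example's choices rather than a recommendation would help readers deploying this today.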