CCIE Security Lab: ASA to IOS IKEv2 tunnel – Part 1: Migration

In the previous post, I set up an IKEv1 tunnel between RTD-ASA and DMVPN-Hub2.

IKEv2 ASA to IOS tunnels

In this post, we’ll change it to an IKEv2 tunnel. For this to work, we will need to have in place a certificate authority and an NTP server; CA-Flex will perform both of these functions. The Cisco doc for this is here: Cisco ASA to IOS Site-to-Site IKEv2 tunnel.

We start by adding a new loopback to CA-Flex and setting up the NTP service.

Configuring NTP on Cisco IOS

CA-Flex(config)#int lo100    
CA-Flex(config-if)#ip add 80.2.10.1 255.255.255.255
CA-Flex(config)#router ospf 1
CA-Flex(config-router)#network 80.2.10.1 0.0.0.0 area 0
CA-Flex(config-router)#exit
CA-Flex(config)#ntp master 1
CA-Flex(config)#ntp source lo100
CA-Flex(config)#ntp authentication-key 1 md5 cisco
CA-Flex(config)#ntp authenticate
CA-Flex(config)#ntp trusted-key 1
CA-Flex(config)#

DMVPN-Hub2(config)#ntp server 80.2.10.1 key 1
DMVPN-Hub2(config)#ntp authentication-key 1 md5 cisco
DMVPN-Hub2(config)#ntp trusted-key 1
DMVPN-Hub2(config)#

RTD-ASA(config)# ntp server 80.2.10.1 key 1 prefer
RTD-ASA(config)# ntp authentication-key 1 md5 cisco
RTD-ASA(config)# ntp authenticate
RTD-ASA(config)# ntp trusted-key 1
RTD-ASA(config)#

After a little time, the clock on the ASA synchronized:

RTD-ASA# sh ntp stat
Clock is synchronized, stratum 3, reference is 80.2.10.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is db1cd4c0.b1a26267 (10:49:36.693 UTC Tue Jun 28 2016)
clock offset is -108.4542 msec, root delay is 4.82 msec
root dispersion is 15999.53 msec, peer dispersion is 15890.63 msec
RTD-ASA#

The IOS router (DMVPN-Hub2) took a long time, probably around fifteen minutes. I checked and double-checked the settings, then turned on logging and debugged NTP (debug ntp all). Eventually, it got there:

DMVPN-Hub2#sh ntp sta  
Clock is unsynchronized, stratum 3, reference is 80.2.10.1      
nominal freq is 1000.0003 Hz, actual freq is 1000.0003 Hz, precision is 2**14
ntp uptime is 230800 (1/100 of seconds), resolution is 1000
reference time is DB1CD9B4.5E24EDF7 (11:10:44.367 UTC Tue Jun 28 2016)
clock offset is 127.6537 msec, root delay is 5.57 msec
root dispersion is 163.01 msec, peer dispersion is 1.10 msec
loopfilter state is 'FREQ' (Drift being measured), drift is 0.000000000 s/s
system poll interval is 64, last update was 7 sec ago.
DMVPN-Hub2#
*Jun 28: NTP message sent to 80.2.10.1, from interface 'GigabitEthernet0/3' (10.1.3.3).
*Jun 28: NTP message received from 80.2.10.1 on interface 'GigabitEthernet0/3' (10.1.3.3).
*Jun 28: NTP Core(DEBUG): ntp_receive: message received
*Jun 28: NTP Core(DEBUG): ntp_receive: peer is 0x0D6B0F68, next action is 1.
*Jun 28: NTP Core(NOTICE): ntpd  PPM
*Jun 28: NTP: step(0x00000000.26AAF451): local_offset = 0x00000000.00000000, curtime = 0xDB1CD9F8.5DF3AEBF
*Jun 28: NTP Core(NOTICE): time reset 0.151046 s
*Jun 28: NTP Core(NOTICE): trans state : 5 
*Jun 28: NTP Core(INFO): 0.0.0.0 C69C 0C clock_step
*Jun 28: NTP Core(INFO): 0.0.0.0 C0AC 0C clock_step
*Jun 28: NTP message sent to 80.2.10.1, from interface 'GigabitEthernet0/3' (10.1.3.3).
*Jun 28: NTP message received from 80.2.10.1 on interface 'GigabitEthernet0/3' (10.1.3.3).
*Jun 28: NTP Core(DEBUG): ntp_receive: message received
*Jun 28: NTP Core(DEBUG): ntp_receive: peer is 0x0D6B0F68, next action is 1.
*Jun 28: NTP Core(DEBUG): Peer becomes reachable, poll set to 6.
*Jun 28: NTP Core(INFO): 80.2.10.1 E054 84 reachable
*Jun 28: NTP Core(INFO): 80.2.10.1 F66A 8A sys_peer
*Jun 28: NTP Core(NOTICE): Clock is synchronized.
Jun 28 11:11:54.511: NTP: Calendar updated.
DMVPN-Hub2#sh ntp sta
Clock is synchronized, stratum 3, reference is 80.2.10.1      
nominal freq is 1000.0003 Hz, actual freq is 999.8436 Hz, precision is 2**14
ntp uptime is 237700 (1/100 of seconds), resolution is 1001
reference time is DB1CD9F9.83E971D3 (11:11:53.515 UTC Tue Jun 28 2016)
clock offset is 1.7506 msec, root delay is 4.75 msec
root dispersion is 7940.04 msec, peer dispersion is 7937.56 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000156686 s/s
system poll interval is 64, last update was 7 sec ago.
DMVPN-Hub2#

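Because certificate validity checks depend on the clock, it is worth deciding from the two status outputs above whether a device is actually ready for PKI work. The following is an added example, not code from the original post: it parses constructed excerpts of the show ntp status output shown above and gates on sync state, stratum, the IOS loop-filter state and an assumed 1000 ms offset limit.

```python
import re

# Constructed excerpts of the "show ntp status" output shown above.
ASA_STATUS = """\
Clock is synchronized, stratum 3, reference is 80.2.10.1
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
clock offset is -108.4542 msec, root delay is 4.82 msec
root dispersion is 15999.53 msec, peer dispersion is 15890.63 msec
"""

IOS_STATUS_EARLY = """\
Clock is unsynchronized, stratum 3, reference is 80.2.10.1
clock offset is 127.6537 msec, root delay is 5.57 msec
root dispersion is 163.01 msec, peer dispersion is 1.10 msec
loopfilter state is 'FREQ' (Drift being measured), drift is 0.000000000 s/s
"""

def parse_ntp_status(text):
    """Pull out the fields that decide whether the clock is trustworthy."""
    m = re.search(r"Clock is (\w+), stratum (\d+), reference is (\S+)", text)
    if not m:
        raise ValueError("not a 'show ntp status' output")
    info = {"synchronized": m.group(1) == "synchronized",
            "stratum": int(m.group(2)), "reference": m.group(3)}
    for key in ("clock offset", "root dispersion"):
        v = re.search(key + r" is (-?[\d.]+) msec", text)
        info[key.replace(" ", "_")] = float(v.group(1)) if v else None
    lf = re.search(r"loopfilter state is '(\w+)'", text)  # IOS only; the ASA omits it
    info["loopfilter"] = lf.group(1) if lf else None
    return info

def clock_ready(info, max_offset_ms=1000.0):
    """Return (ready, reasons). The offset limit is an assumed lab threshold."""
    reasons = []
    if not info["synchronized"]:
        reasons.append("clock is unsynchronized")
    if info["stratum"] >= 16:
        reasons.append("stratum 16 means no usable upstream")
    if info["loopfilter"] == "FREQ":
        reasons.append("loop filter still measuring drift (FREQ)")
    if info["clock_offset"] is None or abs(info["clock_offset"]) > max_offset_ms:
        reasons.append("offset larger than %.0f ms" % max_offset_ms)
    return (not reasons, reasons)

if __name__ == "__main__":
    for name, raw in (("RTD-ASA", ASA_STATUS), ("DMVPN-Hub2", IOS_STATUS_EARLY)):
        print(name, clock_ready(parse_ntp_status(raw)))
```
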
I did find this useful article, though, explaining why it can take a while for NTP to synchronize. Now we can set up CA-Flex to be a Certificate Authority (CA).

Configuring a CA on Cisco IOS

IKEv2 supports certificates, so let’s create a certificate server. It also supports pre-shared keys, but the CA should prove more interesting.

CA-Flex(config)#crypto key generate rsa label CA-Flex general-key mod 1024
The name for the keys will be: CA-Flex

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable... <== NOTICE THIS!!
[OK] (elapsed time was 1 seconds)

CA-Flex(config)#
Jun 28: %SSH-5-ENABLED: SSH 1.99 has been enabled
CA-Flex(config)#crypto key export rsa CA-Flex pem url nvram: 3des cisco123
% RSA keypair 'CA-Flex' is not exportable.
CA-Flex(config)#crypto key generate rsa label CA-Flex general-key mod 1024 ?
  exportable  Allow the key to be exported
  on          create key on specified device.
  storage     Store key on specified device
CA-Flex(config)#$generate rsa label CA-Flex general-key mod 1024 export      
% You already have RSA keys defined named CA-Flex.
% They will be replaced.

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 1 seconds)

CA-Flex(config)#
Jun 28: %SSH-5-DISABLED: SSH 1.99 has been disabled
Jun 28: %SSH-5-ENABLED: SSH 1.99 has been enabled
CA-Flex(config)#crypto key export rsa CA-Flex pem url nvram: 3des cisco123
% Key name: CA-Flex
   Usage: General Purpose Key
Exporting public key...
Destination filename [CA-Flex.pub]? 
Writing file to nvram:CA-Flex.pub
Exporting private key...
Destination filename [CA-Flex.prv]? 
Writing file to nvram:CA-Flex.prv
CA-Flex(config)#crypto pki server CA-Flex
CA-Flex(cs-server)#issuer-name CN=CA-Flex.ccielab.local
CA-Flex(cs-server)#grant auto
CA-Flex(cs-server)#
Jun 28: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
CA-Flex(cs-server)#lifetime certificate 10
CA-Flex(cs-server)#lifetime ca-certificate 10
CA-Flex(cs-server)#cdp-url http://80.2.10.1/ca-flex.crl
CA-Flex(cs-server)#eku server-auth ipsec-end-system ipsec-tunnel ipsec-user
CA-Flex(cs-server)#database archive pem password cisco123
CA-Flex(cs-server)#database url pem nvram:
CA-Flex(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.
CA-Flex(cs-server)#
Jun 28: %PKI-6-CS_ENABLED: Certificate server now enabled.
CA-Flex(cs-server)#do sh crypto pki server
Certificate Server CA-Flex:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=CA-Flex.ccielab.local
    CA cert fingerprint: 2A8252E6 EB4D9723 8F4E3480 1602CEC3 
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 11:40:24 UTC Jul 8 2016
    CRL NextUpdate timer: 17:40:25 UTC Jun 28 2016
    Current primary storage dir: nvram:
    Current storage dir for .pem files: nvram:
    Database Level: Minimum - no cert data written to storage
CA-Flex(cs-server)#exit
CA-Flex(config)#ip http server
CA-Flex(config)#

Now we set up the routers for PKI. This bit was much harder than expected. I wrote this page twice while trying to get this to work, and in the end I completely lost track of all the steps I took while troubleshooting, so please excuse the cut-and-paste job. I think part of the issue stems from trying to move from IKEv1 to IKEv2; the little remnants left behind made it messy. I think I’ll do another post starting with a clean slate and see if it is smoother.

Below we have the configurations for the ASA and the router.

ASA to IOS IKEv2 tunnel with PKI


ASA config:

object network Nat-Networks
 subnet 10.1.1.0 255.255.255.0
object network No-Nat-Networks
 host 1.1.1.1
object network No-Nat-Destination
 host 3.3.3.3
access-list IPSec-VPN-Traffic extended permit ip host 1.1.1.1 host 3.3.3.3 
access-list NONAT extended permit ip object No-Nat-Networks object No-Nat-Destination 
!
nat (Inside,Outside) source static No-Nat-Networks No-Nat-Networks destination static No-Nat-Destination No-Nat-Destination no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set VPN-transforms esp-3des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal Prop1
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map VPN_Map 1 match address IPSec-VPN-Traffic
crypto map VPN_Map 1 set peer 10.1.3.3 
crypto map VPN_Map 1 set ikev1 transform-set VPN-transforms
crypto map VPN_Map 1 set ikev2 ipsec-proposal DES AES256
crypto map VPN_Map 1 set trustpoint CA-Flex
crypto map VPN_Map interface Outside
crypto ca trustpoint CA-Flex
 enrollment url http://80.2.10.1:80
 crl configure
crypto ca trustpool policy
!
crypto isakmp identity hostname 
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14 5 2
 prf sha      
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha256 sha
 group 14 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 ikev2 
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 10.1.3.3 type ipsec-l2l
tunnel-group 10.1.3.3 general-attributes
 default-group-policy GroupPolicy2
tunnel-group 10.1.3.3 ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate CA-Flex
!

IOS config:

crypto pki trustpoint CA-Flex
 enrollment url http://80.2.10.1:80
 usage ike
 fqdn dmvpn-hub2.ccielab.local
 revocation-check none
 rsakeypair DMVPN-Hub2
 eku request server-auth 
!
crypto pki certificate map CA-Flex-Map 10
 issuer-name co ca-flex
!
crypto ikev2 proposal AES256 
 encryption aes-cbc-256
 integrity sha1
 group 5 2 14
crypto ikev2 proposal aes-cbc-256-proposal 
 encryption aes-cbc-256
 integrity sha1
 group 5 2 14
!
crypto ikev2 policy 1 
 match fvrf any
 match address local 10.1.3.3
 proposal AES256
!
crypto ikev2 profile pro1
 match fvrf any
 match address local 10.1.3.3
 match identity remote fqdn RTD-ASA.ccielab.local
 match certificate CA-Flex-Map
 identity local fqdn dmvpn-hub2.ccielab.local
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-Flex
!
no crypto ikev2 http-url cert
!
crypto isakmp policy 10
 encr 3des
 group 5  
crypto isakmp invalid-spi-recovery
crypto isakmp profile VPN_Map
   keyring VPN_Keys
   match identity address 10.1.2.254 255.255.255.255 
!
crypto ipsec transform-set VPN-transforms esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac 
 mode tunnel
!
crypto map VPN_Map 1 ipsec-isakmp 
 set peer 10.1.2.254
 set transform-set ESP-AES-SHA 
 set pfs group2
 set ikev2-profile pro1
 match address 101
!
access-list 101 permit ip host 3.3.3.3 host 1.1.1.1

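The ASA config above still offers DES, 3DES, MD5 integrity and DH groups 2 and 5 alongside the stronger settings, and the IOS proposals include groups 5 and 2 as well. The following is an added example, not code from the original post, that walks the indented crypto blocks of either platform and lists the weak choices; the set of algorithms it treats as weak is an assumption for this lab, not a Cisco rule set.

```python
# Constructed excerpt of the ASA config shown above (same lines as on the page).
ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14 5 2
 prf sha
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
"""

# Assumed lab policy: what counts as weak per keyword.
WEAK = {
    "encryption": {"des", "3des"},
    "integrity": {"md5"},
    "group": {"1", "2", "5"},
}

def parse_blocks(config):
    """Group a config into (header line, [(keyword, values)]) blocks by indentation."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            words = line.split()
            # ASA ipsec-proposal lines read "protocol esp encryption des"; drop the prefix
            if words[:2] == ["protocol", "esp"]:
                words = words[2:]
            blocks[-1][1].append((words[0], words[1:]))
    return blocks

def audit(config):
    """Return (block header, keyword, weak value) for every weak setting found."""
    return [(header, keyword, v)
            for header, settings in parse_blocks(config)
            for keyword, values in settings
            for v in values if v in WEAK.get(keyword, set())]

if __name__ == "__main__":
    for header, keyword, value in audit(ASA_CONFIG):
        print(f"{header}: weak {keyword} '{value}'")
```

The same parser handles the IOS `crypto ikev2 proposal` blocks, since they use the same header-plus-indented-lines layout.
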
So, there we have all the configs. We probably have more than we need and are probably not using all of them, and it has not been a good learning experience. I would certainly have failed this bit in the lab exam. The next step, therefore, is to remove all the tunnel configs and start from scratch. Repetition is good for the memory, and then I can properly lay out all the steps, along with explanations.

I got the desired result:

Local-1#ping 3.3.3.3 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
Local-1#

RTD-ASA# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
139751863        10.1.2.254/500          10.1.3.3/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/1577 sec
Child sa: local selector  1.1.1.1/0 - 1.1.1.1/65535
          remote selector 3.3.3.3/0 - 3.3.3.3/65535
          ESP spi in/out: 0xea2c233e/0x30cdff43  
RTD-ASA#

This is not enough, though; there is not enough time (or the help of Google) in the lab to blunder through. So, I will wipe the configs and start again, until I get it right.