Cisco IOU IPsec Site to Site VPN with RSA key

The physical diagram is the same as before. Since pre-shared-key IPsec is already configured and working, the only remaining steps are to change the authentication method and import the peer's public key. Of course, you have to generate your own private/public key pair first. Also, the clocks on both devices must be synchronized.

R1(config)#crypto key generate rsa general-keys label R1
The name for the keys will be: R1
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable…[OK]

R1(config)#
*Feb 20 11:57:54.456:  RSA key size needs to be atleast 768 bits for ssh version 2
R1(config)#
*Feb 20 11:57:54.464: %SSH-5-ENABLED: SSH 1.5 has been enabled

R1#show crypto key mypubkey rsa R1
% Key pair was generated at: 19:57:54 CST Feb 20 2012
Key name: R1
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A28FA5 DC744F51
  02B0954B 6ED06BBE 8C30AE2E 7CEBBB82 861E9590 DF27CBED 8C26404F 5A42E174
  749CEBC6 427AC823 DD5E1FC1 9C467B70 18128E87 C7567565 D5020301 0001

R1(config)#crypto key pubkey-chain rsa 
R1(config-pubkey-chain)#addressed-key 2.2.2.2 encryption 
R1(config-pubkey-key)#key-string 
Enter a public key as a hexidecimal number ….
—Copy the whole public key from R2, which is obtained by running the steps above on R2.
R1(config-pubkey)#$886F70D 01010105 00034B00 30480241 00A1D58D A10F0D3C    
R1(config-pubkey)#$858EF64 1386DB4E FBD07BCE 3A149B48 6676CD75 CD69331A    
R1(config-pubkey)#$C8C10B60 876FA497 CCC86377 3C0FAF0A 354FED28 73020301 0001
R1(config-pubkey)#
R1(config-pubkey)#quit
R1(config-pubkey-key)#

R1#show crypto key pubkey-chain rsa address 2.2.2.2
Key address:          2.2.2.2          
 Usage: Encryption Key
 Source: Manually entered
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A1D58D A10F0D3C
  17A843C9 A2654A88 7858EF64 1386DB4E FBD07BCE 3A149B48 6676CD75 CD69331A
  4BBA6976 C8C10B60 876FA497 CCC86377 3C0FAF0A 354FED28 73020301 0001

R1#sh crypto key mypubkey rsa 
% Key pair was generated at: 19:57:54 CST Feb 20 2012
Key name: R1
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A28FA5 DC744F51
  02B0954B 6ED06BBE 8C30AE2E 7CEBBB82 861E9590 DF27CBED 8C26404F 5A42E174
  749CEBC6 427AC823 DD5E1FC1 9C467B70 18128E87 C7567565 D5020301 0001
% Key pair was generated at: 20:12:59 CST Feb 20 2012
Key name: R1.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00CF0A3B C0AF2BE1
  40AF1DF0 9B600A1D A228CB74 E5D714BC D5561DC5 FB2936C9 0818F1D7 B650DAF8
  5B5BD010 3A4D5A4F D1B0C324 376FFD24 2567B79E 0BA019F5 1E664610 02AFF0FC
  848B99F2 2B2CEEC1 6086153D C6F2A83C 4442F6A8 49CB59DB AB020301 0001

—-Repeat the same steps on R2 to generate R2's own private and public key, and import R1's public key there.
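Before trusting a peer key typed in by hand, it is worth decoding the hex and comparing its fingerprint with what the peer's own show crypto key mypubkey rsa prints, and checking the modulus size (the 512-bit default accepted above is below any modern minimum). The following Python is an added example, not from the page or its author; the key data is copied from the R1 and imported R2 output above, and the 2048-bit threshold is an assumption.

```python
import hashlib

# Key data copied from the page: R1's own key and the R2 key imported on R1.
R1_KEY_DATA = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A28FA5 DC744F51
02B0954B 6ED06BBE 8C30AE2E 7CEBBB82 861E9590 DF27CBED 8C26404F 5A42E174
749CEBC6 427AC823 DD5E1FC1 9C467B70 18128E87 C7567565 D5020301 0001
"""
R2_IMPORTED_KEY_DATA = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A1D58D A10F0D3C
17A843C9 A2654A88 7858EF64 1386DB4E FBD07BCE 3A149B48 6676CD75 CD69331A
4BBA6976 C8C10B60 876FA497 CCC86377 3C0FAF0A 354FED28 73020301 0001
"""
RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos):
    """Read one DER TLV (short or long-form length); return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ios_key(hexdump):
    """IOS key-string hex -> (modulus, exponent, sha256 hex fingerprint of the DER)."""
    der = bytes.fromhex("".join(hexdump.split()))
    tag, spki, _ = _tlv(der, 0)        # SubjectPublicKeyInfo SEQUENCE
    assert tag == 0x30, "expected SubjectPublicKeyInfo SEQUENCE"
    _, algid, pos = _tlv(spki, 0)      # AlgorithmIdentifier
    _, oid, _ = _tlv(algid, 0)
    assert oid == RSA_OID, "not an rsaEncryption key"
    _, bitstr, _ = _tlv(spki, pos)     # BIT STRING; first byte = unused-bit count
    _, rsakey, _ = _tlv(bitstr[1:], 0) # RSAPublicKey SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = _tlv(rsakey, 0)
    _, e_bytes, _ = _tlv(rsakey, pos)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return n, e, hashlib.sha256(der).hexdigest()


def key_is_acceptable(hexdump, min_bits=2048):
    """Check to run before 'crypto key pubkey-chain rsa': reject short or odd keys."""
    n, e, _ = parse_ios_key(hexdump)
    return n.bit_length() >= min_bits and e > 1 and e % 2 == 1


for name, data in (("R1", R1_KEY_DATA), ("R2 imported", R2_IMPORTED_KEY_DATA)):
    n, e, fp = parse_ios_key(data)
    print(f"{name}: {n.bit_length()}-bit modulus, e={e}, sha256={fp[:16]}...")
```

Run the same script against the hex that R2 prints for its own key; the fingerprints must match the imported copy byte for byte, and both of the page's keys fail the 2048-bit check.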

Troubleshooting the IPsec issue:
R1#debug crypto ipsec
Crypto IPSEC debugging is on
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto engine
Crypto Engine debugging is on
R1#clear crypto session

Unfortunately, no matter how I tried to adjust the configuration and debug packets, I still got the following error:

“%CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 0) unable to decrypt (w/RSA private key) packet”

R1#ping 2.2.2.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

*Feb 20 12:32:57.499: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 12.1.1.1, remote= 12.1.1.2,
    local_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4)
*Feb 20 12:32:57.499: select crypto engine: ce_engine[2] does not  accept the capabilities
*Feb 20 12:32:57.499: select crypto engine: ce_engine[2] does not  accept the capabilities
*Feb 20 12:32:57.499: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 12.1.1.1, remote= 12.1.1.2,
    local_proxy= 1.1.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 2.2.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 20 12:32:57.499: ISAKMP:(0): SA request profile is (NULL)
*Feb 20 12:32:57.499: ISAKMP: Created a peer struct for 12.1.1.2, peer port 500
*Feb 20 12:32:57.499: ISAKMP: New peer created peer = 0xB5F85C90 peer_handle = 0x8000000B
*Feb 20 12:32:57.499: ISAKMP: Locking peer struct 0xB5F85C90, refcount 1 for isakmp_initiator
*Feb 20 12:32:57.499: ISAKMP: local port 500, remote port 500
*Feb 20 12:32:57.499: select crypto engine: ce_engine[2] does not  accept the capabilities
*Feb 20 12:32:57.499: ISAKMP: set new node 0 to QM_IDLE    
*Feb 20 12:32:57.499: ISAKMP:(0):insert sa successfully sa = B563A678
*Feb 20 12:32:57.499: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb 20 12:32:57.499: ISAKMP:(0):found peer pre-shared key matching 12.1.1.2
*Feb 20 12:32:57.499: select crypto engine: ce_engine[2] does not  accept the capabilities
*Feb 20 12:32:57.499: ISAKMP:(0):incorrect policy settings. Unable to initiate.
*Feb 20 12:32:57.499: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb 20 12:32:57.499: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb 20 12:32:57.499: ISAKMP: Unlocking peer struct 0xB5F85C90 for isadb_unlock_peer_delete_sa(), count 0
*Feb 20 12:32:57.499: ISAKMP: Deleting peer node by peer_reap for 12.1.1.2: B5F85C90
*Feb 20 12:32:57.499: ISAKMP:(0):purging SA., sa=B563A678, delme=B563A678
*Feb 20 12:32:57.499: ISAKMP:(0):purging node 172968404
*Feb 20 12:32:57.499: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 20 12:32:57.499: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 20 12:32:57.499: IPSEC(key_engine): got a queue event with 1 KMI message(s)…..
Success rate is 0 percent (0/5)

————————————————————————————–

Cause:
Basically, an incorrect RSA key caused the decryption failure on the peer. After reviewing all the steps again, I found I was using show crypto key mypubkey rsa label R1 to generate the key. It looks like the router only accepts a key generated with the full domain name. To fix the issue, we need to use crypto key generate rsa to generate the R1.test.com key. After re-generating the key, everything looks fine.

R1#sh crypto key mypubkey rsa
% Key pair was generated at: 19:57:54 CST Feb 20 2012
Key name: R1
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A28FA5 DC744F51
  02B0954B 6ED06BBE 8C30AE2E 7CEBBB82 861E9590 DF27CBED 8C26404F 5A42E174
  749CEBC6 427AC823 DD5E1FC1 9C467B70 18128E87 C7567565 D5020301 0001
% Key pair was generated at: 21:13:01 CST Feb 20 2012
Key name: R1.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B81668 4937CAC9
  8B996057 48180B77 B19C3177 119EE6A4 4B79D41C 8FCDF0EC 44F7415D 2E7BE8A4
  3FE8BC6A E554586F ECAE5EDA C45A1E26 8A57C64C C7296E4B 0A14582D 021D2CF1
  0A9C903C 1EFF9283 E9E2B28C 5C07F11E 42045F04 956B10FA A9020301 0001
% Key pair was generated at: 21:14:05 CST Feb 20 2012
Key name: R1.test.com
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E1BF42 30D90C58 
  AA2E7978 44D0706E DDFA8A87 5C8C2C72 D33A5030 A5902E9B E156AD48 94E7364F 
  8D0E3880 78CEFFD4 5CB75C2C DFF6586C E5168D7C 57B495CF 99020301 0001

R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
12.1.1.1        12.1.1.2        QM_IDLE           1001 ACTIVE
———————————————————————————————-

R1#sh run
Building configuration…

Current configuration : 2445 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
!
!      
!
ip cef
ip domain name test.com
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
crypto isakmp policy 10
 authentication rsa-encr
!
!      
crypto ipsec transform-set P2-Transform esp-des esp-sha-hmac
!
crypto map P2-Transform 10 ipsec-isakmp
 set peer 12.1.1.2
 set transform-set P2-Transform
 match address acl_vpn
!
!
crypto key pubkey-chain rsa
 addressed-key 12.1.1.2 encryption
  address 12.1.1.2
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00EFFA4A B7F46348 
   6FDE6D35 C9FA3F48 75EC7F85 080AFB77 1306A1E1 81936A60 FE95A7AA 278516AB 
   87E7E70E AB957573 7B25508C 35DA3972 3CA6C5BB EB52C3BE F3020301 0001
  quit
!
!
ip ssh version 1
!
!
!
!      
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!      
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 ip address 12.1.1.1 255.255.255.0
 crypto map P2-Transform
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 2.2.2.0 255.255.255.0 12.1.1.2
!
ip access-list extended acl_vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
exception data-corruption buffer truncate
end

By Jon
