This is lab part 3 to verify three different  ipsec vpn authentication methods: Pre-share key, RSA key and CA. First two parts has been listed in previous posts. Here is last part – external CA.

Cisco IOU IPsec Site to Site VPN with Pre-shared key, RSA Key, or CA Part 1

Cisco IOU IPsec Site to Site VPN with Pre-shared key, RSA Key, or CA Part 2

This time, I will use CA signed certificates to build IPSec site to site vpn between two Cisco Routers. Topology is same as before and IOS info is in the following:

——————————————–

R2# sh ver
Cisco IOS Software, 2600 Software (C2691-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 30-Apr-07 16:48 by prod_rel_team

ROM: ROMMON Emulation Microcode
ROM: 2600 Software (C2691-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)

R2 uptime is 9 minutes
System returned to ROM by unknown reload cause – suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System restarted at 22:40:33 UTC Tue Feb 28 2012
System image file is “tftp://255.255.255.255/unknown”

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 2691 (R7000) processor (revision 0.1) with 124928K/6144K bytes of memory.
Processor board ID ZZZZZZZZZXX
R7000 CPU at 160MHz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache
18 FastEthernet interfaces
6 Serial(sync/async) interfaces
DRAM configuration is 64 bits wide with parity enabled.
55K bytes of NVRAM.
16384K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102

——————————————–

XCA will be used to generate Private key and Certifications for CA, R1 and R2.

Step1 : Using XCA to create a new CA

a. After installed XCA, create a new database with password.
b. Click New Certificate:

 c. Change subject and generate a new private key

 d. Click ok to generate new CA as shown in following screenshot.

Step2: Create CSR for both Routers:

Step3: Sign CSR to get Certifications:

Step4: Export Certifications with PKCS #12 format. You will get R1.p12 and R2.p12 files:

Step5: Import Certification to each of router

R1(config)#crypto pki trustpoint CA-VPN
R1(ca-trustpoint)#revocation-check none

R1(config)#crypto ca import CA-VPN pkcs12 tftp: Cisco

% Importing pkcs12…
Address or name of remote host []? 1.1.1.1
Source filename [trustpoint]? R1.p12
Reading file from tftp://1.1.1.1/R1.p12
Loading R1.p12 from 1.1.1.1 (via FastEthernet0/0): !
[OK – 1245 bytes]

CRYPTO_PKI: Imported PKCS12 file successful

Step6: Verify and Test:

show crypto pki trustpoints
show crypto pki certificates

R2#ping 1.1.1.1 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/44 ms
R2#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: P1-P2-Map, local addr 12.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   current_peer 12.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 12.1.1.2, remote crypto endpt.: 12.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xCDFDE82C(3455969324)

     inbound esp sas:
      spi: 0xD5799FF1(3581517809)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: P1-P2-Map
        sa timing: remaining key lifetime (k/sec): (4603613/2710)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCDFDE82C(3455969324)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: P1-P2-Map
        sa timing: remaining key lifetime (k/sec): (4603613/2709)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R2#


R2#ping 1.1.1.1 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2

Feb 28 23:03:53.243: ISAKMP:(0): SA request profile is (NULL)
Feb 28 23:03:53.247: ISAKMP: Created a peer struct for 12.1.1.1, peer port 500
Feb 28 23:03:53.247: ISAKMP: New peer created peer = 0x64937F58 peer_handle = 0x80000004
Feb 28 23:03:53.251: ISAKMP: Locking peer struct 0x64937F58, refcount 1 for isakmp_initiator
Feb 28 23:03:53.251: ISAKMP: local port 500, remote port 500
Feb 28 23:03:53.255: ISAKMP: set new node 0 to QM_IDLE
Feb 28 23:03:53.255: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6418E444
Feb 28 23:03:53.259: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb 28 23:03:53.263: ISAKMP:(0):No pre-shared key with 12.1.1.1!
Feb 28 23:03:53.267: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb 28 23:03:53.271: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 28 23:03:53.271: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb 28 23:03:53.275: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 28 23:03:53.275: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Feb 28 23:03:53.279: ISAKMP:(0): beginning Main Mode exchange
Feb 28 23:03:53.283: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 28 23:03:53.283: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 28 23:03:53.367: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 28 23:03:53.375: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 28 23:03:53.375: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Feb 28 23:03:53.387: ISAKMP:(0): processing SA payload. message ID = 0
Feb 28 23:03:53.391: ISAKMP:(0): proce.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/56/140 ms
R2#ssing vendor id payload
Feb 28 23:03:53.391: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Feb 28 23:03:53.395: ISAKMP (0:0): vendor ID is NAT-T v7
Feb 28 23:03:53.395: ISAKMP : Scanning profiles for xauth …
Feb 28 23:03:53.399: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Feb 28 23:03:53.399: ISAKMP:      encryption DES-CBC
Feb 28 23:03:53.399: ISAKMP:      hash SHA
Feb 28 23:03:53.403: ISAKMP:      default group 1
Feb 28 23:03:53.403: ISAKMP:      auth RSA sig
Feb 28 23:03:53.403: ISAKMP:      life type in seconds
Feb 28 23:03:53.403: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Feb 28 23:03:53.403: ISAKMP:(0):atts are acceptable. Next payload is 0
Feb 28 23:03:53.403: ISAKMP:(0): processing vendor id payload
Feb 28 23:03:53.403: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Feb 28 23:03:53.407: ISAKMP (0:0): vendor ID is NAT-T v7
Feb 28 23:03:53.407: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 28 23:03:53.407: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Feb 28 23:03:53.411: ISAKMP (0:0): constructing CERT_REQ for issuer [email protected],cn=IOUCA.test.com,ou=IT,o=GD,st=ON,c=CA
Feb 28 23:03:53.411: ISAKMP:(0): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Feb 28 23:03:53.411: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 28 23:03:53.411: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 28 23:03:53.415: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Feb 28 23:03:53.507: ISAKMP (0:0): received packet from 12.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Feb 28 23:03:53.515: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 28 23:03:53.515: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Feb 28 23:03:53.527: ISAKMP:(0): processing KE payload. message ID = 0
Feb 28 23:03:53.547: ISAKMP:(0): processing NONCE payload. message ID = 0
Feb 28 23:03:53.547: ISAKMP:(1003): processing CERT_REQ payload. message ID = 0
Feb 28 23:03:53.551: ISAKMP:(1003): peer wants a CT_X509_SIGNATURE cert
Feb 28 23:03:53.555: ISAKMP:(1003): peer wants cert issued by [email protected],cn=IOUCA.test.com,ou=IT,o=GD,st=ON,c=CA
Feb 28 23:03:53.555:  Choosing trustpoint CA-VPN as issuer
Feb 28 23:03:53.555: ISAKMP:(1003): processing vendor id payload
Feb 28 23:03:53.555: ISAKMP:(1003): vendor ID is Unity
Feb 28 23:03:53.555: ISAKMP:(1003): processing vendor id payload
Feb 28 23:03:53.555: ISAKMP:(1003): vendor ID is DPD
Feb 28 23:03:53.555: ISAKMP:(1003): processing vendor id payload
Feb 28 23:03:53.555: ISAKMP:(1003): speaking to another IOS box!
Feb 28 23:03:53.555: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 28 23:03:53.559: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM4

Feb 28 23:03:53.567: ISAKMP:(1003):Send initial contact
Feb 28 23:03:53.583: ISAKMP:(1003):My ID configured as IPv4 Addr, but Addr not in Cert!
Feb 28 23:03:53.583: ISAKMP:(1003):Using FQDN as My ID
Feb 28 23:03:53.583: ISAKMP:(1003):SA is doing RSA signature authentication using id type ID_FQDN
Feb 28 23:03:53.583: ISAKMP (0:1003): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : R2.gd.com
        protocol     : 17
        port         : 500
        length       : 17
Feb 28 23:03:53.583: ISAKMP:(1003):Total payload length: 17
Feb 28 23:03:53.587: ISAKMP (0:1003): constructing CERT payload for [email protected],cn=R2.gd.com,ou=GD,o=IT,st=ON,c=CA
Feb 28 23:03:53.591: ISAKMP:(1003): using the EXAMPLE-VPN trustpoint’s keypair to sign
Feb 28 23:03:53.643: ISAKMP:(1003): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Feb 28 23:03:53.643: ISAKMP:(1003):Sending an IKE IPv4 Packet.
Feb 28 23:03:53.647: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 28 23:03:53.647: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5

Feb 28 23:03:53.811: ISAKMP (0:1003): received packet from 12.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb 28 23:03:53.819: ISAKMP:(1003): processing ID payload. message ID = 0
Feb 28 23:03:53.819: ISAKMP (0:1003): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : R1.gd.com
        protocol     : 17
        port         : 500
        length       : 17
Feb 28 23:03:53.827: ISAKMP:(0):: peer matches *none* of the profiles
Feb 28 23:03:53.827: ISAKMP:(1003): processing CERT payload. message ID = 0
Feb 28 23:03:53.831: ISAKMP:(1003): processing a CT_X509_SIGNATURE cert
Feb 28 23:03:53.863: ISAKMP:(1003): peer’s pubkey isn’t cached
Feb 28 23:03:53.887: ISAKMP:(1003): OU = IT
Feb 28 23:03:53.887: ISAKMP:(0):: peer matches *none* of the profiles
Feb 28 23:03:53.891: ISAKMP:(1003): processing SIG payload. message ID = 0
Feb 28 23:03:53.895: ISAKMP:(1003):SA authentication status:
        authenticated
Feb 28 23:03:53.895: ISAKMP:(1003):SA has been authenticated with 12.1.1.1
Feb 28 23:03:53.899: ISAKMP: Trying to insert a peer 12.1.1.2/12.1.1.1/500/,  and inserted successfully 64937F58.
Feb 28 23:03:53.903: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 28 23:03:53.903: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6

Feb 28 23:03:53.911: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 28 23:03:53.911: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_I_MM6

Feb 28 23:03:53.915: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 28 23:03:53.915: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Feb 28 23:03:53.919: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of -1497599522
Feb 28 23:03:53.923: ISAKMP:(1003):QM Initiator gets spi
Feb 28 23:03:53.927: ISAKMP:(1003): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
Feb 28 23:03:53.927: ISAKMP:(1003):Sending an IKE IPv4 Packet.
Feb 28 23:03:53.931: ISAKMP:(1003):Node -1497599522, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Feb 28 23:03:53.931: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Feb 28 23:03:53.935: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Feb 28 23:03:53.939: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Feb 28 23:03:53.983: ISAKMP (0:1003): received packet from 12.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
Feb 28 23:03:53.995: ISAKMP:(1003): processing HASH payload. message ID = -1497599522
Feb 28 23:03:53.995: ISAKMP:(1003): processing SA payload. message ID = -1497599522
Feb 28 23:03:53.999: ISAKMP:(1003):Checking IPSec proposal 1
Feb 28 23:03:53.999: ISAKMP: transform 1, ESP_DES
Feb 28 23:03:53.999: ISAKMP:   attributes in transform:
Feb 28 23:03:54.003: ISAKMP:      encaps is 1 (Tunnel)
Feb 28 23:03:54.003: ISAKMP:      SA life type in seconds
Feb 28 23:03:54.003: ISAKMP:      SA life duration (basic) of 3600
Feb 28 23:03:54.007: ISAKMP:      SA life type in kilobytes
Feb 28 23:03:54.007: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Feb 28 23:03:54.011: ISAKMP:      authenticator is HMAC-SHA
Feb 28 23:03:54.015: ISAKMP:(1003):atts are acceptable.
Feb 28 23:03:54.019: ISAKMP:(1003): processing NONCE payload. message ID = -1497599522
Feb 28 23:03:54.023: ISAKMP:(1003): processing ID payload. message ID = -1497599522
Feb 28 23:03:54.023: ISAKMP:(1003): processing ID payload. message ID = -1497599522
Feb 28 23:03:54.039: ISAKMP:(1003): Creating IPSec SAs
Feb 28 23:03:54.039:         inbound SA from 12.1.1.1 to 12.1.1.2 (f/i)  0/ 0
        (proxy 1.1.1.0 to 2.2.2.0)
Feb 28 23:03:54.039:         has spi 0x2F50201E and conn_id 0
Feb 28 23:03:54.039:         lifetime of 3600 seconds
Feb 28 23:03:54.039:         lifetime of 4608000 kilobytes
Feb 28 23:03:54.039:         outbound SA from 12.1.1.2 to 12.1.1.1 (f/i) 0/0
        (proxy 2.2.2.0 to 1.1.1.0)
Feb 28 23:03:54.039:         has spi  0x9FC207B5 and conn_id 0
Feb 28 23:03:54.039:         lifetime of 3600 seconds
Feb 28 23:03:54.039:         lifetime of 4608000 kilobytes
Feb 28 23:03:54.043: ISAKMP:(1003): sending packet to 12.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
Feb 28 23:03:54.043: ISAKMP:(1003):Sending an IKE IPv4 Packet.
Feb 28 23:03:54.047: ISAKMP:(1003):deleting node -1497599522 error FALSE reason “No Error”
Feb 28 23:03:54.051: ISAKMP:(1003):Node -1497599522, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Feb 28 23:03:54.055: ISAKMP:(1003):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

R1#sh run
Building configuration…

Current configuration : 5322 bytes
!
! Last configuration change at 22:41:38 UTC Tue Feb 28 2012
! NVRAM config last updated at 22:41:39 UTC Tue Feb 28 2012
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip domain name gd.com
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint CA-VPN
 revocation-check none
 rsakeypair CA-VPN
!
!
crypto pki certificate chain CA-VPN
 certificate 02
  30820242 308201AB A0030201 02020102 300D0609 2A864886 F70D0101 05050030
  6C310B30 09060355 04061302 4341310B 30090603 55040813 024F4E31 0B300906
  0355040A 13024744 310B3009 06035504 0B130249 54311730 15060355 0403130E
  494F5543 412E7465 73742E63 6F6D311D 301B0609 2A864886 F70D0109 01160E61
  646D696E 40746573 742E636F 6D301E17 0D313230 32323631 32303530 305A170D
  31333032 32363132 30353030 5A306231 0B300906 03550406 13024341 310B3009
  06035504 0813024F 4E310B30 09060355 040A1302 4744310B 30090603 55040B13
  02495431 12301006 03550403 13095231 2E67642E 636F6D31 18301606 092A8648
  86F70D01 09011609 52314067 642E636F 6D30819F 300D0609 2A864886 F70D0101
  01050003 818D0030 81890281 8100CA0A 54AE595E 801B2C6A A17BD53E EB2DCFE2
  6024860B 5129AEDA D47D275E F734EA92 2F10CBC2 F85CCBD0 306AA185 EA754449
  6DF36140 FCC22B15 75F8D037 F937381F 8FA7A21E 58659BD4 CCC1EEA5 5DB1F974
  3B6A7AD5 A7EF3210 3F89ED90 83E5B664 415B2BD9 F897C6C3 5006F5EF AD66476B
  D6612696 70488749 3EF15737 8AF30203 01000130 0D06092A 864886F7 0D010105
  05000381 8100A469 1FCF0C5B 270CFD73 20FBA365 7BF161DD D067D56C AEB9AA75
  A8726E7B D0D98A71 686723A7 3A11FAD5 A270A6D8 ECDABBFE 3508FD2D 98D9363D
  A4C825FE A0316093 25F0B74E FB338E88 A76F9FB8 DCE2AD64 8D36D8BA 6D38A247
  9B41D785 6D6C4568 696B740A EC3564C4 13E6E010 C745D1C2 9BA2C3C7 32DF393B
  0CC89CDB DDB1
  quit
 certificate ca 01
  3082028D 308201F6 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  6C310B30 09060355 04061302 4341310B 30090603 55040813 024F4E31 0B300906
  0355040A 13024744 310B3009 06035504 0B130249 54311730 15060355 0403130E
  494F5543 412E7465 73742E63 6F6D311D 301B0609 2A864886 F70D0109 01160E61
  646D696E 40746573 742E636F 6D301E17 0D313230 32323631 31343230 305A170D
  32323032 32363131 34323030 5A306C31 0B300906 03550406 13024341 310B3009
  06035504 0813024F 4E310B30 09060355 040A1302 4744310B 30090603 55040B13
  02495431 17301506 03550403 130E494F 5543412E 74657374 2E636F6D 311D301B
  06092A86 4886F70D 01090116 0E61646D 696E4074 6573742E 636F6D30 819F300D
  06092A86 4886F70D 01010105 0003818D 00308189 02818100 D9212BBE A32192CA
  8D70EB0E AEDFA75C EA8C9246 2DE029C2 F49437CD 68A642B3 BFE6C8D0 5690A00B
  A1754E59 0D325D14 5559C2B6 1F9E4B25 84833FF8 E6655095 5F1145AF 950F4268
  025A1BED 963A62AA 8E3097B0 617683AB 1B9F2BC4 795E9FDA 2D75A45B E8189352
  EB6830C2 9DC5ECF6 36FD17E0 229CCF87 57042DE7 1EF0AE67 02030100 01A33F30
  3D300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 14E1EDA6
  1FF8FD33 EAB1F0CE 68A3003C 0A33EB05 D3300B06 03551D0F 04040302 0106300D
  06092A86 4886F70D 01010505 00038181 00878CFA 9EE53C82 9870147C 7CCC2495
  071E6F25 56A5D0BA 94FA3BCE D429E02C 443B1830 762AE21A AAA9A809 CA1F534E
  7396AC3B 98983729 08974DB3 849173CC 640F4E48 8A664153 D42987FD CD46874B
  90090B32 36086E9D F39FF6B8 5EB0030D CDD4BEEA 4249C6EB ED09061F 881C7C23
  07CEE9A3 331091C6 7C8F4616 959844E4 85
  quit
!
!
!
!
!
crypto isakmp policy 10
!
!
crypto ipsec transform-set P2-Transform esp-des esp-sha-hmac
!
crypto map P2-Transform 10 ipsec-isakmp
 set peer 12.1.1.2
 set transform-set P2-Transform
 match address acl_vpn
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 12.1.1.1 255.255.255.0
 no fair-queue
 clock rate 2000000
 crypto map P2-Transform
!
interface FastEthernet1/0
 no switchport
 ip address 10.50.2.100 255.255.255.0
!
interface FastEthernet1/1
!

interface Vlan1
 no ip address
!
ip route 0.0.0.0 0.0.0.0 10.50.2.1
ip route 2.2.2.0 255.255.255.0 12.1.1.2
!
!
ip http server
no ip http secure-server
!
ip access-list extended acl_vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
ntp master
!
end

R1#

By Jon

One thought on “Cisco IOU IPsec Site to Site VPN with External Third Party CA (XCA) – Part 3”

Leave a Reply