Using certificate authentication with IKEv1 [Cisco IOS]
This post walks through an IKEv1 configuration on Cisco IOS that authenticates the peers with X.509 certificates instead of a pre-shared key.
Environment

An IPsec tunnel is established between site-a-rtr and site-b-rtr over a static VTI, and the IKEv1 negotiation that sets up the IPsec SA is configured to use certificate authentication.
The configuration is explained using site-a-rtr; site-b-rtr's configuration is almost identical, and the parameters that differ are noted where they occur.
Separately from the two routers, a private CA was built on Ubuntu 20.04.
root@77db231258fe:~# lsb_release -d
Description:    Ubuntu 20.04.3 LTS
root@77db231258fe:~#
The routers have no network reachability to the CA, so certificates were exchanged by copy and paste through the router console.
Certificate enrollment
Build the private CA and enroll certificates on the routers.
Building the private CA
CA.pl, which ships with OpenSSL, builds a simple private CA with one command.
root@77db231258fe:~# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
====
openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
Generating a RSA private key
...................+++++
................................+++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:myrootca.example.co.jp
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
====
openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
7d:3c:cf:bf:4c:52:4f:13:ae:05:d0:7b:8b:90:7d:62:7e:85:54:22
Validity
Not Before: Dec 27 14:00:07 2021 GMT
Not After : Dec 26 14:00:07 2024 GMT
Subject:
countryName = JP
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = myrootca.example.co.jp
X509v3 extensions:
X509v3 Subject Key Identifier:
08:CA:D1:7C:6E:A5:2F:8A:FD:80:82:9C:DD:13:15:FE:44:C5:AA:B7
X509v3 Authority Key Identifier:
keyid:08:CA:D1:7C:6E:A5:2F:8A:FD:80:82:9C:DD:13:15:FE:44:C5:AA:B7
X509v3 Basic Constraints: critical
CA:TRUE
Certificate is to be certified until Dec 26 14:00:07 2024 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
==> 0
====
CA certificate is in ./demoCA/cacert.pem
root@77db231258fe:~#
The files the CA needs are created under ./demoCA.
root@77db231258fe:~# tree
.
`-- demoCA
|-- cacert.pem
|-- careq.pem
|-- certs
|-- crl
|-- crlnumber
|-- index.txt
|-- index.txt.attr
|-- index.txt.old
|-- newcerts
| `-- 7D3CCFBF4C524F13AE05D07B8B907D627E855422.pem
|-- private
| `-- cakey.pem
`-- serial
5 directories, 9 files
root@77db231258fe:~#
./demoCA/cacert.pem is the certificate of the CA just built.
Registering the private CA certificate on the router
Print the CA certificate so it can be pasted into the router.
root@77db231258fe:~# openssl x509 -in demoCA/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDrTCCApWgAwIBAgIUfTzPv0xSTxOuBdB7i5B9Yn6FVCIwDQYJKoZIhvcNAQEL
** omitted **
JcuITZvnfwU8Ye7iDcT2KTUd6RzGhFTR2AyQf+o5Pt6o
-----END CERTIFICATE-----
root@77db231258fe:~#
Create a trustpoint on the router and register the private CA certificate. enrollment terminal pem means certificates are pasted through the console as PEM text. Before answering yes to the prompt below, compare the fingerprints the router displays with the fingerprint of demoCA/cacert.pem computed on the CA host: a CA certificate accepted without this check is a CA whose every issued certificate the router will trust, whoever actually holds its key.
site-a-rtr(config)#
site-a-rtr(config)#
site-a-rtr(config)#crypto pki trustpoint mytp
site-a-rtr(ca-trustpoint)#
site-a-rtr(ca-trustpoint)#enrollment terminal pem
site-a-rtr(ca-trustpoint)#
site-a-rtr(ca-trustpoint)#crypto pki authenticate mytp
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIDrTCCApWgAwIBAgIUfTzPv0xSTxOuBdB7i5B9Yn6FVCIwDQYJKoZIhvcNAQEL
** omitted **
JcuITZvnfwU8Ye7iDcT2KTUd6RzGhFTR2AyQf+o5Pt6o
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
Fingerprint MD5: 754A6222 8E1B5196 BECFCDB2 6A04D0B4
Fingerprint SHA1: 37D5FBD8 69A755C9 51184215 13318A3A 9386BC01
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
site-a-rtr(config)#
site-a-rtr(config)#
Generating a certificate signing request (CSR) on the router
To have the router's certificate signed by the private CA, generate a CSR on the router.
First generate the RSA key pair the certificate will use. ip domain name must be set beforehand, because the router's FQDN (hostname plus domain) is used to name the key and later as its IKE identity. 1024 bits was chosen here to keep the lab quick; use 2048 bits or more in practice.
site-a-rtr(config)#ip domain name example.co.jp
site-a-rtr(config)#crypto key generate rsa signature label mytp-rsa-key
The name for the keys will be: mytp-rsa-key
Choose the size of the key modulus in the range of 360 to 4096 for your
  Signature Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

site-a-rtr(config)#
Output the CSR. The trustpoint is given the subject name, the key pair to use, and revocation-check none, which disables CRL/OCSP checking. That is tolerable here only because the routers cannot reach the CA at all; in a production deployment point revocation-check at a reachable CRL distribution point or OCSP responder, otherwise a compromised router certificate stays valid until it expires.
On site-b-rtr, the subject-name is CN=site-b-rtr.example.co.jp.
site-a-rtr(config)#crypto pki trustpoint mytp
site-a-rtr(ca-trustpoint)#subject-name CN=site-a-rtr.example.co.jp
site-a-rtr(ca-trustpoint)#revocation-check none
site-a-rtr(ca-trustpoint)#rsakeypair mytp-rsa-key
site-a-rtr(ca-trustpoint)#crypto pki enroll mytp
% Start certificate enrollment ..

% The subject name in the certificate will include: CN=site-a-rtr.example.co.jp
% The subject name in the certificate will include: site-a-rtr.example.co.jp
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
MIIBrTCCARYCAQAwTDEhMB8GA1UEAxMYc2l0ZS1hLXJ0ci5leGFtcGxlLmNvLmpw
** omitted **
Km1r+edxafhgYgdXhKpVB//EQXSF41V6WFJAgwM/zb1UkctkKyO0dnnII/05tH8Q
Qg==
-----END CERTIFICATE REQUEST-----

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
site-a-rtr(config)#
The block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- is the CSR; copy it.
Signing the router certificate
Paste the router's CSR into a file on the private CA host.
root@77db231258fe:~# cat << 'EOF' > site-a-rtr.csr
> -----BEGIN CERTIFICATE REQUEST-----
> MIIBrTCCARYCAQAwTDEhMB8GA1UEAxMYc2l0ZS1hLXJ0ci5leGFtcGxlLmNvLmpw
> ** omitted **
> Km1r+edxafhgYgdXhKpVB//EQXSF41V6WFJAgwM/zb1UkctkKyO0dnnII/05tH8Q
> Qg==
> -----END CERTIFICATE REQUEST-----
> EOF
root@77db231258fe:~#
Issue the router certificate from the private CA. -policy policy_anything is required because the default policy_match insists that the CSR's C, ST and O match the CA's, while the router's CSR carries only a CN. Check the Subject printed below against the CSR you expected before answering y.
root@77db231258fe:~# openssl ca -in site-a-rtr.csr -policy policy_anything -out site-a-rtr.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
7d:3c:cf:bf:4c:52:4f:13:ae:05:d0:7b:8b:90:7d:62:7e:85:54:23
Validity
Not Before: Dec 29 00:07:54 2021 GMT
Not After : Dec 29 00:07:54 2022 GMT
Subject:
commonName = site-a-rtr.example.co.jp
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F9:2B:6B:F6:86:ED:23:8F:42:DF:BE:C6:17:50:5C:CF:0F:F5:E1:3E
X509v3 Authority Key Identifier:
keyid:08:CA:D1:7C:6E:A5:2F:8A:FD:80:82:9C:DD:13:15:FE:44:C5:AA:B7
Certificate is to be certified until Dec 29 00:07:54 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@77db231258fe:~#
Print the issued certificate.
root@77db231258fe:~# openssl x509 -in site-a-rtr.crt
-----BEGIN CERTIFICATE-----
MIIDDjCCAfagAwIBAgIUfTzPv0xSTxOuBdB7i5B9Yn6FVCMwDQYJKoZIhvcNAQEL
** omitted **
llRtLbuzhfRTYrUY0qHl64Lx
-----END CERTIFICATE-----
root@77db231258fe:~#
The block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- is site-a-rtr's certificate; copy it.
Registering the issued certificate on the router
site-a-rtr(config)#crypto pki import mytp certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
MIIDDjCCAfagAwIBAgIUfTzPv0xSTxOuBdB7i5B9Yn6FVCMwDQYJKoZIhvcNAQEL
** omitted **
llRtLbuzhfRTYrUY0qHl64Lx
-----END CERTIFICATE-----
quit

Received General Purpose certificate for signature keypair
Do you wish to accept this certificate? [yes/no]: yes
% Router Certificate successfully imported
site-a-rtr(config)#
Confirm that both the router certificate and the CA certificate are now associated with the trustpoint. The serial numbers should match those printed by openssl ca above.
site-a-rtr#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 7D3CCFBF4C524F13AE05D07B8B907D627E855423
Certificate Usage: General Purpose
Issuer:
cn=myrootca.example.co.jp
o=Internet Widgits Pty Ltd
st=Some-State
c=JP
Subject:
Name: site-a-rtr.example.co.jp
cn=site-a-rtr.example.co.jp
Validity Date:
start date: 00:07:54 UTC Dec 29 2021
end date: 00:07:54 UTC Dec 29 2022
Associated Trustpoints: mytp
CA Certificate
Status: Available
Certificate Serial Number (hex): 7D3CCFBF4C524F13AE05D07B8B907D627E855422
Certificate Usage: General Purpose
Issuer:
cn=myrootca.example.co.jp
o=Internet Widgits Pty Ltd
st=Some-State
c=JP
Subject:
cn=myrootca.example.co.jp
o=Internet Widgits Pty Ltd
st=Some-State
c=JP
Validity Date:
start date: 14:00:07 UTC Dec 27 2021
end date: 14:00:07 UTC Dec 26 2024
Associated Trustpoints: mytp
site-a-rtr#
Certificate enrollment is now complete.
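As an added example, not code from the original post or from CA.pl, the CA-side steps above can be done non-interactively with plain openssl, together with two checks the interactive walk-through leaves out: printing the CA certificate fingerprints in the layout IOS shows at crypto pki authenticate, and inspecting the CSR before signing plus verifying the issued certificate against the CA before it is pasted into the router. The file names, the helper function names and the throw-away keys are this example's own; the router key it generates merely stands in for the CSR that crypto pki enroll would print, since a real router's key never leaves the device.

```shell
#!/bin/sh
# Added example (not code from the original post or from CA.pl): the CA-side
# steps above, done non-interactively with plain openssl, plus two checks the
# interactive walk-through skips:
#   1. the CA certificate fingerprints in the layout IOS shows during
#      "crypto pki authenticate", to compare before answering "yes";
#   2. a look at the CSR before signing, and a chain check on the issued
#      certificate before it is pasted into the router.
# Every key and certificate here is throw-away material made in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config. The CA gets CA:TRUE + keyCertSign; a router
# certificate gets CA:FALSE + digitalSignature, all it needs for IKE RSA-sig.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_router ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME CN : self-signed CA, the equivalent of "CA.pl -newca".
# (-nodes is for the demo only; a real CA key stays passphrase-protected.)
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1095 \
        -config "$WORK/ca.cnf" -extensions v3_ca -subj "/C=JP/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# ios_fingerprint CERT md5|sha1 : openssl prints "SHA1 Fingerprint=AB:CD:...",
# IOS prints upper-case hex in space-separated groups of eight.
ios_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" \
        | sed -e 's/^.*=//' -e 's/://g' -e 's/.\{8\}/& /g' -e 's/ $//'
}

# csr_cn CSR : the CN the router asked for; review it before signing.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# sign_router_cert CSR OUT : refuse CSRs outside our domain, then issue a
# 365-day end-entity certificate (what "openssl ca -policy policy_anything"
# did above, minus the interactive prompts).
sign_router_cert() {
    case "$(csr_cn "$1")" in
        *.example.co.jp) ;;
        *) echo "refusing CSR for CN=$(csr_cn "$1")" >&2; return 1 ;;
    esac
    openssl x509 -req -in "$1" -days 365 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/ca.cnf" -extensions v3_router \
        -out "$2" 2>/dev/null
}

# verify_chain CA CERT : exit 0 if CERT was issued by CA, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca ca    myrootca.example.co.jp
make_ca rogue rogue-ca.example.net      # a CA we do not trust, for the negative check

echo "Compare with the router's 'crypto pki authenticate' prompt:"
echo "  Fingerprint MD5:  $(ios_fingerprint "$WORK/ca.crt" md5)"
echo "  Fingerprint SHA1: $(ios_fingerprint "$WORK/ca.crt" sha1)"

# Stand-in for the CSR pasted from "crypto pki enroll". A real router's key
# never leaves the router; this key exists only so that a CSR can be produced.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=site-a-rtr.example.co.jp" \
    -keyout "$WORK/site-a-rtr.key" -out "$WORK/site-a-rtr.csr" 2>/dev/null

echo "CSR requests CN=$(csr_cn "$WORK/site-a-rtr.csr")"
sign_router_cert "$WORK/site-a-rtr.csr" "$WORK/site-a-rtr.crt"
if verify_chain "$WORK/ca.crt" "$WORK/site-a-rtr.crt"; then
    echo "site-a-rtr.crt chains to myrootca; paste the output of:"
    echo "  openssl x509 -in site-a-rtr.crt    # into 'crypto pki import mytp certificate'"
fi
```

Run it on the CA host. The two Fingerprint lines are what to hold against the crypto pki authenticate prompt before answering yes, and sign_router_cert refuses any CSR whose CN is outside example.co.jp, the kind of issuance policy that openssl ca -policy policy_anything does not enforce on its own.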
IKEv1 configuration
Because the enrollment steps are interactive, configuration-mode output was shown above; from here on the configuration is shown as it appears in the running config.
ISAKMP profile
Bind the trustpoint that holds the certificate to the isakmp profile. On site-a-rtr, match identity is set to site-b-rtr's FQDN, site-b-rtr.example.co.jp; on site-b-rtr it is set to site-a-rtr's FQDN. self-identity fqdn makes the router send its own hostname plus ip domain name as its IKE identity, which is what the peer's match identity host is compared against.
crypto isakmp profile isakmp-profile1
 self-identity fqdn
 ca trust-point mytp
 match identity host site-b-rtr.example.co.jp
IPsec profile / IPsec transform-set
Bind the isakmp profile created above to the ipsec profile. The transform set is esp-aes (AES-128) with esp-sha-hmac (HMAC-SHA1) in tunnel mode.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-profile1
 set transform-set ESP-AES-SHA
 set isakmp-profile isakmp-profile1
show crypto ipsec profile <profile name> shows the resulting profile.
site-a-rtr#show crypto ipsec profile ipsec-profile1
IPSEC profile ipsec-profile1
ISAKMP Profile: isakmp-profile1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
ESP-AES-SHA: { esp-aes esp-sha-hmac } ,
}
site-a-rtr#
interface Tunnel0
Bind the ipsec profile to the tunnel interface.
interface Tunnel0
 ip address 10.0.0.0 255.255.255.254
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile ipsec-profile1
end
Bringing Tunnel0 up with no shutdown starts the IKEv1 negotiation. For a VTI the line protocol follows the IPsec SA, so Protocol up means the IPsec tunnel is established.
site-a-rtr#show ip int brief tu 0
Interface              IP-Address      OK? Method Status                Protocol
Tunnel0                10.0.0.0        YES manual up                    up
site-a-rtr#
Verification
IKEv1 SA
The Auth column reads rsig (RSA signature), which confirms that the IKEv1 SA was authenticated with certificates rather than a pre-shared key. No crypto isakmp policy is configured explicitly, so the proposal negotiated here (aes, sha, DH group 5, rsa-sig, 86400-second lifetime) comes from the IOS default ISAKMP policies.
site-a-rtr#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1019 203.0.113.0 203.0.113.1 ACTIVE aes sha rsig 5 23:55:16
Engine-id:Conn-id = SW:19
1020 203.0.113.0 203.0.113.1 ACTIVE aes sha rsig 5 23:55:16
Engine-id:Conn-id = SW:20
IPv6 Crypto ISAKMP SA
site-a-rtr#
Traffic between client1 and client2
Send traffic between client1 and client2 and confirm that it crosses the WAN encrypted.
On site-a-rtr, add a static route to 172.16.0.0/24 via the tunnel peer address 10.0.0.1.
site-a-rtr#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/31 is directly connected, Tunnel0
L 10.0.0.0/32 is directly connected, Tunnel0
172.16.0.0/24 is subnetted, 1 subnets
S 172.16.0.0 [1/0] via 10.0.0.1
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/1
L 192.168.0.254/32 is directly connected, GigabitEthernet0/1
203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.0.113.0/31 is directly connected, GigabitEthernet0/0
L 203.0.113.0/32 is directly connected, GigabitEthernet0/0
site-a-rtr#
On site-b-rtr, add the corresponding static route to 192.168.0.0/24 via 10.0.0.0.
site-b-rtr#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/31 is directly connected, Tunnel0
L 10.0.0.1/32 is directly connected, Tunnel0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/24 is directly connected, GigabitEthernet0/1
L 172.16.0.254/32 is directly connected, GigabitEthernet0/1
S 192.168.0.0/24 [1/0] via 10.0.0.0
203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.0.113.0/31 is directly connected, GigabitEthernet0/0
L 203.0.113.1/32 is directly connected, GigabitEthernet0/0
site-b-rtr#
With packet capture enabled on site-a-rtr GigabitEthernet0/0, ping client2 from client1.
cisco@client1:~$ ip -4 a show dev ens2
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 192.168.0.1/24 brd 192.168.0.255 scope global ens2
valid_lft forever preferred_lft forever
cisco@client1:~$
cisco@client1:~$ ping -c 3 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=62 time=4.92 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=62 time=5.27 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=62 time=14.3 ms
--- 172.16.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.921/8.154/14.269/4.325 ms
cisco@client1:~$
The packets are forwarded as ESP. Because the payload is encrypted, the ICMP packets themselves are not visible in the capture, but the Security Parameter Index (SPI) in the ESP header can be matched against the values shown by show crypto ipsec sa: packets arriving from 203.0.113.1 carry the inbound SPI, packets leaving for 203.0.113.1 carry the outbound SPI. Note also that the traffic selectors (local ident / remote ident) are 0.0.0.0/0: with a VTI, everything routed into Tunnel0 is protected, so the static routes above decide what gets encrypted.

site-a-rtr#show crypto ipsec sa interface tu 0
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 203.0.113.0
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 203.0.113.1 port 500
<-- snip -->
inbound esp sas:
spi: 0xBB80036A(3145728874) <-- here
transform: esp-aes esp-sha-hmac ,
<-- snip -->
outbound esp sas:
spi: 0xF07EC953(4034840915) <-- here
transform: esp-aes esp-sha-hmac ,
<-- snip -->
site-a-rtr#
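To make the SPI comparison concrete, here is an added example (not from the original post) that reads the SPI out of a hex dump of one IPv4/ESP packet and looks it up in the show crypto ipsec sa output above, checking that the SA direction agrees with the packet's addresses. The packet bytes are constructed for this example (a 20-byte IPv4 header from 203.0.113.1 to 203.0.113.0 with protocol 50/ESP, then an ESP header carrying the inbound SPI from the show output); SHOW_OUT is the snipped router output from above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): read the SPI off one captured
# IPv4/ESP packet and look it up in the "show crypto ipsec sa" output above,
# checking that the SA direction agrees with the packet's addresses.
set -eu

# Constructed sample packet as a hex string (what "tcpdump -x" would print,
# without spaces): 20-byte IPv4 header, protocol 0x32 = ESP, from the peer
# 203.0.113.1 to site-a-rtr 203.0.113.0; then the ESP header with
# SPI 0xBB80036A and sequence number 1, followed by (truncated) ciphertext.
PKT_HEX="450000880001000040320000cb007101cb007100bb80036a00000001c0ffee"

# Snipped "show crypto ipsec sa interface tu 0" output from the post.
SHOW_OUT='inbound esp sas:
spi: 0xBB80036A(3145728874)
transform: esp-aes esp-sha-hmac ,
outbound esp sas:
spi: 0xF07EC953(4034840915)
transform: esp-aes esp-sha-hmac ,'

# hex_at HEX BYTE_OFFSET BYTE_LEN : the hex digits of those bytes.
hex_at() {
    printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( ($2 + $3) * 2 ))"
}

# IPv4 header fields: protocol is byte 9, IHL is the low nibble of byte 0,
# source/destination addresses are bytes 12-15 and 16-19.
ip_protocol()  { hex_at "$1" 9 1; }
ip_ihl_bytes() { echo $(( 0x$(printf '%s' "$1" | cut -c 2) * 4 )); }
ip_addr() {      # ip_addr HEX BYTE_OFFSET -> dotted quad
    out=""
    for i in 0 1 2 3; do
        out="$out.$(( 0x$(hex_at "$1" $(( $2 + i )) 1) ))"
    done
    printf '%s\n' "${out#.}"
}

# esp_spi HEX : the SPI (first four bytes after the IP header) as 0xHEX,
# or a non-zero exit if the packet is not ESP at all.
esp_spi() {
    [ "$(ip_protocol "$1")" = "32" ] || {
        echo "not ESP: IP protocol 0x$(ip_protocol "$1")" >&2; return 1; }
    printf '0x%s\n' "$(hex_at "$1" "$(ip_ihl_bytes "$1")" 4 | tr 'a-f' 'A-F')"
}

# spi_direction SHOW SPI : inbound | outbound | unknown, by scanning the
# "inbound esp sas:" / "outbound esp sas:" blocks of the show output.
spi_direction() {
    printf '%s\n' "$1" | awk -v spi="$2" '
        /inbound esp sas/  { dir = "inbound" }
        /outbound esp sas/ { dir = "outbound" }
        /spi:/ && index(toupper($2), toupper(spi) "(") == 1 { print dir; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# check_packet HEX LOCAL_IP : "ok ..." when the SPI on the wire sits in the SA
# table under the direction the addresses imply (to us = inbound), otherwise
# "mismatch ..." (stale SA table, wrong peer, or a spoofed packet).
check_packet() {
    spi=$(esp_spi "$1") || return 1
    if [ "$(ip_addr "$1" 16)" = "$2" ]; then want=inbound; else want=outbound; fi
    got=$(spi_direction "$SHOW_OUT" "$spi")
    if [ "$got" = "$want" ]; then
        echo "ok: $spi is the $got SA"
    else
        echo "mismatch: $spi is $got in the SA table, packet direction says $want"
    fi
}

echo "$(ip_addr "$PKT_HEX" 12) -> $(ip_addr "$PKT_HEX" 16), ESP SPI $(esp_spi "$PKT_HEX")"
check_packet "$PKT_HEX" 203.0.113.0
```

Feed it the hex of a packet from the capture and site-a-rtr's own address; a packet from the peer whose SPI is only found under outbound esp sas, or not found at all, is the case worth investigating, since the router would drop it as not matching any inbound SA.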