Configuration Guide

White Paper
Guide to configuring a Virtual Private Network using
Cisco ISR & ASR to conform to Commercial
Product Assurance guidance
Cisco Integrated Services Routers (ISR) Generation-2 (G2) & Aggregation Services
Routers (ASR) are certified under CESG's Commercial Product Assurance (CPA)
scheme to provide a VPN at Foundation Grade.
This guide details the steps required to configure a Virtual Private Network (VPN)
using Cisco ISR / ASR routers that conforms to the Interim IPsec profile and CPA
configuration requirements.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Introduction
This guide gives detailed steps to configure a site-to-site VPN using the CPA approved algorithms and security
characteristics for IPsec security gateways. Cisco best practice configuration is used to meet the stated
deployment guidelines. This document is a guide and should be used in conjunction with the CESG Security
Procedures for Cisco ISR Series & Cisco ASR Series, which can be found in the CESG IA Portfolio.
The PSN Interim IPsec profile consists of an RFC-compliant implementation of IPsec with IKEv1 (RFCs 2408 and
2409 apply) using Extended Sequence Numbers, Encapsulating Security Payload (ESP, RFC 4303) and the
algorithms given below:
Table 1.    PSN Interim IPsec profile
Attribute                  Algorithm
Encryption                 AES128_CBC
Pseudo Random Function     SHA-1
Diffie-Hellman Group       Group 5 (1536 bits)
Signature                  RSA with X.509 certificates
At the time of writing the PSN Interim IPsec profile is the only certified profile for CPA use on Cisco ISR and ASR
routers.
The models certified for CPA are defined in the tables below.
Table 2.    Integrated Services Router certified models
Platform                              Models
Integrated Services Router (ISR) G2   800, 1900, 2900, 3900, 3900E, 4451-X
Table 3.    Aggregation Services Router certified models
Platform                              Models
Aggregation Services Router (ASR)     1001, 1002, 1002-X, 1004, 1006, 1013
Embedded Services Processor (ESP)     ASR1000-ESP5, ASR1000-ESP10, ASR1000-ESP20,
                                      ASR1000-ESP40, ASR1000-ESP100, ASR1000-ESP200
Cisco ASR 1000 Route Processor (RP)   ASR1000-RP1, ASR1000-RP2
For details on the compatibility of components in the Aggregation Services Router please refer to the following:
http://www.cisco.com/en/US/products/ps9343/prod_qandas_list.html
The configuration guide is based on the following fictitious topology:
Figure 1.    Topology used (diagram not reproduced): router R1 (interfaces 0/0 and 0/1; 192.0.2.1/30), router R2
(interfaces 0/0 and 0/1; 198.51.100.1/30) and the Certificate Authority (CA, 203.0.113.1/30).
The topology consists of two routers (R1 + R2) and a Certificate Authority (CA). All configuration will be shown from
router R1.
Download software for ISR / ASR Routers
All equipment should use at least the software version approved by CESG. The latest maintenance release should
be used when selecting an image. Details of the software can be found in the release notes. The ISR G2 routers
require IOS images; the ISR 4451-X and the ASR require IOS-XE images. Software should only be downloaded
from Cisco.com, never from 3rd party sites, and all software should be verified after download.
Table 4.    Minimum approved software
Platform                                   Software
Integrated Services Router (ISR)           15.1(4)M3
Aggregation Services Router (ASR)          3.4(S)
Integrated Services Router (ISR) 4451-X    3.9.1S
Table 5.    Recommended software
Platform                                   Software
Integrated Services Router (ISR)           15.2(4)M4
Aggregation Services Router (ASR)          3.7.4S
Integrated Services Router (ISR) 4451-X    3.10.1S
The latest software can be downloaded from (CCO login required)
http://software.cisco.com/download/navigator.html
Every file on CCO has a checksum listed. To verify the checksum of a file on a flash memory file system, or to
compute the Message Digest 5 (MD5) hash of a file, use the verify command in privileged EXEC mode. Comparing
the computed hash with the value published on CCO confirms that the file was downloaded without errors and has
not been altered since it was published; the digital signature check described below confirms that the image is
genuine Cisco software.
Cisco IOS software on ISR-G2 provides the ability to verify digitally signed software. The command show
software authenticity <image name> displays information about the software image. The command
show software authenticity running displays information related to software authentication for the
current ROMmon and the Cisco IOS image file used for booting. The display includes image credential information,
the key type used for verification, signature information, and other attributes in the signature envelope.
For additional details of digitally signed Cisco software for the ISR generation 2 routers, see:
http://www.cisco.com/en/US/partner/docs/ios-xml/ios/sys-image-mgmt/configuration/15-mt/sysimgmgmt-dgtly-sgndsw.html
Please note that for ISR G2 the Security license is required to utilise IPsec VPN technology. The ASR requires the
Advanced IP Services or Advanced Enterprise Services license to utilise IPSEC VPN technology.
Router bootstrap configuration
The device needs some base configuration before the VPN is configured. This configuration is mandatory so that the
device can generate an RSA keypair and has access to an authenticated, accurate time source, which is needed to
verify certificate validity dates and CRL update times correctly.
Please note: the device hardening should also be deployed before the device is connected to the network.
Configure hostname and domain name
hostname R1
ip domain-name <domain name>
Generate an RSA public/private keypair to be used for PKI operations; note that a keypair size of 2048 bits is used.
Here a label of r1.cisco.com is used to identify the keypair.
crypto key generate rsa general-keys modulus 2048 label r1.cisco.com
Authenticated time should be enabled if possible, in the example authenticated NTP is received from the service
provider network.
ntp authentication-key 1 md5 <password>
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.2 key 1
An access-control-list is used to only allow traffic from the defined NTP Server.
access-list 1 permit 192.0.2.2
ntp access-group peer 1
Correct NTP operation can be verified with the show ntp status command to confirm that the time is
synchronized.
R1#show ntp status
Clock is synchronized, stratum 2, reference is 192.0.2.2
<removed>
An access-control-list should be configured on the less trusted interface to only allow traffic from permitted hosts.
The following access-control-list allows ESP and IKE traffic from the tunnel peer and also returning HTTP traffic
from the certificate authority for certificate revocation checking. If NAT is used on the service provider network, UDP
port 4500 (NAT-T) should be allowed from the peer device. Note that the established keyword only matches TCP
segments with the ACK or RST bit set; it does not track connection state, so it should not be relied on for anything
beyond the returning CRL download shown here.
ip access-list extended outside_in
remark ESP for IPSEC tunnel
permit esp host 198.51.100.1 host 192.0.2.1
remark UDP for IKE traffic
permit udp host 198.51.100.1 eq isakmp host 192.0.2.1 eq isakmp
remark UDP for NAT-T IKE traffic
permit udp host 198.51.100.1 eq non500-isakmp host 192.0.2.1 eq non500-isakmp
remark HTTP for CRL checking
permit tcp host 203.0.113.1 eq www host 192.0.2.1 established
remark default deny all with log
deny ip any any log
This access-control-list should be applied to the less trusted interface.
interface GigabitEthernet0/0
ip access-group outside_in in
Certificate enrolment
The following describes how to manually configure the device to enroll into a Public Key Infrastructure (PKI). If
automatic enrolment is required using Simple Certificate Enrolment Protocol (SCEP), please consult the following.
http://www.cisco.com/en/US/partner/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book.html
Configure a local trustpoint to be used for PKI enrolment. This is configured to use manual enrolment via the
terminal (cut&paste), shown below. The subject name is created in x.500 format and the RSA keypair generated
earlier with label of r1.cisco.com is used.
crypto pki trustpoint ca
enrollment terminal
subject-name cn=r1, ou=cisco.com
revocation-check crl
rsakeypair r1.cisco.com
The certificate of the certificate authority must be installed into the router; this can be achieved by using the
command crypto pki authenticate ca and entering the certificate of the certificate authority in PEM
format. Before answering yes, the fingerprint (hash) printed by the router must be compared with the fingerprint
supplied separately by the certificate authority administrator; if they do not match, answer no, as the certificate
may have been substituted in transit.
R1(config)#crypto pki authenticate ca
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIICBzCCAXCgAwIBAgIBATANBgkqhkiG9w0BAQQFADAXMRUwEwYDVQQDEwxjYS5j
<removed>
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: F740295B C50434C1 2EF71D04 5BFADA2E
Fingerprint SHA1: 99AD68A8 DCDCCAF7 BB1D5D60 91554DE4 9D83D0AA
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
Although this certificate will not show in the running-configuration it will be stored in non-volatile ram (nvram).
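As an added example (not part of Cisco's guide), the following Python script performs the fingerprint comparison described above from a copy of the CA certificate obtained separately from the CA administrator: it hashes the DER encoding the way the router does, renders the digests in the router's groups of eight hex digits, and compares them with the Fingerprint lines pasted from the router prompt. The certificate body and the prompt text are constructed placeholders (the PEM decodes to the bytes "abc"), not the certificate shown above.

```python
"""Cross-check the CA fingerprints the router prints during crypto pki authenticate.

Added example, not code from Cisco's guide. The router hashes the DER encoding
of the CA certificate and prints the MD5 and SHA1 digests as groups of eight
hex digits. Computing the same digests from a copy of the CA certificate
obtained over a separate channel detects a certificate substituted on the way
to the router. The PEM body below is a constructed placeholder (base64 of the
bytes b"abc"), not a real certificate.
"""
import base64
import hashlib
import hmac
import re

# Constructed sample: what the CA administrator hands over out-of-band.
TRUSTED_CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed sample: the router's prompt, with digests matching the PEM above.
ROUTER_PROMPT = """Certificate has the following attributes:
Fingerprint MD5: 90015098 3CD24FB0 D6963F7D 28E17F72
Fingerprint SHA1: A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
% Do you accept this certificate? [yes/no]:"""


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body; the DER bytes are what gets hashed."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()))


def cisco_fingerprint(der, algo):
    """Digest in the router's display form: upper-case hex in groups of eight."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def parse_router_fingerprints(prompt):
    """Collect the 'Fingerprint MD5:' / 'Fingerprint SHA1:' lines as {algo: value}."""
    return {m.group(1).lower(): " ".join(m.group(2).split())
            for m in re.finditer(r"Fingerprint (MD5|SHA1):\s*([0-9A-Fa-f ]+)", prompt)}


def fingerprints_match(prompt, trusted_pem):
    """True only if the SHA1 line is present and every printed digest matches the trusted copy."""
    der = pem_to_der(trusted_pem)
    shown = parse_router_fingerprints(prompt)
    if "sha1" not in shown:
        return False  # an MD5 match alone is not an acceptable basis for trusting a CA
    return all(hmac.compare_digest(shown[algo].upper(), cisco_fingerprint(der, algo))
               for algo in shown)


if __name__ == "__main__":
    verdict = "ACCEPT" if fingerprints_match(ROUTER_PROMPT, TRUSTED_CA_PEM) else "REJECT"
    print(f"{verdict}: SHA1 {cisco_fingerprint(pem_to_der(TRUSTED_CA_PEM), 'sha1')}")
```

Replace the two placeholders with the real router prompt and the administrator's PEM; the script only reports ACCEPT when the SHA1 line is present and every digest the router printed matches.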
The router can now be enrolled to the CA using the command crypto pki enroll ca. This will create a
certificate signing request.
R1(config)#crypto pki enroll ca
% Start certificate enrollment ..
% The subject name in the certificate will include: r1.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIICgzCCAWsCAQAwHTEbMBkGCSqGSIb3DQEJAhYMcjEuY2lzY28uY29tMIIBIjAN
<removed>
The certificate signing request can then be processed by the certificate authority, which will issue an identity
certificate; these steps are out of scope of this document.
Once the certificate has been issued by the certificate authority it can be imported using the command crypto
pki import ca certificate. The following example uses base-64 format; PEM or PKCS12 can also be
used.
R1(config)#crypto pki import ca certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIICgDCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAXMRUwEwYDVQQDEwxjYS5j
<removed>
IcmucHIsD1ZvMh+TLyHc3XqCBmA=
-----END CERTIFICATE-----
% Router Certificate successfully imported
The certificate can be verified with the command show crypto pki certificates verbose <trustpoint name>.
R1#show crypto pki certificates verbose ca
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 04
Certificate Usage: General Purpose
Issuer:
cn=CA
Subject:
Name: R1
hostname=R1
cn=r1
ou=cisco.com
Validity Date:
start date: 13:27:25 JST Aug 15 2013
end   date: 13:27:25 JST Aug 15 2014
<removed>
Virtual Private Network configuration
Configure an ISAKMP policy to use the defined interim profile. The lifetime is set to 82800 seconds (23 hours)
because at Foundation Grade the product is required to check certificate revocation at least once per 24 hours and
terminate any connection where the certificate has been revoked. The certificate revocation check is performed
during the IKE exchange, so it happens whenever a new IKE SA is established. With an IKE lifetime of 82800 seconds
the IKE SA has expired by the time the IPSEC SA next rekeys (the IPSEC SA has a maximum lifetime of 1 hour), so a
new IKE SA is negotiated and the CRL check is repeated, keeping the interval between checks under 24 hours.
crypto isakmp policy 10
encr aes
group 5
lifetime 82800
The default authentication method (RSA signatures) and the default integrity algorithm (SHA-1) are not shown in the
running configuration; they can be confirmed using the command show crypto isakmp policy.
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               82800 seconds, no volume limit
An IPSEC transform set must be created to use AES in CBC mode, with SHA-1 integrity.
crypto ipsec transform-set esp-sha esp-aes esp-sha-hmac
An IPSEC profile is required that references the transform set. Perfect forward secrecy is enabled to ensure that a
new Diffie-Hellman exchange occurs on each rekey of an IPSEC SA, here using Diffie-Hellman group 5.
crypto ipsec profile interim_prime
set transform-set esp-sha
set pfs group5
A tunnel interface is required, configured with a source and a destination: the source must be a local interface and
the destination the IP address of the peer router. This tunnel must be protected with the IPSEC profile
created earlier.
interface Tunnel1
ip address 10.10.10.1 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 198.51.100.1
tunnel protection ipsec profile interim_prime
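As an added example (not code from Cisco or CESG), the following Python script audits a running-config excerpt against the settings built up in this section and the profile in Table 1: AES-128, SHA-1, DH group 5, RSA signatures, an IKE lifetime of at most 82800 seconds, PFS group 5, CRL revocation checking with no fallback, and a tunnel protected by a compliant profile. It applies the IOS defaults for lines the running-config omits, so an ISAKMP policy without a lifetime line is judged at the 86400-second default. Both sample configurations are constructed: one is the configuration from this guide, the other carries five deviations.

```python
"""Audit a Cisco IOS running-config excerpt against the PSN Interim IPsec profile.

Added example, not code from Cisco or CESG. It encodes Table 1 and the values
used in this guide: AES-128 CBC, SHA-1, DH group 5, RSA signatures, an IKE
lifetime of at most 82800 s, PFS group 5 and CRL revocation checking. Defaults
assumed for lines IOS omits from the running-config (encr des, hash sha,
authentication rsa-sig, group 1, lifetime 86400, revocation-check crl) are
standard IOS behaviour; the guide itself states only the hash and auth ones.
"""
IKE_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
IKE_REQUIRED = {"encr": {"aes", "aes 128"}, "hash": {"sha"},
                "authentication": {"rsa-sig"}, "group": {"5"}}
MAX_IKE_LIFETIME = 82800                  # 23 h, so a CRL check happens inside 24 h
TRANSFORMS_REQUIRED = {"esp-aes", "esp-sha-hmac"}

# Constructed sample: the configuration built up in this guide.
SAMPLE_OK = """\
crypto pki trustpoint ca
 enrollment terminal
 revocation-check crl
 rsakeypair r1.cisco.com
crypto isakmp policy 10
 encr aes
 group 5
 lifetime 82800
crypto ipsec transform-set esp-sha esp-aes esp-sha-hmac
crypto ipsec profile interim_prime
 set transform-set esp-sha
 set pfs group5
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile interim_prime
"""
# Constructed sample: five deviations a reviewer should catch.
SAMPLE_WEAK = """\
crypto pki trustpoint ca
 revocation-check none
 rsakeypair r1.cisco.com
crypto isakmp policy 10
 encr aes 256
 group 5
crypto ipsec transform-set esp-sha esp-aes esp-sha-hmac
crypto ipsec profile interim_prime
 set transform-set esp-sha
interface Tunnel1
 tunnel protection ipsec profile interim_prime
"""

def parse_sections(config):
    """Split IOS config text into (header line, [indented child lines]) blocks."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            sections.append((raw.strip(), []))
    return sections

def _find(children, prefix):
    """Text after `prefix` on the first child line that starts with it, else None."""
    return next((c[len(prefix):].strip() for c in children if c.startswith(prefix)), None)

def audit(config):
    """Return a list of findings; an empty list means the excerpt conforms."""
    # Single pass: IOS lists policies, transform sets, profiles and interfaces in
    # that order, so every object is seen before anything that references it.
    findings, good_sets, good_profiles = [], set(), set()
    for header, children in parse_sections(config):
        words = header.split()
        if header.startswith("crypto isakmp policy "):
            attrs = {k: _find(children, k + " ") or v for k, v in IKE_DEFAULTS.items()}
            for key, allowed in IKE_REQUIRED.items():
                if attrs[key] not in allowed:
                    findings.append(f"{header}: {key} '{attrs[key]}' is outside the profile")
            if int(attrs["lifetime"]) > MAX_IKE_LIFETIME:
                findings.append(f"{header}: lifetime {attrs['lifetime']} exceeds {MAX_IKE_LIFETIME} s")
        elif header.startswith("crypto ipsec transform-set "):
            if set(words[4:]) == TRANSFORMS_REQUIRED:
                good_sets.add(words[3])
            else:
                findings.append(f"{header}: transforms must be exactly esp-aes esp-sha-hmac")
        elif header.startswith("crypto pki trustpoint "):
            check = _find(children, "revocation-check ") or "crl"
            if check != "crl":                # 'none', or 'crl none' which silently falls back
                findings.append(f"{header}: revocation-check '{check}' (want 'crl' with no fallback)")
        elif header.startswith("crypto ipsec profile "):
            if _find(children, "set transform-set ") in good_sets and _find(children, "set pfs ") == "group5":
                good_profiles.add(words[3])
            else:
                findings.append(f"{header}: needs a compliant 'set transform-set' and 'set pfs group5'")
        elif header.startswith("interface Tunnel"):
            prot = _find(children, "tunnel protection ipsec profile ")
            if prot is None or prot.split()[0] not in good_profiles:
                findings.append(f"{header}: not protected by a compliant IPsec profile")
    return findings
```

Feed it the output of show running-config (or the relevant sections) and review each finding; an empty list means every object it understands matches the profile. It does not inspect objects it has no rule for, so a crypto map based configuration would need its own checks.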
Once the tunnel and the peer router are correctly configured, an IKE Security Association will be created. This can
be verified with the command show crypto isakmp sa detail, which also shows the negotiated encryption, hash,
authentication method and Diffie-Hellman group.
R1#show crypto isakmp sa detail
<removed>
IPv4 Crypto ISAKMP SA
C-id  Local          Remote         I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1004  192.0.2.1      198.51.100.1          ACTIVE  aes   sha   rsig  5   00:47:45
      Engine-id:Conn-id = SW:4
IPv6 Crypto ISAKMP SA
An IPSEC Security Association will also be built; this can be verified with the command show crypto ipsec sa. The
output confirms the transform set in use (esp-aes esp-sha-hmac), that Perfect Forward Secrecy with group 5 was
negotiated (PFS (Y/N): Y, DH group: group5) and, from the encaps/decaps counters, that traffic is being encrypted
and decrypted.
R1#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.0.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
current_peer 198.51.100.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 355, #pkts encrypt: 355, #pkts digest: 355
#pkts decaps: 355, #pkts decrypt: 355, #pkts verify: 355
<removed>
local crypto endpt.: 192.0.2.1, remote crypto endpt.: 198.51.100.1
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel1
current outbound spi: 0x351E7E2C(891190828)
PFS (Y/N): Y, DH group: group5
inbound esp sas:
spi: 0xC37C99C7(3279722951)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000046, crypto map:
Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4499851/2764)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
To view the Certificate Revocation List in use, use the command show crypto pki crls.
R1#show crypto pki crls
CRL Issuer Name:
cn=CA
LastUpdate: 12:54:12 JST Aug 30 2013
NextUpdate: 18:54:12 JST Aug 30 2013
Retrieved from CRL Distribution Point:
Secure management and monitoring
Regular audit log review should occur, with accurate timestamps enabled using the following commands.
service timestamps debug datetime msec
service timestamps log datetime msec
Please refer to the Cisco IOS Embedded Syslog Manager Command Reference for details of configuring message
logging.
http://www.cisco.com/en/US/docs/ios-xml/ios/esm/command/esm-cr-a1.html
Using TACACS+ for Authentication, Authorization and Accounting (AAA), commands can be locked down so that only
privileged users are able to configure certain features on the device. The following link provides details of enabling
TACACS+ on IOS.
http://www.cisco.com/en/US/partner/docs/ios-xml/ios/sec_usr_tacacs/configuration/15-mt/sec-cfg-tacacs.html
For example, TACACS+ command authorization could be configured so that any "crypto" command executed in global
configuration mode is accepted only from approved users.
Local user accounts should be configured as a fallback should the TACACS+ server become unavailable. The secret
keyword (rather than password) should be used so that the local password is stored as a hash rather than in
reversible type 7 encryption.
R1(config)#username user_name secret password
Cisco IOS can be configured to authenticate users that are permitted to access the device, additionally
Authorization can be used to limit commands to a user, or group that the user belongs. Please refer to the
Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15M&T, for further
information;
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-mt/sec-usr-aaa-15-mt-book.html
Role Based Access Control (RBAC) can be employed to limit the commands users are allowed to run. The Role-Based
CLI Access feature allows the network administrator to define "views," which are a set of operational commands
and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (config)
mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration
information; that is, a view can define what commands are accepted and what configuration information is visible.
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_role_base_cli.html?referring_site=bodynav
As per Cisco best practice, secure protocols should be used for monitoring and management access. If the device
is to be managed in-band then only HTTPS, SSH and SNMPv3 should be used.
Secure shell (SSH)
Generate an RSA keypair to be used for SSH access
crypto key generate rsa general-keys label sshkey modulus 2048
ip ssh rsa keypair-name sshkey
Enable SSH version 2
ip ssh version 2
For further information on configuring SSH;
http://www.cisco.com/en/US/partner/docs/ios-xml/ios/sec_usr_ssh/configuration/15-mt/sec-usr-ssh-15-mtbook.html
To disable all remote login methods except SSH on the virtual terminal lines, enter the command transport
input ssh under all the virtual terminal lines.
line vty 0 <last line number>
transport input ssh
SNMPv3
Simple Network Management Protocol version 3 (SNMPv3) should be used for secure management. This requires
a local username to be configured along with a group and views. Example configuration is shown below to create a
user, group and views. The user is configured with SHA authentication and AES-128 privacy; the host line uses the
priv security level, matching the group, so that notifications sent to the management station are encrypted as well
as authenticated. Note that a write view of the whole iso subtree gives the user full write access to the device; restrict
the views to the objects that are actually required.
snmp-server group V3Group v3 priv read V3Read write V3Write
snmp-server user V3User V3Group v3 auth sha <auth_password> priv aes 128 <priv_password>
snmp-server view V3Read iso included
snmp-server view V3Write iso included
snmp-server host <IP_address> version 3 priv V3User
snmp-server enable traps
For further information on configuring SNMPv3;
http://www.cisco.com/en/US/partner/docs/ios-xml/ios/snmp/configuration/15-mt/snmp-15-mt-book.html
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) can be used for administration. This is enabled using the following
command.
ip http secure-server
Additional information on HTTPS;
http://www.cisco.com/en/US/partner/docs/ios-xml/ios/https/configuration/15-mt/nm-https-sc-ssl3.html
By default Cisco routers have a number of services enabled that have security weaknesses; these should be
disabled if they are not required.
The following global services should be disabled on the router if configured and not required:
• PAD--Enables all packet assembler and disassembler (PAD) commands and connections between PAD
  devices and access servers. If enabled, it can leave your device vulnerable to attacks.
  no service pad
• Bootp Server--Bootp is an insecure protocol that can be exploited for an attack.
  no ip bootp server
• HTTP Server--Without secure-http or authentication embedded in the HTTP server with an associated
  ACL, the HTTP server is insecure and can be exploited for an attack. (If you must enable the HTTP
  server, you are prompted for the proper authentication or access list.)
  no ip http server
• CDP--If a large number of Cisco Discovery Protocol (CDP) packets are sent to the router, the available
  memory of the router can be consumed.
  no cdp run
• Source Routing--Provided only for debugging purposes, so source routing should be disabled in all other
  cases. Otherwise, packets may slip past some of the access control mechanisms that they should have gone
  through.
  no ip source-route
The following global services should be enabled:
• The service password-encryption command--Prevents passwords from being visible in plain text in the
  configuration. Note that this type 7 encryption is reversible and protects only against casual disclosure; local
  accounts should use the secret keyword as described above.
  service password-encryption
• The service tcp-keepalives-in and service tcp-keepalives-out commands--Ensure that
  abnormally terminated TCP sessions are removed.
  service tcp-keepalives-in
  service tcp-keepalives-out
Interface configuration
• ICMP redirects--Do not add useful functionality to a correctly configured network and have the
  potential to be used by attackers.
  no ip redirects
• ICMP unreachables--Internet Control Message Protocol (ICMP) unreachables are a known cause of
  some ICMP-based denial of service (DoS) attacks and can be used by an attacker to glean information
  about permitted traffic in an access-control-list.
  no ip unreachables
• Proxy-Arp--Proxy-Arp requests are a known cause of DoS attacks because the available bandwidth and
  resources of the router can be consumed in an attempt to respond to the repeated requests that are sent
  by an attacker. Proxy-arp can also be used to map internal networks.
  no ip proxy-arp
• Maintenance Operations Protocol (MOP) service--MOP was developed by Digital Equipment Corporation
  to be used for remote communications between hosts and servers. Cisco IOS software routers implement
  MOP to gather configuration information when communicating with DECnet networks. This should be
  disabled.
  no mop enabled
To view the open ports, issue the command show control-plane host open-ports.
R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot   Local Address   Foreign Address   Service      State
tcp    *:22            *:0               SSH-Server   LISTEN
tcp    *:23            *:0               Telnet       LISTEN
udp    *:123           *:0               NTP          LISTEN
udp    *:4500          *:0               ISAKMP       LISTEN
udp    *:500           *:0               ISAKMP       LISTEN
Note that this output still shows a Telnet listener on tcp/23; confirm that transport input ssh has been applied to
every vty line and that only the services required (here SSH, NTP and IKE/NAT-T) remain listening.
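As an added example (not part of Cisco's guide), the following Python script parses the output of show control-plane host open-ports and reports any listener that is not on an allow-list of the services this guide's configuration needs (SSH, HTTPS, SNMPv3, NTP and IKE with NAT-T). The sample output is re-typed from the table above with assumed column spacing; the regular expression tolerates other spacing. Run against the sample it reports the Telnet listener.

```python
"""Flag unexpected listeners in `show control-plane host open-ports` output.

Added example, not code from Cisco's guide. The allow-list is the set of
services this guide's configuration needs: SSH (tcp/22) and HTTPS (tcp/443)
for management, SNMPv3 (udp/161), NTP (udp/123) and IKE with NAT-T (udp/500,
udp/4500). Anything else in LISTEN state, such as the Telnet listener in the
guide's own sample output, is reported. The column spacing of the sample is an
assumption; the parser keys on the content, not the spacing.
"""
import re

ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 161), ("udp", 123),
           ("udp", 500), ("udp", 4500)}

# Constructed sample: the guide's output, re-typed as a table.
SAMPLE = """\
Active internet connections (servers and established)
Prot   Local Address   Foreign Address   Service      State
tcp    *:22            *:0               SSH-Server   LISTEN
tcp    *:23            *:0               Telnet       LISTEN
udp    *:123           *:0               NTP          LISTEN
udp    *:4500          *:0               ISAKMP       LISTEN
udp    *:500           *:0               ISAKMP       LISTEN
"""

# proto, local addr:port, foreign addr:port, service (may contain spaces), state
ROW = re.compile(r"^\s*(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(.+?)\s+(\S+)\s*$")


def parse_open_ports(text):
    """Parse the table into dicts; the header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, laddr, lport, faddr, fport, service, state = m.groups()
            rows.append({"proto": proto, "local": f"{laddr}:{lport}", "port": int(lport),
                         "foreign": f"{faddr}:{fport}", "service": service, "state": state})
    return rows


def unexpected_listeners(text, allowed=ALLOWED):
    """Listening sockets whose (protocol, port) pair is not on the allow-list."""
    return [r for r in parse_open_ports(text)
            if r["state"] == "LISTEN" and (r["proto"], r["port"]) not in allowed]


def report(text, allowed=ALLOWED):
    """One line per unexpected listener; an empty list means the host is clean."""
    return [f"{r['proto']}/{r['port']} ({r['service']}) listening on {r['local']}"
            for r in unexpected_listeners(text, allowed)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no unexpected listeners")
```

Pass a different allow-list if, for example, HTTPS management is not enabled on a given router; the default set is deliberately limited to what this guide configures.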
Physical security
Where there is a requirement for greater physical security, opacity shields and tamper-evident seals can be deployed.
Opacity shields are available on the Cisco 1921, 2900, and 3900 ISRs that meet the Federal Information
Processing Standards Publication (FIPS) 140-2 Level 2 opacity requirement.
http://www.cisco.com/en/US/prod/collateral/modules/ps10598/ordering_guide_c07_557736_ps10536_Products_Data_Sheet.html
Tamper evidence seals for the ISR G2 Series are detailed under the section “Module Opacity and Tamper
Evidence”, from the following;
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1521.pdf
Tamper evidence seals for the ASR Series are detailed under the section “Physical Security”, from the following;
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1390.pdf
Secure disposal
Prior to disposal all secrets must be removed from the device. This requires all certificates and, where possible,
keys to be deleted prior to disposal.
Certificates can be removed using the command no crypto pki trustpoint <trustpoint name>.
R1(config)#no crypto pki trustpoint ca
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
Certificates stored on the device can be shown using the command show crypto pki certificates.
To delete all RSA keys from the router, use the command crypto key zeroize rsa.
R1(config)#crypto key zeroize rsa
% All keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
The configuration can be removed using the command write erase to remove the startup-configuration file from
NVRAM, followed by a reload of the device. Note that write erase clears NVRAM only; any copies of the configuration
or other files saved to the flash file system must be deleted separately.
R1#write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
R1#reload
*Sep  8 14:14:12.580: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
R1#reload
Proceed with reload? [confirm]
Please consult CESG guidance for additional information on secure disposal.
Printed in USA