With preshared keys, the preshared keys must be configured
on both the PIX Firewall and the peer. With RSA signatures, you must configure
the PIX Firewall and its peer to obtain certificates from a CA.
Configuring Preshared Keys
Configure the IKE preshared key by completing the following
substeps.
Step 2.3.1: Specify the ISAKMP identity for the
PIX using the configuration mode isakmp identity
command. When two peers use IKE to establish IPSec security associations,
each peer sends its ISAKMP identity to the remote peer. The identity can be
configured as the PIX host name (default), the PIX IP address, or a defined
key-id. Use the no form of the command to reset the ISAKMP identity to the
default value of the host name. The syntax and two examples follow.
Pix(config)# isakmp identity {address | hostname | key-id} [key-id-string]
Pix(config)# isakmp identity address
Pix(config)# isakmp identity key-id cisco123
IKE negotiation is more reliable when the PIX Firewall and its peer set
their identities using the same method; otherwise negotiation can fail because
one peer does not recognize the other peer’s identity. If the host name is
used as the key-string in the isakmp key command, using the host name as the
identity would make sense.
Step 2.3.2: (Optional.) Define a name-to-address
mapping, similar to the ip host command in router IOS, using the name command. Use the no
form of the command to remove a name-to-address mapping. The syntax and an
example follow.
Pix(config)# name ip_addr name
Pix(config)# name 1.1.40.110 seattle
This step isn’t necessary if host names are resolved using a DNS
server.
Step 2.3.3: Use the isakmp key
command to specify a preshared authentication key and associate the key with an
IPSec peer address or host name. You would configure the preshared key at both
peers whenever you specify preshared key in an IKE policy. Otherwise, the policy
can’t be used because it won’t be submitted for matching by the IKE process. Use
the no form of the command to delete a preshared authentication key and its
associated IPSec peer address. The syntax and two examples follow.
Pix(config)# isakmp key key-string address peer_addr [netmask mask] [no-xauth] [no-config-mode]
Pix(config)# isakmp key cisco123 address 1.1.100.40
Pix(config)# isakmp key cisco456 address 0.0.0.0 netmask 0.0.0.0
The following are some things to consider with the isakmp key command:
- The peer_addr can be a host or a wildcard address.
- If no netmask is defined, the default 255.255.255.255 is used. The wildcard
netmask, 0.0.0.0, allows any IPSec peer with the valid preshared key to be a
valid peer. Cisco strongly recommends using a unique key for each peer.
- While it’s possible for the PIX Firewall or any IPSec peer to use the same
authentication key with multiple peers, this isn’t as secure as using a unique
authentication key for each pair of peers.
- The preshared key-string must be configured identically at both peers.
- The key-string can be any combination of alphanumeric characters up to 128
bytes.
- You can use the peer’s host name for the preshared key. This would seem to
make the most sense with remote access implementations.
- Preshared keys are easy to configure, but not very scalable.
Step 2.3.4: (Optional.) To see the IKE entries,
use the show isakmp command. The following is an example of
the output after the policies created earlier have been added:
Pix(config)# show isakmp
isakmp enable outside
isakmp key ******** address 1.1.100.40 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 100 authentication rsa-sig
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 10000
isakmp policy 200 authentication pre-share
isakmp policy 200 encryption des
isakmp policy 200 hash sha
isakmp policy 200 group 1
isakmp policy 200 lifetime 86400
Pix(config)#
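The considerations listed for the isakmp key command (wildcard netmask, key reuse across peers, the 128-byte alphanumeric key-string limit, and the need for a pre-share policy) can be checked mechanically before a configuration is applied. The following Python audit is an added example, not code from the original text or from Cisco; it parses a constructed configuration fragment written in the same command syntax as the steps above and reports each weakness it finds.

```python
import re
from collections import defaultdict

# Constructed PIX configuration fragment in the isakmp command syntax shown
# in the steps above (not output captured from a real device).
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp identity address
isakmp key cisco123 address 1.1.100.40
isakmp key cisco456 address 0.0.0.0 netmask 0.0.0.0
isakmp key cisco123 address 1.1.100.41 netmask 255.255.255.255
isakmp policy 100 authentication rsa-sig
isakmp policy 200 authentication pre-share
"""

KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)(?: netmask (\S+))?")
POLICY_AUTH_RE = re.compile(r"^isakmp policy (\d+) authentication (\S+)")
DEFAULT_NETMASK = "255.255.255.255"   # applied when netmask is omitted
MAX_KEY_BYTES = 128                   # key-string limit stated in the text

def parse_isakmp(config):
    """Return ([(key, peer, netmask), ...], {policy_number: auth_method})."""
    keys, auth = [], {}
    for line in config.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            keys.append((m.group(1), m.group(2), m.group(3) or DEFAULT_NETMASK))
            continue
        m = POLICY_AUTH_RE.match(line)
        if m:
            auth[int(m.group(1))] = m.group(2)
    return keys, auth

def audit_isakmp(config):
    """Return a list of human-readable findings; empty means no issue found."""
    keys, auth = parse_isakmp(config)
    findings = []
    peers_by_key = defaultdict(list)
    for key, peer, mask in keys:
        peers_by_key[key].append(peer)
        if mask == "0.0.0.0":   # wildcard: any peer holding the key is accepted
            findings.append(f"wildcard preshared key for {peer} netmask {mask} matches any peer")
        if len(key.encode()) > MAX_KEY_BYTES:
            findings.append(f"key for {peer} exceeds {MAX_KEY_BYTES} bytes")
        if not key.isalnum():
            findings.append(f"key for {peer} is not alphanumeric")
    for key, peers in peers_by_key.items():
        if len(peers) > 1:      # same key shared by several peers
            findings.append("same preshared key reused for peers " + ", ".join(peers))
    if keys and "pre-share" not in auth.values():
        findings.append("preshared keys configured but no policy uses pre-share authentication")
    return findings
```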
Configuring CAs
The following steps are used to enable the PIX Firewall to
interoperate with a CA and obtain PIX Firewall certificate(s).
Note: The PIX Firewall clock must be set to Greenwich Mean Time
(GMT), month, day, and year before configuring CA. Otherwise, the CA might
reject certificates based on a bad timestamp. The PIX Firewall uses the clock to
make sure a CRL isn’t expired.
Step 2.3.1: Use the hostname
command to configure the PIX Firewall host name. The syntax and examples
follow.
pixfirewall(config)# hostname name
pixfirewall(config)# hostname Pix
Pix(config)#
Step 2.3.2: Use the domain-name command to configure the PIX Firewall domain name.
The syntax and an example follow.
Pix(config)# domain-name name
Pix(config)# domain-name test.com
Step 2.3.3: Use the ca generate
rsa key command to configure the generation of the RSA key pair(s). The
syntax and an example follow.
Pix(config)# ca generate rsa key key_modulus_size
Pix(config)# ca generate rsa key 512
In the example, one general purpose RSA key pair is to be
generated with a key modulus set to 512.
The following is an example of using the show ca
mypubkey rsa command to see the RSA key pair(s).
Pix(config)# show ca mypubkey rsa
% Key pair was generated at: 15:46:58 UTC Jan 26 2003
Key name: Pix.test.com
Usage: General Purpose Key
Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c11fac 224f11ea
05b81343 6f14e27c 1be96be3 11a5b63b 8ca615c8 39a1844f 89cc48ec 0039423c
1aeb56b8 c07f3da4 e496c23e d291d458 7aef9c57 cb0ff327 bd020301 0001
Pix(config)#
Step 2.3.4: Use the ca identity
command to declare a CA. The syntax and an example follow.
Pix(config)# ca identity ca_nickname ca_ipaddr [:ca_script_location] [ldap_ip_addr]
Pix(config)# ca identity testca.test.com 1.1.100.100
In the example, 1.1.100.100 is the IP address of the CA,
testca.test.com.
Step 2.3.5: Use the ca
configure command to configure the parameters of communication between the
PIX Firewall and the CA. Use the no form of the command to reset the
communication parameters to the default value. The syntax and an example
follow.
Pix(config)# ca configure ca_nickname {ca | ra} retry_period retry_count [crloptional]
Pix(config)# ca configure testca.test.com ca 1 15 crloptional
Use the show ca configure command to display the
current settings stored in RAM.
Step 2.3.6: Use the ca
authenticate command to allow the PIX to authenticate its CA by obtaining
the CA’s self-signed certificate, which contains the CA’s public key. When using
the RA mode (ca configure command) and when issuing the ca authenticate command, the RA signing and
encryption certificates will be returned from the CA, as well as the CA
certificate. The syntax and an example follow.
Pix(config)# ca authenticate ca_nickname [fingerprint]
Pix(config)# ca authenticate testca.test.com 0123456789ABCDEF0123
The optional fingerprint (0123456789ABCDEF0123), when used,
authenticates the CA’s public key within its certificate. The PIX will discard
the CA certificate if this fingerprint doesn’t match the fingerprint in the CA’s
certificate.
Step 2.3.7: Use the ca enroll
command to request signed certificates from your CA for all PIX RSA key pairs. One command gets all pairs. Contact
the CA administrator before running this command because the administrator must
authenticate the PIX Firewall manually before granting its certificate(s). The
syntax and an example follow.
Pix(config)# ca enroll ca_nickname challenge_password [serial] [ipaddress]
Pix(config)# ca enroll testca.test.com mypassword1234567 serial ipaddress
Note: This password is most important and is required to revoke a
certificate. Note this password and store it in a safe
place.
Step 2.3.8: Use the show ca
certificate command to verify the process was successful.
The following is sample output from the show ca certificate command including a PIX Firewall general purpose
certificate and the RA and CA public-key certificates:
Pix(config)# show ca certificate
Subject Name
Name: Pix.test.com
IP Address: 1.1.1.1
Status: Available
Certificate Serial Number: 47d16514
Key Usage: General Purpose
RA Signature Certificate
Status: Available
Certificate Serial Number: 47d165f7
Key Usage: Signature
CA Certificate
Status: Available
Certificate Serial Number: 47d165e2
Key Usage: Not Set
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 47d165f6
Key Usage: Encryption
Step 2.3.9: Save the configuration: