[c-nsp] Cisco site-to-site VPN with self signed certificates
Bagosi Rómeó
Romeo.Bagosi at integris.hu
Mon Jul 16 04:31:57 EDT 2007
Hi experts!
I want to set up a Cisco site-to-site VPN with self-signed certificates. I've searched a lot, but I didn't find any documentation about this situation.
I want to set up the following:
Cisco ASA 5510 (7.1(2)) ------------------------ Cisco PIX 515e (PIX Version 7.0(4))
Internet (VPN)
outside (192.168.1.1) ---------------- outside (192.168.1.2)
I've configured self-signed certificates with ASDM and the VPN with the VPN wizard on both devices.
But what's the next step? Because the VPN doesn't work :(
I know that I have to do something to authenticate and verify the other peer's certificate, but I don't know how and I haven't found anything.
Here is the interesting part of the configs (without sensitive information):
-----------------------------------------------------------------------------------
ASA Version 7.1(2)
!
hostname first-vpn
domain-name vpn.hu
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 10.240.1.0 255.255.255.0 10.240.22.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.240.1.0 255.255.255.0 host 192.168.1.2
access-list outside_nat0_inbound extended permit ip interface outside 10.240.22.0 255.255.255.0
access-list outside_nat0_inbound extended permit ip interface outside host 192.168.1.2
access-list outside_cryptomap_20 extended permit ip 10.240.1.0 255.255.255.0 10.240.22.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.240.1.0 255.255.255.0 host 192.168.1.2
access-list outside_cryptomap_20 extended permit ip interface outside 10.240.22.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip interface outside host 192.168.1.2
!
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_inbound outside
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.1.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set trustpoint asatrustpoint
crypto map outside_map interface outside
crypto ca trustpoint asatrustpoint
enrollment self
email something at something.com
subject-name O=Some Corp.,C=SO,L=Somewhere
serial-number
ip-address 192.168.1.1
crl configure
!
crypto ca certificate chain asatrustpoint
certificate 31
308202b0 30820219 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
-------------------- output omitted ---------------
03e0e80d 4ff8b1af 0bddd73f 4dfc8460 89981bc3 d95050dd d4c23f77 220c8bd1
a8fde202 2af567e8 aee80532 cd6def3a 4babe9e3
quit
!
isakmp identity auto
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
trust-point asatrustpoint
--------------------------------------------------------------------------------------------------------------
PIX Version 7.0(4)
!
hostname pix
domain-name something.hu
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 10.240.22.0 255.255.255.0 10.240.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.240.22.0 255.255.255.0 host 192.168.1.1
access-list outside_nat0_inbound extended permit ip interface outside 10.240.1.0 255.255.255.0
access-list outside_nat0_inbound extended permit ip interface outside host 192.168.1.1
access-list outside_cryptomap_20 extended permit ip 10.240.22.0 255.255.255.0 10.240.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.240.22.0 255.255.255.0 host 192.168.1.1
access-list outside_cryptomap_20 extended permit ip interface outside 10.240.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip interface outside host 192.168.1.1
!
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_inbound outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set trustpoint pixtrustpoint
crypto map outside_map interface outside
!
crypto ca trustpoint pixtrustpoint
enrollment self
email something at somewhere.hu
subject-name O=Something,C=VA,L=Somewhere2
serial-number
ip-address 192.168.1.2
crl configure
!
crypto ca certificate chain pixtrustpoint
certificate 31
30820276 308201df a0030201 02020131 300d0609 2a864886 f70d0101 04050030
--------------- output omitted ----------------------------
0bd620f6 395757b1 5782944c 0f0ed59c 1f151aa9 65a1ea3a ad8e2c0d cfe52279
6b629bfc 18eb56c9 c9609460 a4b7eb63 efad58d6 de857c53 3e3d
quit
!
isakmp identity auto
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
trust-point pixtrustpoint
---------------------------------------------------------------------------------------------------------------
What do I have to do next?
Please help me!
Thank you!
Romeo Bagosi
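The missing step is that each peer must explicitly trust the other's self-signed certificate, since no common CA issued them. The following is an added example of that exchange (not from the original post or from Cisco documentation); the trustpoint names peer-asa and peer-pix are assumed, the PEM text is a placeholder for the real export, and it assumes the default tunnel-group-map, which falls back to the peer IP address so the existing IP-named tunnel groups still match.

```cisco
! Added example, not part of the original post. Trustpoint names peer-asa and
! peer-pix are assumed; "<PEM block>" stands for the real exported certificate.
!
! 1) On the ASA, print its own self-signed identity certificate in base-64:
first-vpn(config)# crypto ca export asatrustpoint identity-certificate
!   copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
!
! 2) On the PIX, create a separate trustpoint that will hold the ASA's
!    certificate as a trusted (CA) certificate and import it via the terminal:
pix(config)# crypto ca trustpoint peer-asa
pix(config-ca-trustpoint)# enrollment terminal
pix(config-ca-trustpoint)# exit
pix(config)# crypto ca authenticate peer-asa
!   <PEM block>   (paste the ASA certificate, then type: quit)
!   Accept the displayed fingerprint only after comparing it with the
!   fingerprint shown by "show crypto ca certificates" on the ASA itself.
!
! 3) Repeat in the other direction: export pixtrustpoint's identity
!    certificate on the PIX and import it on the ASA:
pix(config)# crypto ca export pixtrustpoint identity-certificate
first-vpn(config)# crypto ca trustpoint peer-pix
first-vpn(config-ca-trustpoint)# enrollment terminal
first-vpn(config-ca-trustpoint)# exit
first-vpn(config)# crypto ca authenticate peer-pix
!   <PEM block>   (paste the PIX certificate, then type: quit)
!
! 4) Verify: each device should now list its own identity certificate plus the
!    peer's certificate as a CA certificate, then bring the tunnel up and watch
!    phase 1 for certificate-validation errors.
first-vpn# show crypto ca certificates
first-vpn# debug crypto isakmp 127
first-vpn# show crypto isakmp sa
```

Comparing the fingerprint out-of-band before accepting is what turns a self-signed certificate into an authenticated peer identity; without it the import trusts whatever was pasted.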