This is a kickoff post for a series demonstrating the capabilities of FlexVPN server.
Since we’re building up this sample network from a clean sheet of paper, we’re going all in. We’re going to build ourselves a solid foundation, and then up the ante with high availability and integration with Identity Services Engine down the road.
The base build is going to use Next Generation Encryption (NGE), elliptic curve certificates, and an overlay routing design. We’ll also demonstrate how we can support a site with an older design (firewall with crypto maps) from the exact same head end.
In this installment, we’re going to review the routing design, cryptography suite selection, and enroll our devices with shiny 384-bit elliptic curve certificates.
Included at the end of this post are links to useful documents.
Great slide deck on FlexVPN
Densemode Labbing Topology 1
Cisco Next Generation Encryption Technology Document
Tim Glen breaks down Diffie Hellman Groups
RFC 6379: Suite B Cryptographic Suites for IPsec
Elliptic Curve Cryptography
In this installment we’re going to take a quick look at the main configuration blocks for FlexVPN on Cisco IOS devices. Then we will take advantage of smart defaults to turn up a tunnel with just a handful of commands.
Here’s the config from the video. As you can see, it’s ridiculously easy to use. There are 5 lines of config that relate to IPsec. That’s it.
Greetings fellow networkers,
In this installment of PKI for network engineers, we’re going to build up our two-tier Elliptic Curve PKI hierarchy in one shot. There are a lot of tasks, but only a few of them differ from our RSA setup. I’ll highlight those below.
- Cryptographic service provider and hash algorithm.
  - I’m using ECDSA 384 and SHA384
  - Although the Microsoft CA supports 521-bit EC keys, Cisco IOS maxes out at 384
- No NDES/SCEP. NDES supports RSA only for in-band device enrollment
  - There is a new standard called EST (Enrollment over Secure Transport)
  - IOS and IOS-XE support EST as clients
  - There’s an open source project called libEST you can use to test.
  - Cisco ISE as of version 2.2 supports EST
- Web enrollment doesn’t support version 3 or 4 templates
  - When duplicating templates, be aware of this fact
- Mind your signatures and public key algorithms.
  - RSA public keys can be signed by an EC CA and vice versa. Keep this in mind when creating your templates, and take care to test them and inspect your certificates to make sure you’re getting what you think you’re getting.
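As an added example (not the post's own configuration or the Microsoft CA workflow), the following openssl script builds a throwaway two-tier ECDSA P-384 / SHA-384 hierarchy, issues one RSA-keyed device certificate from the EC issuing CA, and then inspects each certificate to confirm the signature algorithm and key curve are what the design expects. The CA names and the "rsa-device" subject are constructed for the demonstration, and openssl is assumed to be in PATH.

```shell
# Added example (not the post's own config): build a throwaway two-tier
# ECDSA P-384 / SHA-384 hierarchy with openssl, then check that each cert's
# signature algorithm and public key curve are what the design expects.
# Assumes openssl is in PATH; all files go into a temporary directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Offline root CA: P-384 key, self-signed with SHA-384
openssl ecparam -name secp384r1 -genkey -noout -out root.key
openssl req -new -x509 -key root.key -sha384 -days 3650 \
  -subj "/CN=Lab Root CA" -out root.crt

# Issuing CA: P-384 key, signed by the root with SHA-384
openssl ecparam -name secp384r1 -genkey -noout -out sub.key
openssl req -new -key sub.key -sha384 -subj "/CN=Lab Issuing CA" -out sub.csr
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -sha384 -days 1825 -extfile sub.ext -out sub.crt

# A device cert with an RSA key, issued by the EC CA: perfectly valid, which is
# exactly why a mixed-algorithm template slips through unless you inspect it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out rsa.key 2>/dev/null
openssl req -new -key rsa.key -sha384 -subj "/CN=rsa-device" -out rsa.csr
openssl x509 -req -in rsa.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -sha384 -days 365 -out rsa.crt

# check_cert <file> <expected signature algorithm> <expected key curve>
# Returns 0 only when both the signature algorithm and the key curve match.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q "Signature Algorithm: $2" || return 1
  echo "$text" | grep -q "ASN1 OID: $3" || return 1
}

for f in root.crt sub.crt rsa.crt; do
  if check_cert "$f" ecdsa-with-SHA384 secp384r1; then
    echo "$f: ECDSA/SHA-384 signature, P-384 key"
  else
    echo "$f: does NOT match the P-384 profile"   # rsa.crt lands here
  fi
done

# The mixed chain still verifies: validity and algorithm policy are separate checks.
openssl verify -CAfile root.crt -untrusted sub.crt rsa.crt
```

The same `check_cert` test works on certificates exported from the Microsoft CA or from an IOS trustpoint, which is the point of the "inspect your certificates" advice above.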
Settings, scriptlets, helpful text blocks:
In this installment of the series, we set up the Active Directory plumbing needed to do certificate autoenrollment for users and computers, and then we test it. In the vein of the series, rather than taking defaults, which are often not the best idea in a production network, we build things up in a more realistic manner.
In addition to learning how to set up autoenrollment, if you follow along, you’ll get some practice in doing some basic Windows sysadmin work, including creating users, groups and organizational units, creating group policy objects, and most importantly working with certificate templates.
As usual, I included some links of interest at the bottom.
Configuring Certificate Autoenrollment: https://technet.microsoft.com/en-us/library/cc731522(v=ws.11).aspx
Troubleshooting Certificate Autoenrollment: