This chapter looked at the steps involved in configuring IPSec with CA support. The steps and their related commands are summarized in the following task list:
Task 1  Prepare for IKE and IPSec
  Step 1–1  Plan for CA support
  Step 1–2  Determine the IKE (IKE phase one) policies
  Step 1–3  Determine the IPSec (IKE phase two) policies
  Step 1–4  Check the current configuration
    show running-config
    show crypto isakmp [policy]
    show crypto map
  Step 1–5  Ensure the network works without encryption
    ping
  Step 1–6  Ensure access control lists are compatible with IPSec
    show access-lists
Task 2  Configure CA support
  Step 2–1  Manage the NVRAM memory usage (Optional)
    crypto ca certificate query
  Step 2–2  Set the router’s time and date
    ntp broadcast client
    sntp broadcast client
    clock set
  Step 2–3  Configure the router’s host name and domain name
    hostname
    ip domain-name
    ip host
  Step 2–4  Generate an RSA key pair
    crypto key generate rsa
  Step 2–5  Declare a CA
    crypto ca identity
    enrollment url
    query url
    crl optional
    enrollment mode ra
    enrollment retry count
    enrollment retry period
  Step 2–6  Authenticate the CA
    crypto ca authenticate
  Step 2–7  Request your own certificate
    crypto ca enroll
  Step 2–8  Save the configuration
    copy running-config startup-config
  Step 2–9  Monitor and maintain CA interoperability (Optional)
    Request a CRL:
      crypto ca crl request
    Delete your router’s RSA keys:
      crypto key zeroize rsa
    Delete both public and private certificates from the configuration:
      no certificate certificate-serial-number
      no crypto ca identity
    Delete peer’s public keys:
      no named-key key-name
      no addressed-key key-address
  Step 2–10  Verify the CA support configuration
    show crypto ca certificates
    show crypto key mypubkey rsa
    show crypto key pubkey-chain rsa
Task 3  Configure IKE
  Step 3–1  Enable or disable IKE
    crypto isakmp enable
  Step 3–2  Create IKE policies
    crypto isakmp policy
    authentication
    encryption
    hash
    group
    lifetime
  Step 3–3  Configure preshared keys
    crypto isakmp key
  Step 3–4  Verify the IKE configuration
    show crypto isakmp policy
Task 4  Configure IPSec
  Step 4–1  Configure transform set suites
    crypto ipsec transform-set
  Step 4–2  Configure global IPSec security association lifetimes
    crypto ipsec security-association lifetime
  Step 4–3  Configure crypto ACLs
    access-list
  Step 4–4  Configure crypto maps
    crypto map
  Step 4–5  Apply the crypto maps to the interface
    interface
    crypto map
Task 5  Test and verify IPSec
  Step 5–1  Display the configured IKE policies
    show crypto isakmp policy
  Step 5–2  Display the configured transform sets
    show crypto ipsec transform-set
  Step 5–3  Display the current state of the IPSec SAs
    show crypto ipsec sa
  Step 5–4  Display the configured crypto maps
    show crypto map
  Step 5–5  Debug IKE events
    debug crypto isakmp
  Step 5–6  Debug IPSec events
    debug crypto ipsec
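Tasks 2 through 4 carried out in order on one router, added here as an example and not taken from the chapter: the router name Rtr1, the CA name example-ca, the CA URL, the peer address and the protected subnets are constructed placeholders (addresses are from documentation ranges).

```cisco
! Constructed example, not the chapter's own configuration.
! Task 2, Steps 2-2 and 2-3: clock, host name and domain name. The CA
! checks certificate validity periods, so the clock must be correct
! before enrolling; the host and domain names become the certificate subject.
hostname Rtr1
ip domain-name example.com
ip host ca-server.example.com 192.0.2.10
clock timezone CST -6
!
! Step 2-4: the RSA key pair whose public half goes into the request.
crypto key generate rsa
!
! Step 2-1 (optional) and Step 2-5: fetch certificates and CRLs from the
! CA on demand instead of filling NVRAM, then declare the CA. "crl optional"
! is deliberately not set, so a peer certificate is rejected when the CRL
! cannot be retrieved rather than accepted unchecked.
crypto ca certificate query
crypto ca identity example-ca
 enrollment url http://ca-server.example.com:80
 enrollment retry count 10
 enrollment retry period 2
!
! Steps 2-6 and 2-7 are interactive: compare the CA fingerprint shown by
! "crypto ca authenticate" with the value obtained out of band before
! accepting it, then enroll to obtain the router's own certificate.
crypto ca authenticate example-ca
crypto ca enroll example-ca
!
! Task 3: IKE policy that authenticates with certificates (rsa-sig),
! so no preshared key (crypto isakmp key) is needed.
crypto isakmp enable
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Task 4: transform set, SA lifetime, crypto ACL, crypto map, interface.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set STRONG
 match address 101
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPNMAP
```

After saving with copy running-config startup-config, the Task 5 commands (show crypto ca certificates, show crypto isakmp policy, show crypto ipsec sa) confirm that the certificates were issued and that the SAs come up with rsa-sig authentication.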
1. A digital certificate is conceptually most like which type of document?
2. Which of the following is not a common name for a database service running on an existing or dedicated server that allows users to submit and retrieve digital certificates?
3. What does the acronym PKI stand for?
4. Digital certificates are generated by which of the following?
5. When checking a certificate against a CRL, what happens if a match occurs?
6. Which of the following is a server that acts as a proxy for the CA, so CA functions can continue when the CA is offline or otherwise unavailable?
7. Which of the following is an initiative for furthering open development for certificate-handling protocols that can help ensure interoperability with devices from many vendors?
8. Which of the following is not a CA provider supported by the Cisco IOS?
9. Which is the IKE keyword for the CA support authentication method?
10. Which command specifies that certificates and CRLs should not be stored locally, but should be retrieved from the CA as needed?
11. In the following command, what does the word “six” represent? Rtr1(config)#clock timezone CST -6
12. Given the following command, how many RSA key pairs will be generated? Rtr1(config)#crypto key generate rsa usage-keys
13. Which command is used to define the CA?
14. Which command removes all certificates associated with the CA—the router’s certificate, the CA certificate, and any RA certificates?
15. Which of the following is not required for CA support on Cisco IOS devices?
Answers
1. C. Passport
2. B. CRL
3. C. Public Key Infrastructures
4. B. Certificate authority
5. C. The certificate is rejected—it has been revoked
6. D. RA
7. D. SCEP—Simple Certificate Enrollment Protocol
8. B. Symantec
9. A. rsa-sig
10. D. crypto ca certificate query
11. C. Six hours behind UTC/GMT
12. B. 2
13. B. crypto ca identity
14. B. no crypto ca identity
15. B. Special-usage keys ordered