Using an Encrypted Tunnel to Obtain Certificates
This section shows an example of how to perform CA enrollment and certificate requests via a site-to-site VPN tunnel between two firewall units (firewall 1 and firewall 2). In the illustrated example, the CA server with which both firewall units enroll, and from which both units request their certificates, resides within the DMZ network of one firewall (firewall 1). Firewall 2 is shown performing its CA enrollment and certificate request via an encrypted tunnel. To accomplish this, a tunnel between the two VPN peers has to first be established using a pre-shared key as the device authentication method. Once the tunnel is established, firewall 2 can perform its CA enrollment and certificate request via the tunnel.
The example configuration steps are performed on firewall 1 and firewall 2 in two phases: Phase 1 and Phase 2. Phase 1 involves the following:
- Configuring the firewall units to establish a tunnel using a pre-shared key
- Enrolling and requesting the CA-signed certificates
The goal of the Phase 1 configurations is to successfully enroll the firewall with the CA server and obtain the CA-signed certificate. The order of the configurations for Phase 1 is important: configure firewall 1 before firewall 2. After Phase 1 is completed, proceed to the Phase 2 configurations, which involve the following:
- Clearing the IKE and IPSec SAs on both units
- Configuring the firewall units to establish a tunnel using digital certificates
The order of configurations during Phase 2 is not important. You can perform Phase 2 configurations on firewall 2 before performing the Phase 2 configurations on firewall 1.
The CA server address shown is for example purposes only.
Configuring firewall 1 to Obtain Certificate via Encrypted Tunnel
Phase 1
The order of the configurations for Phase 1 is important: configure firewall 1 before firewall 2.
Follow these steps to configure firewall 1:
- Define a host name:
hostname NewYork
- Define the domain name:
domain-name example.com
- To configure an IKE policy:
isakmp enable outside
isakmp policy 8 auth pre-share
isakmp key cisco address 209.165.200.229 netmask 255.255.255.255
- Create a partial access list:
access-list 90 permit ip host 10.1.0.2 host 209.165.200.229
- To configure NAT 0:
nat (dmz) 0 access-list 90
- To configure a transform set that defines how the traffic will be protected:
crypto ipsec transform-set strong esp-3des esp-sha-hmac
- Define a crypto map:
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
- Apply the crypto map to the outside interface:
crypto map toSanJose interface outside
- Tell the firewall to implicitly permit IPSec traffic:
sysopt connection permit-ipsec
- Generate the firewall RSA key pair:
ca generate rsa key 512
This command is entered at the command line and does not get stored in the configuration.
- Define CA-related enrollment commands:
ca identity abcd 10.1.0.2:/certsrv/mscep/mscep.dll
ca configure abcd ra 1 20 crloptional
These commands are stored in the configuration.
The ca identity command shown is specific to the Microsoft CA. The ca identity you use depends on the CA you are using.
- Get the public key and the certificate of the CA server:
ca authenticate abcd
This command is entered at the command line and does not get stored in the configuration.
- Contact the CA administrator and send the certificate request:
ca enroll abcd cisco
"cisco" is a challenge password. This can be anything. This command is entered at the command line and does not get stored in the configuration.
- Save keys and certificates, and the CA commands (except those indicated) in Flash memory:
ca save all
write memory
Use the ca save all command any time you add, change, or delete ca commands in the configuration. This command is not stored in the configuration.
Phase 2
Follow these steps to configure firewall 1:
- Clear the IPSec SAs:
clear ipsec sa
- Clear the ISAKMP SAs:
clear isakmp sa
- Create a partial access list:
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
- To configure NAT 0:
nat (inside) 0 access-list 90
- Specify the authentication method of rsa-signatures for the IKE policy:
isakmp policy 8 auth rsa-sig
Configuring firewall 2 to Obtain Certificate via Encrypted Tunnel
Phase 1
The order of the configurations for Phase 1 is important. Before configuring firewall 2 for Phase 1, configure firewall 1 for Phase 1.
Follow these steps to configure firewall 2:
- Define a host name:
hostname SanJose
- Define the domain name:
domain-name example.com
- To configure an IKE policy:
isakmp enable outside
isakmp policy 8 auth pre-share
isakmp key cisco address 209.165.201.8 netmask 255.255.255.255
- Create a partial access list:
access-list 80 permit ip host 209.165.200.229 host 10.1.0.2
- To configure NAT 0:
nat (inside) 0 access-list 80
- To configure a transform set that defines how the traffic will be protected:
crypto ipsec transform-set strong esp-3des esp-sha-hmac
- Define a crypto map:
crypto map newyork 20 ipsec-isakmp
crypto map newyork 20 match address 80
crypto map newyork 20 set transform-set strong
crypto map newyork 20 set peer 209.165.201.8
- Apply the crypto map to the outside interface:
crypto map newyork interface outside
- Tell the firewall to implicitly permit IPSec traffic:
sysopt connection permit-ipsec
- Generate the firewall RSA key pair:
ca generate rsa key 512
This command is entered at the command line and does not get stored in the configuration.
- Define CA-related enrollment commands:
ca identity abcd 10.1.0.2:/certsrv/mscep/mscep.dll
ca configure abcd ra 1 20 crloptional
These commands are stored in the configuration.
The ca identity command shown is specific to the Microsoft CA. The ca identity you use depends on the CA you are using.
- Authenticate the CA by obtaining its public key and its certificate:
ca authenticate abcd
This command is entered at the command line and does not get stored in the configuration.
- Request signed certificates from the CA for the firewall's RSA key pair. Before entering this command, contact the CA administrator because they will have to authenticate the firewall manually before granting its certificate:
ca enroll abcd cisco
"cisco" is a challenge password. This can be anything. This command is entered at the command line and does not get stored in the configuration.
- Save keys and certificates, and the CA commands (except those indicated) in Flash memory:
ca save all
write memory
Use the ca save all command any time you add, change, or delete ca commands in the configuration. This command is not stored in the configuration.
Phase 2
Follow these steps to configure firewall 2:
- Clear the IPSec SAs:
clear ipsec sa
- Clear the ISAKMP SAs:
clear isakmp sa
- Create a partial access list:
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
- Specify the authentication method of rsa-signatures for the IKE policy:
isakmp policy 8 auth rsa-sig
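A mismatch between the two peers' crypto access lists (the proxy IDs) is the usual reason a tunnel like this one fails to come up, and a Phase 1 access list that does not select traffic to the CA server means firewall 2 never reaches the CA through the tunnel. The following added check (not part of the original configuration guide) parses the exact access-list lines from both firewalls above and verifies that each peer's list is the mirror image of the other's and that the Phase 1 list on firewall 2 covers the CA server at 10.1.0.2; the ACL lines are embedded as constructed input copied from the page.

```python
import ipaddress

# Crypto access-list lines as configured on each firewall in the steps above.
FIREWALL1_ACLS = {
    "phase1": "access-list 90 permit ip host 10.1.0.2 host 209.165.200.229",
    "phase2": "access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0",
}
FIREWALL2_ACLS = {
    "phase1": "access-list 80 permit ip host 209.165.200.229 host 10.1.0.2",
    "phase2": "access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0",
}


def _take_addr(tokens):
    """Consume one PIX address spec ('host X', 'any' or 'net mask') from the token list."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = tokens.pop(0)  # dotted netmask, e.g. 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(line):
    """Return (name, src_net, dst_net) for an 'access-list N permit ip ...' line."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line}")
    name, rest = tokens[1], tokens[4:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACL line: {line}")
    return name, src, dst


def is_mirror(local_line, peer_line):
    """True when the peer's crypto ACL is the exact mirror of ours (matching proxy IDs)."""
    _, lsrc, ldst = parse_acl(local_line)
    _, psrc, pdst = parse_acl(peer_line)
    return lsrc == pdst and ldst == psrc


def covers_ca_server(line, ca_host):
    """True when the ACL's destination selects traffic to the CA server (Phase 1 requirement)."""
    _, _, dst = parse_acl(line)
    return ipaddress.ip_address(ca_host) in dst


def check_both_phases(fw1=FIREWALL1_ACLS, fw2=FIREWALL2_ACLS):
    """Mirror check for every phase; any False entry means the SA proposal will not match."""
    return {phase: is_mirror(fw1[phase], fw2[phase]) for phase in fw1}
```

Run the same functions against a real pair of configurations by pasting each peer's crypto ACL lines into the two dictionaries.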