- October 2, 2015
- Posted by: Syed Shujaat
- Category: Cisco, Networking Solutions
Jul 21, 2017 Peer public RSA key modulus values up to 4096 bits are automatically supported. The largest private RSA key modulus is 4096 bits. Therefore, the largest RSA private key a router may generate or import is 4096 bits. However, RFC 2409 restricts the private key size to 2048 bits or less for RSA encryption. May 20, 2014 Author, teacher, and talk show host Robert McMillen shows you how to use the Cisco ASA version 9 generate RSA keys command. I don't recall a command that shows the crypto key bit size. You can view the configured key by issuing the 'show crypto key mypubkey rsa' command. If you are unsure about the size of the key you can always create a new one to the size that you want.
Show crypto key mypubkey rsa: Shows information about the SSL certificate If you’d like to learn more about on how to configure SSH on a Cisco router I recommend you read through this documentation: Configuring Secure Shell on Routers and Switches Running Cisco IOS.
Use this command to generate RSA key pairs for your Cisco device (such as a router). keys are generated in pairs–one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
NOTE: Before issuing this command, ensure that your router has a hostname and IP domain name configured (with the hostname and ipdomain-name commands).
You will be unable to complete the cryptokeygeneratersacommand without a hostname and IP domain name. (This situation is not true when you generate only a named key pair.)
Here are the steps to Enable SSH and Crypto Key setup : 2 config must requried for SSH
1 Setup Local VTY line User ID and password
router (Config) # Line VTY 0 15
router (Config-line)# login local
router (Config-line)# Exit
!!! create local login ID/Pass
router (Config)# username [loginid] password [cisco]
router (Config)# username loginid1 password cisco1
2. router (Config)# ip domain-name example.com
router (Config)# crypto key generate rsa
how many bits in the modulus [512] :1024
router (Config)# ip ssh version2
router (Config)# CTRL Z
Note | Secure Shell (SSH) may generate an additional RSA key pair if you generate a key pair on a router having no RSA keys. The additional key pair is used only by SSH and will have a name such as {router_FQDN }.server. For example, if a router name is “router1.cisco.com,” the key name is “router1.cisco.com.server.” |
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However, a longer modules take longer to generate (see the table below for sample times) and takes longer to use.
The size of Key Modulus range from 360 to 2048. Choosing modulus greater than 512 will take longer time.
Router | 360 bits | 512 bits | 1024 bits | 2048 bits (maximum) |
---|---|---|---|---|
Cisco 2500 | 11 seconds | 20 seconds | 4 minutes, 38 seconds | More than 1 hour |
Cisco 4700 | Less than 1 second | 1 second | 4 seconds | 50 seconds |
Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 2048 bits.
Syntax Description : Optional Strings to embed with SSH Crypto key
general-keys | (Optional) Specifies that a general-purpose key pair will be generated, which is the default. | ||
usage-keys | (Optional) Specifies that two RSA special-usage key pairs, one encryption pair and one signature pair, will be generated. | ||
signature | (Optional) Specifies that the RSA public key generated will be a signature special usage key. | ||
encryption | (Optional) Specifies that the RSA public key generated will be an encryption special usage key. | ||
labelkey-label | (Optional) Specifies the name that is used for an RSA key pair when they are being exported.If a key label is not specified, the fully qualified domain name (FQDN) of the router is used. | ||
exportable | (Optional) Specifies that the RSA key pair can be exported to another Cisco device, such as a router. | ||
modulusmodulus-size | (Optional) Specifies the IP size of the key modulus.By default, the modulus of a certification authority (CA) key is 1024 bits. The recommended modulus for a CA key is 2048 bits. The range of a CA key modulus is from 350 to 4096 bits.
| ||
storagedevicename: | (Optional) Specifies the key storage location. The name of the storage device is followed by a colon (:). | ||
redundancy | (Optional) Specifies that the key should be synchronized to the standby CA. | ||
ondevicename: | (Optional) Specifies that the RSA key pair will be created on the specified device, including a Universal Serial Bus (USB) token, local disk, or NVRAM. The name of the device is followed by a colon (:).Keys created on a USB token must be 2048 bits or less. |
Command | Description |
---|---|
copy | Copies any file from a source to a destination, use the copy command in privileged EXEC mode. |
cryptokeystorage | Sets the default storage location for RSA key pairs. |
debugcryptoengine | Displays debug messages about crypto engines. |
hostname | Specifies or modifies the hostname for the network server. |
ipdomain-name | Defines a default domain name to complete unqualified hostnames (names without a dotted-decimal domain name). |
showcryptokeymypubkeyrsa | Displays the RSA public keys of your router. |
show crypto pki certificates | Displays information about your PKI certificate, certification authority, and any registration authority certificates. |
IFM supplies network engineering services for $NZ180+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!
Perhaps your visiting this page because you want to use the latest (as of 2015) cryptography standards available - Suite-B. Perhaps you are interested in fully migrating to IKEv2. Or perhaps you are one of the many people using the 'end of life' Cisco IPSec VPN Client, upgraded to Windows 10, and then found the support somewhat lacking. Perhaps you have come across some articles on the Internet showing solutions, but you don't have Cisco ISE, a RADIUS server or a certificate server, so they wont work for you. Or perhaps you just want to keep your Cisco technology current.
The first solution you should consider is using the Cisco SSL VPN technology. It doesn't use Suite-B cryptography, but it is much easier to setup. If you don't need super strong cryptography (and don't mind paying the licencing cost) then you should seriously consider this option (which Google can help you find the answers too).
You're still reading this article so that means you do want to use super strong cryptograpy or want to minimise additional licencing costs. This article will show you how to deploy a IKEv2 Suite-B Compliant VPN using the Cisco AnyConnect client (V3.1.12020 or newer) using nothing more than a Cisco IOS router running IOS V15.4(3)M4 or later. You need to be using a minimum of Windows 7 to make Suite-B work. This is perfect for small sites that are light on infrastructure.
If you don't currently have the Cisco AnyConnect client you will need to get a Cisco support contract (such as a SmartNet contract) to be able to download the client. If you need to upgrade the software on your router to 15.4(3)M4 then you will need the same support contract to download the new router software.
Note that AnyConnect with IKEv2 on IOS does not currently support the use of split-acls. Everything will get sent back to the router. If you want the user to have Internet access you'll need to NAT their traffic and send it back out to the Internet. Also note the use of certificates is compulsory. It is not possible to use usernames and passwords (IOS local authentication does not support EAP and AnyConnect only supports EAP for username/password authentication). You will also need a TFTP server on one machine to get certificates off the router. A great free TFTP server is tftpd32.
Basic IOS Functionality Needed
We need some basic fundamentals enabled.
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network grouplist local
ip http server
ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network grouplist local
ip http server
ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org
Its pretty critical that your router has at least the right date. Having the right time is even better. We have't configured the time zone, but make sure the date and time are about right before continuing (relative to the timezone displayed). If NTP above isn't working in your configuration above then manually set the date and time using the 'clock set ...' command.
REPEAT: DO NOT CONTINUE UNTIL THE DATE AND TIME ARE CORRECT
Certificate Server
You have to deploy certificates. There is no other way to get it going.
First define the new CA.
do mkdir flash:ca
crypto pki server ca-server
database level names
no database archive
hash sha512
lifetime certificate 3650
lifetime ca-certificate 7305 23 59
eku server-auth client-auth
auto-rollover 365
database url flash:ca
exit
exit
crypto key generate rsa general modulus 4096 exportable label ca-server
do crypto pki server ca-server start
crypto pki server ca-server
database level names
no database archive
hash sha512
lifetime certificate 3650
lifetime ca-certificate 7305 23 59
eku server-auth client-auth
auto-rollover 365
database url flash:ca
exit
exit
crypto key generate rsa general modulus 4096 exportable label ca-server
do crypto pki server ca-server start
Now we have a CA operating, we need to generate a certificate for our router to identify itself to clients.Ideally you will have a DNS entry for this, but a static IP address should also be fine. The 'IP Address'below is the external public IPv4 address of the router.
crypto key generate rsa general modulus 4096 exportable label router
crypto pki trustpoint router
enrollment url http://<ip address>:80
ip-address <ip address>
fqdn <DNS entry pointing to router>
subject-name CN=<site name>,OU=user-vpn,O=<company name>
revocation-check crl
rsakeypair router
auto-enroll regenerate
hash sha512
exit
crypto pki authenticate router
crypto pki enroll router
crypto pki trustpoint router
enrollment url http://<ip address>:80
ip-address <ip address>
fqdn <DNS entry pointing to router>
subject-name CN=<site name>,OU=user-vpn,O=<company name>
revocation-check crl
rsakeypair router
auto-enroll regenerate
hash sha512
exit
crypto pki authenticate router
crypto pki enroll router
The certificate server should now have a pending request.
Once you can see the request number you can approve it.
do crypto pki server ca-server grant <request number>
Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:
Crypto Configuration
Below I have allowed for users VPNing in to get an IP address from 192.168.255.1 to 192.168.255.254. You can modify this to use a free IP address block at your site.
ip local pool vpnusers 192.168.255.1 192.168.255.254
crypto ikev2 authorization policy ap-staff
pool vpnusers
route set interface
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14
crypto ikev2 policy default
match fvrf any
proposal default
crypto pki certificate map staff-certificate-map 10
issuer-name co cn = ca-server
crypto ikev2 profile staff
match certificate staff-certificate-map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint router
dpd 60 2 on-demand
aaa authorization group cert list grouplist ap-staff
virtual-template 1
no crypto ikev2 http-url cert
crypto ipsec transform-set tr-gsm256 esp-gcm 256
mode tunnel
crypto ipsec profile staff
set transform-set tr-gsm256
set pfs group21
set ikev2-profile staff
crypto ikev2 authorization policy ap-staff
pool vpnusers
route set interface
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14
crypto ikev2 policy default
match fvrf any
proposal default
crypto pki certificate map staff-certificate-map 10
issuer-name co cn = ca-server
crypto ikev2 profile staff
match certificate staff-certificate-map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint router
dpd 60 2 on-demand
aaa authorization group cert list grouplist ap-staff
virtual-template 1
no crypto ikev2 http-url cert
crypto ipsec transform-set tr-gsm256 esp-gcm 256
mode tunnel
crypto ipsec profile staff
set transform-set tr-gsm256
set pfs group21
set ikev2-profile staff
Replace GigabitEthernet0/0 below with whatever is your outside interface which has a public IPv4 address on it. If you are using the zone based firewall then make the below Virtual-Template belong to the 'inside' zone. If you want the user to have Internet access while VPN'ed in then make this the inside NAT interface.
interface Virtual-Template1 type tunnel
description Cisco AnyConnect IKEv2
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile staff
description Cisco AnyConnect IKEv2
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile staff
Take a break, you have now completed the main config on the router, and its time to move onto configuration relating to the client.
Client Related Configuration
This section needs to be repeated for each user you want to be able to VPN in.
We are going to generate the entire certificate on the IOS CA server for the client, and then export it as a chain (including the CA certificate) so we can import it in one step on the client.
Replace [email protected] with the email address of the person you are giving access to. It doesn't have to be an email address actually, but that is my preference.
crypto key generate rsa general modulus 4096 exportable label [email protected]
crypto pki trustpoint [email protected]
enrollment url http://<ip address>:80
serial-number none
fqdn none
ip-address none
subject-name [email protected]
revocation-check none
rsakeypair [email protected]
auto-enroll
hash sha512
crypto pki trustpoint [email protected]
enrollment url http://<ip address>:80
serial-number none
fqdn none
ip-address none
subject-name [email protected]
revocation-check none
rsakeypair [email protected]
auto-enroll
hash sha512
We'll now install the CA certificate into new trustpoint for the user and request the certificate.
The certificate server should now have a pending request.
Once you can see the request number you can approve it.
do crypto pki server ca-server grant <request number>
Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:
Now we need to export the new certificate as a chain (including the CA certificate) to your TFTP server. Replace 1.1.1.1 with the IP address of your TFTP server. The password is used to encrypt the key and is needed when you import it on the client. The password is not used after that. I have now discovered another way of doing this and that is to export the certificate to a USB memory key. The first line below demonstrates the export to a TFTP server, and the second to a USB memory key plugged into the first USB slot on the router.
crypto pki export [email protected] pkcs12 tftp://1.1.1.1/user.pfx password <password>
crypto pki export [email protected] pkcs12 usbflash0:/user.pfx password <password>
crypto pki export [email protected] pkcs12 usbflash0:/user.pfx password <password>
Now copy this file to the end users machine. Double click on the user.pfx file. Enter the password and let the wizard automatically select the certificate store to put the certificates into. Allow it to import extended attributes, and allow it to mark the private key as exportable.
Now we have to delete the user key off the router! Sounds bizarre I know, but the user can not VPN while it still exists on the router.
Now install the AnyConnect client on the users computer, if it is not installed already. Then we need to create an XML profile for your router. Copy and paste the below profile into notepad. Replace 'Company' with a nice name for the VPN entry as it appears in AnyConnect. I'm not sure if this field supports spaces, so I would avoid using spaces. Change vpn.example.com to the external DNS entry pointing to your router. It is likely to work if you put the routers outside public IPv4 address instead but I have not tested this.
Crypto Key Generate Rsa Ssh
<?xml version='1.0' encoding='UTF-8'?>
<AnyConnectProfile xmlns='http://schemas.xmlsoap.org/encoding/'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd'>
<ServerList>
<HostEntry>
<HostName>Company</HostName>
<HostAddress>vpn.example.com</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
<AnyConnectProfile xmlns='http://schemas.xmlsoap.org/encoding/'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd'>
<ServerList>
<HostEntry>
<HostName>Company</HostName>
<HostAddress>vpn.example.com</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
Cisco Switch Generate Rsa Key
Now save this file to %ProgramData%CiscoCisco AnyConnect Secure Mobility ClientProfile and call it something like 'Company.xml' where Company is a short name for your company. If AnyConnect is already running you need to quit it and start it running again so that it reads the profile directory. With any luck your new profile will appear in the drop down box and you can click on 'Connect' to connect to your router. You should then be able to ping internal hosts by their IP address.