Router A enabling DSS key exchange.

20 Mar

Listing 5.12: Router A enabling DSS key exchange.
Router-A(config)#crypto key exchange dss 192.168.12.2 routera
Public key for routera:
Serial Number 6B86ECF4
Fingerprint 6974 475B 3FB7 F64B B40A
Wait for peer to send a key[confirm]
Waiting ….

In Listing 5.12, Router A names the IP address of Router B as the peer with which it wants to exchange public keys. Once the crypto key exchange dss command is entered, Router A displays the public key it intends to send and then sends it to Router B. Notice that, having sent its key, Router A transitions to a waiting state: it now expects a public key in return from Router B. When Router B receives the key, it displays the output in Listing 5.13.

Listing 5.13: Router B asking to accept Router A’s public key.

Public key for routera:
Serial Number 6B86ECF4
Fingerprint 6974 475B 3FB7 F64B B40A
Add this public key to the configuration? [yes/no]: yes

The public key that Router B receives from Router A in Listing 5.13 includes the serial number and the fingerprint of the key. Router B's administrator should compare that serial number and fingerprint, verbally and out of band, against the key that Router A generated and displayed in Listings 5.5 and 5.9 and again in Listing 5.12 as the key it was about to send. Because the exchange itself carries no authentication, this comparison is the only protection against an attacker substituting a key of their own during the exchange; a key whose serial number or fingerprint differs from what Router A's administrator reads out must be answered with no. Router B must now send Router A its own public key, and it prompts you to do so immediately after the last line of Listing 5.13. This can be seen in Listing 5.14.

Listing 5.14: Router B asks to send Router A its public key.

Send peer a key in return[confirm]
Which one?
routerb? [yes]:
Public key for routerb:
Serial Number 0615EC60
Fingerprint 9C98 0488 7058 AF43 D4FC

Router B now sends Router A its public key. Router A receives the key and prompts you to accept it, as shown in Listing 5.15.

Listing 5.15: Router A receives Router B’s public key.

Public key for routerb:
Serial Number 0615EC60
Fingerprint 9C98 0488 7058 AF43 D4FC
Add this public key to the configuration? [yes/no]: yes

The public key that Router A receives from Router B in Listing 5.15 likewise includes the serial number and the fingerprint of the key. These should be verbally compared against the key that Router B generated and displayed in Listings 5.6 and 5.10 and again in Listing 5.14 as the key it was about to send to Router A, and the key should be accepted only if both values match.

At this point, the key exchange process is complete. To view the key that each peer has received, issue the show crypto key pubkey-chain dss command. Listing 5.16 displays an example of viewing Router B's public key from Router A. Compare the output of Listing 5.16 on Router A with the output of Listing 5.10 on Router B. The value of the serial number and data fields should be equal.

Listing 5.16: Router A viewing Router B’s public key.

Router-A#sh crypto key pubkey-chain dss serial 0615EC60
Key name:
Serial number: 0615EC60
Usage: Signature Key
Source: Manually entered
Data:
4B013A5D DB942F8F 556B6F67 13110723 A05F17F9 D7BA15BF
74B1C17B D2E5C4A5 ABC0A7DE D1188289 A54C80EC 5BB3B9AE
F4366FB1 D5DBB125 C44F904A 62209467
Router-A#

Listing 5.17 displays an example of viewing Router A’s public key from Router B. Compare the output of Listing 5.17 on Router B with the output of Listing 5.9 on Router A. The value of the serial number and data fields should be equal.

Listing 5.17: Router B viewing Router A’s public key.

Router-B#sh crypto key pubkey-chain dss serial 6B86ECF4
Key name:
Serial number: 6B86ECF4
Usage: Signature Key
Source: Manually entered
Data:
CC0438CE 125C2C5E DAE47A2C B47B44EE 4737C1D9 9FDF3164
69CAACA7 82D25416 8CA218AC 644BE782 36966277 BBF437DF
1347FFAA F2E3C04E 94CE60E5 5485C539
Router-B#
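The comparisons the text calls for around Listings 5.16 through 5.19 can be scripted rather than read across by eye. The following Python is an added example, not code from the original page or from Cisco: it parses the two formats in which IOS shows a DSS public key here (the show crypto key pubkey-chain dss serial output and the crypto key pubkey-chain dss configuration stanza) and compares the key Router A holds for routerb against what Router B displays for itself. The sample inputs are constructed from Listings 5.16 and 5.18; the stand-in for Listing 5.10, which is not on this page, reuses the same values, and the substituted-key case changes one nibble of the key data while keeping the serial number, which is exactly what a fingerprint or data comparison has to catch and a serial-number comparison alone cannot.

```python
import re

# Constructed sample input, taken from Listing 5.16: Router A's copy of Router B's key.
ROUTER_A_COPY_OF_ROUTERB = """\
Key name:
Serial number: 0615EC60
Usage: Signature Key
Source: Manually entered
Data:
4B013A5D DB942F8F 556B6F67 13110723 A05F17F9 D7BA15BF
74B1C17B D2E5C4A5 ABC0A7DE D1188289 A54C80EC 5BB3B9AE
F4366FB1 D5DBB125 C44F904A 62209467
"""

# Constructed stand-in for Listing 5.10 (not reproduced on this page): what Router B
# displays for its own key. Built from the same values so the honest case matches.
ROUTER_B_OWN_KEY = ROUTER_A_COPY_OF_ROUTERB

# Constructed attacker case: same serial number, one nibble of the key data changed.
ROUTER_A_COPY_SUBSTITUTED = ROUTER_A_COPY_OF_ROUTERB.replace("4B013A5D", "4B013A5C")

# Constructed sample: the pubkey-chain stanza from Router A's configuration (Listing 5.18).
ROUTER_A_CONFIG = """\
crypto key pubkey-chain dss
 named-key routerb signature
  serial-number 0615EC60
  key-string
   4B013A5D DB942F8F 556B6F67 13110723 A05F17F9 D7BA15BF
   74B1C17B D2E5C4A5 ABC0A7DE D1188289 A54C80EC 5BB3B9AE
   F4366FB1 D5DBB125 C44F904A 62209467
  quit
"""

HEX_WORD = re.compile(r"^[0-9A-Fa-f]{8}$")


def _hex_words(line):
    """Return the 32-bit hex words on a line, or None if the line is not key data."""
    toks = line.split()
    return toks if toks and all(HEX_WORD.match(t) for t in toks) else None


def parse_show_pubkey(text):
    """Parse `show crypto key pubkey-chain dss serial <n>` output into (serial, key_hex)."""
    serial, words, in_data = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Serial number:"):
            serial = line.split(":", 1)[1].strip().upper()
        elif line == "Data:":
            in_data = True
        elif in_data:
            toks = _hex_words(line)
            if toks is None:
                break                      # end of the Data block (e.g. the prompt)
            words.extend(toks)
    if serial is None or not words:
        raise ValueError("no DSS public key found in output")
    return serial, "".join(words).upper()


def parse_config_pubkeys(text):
    """Parse a `crypto key pubkey-chain dss` stanza into {peer name: (serial, key_hex)}.
    Hex words are collected regardless of line wrapping, so a key-string that a
    terminal or a copy-paste wrapped oddly still parses."""
    keys, name, serial, words, in_key = {}, None, None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("named-key "):
            name, serial, words, in_key = line.split()[1], None, [], False
        elif line.startswith("serial-number "):
            serial = line.split()[1].upper()
        elif line == "key-string":
            in_key = True
        elif line == "quit":
            if name and serial and words:
                keys[name] = (serial, "".join(words).upper())
            in_key = False
        elif in_key:
            words.extend(_hex_words(line) or [])
    return keys


def compare_with_peer(local_copy_text, peer_own_text):
    """Compare the key held locally for a peer with the key the peer displays for itself.
    Returns (serial_match, data_match); accept the key only when both are True. Matching
    serial numbers alone prove nothing, since a substituted key can carry the same serial."""
    local_serial, local_data = parse_show_pubkey(local_copy_text)
    peer_serial, peer_data = parse_show_pubkey(peer_own_text)
    return local_serial == peer_serial, local_data == peer_data


def config_matches_show(config_text, peer_name, show_text):
    """Check that the stored key-string for peer_name equals what `show` reports."""
    return parse_config_pubkeys(config_text).get(peer_name) == parse_show_pubkey(show_text)


if __name__ == "__main__":
    print("honest peer:", compare_with_peer(ROUTER_A_COPY_OF_ROUTERB, ROUTER_B_OWN_KEY))
    print("substituted key:", compare_with_peer(ROUTER_A_COPY_SUBSTITUTED, ROUTER_B_OWN_KEY))
    print("config agrees with show:",
          config_matches_show(ROUTER_A_CONFIG, "routerb", ROUTER_A_COPY_OF_ROUTERB))
```

The Data field on this page is 16 words of 32 bits, 512 bits in all, and the parsers compare the whole value, not just the serial number. Paste the real show output from each router into the two inputs and the substituted case is the one you never want to see.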

To summarize what has happened up to this point, each router has generated a public and a private key and successfully exchanged its public key with its encrypting peer router. Listing 5.18 displays a partial output of Router A's configuration after generating and exchanging keys, and Listing 5.19 displays a partial output of Router B's configuration after generating and exchanging keys. Note that these lab configurations also carry no service password-encryption and a privilege-15 username with a type 0 (cleartext) password; that is a convenience for the example, not something to copy into production.

Listing 5.18: Router A’s configuration after exchanging keys.

Building configuration…
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-A
!
username routera privilege 15 password 0 routera
!
memory-size iomem 10
ip subnet-zero
no ip finger
ip tcp synwait-time 10
no ip domain-lookup
!
crypto key pubkey-chain dss
named-key routerb signature
serial-number 0615EC60
key-string
4B013A5D DB942F8F 556B6F67 13110723 A05F17F9 D7BA15BF
74B1C17B D2E5C4A5 ABC0A7DE D1188289 A54C80EC 5BB3B9AE
F4366FB1 D5DBB125 C44F904A 62209467
quit
!

Listing 5.19: Router B’s configuration after exchanging keys.

Building configuration…
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-B
!
username routerb privilege 15 password 0 routerb
!
memory-size iomem 10
ip subnet-zero
no ip finger
ip tcp synwait-time 10
no ip domain-lookup
!
crypto key pubkey-chain dss
named-key routera signature
serial-number 6B86ECF4
key-string
CC0438CE 125C2C5E DAE47A2C B47B44EE 4737C1D9 9FDF3164
69CAACA7 82D25416 8CA218AC 644BE782 36966277 BBF437DF
1347FFAA F2E3C04E 94CE60E5 5485C539
quit
!

Now that each router has generated a private and public key pair and exchanged its public key with its peer, the next step is to configure and enable a global encryption algorithm for encrypting traffic between the peers. Cisco Encryption Technology uses the DES algorithm for encrypted communication between peers. Every encryption algorithm that the router will use during an encrypted session must be enabled globally on the router, and for a session to be established each peer must have at least one DES variant enabled that the other peer has also enabled. Cisco routers support the following four DES variants. Bear in mind that both key sizes are far below current standards: a 56-bit DES key can be recovered by exhaustive search, and 40-bit DES existed only to satisfy the export restrictions of the period, so treat this list as documentation of how CET negotiates ciphers rather than as a recommended configuration.

56-bit DES with 8-bit cipher feedback
56-bit DES with 64-bit cipher feedback
40-bit DES with 8-bit cipher feedback
40-bit DES with 64-bit cipher feedback

Listing 5.20 displays an example of configuring a global encryption policy on Router A, and Listing 5.21 displays an example of configuring a global encryption policy on Router B.

Listing 5.20: Configuring a global encryption policy on Router A.

Router-A#config t
Router-A(config)#crypto cisco algorithm des cfb-8
Router-A(config)#crypto cisco algorithm des cfb-64
Router-A(config)#crypto cisco algorithm 40-bit-des cfb-64
Router-A(config)#end

Listing 5.21: Configuring a global encryption policy on Router B.

Router-B#config t
Router-B(config)#crypto cisco algorithm des cfb-64
Router-B(config)#crypto cisco algorithm des cfb-8
Router-B(config)#crypto cisco algorithm 40-bit-des cfb-8
Router-B(config)#end

Notice in Listings 5.20 and 5.21 that each router's encryption policy enables the 56-bit DES algorithm with both 64-bit and 8-bit cipher feedback. The third entry on each router, however, differs: Router A enables 40-bit DES with 64-bit cipher feedback, and Router B enables 40-bit DES with 8-bit cipher feedback. Because those entries do not match, neither 40-bit variant can be used between these two peers (only an algorithm enabled on both sides can be negotiated); each could still be used with some other router that has the same variant enabled.

To display and verify the global encryption algorithms currently in use on each router, issue the show crypto cisco algorithms command. Listing 5.22 displays an example of issuing the show crypto cisco algorithms command on Router A, and Listing 5.23 displays an example of issuing the same command on Router B.

Listing 5.22: Viewing encryption algorithms in use on Router A.

Router-A#show crypto cisco algorithms
des cfb-64
des cfb-8
40-bit-des cfb-64
Router-A#

Listing 5.23: Viewing encryption algorithms in use on Router B.

Router-B#show crypto cisco algorithms
des cfb-64
des cfb-8
40-bit-des cfb-8
Router-B#
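Why a cfb-64 entry on one router and a cfb-8 entry on the other cannot be used together is clearer with the mode itself in front of you. The Python below is an added example, not code from the page or from IOS, and it does not implement DES: the block cipher is a stand-in keyed function built from SHA-256 and truncated to 64 bits, which is legitimate for demonstrating CFB because that mode only ever runs the cipher in the forward direction. It implements cipher feedback with a configurable segment size, 8 bits (the IOS cfb-8 setting) or 64 bits (cfb-64), and shows that with the same key, IV and plaintext the two settings produce different ciphertext after the first byte, so a peer decrypting with the other size recovers garbage. The key, IV and message are constructed sample values.

```python
import hashlib

BLOCK_BYTES = 8  # DES works on 64-bit blocks; CFB feeds ciphertext back into a register that size


def block_encrypt(key, block):
    """Stand-in for the block cipher's forward direction (assumption: this is NOT DES).
    CFB never runs the cipher backwards, so any keyed pseudorandom function with a
    64-bit output demonstrates the mode; here that is SHA-256 truncated to 8 bytes."""
    assert len(block) == BLOCK_BYTES
    return hashlib.sha256(key + block).digest()[:BLOCK_BYTES]


def cfb_crypt(key, iv, data, s_bytes, decrypt=False):
    """Cipher feedback with an s-byte segment: s_bytes=1 is IOS 'cfb-8', s_bytes=8 is 'cfb-64'.
    Each segment's keystream is the encryption of the shift register, which holds the most
    recent BLOCK_BYTES of *ciphertext*. Because the register is refilled in segment-sized
    steps, the two segment sizes diverge after the first byte even with identical inputs."""
    assert len(iv) == BLOCK_BYTES and 1 <= s_bytes <= BLOCK_BYTES
    assert len(data) % s_bytes == 0, "segment-aligned input only; no padding in this demo"
    register, out = iv, bytearray()
    for i in range(0, len(data), s_bytes):
        keystream = block_encrypt(key, register)[:s_bytes]
        seg_in = data[i:i + s_bytes]
        seg_out = bytes(a ^ b for a, b in zip(seg_in, keystream))
        ciphertext_seg = seg_in if decrypt else seg_out
        register = register[s_bytes:] + ciphertext_seg   # shift the ciphertext segment in
        out += seg_out
    return bytes(out)


def cfb_encrypt(key, iv, plaintext, s_bytes):
    return cfb_crypt(key, iv, plaintext, s_bytes)


def cfb_decrypt(key, iv, ciphertext, s_bytes):
    return cfb_crypt(key, iv, ciphertext, s_bytes, decrypt=True)


def peers_interoperate(key, iv, msg, sender_s_bytes, receiver_s_bytes):
    """True only when sender and receiver use the same feedback size: the situation the
    text describes for the des cfb-64 and des cfb-8 entries present on both routers,
    versus the 40-bit entries that differ between them."""
    ct = cfb_encrypt(key, iv, msg, sender_s_bytes)
    return cfb_decrypt(key, iv, ct, receiver_s_bytes) == msg


# Constructed sample key, IV and message; any 8-byte IV and segment-aligned message will do.
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK_BYTES))
MSG = b"CET test traffic, 32 bytes long!"

if __name__ == "__main__":
    for s in (1, 8):
        print(f"cfb-{8 * s}:", cfb_encrypt(KEY, IV, MSG, s).hex())
    print("cfb-64 sender, cfb-8 receiver:", peers_interoperate(KEY, IV, MSG, 8, 1))
```

Running it prints two ciphertexts that share only their first byte (both start from the same register, the IV, so the first keystream byte is identical) and then diverge. The common-algorithm requirement in the text follows directly: Listings 5.22 and 5.23 have des cfb-64 and des cfb-8 on both sides and a different 40-bit entry on each, and only the entries both peers share can carry a session. None of this changes the fact that 56-bit and 40-bit DES are too small to rely on today.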

The next task in configuring Cisco Encryption Technology is to configure access lists that define which packets are to be protected by encryption and which are not. Access lists used for encryption behave a little differently from the access lists used for packet filtering: when a packet matches a permit statement in an encryption access list, the router encrypts the packet; when it matches a deny statement (or nothing at all, and so falls to the implicit deny at the end), the packet is not encrypted and is forwarded in the clear by the normal routing process. A mistake in the list therefore leaks traffic silently rather than blocking it. IP extended access lists are used to define which packets are encrypted. Listing 5.24 displays an example of configuring Router A to encrypt packets with a source address in the 192.168.10.0 network and a destination address in the 192.168.11.0 network. Listing 5.25 displays an example of configuring Router B to encrypt packets with a source address in the 192.168.11.0 network and a destination address in the 192.168.10.0 network. It is recommended that each encrypting peer router maintain a mirror image of its peer's access list, with source and destination swapped, so that every flow one router encrypts is one the other expects to decrypt.
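Because a packet that fails to match the encryption access list is forwarded in the clear rather than dropped, a mismatch between the two peers' lists leaks traffic without any error. The Python below is an added example, not the page's or Cisco's code, that checks the mirror-image recommendation: it parses extended access-list lines of the access-list N permit|deny proto src wildcard dst wildcard form, converts IOS wildcard masks to networks, and reports every rule on either side that lacks its source/destination-swapped twin on the other. Listings 5.24 and 5.25 are not reproduced on this page, so the list number 101 and the 0.0.0.255 wildcards (a /24 on each network) are assumptions; the deliberately wrong peer list narrows Router B's destination to a single host to show what the check catches.

```python
import ipaddress
import re

# Only the `access-list N permit|deny proto src wildcard dst wildcard` form is handled
# (no `host`/`any` keywords, no port matches); that covers the lists the text describes.
ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)

# Constructed samples. The list number and the /24 wildcard masks are assumptions,
# since Listings 5.24 and 5.25 themselves are not on this page.
ROUTER_A_ACL = "access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255\n"
ROUTER_B_ACL = "access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255\n"
# Constructed mistake: destination wildcard 0.0.0.0 matches only the host 192.168.10.0,
# so Router B expects ciphertext for one host while Router A encrypts the whole /24.
ROUTER_B_ACL_BAD = "access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.0\n"


def wildcard_to_network(addr, wildcard):
    """Convert IOS address/wildcard to a network. Inverting a contiguous wildcard gives a
    netmask; a non-contiguous wildcard has no single-prefix equivalent and is rejected."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    try:
        return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    except ValueError as exc:
        raise ValueError(f"non-contiguous wildcard {wildcard} for {addr}") from exc


def parse_acl(text):
    """Return [(action, proto, src_net, dst_net)] for each rule, in configuration order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported access-list syntax: {line}")
        rules.append((m["action"], m["proto"],
                      wildcard_to_network(m["src"], m["smask"]),
                      wildcard_to_network(m["dst"], m["dmask"])))
    return rules


def mirror(rule):
    """The same rule as the peer must state it: source and destination swapped."""
    action, proto, src, dst = rule
    return (action, proto, dst, src)


def mirror_mismatches(local_text, peer_text):
    """Rules on either side that have no mirror image on the other. An empty list means
    the two encryption lists mirror each other; anything returned is a flow that one
    router will encrypt (or exempt) without the other agreeing."""
    local, peer = parse_acl(local_text), parse_acl(peer_text)
    local_set, peer_mirrored = set(local), {mirror(r) for r in peer}
    missing = [("local", r) for r in local if r not in peer_mirrored]
    missing += [("peer", r) for r in peer if mirror(r) not in local_set]
    return missing


if __name__ == "__main__":
    print("mirrored:", mirror_mismatches(ROUTER_A_ACL, ROUTER_B_ACL))
    for side, rule in mirror_mismatches(ROUTER_A_ACL, ROUTER_B_ACL_BAD):
        print(f"{side} rule has no mirror on the other router:", rule)
```

Run it against the actual access-list lines pulled from both routers' configurations; the honest pair returns an empty list, and the narrowed peer list reports one unmatched rule from each side.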
