Wednesday, October 7, 2009

IPsec using IOS CA Server

R1 f0/0 is connected to SW1 f1/1 (VLAN 10). Configs:
R1:
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 1.0.0.0
network 10.0.0.0
ntp master 2   <- R1 is the NTP master

SW1:
interface Loopback0
ip address 20.20.20.20 255.255.255.0
interface FastEthernet1/1
switchport access vlan 10
spanning-tree portfast
interface Vlan10
ip address 1.1.1.2 255.255.255.0
!
router rip
version 2
network 1.0.0.0
network 20.0.0.0
ntp server 1.1.1.1
Checking time sync with R1 (both devices need agreeing clocks, otherwise the certificates issued below fail their validity checks):
SW1#sh ntp associations
address ref clock st when poll reach delay offset disp
~1.1.1.1 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
SW1#sh ntp status
Clock is synchronized, stratum 3, reference is 1.1.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is C0294479.4E9966A2 (00:06:17.307 UTC Fri Mar 1 2002)
clock offset is 13.6786 msec, root delay is 120.03 msec
root dispersion is 947.17 msec, peer dispersion is 933.47 msec
Set up the CA server on R1 (enable the HTTP server first; the trustpoint below enrolls over HTTP):
#ip http server
#crypto pki server R1-CA
grant auto
no sh
R1#sh crypto pki server
Certificate Server R1-CA:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=R1-CA
CA cert fingerprint: E37C8415 EE363946 A7DFD807 71D2F531
Granting mode is: auto
Last certificate issued serial number: 0x1
CA certificate expiration timer: 00:11:22 UTC Feb 28 2005
CRL NextUpdate timer: 06:11:23 UTC Mar 1 2002
Current primary storage dir: nvram:
Database Level: Minimum – no
Then set up a trustpoint on R1 that points at the CA:
crypto pki trustpoint R1
enrollment url http://1.1.1.1:80
revocation-check none
Authenticate and enroll R1:
R1(config)#crypto pki authenticate R1
Certificate has the following attributes:
Fingerprint MD5: E37C8415 EE363946 A7DFD807 71D2F531
Fingerprint SHA1: B26D366F E5DF350D C4371198 9E293668 8976FF12
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#
R1(config)#crypto pki enroll R1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Mar 1 00:17:40.875: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: R1
% Include the router serial number in the subject name? [yes/no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1 verbose' commandwill show the fingerprint.
R1(config)#
Mar 1 00:18:20.107: CRYPTO_PKI: Certificate Request Fingerprint MD5: 93133E70 830422FF 8A00C3CE 81E82BE4
Mar 1 00:18:20.119: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 269D2E24 31BFA4B1 96777F4B 86533B81 BD40CB45
R1(config)#
Mar 1 00:18:23.075: %PKI-6-CERTRET: Certificate received from Certificate Authority
R1(config)#
Authenticate and enroll SW1 against R1:
SW1(config)#crypto pki authenticate R1
Certificate has the following attributes:
Fingerprint MD5: E37C8415 EE363946 A7DFD807 71D2F531
Fingerprint SHA1: B26D366F E5DF350D C4371198 9E293668 8976FF12
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
SW1(config)#
SW1(config)#crypto pki enroll R1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Mar 1 00:20:30.131: RSA key size needs to be atleast 768 bits for ssh version 2
Mar 1 00:20:30.151: %SSH-5-ENABLED: SSH 1.5 has been enabled
Mar 1 00:20:30.167: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: SW1
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1 verbose' commandwill show the fingerprint.
SW1(config)#
Mar 1 00:20:52.007: CRYPTO_PKI: Certificate Request Fingerprint MD5: D4849C4C FAB9547D 13B0FB07 FF0C2C54
Mar 1 00:20:52.019: CRYPTO_PKI: Certificate Request Fingerprint SHA1: B7E7067A 691283EC C739E45D 179AEEA9 6D3033B3
SW1(config)#
Mar 1 00:20:56.428: %PKI-6-CERTRET: Certificate received from Certificate Authority
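The one manual security decision in the enrollment above is the "Do you accept this certificate?" prompt: the fingerprint it shows should be compared, out of band, with the CA cert fingerprint that "show crypto pki server" printed on R1 (E37C8415 EE363946 A7DFD807 71D2F531). The Python below is an added example, not part of the original post and not IOS code; it parses both outputs (the sample text is copied from this page), normalises the fingerprints and reports whether the prompt should be answered yes. It also reads the key size out of the %CRYPTO-6-AUTOGEN line and rates the 512-bit autogenerated key against a minimum of my choosing (2048 bits is an assumption; the page's own SSH message only asks for 768).

```python
import re

# Constructed sample inputs, copied from the R1 and SW1 output shown on this page.
SHOW_PKI_SERVER = """\
Certificate Server R1-CA:
Status: enabled
State: enabled
Issuer name: CN=R1-CA
CA cert fingerprint: E37C8415 EE363946 A7DFD807 71D2F531
Granting mode is: auto
"""

AUTHENTICATE_PROMPT = """\
Certificate has the following attributes:
Fingerprint MD5: E37C8415 EE363946 A7DFD807 71D2F531
Fingerprint SHA1: B26D366F E5DF350D C4371198 9E293668 8976FF12
% Do you accept this certificate? [yes/no]:
"""

AUTOGEN_LOG = "Mar 1 00:20:30.167: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair"

MIN_RSA_BITS = 2048  # assumption: a present-day minimum, not a value from the page


def normalize(fp: str) -> str:
    """Drop spaces/colons and upper-case, so fingerprints printed in different
    layouts (IOS groups of 8, OpenSSL colon-separated) compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def ca_fingerprint(show_output: str) -> str:
    """The CA's own certificate fingerprint from 'show crypto pki server'."""
    m = re.search(r"CA cert fingerprint:\s*([0-9A-Fa-f ]+)", show_output)
    if not m:
        raise ValueError("no 'CA cert fingerprint' line found")
    return normalize(m.group(1))


def presented_fingerprints(prompt_output: str) -> dict:
    """Fingerprints shown by 'crypto pki authenticate', keyed by algorithm."""
    return {
        algo: normalize(value)
        for algo, value in re.findall(
            r"Fingerprint (MD5|SHA1):\s*([0-9A-Fa-f ]+)", prompt_output)
    }


def should_accept(show_output: str, prompt_output: str) -> bool:
    """True only if the MD5 fingerprint the enrolling device is shown matches the
    fingerprint read directly from the CA. On a mismatch the enrolling device is
    talking to something other than R1-CA and the prompt must be answered no."""
    presented = presented_fingerprints(prompt_output)
    return "MD5" in presented and presented["MD5"] == ca_fingerprint(show_output)


def autogen_key_bits(log_line: str):
    """Key size reported by a %CRYPTO-6-AUTOGEN syslog line, or None."""
    m = re.search(r"Generated new (\d+) bit key pair", log_line)
    return int(m.group(1)) if m else None


def key_size_ok(bits, minimum: int = MIN_RSA_BITS) -> bool:
    return bits is not None and bits >= minimum


if __name__ == "__main__":
    verdict = "yes" if should_accept(SHOW_PKI_SERVER, AUTHENTICATE_PROMPT) else "NO"
    print("answer to the 'accept this certificate' prompt:", verdict)
    bits = autogen_key_bits(AUTOGEN_LOG)
    print(f"autogenerated key: {bits} bits, acceptable: {key_size_ok(bits)}")
```

In a real deployment the fingerprint in SHOW_PKI_SERVER would be captured on the CA itself (console, or a previously recorded value), never from the same session that is being authenticated; the 512-bit key is worth replacing with an explicit "crypto key generate rsa" of adequate size before enrolling.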
Then configure IPsec on R1 and SW1:
R1:
access-list 100 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
crypto isakmp policy 10
 ! nothing is set here, so the IOS defaults apply; the default authentication
 ! is rsa-sig, which is what makes the certificates enrolled above the IKE credential
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
match address 100
set peer 1.1.1.2
set transform-set SET
interface FastEthernet0/0
crypto map VPN
SW1:
access-list 100 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto isakmp policy 10
!
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set SET
match address 100
! the map has to be applied to Vlan10 as well; SW1's "show crypto ipsec sa"
! output further down ("interface: Vlan10", "Crypto map tag: VPN") confirms it is
interface Vlan10
crypto map VPN
And basically that's it. From R1 (the first two echoes are lost while IKE negotiates the SAs, which is also what the "#send errors 2" counter below records):
R1#ping 20.20.20.20 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 168/181/188 ms
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
1.1.1.2 1.1.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: VPN, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x410281BA(1090683322)
inbound esp sas:
spi: 0xB5EAB4B4(3052057780)
transform: esp-3des esp-md5-hmac ,
And from SW1:
SW1#ping 10.10.10.10 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 20.20.20.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/162/260 ms
SW1#sh crypto ipsec sa
interface: Vlan10
Crypto map tag: VPN, local addr 1.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
current outbound spi: 0xB5EAB4B4(3052057780)
inbound esp sas:
spi: 0x410281BA(1090683322)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4492899/3251)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB5EAB4B4(3052057780)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4492899/3251)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
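The two "show crypto ipsec sa" listings above are consistent with each other in a way worth checking explicitly: R1's outbound SPI (0x410281BA) is SW1's inbound SPI and R1's inbound SPI (0xB5EAB4B4) is SW1's outbound SPI, the endpoint addresses mirror each other, and both counters move in both directions. The Python below is an added example, not part of the original post and not IOS code; it parses each listing (sample text copied from this page, R1's cut off where the page cuts it off), cross-checks the two peers, and lists the transforms that no longer meet current expectations (the set of weak transform names is my own).

```python
import re

# Constructed sample inputs, copied from the "show crypto ipsec sa" output on this
# page. R1's output is cut off on the page after the first inbound SA, so the
# sample is cut off in the same place.
R1_SA = """\
interface: FastEthernet0/0
Crypto map tag: VPN, local addr 1.1.1.1
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#send errors 2, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
current outbound spi: 0x410281BA(1090683322)
inbound esp sas:
spi: 0xB5EAB4B4(3052057780)
transform: esp-3des esp-md5-hmac ,
"""

SW1_SA = """\
interface: Vlan10
Crypto map tag: VPN, local addr 1.1.1.2
local ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
current outbound spi: 0xB5EAB4B4(3052057780)
inbound esp sas:
spi: 0x410281BA(1090683322)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0xB5EAB4B4(3052057780)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
replay detection support: Y
Status: ACTIVE
"""

# Assumption: transform names this check treats as weak (DES/3DES, MD5, no encryption).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ipsec_sa(text: str) -> dict:
    """Pull the fields of one crypto map entry out of 'show crypto ipsec sa' output."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return conv(m.group(1))

    def hex_int(s):
        return int(s, 16)

    return {
        "local": grab(r"local crypto endpt\.: (\S+),"),
        "remote": grab(r"remote crypto endpt\.: (\S+)"),
        "outbound_spi": grab(r"current outbound spi: (0x[0-9A-Fa-f]+)", hex_int),
        # the first 'spi:' line after the 'inbound esp sas:' header
        "inbound_spi": grab(r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)", hex_int),
        "transform": grab(r"transform: ([^,]+?)\s*,").split(),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "send_errors": grab(r"#send errors (\d+)", int),
        "recv_errors": grab(r"#recv errors (\d+)", int),
    }


def sas_consistent(a: dict, b: dict) -> bool:
    """Both peers describe the same pair of SAs: each side's outbound SPI is the
    other side's inbound SPI, and the endpoint addresses mirror each other."""
    return (a["outbound_spi"] == b["inbound_spi"]
            and b["outbound_spi"] == a["inbound_spi"]
            and a["local"] == b["remote"]
            and a["remote"] == b["local"])


def weak_transforms(sa: dict) -> list:
    return [t for t in sa["transform"] if t in WEAK_TRANSFORMS]


def traffic_flowing(sa: dict) -> bool:
    """Packets have been protected in both directions on this peer."""
    return sa["encaps"] > 0 and sa["decaps"] > 0


if __name__ == "__main__":
    r1, sw1 = parse_ipsec_sa(R1_SA), parse_ipsec_sa(SW1_SA)
    for name, sa in (("R1", r1), ("SW1", sw1)):
        print(f"{name}: out spi {sa['outbound_spi']:#010x}, in spi {sa['inbound_spi']:#010x}, "
              f"encaps {sa['encaps']}, decaps {sa['decaps']}, send errors {sa['send_errors']}, "
              f"weak transforms: {weak_transforms(sa) or 'none'}")
    print("SAs consistent between peers:", sas_consistent(r1, sw1))
```

The counters differ between the two listings (3 versus 28) only because they were taken at different moments; what matters for the cross-check is that the SPIs match up and both sides encapsulate and decapsulate. The transform set used here (esp-3des esp-md5-hmac) is flagged by the check, which is the reason to move the transform-set to AES and a SHA-2 HMAC on anything outside a lab.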
