Saturday, January 25, 2014

30 second guide to setting up an interface mode VPN on Cisco IOS

This is like one of those one-page recipe-book cheat sheets. It relies on you knowing IOS well enough to only need a jog of the memory.

So to set up an interface-mode (Virtual Tunnel Interface, or VTI, in Cisco speak) VPN you need these commands:

! Policy and transform-set values below are fill-ins; they must match on both ends
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address <peer-outside-ip>
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile VTI
 set transform-set TS
!
! Optional: only if you want to shape traffic going into the tunnel
policy-map SHAPE
 class class-default
  shape average 128000
!
interface Tunnel0
 ip address <tunnel-ip> <mask>
! or "ip unnumbered Vlan1" to borrow Vlan1's address instead of giving the tunnel its own
 tunnel source <outside-interface-or-ip>
 tunnel destination <peer-outside-ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
 service-policy output SHAPE
! (service-policy only if you created the policy-map above)
!
! Route the remote networks over the tunnel: either a static route (permanent so it
! is not withdrawn while the peer is down) or RIPv2 / another dynamic routing protocol
! run across the tunnel
ip route <remote-network> <mask> Tunnel0 permanent

If you're switching from a proxy-style (crypto map) VPN, remove the crypto map from the outside interface (unless you still have dynamic client VPNs terminating there) and remove the IPsec policy for the connection.

The tunnel ones are just so much nicer: no NAT hassles, easy policy-based QoS, and so on.

Also, a helpful diagnostic command:

show crypto session detail

Thursday, January 16, 2014

Certificates on Windows, AD CA, etc.

This relates mainly to older servers: CAs now require 2048-bit keys, and I kept running into a default of 1024 bits that I couldn't change.

This is ripped from another blog (thanks

Create a file called c:\cert.inf with the following content:

[NewRequest]
; the CN was blank in the original post; put the server's FQDN there
Subject = "CN=<server-fqdn>, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048

Now run the following:

certreq -new cert.inf outfile.req

Now just cut and paste the contents of outfile.req into the GeoTrust QuickSSL Premium enrollment page and away you go.

But that only goes halfway.

To complete things (for me, loading a certificate into IIS) I had to change the cert.inf file:

[NewRequest]
; the CN was blank in the original post; put the server's FQDN there
Subject = "CN=<server-fqdn>, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048
Exportable = TRUE

The certificate is created under the current user, so you need to export it and import it into the machine account for IIS to be able to use it.

Import the cert from the provider into your current user store. You should then be able to export it with its private key and import it into the local machine store, where IIS etc. can see it.
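As an added example (not from the original post or the blog it was ripped from), the same request done from PowerShell with the key created directly in the machine store via MachineKeySet, which avoids the user-to-machine export/import step, plus a check that the issued certificate really has the expected key size. The FQDN, paths and provider name are assumptions; run it from an elevated prompt.

```powershell
# Added example: request a 2048-bit RSA cert with certreq, keyed in the machine store.
# $Fqdn, $Inf and $Req are placeholders, not values from the original post.
param(
    [string]$Fqdn      = 'www.example.com',
    [string]$Org       = 'MyCompany',
    [string]$OrgUnit   = 'IT',
    [string]$City      = 'London',
    [string]$State     = 'SE1',
    [string]$Country   = 'GB',
    [int]$KeyLength    = 2048,
    [string]$Inf       = 'C:\cert.inf',
    [string]$Req       = 'C:\outfile.req'
)

# Public CAs no longer accept RSA keys shorter than 2048 bits, so refuse them up front
if ($KeyLength -lt 2048) { throw "KeyLength $KeyLength is below 2048; the CA will reject it" }

# MachineKeySet = TRUE puts the key pair in the local machine store (where IIS looks)
# instead of the current user's store, so no export/import is needed afterwards.
# Exportable = TRUE is kept so the cert can still be backed up or moved later.
@"
[NewRequest]
Subject = "CN=$Fqdn, O=$Org, OU=$OrgUnit, L=$City, S=$State, C=$Country"
KeyLength = $KeyLength
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256
"@ | Set-Content -Path $Inf -Encoding ASCII

certreq -new $Inf $Req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host "Paste the contents of $Req into the CA's enrollment page."

# Once the CA returns the signed certificate, bind it to the pending request's key with:
#   certreq -accept C:\issued.cer
# then confirm it landed in the machine store with the key size you asked for
# (PublicKey.Key.KeySize is the RSA key length under Windows PowerShell 5.1):
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" } |
    Select-Object Subject, NotAfter, @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } }
```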