1. Topology

2. ASA configuration

(1) Configure the trustpoint

crypto ca trustpoint ez***
revocation-check crl none
enrollment url http://192.168.10.1:80/certsrv/mscep/mscep.dll
fqdn asa.ez***.net
subject-name cn=asa.ez***.net
keypair ez***key
crl configure

(2) Download the root certificate

crypto ca authen ez***

(3) Request the identity certificate

crypto ca enroll ez***

(4) Configure phase 1

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400

(5) Configure phase 1.5

tunnel-group ez*** type remote-access
tunnel-group ez*** general-attributes
address-pool (outside) ez***-pool
tunnel-group ez*** ipsec-attributes
peer-id-validate cert
ikev1 trust-point ez***

(6) Configure phase 2

crypto ipsec ikev1 transform-set ez***ipsec esp-des esp-md5-hmac
crypto dynamic-map ez***dymap 1000 set ikev1 transform-set ez***ipsec
crypto dynamic-map ez***dymap 1000 set reverse-route
crypto map ez***map 10 ipsec-isakmp dynamic ez***dymap
crypto map ez***map interface outside

(7) Configure routing

route outside 0.0.0.0 0.0.0.0 10.1.1.10 1
route inside 0.0.0.0 0.0.0.0 192.168.1.10 tunneled

3. Verify the certificates

asa(config)# show crypto ca certificates
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 610f817b000000000003
Certificate Usage: Encryption
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
ea=wenlf@136.com
cn=wenlf136
ou=network
o=The Sunshine Network Technology
l=beijing
st=china
c=cn
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 17:36:07 gmt Oct 7 2012
end date: 17:46:07 gmt Oct 7 2013
Associated Trustpoints: ez***

RA Signature Certificate
Status: Available
Certificate Serial Number: 610f8071000000000002
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
ea=wenlf@136.com
cn=wenlf136
ou=network
o=The Sunshine Network Technology
l=beijing
st=china
c=cn
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 17:36:07 gmt Oct 7 2012
end date: 17:46:07 gmt Oct 7 2013
Associated Trustpoints: ez***

Certificate
Status: Available
Certificate Serial Number: 6120aacb000000000005
Certificate Usage: Encryption
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
cn=asa.ez***.net
hostname=asa.ez***.net
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 08:47:44 gmt Oct 12 2012
end date: 08:57:44 gmt Oct 12 2013
Associated Trustpoints: ez***

Certificate
Status: Available
Certificate Serial Number: 61209fce000000000004
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
cn=asa.ez***.net
hostname=asa.ez***.net
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 08:47:41 gmt Oct 12 2012
end date: 08:57:41 gmt Oct 12 2013
Associated Trustpoints: ez***

CA Certificate
Status: Available
Certificate Serial Number: 606323d31d3d4198470400de77cc44a6
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
cn=ROOTCA
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 17:27:53 gmt Oct 7 2012
end date: 17:37:21 gmt Oct 7 2017
Associated Trustpoints: ez***
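Before trusting the listing above, a practitioner would check each certificate's expiry, key size, signature algorithm and subject against the trustpoint fqdn; note that the identity certificates are 1024-bit RSA signed with SHA1. The script below is an added example, not part of the original post: it parses a constructed, trimmed copy of the output above (same field layout) and reports such findings; the expected cn, the reference date and the 2048-bit threshold are assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample: two entries trimmed from the listing above, same field layout.
SAMPLE = """\
Certificate
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
cn=asa.ez***.net
end date: 08:57:41 gmt Oct 12 2013

CA Certificate
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Subject Name:
cn=ROOTCA
end date: 17:37:21 gmt Oct 7 2017
"""

def parse_certs(text):
    """One dict per certificate block of 'show crypto ca certificates' output."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, _, body = block.partition("\n")
        subject = body.split("Subject Name:", 1)[1]  # DN lines after this header are the subject
        certs.append({
            "kind": head.strip(),
            "cn": re.search(r"^cn=(.*)$", subject, re.M).group(1).strip(),
            "bits": int(re.search(r"RSA \((\d+) bits\)", body).group(1)),
            "sigalg": re.search(r"Signature Algorithm: (.*)", body).group(1).strip(),
            "not_after": datetime.strptime(re.search(r"end date: (.*)", body).group(1).strip(), "%H:%M:%S gmt %b %d %Y").replace(tzinfo=timezone.utc),
        })
    return certs

def audit(certs, expected_cn, today, min_bits=2048):
    """Return (kind, cn, problem) findings; today is an ISO date such as '2013-01-01' (assumed)."""
    now = datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
    findings = []
    for c in certs:
        if c["not_after"] <= now:
            findings.append((c["kind"], c["cn"], "expired"))
        if c["bits"] < min_bits:
            findings.append((c["kind"], c["cn"], f"RSA key only {c['bits']} bits"))
        if c["sigalg"].upper().startswith(("SHA1", "MD5")):
            findings.append((c["kind"], c["cn"], f"weak signature algorithm: {c['sigalg']}"))
        if c["kind"] == "Certificate" and c["cn"] != expected_cn:  # identity cert must carry the fqdn
            findings.append((c["kind"], c["cn"], f"subject cn is not {expected_cn}"))
    return findings
```

Run it against the full listing captured from the ASA (`show crypto ca certificates`) to see every RA, identity and CA entry flagged the same way.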

4. Configure the client

(1) Configure the trustpoint

(2) Once the administrator has issued the certificate, request the identity certificate

(3) When the screen shown below appears, the request has succeeded

(4) Configure the client

5. Verification