1. Topology
2. ASA configuration
(1) Trustpoint configuration
crypto ca trustpoint ez***
revocation-check crl none
enrollment url http://192.168.10.1:80/certsrv/mscep/mscep.dll
fqdn asa.ez***.net
subject-name cn=asa.ez***.net
keypair ez***key
crl configure
(2) Download the root certificate
crypto ca authen ez***
(3) Request the identity certificate
crypto ca enroll ez***
(4) Configure phase 1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
(5) Configure phase 1.5
tunnel-group ez*** type remote-access
tunnel-group ez*** general-attributes
address-pool (outside) ez***-pool
tunnel-group ez*** ipsec-attributes
peer-id-validate cert
ikev1 trust-point ez***
(6) Configure phase 2
crypto ipsec ikev1 transform-set ez***ipsec esp-des esp-md5-hmac
crypto dynamic-map ez***dymap 1000 set ikev1 transform-set ez***ipsec
crypto dynamic-map ez***dymap 1000 set reverse-route
crypto map ez***map 10 ipsec-isakmp dynamic ez***dymap
crypto map ez***map interface outside
(7) Configure routing
route outside 0.0.0.0 0.0.0.0 10.1.1.10 1
route inside 0.0.0.0 0.0.0.0 192.168.1.10 tunneled
3. Verify the certificates
asa(config)# show crypto ca certificates
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 610f817b000000000003
Certificate Usage: Encryption
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
ea=wenlf@136.com
cn=wenlf136
ou=network
o=The Sunshine Network Technology
l=beijing
st=china
c=cn
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 17:36:07 gmt Oct 7 2012
end date: 17:46:07 gmt Oct 7 2013
Associated Trustpoints: ez***
RA Signature Certificate
Status: Available
Certificate Serial Number: 610f8071000000000002
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
ea=wenlf@136.com
cn=wenlf136
ou=network
o=The Sunshine Network Technology
l=beijing
st=china
c=cn
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 17:36:07 gmt Oct 7 2012
end date: 17:46:07 gmt Oct 7 2013
Associated Trustpoints: ez***
Certificate
Status: Available
Certificate Serial Number: 6120aacb000000000005
Certificate Usage: Encryption
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
cn=asa.ez***.net
hostname=asa.ez***.net
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 08:47:44 gmt Oct 12 2012
end date: 08:57:44 gmt Oct 12 2013
Associated Trustpoints: ez***
Certificate
Status: Available
Certificate Serial Number: 61209fce000000000004
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
cn=asa.ez***.net
hostname=asa.ez***.net
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 08:47:41 gmt Oct 12 2012
end date: 08:57:41 gmt Oct 12 2013
Associated Trustpoints: ez***
CA Certificate
Status: Available
Certificate Serial Number: 606323d31d3d4198470400de77cc44a6
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=ROOTCA
Subject Name:
cn=ROOTCA
CRL Distribution Points:
[1] http://server-2003/CertEnroll/ROOTCA.crl
[2] file://\\server-2003\CertEnroll\ROOTCA.crl
Validity Date:
start date: 17:27:53 gmt Oct 7 2012
end date: 17:37:21 gmt Oct 7 2017
Associated Trustpoints: ez***
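Added example, not part of the original post: a small Python audit that parses output in the 'show crypto ca certificates' layout above and reports, per certificate, RSA keys shorter than 2048 bits, SHA1 signatures, and certificates that are expired or within 30 days of expiry (the output above shows 1024-bit keys and SHA1 signatures, which is what such a check would surface). The sample text is constructed from the fields shown above, and the reference time passed as `now` is an assumption.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the 'show crypto ca certificates' layout shown above
SAMPLE = """\
Certificate
Certificate Serial Number: 6120aacb000000000005
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA1 with RSA Encryption
end date: 08:57:44 gmt Oct 12 2013
CA Certificate
Certificate Serial Number: 606323d31d3d4198470400de77cc44a6
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
end date: 17:37:21 gmt Oct 7 2017
"""
HEADER = re.compile(r"^(RA \w+ |CA )?Certificate$")  # lines that start a cert block
KEY_RE = re.compile(r"RSA \((\d+) bits\)")

def parse_date(s):
    # ASA prints e.g. '08:57:44 gmt Oct 12 2013'; the times are UTC
    return datetime.strptime(s.replace(" gmt", ""), "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)

def parse_certs(text):
    # One dict per certificate: 'Field: value' lines become lower-cased keys, bare DN parts are skipped
    certs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if HEADER.match(line):
            cur = {"type": line}
            certs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
    return certs

def audit(cert, now, min_rsa_bits=2048):
    # Findings for one certificate: short RSA key, SHA1 signature, expiry
    findings = []
    m = KEY_RE.search(cert.get("public key type", ""))
    if m and int(m.group(1)) < min_rsa_bits:
        findings.append(f"RSA key {m.group(1)} bits < {min_rsa_bits}")
    if cert.get("signature algorithm", "").upper().startswith("SHA1"):
        findings.append("SHA1 signature")
    end = parse_date(cert["end date"])
    if end <= now:
        findings.append(f"expired {end:%Y-%m-%d}")
    elif (end - now).days < 30:
        findings.append(f"expires in {(end - now).days} days")
    return findings
```

Feed it the real output of the command and a current timestamp to get the same per-certificate findings for a live device.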
4. Configure the client
(1) Configure the trustpoint
(2) After the administrator has issued the certificate, request the identity certificate
(3) When the screen shown in the figure below appears, the request succeeded
(4) Configure the client
5. Verification
Reposted from: https://blog.51cto.com/692344/1021914