Cisco IOS IPsec VPN with CA certificate authentication
   In an IPsec VPN, device authentication is usually done in one of three ways: pre-shared key, rsa-encr (asymmetric pre-shared keys), or rsa-sig (CA certificate authentication). Today we look at an IPsec VPN lab that uses rsa-sig certificate authentication between the devices. The topology is as follows:
 

Configuration:
R1:
R1#show run
!
! Last configuration change at 22:11:04 GMT Sun Jun 19 2011
!
no aaa new-model
memory-size iomem 5
clock timezone GMT 8
!
!
ip cef
ip domain name redhat.com
ip name-server 192.168.4.2
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint caserver
 enrollment mode ra
 enrollment url http://zengfei:80/certsrv/mscep/mscep.dll
 serial-number
 ip-address 202.1.1.1
 revocation-check none
crypto pki certificate chain caserver
 certificate 617BB35B000000000005
        quit
 certificate ca 7782BC7DCD2870AF4F18D51320EE750B
        quit
crypto isakmp policy 1
 encr 3des
 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map map 10 ipsec-isakmp
 set peer 202.1.2.2
 set transform-set myset
 match address 101
ip ssh version 1
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 202.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map map
!
no ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.1.1.2
access-list 101 permit ip host 192.168.1.1 host 192.168.2.1
 
R2:
R2#show run
hostname R2
!
ip cef
ip domain name redhat.com
ip name-server 192.168.4.2
interface FastEthernet0/0
 ip address 202.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 202.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
R3:
R3#show run
hostname R3
memory-size iomem 5
! For certificates, correct time (NTP) is very important
clock timezone GMT 8
!
!
ip cef
ip domain name redhat.com
ip name-server 192.168.4.2
 
crypto pki trustpoint caserver   // equivalent older syntax: crypto ca trustpoint caserver
 enrollment mode ra
 enrollment url http://zengfei:80/certsrv/mscep/mscep.dll
 serial-number
 ip-address 202.1.2.2
 revocation-check none
!
crypto pki certificate chain caserver   // the certificates obtained from the CA
 certificate 61804651000000000006
        quit
 certificate ca 7782BC7DCD2870AF4F18D51320EE750B
        quit
!
!
crypto isakmp policy 1
 encr 3des
 group 2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map map 10 ipsec-isakmp
 set peer 202.1.1.1
 set transform-set myset
 match address 101
ip ssh version 1
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
interface FastEthernet0/1
 ip address 202.1.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map map
ip route 0.0.0.0 0.0.0.0 202.1.2.1
access-list 101 permit ip host 192.168.2.1 host 192.168.1.1   // defines the interesting traffic
 
Test:
R1#ping 192.168.2.1 source lo0
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/115/148 ms
R1#
Of course, the above is only the configuration on the routers; the CA server also needs to be set up: IIS + Certificate Services + DNS + AD + scep.exe
DNS
 

Install SCEP.EXE:
 

This generates the URL the routers point at to request certificates from the CA: http://zengfei/certsrv/mscep/mscep.dll
Once the certificate is installed, we can request certificates using the administrator account.
When requesting an entity certificate (the router certificate) you may be asked to enter a challenge password:
At that point, open http://zengfei/certsrv/mscep/mscep.dll in a browser and log in with the administrator account:
The page looks like this:
 

Then enter the highlighted password on the router to complete the entity certificate request.
Certificate Services:
 

The certificates that have already been issued.
The actual commands we entered on the router:
 
VPN router A:
ip domain-name redhat.com
ip name-server 192.168.4.2
ip domain-lookup
crypto key generate rsa
clock timezone GMT 8
clock set 22:33:33 June 19 2011
! the clock must be correct: the router checks the certificate validity dates against it
crypto ca trustpoint caserver
 enrollment mode ra
 enrollment url http://zengfei:80/certsrv/mscep/mscep.dll
 serial-number
 ip-address 202.1.1.1
 revocation-check none
 exit
! fetch and verify the CA certificate, then request the router's own certificate
crypto ca authenticate caserver
crypto ca enroll caserver
access-list 101 permit ip host 192.168.1.1 host 192.168.2.1
crypto isakmp policy 1
 encryption 3des
 authentication rsa-sig
 hash sha
 group 2
 exit
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map map 10 ipsec-isakmp
 set peer 202.1.2.2
 set transform-set myset
 match address 101
 exit
interface fa0/0
 crypto map map
 exit
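A small configuration audit, added here as an example and not part of the original post or of any Cisco tooling: it reads the security-relevant lines of R1's show run above (embedded as a constructed sample, certificate bodies left out), flags the settings a reviewer would raise (no revocation checking, SCEP over plain HTTP, 3DES, DH group 2, SSHv1, no NTP), and checks that the crypto ACLs of the two peers mirror each other, which IPsec phase 2 requires. The `ntp server` address used in the usage is an assumed value.

```python
import re

# Constructed sample: the security-relevant lines of R1's "show run" from the
# post above, trimmed to what the audit inspects (no certificate bodies).
R1_CONFIG = """\
crypto pki trustpoint caserver
 enrollment mode ra
 enrollment url http://zengfei:80/certsrv/mscep/mscep.dll
 ip-address 202.1.1.1
 revocation-check none
crypto isakmp policy 1
 encr 3des
 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
ip ssh version 1
access-list 101 permit ip host 192.168.1.1 host 192.168.2.1
"""
# R3's crypto ACL from the post, the mirror image of R1's.
R3_ACL = "access-list 101 permit ip host 192.168.2.1 host 192.168.1.1"

# (multiline regex over the config) -> finding raised when it matches
CHECKS = [
    (r"^\s*revocation-check none", "revocation-check none: a revoked peer certificate is still accepted"),
    (r"^\s*enrollment url http://", "SCEP over plain HTTP: compare the fingerprint printed by crypto ca authenticate with the CA's"),
    (r"^\s*encr(yption)? 3des|esp-3des", "3DES in IKE or ESP: 64-bit block cipher, prefer AES"),
    (r"^\s*group [12]\b", "DH group 1/2: 768/1024-bit modulus, prefer group 14 or higher"),
    (r"^\s*ip ssh version 1\b", "SSH version 1 enabled: use ip ssh version 2"),
]

def lint(config: str) -> list:
    """Return the findings raised by an IOS running-config text."""
    findings = [msg for pat, msg in CHECKS if re.search(pat, config, re.M)]
    if not re.search(r"^ntp server ", config, re.M):
        # The post notes that correct time is essential for certificates:
        # validity dates are checked against the router clock.
        findings.append("no ntp server: certificate validity relies on a hand-set clock")
    return findings

ACL = re.compile(r"^access-list (\d+) permit ip host (\S+) host (\S+)", re.M)

def acls_mirror(peer_a: str, peer_b: str) -> bool:
    """True when each peer's crypto ACL is the exact reverse of the other's;
    otherwise the IPsec proxy identities do not match and phase 2 fails."""
    ma, mb = ACL.search(peer_a), ACL.search(peer_b)
    return bool(ma and mb) and (ma.group(2), ma.group(3)) == (mb.group(3), mb.group(2))

if __name__ == "__main__":
    for finding in lint(R1_CONFIG):
        print("-", finding)
    print("ACLs mirror:", acls_mirror(R1_CONFIG, R3_ACL))  # True for R1/R3 above
```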