Cisco IPSec Offline Certificate Authentication
Configuration commands
IPSec VPN with offline certificate enrollment
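! Generate the RSA key pair used for the certificate request, then display it
crypto key generate rsa modulus 1024 label R1
do show crypto key mypubkey rsa
! Trustpoint: "enrollment terminal" means manual (offline) copy-and-paste enrollment
cry pki trustpoint win2012
rsakeypair R1
subject-name cn=R1.freeit,ou=NS,o=yinhe
enrollment terminal
revocation-check none
ex
! Paste the CA certificate, generate the certificate request, import the issued certificate
crypto pki authenticate win2012
crypto pki enroll win2012
crypto pki import win2012 certificate
do show cry pki cer
! Certificate map: match peer certificates whose subject name contains ou=NS
crypto pki certificate map Cert-acl 10
subject-name co ou=NS
exit
! IKE phase 1 policy using RSA signature (certificate) authentication
crypto isakmp policy 10
encryption 3des
group 5
hash sha256
authentication rsa-sig
ex
! ISAKMP profile tying the trustpoint to the certificate map
crypto isakmp profile PKI-profile
ca trust-point win2012
match certificate Cert-acl
ex
! IPSec transform set and the ACL selecting the traffic to protect
crypto ipsec transform-set L2L esp-3des esp-sha256-hmac
access-list 130 permit ip 192.168.1.0 0.0.0.255 4.4.4.0 0.0.0.255
! Crypto map for the peer, applied to interface g0/1
crypto map map1 10 ipsec-isakmp
set peer 23.23.23.1
set transform-set L2L
match address 130
set isakmp-profile PKI-profile
ex
inter g0/1
crypto map map1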
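
The configuration above uses a 1024-bit RSA key, 3DES, DH group 5 and no revocation checking. The following audit script is an added example, not part of the original page: it scans an IOS configuration for those settings. The rule list and its thresholds (2048-bit RSA minimum, DH groups 1/2/5 treated as weak) are assumptions of this example, and it only matches commands written in full, not abbreviated forms.

```python
import re

# Constructed sample: the crypto-strength lines from the configuration above.
SAMPLE = """\
crypto key generate rsa modulus 1024 label R1
cry pki trustpoint win2012
 revocation-check none
crypto isakmp policy 10
 encryption 3des
 group 5
 hash sha256
crypto ipsec transform-set L2L esp-3des esp-sha256-hmac
"""

# (regex, predicate on the match, finding). Thresholds are this example's assumptions.
RULES = [
    (r"^crypto key generate rsa\b.*\bmodulus (\d+)",
     lambda m: int(m.group(1)) < 2048, "RSA key shorter than 2048 bits"),
    (r"^revocation-check none\b",
     lambda m: True, "certificate revocation checking disabled"),
    (r"^encryption (des|3des)\b",
     lambda m: True, "IKE policy encrypts with DES/3DES"),
    (r"^group (\d+)$",
     lambda m: m.group(1) in ("1", "2", "5"), "DH group smaller than 2048 bits"),
    (r"^hash (md5|sha)$",
     lambda m: True, "IKE policy hashes with MD5/SHA-1"),
    (r"^crypto ipsec transform-set \S+ .*\besp-(des|3des)\b",
     lambda m: True, "IPSec transform set encrypts with DES/3DES"),
]
COMPILED = [(re.compile(p), pred, msg) for p, pred, msg in RULES]


def audit(config):
    """Return (line_number, line, finding) for every weak setting found."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()  # sub-mode commands may be indented
        for pattern, is_weak, message in COMPILED:
            match = pattern.search(line)
            if match and is_weak(match):
                findings.append((lineno, line, message))
    return findings


if __name__ == "__main__":
    for lineno, line, message in audit(SAMPLE):
        print(f"line {lineno}: {message}: {line}")
```

Moving to a larger RSA key means generating a new key pair and repeating the enrollment steps, because the issued certificate is bound to the old key.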