Using CA services to authenticate IPsec VPN peers (on Cisco devices)

There are three methods for authenticating IPsec VPN peers:
pre-share: pre-shared key
rsa-sig: RSA signatures
rsa-encr: RSA encryption
This lab uses rsa-sig to authenticate the peers in phase 1. That requires a CA server on the network, which can be provided either by a Windows server or by a router; here a router provides the CA service and the rsa-sig authentication method is used.

Part 1: Basic network setup

1: Headquarters
R1#conf t
R1(config)#hostname zongbu
zongbu(config)#no ip domain-lookup
zongbu(config)#line console 0
zongbu(config-line)#logging synchronous
zongbu(config-line)#exec-timeout 0 0
zongbu(config-line)#exit
zongbu(config)#int f0/1
zongbu(config-if)#ip add 192.168.1.254 255.255.255.0
zongbu(config-if)#no shut
zongbu(config-if)#int f0/0
zongbu(config-if)#ip add 200.0.0.1 255.255.255.0
zongbu(config-if)#no shut
zongbu(config-if)#exit
zongbu(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.2

2: ISP
R2#conf t
R2(config)#int f0/0
R2(config-if)#ip add 200.0.0.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int f0/1
R2(config-if)#ip add 100.0.0.2 255.255.255.0
R2(config-if)#no shut

3: Branch office
R3#conf t
R3(config)#hostname fenbu
fenbu(config)#no ip domain-lookup
fenbu(config)#line console 0
fenbu(config-line)#logging synchronous
fenbu(config-line)#exec-timeout 0 0
fenbu(config-line)#exit
fenbu(config)#int f0/1
fenbu(config-if)#ip add 192.168.2.254 255.255.255.0
fenbu(config-if)#no shut
fenbu(config-if)#int f0/0
fenbu(config-if)#ip add 100.0.0.1 255.255.255.0
fenbu(config-if)#no shut
fenbu(config-if)#exit
fenbu(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.2

Part 2: Time synchronization

1: The headquarters router R1 acts as the NTP server
zongbu#clock set 09:22:30 july 30 2016
zongbu#conf t
zongbu(config)#clock timezone beijing 8
zongbu(config)#ntp master

2: The branch router synchronizes its clock from the NTP server
fenbu(config)#ntp server 100.0.0.1
fenbu(config)#end
fenbu#show clock

Part 3: CA configuration

1: Configure the CA service on the headquarters router

zongbu#conf t
zongbu(config)#ip domain-name cisco.com
zongbu(config)#crypto key generate rsa general-keys label cisco123 modulus 1024
The name for the keys will be: cisco123

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Jul 30 09:48:08.683: %SSH-5-ENABLED: SSH 1.99 has been enabled

zongbu(config)#ip http server

zongbu(config)#crypto pki server cisco

zongbu(cs-server)#issuer-name CN=zongbu.cisco.com,L=beijing,C=CN

zongbu(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit

Password:

Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.
zongbu(cs-server)#end
zongbu#show crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=zongbu.cisco.com
l=beijing
c=CN
Subject:
cn=zongbu.cisco.com
l=beijing
c=CN
Validity Date:
start date: 17:51:58 beijing Jul 30 2016
end date: 17:51:58 beijing Jul 30 2019
Associated Trustpoints: cisco

Part 4: Requesting certificates

1: The headquarters router obtains its own certificate
Headquarters first requests the root certificate from itself (if headquarters does not first obtain the root certificate from its own CA, it cannot obtain its own device certificate).

zongbu#conf t
zongbu(config)#crypto ca trustpoint 200.0.0.1
zongbu(ca-trustpoint)#enrollment mode ra
zongbu(ca-trustpoint)#enrollment url http://200.0.0.1
zongbu(ca-trustpoint)#exit
zongbu(config)#crypto ca authenticate 200.0.0.1
Certificate has the following attributes:
Fingerprint MD5: 0F4F2D42 7B89406E 6A5DE032 6DFD3895
Fingerprint SHA1: 5FB04606 F607E4C0 C77CB828 5AFAC46D 5DA995EB

% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
zongbu(config)#crypto ca enroll 200.0.0.1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Jul 30 09:58:57.116: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair

Password:
Re-enter password:

% The subject name in the certificate will include: zongbu.cisco.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 200.0.0.1 verbose' command will show the fingerprint.

Jul 30 10:00:36.642: CRYPTO_PKI: Certificate Request Fingerprint MD5: C1C948AE 34CEFAD9 952918CA 4A17DAF0
Jul 30 10:00:36.642: CRYPTO_PKI: Certificate Request Fingerprint SHA1: ED90C238 CF4C8E2F BEB69404 7D954833 78C2D026

zongbu(config)#end
zongbu#crypto pki server cisco info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName

RA certificate requests:
ReqID State Fingerprint SubjectName

Router certificates requests:
ReqID State Fingerprint SubjectName

1 pending C1C948AE34CEFAD9952918CA4A17DAF0 serialNumber=FF1045C5+hostname=zongbu.cisco.com

zongbu#crypto pki server cisco grant all
Apr 18 10:35:16.487: %PKI-6-CERTRET: Certificate received from Certificate Authority
zongbu#show crypto ca certificates

Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=zongbu.cisco.com
l=beijing
c=CN
Subject:
Name: zongbu.cisco.com
Serial Number: FF1045C5
serialNumber=FF1045C5+hostname=zongbu.cisco.com
Validity Date:
start date: 11:18:44 beijing Jul 30 2016
end date: 11:18:44 beijing Jul 30 2017
Associated Trustpoints: 200.0.0.1

CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=zongbu.cisco.com
l=beijing
c=CN
Subject:
cn=zongbu.cisco.com
l=beijing
c=CN
Validity Date:
start date: 11:12:49 beijing Jul 30 2016
end date: 11:12:49 beijing Jul 30 2019
Associated Trustpoints: 200.0.0.1 cisco

2: The branch router requests a certificate
1) The branch router enrolls with the CA
fenbu#conf t
fenbu(config)#ip domain-name cisco.com
fenbu(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: fenbu.cisco.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Jul 30 10:09:03.490: %SSH-5-ENABLED: SSH 1.99 has been enabled
fenbu(config)#crypto ca trustpoint 200.0.0.1
fenbu(ca-trustpoint)#enrollment mode ra
fenbu(ca-trustpoint)#enrollment url http://200.0.0.1
fenbu(ca-trustpoint)#exit
fenbu(config)#crypto ca authenticate 200.0.0.1
Certificate has the following attributes:
Fingerprint MD5: 0F4F2D42 7B89406E 6A5DE032 6DFD3895
Fingerprint SHA1: 5FB04606 F607E4C0 C77CB828 5AFAC46D 5DA995EB

% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.

fenbu(config)#crypto ca enroll 200.0.0.1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: fenbu.cisco.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 200.0.0.1 verbose' command will show the fingerprint.

Jul 30 10:11:54.918: CRYPTO_PKI: Certificate Request Fingerprint MD5: A6B154D4 88EB76DC 65FBAC50 08E7B1FA
Jul 30 10:11:54.918: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 202ABAD7 317F0AE9 18EBEC64 63282E74 A73F3BA3

2) Grant the client's certificate request on the headquarters CA server
zongbu#crypto pki server cisco info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName

RA certificate requests:
ReqID State Fingerprint SubjectName

Router certificates requests:
ReqID State Fingerprint SubjectName

2 pending 6471B47A0CCC766A0C84074A9B55AE8A hostname=fenbu.cisco.com

zongbu#crypto pki server cisco grant all
After about a minute the certificate is issued.
On the branch router that requested the certificate a message appears:
fenbu#
Jul 30 10:16:17.550: %PKI-6-CERTRET: Certificate received from Certificate Autho

fenbu#show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=zongbu.cisco.com
l=beijing
c=CN
Subject:
Name: fenbu.cisco.com
hostname=fenbu.cisco.com
Validity Date:
start date: 10:14:38 UTC Jul 30 2016
end date: 10:14:38 UTC Jul 30 2017
Associated Trustpoints: 200.0.0.1

CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=zongbu.cisco.com
l=beijing
c=CN
Subject:
cn=zongbu.cisco.com
l=beijing
c=CN
Validity Date:
start date: 09:51:58 UTC Jul 30 2016
end date: 09:51:58 UTC Jul 30 2019
Associated Trustpoints: 200.0.0.1

After issuance, checking the pending certificate requests on the headquarters CA server shows that the queue is empty:
zongbu#crypto pki server cisco info requests
The Enrollment Request Database is empty.
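As an added example, not part of the original post, the following Python script parses a 'show crypto ca certificates' listing in the layout shown above and reports what would make rsa-sig peer authentication fail on that router: an identity certificate not issued by the trusted CA, or a certificate outside its validity window at the router's current clock (which is why the NTP step in Part 2 matters). The listing is a constructed, abridged copy of the branch router's output; the function and field names are this example's own.

```python
import re
from datetime import datetime
# Abridged 'show crypto ca certificates' listing, constructed to mirror the branch output above.
SHOW_CERTS = """\
Certificate
Certificate Serial Number: 03
Issuer:
cn=zongbu.cisco.com
start date: 10:14:38 UTC Jul 30 2016
end date: 10:14:38 UTC Jul 30 2017

CA Certificate
Certificate Serial Number: 01
Subject:
cn=zongbu.cisco.com
start date: 09:51:58 UTC Jul 30 2016
end date: 09:51:58 UTC Jul 30 2019
"""

def ios_date(s):
    """'10:14:38 UTC Jul 30 2016' -> naive datetime; the zone word is dropped."""
    t = s.split()
    return datetime.strptime(" ".join([t[0]] + t[2:]), "%H:%M:%S %b %d %Y")

def parse_certs(text):
    certs = []  # one dict per block: type, serial, issuer/subject CN, validity window
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        cert, section = {"type": lines[0], "issuer": None, "subject": None}, None
        for line in lines[1:]:
            if line in ("Issuer:", "Subject:"):
                section = line[:-1].lower()
            elif line.startswith("Certificate Serial Number:"):
                cert["serial"] = line.split(":", 1)[1].strip()
            elif line.startswith(("start date:", "end date:")):
                cert[line.split()[0]] = ios_date(line.split(":", 1)[1].strip())
            elif section and line.startswith("cn=") and cert[section] is None:
                cert[section] = line[3:]
        certs.append(cert)
    return certs

def check_chain(text, now):
    """List what would make IKE rsa-sig peer authentication fail on this router."""
    certs = parse_certs(text)
    trusted = {c["subject"] for c in certs if c["type"] == "CA Certificate"}
    problems = [f"{c['type']} serial {c['serial']} not valid at {now}"
                for c in certs if not c["start"] <= now <= c["end"]]  # why the NTP step matters
    problems += [f"identity serial {c['serial']} not issued by a trusted CA"
                 for c in certs if c["type"] == "Certificate" and c["issuer"] not in trusted]
    return problems
```

Feed it the router's 'show clock' time as `now` to see whether a skewed clock would reject a certificate that is otherwise fine.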

Part 5: VPN configuration

1: Headquarters VPN settings

zongbu#conf t
zongbu(config)#crypto isakmp policy 10
zongbu(config-isakmp)#encryption 3des
zongbu(config-isakmp)#authentication rsa-sig
zongbu(config-isakmp)#hash md5
zongbu(config-isakmp)#group 2
zongbu(config-isakmp)#exit

zongbu(config)#crypto ipsec transform-set cisco-set esp-3des esp-md5-hmac
zongbu(cfg-crypto-trans)#mode tunnel
zongbu(cfg-crypto-trans)#exit
zongbu(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
zongbu(config)#crypto map cisco-map 1 ipsec-isakmp
zongbu(config-crypto-map)#set peer 100.0.0.1
zongbu(config-crypto-map)#set transform-set cisco-set
zongbu(config-crypto-map)#match address 101
zongbu(config-crypto-map)#exit

zongbu(config)#int f0/0
zongbu(config-if)#crypto map cisco-map
zongbu(config-if)#exit

2: Branch office VPN settings

fenbu#conf t
fenbu(config)#crypto isakmp policy 10
fenbu(config-isakmp)#encryption 3des
fenbu(config-isakmp)#authentication rsa-sig
fenbu(config-isakmp)#hash md5
fenbu(config-isakmp)#group 2
fenbu(config-isakmp)#exit
fenbu(config)#crypto ipsec transform-set cisco-set esp-3des esp-md5-hmac
fenbu(cfg-crypto-trans)#mode tunnel
fenbu(cfg-crypto-trans)#exit
fenbu(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
fenbu(config)#crypto map cisco-map 1 ipsec-isakmp
fenbu(config-crypto-map)#set peer 200.0.0.1
fenbu(config-crypto-map)#set transform-set cisco-set
fenbu(config-crypto-map)#match address 101
fenbu(config-crypto-map)#exit
fenbu(config)#int f0/0
fenbu(config-if)#crypto map cisco-map
fenbu(config-if)#exit
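The two crypto configurations above have to agree on the phase 1 policy, the transform set and each other's WAN address, and their crypto ACLs have to be mirror images. As an added example, not part of the original post, this Python script pulls those settings out of constructed running-config excerpts (the headquarters one, with the branch one derived from it) and reports any mismatch; function names and messages are this example's own.

```python
# Constructed running-config excerpts with the settings entered above for
# headquarters (zongbu); the branch (fenbu) is its mirror image.
ZONGBU = """\
crypto isakmp policy 10
 encryption 3des
 authentication rsa-sig
 hash md5
 group 2
crypto ipsec transform-set cisco-set esp-3des esp-md5-hmac
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map cisco-map 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set cisco-set
 match address 101
"""
FENBU = (ZONGBU.replace("192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0")
         .replace("set peer 100.0.0.1", "set peer 200.0.0.1"))

def vpn_params(cfg):
    """Pull out the IKE/IPsec settings that have to agree between the two peers."""
    p, in_isakmp = {"isakmp": set()}, False
    for line in cfg.splitlines():
        w = line.split() or [""]
        if line.startswith(" ") and in_isakmp:
            p["isakmp"].add(line.strip())
        elif w[:2] == ["set", "peer"]:
            p["peer"] = w[2]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transform"] = tuple(w[4:])
        elif w[0] == "access-list":
            p["acl"] = tuple(w[4:8])  # src, wildcard, dst, wildcard
        if not line.startswith(" "):
            in_isakmp = w[:2] == ["crypto", "isakmp"]
    return p

def check_peers(hq_cfg, hq_wan, br_cfg, br_wan):
    """Return the mismatches that would keep this tunnel from coming up."""
    hq, br = vpn_params(hq_cfg), vpn_params(br_cfg)
    s, sm, d, dm = hq["acl"]
    checks = [
        (hq["isakmp"] == br["isakmp"], "ISAKMP policy attributes differ"),
        ("authentication rsa-sig" in hq["isakmp"], "phase 1 is not using rsa-sig"),
        (hq["transform"] == br["transform"], "transform sets differ"),
        ((hq["peer"], br["peer"]) == (br_wan, hq_wan), "set peer is not the other side's WAN address"),
        (br["acl"] == (d, dm, s, sm), "crypto ACLs are not mirror images"),
    ]
    return [msg for ok, msg in checks if not ok]
```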

Part 6: Test connectivity between the two hosts

Reprinted from blog.51cto.com/72756/2368034