This lab uses a router as the CA server to build a site-to-site IPSec VPN authenticated with digital certificates instead of a pre-shared key.
Lab environment:
I originally planned to do this lab on IOU, but after trying it I found that IOU's support for a router acting as a CA is poor: either the CA server would not come up, or the certificate could not be obtained, so in the end I used Xiaofan's emulator (小凡模拟器) instead. The IOS image used is (C3745-ADVIPSERVICESK9-M), Version 12.4(3c), RELEASE SOFTWARE (fc1). The topology is as follows:
Lab description:
The lab simulates five routers in total: R1 and R5 stand in for hosts in the two LANs, and wuhan and changzhou are the two LANs' edge routers; wuhan additionally acts as the CA server.
Summary of the configuration steps:
1. On the router that will act as the CA server, set the clock and make it the NTP server; if the network already has an NTP server, point the router at it instead. The goal is synchronized time: certificate validity and CRL checks fail when the peers' clocks disagree.
2. Configure the CA server: enable the HTTP server (SCEP enrollment and CRL download run over it), set the domain name, generate the RSA key pair, and start the CA service.
3. Configure a trustpoint on the server-side router (the CA router also needs its own identity certificate to authenticate as an IPSec peer).
4. Have the server-side router authenticate against the CA to obtain the CA's root certificate.
5. Enroll the server-side router with the CA to request its device identity certificate; once the request has been submitted, grant it on the CA server.
6. On the client router, configure the NTP server so that its clock is synchronized.
7. On the client router, configure the domain name and generate the key pair.
8. On the client router, configure the trustpoint.
9. Have the client router authenticate against the CA to obtain the CA's root certificate.
10. Enroll the client router with the CA to request its device identity certificate; once the request has been submitted, grant it on the CA server.
11. Do the ordinary IPSec VPN configuration; the only difference is that ISAKMP authentication changes from the usual pre-shared key to digital certificates (rsa-sig).
Main configuration commands and explanations:
Set the clock (clock set, in privileged EXEC mode; the log line confirms the manual update):
*Feb 2 13:20:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:02:33 UTC Fri Mar 1 2002 to 13:20:00 UTC Thu Feb 2 2012, configured from console by console.
Enable the HTTP server and configure the domain name (in configuration mode):
Enter configuration commands, one per line. End with CNTL/Z.
Generate the RSA key pair:
wuhan(config)#crypto key generate rsa general-keys label caserver    <- the value after label, caserver, is the name the CA server will be created with
The name for the keys will be: caserver
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
Feb 2 13:21:45.067: %SSH-5-ENABLED: SSH 1.99 has been enabled
Pressing Enter accepts the 512-bit default, as was done here. A 512-bit RSA key can be factored with modest resources, so outside a lab enter 2048 at the prompt (or append "modulus 2048" to the command); the CA's key cannot be changed later without re-issuing every certificate signed under it. The SSH message is a side effect: generating an RSA key pair automatically enables the SSH server.
Configure and enable the CA server:
wuhan(config)#crypto pki server caserver    <- the CA server name; it must match the label given when the key pair was generated
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: (enter a passphrase, e.g. 12345678; it protects the CA's private key)
Re-enter password:
% Certificate Server enabled.    <- the service started successfully
Display the CA server (show crypto pki server):
Certificate Server caserver:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=caserver
CA cert fingerprint: 51A50612 7690A10E 30DF6B77 838A253D    <- record this; every router that authenticates to the CA must compare the fingerprint it is shown against this value
Granting mode is: manual    <- each enrollment request must be approved by an administrator; with "grant auto" the CA would issue a certificate to anyone able to reach the enrollment URL
Last certificate issued serial number: 0x1
CA certificate expiration timer: 13:22:36 UTC Feb 1 2015
CRL NextUpdate timer: 13:22:36 UTC Feb 9 2012
Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage
View the CA certificate (show crypto pki certificates):
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: caserver
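The commands that produced the output above were not captured on this page. The following is an added example, not the page's own capture, of the CA-server side of wuhan as that output implies it. The key label and CA name caserver, the domain cjgs.com, manual granting and the three-year CA / one-year device / seven-day CRL lifetimes are what the page's output shows; the NTP stratum, the 2048-bit modulus (in place of the 512-bit default the page accepted) and the explicit lifetime lines are assumptions.

```cisco
! Added example of the CA-side setup on wuhan (not the page's own capture).
! From the page: key label / CA name "caserver", domain cjgs.com, manual
! granting, 3-year CA cert, 1-year device certs, 7-day CRL.
! Assumptions: NTP stratum, 2048-bit modulus, explicit lifetime lines.
wuhan#clock set 13:20:00 2 Feb 2012
wuhan#configure terminal
wuhan(config)#ntp master 3                    ! serve time to the peers; validity checks need it
wuhan(config)#ip domain name cjgs.com
wuhan(config)#ip http server                  ! SCEP enrollment and CRL download run over HTTP
wuhan(config)#crypto key generate rsa general-keys label caserver modulus 2048
wuhan(config)#crypto pki server caserver      ! name must equal the key label
wuhan(cs-server)#issuer-name CN=caserver
wuhan(cs-server)#lifetime ca-certificate 1095 ! 3 years, as in the page's output
wuhan(cs-server)#lifetime certificate 365     ! device certificates: 1 year
wuhan(cs-server)#lifetime crl 168             ! CRL republished weekly
wuhan(cs-server)#database level minimal       ! shown as "Database Level: Minimum"
wuhan(cs-server)#no grant auto                ! every request approved by hand (the default)
wuhan(cs-server)#no shutdown                  ! prompts for the passphrase protecting the CA key
wuhan(cs-server)#exit
wuhan(config)#end
wuhan#show crypto pki server                  ! note "CA cert fingerprint" for out-of-band checks
wuhan#show crypto pki certificates            ! the self-signed CA certificate, serial 01
```

Settings such as issuer-name and the lifetimes are locked once no shutdown has generated the CA certificate ("Server's configuration is locked"); change them before starting the server, since regenerating the CA certificate afterwards invalidates every certificate already issued.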
Configure the trustpoint (crypto pki trustpoint). This is a second trustpoint on wuhan, named 59.175.234.102 after the CA's address, through which wuhan obtains its own identity certificate; the trustpoint named caserver was created automatically when the CA server was enabled.
Enter configuration commands, one per line. End with CNTL/Z.
Authenticate the trustpoint to obtain the CA root certificate (crypto pki authenticate 59.175.234.102):
Certificate has the following attributes:
Fingerprint MD5: 51A50612 7690A10E 30DF6B77 838A253D
Fingerprint SHA1: 688268EB 7CBFD71C ACE1317C 394F19AF 83B0C7B2
% Do you accept this certificate? [yes/no]: y
Before answering yes, compare the fingerprints with the "CA cert fingerprint" line of show crypto pki server (51A50612 7690A10E 30DF6B77 838A253D above; they match). This comparison is the only thing that stops an attacker on the path from handing the router a CA certificate of their own: on the CA router itself it is trivial, on a remote client it must be done out of band.
View the certificates (show crypto pki certificates):
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102 caserver    <- the CA certificate is now bound to both trustpoints
Enroll with the CA to request the device's identity certificate (crypto pki enroll 59.175.234.102):
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: (choose a password, e.g. 87654321)
Feb 2 13:29:07.379: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair    <- the only existing key pair carries the label caserver and belongs to the CA, so enrollment generates a separate default key pair for the router's own identity (again 512 bits; use rsakeypair under the trustpoint to select a dedicated, stronger pair)
Re-enter password:
% The subject name in the certificate will include: wuhan.cjgs.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n    <- these two prompts are suppressed by serial-number none and ip-address none under the trustpoint
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 59.175.234.102 verbose' command will show the fingerprint.
View the enrollment request on the CA server (crypto pki server caserver info requests):
Enrollment Request Database:
Subordinate CA certificate requests:
--------------------------------------------------------------
RA certificate requests:
--------------------------------------------------------------
Router certificates requests:
--------------------------------------------------------------
1 pending D93C6086850599878DC34E3062B1D24E hostname=wuhan.cjgs.com    <- the submitted enrollment request, state pending
View the certificates on wuhan (show crypto pki certificates):
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102 caserver
Certificate
Subject:
Name: wuhan.cjgs.com
Status: Pending    <- the identity certificate is still pending
Key Usage: General Purpose
Certificate Request Fingerprint MD5: D93C6086 85059987 8DC34E30 62B1D24E
Certificate Request Fingerprint SHA1: E06AE039 C855FA9B BA4EDE9D 12028E9F 5BBFB4F7
Associated Trustpoint: 59.175.234.102
Grant the certificate on the CA server:
wuhan#crypto pki server caserver grant 1    <- 1 is the request ID; "grant all" grants every pending request
... after a short wait (the enrolling router polls the CA for the result at its SCEP retry interval):
Feb 2 13:33:36.707: %PKI-6-CERTRET: Certificate received from Certificate Authority    <- certificate received, enrollment succeeded
View the certificates:
Certificate    <- the device (identity) certificate just obtained
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=caserver
Subject:
Name: wuhan.cjgs.com
hostname=wuhan.cjgs.com
Validity Date:
start date: 13:31:59 UTC Feb 2 2012
end date: 13:31:59 UTC Feb 1 2013    <- device certificates are issued for one year; re-enroll before this date (or configure auto-enroll under the trustpoint), otherwise the tunnel stops coming up
Associated Trustpoints: 59.175.234.102
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102 caserver
Make the router an NTP server for time synchronization (ntp master):
Enter configuration commands, one per line. End with CNTL/Z.
Point the client router at the NTP server (ntp server with wuhan's address) and verify with show clock:
Enter configuration commands, one per line. End with CNTL/Z.
13:35:55.663 UTC Thu Feb 2 2012    <- show clock output; no leading "*" or "." before the time, so the clock is synchronized and authoritative
Configure the client router's domain name (ip domain name cjgs.com):
Generate the key pair; here no label parameter is given, so the keys are named after the router's FQDN:
The name for the keys will be: changzhou.cjgs.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]    <- the 512-bit default again; use 2048 outside a lab
Feb 2 13:37:41.801: %SSH-5-ENABLED: SSH 1.99 has been enabled
Configure the trustpoint (crypto pki trustpoint 59.175.234.102, with its enrollment url pointing at the CA's HTTP server):
Authenticate the trustpoint to obtain the CA root certificate (crypto pki authenticate 59.175.234.102):
Certificate has the following attributes:
Fingerprint MD5: 51A50612 7690A10E 30DF6B77 838A253D
Fingerprint SHA1: 688268EB 7CBFD71C ACE1317C 394F19AF 83B0C7B2
% Do you accept this certificate? [yes/no]: y
These fingerprints equal the CA cert fingerprint that show crypto pki server reports on wuhan, so the certificate is genuine and can be accepted. On a real WAN the comparison has to be made out of band: the fingerprint displayed here arrived over the same unauthenticated HTTP download that an attacker in the path could replace.
View the certificate obtained on the client router:
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102
Request the device identity certificate from the CA (crypto pki enroll 59.175.234.102):
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: (choose a password, e.g. 11111111)
Re-enter password:
% The subject name in the certificate will include: changzhou.cjgs.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 59.175.234.102 verbose' command will show the fingerprint.
Feb 2 13:41:56.820: CRYPTO_PKI: Certificate Request Fingerprint MD5: 6396F2BA ABE2EDA4 B7815564 E53B1BD6
Feb 2 13:41:56.828: CRYPTO_PKI: Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF 98205A9F 3A770A01
View the certificate enrollment request on the CA server (crypto pki server caserver info requests):
Enrollment Request Database:
Subordinate CA certificate requests:
--------------------------------------------------------------
RA certificate requests:
--------------------------------------------------------------
Router certificates requests:
--------------------------------------------------------------
2 pending 6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com
Grant the client's request (crypto pki server caserver grant 2) and list the requests again:
Enrollment Request Database:
Subordinate CA certificate requests:
--------------------------------------------------------------
RA certificate requests:
--------------------------------------------------------------
Router certificates requests:
--------------------------------------------------------------
2 granted 6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com    <- after granting, the state changes from pending to granted
View the certificates on the client router:
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102
Certificate
Subject:
Name: changzhou.cjgs.com
Status: Pending    <- the identity certificate is still pending; the granted certificate has not yet been fetched from the CA
Key Usage: General Purpose
Certificate Request Fingerprint MD5: 6396F2BA ABE2EDA4 B7815564 E53B1BD6
Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF 98205A9F 3A770A01
Associated Trustpoint: 59.175.234.102
... after a short wait:
Feb 2 13:44:14.602: %PKI-6-CERTRET: Certificate received from Certificate Authority    <- certificate received
View the certificates again:
Certificate
Status: Available    <- the status has changed from Pending
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=caserver
Subject:
Name: changzhou.cjgs.com
hostname=changzhou.cjgs.com
Validity Date:
start date: 13:43:35 UTC Feb 2 2012
end date: 13:43:35 UTC Feb 1 2013
Associated Trustpoints: 59.175.234.102
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102
View the CA server on the server side again:
Certificate Server caserver:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=caserver
CA cert fingerprint: AE37D488 FF186F5F 30DE841F 0A1BAFC9
Granting mode is: manual
Last certificate issued serial number: 0x3    <- serial number of the last certificate issued
CA certificate expiration timer: 11:31:32 UTC Feb 2 2015
CRL NextUpdate timer: 11:31:32 UTC Feb 10 2012
Note that the fingerprint and the timers here differ from the first show crypto pki server output (51A50612 7690A10E 30DF6B77 838A253D, expiring Feb 1 2015), so this capture comes from a different CA certificate than the one the two routers accepted above. In a real deployment the fingerprint a peer accepts must be the one this command reports on the CA; a regenerated CA certificate invalidates every certificate issued under the old one, and all peers must re-authenticate and re-enroll.
Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage
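The client-side commands whose output appears above were likewise not captured. The following is an added example, not the page's capture, that assembles them: changzhou synchronizes time, authenticates the trustpoint and enrolls, wuhan grants the request, and, going one step beyond the page, wuhan revokes the certificate, which is what the challenge password chosen at enrollment exists for. The CA address, trustpoint name, domain, request ID 2 and certificate serial 03 come from the page's output; the 2048-bit modulus, the revocation-check line and the CRL refresh are assumptions.

```cisco
! Added example: client enrollment on changzhou, granting and revocation on
! wuhan (not the page's capture). Addresses, names and serials are from the
! page's output; modulus, revocation-check and CRL refresh are assumptions.
changzhou#configure terminal
changzhou(config)#ntp server 59.175.234.102         ! the CA router is also the time source
changzhou(config)#ip domain name cjgs.com
changzhou(config)#crypto key generate rsa general-keys modulus 2048   ! unlabelled: named changzhou.cjgs.com
changzhou(config)#crypto pki trustpoint 59.175.234.102
changzhou(ca-trustpoint)#enrollment url http://59.175.234.102:80
changzhou(ca-trustpoint)#revocation-check crl       ! refuse peers whose certificate is on the CA's CRL
changzhou(ca-trustpoint)#serial-number none         ! pre-answers the two enrollment prompts
changzhou(ca-trustpoint)#ip-address none
changzhou(ca-trustpoint)#exit
changzhou(config)#crypto pki authenticate 59.175.234.102
! answer "yes" only if the fingerprints shown equal "show crypto pki server" on wuhan
changzhou(config)#crypto pki enroll 59.175.234.102
! choose the challenge password here; the CA administrator asks for it before revoking
changzhou(config)#end
changzhou#show clock                                ! must fall inside the CA certificate's validity window
changzhou#show crypto pki certificates              ! identity cert shows Status: Pending until granted

wuhan#crypto pki server caserver info requests      ! request 2, state pending
wuhan#crypto pki server caserver grant 2
! changzhou polls the CA and logs %PKI-6-CERTRET when the certificate arrives

! Revocation: the certificate issued to changzhou has serial 03
wuhan#crypto pki server caserver revoke 03
wuhan#crypto pki server caserver info crl           ! serial 03 is now listed on the CRL
wuhan#configure terminal
wuhan(config)#crypto pki crl request 59.175.234.102 ! fetch the new CRL now instead of at NextUpdate
wuhan(config)#end
! the next IKE negotiation from changzhou fails certificate validation on wuhan
```

Revocation only bites if the validating peer actually checks the CRL: with revocation-check none a revoked peer keeps authenticating until its certificate expires, and even with revocation-check crl a peer keeps its cached CRL until the NextUpdate time (one week with the lifetime shown above) unless it is refreshed by hand.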
IPSec VPN configuration
Server side (wuhan)
wuhan(config-isakmp)#authentication rsa-sig    <- inside the ISAKMP policy, authentication changes from pre-share to rsa-sig (certificates)
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.    <- printed when the crypto map entry is created; it becomes usable once set peer and match address are configured
Feb 2 13:49:41.339: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Client side (changzhou)
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Feb 2 13:54:41.658: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is On
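The IPSec configuration those log lines come from was not captured either. As an added example (not the page's own capture), this is the configuration on wuhan; changzhou mirrors it with the peer address and the ACL direction swapped. The peer addresses and LAN prefixes come from the page's show crypto session output; the policy number, algorithms, transform-set and crypto-map names, ACL number and wuhan's WAN interface are assumptions (changzhou's FastEthernet0/1 is from the page).

```cisco
! Added example: site-to-site IPSec on wuhan authenticated with certificates
! (not the page's capture). Peer addresses and LAN prefixes are from the page;
! policy number, algorithms, names and the interface are assumptions.
wuhan#configure terminal
wuhan(config)#crypto isakmp policy 10
wuhan(config-isakmp)#encryption aes 128
wuhan(config-isakmp)#hash sha
wuhan(config-isakmp)#authentication rsa-sig       ! certificates instead of pre-share; no key to leak or guess
wuhan(config-isakmp)#group 2
wuhan(config-isakmp)#exit
wuhan(config)#crypto ipsec transform-set TS esp-aes esp-sha-hmac
wuhan(cfg-crypto-trans)#exit
wuhan(config)#access-list 100 permit ip 172.19.10.0 0.0.0.255 172.19.129.0 0.0.0.255
wuhan(config)#crypto map VPN 10 ipsec-isakmp
wuhan(config-crypto-map)#set peer 59.19.111.34     ! changzhou
wuhan(config-crypto-map)#set transform-set TS
wuhan(config-crypto-map)#match address 100
wuhan(config-crypto-map)#exit
wuhan(config)#interface FastEthernet0/0            ! assumed WAN interface holding 59.175.234.102
wuhan(config-if)#crypto map VPN
wuhan(config-if)#end
! changzhou: same policy 10 and transform set TS; set peer 59.175.234.102;
! access-list 100 permit ip 172.19.129.0 0.0.0.255 172.19.10.0 0.0.0.255;
! crypto map VPN applied to FastEthernet0/1 (its interface in "show crypto session").
! Each side proves its IKE identity by signing with the key behind its
! caserver-issued certificate, and validates the peer's cert against the CA
! cert and CRL held under trustpoint 59.175.234.102.
wuhan#show crypto isakmp sa                        ! QM_IDLE / ACTIVE once phase 1 is up
wuhan#show crypto session
wuhan#show crypto ipsec sa                         ! per-SA packet counters
wuhan#debug crypto isakmp                          ! shows certificate validation failures (CRL fetch, clock skew, wrong CA)
```

With rsa-sig, a peer that reaches a wrong issuer, an expired or revoked certificate, or a clock outside the certificate's validity window fails in phase 1 before any traffic flows; debug crypto isakmp on the responder is the quickest way to see which of these it was.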
Testing
show crypto isakmp sa: the phase-1 SA between the two peers is established (state QM_IDLE, status ACTIVE):
dst src state conn-id slot status
59.19.111.34 59.175.234.102 QM_IDLE 1 0 ACTIVE
show crypto session on changzhou (local address 59.19.111.34):
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 59.175.234.102 port 500
IKE SA: local 59.19.111.34/500 remote 59.175.234.102/500 Active
IPSEC FLOW: permit ip 172.19.129.0/255.255.255.0 172.19.10.0/255.255.255.0
Active SAs: 2, origin: crypto map
R1 (a host on wuhan's LAN, 172.19.10.0/24) pings R5 at 172.19.129.100 on changzhou's LAN:
R1#ping 172.19.129.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 172.19.129.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 136/201/260 ms
The first ping fails completely: the first packet matching the crypto ACL only triggers IKE negotiation (phase 1 with certificate exchange and validation, then phase 2), and packets are dropped until the security associations exist. The second ping gets through once the tunnel is up.