Sunday, February 26, 2012

Certificate-based IPsec VPN using a router as the CA


This lab uses a router as the CA server to build a site-to-site IPsec VPN authenticated with digital certificates.
Lab environment:
I originally planned to do this lab in IOU, but after trying it I found that IOU's support for running a CA on a router is poor: either the CA server would not come up or the certificate could not be obtained, so in the end I used Xiaofan's emulator (小凡模拟器). The IOS used is (C3745-ADVIPSERVICESK9-M), Version 12.4(3c), RELEASE SOFTWARE (fc1). The topology is as follows:
Lab description:
Five routers are simulated in total: R1 and R5 act as hosts in the two LANs, and the wuhan and changzhou routers act as the edge routers of the two LANs; the wuhan router additionally serves as the CA server.
Summary of configuration steps:
1. On the router that will act as the CA server, set the clock and make it the NTP server; if the network already has an NTP server, point the router at that server instead. The goal is time synchronization, since certificate validity is checked against the clock.
2. Configure the CA server first: enable the HTTP server, configure the domain name, generate the key, and enable the CA service.
3. Configure a trustpoint on the server-side router.
4. Authenticate the server-side router with the CA server to obtain the CA root certificate.
5. Enroll the server-side router with the CA server to request the device's identity certificate; after the request is submitted, issue the certificate on the CA server.
6. Configure the NTP server on the client router for time synchronization.
7. Configure the domain name and generate the key on the client router.
8. Configure a trustpoint on the client router.
9. Authenticate the client router with the CA server to obtain the CA root certificate.
10. Enroll the client router with the CA server to request the device's identity certificate; after the request is submitted, issue it on the CA server.
11. Perform the usual IPsec VPN configuration; the one difference is that the authentication method changes from the usual pre-shared key to digital certificates.
Main configuration commands and notes:
Set the clock
wuhan#clock set 13:20:00 2 feb 2012
wuhan#
*Feb  2 13:20:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:02:33 UTC Fri Mar 1 2002 to 13:20:00 UTC Thu Feb 2 2012, configured from console by console.

Enable HTTP and configure the domain name
wuhan#config t
Enter configuration commands, one per line.  End with CNTL/Z.
wuhan(config)#ip http server
wuhan(config)#ip domain-name cjgs.com

Generate the key
wuhan(config)#crypto key generate rsa general-keys label caserver    (caserver after label is the name the CA server will be given when it is enabled)
The name for the keys will be: caserver
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

wuhan(config)#
Feb  2 13:21:45.067: %SSH-5-ENABLED: SSH 1.99 has been enabled
wuhan(config)#

Configure and enable the CA server
wuhan(config)#crypto pki server caserver       (the CA server name; it must match the label used when generating the key)
wuhan(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: (enter a password, e.g. 12345678)

Re-enter password:

% Certificate Server enabled.       (the service was enabled successfully)
wuhan(cs-server)#exit
wuhan(config)#

Display the CA server
wuhan#sh crypto pki server
Certificate Server caserver:
    Status: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=caserver
    CA cert fingerprint: 51A50612 7690A10E 30DF6B77 838A253D
    Granting mode is: manual
    Last certificate issued serial number: 0x1
    CA certificate expiration timer: 13:22:36 UTC Feb 1 2015
    CRL NextUpdate timer: 13:22:36 UTC Feb 9 2012
    Current storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

View the server certificate
wuhan#sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=caserver
  Subject:
    cn=caserver
  Validity Date:
    start date: 13:22:36 UTC Feb 2 2012
    end   date: 13:22:36 UTC Feb 1 2015
  Associated Trustpoints: caserver

Configure the trustpoint
wuhan#config t
Enter configuration commands, one per line.  End with CNTL/Z.
wuhan(config)#crypto pki trustpoint 59.175.234.102
wuhan(ca-trustpoint)#enrollment mode ra
wuhan(ca-trustpoint)#enrollment url http://59.175.234.102
wuhan(ca-trustpoint)#exit

Authenticate with the CA server and obtain the CA root certificate
wuhan(config)#crypto pki authenticate 59.175.234.102
Certificate has the following attributes:
       Fingerprint MD5: 51A50612 7690A10E 30DF6B77 838A253D
      Fingerprint SHA1: 688268EB 7CBFD71C ACE1317C 394F19AF 83B0C7B2

% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
wuhan(config)#

View certificates
wuhan#sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=caserver
  Subject:
    cn=caserver
  Validity Date:
    start date: 13:22:36 UTC Feb 2 2012
    end   date: 13:22:36 UTC Feb 1 2015
  Associated Trustpoints: 59.175.234.102 caserver

Enroll with the CA server for the device's identity certificate
wuhan(config)#crypto pki enroll 59.175.234.102
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: (specify a password, e.g. 87654321)
Feb  2 13:29:07.379: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:

% The subject name in the certificate will include: wuhan.cjgs.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 59.175.234.102 verbose' commandwill show the fingerprint.

wuhan(config)#


View the enrollment request on the CA server
wuhan#crypto pki server caserver info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      pending    D93C6086850599878DC34E3062B1D24E hostname=wuhan.cjgs.com  (the submitted enrollment request; its state is pending)
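Two manual comparisons are the security-relevant part of this procedure: the MD5 fingerprint offered at crypto pki authenticate must equal the "CA cert fingerprint" the CA itself displays, and before granting a ReqID the fingerprint in the request table must equal the "Certificate Request Fingerprint MD5" printed on the enrolling router (the same value is shown with and without spaces in the two outputs). The following Python helper is an added example, not part of the original post; it parses constructed samples modelled on the outputs above and performs both checks.

```python
import re

# Constructed sample output, modelled on what this post shows (not captured live).
CA_SERVER_SHOW = """Certificate Server caserver:
    Status: enabled
    CA cert fingerprint: 51A50612 7690A10E 30DF6B77 838A253D
"""
AUTHENTICATE_PROMPT = """Certificate has the following attributes:
       Fingerprint MD5: 51A50612 7690A10E 30DF6B77 838A253D
      Fingerprint SHA1: 688268EB 7CBFD71C ACE1317C 394F19AF 83B0C7B2
"""
INFO_REQUESTS = """Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      pending    D93C6086850599878DC34E3062B1D24E hostname=wuhan.cjgs.com
"""
DEVICE_CERT_SHOW = """Certificate
  Subject:
    Name: wuhan.cjgs.com
   Status: Pending
   Certificate Request Fingerprint MD5: D93C6086 85059987 8DC34E30 62B1D24E
"""

def norm(fp):
    # IOS prints the same fingerprint with spaces in one command and without in another
    return re.sub(r"\s+", "", fp).upper()

def grab(label, text):
    # Returns the normalised hex value following 'label:' or None if the label is absent
    m = re.search(re.escape(label) + r":\s*([0-9A-Fa-f ]+)", text)
    return norm(m.group(1)) if m else None

def ca_cert_matches(show_pki_server, authenticate_output):
    # True only when the value offered at 'crypto pki authenticate' equals the CA's own fingerprint
    expected = grab("CA cert fingerprint", show_pki_server)
    return expected is not None and expected == grab("Fingerprint MD5", authenticate_output)

def parse_requests(info_requests):
    # Rows of the ReqID table -> {req_id: (state, fingerprint, subject)}
    rows = re.findall(r"^(\d+)\s+(\w+)\s+([0-9A-Fa-f]{32})\s+(\S+)", info_requests, re.M)
    return {int(i): (s, norm(fp), subj) for i, s, fp, subj in rows}

def requests_to_grant(info_requests, device_cert_show, expected_host):
    # ReqIDs still pending whose fingerprint and hostname match what the enrolling router printed
    device_fp = grab("Certificate Request Fingerprint MD5", device_cert_show)
    return [rid for rid, (state, fp, subj) in parse_requests(info_requests).items()
            if state == "pending" and fp == device_fp and subj == "hostname=" + expected_host]
```

Only the ReqIDs returned by requests_to_grant should be passed to crypto pki server caserver grant; an empty list means the request on the CA does not match the router that claims to have sent it.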


View certificates
wuhan#sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=caserver
  Subject:
    cn=caserver
  Validity Date:
    start date: 13:22:36 UTC Feb 2 2012
    end   date: 13:22:36 UTC Feb 1 2015
  Associated Trustpoints: 59.175.234.102 caserver


Certificate
  Subject:
    Name: wuhan.cjgs.com
   Status: Pending                      (the state is pending)
   Key Usage: General Purpose
   Certificate Request Fingerprint MD5: D93C6086 85059987 8DC34E30 62B1D24E
   Certificate Request Fingerprint SHA1: E06AE039 C855FA9B BA4EDE9D 12028E9F 5BBFB4F7
   Associated Trustpoint: 59.175.234.102


Issue the certificate on the CA server
wuhan#crypto pki server caserver grant 1   (1 here is the request ID; the all parameter grants every pending request instead)

... wait a moment
wuhan#
Feb  2 13:33:36.707: %PKI-6-CERTRET: Certificate received from Certificate Authority   (certificate received; enrollment succeeded)


View certificates
wuhan#sh crypto ca certificates
Certificate                       (the device certificate that was obtained)
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Issuer:
    cn=caserver
  Subject:
    Name: wuhan.cjgs.com
    hostname=wuhan.cjgs.com
  Validity Date:
    start date: 13:31:59 UTC Feb 2 2012
    end   date: 13:31:59 UTC Feb 1 2013
  Associated Trustpoints: 59.175.234.102

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=caserver
  Subject:
    cn=caserver
  Validity Date:
    start date: 13:22:36 UTC Feb 2 2012
    end   date: 13:22:36 UTC Feb 1 2015
  Associated Trustpoints: 59.175.234.102 caserver


Make the router an NTP server for time synchronization
wuhan#config t
Enter configuration commands, one per line.  End with CNTL/Z.
wuhan(config)#ntp master


Specify the NTP server on the client router
changzhou#config t
Enter configuration commands, one per line.  End with CNTL/Z.
changzhou(config)#ntp server 59.175.234.102

changzhou#sh clock
13:35:55.663 UTC Thu Feb 2 2012

Configure the client router's domain name
changzhou(config)#ip domain-name cjgs.com


Generate the key; the label parameter is not used here
changzhou(config)#crypto key generate rsa general-keys
The name for the keys will be: changzhou.cjgs.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

changzhou(config)#
Feb  2 13:37:41.801: %SSH-5-ENABLED: SSH 1.99 has been enabled
changzhou(config)#

Configure the trustpoint
changzhou(config)#crypto pki trustpoint 59.175.234.102
changzhou(ca-trustpoint)#enrollment mode ra
changzhou(ca-trustpoint)#enrollment url http://59.175.234.102
changzhou(ca-trustpoint)#exit


Authenticate with the CA server and obtain the CA root certificate
changzhou(config)#crypto pki authenticate 59.175.234.102
Certificate has the following attributes:
       Fingerprint MD5: 51A50612 7690A10E 30DF6B77 838A253D
      Fingerprint SHA1: 688268EB 7CBFD71C ACE1317C 394F19AF 83B0C7B2

% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
changzhou(config)#


View the certificate obtained on the client router
changzhou#sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=caserver
  Subject:
    cn=caserver
  Validity Date:
    start date: 13:22:36 UTC Feb 2 2012
    end   date: 13:22:36 UTC Feb 1 2015
  Associated Trustpoints: 59.175.234.102


changzhou#



Enroll with the CA server for the device's identity certificate
changzhou(config)#crypto pki enroll 59.175.234.102
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: (specify a password, e.g. 11111111)
Re-enter password:

% The subject name in the certificate will include: changzhou.cjgs.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 59.175.234.102 verbose' commandwill show the fingerprint.

changzhou(config)#
Feb  2 13:41:56.820: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 6396F2BA ABE2EDA4 B7815564 E53B1BD6
Feb  2 13:41:56.828: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF 98205A9F 3A770A01
changzhou(config)#


View the certificate enrollment request on the CA server
wuhan#crypto pki server caserver info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
2      pending    6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com


Grant the certificate requested by the client
wuhan#crypto pki server caserver grant 2


wuhan#crypto pki server caserver info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
2      granted    6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com    (after granting, the state changes from pending to granted)



View certificates on the client router
changzhou#sh crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=caserver
  Subject:
    cn=caserver
  Validity Date:
    start date: 13:22:36 UTC Feb 2 2012
    end   date: 13:22:36 UTC Feb 1 2015
  Associated Trustpoints: 59.175.234.102


Certificate
  Subject:
    Name: changzhou.cjgs.com
   Status: Pending               (the identity certificate is still pending; the certificate issued by the CA has not been received yet)
   Key Usage: General Purpose
   Certificate Request Fingerprint MD5: 6396F2BA ABE2EDA4 B7815564 E53B1BD6
   Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF 98205A9F 3A770A01
   Associated Trustpoint: 59.175.234.102



... wait a moment
Feb  2 13:44:14.602: %PKI-6-CERTRET: Certificate received from Certificate Authority   (certificate received)



View certificates
changzhou#sh crypto ca certificates
Certificate
  Status: Available                (the certificate's state has changed)
  Certificate Serial Number: 03
  Certificate Usage: General Purpose
  Issuer:
    cn=caserver
  Subject:
    Name: changzhou.cjgs.com
    hostname=changzhou.cjgs.com
  Validity Date:
    start date: 13:43:35 UTC Feb 2 2012
    end   date: 13:43:35 UTC Feb 1 2013
  Associated Trustpoints: 59.175.234.102

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=caserver
  Subject:
    cn=caserver
  Validity Date:
    start date: 13:22:36 UTC Feb 2 2012
    end   date: 13:22:36 UTC Feb 1 2015
  Associated Trustpoints: 59.175.234.102


View the CA server on the server side
wuhan#sh crypto pki server
Certificate Server caserver:
    Status: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=caserver
    CA cert fingerprint: AE37D488 FF186F5F 30DE841F 0A1BAFC9
    Granting mode is: manual
    Last certificate issued serial number: 0x3              (serial number of the last certificate issued)
    CA certificate expiration timer: 11:31:32 UTC Feb 2 2015
    CRL NextUpdate timer: 11:31:32 UTC Feb 10 2012
    Current storage dir: nvram:
    Database Level: Minimum - no cert data written to storage


Configure the IPsec VPN
Server side
wuhan(config)#access-list 100 permit ip 172.19.10.0 0.0.0.255 172.19.129.0 0.0.0.255


wuhan(config)#crypto isakmp policy 10
wuhan(config-isakmp)#authentication rsa-sig      (authentication method changed to rsa-sig)
wuhan(config-isakmp)#encryption 3des
wuhan(config-isakmp)#hash md5
wuhan(config-isakmp)#group 2
wuhan(config-isakmp)#exit

wuhan(config)#crypto ipsec transform-set set1 esp-3des esp-md5-hmac
wuhan(cfg-crypto-trans)#exit

wuhan(config)#crypto map tochangzhou 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
wuhan(config-crypto-map)#match add 100
wuhan(config-crypto-map)#set tran set1
wuhan(config-crypto-map)#set peer 59.19.111.34
wuhan(config-crypto-map)#exit

wuhan(config)#int f0/0
wuhan(config-if)#crypto map tochangzhou
wuhan(config-if)#end
wuhan#
Feb  2 13:49:41.339: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


Client side
changzhou(config)#access-list 100 permit ip 172.19.129.0 0.0.0.255 172.19.10.0 0.0.0.255


changzhou(config)#crypto isakmp policy 10
changzhou(config-isakmp)#authentication rsa-sig
changzhou(config-isakmp)#hash md5
changzhou(config-isakmp)#encryption 3des
changzhou(config-isakmp)#group 2
changzhou(config-isakmp)#exit

changzhou(config)#crypto ipsec transform-set set1 esp-3des esp-md5-hmac
changzhou(cfg-crypto-trans)#exit

changzhou(config)#crypto map towuhan 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
changzhou(config-crypto-map)#match add 100
changzhou(config-crypto-map)#set tran set1
changzhou(config-crypto-map)#set peer 59.175.234.102
changzhou(config-crypto-map)#exit
changzhou(config)#int f0/1
changzhou(config-if)#crypto map towuhan
changzhou(config-if)#end
Feb  2 13:54:41.658: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is On




Test
changzhou#sh crypto isakmp sa
dst             src             state          conn-id slot status
59.19.111.34    59.175.234.102  QM_IDLE              1    0 ACTIVE

changzhou#sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 59.175.234.102 port 500
  IKE SA: local 59.19.111.34/500 remote 59.175.234.102/500 Active
  IPSEC FLOW: permit ip 172.19.129.0/255.255.255.0 172.19.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map



R1#ping 172.19.129.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 172.19.129.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 136/201/260 ms
PDF download link for this document:
