Sunday, September 15, 2013

IOS IPsec VPN with certificate (CA) authentication




Lab objective:
Company A's site and Company B's site are connected by an IPsec VPN that authenticates the peers with certificates issued by a CA instead of pre-shared keys, which is what scales in a large, complex network.

Lab steps:
1)  Pre-configuration (as in the topology diagram)
2)  Synchronize the clocks of R1, R2 and R3 with NTP or by hand
3)  Configure R2 as the CA server
4)  R1 and R3 request certificates
5)  Configure the IPsec VPN between R1 and R3 with certificate (CA) authentication

1.  Pre-configuration
R1
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface FastEthernet0/0
 ip address 123.123.123.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 123.123.123.3

R2
interface FastEthernet0/0
 ip address 123.123.123.2 255.255.255.0
 no shutdown

R3
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
 no shutdown
interface FastEthernet0/0
 ip address 123.123.123.3 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 123.123.123.1

2.  Synchronize time with NTP
Certificate enrollment is sensitive to time: the CA stamps validity dates from its own clock, and a router whose clock falls outside those dates will reject the certificate. The CA server and its clients therefore have to agree on the time; NTP is used for that here.
R2 is the NTP server; R1 and R3 are NTP clients.

Set the time zone and the time on R2, the time source
CA(config)#clock timezone BJ 8
CA#clock set 15:44:00 nov 15 2011
CA#sh clock
15:44:02.227 BJ Tue Nov 15 2011

Configure the NTP server with authentication
CA(config)#ntp master
CA(config)#ntp trusted-key 1
CA(config)#ntp authenticate
CA(config)#ntp authentication-key 1 md5 cisco

Configure the NTP clients
R1 and R3 get the same NTP client configuration:
R1(config)#clock timezone BJ 8   (the time zone is not distributed by NTP, so it has to be set by hand)
R1#sh run | in ntp
ntp authentication-key 1 md5 05080F1C2243 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179866
ntp server 123.123.123.2
The key is stored as a type 7 string, which is reversible obfuscation rather than encryption, so treat the running configuration as if it contained the key in clear. The `ntp clock-period` line is written by IOS itself and is not typed in.
R1#sh ntp status
Clock is synchronized, stratum 9, reference is 123.123.123.2
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D26C9773.9787D0C0 (07:46:59.591 UTC Tue Nov 15 2011)
clock offset is -65.5990 msec, root delay is 36.12 msec
root dispersion is 92.76 msec, peer dispersion is 27.11 msec

R1#sh clock
15:53:42.006 BJ Tue Nov 15 2011

R3#sh ntp status
Clock is synchronized, stratum 9, reference is 123.123.123.2
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D26C98B9.B63D34A6 (07:52:25.711 UTC Tue Nov 15 2011)
clock offset is -21.8116 msec, root delay is 19.79 msec
root dispersion is 37.63 msec, peer dispersion is 15.78 msec

R3#sh clock
15:54:10.245 BJ Tue Nov 15 2011

OK, the clocks of R1 and R3 are now synchronized with the CA.
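What `ntp authentication-key 1 md5 cisco` actually puts on the wire, and how to read the `reference time` value printed above, as an added Python example (not part of the original lab): it decodes the 64-bit NTP timestamp R1 displayed and builds an NTPv4 client request carrying the key id plus the MD5 authenticator, which is the digest over the key followed by the 48-byte header. The key id, key and timestamp come from the configuration and output above; every other packet field is constructed here and zeroed as a real client request would have it.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# NTP timestamps count seconds since 1900-01-01; Unix time starts in 1970.
NTP_EPOCH_OFFSET = 2208988800
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def ntp_timestamp_to_datetime(hex_ts):
    """Decode a 64-bit NTP timestamp as IOS prints it, e.g. 'D26C9773.9787D0C0':
    32-bit seconds since 1900, then a 32-bit binary fraction of a second."""
    secs_hex, frac_hex = hex_ts.split(".")
    secs = int(secs_hex, 16)
    frac = int(frac_hex, 16) / 2**32
    return NTP_EPOCH + timedelta(seconds=secs + frac)


def build_client_request(key_id, key, transmit_time=None):
    """Build a 48-byte NTPv4 client packet and append the symmetric-key authenticator
    (4-byte key id + MD5(key || header)) that `ntp authenticate` relies on."""
    transmit_time = transmit_time or datetime.now(timezone.utc)
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # leap 0, version 4, mode 3 (client)
    secs = transmit_time.timestamp() + NTP_EPOCH_OFFSET
    tx_int = int(secs)
    tx_frac = int((secs - tx_int) * 2**32) & 0xFFFFFFFF
    header = struct.pack(
        "!BBBbII4sIIIIIIII",
        li_vn_mode, 0, 0, 0,      # stratum, poll and precision are zero in a client request
        0, 0, b"\0\0\0\0",        # root delay, root dispersion, reference id
        0, 0, 0, 0, 0, 0,         # reference, originate and receive timestamps
        tx_int, tx_frac,          # transmit timestamp
    )
    mac = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + mac


def verify_packet(packet, key):
    """Recompute the authenticator; False means a different key or a modified header."""
    header, mac = packet[:48], packet[52:68]
    return hashlib.md5(key + header).digest() == mac
```

The authenticator is a symmetric MAC, so it only proves that the sender knows the key; anyone holding `cisco` (which the type 7 string in the running configuration gives away) can forge time for the clients. `ntp authenticate` together with `ntp trusted-key` limits which servers a client accepts, nothing more; it does not hide the traffic and does not protect against a compromised key.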
3.  Configure R2 as the CA server

Enable the HTTP server on the CA; certificate enrollment (SCEP) runs over HTTP.
CA(config)#ip http server

Configure a domain name, which is needed when the RSA key pair is generated
CA(config)#ip domain-name cisco.com

Configure the certificate server: set the issuer name, then `no shutdown` to start it. You are prompted for a passphrase that protects the CA's private key.
CA(config)#crypto pki server CA
CA(cs-server)#issuer-name O=netconfed,CN=XX
CA(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: cisco123
Re-enter password: cisco123
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
CA(cs-server)#
Nov 15 08:01:33.055: %SSH-5-ENABLED: SSH 1.99 has been enabled
Nov 15 08:01:35.351: %PKI-6-CS_ENABLED: Certificate server now enabled.
OK! The IOS CA server is configured.
Note what the defaults gave us: a 1024-bit RSA key and a CA certificate signed with MD5 (the signature algorithm OID in the hex dump below is md5WithRSAEncryption). That is fine for a lab; for anything real, generate a 2048-bit key pair before `no shutdown` (`crypto key generate rsa label CA modulus 2048`, referenced by `rsakeypair CA`) and, on IOS releases that support it, set `hash sha256` under `crypto pki server CA` so the server signs with SHA-256.
`show run` now shows a lot of new lines:
crypto pki server CA
issuer-name O=netconfed,CN=XX
!
crypto pki trustpoint CA
revocation-check crl
rsakeypair CA
!
! trustpoint for the CA's own certificate, created automatically
crypto pki certificate chain CA
certificate ca 01
  3082021B 30820184 A0030201 02020101 300D06092A864886 F70D0101 04050030
  21310B30 09060355 04031302 58583112 3010060355040A13 096E6574 636F6E66
  6564301E 170D3131 31313135 30383031 33345A170D313431 31313430 38303133
  345A3021 310B3009 06035504 03130258 5831123010060355 040A1309 6E657463
  6F6E6665 6430819F 300D0609 2A864886 F70D010101050003 818D0030 81890281
  8100D564 B331AFB1 F2142C21 401873B3 19FBD18159E5ECAA 85C77B3F 4485D7FA
  8E6A1435 B413E2A6 5C10CCEF 88D1DA9A E07D2BD27DA77B78 0B988949 ACB8F93A
  58A22DC7 963CCCFA 7DC27926 D4390DAA 5276E19454ED516B B4C6B565 B5F5905E
  9E63223B 95C6622E 6099F847 8BB32C54 E561C88FB87E9055 3E79A6AD 2A13B38B
  18CB0203 010001A3 63306130 0F060355 1D130101FF040530 030101FF 300E0603
  551D0F01 01FF0404 03020186 301F0603 551D230418301680 1451CB4B 8A84A2E4
  91B22969 9416886C 1CB93722 E1301D06 03551D0E04160414 51CB4B8A 84A2E491
  B2296994 16886C1C B93722E1 300D0609 2A864886F70D0101 04050003 81810022
  523F9CA0 8631802F EC0F5817 463F4720 97D20C772260F6A5 65EF4B80 232F422A
  6A7CFE56 59EDC546 CBBB7181 D69BE4BA 23D0E5BBF0BFEE87 A0D701EC 103EF2D6
  B8C43F3F D0880801 53481D1F 736D6F5E C22DC7DD6E01E3B6 36B9FFDE 8213AED5
  7AB11D02 A2715435 75C76DD0 D01AF157 7DC99C490D8882F3 1EB301C5 66B1D0
  quit
This is the CA's self-signed certificate, serial number 01; it carries the CA's public key. The private key is never displayed and must be kept secret (it is protected by the passphrase entered above).
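To see what that hex actually says, here is an added Python example (not part of the original post) with a minimal DER walker that pulls the trust-relevant fields out of the CA certificate copied from the `show run` output: serial, issuer and subject, validity, key size, the basicConstraints and keyUsage extensions, the subject key identifier, the signature algorithm, and the MD5 and SHA-1 fingerprints that `crypto pki authenticate` later asks the routers to confirm. Only the standard library is used, and the OID table covers just the OIDs that occur in this certificate.

```python
import hashlib
from datetime import datetime, timezone

# The CA's self-signed certificate exactly as `show running-config` printed it on R2.
CA_CERT_HEX = """
3082021B 30820184 A0030201 02020101 300D06092A864886 F70D0101 04050030
21310B30 09060355 04031302 58583112 3010060355040A13 096E6574 636F6E66
6564301E 170D3131 31313135 30383031 33345A170D313431 31313430 38303133
345A3021 310B3009 06035504 03130258 5831123010060355 040A1309 6E657463
6F6E6665 6430819F 300D0609 2A864886 F70D010101050003 818D0030 81890281
8100D564 B331AFB1 F2142C21 401873B3 19FBD18159E5ECAA 85C77B3F 4485D7FA
8E6A1435 B413E2A6 5C10CCEF 88D1DA9A E07D2BD27DA77B78 0B988949 ACB8F93A
58A22DC7 963CCCFA 7DC27926 D4390DAA 5276E19454ED516B B4C6B565 B5F5905E
9E63223B 95C6622E 6099F847 8BB32C54 E561C88FB87E9055 3E79A6AD 2A13B38B
18CB0203 010001A3 63306130 0F060355 1D130101FF040530 030101FF 300E0603
551D0F01 01FF0404 03020186 301F0603 551D230418301680 1451CB4B 8A84A2E4
91B22969 9416886C 1CB93722 E1301D06 03551D0E04160414 51CB4B8A 84A2E491
B2296994 16886C1C B93722E1 300D0609 2A864886F70D0101 04050003 81810022
523F9CA0 8631802F EC0F5817 463F4720 97D20C772260F6A5 65EF4B80 232F422A
6A7CFE56 59EDC546 CBBB7181 D69BE4BA 23D0E5BBF0BFEE87 A0D701EC 103EF2D6
B8C43F3F D0880801 53481D1F 736D6F5E C22DC7DD6E01E3B6 36B9FFDE 8213AED5
7AB11D02 A2715435 75C76DD0 D01AF157 7DC99C490D8882F3 1EB301C5 66B1D0
"""

OID_NAMES = {                         # only the OIDs this certificate uses
    "2.5.4.3": "CN", "2.5.4.10": "O",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed element into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(b):
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                     # base-128 arcs, high bit set on all but the last byte
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)


def _name(value):
    """Name ::= SEQUENCE OF SET OF (type OID, value string), rendered as 'CN=XX,O=netconfed'."""
    parts = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, text) = _children(atv)
            parts.append(f"{_oid(oid)}={text.decode()}")
    return ",".join(parts)


def _utctime(value):
    return datetime.strptime(value.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_certificate(der):
    """Extract the fields that matter when deciding whether to trust a CA certificate."""
    _, cert, _ = _tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = _children(cert)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # explicit [0] version, present for v3 certificates
        fields = fields[1:]
    serial, _, issuer, validity, subject, spki = (v for _, v in fields[:6])
    (_, not_before), (_, not_after) = _children(validity)
    _, bits = _children(spki)[1]           # subjectPublicKey BIT STRING; bits[0] is the unused-bit count
    (_, modulus), _ = _children(_children(bits[1:])[0][1])   # RSAPublicKey { n, e }
    info = {
        "serial": int.from_bytes(serial, "big"),
        "signature_algorithm": _oid(_children(sig_alg)[0][1]),
        "issuer": _name(issuer), "subject": _name(subject),
        "not_before": _utctime(not_before), "not_after": _utctime(not_after),
        "key_bits": int.from_bytes(modulus, "big").bit_length(),
        "is_ca": False, "key_usage": [], "subject_key_id": None,
        "fingerprint_md5": hashlib.md5(der).hexdigest().upper(),
        "fingerprint_sha1": hashlib.sha1(der).hexdigest().upper(),
    }
    for tag, val in fields[6:]:
        if tag != 0xA3:                    # extensions live in the explicit [3] field
            continue
        for _, ext in _children(_children(val)[0][1]):
            kids = _children(ext)          # OID, optional BOOLEAN critical, OCTET STRING payload
            ext_oid, payload = _oid(kids[0][1]), kids[-1][1]
            if ext_oid == "2.5.29.19":     # basicConstraints: SEQUENCE { cA BOOLEAN, ... }
                info["is_ca"] = any(t == 0x01 and v == b"\xff"
                                    for t, v in _children(_children(payload)[0][1]))
            elif ext_oid == "2.5.29.15":   # keyUsage: BIT STRING, first data byte holds bits 0-7
                flags = _children(payload)[0][1][1]
                info["key_usage"] = [n for i, n in enumerate(KEY_USAGE_BITS) if flags & (0x80 >> i)]
            elif ext_oid == "2.5.29.14":   # subjectKeyIdentifier: OCTET STRING inside the payload
                info["subject_key_id"] = _children(payload)[0][1].hex().upper()
    return info


def ca_cert_info():
    return parse_certificate(bytes.fromhex("".join(CA_CERT_HEX.split())))
```

The parse makes explicit what the router output only hints at: version 3, CA:TRUE, keyUsage digitalSignature + keyCertSign + cRLSign, a 1024-bit key, and an md5WithRSAEncryption signature. The fingerprints are hashes over the DER bytes, which is what IOS hashes, so if the hex was copied faithfully they equal the values R1 displays when it authenticates the trustpoint; comparing those values out of band is the one manual step the whole chain of trust rests on.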

4.  R1 and R3 request certificates

R1
Configure the domain name and generate the RSA key pair
R1(config)#ip domain-name cisco.com
R1(config)#crypto key generate rsa
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
Nov 15 08:07:55.424: %SSH-5-ENABLED: SSH 1.99 has been enabled
Configure the CA's enrollment URL and related parameters, then authenticate the CA and request a certificate. Authenticating the CA first is what gives the certificate any meaning: a certificate is only worth as much as the trust in its issuer, just as a business licence or an ID card is only accepted because of who issued it. The trustpoint keeps its default `revocation-check crl`, so during IKE the router fetches the CA's CRL over HTTP before it accepts the peer's certificate; the CA therefore has to stay reachable from both routers.
For the theory behind certificates see http://www.netconfed.com/thread-1524-1-1.html.


R1(config)#crypto pki trustpoint CA
R1(ca-trustpoint)#enrollment url http://123.123.123.2:80
R1(ca-trustpoint)#exit
R1(config)#crypto pki authenticate CA
Certificate has the following attributes:
       Fingerprint MD5: 18949E51 8E49CDA3 5860D524 41E6BDDB
      Fingerprint SHA1: 6DFB280C 8BED16C3 EB21EBE6 E556535B 253369FB
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Before answering yes, compare these fingerprints with the ones the CA prints for its own certificate (`show crypto pki server` on R2). The certificate arrived over plain HTTP, and this comparison is the only thing that stops someone on the path from handing R1 a different CA.
OK! Trust is established. The root certificate is now present on R1:
R1#sh crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    o=netconfed
    cn=XX
  Subject:
    o=netconfed
    cn=XX
  Validity Date:
    start date: 16:01:34 BJ Nov 15 2011
    end  date: 16:01:34 BJ Nov 14 2014
  Associated Trustpoints: CA
Next, request the router's own certificate. When prompted for a challenge password, enter any password (six characters or so), then answer no, no, yes.
R1(config)#crypto pki enroll CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: R1.cisco.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CA verbose' command will show the fingerprint.
R1(config)#
Nov 15 08:21:48.218: CRYPTO_PKI:  Certificate Request Fingerprint MD5: F42D6B19 6ACC7738 E3E95FB9 BF6ABEA7
Nov 15 08:21:48.226: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 45683A56 923727C3 48D034F4 8FAE2B53 285F19E2
The request was sent. Many people get a "request rejected" message at this point; the usual causes are a misconfigured CA server or clocks that are not synchronized. Check both!

R1#sh crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    o=netconfed
    cn=XX
  Subject:
    o=netconfed
    cn=XX
  Validity Date:
    start date: 16:01:34 BJ Nov 15 2011
    end   date: 16:01:34 BJ Nov 14 2014
  Associated Trustpoints: CA


Certificate
  Subject:
    Name: R1.cisco.com
  Status: Pending   (waiting for the CA to issue the certificate)
  Key Usage: General Purpose
  Certificate Request Fingerprint MD5: F42D6B19 6ACC7738 E3E95FB9 BF6ABEA7
  Certificate Request Fingerprint SHA1: 45683A56 923727C3 48D034F4 8FAE2B53 285F19E2
  Associated Trustpoint: CA
Now go to the CA server and grant the submitted request.
CA#crypto pki server CA info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      pending    F42D6B196ACC7738E3E95FB9BF6ABEA7 hostname=R1.cisco.com
The request is listed with ReqID 1. Before granting it, compare the fingerprint in this table with the request fingerprint R1 printed (F42D6B19 6ACC7738 E3E95FB9 BF6ABEA7); only then do you know you are signing R1's key and not a request someone else submitted to the open enrollment URL.
Now grant it:
CA#crypto pki server CA grant 1
This issues the certificate for request ID 1.
CA#crypto pki server CA info requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      granted    F42D6B196ACC7738E3E95FB9BF6ABEA7 hostname=R1.cisco.com
Wait a moment, then check on R1 that the certificate has been received.
R1#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Issuer:
    o=netconfed
    cn=XX
  Subject:
    Name: R1.cisco.com
    hostname=R1.cisco.com
  Validity Date:
    start date: 16:47:53 BJ Nov 15 2011
    end   date: 16:47:53 BJ Nov 14 2012
  Associated Trustpoints: CA

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    o=netconfed
    cn=XX
  Subject:
    o=netconfed
    cn=XX
  Validity Date:
    start date: 16:01:34 BJ Nov 15 2011
    end   date: 16:01:34 BJ Nov 14 2014
  Associated Trustpoints: CA
OK, R1's certificate has been issued. Note that it is valid for one year (the certificate server's default `lifetime certificate`), against three years for the CA certificate; unless the trustpoint is configured with `auto-enroll`, the tunnel will stop coming up when the router certificate expires.
The enrollment steps on R3 are the same as on R1 and are omitted.
R3's certificates:
R3#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 03
  Certificate Usage: General Purpose
  Issuer:
    o=netconfed
    cn=XX
  Subject:
    Name: R3.cisco.com
    hostname=R3.cisco.com
  Validity Date:
    start date: 16:38:26 BJ Nov 15 2011
    end  date: 16:38:26 BJ Nov 14 2012
  Associated Trustpoints: CA
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    o=netconfed
    cn=XX
  Subject:
    o=netconfed
    cn=XX
  Validity Date:
    start date: 16:01:34 BJ Nov 15 2011
    end  date: 16:01:34 BJ Nov 14 2014
  Associated Trustpoints: CA
At this point R1 and R3 both hold certificates issued by the CA.
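Nobody watching more than a couple of routers reads `show crypto pki certificates` by eye, so here is an added Python example (not part of the original post) with a parser for that output that flags pending requests, certificates outside their validity window (the symptom of an unsynchronized clock), and certificates approaching expiry. The samples are R1's output from above, trimmed to the lines the parser reads, plus the pending block R1 showed before the grant; the `BJ` offset is taken from `clock timezone BJ 8`.

```python
import re
from datetime import datetime, timedelta, timezone

# R1's `show crypto pki certificates` after the grant (from the page, trimmed to the lines used here).
R1_OUTPUT = """
Certificate
  Status: Available
  Certificate Serial Number: 02
  Issuer:
    o=netconfed
    cn=XX
  Subject:
    Name: R1.cisco.com
    hostname=R1.cisco.com
  Validity Date:
    start date: 16:47:53 BJ Nov 15 2011
    end   date: 16:47:53 BJ Nov 14 2012
  Associated Trustpoints: CA

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Issuer:
    o=netconfed
    cn=XX
  Subject:
    o=netconfed
    cn=XX
  Validity Date:
    start date: 16:01:34 BJ Nov 15 2011
    end  date: 16:01:34 BJ Nov 14 2014
  Associated Trustpoints: CA
"""

# The router-certificate block R1 showed before the CA granted the request (from the page).
PENDING_OUTPUT = """
Certificate
  Subject:
    Name: R1.cisco.com
  Status: Pending
  Key Usage: General Purpose
  Associated Trustpoint: CA
"""

TZ_OFFSETS = {"BJ": 8, "UTC": 0}   # zone names from `clock timezone`; extend for other routers

_HEADER = re.compile(r"^(CA Certificate|Certificate)\s*$")
_FIELD = re.compile(r"^\s+(Status|Certificate Serial Number|start date|end\s+date):\s*(.+?)\s*$")
_NAME = re.compile(r"^\s+(?:Name:|hostname=|cn=)\s*(\S+)")


def _parse_date(text):
    """'16:47:53 BJ Nov 14 2012' -> aware datetime (IOS prints the zone name between time and date)."""
    clock, zone, rest = text.split(" ", 2)
    naive = datetime.strptime(f"{clock} {rest}", "%H:%M:%S %b %d %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))


def parse_show_certificates(output):
    certs, cur, in_subject = [], None, False
    for line in output.splitlines():
        m = _HEADER.match(line)
        if m:
            cur = {"type": m.group(1), "name": None, "serial": None,
                   "status": None, "start": None, "end": None}
            certs.append(cur)
            in_subject = False
            continue
        if cur is None:
            continue
        if line.strip() in ("Issuer:", "Subject:"):     # only take the name from the Subject block
            in_subject = line.strip() == "Subject:"
            continue
        m = _FIELD.match(line)
        if m:
            key, val = m.groups()
            if key == "Status":
                cur["status"] = val
            elif key.startswith("Certificate Serial"):
                cur["serial"] = int(val, 16)
            elif key.startswith("start"):
                cur["start"] = _parse_date(val)
            else:
                cur["end"] = _parse_date(val)
            continue
        m = _NAME.match(line)
        if m and in_subject and cur["name"] is None:
            cur["name"] = m.group(1)
    return certs


def certificate_problems(certs, now, warn_days=30):
    """(label, problem) for pending requests, certs outside their validity window, certs about to expire."""
    problems = []
    for c in certs:
        label = f"{c['type']} {c['name']}"
        if c["status"] != "Available":
            problems.append((label, f"status {c['status']}"))
        elif now < c["start"]:
            problems.append((label, "not yet valid (check the clock / NTP)"))
        elif now >= c["end"]:
            problems.append((label, "expired"))
        elif c["end"] - now < timedelta(days=warn_days):
            problems.append((label, f"expires in {(c['end'] - now).days} days"))
    return problems


def problems_at(iso_now, output=R1_OUTPUT, warn_days=30):
    """Run the check as of an ISO-8601 instant, e.g. '2012-11-01T00:00:00+00:00'."""
    return certificate_problems(parse_show_certificates(output), datetime.fromisoformat(iso_now), warn_days)
```

Run against R1's output with a date in early November 2012 it reports the router certificate as expiring in 13 days while the CA certificate is still fine, which is exactly the case `auto-enroll` exists for.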
5.  IPsec VPN configuration
With certificates, IKE authenticates the peers with RSA signatures. `authentication rsa-sig` is the IOS default for an ISAKMP policy, so it does not even appear in the configuration, and no pre-shared key is configured at all. During phase 1 each router sends its certificate and a signature made with its private key; the peer validates the certificate against the CA certificate held in trustpoint CA. (3DES, MD5 and DH group 2 are the lab settings used here; on current IOS prefer AES, SHA-256 and at least group 14.)
R1
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
!
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
!
crypto map VPN_MAP 1 ipsec-isakmp
 set peer 123.123.123.3
 set transform-set VPN_SET
 match address 100
interface FastEthernet0/0
 crypto map VPN_MAP
R3
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
!
crypto map VPN_MAP 1 ipsec-isakmp
 set peer 123.123.123.1
 set transform-set VPN_SET
 match address 100
!
interface FastEthernet0/0
 crypto map VPN_MAP
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Testing the IPsec VPN
R1
R1#ping 10.2.2.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
...!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
The first echoes of a fresh tunnel are dropped while IKE phase 1 (certificate exchange and signature verification) and phase 2 complete; the 3 "send errors" in the SA counters below are those packets.
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
123.123.123.3   123.123.123.1   QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: VPN_MAP, local addr 123.123.123.1
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 123.123.123.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0
     local crypto endpt.: 123.123.123.1, remote crypto endpt.: 123.123.123.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x7EB31A5F(2125666911)
     inbound esp sas:
      spi: 0x2F95033B(798294843)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4589808/3390)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x7EB31A5F(2125666911)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4589808/3389)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
R1#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
The authentication method shows as RSA signature even though the policy never states it: that is the default, and it is what makes the certificates matter.
R3
R3#ping 10.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/101/108 ms
R3#sh cry is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
123.123.123.3   123.123.123.1   QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#sh cry ip sa
interface: FastEthernet0/0
    Crypto map tag: VPN_MAP, local addr 123.123.123.3
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 123.123.123.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 123.123.123.3, remote crypto endpt.: 123.123.123.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x2F95033B(798294843)
     inbound esp sas:
      spi: 0x7EB31A5F(2125666911)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4406620/3164)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x2F95033B(798294843)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4406620/3163)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
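Comparing both ends of `show crypto ipsec sa` by eye is where mistakes creep in, so here is an added Python example (not from the original post) that parses excerpts of the R1 and R3 outputs above and confirms the two routers describe the same tunnel: each side's outbound SPI is the other side's inbound SPI, peer and local addresses mirror each other, the crypto ACLs are mirror images, the transforms match, and non-zero send errors are reported. The sample text is excerpted from the outputs above, keeping only the lines the parser reads.

```python
import re

# Excerpts of `show crypto ipsec sa` from R1 and R3 (from the page, only the lines used here).
R1_SA = """
interface: FastEthernet0/0
    Crypto map tag: VPN_MAP, local addr 123.123.123.1
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 123.123.123.3 port 500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #send errors 3, #recv errors 0
     current outbound spi: 0x7EB31A5F(2125666911)
     inbound esp sas:
      spi: 0x2F95033B(798294843)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x7EB31A5F(2125666911)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
"""

R3_SA = """
interface: FastEthernet0/0
    Crypto map tag: VPN_MAP, local addr 123.123.123.3
   local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 123.123.123.1 port 500
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #send errors 0, #recv errors 0
     current outbound spi: 0x2F95033B(798294843)
     inbound esp sas:
      spi: 0x7EB31A5F(2125666911)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x2F95033B(798294843)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Pull the tunnel identity and counters out of one router's `show crypto ipsec sa`."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text, re.M)
        return conv(m.group(1)) if m else None

    sa = {
        "local": grab(r"local addr\s*(\S+)"),
        "peer": grab(r"current_peer\s+(\S+)"),
        "local_net": grab(r"local\s+ident.*?:\s*\((\S+?)/"),
        "remote_net": grab(r"remote\s+ident.*?:\s*\((\S+?)/"),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "send_errors": grab(r"#send errors\s*(\d+)", int),
        "transform": grab(r"transform:\s*(.+?)\s*,"),
    }
    # The spi line directly under "inbound esp sas:" / "outbound esp sas:" names each direction's SA.
    for direction in ("inbound", "outbound"):
        m = re.search(direction + r" esp sas:\s*\n\s*spi:\s*(0x[0-9A-Fa-f]+)", text)
        sa[direction + "_spi"] = int(m.group(1), 16) if m else None
    return sa


def cross_check(a, b, names=("R1", "R3")):
    """Findings that mean the two ends are not describing one and the same tunnel, plus drop counters."""
    findings = []
    if a["outbound_spi"] != b["inbound_spi"] or a["inbound_spi"] != b["outbound_spi"]:
        findings.append("SPI mismatch: the two routers are not talking about the same SAs")
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        findings.append("peer/local addresses do not mirror each other")
    if (a["local_net"], a["remote_net"]) != (b["remote_net"], b["local_net"]):
        findings.append("crypto ACLs are not mirror images")
    if a["transform"] != b["transform"]:
        findings.append("transform sets differ")
    for name, sa in zip(names, (a, b)):
        if sa["send_errors"]:
            findings.append(f"{name}: {sa['send_errors']} send errors (packets dropped, e.g. while IKE was still negotiating)")
        if sa["encaps"] and not sa["decaps"]:
            findings.append(f"{name}: sending but never receiving, check the far side")
    return findings
```

For the outputs on this page the only finding is R1's three send errors from the first ping; the SPIs, addresses, ACLs and transforms all line up, which is the picture of a healthy tunnel.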
OK, done! This concludes the lab on IPsec VPN with CA certificate authentication.
