On site, IPsec in SM (国密) main mode with digital-envelope authentication is used to connect to each branch.
Can't match an available PKI domain.
1. The IPsec tunnel cannot be established; dis ike sa shows the SA state as Unknown.
<H3C>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
259 1.1.1.1/500 Unknown IPsec
250 1.1.1.2/500 Unknown IPsec
247 1.1.1.3/500 Unknown IPsec
240 1.1.1.4/500 Unknown IPsec
249 1.1.1.5/500 Unknown IPsec
261 1.1.1.6/500 Unknown IPsec
1.
2.
<H3C>debug ike all remote-address 1.1.1.5
This command is CPU intensive and might affect ongoing services. Are you sure you want to continue? [Y/N]:y
<H3C>t d
<H3C>t m
<H3C>rest ike sa
<H3C>
*Aug 3 18:38:37:380 2022 H3C IKE/7/ERROR: -COntext=1; vrf = 0, local = 2.2.2.2, remote = 1.1.1.5/500
Can't match an available PKI domain.
3.
4.
5.
#
pki domain pki1
certificate request entity entity1
public-key sm2 signature name test1cer encryption name test1pfx
pkcs7-encryption-algorithm sm4-cbc
crl url ldap://x.x.x.x
revocation-check method crl none
crl update-period 720
#
pki entity entity1
common-name xxxxx
organization-unit xxxxxx
organization xxxxx
#
6.
Aug 4 18:07:34:228 2022 H3C IKE/7/ERROR: -COntext=1; vrf = 0, local = 2.2.2.2, remote = 1.1.1.5/500
Can't match an available PKI domain.
7.
#
pki domain pki1
certificate request entity entity1
public-key sm2 signature name realcer encryption name realpfx
pkcs7-encryption-algorithm sm4-cbc
crl url ldap://x.x.x.x
revocation-check method crl none
crl update-period 720
#
8.
<H3C>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
6961 1.1.1.2/500 RD IPsec
6962 1.1.1.3/500 RD IPsec
6960 1.1.1.5/500 RD IPsec
6963 1.1.1.4/500 RD IPsec
6966 1.1.1.6/500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<H3C>
<H3C>dis ipsec sa is also normal.
1. Change the pki entity configuration so that its O, OU and CN match the certificate that was actually imported.
2. In the pki domain, the key-pair names in public-key sm2 signature name xxxxx encryption name xxxxxx must match the names under which the certificates were actually imported.
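The two checks above can be automated before resetting the IKE SAs. The following script is an added example, not code from the original case or from H3C: it parses the pki domain / pki entity blocks from a configuration dump, parses the certificate subject as printed by `openssl x509 -noout -subject`, and reports every field that would make the device answer "Can't match an available PKI domain." The configuration text, the subject line, the imported certificate names and the DN values (branch-hq, network, example) are all constructed for the example; they are not the real values from the case.

```python
"""Check an H3C pki domain/entity configuration against the imported certificate.

Added example (not from the original case). Two conditions are verified:
  1. the key-pair names in `public-key sm2 signature name ... encryption name ...`
     equal the names the certificates were imported under;
  2. common-name / organization-unit / organization of the referenced pki entity
     equal CN / OU / O of the certificate subject.
"""
import re

# Constructed sample: the mismatching configuration (mirrors step 5 of the case).
SAMPLE_CONFIG_BEFORE = """\
#
pki domain pki1
 certificate request entity entity1
 public-key sm2 signature name test1cer encryption name test1pfx
 pkcs7-encryption-algorithm sm4-cbc
 revocation-check method crl none
#
pki entity entity1
 common-name test-fw
 organization-unit lab
 organization testcorp
#
"""

# Constructed sample: the corrected configuration (mirrors step 7 of the case).
SAMPLE_CONFIG_AFTER = """\
#
pki domain pki1
 certificate request entity entity1
 public-key sm2 signature name realcer encryption name realpfx
 pkcs7-encryption-algorithm sm4-cbc
 revocation-check method crl none
#
pki entity entity1
 common-name branch-hq
 organization-unit network
 organization example
#
"""

# Constructed: subject line as printed by `openssl x509 -noout -subject` for the
# imported local certificate, and the names the two certificates were imported under.
SAMPLE_SUBJECT = "subject=C = CN, O = example, OU = network, CN = branch-hq"
SAMPLE_IMPORTED = {"signature": "realcer", "encryption": "realpfx"}

# pki entity keyword -> subject attribute it must match
ENTITY_TO_DN = {"common-name": "CN", "organization-unit": "OU", "organization": "O"}


def parse_config(text):
    """Return ({domain: fields}, {entity: fields}) from a Comware-style dump."""
    domains, entities, current = {}, {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s == "#":          # '#' terminates a view in the dump
            current = None
            continue
        if m := re.match(r"pki domain (\S+)$", s):
            current = domains.setdefault(m.group(1), {})
        elif m := re.match(r"pki entity (\S+)$", s):
            current = entities.setdefault(m.group(1), {})
        elif current is None:
            continue
        elif m := re.match(r"certificate request entity (\S+)$", s):
            current["entity"] = m.group(1)
        elif m := re.match(r"public-key sm2 signature name (\S+) encryption name (\S+)$", s):
            current["signature"], current["encryption"] = m.groups()
        elif m := re.match(r"(common-name|organization-unit|organization) (.+)$", s):
            current[m.group(1)] = m.group(2).strip()
    return domains, entities


def parse_subject(line):
    """Parse `subject=C = CN, O = x, ...` into {'C': 'CN', 'O': 'x', ...}.

    Values containing an unescaped comma are not handled; use -nameopt RFC2253 then.
    """
    body = line.split("=", 1)[1] if line.startswith("subject=") else line
    dn = {}
    for part in body.split(","):
        key, _, value = part.partition("=")
        dn[key.strip()] = value.strip()
    return dn


def check_domain(domains, entities, domain_name, subject_dn, imported):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    problems = []
    dom = domains.get(domain_name)
    if dom is None:
        return [f"pki domain {domain_name!r} not found"]
    for role in ("signature", "encryption"):
        if dom.get(role) != imported.get(role):
            problems.append(f"{role} key-pair name {dom.get(role)!r} != imported name {imported.get(role)!r}")
    ent = entities.get(dom.get("entity"))
    if ent is None:
        return problems + [f"pki entity {dom.get('entity')!r} referenced by the domain is not defined"]
    for cfg_key, dn_key in ENTITY_TO_DN.items():
        if ent.get(cfg_key) != subject_dn.get(dn_key):
            problems.append(f"{cfg_key} {ent.get(cfg_key)!r} != certificate {dn_key} {subject_dn.get(dn_key)!r}")
    return problems


def run_check(config_text, subject_line=SAMPLE_SUBJECT, imported=SAMPLE_IMPORTED, domain="pki1"):
    """Convenience wrapper: parse everything and return the problem list."""
    domains, entities = parse_config(config_text)
    return check_domain(domains, entities, domain, parse_subject(subject_line), imported)


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG_BEFORE), ("after", SAMPLE_CONFIG_AFTER)):
        problems = run_check(cfg)
        print(f"[{label}] " + ("\n  ".join(["mismatches:"] + problems) if problems else "OK: config matches certificate"))
```

Run it against the real `display current-configuration` output and the subject of the imported local certificate; every line it prints is a field that must be edited in the pki entity or pki domain before `reset ike sa` is worth trying again.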
Could I ask: when applying for an SM (国密) certificate, the firewall provides a PKCS#10 request to the CA, and the CA then returns two certificates, a CA certificate and a local certificate. Is that the process?
Yes. Import both into the device when you receive them, the CA certificate first. Doing it through the web UI is recommended; it is simpler.