
MSR-G2 series routers: typical configuration for establishing IPsec with RSA signature authentication

Published 2013-07-22


I. Network requirements:

Establish an IPsec tunnel between Router1 and Router2 to protect the traffic between the subnet behind Router1 (1.1.1.1/32) and the subnet behind Router2 (3.3.3.3/32).

1. Router1 and Router2 set up the IPsec SA through IKE negotiation;
2. Both Router1 and Router2 use RSA digital-signature authentication;
3. The IKE phase-1 exchange mode is aggressive mode;
4. The CA server is built on Windows Server 2008.

Equipment: 2 MSR G2 routers

II. Network diagram:

Figure 1: Network diagram for MSR-G2 routers establishing IPsec with RSA signature authentication

III. Configuration steps:

Software version used: E0006P05

Router1 configuration:

// Loopback interface simulating an intranet user
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
// Apply the IPsec policy on Router1's GigabitEthernet0/0
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 100.1.1.1 255.255.255.0
 ipsec apply policy 123
#
// Static route with next hop 100.1.1.2
 ip route-static 2.2.2.2 32 100.1.1.2
#
// Security ACL defining the traffic to protect
acl number 3000
 rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
#
// PKI domain h3c; the CA server is at 100.1.1.253
pki domain h3c
 ca identifier ts-msr
 certificate request url http://100.1.1.253/certsrv/mscep/mscep.dll
 certificate request from ra
 certificate request entity h3c
 public-key rsa general name 123
 undo crl check enable
#
// PKI entity h3c
pki entity h3c
 common-name h3c
 country CN
#
// IPsec transform set: encryption algorithm 3des-cbc, authentication algorithm MD5
ipsec transform-set 123
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
// IPsec policy referencing the security ACL, the transform set and the IKE profile
ipsec policy 123 1 isakmp
 transform-set 123
 security acl 3000
 remote-address 100.1.1.2
 ike-profile 123
#
// IKE profile 123, using aggressive mode
ike profile 123
 certificate domain h3c
 exchange-mode aggressive
 local-identity fqdn Router1
 match remote identity fqdn R2
 proposal 123
#
// IKE proposal specifying digital-certificate (RSA signature) authentication
ike proposal 123
 authentication-method rsa-signature
 authentication-algorithm md5
#
return

// Certificate request procedure:
// Generate the local key pair
[Router1]public-key local create rsa name 123
The local key pair already exists.
Confirm to replace it? [Y/N]:y
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........++++++
.++++++
Create the key pair successfully.

// Retrieve the CA (root) certificate
[Router1]pki retrieve-certificate domain h3c ca
The trusted CA's finger print is:
    MD5  fingerprint:AD2B A928 850E BB26 1F56 6C98 12EB 97C0
    SHA1 fingerprint:34B7 0FAC 121B E7F2 CCFA 7042 A737 1668 400D 0E3E
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.

// Request the local certificate; password is the enrollment challenge password issued by the CA (BEDF2A91DED372FF)
[Router1]pki request-certificate domain h3c password 6054576C2575ED24
Start to request general certificate ...
Certificate requested successfully.

The challenge password is obtained as follows:

Log in to http://100.1.1.253/certsrv/mscep_admin

After entering the user name and password, the following page is displayed:

Figure 2

Router2 configuration:

#
// Loopback interface simulating an intranet user
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
// Apply the IPsec policy on interface GigabitEthernet0/0
interface GigabitEthernet0/0
 port link-mode route
 ip address 100.1.1.2 255.255.255.0
 ipsec apply policy 123
#
// Static route with next hop 100.1.1.1
 ip route-static 1.1.1.1 32 100.1.1.1
#
// Security ACL defining the traffic to protect
acl number 3000
 rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
#
// PKI domain h3c; the CA server is at 100.1.1.253
pki domain h3c
 ca identifier h3c
 certificate request url http://100.1.1.253/certsrv/mscep/mscep.dll
 certificate request from ra
 certificate request entity h3c
 public-key rsa general name 123
 undo crl check enable
#
// PKI entity h3c
pki entity h3c
 common-name h3c
 country CN
 organization-unit h3c
 organization H3C
#
// IPsec transform set: encryption algorithm 3des-cbc, authentication algorithm MD5
ipsec transform-set 123
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
// IPsec policy referencing the security ACL, the transform set and the IKE profile
ipsec policy 123 1 isakmp
 transform-set 123
 security acl 3000
 remote-address 100.1.1.1
 ike-profile 123
#
// IKE profile, using aggressive mode
ike profile 123
 exchange-mode aggressive
 local-identity fqdn R2
 match remote identity fqdn Router1
 proposal 123
#
// IKE proposal specifying certificate (RSA signature) authentication
ike proposal 123
 authentication-method rsa-signature
 authentication-algorithm md5
#

Certificate request procedure:

[R2]public-key local create rsa name 123     // generate the local key pair
The local key pair already exists.
Confirm to replace it? [Y/N]:y
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
......................................................................................++++++
................++++++
Create the key pair successfully.

// Retrieve the CA (root) certificate
[R2]pki retrieve-certificate domain h3c ca
The trusted CA's finger print is:
    MD5  fingerprint:AD2B A928 850E BB26 1F56 6C98 12EB 97C0
    SHA1 fingerprint:34B7 0FAC 121B E7F2 CCFA 7042 A737 1668 400D 0E3E
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.

// Request the local certificate
[R2]pki request-certificate domain h3c password 6A8C9FACB2CA3DCF
Start to request general certificate ...
Certificate requested successfully.
[R2]%Jun 20 10:33:28:748 2013 R2 PKI/5/REQUEST_CERT_SUCCESS: Request certificate of domain h3c successfully
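Both `pki retrieve-certificate domain h3c ca` sessions above (Router1 and R2) stop at "Is the finger print correct?". Answering Y without comparing pins whatever certificate the SCEP responder delivered, so the value to compare against must come from the CA certificate obtained out-of-band (for example exported from the CA's own console). The following Python script is an added example, not H3C code and not part of this page: it hashes a CA certificate obtained separately (DER, or PEM decoded by `pem_to_der`), renders the digests in the same four-hex-digit grouping the MSR prints, and compares them with what the router displayed. `SAMPLE_DER` is constructed stand-in bytes rather than a real certificate; `PRINTED_MD5` and `PRINTED_SHA1` are copied from the Router1 session; the function names are my own.

```python
import base64
import hashlib
import re

# Constructed stand-in for the DER bytes of a CA certificate fetched out-of-band
# (e.g. exported from the CA console). Not a real certificate.
SAMPLE_DER = bytes(range(256)) * 2

# Fingerprints as printed by the router during "pki retrieve-certificate"
# (copied from the Router1 session on this page).
PRINTED_MD5 = "AD2B A928 850E BB26 1F56 6C98 12EB 97C0"
PRINTED_SHA1 = "34B7 0FAC 121B E7F2 CCFA 7042 A737 1668 400D 0E3E"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate block to DER; raise if none is present."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM with 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def router_fingerprint(der: bytes, algorithm: str) -> str:
    """Hash the DER certificate and render the digest the way the MSR prints it:
    uppercase hex in space-separated groups of four characters."""
    if algorithm == "md5":
        digest = hashlib.md5(der).hexdigest()
    elif algorithm == "sha1":
        digest = hashlib.sha1(der).hexdigest()
    else:
        raise ValueError("the router prints only md5 and sha1 fingerprints")
    digest = digest.upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fingerprint: str) -> str:
    """Drop spacing, colons and case so differently formatted fingerprints compare equal."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def fingerprint_matches(der: bytes, printed_md5: str, printed_sha1: str) -> bool:
    """True only if BOTH digests the router printed match the certificate obtained
    out-of-band. Requiring both rather than MD5 alone is deliberate: MD5 is collision-prone."""
    return (normalize(router_fingerprint(der, "md5")) == normalize(printed_md5)
            and normalize(router_fingerprint(der, "sha1")) == normalize(printed_sha1))


def check_against_page_values(der: bytes = SAMPLE_DER) -> bool:
    """Compare a certificate against the fingerprints printed in the Router1 session."""
    return fingerprint_matches(der, PRINTED_MD5, PRINTED_SHA1)


if __name__ == "__main__":
    print("MD5 :", router_fingerprint(SAMPLE_DER, "md5"))
    print("SHA1:", router_fingerprint(SAMPLE_DER, "sha1"))
    print("matches router output:", check_against_page_values())
```

For a real check, replace `SAMPLE_DER` with the bytes of the exported CA certificate (`pem_to_der(open("ca.cer").read())` for a base64 export, or the raw file contents for a DER export) and only answer Y on the router when `fingerprint_matches` returns True for both digests.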

IV. Verifying the configuration

// View the CA certificate
[Router1]display pki certificate domain h3c ca
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            56:c3:98:36:bf:9d:45:a9:43:61:78:94:72:3a:ad:a6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=WIN-2VHX793UTF1-CA
        Validity
            Not Before: Dec 24 06:26:34 2012 GMT
            Not After : Dec 24 06:36:33 2017 GMT
        Subject: CN=WIN-2VHX793UTF1-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:66:32:0d:55:39:6e:93:4d:4a:46:1b:29:e1:
                    89:13:fe:58:d0:ac:50:2c:0c:af:7b:36:3e:bc:04:
                    7f:a5:de:da:97:52:b4:d7:23:6f:0a:e7:7e:66:b4:
                    fd:96:4a:68:3f:53:fe:46:bb:8c:0d:08:97:1d:00:
                    84:14:1b:a4:08:cf:eb:39:8c:c0:f5:3b:a6:fb:fe:
                    ab:10:47:36:cc:7b:75:e3:aa:3b:fb:38:cb:c0:bb:
                    1a:20:21:9f:01:ce:59:0d:3f:a8:91:46:bd:3f:bc:
                    ee:d3:23:7e:7b:8d:cd:ee:b4:79:d0:28:f0:58:3d:
                    73:ad:b1:e1:ff:60:8e:16:4e:b6:58:c8:67:60:56:
                    05:d6:b8:90:90:19:d4:41:cc:7a:12:81:16:4c:89:
                    89:d3:52:e9:52:ff:10:39:15:a1:c2:8d:e2:69:45:
                    a4:ba:e7:04:86:05:7c:c5:c0:f9:65:af:d0:e5:7c:
                    76:41:13:62:73:28:92:db:46:09:ec:64:d5:55:38:
                    0a:ba:3c:80:e6:0d:e9:4a:db:3f:f6:67:4b:be:40:
                    cf:29:eb:50:e1:63:f1:7c:d3:18:72:ce:9e:4f:a2:
                    f3:c4:a2:6e:da:67:02:d1:ff:1e:6e:7f:25:8f:f9:
                    56:31:c8:10:6b:98:6a:6a:8a:8c:3a:6e:a0:0f:67:
                    d3:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                A2:F1:E9:DE:21:48:C8:AA:C6:89:D8:3E:D8:24:9E:E6:40:99:7B:E6
            1.3.6.1.4.1.311.21.1:
                ...
    Signature Algorithm: sha1WithRSAEncryption
        72:ed:88:12:01:73:be:75:1f:00:d5:39:a8:9a:6d:f8:ed:ec:
        f5:5e:a9:12:2d:1a:9d:1e:cc:09:6a:55:86:99:fe:96:97:e3:
        97:4b:11:ac:34:e2:70:25:27:7c:eb:05:3a:6c:9c:c5:7d:46:
        46:8f:00:05:29:40:e1:36:06:b0:e4:68:6d:74:fe:5f:60:7c:
        d1:73:8f:37:0e:11:72:cf:6c:af:ff:63:6c:94:cf:d1:cd:65:
        a1:f2:52:65:3e:b1:a4:38:68:eb:2a:06:cc:5d:35:4e:4f:1b:
        df:b6:03:ff:0e:cd:e3:3f:6a:b2:ab:d0:1e:4c:72:7c:e8:1c:
        9d:bc:fa:3a:05:b8:71:bf:15:6f:34:ba:b6:2f:14:a1:76:e8:
        2f:af:9c:1f:70:35:80:4b:44:3e:75:85:e8:8d:8e:4f:01:2e:
        7b:48:11:3e:20:74:54:0c:27:0d:80:73:dd:16:e9:5f:a7:1e:
        e3:93:39:f1:ec:46:4c:df:56:f2:4b:c7:45:71:4f:4e:3f:94:
        68:3c:cb:f0:d8:04:d7:16:3c:b2:bf:07:db:b0:5b:1f:33:c3:
        fc:53:5e:aa:04:27:9c:2f:4e:aa:3a:25:c0:f6:00:75:ee:2b:
        b0:7a:a8:e9:5f:c0:b7:90:d5:80:e4:16:9a:86:1a:57:9d:cb:
        08:ac:cb:50

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:70:75:6d:00:00:00:00:00:27
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=WIN-2VHX793UTF1-CA
        Validity
            Not Before: Jun 17 05:53:07 2013 GMT
            Not After : Jun 17 06:03:07 2014 GMT
        Subject: C=CN, O=H3C, CN=8048TEST-2008Server-RA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
......   // certificate output truncated

// View the local certificate
[Router1]display pki certificate domain h3c local
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:5c:c1:1e:00:00:00:00:00:2a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=WIN-2VHX793UTF1-CA
        Validity
            Not Before: Jun 20 02:03:18 2013 GMT
            Not After : Jun 20 02:13:18 2014 GMT
        Subject: unstructuredAddress=100.1.1.1, C=CN, CN=h3c
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bd:61:46:6c:1a:44:cc:97:27:a3:77:b1:cc:ec:
                    22:29:e1:65:c3:4e:d4:4d:96:d0:ca:76:bd:4f:8f:
                    52:69:33:9d:ea:5e:f3:4d:65:9a:bb:a4:4c:02:a2:
                    0f:c4:b0:64:34:e1:79:ad:4b:2d:93:1a:f8:8d:c9:
                    5a:92:3e:80:96:b4:8a:c4:f4:3c:fa:7f:f3:88:0d:
                    24:0e:6e:b8:ef:53:d2:63:9d:31:f8:09:8e:1a:ae:
                    4a:e1:60:63:36:8a:a0:0c:8b:46:fb:2b:53:67:87:
                    29:20:b7:45:a0:19:00:a0:91:52:21:55:0d:51:41:
                    17:f2:6c:92:56:fe:5f:66:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                IP Address:100.1.1.1
            X509v3 Subject Key Identifier:
                8F:F9:E7:57:94:F3:A6:FA:78:A9:2E:72:F7:BD:8E:E2:87:13:03:EB
            X509v3 Authority Key Identifier:
......   // certificate output truncated

<Router1>ping -a 1.1.1.1 2.2.2.2
Ping 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes, press escape sequence to break
Request time out                 // the first packet is dropped while it triggers IKE negotiation
56 bytes from 2.2.2.2: icmp_seq=1 ttl=255 time=0.438 ms
56 bytes from 2.2.2.2: icmp_seq=2 ttl=255 time=0.238 ms
56 bytes from 2.2.2.2: icmp_seq=3 ttl=255 time=0.218 ms
56 bytes from 2.2.2.2: icmp_seq=4 ttl=255 time=0.252 ms

<Router1>display ike  sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    3               100.1.1.2             RD           IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING

<Router1>display ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------

  -----------------------------
  IPsec policy: 123
  Sequence number: 1
  Mode: isakmp
  -----------------------------
    Tunnel id: 0
    Encapsulation mode: tunnel
    Perfect forward secrecy:
    Path MTU: 1443
    Tunnel:
        local  address: 100.1.1.1
        remote address: 100.1.1.2
    Flow:
    sour addr: 1.1.1.1/255.255.255.255  port: 0  protocol: ip
    dest addr: 2.2.2.2/255.255.255.255  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 3563806421 (0xd46b5ed5)
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3582
      Max received sequence-number: 4
      Anti-replay check enable: Y
      Anti-replay window size: 64
      UDP encapsulation used for nat traversal: N
      Status: active

    [Outbound ESP SAs]
      SPI: 3208384833 (0xbf3c1141)
      Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843199/3582
      Max sent sequence-number: 4
      UDP encapsulation used for nat traversal: N
      Status: active

V. Key configuration points:

1. Make sure the two routers that establish the IPsec tunnel and the CA server can reach each other;
2. Generate the local key pair (public-key local create rsa) before requesting the local certificate;
3. Requesting the local certificate requires the challenge password, which is obtained by accessing the CA server over the web;
4. An IPsec transform set (ipsec transform-set) has no default encryption or authentication algorithm; both must be configured explicitly.
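Key point 4 is easy to miss in a long configuration: the CLI accepts an empty transform set, so nothing flags the omission until negotiation fails. The following Python script is an added example, not H3C code and not part of this page. It splits a Comware-style configuration into blocks and reports transform sets without explicit ESP algorithms, ISAKMP policies missing one of the four references used in this case (transform-set, security acl, remote-address, ike-profile), PKI domains with `undo crl check enable` (with CRL checking off, a revoked peer certificate would still be accepted), and the 3DES/MD5 algorithms this case uses, which are no longer considered strong. `SAMPLE_CONFIG` is a constructed input with a placeholder CA host; `parse_blocks`, `audit_ipsec_config` and the constants are my own names.

```python
import re
from typing import List, Tuple

# Constructed sample configuration (not the page's): transform set 123 is complete,
# transform set 456 was created but never given ESP algorithms, and the PKI domain
# has CRL checking switched off as in the page's configuration.
SAMPLE_CONFIG = """\
pki domain h3c
 ca identifier ts-msr
 certificate request url http://ca.example.invalid/certsrv/mscep/mscep.dll
 undo crl check enable
#
ipsec transform-set 123
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec transform-set 456
#
ipsec policy 123 1 isakmp
 transform-set 456
 security acl 3000
 remote-address 100.1.1.2
 ike-profile 123
#
"""

# Algorithms the platform accepts but that should not be chosen for new deployments.
WEAK_ALGORITHMS = {"des-cbc", "3des-cbc", "md5"}

# Sub-commands every ISAKMP-mode IPsec policy in this design must carry.
POLICY_REQUIRED = ("transform-set", "security acl", "remote-address", "ike-profile")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a Comware-style configuration into (header, sub-commands) blocks.

    A line starting at column 0 opens a block, indented lines belong to the open
    block, a bare '#' closes it and '//' comment lines are skipped. Indented lines
    with no open block (e.g. a stand-alone ' ip route-static ...') are ignored."""
    blocks: List[Tuple[str, List[str]]] = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("//"):
            continue
        if line == "#":
            if current is not None:
                blocks.append(current)
            current = None
        elif line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            if current is not None:
                blocks.append(current)
            current = (line, [])
    if current is not None:
        blocks.append(current)
    return blocks


def audit_ipsec_config(config: str) -> List[str]:
    """Return human-readable findings for the IPsec, IKE and PKI blocks of a configuration."""
    findings: List[str] = []
    for header, body in parse_blocks(config):
        words = header.split()
        if words[:2] == ["ipsec", "transform-set"]:
            name = words[2]
            has_enc = any(sub.startswith("esp encryption-algorithm") for sub in body)
            has_auth = any(sub.startswith("esp authentication-algorithm") for sub in body)
            if not (has_enc and has_auth):
                findings.append(f"transform-set {name}: no default ESP algorithms exist, "
                                "set esp encryption-algorithm and esp authentication-algorithm explicitly")
            for sub in body:
                alg = sub.split()[-1]
                if alg in WEAK_ALGORITHMS:
                    findings.append(f"transform-set {name}: weak algorithm {alg}")
        elif words[:2] == ["ike", "proposal"]:
            for sub in body:
                alg = sub.split()[-1]
                if alg in WEAK_ALGORITHMS:
                    findings.append(f"ike proposal {words[2]}: weak algorithm {alg}")
        elif words[:2] == ["ipsec", "policy"] and "isakmp" in words:
            name, seq = words[2], words[3]
            for required in POLICY_REQUIRED:
                if not any(sub.startswith(required) for sub in body):
                    findings.append(f"policy {name} {seq}: missing '{required}'")
        elif words[:2] == ["pki", "domain"]:
            if "undo crl check enable" in body:
                findings.append(f"pki domain {words[2]}: CRL checking disabled, "
                                "a revoked peer certificate would still be accepted")
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `display current-configuration` saved to a file; the `//` comments used in this case are skipped by the parser, so the Router1 and Router2 sections above can be fed in as they stand.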

 


The author revised this case on 2019-06-08.