Requirement: PCA and PCB must be able to reach each other through an IPsec tunnel between the two routers. The PCs are represented by loopback interfaces on the routers, and the following conditions apply:
1. The configuration steps in this example use IKE main mode; aggressive mode is configured in the same way.
2. The authentication method is certificate authentication.
3. The certificates are imported into the routers offline.
1. MSR V7 configuration steps
1) Configure the PKI domain and PKI entity
pki domain test
ca identifier CA-SNC-Server
public-key rsa general name abc
undo crl check enable
#
pki entity test
common-name MSR26
Note: when certificates are imported offline, CRL checking must be disabled in the PKI domain.
2) Check the system time
17:50:52 UTC Wed 03/18/2015
Note: make sure the device's current system time falls within the certificate's validity period. A system time earlier or later than the validity period will cause the import to fail.
3) Import the CA certificate
[MSR26]pki import domain TEST der ca filename certnew.cer
The trusted CA's finger print is:
MD5 fingerprint:10EC 6850 8B5B 535E C105 5243 A26C 7809
SHA1 fingerprint:36C1 BBB2 5027 4FBE 2503 45CA 8B31 EE6E 8953 31B9
Is the finger print correct?(Y/N):y
[MSR26]
Use the dis pki certificate domain TEST ca command to view the certificate.
4) Import the local certificate
[MSR26]pki import domain TEST p12 local filename lns.pfx
Please input the password: //enter the certificate password
The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted.
Overwrite it? [Y/N]:y
The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
Please enter the key pair name[default name: test]: //enter the key pair name
abc
The local certificate in this example is a PKCS#12 file, which contains the local certificate (including its public key) together with the matching private key. The device therefore prompts for a name for this key pair; the name used here is abc.
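The two checks in steps 2 and 3, the validity window and the fingerprint confirmation, can be done off-box before the router is touched. The following Python is an added example, not part of this case and not H3C software: it reads the validity period out of a DER certificate with a minimal ASN.1 TLV reader and formats MD5 and SHA1 fingerprints the way the MSR prints them, so the value the router shows at "Is the finger print correct?" can be compared with a hash computed from the file the CA operator handed over. The certificate it runs on is a constructed skeleton (no real key or signature) standing in for certnew.cer; the function names and the CASE_CLOCK constant are this example's own.

```python
import hashlib
from datetime import datetime, timezone


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite-length header."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def utctime(dt: datetime) -> bytes:
    """DER UTCTime (tag 0x17), YYMMDDHHMMSSZ, the form most CA certificates use."""
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_cert(not_before: datetime, not_after: datetime) -> bytes:
    """Constructed stand-in for certnew.cer: an unsigned X.509 v3 skeleton whose
    tbsCertificate keeps the real field order up to Validity (hypothetical data)."""
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                        # [0] EXPLICIT version v3
        der(0x02, b"\x01"),                                   # serialNumber
        sha256_rsa,                                           # signature algorithm
        der(0x30, b""),                                       # issuer (empty Name here)
        der(0x30, utctime(not_before) + utctime(not_after)),  # validity
        der(0x30, b""),                                       # subject (empty Name here)
        der(0x30, b""),                                       # subjectPublicKeyInfo placeholder
    ]))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))   # + algorithm + empty BIT STRING


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                       # long form: next (first & 0x7F) bytes hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag: int, raw: bytes) -> datetime:
    """UTCTime (0x17) or GeneralizedTime (0x18) in Zulu form, century rule per RFC 5280."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(cert_der: bytes):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)         # [0] version, or serialNumber for a v1 cert
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)     # serialNumber
    _, _, pos = read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)         # issuer Name
    _, val, _ = read_tlv(tbs, pos)         # validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = read_tlv(val, 0)
    t2, na, _ = read_tlv(val, p)
    return parse_time(t1, nb), parse_time(t2, na)


def fingerprint(cert_der: bytes, algo: str) -> str:
    """Hash the whole DER blob and format it as the MSR prints it: uppercase hex in groups of four."""
    digest = hashlib.new(algo, cert_der, usedforsecurity=False).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def preimport_check(cert_der: bytes, system_time: datetime, expected=None) -> list:
    """List the problems that would make the import fail (clock outside the validity window)
    or that mean the file is not the one the CA operator published (fingerprint mismatch).
    `expected` maps 'md5' / 'sha1' to the fingerprint strings published by the CA operator."""
    problems = []
    not_before, not_after = validity(cert_der)
    if not not_before <= system_time <= not_after:
        problems.append(f"system time {system_time:%Y-%m-%d %H:%M:%S} is outside "
                        f"{not_before:%Y-%m-%d} .. {not_after:%Y-%m-%d}")
    for algo, published in (expected or {}).items():
        if fingerprint(cert_der, algo) != published:
            problems.append(f"{algo.upper()} fingerprint does not match the published value")
    return problems


# Constructed sample: one-year certificate, and the clock the case shows before import
# (17:50:52 UTC Wed 03/18/2015).
SAMPLE_CERT = build_sample_cert(datetime(2015, 1, 1, tzinfo=timezone.utc),
                                datetime(2016, 1, 1, tzinfo=timezone.utc))
CASE_CLOCK = datetime(2015, 3, 18, 17, 50, 52, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("MD5 fingerprint:", fingerprint(SAMPLE_CERT, "md5"))
    print("SHA1 fingerprint:", fingerprint(SAMPLE_CERT, "sha1"))
    print("problems:", preimport_check(SAMPLE_CERT, CASE_CLOCK))
```

To use it on a real file, read certnew.cer as bytes and pass the router's current clock; if the CA operator published the fingerprints out of band, pass them in `expected` so that answering "y" at the prompt rests on a comparison rather than on trust in the file transfer.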
5) Configure the IPsec traffic of interest
acl number 3000
rule 0 permit ip source 1.1.1.1 0 destination 2.2.2.2 0
6) Configure the certificate access control policy
pki certificate access-control-policy policy1
rule 1 permit group1
#
pki certificate attribute-group group1
attribute 1 subject-name dn ctn 1
Create the certificate attribute rule. The peer certificate is accepted as valid only if its subject-name DN contains (ctn) the string defined in the rule. The certificates used in this example have a subject-name DN containing the character "1", so the parameter ctn 1 is used here.
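Because CRL checking is disabled for the offline import, this policy is the only per-certificate filter the router applies beyond the signature and validity checks, so its rule has to be tight. The following Python is an added example, not part of the case and not H3C code: it models the subject-name and issuer-name DN forms of the attribute-group rule (all attributes in a group must match; policy rules are tried in order, and, as an assumption for this example, a certificate that matches no rule is rejected) and runs the case's policy1/group1 against the DN the IKE SA output shows plus two constructed DNs. It demonstrates that ctn 1 also admits any other certificate from the same CA whose DN happens to contain a "1", and shows a stricter group beside it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    """One 'attribute <id> <field> dn <op> <value>' line of a pki certificate attribute-group."""
    field: str   # "subject-name" or "issuer-name"
    op: str      # ctn | nctn | equ | nequ
    value: str


def dn_matches(op: str, dn: str, value: str) -> bool:
    """Substring (ctn/nctn) or whole-string (equ/nequ) comparison against the DN text."""
    if op == "ctn":
        return value in dn
    if op == "nctn":
        return value not in dn
    if op == "equ":
        return dn == value
    if op == "nequ":
        return dn != value
    raise ValueError(f"unknown operator {op}")


def group_matches(group: list, cert: dict) -> bool:
    """An attribute group matches only when every attribute in it matches (logical AND)."""
    return all(dn_matches(a.op, cert[a.field], a.value) for a in group)


def evaluate(policy: list, groups: dict, cert: dict) -> str:
    """Walk the access-control-policy rules in order; the first matching group decides.
    Assumption of this example: a certificate that matches no rule is denied."""
    for action, group_name in policy:
        if group_matches(groups[group_name], cert):
            return action
    return "deny"


# The case's configuration on the V7 MSR:
#   pki certificate attribute-group group1
#    attribute 1 subject-name dn ctn 1
#   pki certificate access-control-policy policy1
#    rule 1 permit group1
CASE_GROUPS = {"group1": [Attribute("subject-name", "ctn", "1")]}
CASE_POLICY = [("permit", "group1")]

# Constructed certificates. PEER carries the DN the case's IKE SA output shows; the
# other two are hypothetical certificates issued by the same CA (issuer DN is made up).
PEER = {"subject-name": "/C=CN/ST=1/L=1/O=1/OU=1/CN=1/emailAddress=1",
        "issuer-name": "/CN=CA-SNC-Server"}
OTHER_FROM_SAME_CA = {"subject-name": "/C=CN/O=Example/CN=branch-router-01",
                      "issuer-name": "/CN=CA-SNC-Server"}
UNRELATED = {"subject-name": "/C=CN/O=Example/CN=test",
             "issuer-name": "/CN=CA-SNC-Server"}

# Constructed tighter alternative: pin the issuer and require the exact peer DN.
STRICT_GROUPS = {"peer": [Attribute("issuer-name", "ctn", "CA-SNC-Server"),
                          Attribute("subject-name", "equ", PEER["subject-name"])]}
STRICT_POLICY = [("permit", "peer")]

if __name__ == "__main__":
    for name, cert in [("peer", PEER), ("other-same-ca", OTHER_FROM_SAME_CA), ("unrelated", UNRELATED)]:
        print(f"{name:14} case policy: {evaluate(CASE_POLICY, CASE_GROUPS, cert):6} "
              f"strict policy: {evaluate(STRICT_POLICY, STRICT_GROUPS, cert)}")
```

The DN strings are compared as the device renders them, so the substring for ctn must be written in that rendering; the V7 output above uses the slash-separated form.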
7) Configure the IKE proposal with certificate authentication
ike proposal 1
authentication-method rsa-signature
8) Configure the IKE profile
ike profile 1
certificate domain TEST
local-identity dn
match remote certificate policy1 //apply the certificate access control policy
proposal 1
9) Configure the transform set
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
10) Configure the IPsec policy
ipsec policy 1 1 isakmp
transform-set 1
security acl 3000
remote-address 12.0.0.2
ike-profile 1
11) Apply the IPsec policy to the interface
interface GigabitEthernet0/0
port link-mode route
ip address 12.0.0.1 255.255.255.0
ipsec apply policy 1
2. MSR V5 configuration steps
1) Configure the PKI entity and PKI domain
pki entity test
common-name MSR3020
#
pki domain test
ca identifier CA-SNC-Server
crl check disable
CRL checking must be disabled.
2) Check the system time
14:17:46 UTC Fri 03/20/2015
Note: make sure the device's current system time falls within the certificate's validity period. A system time earlier or later than the validity period will cause the import to fail.
3) Import the CA certificate
[H3C]pki import-certificate ca domain TEST der filename certnew.cer
The trusted CA's finger print is:
MD5 fingerprint:10EC 6850 8B5B 535E C105 5243 A26C 7809
SHA1 fingerprint:36C1 BBB2 5027 4FBE 2503 45CA 8B31 EE6E 8953 31B9
Is the finger print correct?(Y/N):y
[H3C]
Use the display pki certificate ca domain TEST command to confirm that the certificate has been imported.
4) Import the local certificate
[H3C]pki import-certificate local domain TEST p12 filename lns.pfx
Please input challenge password:
The trusted CA's finger print is:
MD5 fingerprint:10EC 6850 8B5B 535E C105 5243 A26C 7809
SHA1 fingerprint:36C1 BBB2 5027 4FBE 2503 45CA 8B31 EE6E 8953 31B9
Is the finger print correct?(Y/N):y
5) Configure the traffic of interest
acl number 3000
rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
6) Configure the IKE proposal with certificate authentication
ike proposal 1
authentication-method rsa-signature
7) Configure the IKE peer
ike peer 1
proposal 1
remote-address 12.0.0.1
certificate domain TEST
8) Configure the transform set
ipsec transform-set 1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
9) Configure the IPsec policy
ipsec policy 1 1 isakmp
security acl 3000
ike-peer 1
transform-set 1
10) Apply the IPsec policy to the interface
interface GigabitEthernet0/0
port link-mode route
ip address 12.0.0.2 255.255.255.0
ipsec policy 1
Configuration verification
1. MSR V7 configuration verification
1) View the IKE SA
-----------------------------------------------
Connection ID: 2
Outside VPN:
Inside VPN:
Profile: 1
Transmitting entity: Initiator
-----------------------------------------------
Local IP: 12.0.0.1
Local ID type: DER_ASN1_DN
Local ID: /C=CN/ST=1/L=1/O=1/OU=1/CN=1/emailAddress=1 //the local ID is the DN of the local certificate
Remote IP: 12.0.0.2
Remote ID type: DER_ASN1_DN
Remote ID: /C=CN/ST=1/L=1/O=1/OU=1/CN=1/emailAddress=1 //the remote ID is the DN of the peer's local certificate
Authentication-method: RSA-SIG //the authentication method is certificate authentication
Authentication-algorithm: SHA1
Encryption-algorithm: DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 86392
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
2) View the IPsec SA
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: 1
Sequence number: 1
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1443
Tunnel:
local address: 12.0.0.1
remote address: 12.0.0.2
Flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 2.2.2.2/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2040817517 (0x79a4676d)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3288
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: active
[Outbound ESP SAs]
SPI: 2000588214 (0x773e8db6)
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3288
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: active
2. MSR V5 configuration verification
1) View the IKE SA
---------------------------------------------
connection id: 136
vpn-instance:
transmitting entity: responder
---------------------------------------------
local ip: 12.0.0.2
local id type: DER_ASN1_DN
local id: emailAddress=1,CN=1,OU=1,O=1,L=1,ST=1,C=CN
remote ip: 12.0.0.1
remote id type: DER_ASN1_DN
remote id: emailAddress=1,CN=1,OU=1,O=1,L=1,ST=1,C=CN
authentication-method: RSA_SIG
authentication-algorithm: SHA
encryption-algorithm: DES_CBC
life duration(sec): 86400
remaining key duration(sec): 85875
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
2) View the IPsec SA
===============================
Interface: GigabitEthernet0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "1"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
PFS: N, DH group: none
tunnel:
local address: 12.0.0.2
remote address: 12.0.0.1
flow:
sour addr: 2.2.2.2/255.255.255.255 port: 0 protocol: IP
dest addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 0x773E8DB6(2000588214)
transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
in use setting: Tunnel
connection id: 39
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843198/3016
anti-replay detection: Enabled
anti-replay window size(counter based): 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 0x79A4676D(2040817517)
transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
in use setting: Tunnel
connection id: 40
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843198/3016
anti-replay detection: Enabled
anti-replay window size(counter based): 32
udp encapsulation used for nat traversal: N
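The V7 and V5 verification outputs above carry the same fields in slightly different spelling (RSA-SIG versus RSA_SIG, Group 1 versus GROUP1, Transform set versus transform). The following Python is an added example, not part of the case: it normalizes either format and checks what the verification sets out to confirm (certificate authentication, DN identities on both sides, main mode) and also flags the lab-grade algorithms visible in these outputs, DES-CBC and DH group 1 for IKE and 3DES with MD5 for ESP, which a production tunnel should replace with a stronger proposal. The sample text is copied from the outputs above with the inline annotations removed; the function names and the LEGACY table are the example's own.

```python
import re

# Sample lines copied from the case's verification output (inline "//" notes removed).
V7_IKE_SA = """\
Local IP: 12.0.0.1
Local ID type: DER_ASN1_DN
Local ID: /C=CN/ST=1/L=1/O=1/OU=1/CN=1/emailAddress=1
Remote IP: 12.0.0.2
Remote ID type: DER_ASN1_DN
Remote ID: /C=CN/ST=1/L=1/O=1/OU=1/CN=1/emailAddress=1
Authentication-method: RSA-SIG
Authentication-algorithm: SHA1
Encryption-algorithm: DES-CBC
Exchange-mode: Main
Diffie-Hellman group: Group 1
"""
V5_IKE_SA = """\
local ip: 12.0.0.2
local id type: DER_ASN1_DN
local id: emailAddress=1,CN=1,OU=1,O=1,L=1,ST=1,C=CN
remote id type: DER_ASN1_DN
authentication-method: RSA_SIG
authentication-algorithm: SHA
encryption-algorithm: DES_CBC
exchange-mode: MAIN
diffie-hellman group: GROUP1
"""
V7_IPSEC_SA = "Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5\nSA duration (kilobytes/sec): 1843200/3600\n"
V5_IPSEC_SA = "transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5\nin use setting: Tunnel\n"

# Algorithm names, in normalized form, that no longer meet current guidance.
LEGACY = {
    "encryption-algorithm": {"descbc", "3descbc", "3des"},
    "authentication-algorithm": {"md5", "sha", "sha1"},
    "diffie-hellman group": {"group1", "group2"},
}


def parse_kv(text: str) -> dict:
    """Turn 'Key: value' lines into {key.lower(): value}; '//' comments and separator lines dropped."""
    fields = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def norm(value: str) -> str:
    """Collapse spelling differences: 'RSA-SIG' / 'RSA_SIG' -> 'rsasig', 'Group 1' / 'GROUP1' -> 'group1'."""
    return re.sub(r"[\s_-]", "", value).lower()


def audit_ike_sa(text: str) -> dict:
    """Check one IKE SA (display ike sa verbose, V7 or V5 layout) for the case's intent
    and list the legacy algorithms it negotiated."""
    f = parse_kv(text)
    result = {
        "certificate_auth": norm(f.get("authentication-method", "")) == "rsasig",
        "dn_identities": f.get("local id type") == "DER_ASN1_DN"
                         and f.get("remote id type") == "DER_ASN1_DN",
        "main_mode": norm(f.get("exchange-mode", "")) == "main",
        "legacy": [],
    }
    for key, weak in LEGACY.items():
        if norm(f.get(key, "")) in weak:
            result["legacy"].append(f"{key}: {f[key]}")
    return result


def audit_ipsec_transform(text: str) -> list:
    """Return the ESP transform tokens (e.g. ESP-ENCRYPT-3DES-CBC) built on legacy algorithms."""
    f = parse_kv(text)
    transform = f.get("transform set") or f.get("transform") or ""
    legacy_algs = LEGACY["encryption-algorithm"] | LEGACY["authentication-algorithm"]
    # 'ESP-ENCRYPT-3DES-CBC'.split('-', 2)[-1] == '3DES-CBC'; 'ESP-AUTH-MD5' -> 'MD5'
    return [tok for tok in transform.split() if norm(tok.split("-", 2)[-1]) in legacy_algs]


if __name__ == "__main__":
    for label, ike, ipsec in [("V7", V7_IKE_SA, V7_IPSEC_SA), ("V5", V5_IKE_SA, V5_IPSEC_SA)]:
        print(label, audit_ike_sa(ike), audit_ipsec_transform(ipsec))
```

Feed it the full output of display ike sa verbose and display ipsec sa; the parser ignores the dashed separator lines and everything without a colon, so the text can be pasted as-is.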
1. Before importing a certificate, always check that the device time is within the certificate's validity period.
2. Import the CA certificate first, then the local certificate. The device uses the public key in the CA certificate to verify the signature on the local certificate and so confirm that the local certificate is genuine and valid.
3. Because the certificates are imported offline, the device cannot check the CRL, so CRL checking must be disabled in the PKI domain.
4. During certificate authentication, a V7 device checks not only the validity of the peer certificate but also the subject DN in the certificate, so a certificate access control policy must be configured.
5. When a V7 device uses certificate authentication with aggressive mode, configuring the local-identity command in the IKE profile makes it negotiate with an FQDN as the local ID, so local-identity must not be configured in that case.
6. An alternative offline import method: first configure the PKI domain and PKI entity attributes (the key algorithm in the PKI domain must be configured), then import the CA root certificate, then export the local certificate request string with pki request-certificate domain xx pkcs10, request the certificate from the CA server with that string, and import the issued certificate into the device.