PDF version of this article: http://218.94.26.146/cisco/docs/ca_vpn.zip
or http://www.itany.com/cisco/docs/ca_vpn.zip
The network topology is shown below:
The three routers in the figure are interconnected with a plain RIPv2 setup. Note that the 10.x networks behind the two 26xx routers are not advertised in RIP; they are reached through the static routes and the IPsec tunnel configured below.
c2620-1(config)#router rip
c2620-1(config-router)#netw 173.16.0.0
c2620-1(config-router)#ver 2
c2620-1(config-router)#no au
c2500(config)#router rip
c2500(config-router)#netw 173.16.0.0
c2500(config-router)#netw 10.0.0.0
c2500(config-router)#ver 2
c2500(config-router)#no au
c2620-2(config)#router rip
c2620-2(config-router)#netw 173.16.0.0
c2620-2(config-router)#ver 2
c2620-2(config-router)#no au
On each 26xx router add a static route to the 10.x network behind the other one. The assumption is that traffic between these two networks must be protected and carried over an IPsec tunnel between the two routers.
c2620-1(config)#ip route 10.2.2.0 255.255.255.0 s0/0
c2620-2(config)#ip route 10.1.1.0 255.255.255.0 s0/0
Check the IOS version on the two 26xx routers:
c2620-1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S-M), Version 12.2(29), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 11-May-05 17:27 by kellmill
Image text-base: 0x8000808C, data-base: 0x812D1734
c2620-2#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(12a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 13-Jan-05 18:06 by kellythw
Image text-base: 0x80008098, data-base: 0x819FA39C
2620-1 runs 12.2 and 2620-2 runs 12.3 (both images carry the k9 designator, i.e. the crypto feature set with 3DES). In a real deployment use the same IOS version on both routers, 12.3 or later with a crypto feature set. Here 2620-1 has only 48 MB of RAM and cannot run a newer image.
Configuration of router 2620-1:
1. First set the clock, hostname and domain name; all three are required for CA enrollment. The hostname and domain name form the RSA key name and the certificate subject (c2620-1.itany.com), and the clock is used to check certificate validity dates and the one-time enrollment password. A clock set by hand is not saved across a reload; in a real deployment use NTP so both routers and the CA agree on the time.
c2620-1#clock set 9:51:00 1 aug 2005
c2620-1#conf t
c2620-1(config)#hostname c2620-1
c2620-1(config)#ip domain-name itany.com
2. Generate the RSA key pair (named after the hostname and domain name from step 1; a 1024-bit modulus is chosen instead of the 512-bit default).
c2620-1(config)#crypto key generate rsa
The name for the keys will be: c2620-1.itany.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
View the public key. The generation timestamp below (Mar 1 1993) is the IOS default clock, i.e. this pair was generated while the clock was still unset; it does not affect the key itself, but an unset clock would make the certificate validity check fail during IKE:
c2620-1#sh crypto key mypubkey rsa
% Key pair was generated at: 00:27:55 UTC Mar 1 1993
Key name: c2620-1.itany.com
Usage: General Purpose Key
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C052D9
F365333E 4192C916 10EE40ED F970F2C4 B55DCDD0 4C8CE845 055646C6 B166502C
26A6172F 5E43B544 A0CD6FF0 75862CDD D0238A5F 909742F9 CD421F3E 6111AD6C
DCD00BC2 4B73DB38 860CE255 8190090F 7DD2B267 3D48135C A2E48749 6FD5AB29
BFDE287D B0756B7D CFCF9BA6 03EAF01D 3CC65B4C 71CF96F2 17D441DF DB020301 0001
% Key pair was generated at: 00:28:01 UTC Mar 1 1993
Key name: c2620-1.itany.com.server
Usage: Encryption Key
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AAC8FA F73B8F60
BE1DED99 D7794863 92D568EB 45F0965C 07B92E02 4AEE3DBD 02DC0341 523ED77E
292B8BD7 F0E25ED4 C1E57AA5 15B1F3F4 603CAED9 11B61E09 1046EEBF 34498811
10B53CBE 1203F509 8ED76721 BF8D7B89 E0F9042E FE6B069E F7020301 0001
3. Configure CA enrollment.
Define a host entry for the CA; this is equivalent to a static DNS entry (the SCEP URL below refers to the CA by name).
c2620-1(config)#ip host cisco-vpc 10.10.5.91
Configure the enrollment parameters (in IOS 12.3 this command is crypto ca trustpoint, as in the 2620-2 configuration later in this article). enrollment mode ra is needed because Microsoft's SCEP add-on (mscep.dll) acts as a registration authority in front of the CA.
c2620-1(config)#crypto ca identity ccsp-lab-vpc
c2620-1(ca-identity)#enrollment mode ra
c2620-1(ca-identity)#enrollment url http://cisco-vpc/certsrv/mscep/mscep.dll
c2620-1(ca-identity)#exit
Fetch the CA root certificate. Before answering yes, compare the fingerprint shown with the one obtained from the CA administrator out of band (the fingerprint of the CA certificate on the server itself): this prompt is the only point at which a wrong or rogue CA would be detected, and everything that follows trusts this certificate.
c2620-1(config)#crypto ca authenticate ccsp-lab-vpc
Certificate has the following attributes:
Fingerprint: CA28A34E CDB30B87 D28F106D 18C37F88
% Do you accept this certificate? [yes/no]: yes
View the root certificate. The two RA certificates belong to the SCEP registration authority (mscep.dll); the third entry is the CA certificate itself:
c2620-1#sh crypto ca certificates
RA Signature Certificate
Status: Available
Certificate Serial Number: 113B85F5000000000002
Key Usage: Signature
Issuer:
CN = clab.com
Subject:
EA = wanglinlin@itany.com
CN = itany
OU = tech
O = itany
L = NJ
ST = JS
C = CN
CRL Distribution Point:
http://cisco-vpc/CertEnroll/clab.com.crl
Validity Date:
start date: 09:09:46 UTC Jul 29 2005
end date: 09:19:46 UTC Jul 29 2006
Associated Identity: ccsp-lab-vpc
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 113B8790000000000003
Key Usage: Encryption
Issuer:
CN = clab.com
Subject:
EA = wanglinlin@itany.com
CN = itany
OU = tech
O = itany
L = NJ
ST = JS
C = CN
CRL Distribution Point:
http://cisco-vpc/CertEnroll/clab.com.crl
Validity Date:
start date: 09:09:47 UTC Jul 29 2005
end date: 09:19:47 UTC Jul 29 2006
Associated Identity: ccsp-lab-vpc
CA Certificate
Status: Available
Certificate Serial Number: 66BEBEDFD7DF188C4B7FC031CDA61940
Key Usage: Signature
Issuer:
CN = clab.com
Subject:
CN = clab.com
CRL Distribution Point:
http://cisco-vpc/CertEnroll/clab.com.crl
Validity Date:
start date: 15:30:35 UTC Jul 2 2005
end date: 15:38:16 UTC Jul 2 2007
Associated Identity: ccsp-lab-vpc
Submit the enrollment request to the CA
c2620-1(config)#crypto ca enroll ccsp-lab-vpc
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
(This password matters. Its full name is the "enrollment challenge password" and it is issued by the CA. To obtain it, use a PC that can reach the CA and browse to http://cisco-vpc/certsrv/mscep/mscep.dll; the CA returns a dialog (see the figure below) asking for a user name and password, and a valid Windows user account on the CA server is all that is needed.)
Once the user name and password are accepted, the CA displays the password. It is a one-time password (OTP) valid for 60 minutes, so the browser step and the crypto ca enroll command have to happen within that window. Paste it at the Password prompt above to complete the enrollment.
% The subject name in the certificate will be: c2620-1.itany.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
Check the certificate status
c2620-1#sh crypto ca certificates
(RA Signature, RA KeyEncipher and CA certificates: unchanged from the previous output)
Certificate
Subject Name Contains:
Name: c2620-1.itany.com
Status: Pending
Key Usage: General Purpose
Fingerprint: 6C9511EF 1F589E8A 1BF11473 8145A28E
Associated Identity: ccsp-lab-vpc
The "Certificate" section of the output above shows the router's own certificate with status Pending: the request has reached the CA but has not been issued.
Now log in to the CA server with Remote Desktop and open Start > Administrative Tools > Certification Authority to manage the requests.
In the figure above one certificate request is pending; right-click it and choose All Tasks > Issue.
After the certificate is issued, check its status on the router again (the router polls the CA periodically for the pending request).
The "Certificate" section now shows Available:
c2620-1#sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 1F18A48B000000000004
Key Usage: General Purpose
Issuer:
CN = clab.com
Subject Name Contains:
Name: c2620-1.itany.com
CRL Distribution Point:
http://cisco-vpc/CertEnroll/clab.com.crl
Validity Date:
start date: 01:53:34 UTC Aug 1 2005
end date: 02:03:34 UTC Aug 1 2006
Associated Identity: ccsp-lab-vpc
(RA Signature, RA KeyEncipher and CA certificates: unchanged from the previous outputs)
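The enrollment procedure of steps 1 to 3, reworked as an added example that is not part of the original article, in the 12.3 trustpoint syntax that c2620-2 uses below and with the settings the article leaves at their defaults made explicit. Assumed, not from the article: the NTP server address 10.10.5.91 (the CA host, used for illustration), the key-pair label vpn-key, and the revocation-check command (later 12.3T-train releases and newer; on 12.2 the equivalent under crypto ca identity is crl optional). Trustpoint name, CA host, SCEP URL and CRL URL are the article's.

```cisco
! Added example: production-style version of steps 1-3 (not from the original article).
! Assumed values: NTP server 10.10.5.91, key label vpn-key. Everything else
! (trustpoint name, CA host, SCEP and CRL URLs) is taken from the article.

! Step 1 equivalent: time from NTP rather than "clock set". Certificate validity
! dates and the 60-minute SCEP one-time password both depend on the clock, and
! "clock set" does not survive a reload.
configure terminal
ntp server 10.10.5.91
clock timezone UTC 0
hostname c2620-2
ip domain-name itany.com
ip host cisco-vpc 10.10.5.91

! Step 2 equivalent: a dedicated, labelled key pair instead of the unnamed
! general-purpose key, so the trustpoint survives a hostname change and the
! key can be regenerated on its own.
crypto key generate rsa general-keys label vpn-key modulus 1024

! Step 3 equivalent: the trustpoint, with the defaults the article relies on spelled out.
crypto ca trustpoint ccsp-lab-vpc
 enrollment mode ra
 enrollment url http://cisco-vpc/certsrv/mscep/mscep.dll
 ! poll the CA once a minute for up to 60 minutes: the lifetime of the challenge OTP
 enrollment retry period 1
 enrollment retry count 60
 rsakeypair vpn-key
 ! Revocation policy. By default the router must fetch the CRL from the CDP in the
 ! certificate (http://cisco-vpc/CertEnroll/clab.com.crl) during IKE; if that host is
 ! unreachable, IKE fails. "crl none" falls back to no check when the CRL cannot be
 ! fetched, a deliberate availability-over-revocation choice. Use plain
 ! "revocation-check crl" if a revoked peer must be rejected even when the CA is down.
 revocation-check crl none
 exit

! Authenticate the CA. Compare the fingerprint with the value obtained from the CA
! administrator out of band before answering yes; nothing after this point can detect
! a wrong CA certificate.
crypto ca authenticate ccsp-lab-vpc

! Enroll: paste the one-time challenge password obtained from
! http://cisco-vpc/certsrv/mscep/mscep.dll within its 60-minute lifetime.
crypto ca enroll ccsp-lab-vpc
end

! Checks before moving on to IKE:
! "Clock is synchronized"
show ntp status
! generation time is a real date, not the Mar 1 1993 default
show crypto key mypubkey rsa
! router certificate "Available", not "Pending"; CA certificate present
show crypto ca certificates
```

The retry period and count are chosen so the router keeps polling for exactly as long as the challenge password is valid; if the administrator has not issued the request by then, re-run crypto ca enroll with a fresh OTP.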
4. Configure ISAKMP parameters. Authentication is rsa-sig, so the certificates obtained above replace a pre-shared key; the policy must match on both routers.
c2620-1(config)#crypto isakmp enable
c2620-1(config)#crypto isakmp policy 10
c2620-1(config-isakmp)#authentication rsa-sig
c2620-1(config-isakmp)#encryption 3des
c2620-1(config-isakmp)#group 2
c2620-1(config-isakmp)#hash sha
c2620-1(config-isakmp)#exit
c2620-1(config)#crypto isakmp identity address
5. Configure the IPsec parameters (transform set).
c2620-1(config)#crypto ipsec transform-set cisco esp-3des esp-sha-hmac
c2620-1(cfg-crypto-trans)#mode tunnel
c2620-1(cfg-crypto-trans)#exit
6. Define the interesting traffic. This access list selects what the crypto map encrypts; the one on 2620-2 must be its mirror image.
c2620-1(config)#access-l 101 per ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
7. Create the crypto map and apply it to the outside interface.
c2620-1(config)#crypto map secure 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
c2620-1(config-crypto-map)#match address 101
c2620-1(config-crypto-map)#set transform-set cisco
c2620-1(config-crypto-map)#set pfs group2
c2620-1(config-crypto-map)#set peer 173.16.2.1
c2620-1(config-crypto-map)#exit
c2620-1(config)#int s0/0
c2620-1(config-if)#crypto map secure
Configuration of router 2620-2 (same steps; IOS 12.3 uses crypto ca trustpoint instead of crypto ca identity):
c2620-2#clock set 10:15:00 1 aug 2005
c2620-2#conf t
c2620-2(config)#hostname c2620-2
c2620-2(config)#ip domain-name itany.com
c2620-2(config)#crypto key generate rsa
The name for the keys will be: c2620-2.itany.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
c2620-2(config)#ip host cisco-vpc 10.10.5.91
c2620-2(config)#crypto ca trustpoint ccsp-lab-vpc
c2620-2(ca-trustpoint)#enrollment mode ra
c2620-2(ca-trustpoint)#enrollment url http://cisco-vpc/certsrv/mscep/mscep.dll
c2620-2(ca-trustpoint)#exit
c2620-2(config)#crypto ca authenticate ccsp-lab-vpc
Certificate has the following attributes:
Fingerprint: CA28A34E CDB30B87 D28F106D 18C37F88
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
c2620-2(config)#crypto ca enroll ccsp-lab-vpc
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: CN=c2620-2 OU=ccsplab
% The fully-qualified domain name in the certificate will be: c2620-2.itany.com
% The subject name in the certificate will include: c2620-2.itany.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.
As on 2620-1, this request stays Pending until an administrator issues it in the Certification Authority console; with rsa-sig authentication IKE cannot complete until show crypto ca certificates on 2620-2 shows the router certificate as Available.
c2620-2(config)#crypto isakmp enable
c2620-2(config)#crypto isakmp policy 10
c2620-2(config-isakmp)#authentication rsa-sig
c2620-2(config-isakmp)#encryption 3des
c2620-2(config-isakmp)#group 2
c2620-2(config-isakmp)#hash sha
c2620-2(config-isakmp)#exit
c2620-2(config)#crypto isakmp identity address
c2620-2(config)#crypto ipsec transform-set cisco esp-3des esp-sha-hmac
c2620-2(cfg-crypto-trans)#mode tunnel
c2620-2(cfg-crypto-trans)#exit
c2620-2(config)#access-l 101 per ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
c2620-2(config)#crypto map secure 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
c2620-2(config-crypto-map)#match address 101
c2620-2(config-crypto-map)#set pfs group2
c2620-2(config-crypto-map)#set transform-set cisco
c2620-2(config-crypto-map)#set peer 173.16.1.1
c2620-2(config-crypto-map)#exit
c2620-2(config)#int s0/0
c2620-2(config-if)#crypto map secure
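Both routers are now configured, but the article stops before showing the tunnel come up. The following is an added example, not from the original article, of how to verify the tunnel end to end and of the algorithm choices a current deployment would make in place of 3DES/SHA-1/group 2. Assumed, not from the article: inside hosts 10.1.1.1 (behind c2620-1) and 10.2.2.1 (behind c2620-2), since the article gives only the /24 networks, and the availability of AES and DH group 14, which need newer IOS releases than the two shown. Peers, policy numbers, transform-set and crypto-map names are the article's.

```cisco
! Added example (not from the original article): verifying the tunnel end to end
! once both routers are configured, then the algorithm choices a current deployment
! would make. Assumed values: inside hosts 10.1.1.1 (behind c2620-1) and 10.2.2.1
! (behind c2620-2); the article only gives the /24 networks.

! === On c2620-1 ===
! Generate traffic that matches access-list 101. It must be sourced from the inside
! network: a ping from the s0/0 address does not match the crypto ACL and goes in
! the clear. The first one or two echoes are normally lost while IKE negotiates.
ping 10.2.2.1 source 10.1.1.1

! Phase 1: a single SA for peer 173.16.2.1 in state QM_IDLE means both certificates
! were verified. An SA stuck in MM_KEY_EXCH (or no SA at all) usually means a
! certificate, CRL or clock problem rather than an IPsec one.
show crypto isakmp sa

! Phase 2: "#pkts encaps" and "#pkts decaps" must both increase for the
! 10.1.1.0/24 <-> 10.2.2.0/24 identities. encaps rising with decaps at zero means
! the far side is not returning traffic (check its access-list 101 and static route).
show crypto ipsec sa peer 173.16.2.1

! When the SA does not come up: watch the negotiation and the certificate checks
! from the console, not across the link being debugged, and stop with "undebug all".
debug crypto isakmp
debug crypto pki transactions
ping 10.2.2.1 source 10.1.1.1
undebug all

! After changing a certificate, policy or ACL, force a fresh negotiation on both sides.
clear crypto isakmp
clear crypto sa

! === Stronger algorithms, identical on both routers ===
! 3DES / SHA-1 / DH group 2 was a reasonable choice in 2005. Releases with AES
! (12.2(13)T and later) and DH group 14 (later 12.4T releases) allow the policy
! below. Add it as a higher-priority policy (lower number) and a second transform
! set first, so the peer keeps matching policy 10 during the change-over, then
! remove the old ones once both ends are upgraded.
configure terminal
crypto isakmp policy 5
 authentication rsa-sig
 encryption aes 256
 hash sha
 group 14
 lifetime 28800
 exit
crypto ipsec transform-set cisco-aes esp-aes 256 esp-sha-hmac
 mode tunnel
 exit
crypto map secure 10 ipsec-isakmp
 set transform-set cisco-aes cisco
 set pfs group14
 exit
end
```

The transform-set line lists cisco-aes before the original cisco set: IOS offers them in that order during quick mode, so a peer that has been upgraded picks AES and one that has not still matches 3DES, which keeps the tunnel up while the second router is changed.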