Certificate-based IPsec VPN with a router acting as the CA
--by Mast 2012
This lab uses a router as the CA server to build a site-to-site IPsec VPN that authenticates the peers with digital certificates.
Lab environment:
I originally planned to run this lab on IOU, but after trying it I found that IOU's support for the router-as-CA feature is poor: either the CA server would not come up or the certificates could not be obtained, so in the end I used Xiaofan's emulator. The IOS image used is (C3745-ADVIPSERVICESK9-M), Version 12.4(3c), RELEASE SOFTWARE (fc1). The topology is as follows:
Lab description:
Five routers are emulated in total: R1 and R5 stand in for hosts in the two LANs, wuhan and changzhou are the edge routers of the two LANs, and wuhan additionally serves as the CA server.
Summary of the configuration steps:
1. On the router that will act as the CA server, set the clock and make it the NTP server; if the network already has an NTP server, point the router at that server instead. The purpose is time synchronization, since certificate validity is checked against the clock.
2. Configure the CA server first: enable the HTTP server, configure the domain name, generate the key pair, and enable the CA service.
3. Configure a trustpoint on the server-side router.
4. The server-side router authenticates with the CA server and obtains the CA's root certificate.
5. The server-side router enrolls with the CA server to request its device certificate; after the request is submitted, issue the certificate on the CA server.
6. Configure the NTP server on the client router for time synchronization.
7. Configure the domain name on the client router and generate its key pair.
8. Configure a trustpoint on the client router.
9. The client router authenticates with the CA server and obtains the CA's root certificate.
10. The client router enrolls with the CA server to request its device certificate; after the request is submitted, issue the certificate on the CA server.
11. Perform the usual IPsec VPN configuration; the only difference is that the authentication method changes from the usual pre-shared key to digital certificates (rsa-sig).
Main configuration commands and notes:
Set the clock
wuhan#clock set 13:20:00 2 feb 2012
wuhan#
*Feb 2 13:20:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:02:33 UTC Fri Mar 1 2002 to 13:20:00 UTC Thu Feb 2 2012, configured from console by console.
Enable HTTP and configure the domain name
wuhan#config t
Enter configuration commands, one per line. End with CNTL/Z.
wuhan(config)#ip http server
wuhan(config)#ip domain-name cjgs.com
Generate the key pair (the lab accepts the default 512-bit modulus below; 512-bit RSA is far too weak for anything but a lab, use 2048 bits in a real deployment)
wuhan(config)#crypto key generate rsa general-keys label caserver    (the "caserver" after label is the name of the CA server that will be enabled)
The name for the keys will be: caserver
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
wuhan(config)#
Feb 2 13:21:45.067: %SSH-5-ENABLED: SSH 1.99 has been enabled
wuhan(config)#
Configure and enable the CA server
wuhan(config)#crypto pki server caserver    (the CA server name; it must match the label used when the key was generated)
wuhan(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: (enter a password, e.g. 12345678)
Re-enter password:
% Certificate Server enabled.    (the service started successfully)
wuhan(cs-server)#exit
wuhan(config)#
Display the CA server
wuhan#sh crypto pki server
Certificate Server caserver:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=caserver
CA cert fingerprint: 51A50612 7690A10E 30DF6B77 838A253D
Granting mode is: manual
Last certificate issued serial number: 0x1
CA certificate expiration timer: 13:22:36 UTC Feb 1 2015
CRL NextUpdate timer: 13:22:36 UTC Feb 9 2012
Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage
View the server's certificate
wuhan#sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: caserver
Configure the trustpoint
wuhan#config t
Enter configuration commands, one per line. End with CNTL/Z.
wuhan(config)#crypto pki trustpoint 59.175.234.102
wuhan(ca-trustpoint)#enrollment mode ra
wuhan(ca-trustpoint)#enrollment url http://59.175.234.102
wuhan(ca-trustpoint)#exit
Authenticate with the CA server and obtain the CA root certificate (compare the fingerprint shown here with the CA cert fingerprint from "sh crypto pki server" before answering yes)
wuhan(config)#crypto pki authenticate 59.175.234.102
Certificate has the following attributes:
Fingerprint MD5: 51A50612 7690A10E 30DF6B77 838A253D
Fingerprint SHA1: 688268EB 7CBFD71C ACE1317C394F19AF 83B0C7B2
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
wuhan(config)#
View the certificates
wuhan#sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102 caserver
Enroll with the CA server to request the device certificate
wuhan(config)#crypto pki enroll 59.175.234.102
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: (choose a password, e.g. 87654321)
Feb 2 13:29:07.379: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: wuhan.cjgs.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 59.175.234.102 verbose' commandwill show the fingerprint.
wuhan(config)#
View the enrollment requests on the CA server
wuhan#crypto pki server caserver info requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 pending D93C6086850599878DC34E3062B1D24E hostname=wuhan.cjgs.com    (the submitted enrollment request, in the pending state)
View the certificates
wuhan#sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102 caserver
Certificate
Subject:
Name: wuhan.cjgs.com
Status: Pending    (the state is pending)
Key Usage: General Purpose
Certificate Request Fingerprint MD5: D93C6086 85059987 8DC34E30 62B1D24E
Certificate Request Fingerprint SHA1: E06AE039 C855FA9B BA4EDE9D 12028E9F 5BBFB4F7
Associated Trustpoint: 59.175.234.102
Issue the certificate on the CA server
wuhan#crypto pki server caserver grant 1    (1 is the request ID; the all keyword grants every pending request)
... wait a moment
wuhan#
Feb 2 13:33:36.707: %PKI-6-CERTRET: Certificate received from Certificate Authority    (certificate received, enrollment succeeded)
View the certificates
wuhan#sh crypto ca certificates
Certificate    (the device certificate that was obtained)
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=caserver
Subject:
Name: wuhan.cjgs.com
hostname=wuhan.cjgs.com
Validity Date:
start date: 13:31:59 UTC Feb 2 2012
end date: 13:31:59 UTC Feb 1 2013
Associated Trustpoints: 59.175.234.102
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102 caserver
Make the router an NTP server for time synchronization
wuhan#config t
Enter configuration commands, one per line. End with CNTL/Z.
wuhan(config)#ntp master
Point the client router at the NTP server
changzhou#config t
Enter configuration commands, one per line. End with CNTL/Z.
changzhou(config)#ntp server 59.175.234.102
changzhou#sh clock
13:35:55.663 UTC Thu Feb 2 2012
Configure the client router's domain name
changzhou(config)#ip domain-name cjgs.com
Generate the key pair; the label parameter is not used here
changzhou(config)#crypto key generate rsa general-keys
The name for the keys will be: changzhou.cjgs.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
changzhou(config)#
Feb 2 13:37:41.801: %SSH-5-ENABLED: SSH 1.99 has been enabled
changzhou(config)#
Configure the trustpoint
changzhou(config)#crypto pki trustpoint 59.175.234.102
changzhou(ca-trustpoint)#enrollment mode ra
changzhou(ca-trustpoint)#enrollment url http://59.175.234.102
changzhou(ca-trustpoint)#exit
Authenticate with the CA server and obtain the CA root certificate
changzhou(config)#crypto pki authenticate 59.175.234.102
Certificate has the following attributes:
Fingerprint MD5: 51A50612 7690A10E 30DF6B77 838A253D
Fingerprint SHA1: 688268EB 7CBFD71C ACE1317C394F19AF 83B0C7B2
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
changzhou(config)#
View the certificate obtained on the client router
changzhou#sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102
changzhou#
Request the device certificate from the CA server
changzhou(config)#crypto pki enroll 59.175.234.102
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: (choose a password, e.g. 11111111)
Re-enter password:
% The subject name in the certificate will include: changzhou.cjgs.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 59.175.234.102 verbose' commandwill show the fingerprint.
changzhou(config)#
Feb 2 13:41:56.820: CRYPTO_PKI: Certificate Request Fingerprint MD5: 6396F2BA ABE2EDA4 B7815564 E53B1BD6
Feb 2 13:41:56.828: CRYPTO_PKI: Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF 98205A9F3A770A01
changzhou(config)#
View the certificate enrollment request on the CA server
wuhan#crypto pki server caserver info requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
2 pending 6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com
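The hostname in a request is supplied by the enrolling device, so before granting, the operator should match each pending ReqID's fingerprint against the request fingerprint printed on that router's console (the CRYPTO_PKI log line above, or "show crypto ca certificates"). The following Python script is an added example, not part of this lab: it parses the "info requests" table in the format shown above, compares it with fingerprints copied from the consoles, and emits the grant/reject commands. Requests 1 and 2 are the lab's own values; request 3 is a constructed mismatch.

```python
import re

# Constructed sample of the CA's request database, in the format printed by
# "crypto pki server caserver info requests". Request 3 is constructed: its
# fingerprint matches nothing the operator saw on a console.
CA_REQUESTS = """\
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 granted D93C6086850599878DC34E3062B1D24E hostname=wuhan.cjgs.com
2 pending 6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com
3 pending 00112233445566778899AABBCCDDEEFF hostname=changzhou.cjgs.com
"""

# Fingerprints copied from each router's console line
# "CRYPTO_PKI: Certificate Request Fingerprint MD5: ...", console spacing kept.
CONSOLE_FINGERPRINTS = {
    "wuhan.cjgs.com": "D93C6086 85059987 8DC34E30 62B1D24E",
    "changzhou.cjgs.com": "6396F2BA ABE2EDA4 B7815564 E53B1BD6",
}

REQUEST_RE = re.compile(r"^(\d+)\s+(\w+)\s+([0-9A-Fa-f]{32})\s+hostname=(\S+)$")

def normalize(fp):
    """Drop the console's 8-hex-digit grouping so both formats compare equal."""
    return re.sub(r"\s+", "", fp).upper()

def parse_requests(text):
    """Return the 'Router certificates requests' rows as dicts."""
    rows = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line.strip())
        if m:
            rows.append({"id": int(m.group(1)), "state": m.group(2),
                         "fp": m.group(3).upper(), "host": m.group(4)})
    return rows

def grant_decisions(ca_text, console_fps):
    """Map ReqID -> 'grant', 'reject', or 'skip' (not pending)."""
    expected = {h: normalize(fp) for h, fp in console_fps.items()}
    decisions = {}
    for r in parse_requests(ca_text):
        if r["state"] != "pending":
            decisions[r["id"]] = "skip"
        elif expected.get(r["host"]) == r["fp"]:
            decisions[r["id"]] = "grant"
        else:
            decisions[r["id"]] = "reject"
    return decisions

def ios_commands(decisions, server="caserver"):
    """IOS commands for the operator: 'grant <id>' or 'reject <id>'."""
    return [f"crypto pki server {server} {d} {rid}"
            for rid, d in sorted(decisions.items()) if d in ("grant", "reject")]
```

Running `ios_commands(grant_decisions(CA_REQUESTS, CONSOLE_FINGERPRINTS))` yields one grant for request 2 and a reject for request 3.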
Issue the certificate requested by the client
wuhan#crypto pki server caserver grant 2
wuhan#crypto pki server caserver info requests
Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
2 granted 6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com    (after granting, the state changes from pending to granted)
View the certificates on the client router
changzhou#sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102
Certificate
Subject:
Name: changzhou.cjgs.com
Status: Pending    (the device certificate is still pending; the certificate issued by the CA has not been received yet)
Key Usage: General Purpose
Certificate Request Fingerprint MD5: 6396F2BA ABE2EDA4 B7815564 E53B1BD6
Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF 98205A9F3A770A01
Associated Trustpoint: 59.175.234.102
... wait a moment
Feb 2 13:44:14.602: %PKI-6-CERTRET: Certificate received from Certificate Authority    (certificate received)
View the certificates
changzhou#sh crypto ca certificates
Certificate
Status: Available    (the certificate's status has changed)
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=caserver
Subject:
Name: changzhou.cjgs.com
hostname=changzhou.cjgs.com
Validity Date:
start date: 13:43:35 UTC Feb 2 2012
end date: 13:43:35 UTC Feb 1 2013
Associated Trustpoints: 59.175.234.102
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102
View the CA server on the server side
wuhan#sh crypto pki server
Certificate Server caserver:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=caserver
CA cert fingerprint: AE37D488 FF186F5F 30DE841F0A1BAFC9
Granting mode is: manual
Last certificate issued serial number: 0x3    (serial number of the last certificate issued)
CA certificate expiration timer: 11:31:32 UTC Feb 2 2015
CRL NextUpdate timer: 11:31:32 UTC Feb 10 2012
Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage
Configure the IPsec VPN (3DES, MD5 and DH group 2 are used here because the lab image offers them; they are legacy algorithms and should be replaced with AES, SHA-2 and a stronger group in a real deployment)
Server side
wuhan(config)#access-list 100 permit ip 172.19.10.0 0.0.0.255 172.19.129.0 0.0.0.255
wuhan(config)#crypto isakmp policy 10
wuhan(config-isakmp)#authentication rsa-sig    (authentication method changed to rsa-sig)
wuhan(config-isakmp)#encryption 3des
wuhan(config-isakmp)#hash md5
wuhan(config-isakmp)#group 2
wuhan(config-isakmp)#exit
wuhan(config)#crypto ipsec transform-set set1 esp-3des esp-md5-hmac
wuhan(cfg-crypto-trans)#exit
wuhan(config)#crypto map tochangzhou 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
wuhan(config-crypto-map)#match add 100
wuhan(config-crypto-map)#set tran set1
wuhan(config-crypto-map)#set peer 59.19.111.34
wuhan(config-crypto-map)#exit
wuhan(config)#int f0/0
wuhan(config-if)#crypto map tochangzhou
wuhan(config-if)#end
wuhan#
Feb 2 13:49:41.339: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Client side
changzhou(config)#access-list 100 permit ip 172.19.129.0 0.0.0.255 172.19.10.0 0.0.0.255
changzhou(config)#crypto isakmp policy 10
changzhou(config-isakmp)#authentication rsa-sig
changzhou(config-isakmp)#hash md5
changzhou(config-isakmp)#encryption 3des
changzhou(config-isakmp)#group 2
changzhou(config-isakmp)#exit
changzhou(config)#crypto ipsec transform-set set1 esp-3des esp-md5-hmac
changzhou(cfg-crypto-trans)#exit
changzhou(config)#crypto map towuhan 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
changzhou(config-crypto-map)#match add 100
changzhou(config-crypto-map)#set tran set1
changzhou(config-crypto-map)#set peer 59.175.234.102
changzhou(config-crypto-map)#exit
changzhou(config)#int f0/1
changzhou(config-if)#crypto map towuhan
changzhou(config-if)#end
Feb 2 13:54:41.658: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is On
Test
changzhou#sh crypto isakmp sa
dst src state conn-id slot status
59.19.111.34 59.175.234.102 QM_IDLE 1 0 ACTIVE
changzhou#sh crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 59.175.234.102 port 500
IKE SA: local 59.19.111.34/500 remote 59.175.234.102/500 Active
IPSEC FLOW: permit ip 172.19.129.0/255.255.255.0 172.19.10.0/255.255.255.0
Active SAs: 2, origin: crypto map
R1#ping 172.19.129.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 172.19.129.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 136/201/260 ms
The first pings are lost while the IKE and IPsec SAs are still being negotiated (including the certificate exchange); once the tunnel is up, traffic between the two LANs passes.