890路由器EZ***+CA認證

筆者做 easy *** 實驗，配置如下，已驗證成功。client 是 891 路由器（版本 12.4），*** Server 是 ASA（版本 8.1）。

! AAA method list "rtr-remote": login authentication and network
! (ISAKMP / mode-config) authorization are both served from the local
! user database, i.e. the "username" entry further down this config.
! The crypto map "mymap" below names this list for ISAKMP authorization.
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local

! Certificate validity periods are compared against the router clock;
! a wrong clock breaks both enrolment and IKE certificate validation.
! No NTP or other time source is visible in this listing - confirm one exists.
clock timezone HKST 8     //時間需正確

! PKI trustpoint "testca": the CA this router enrols with and trusts for
! IKE peer certificates (referenced by "ca trust-point" in the ISAKMP
! profile further down).
crypto pki trustpoint testca     //證書名
 ! Enrol through a registration authority (Microsoft SCEP, mscep.dll).
 enrollment mode ra
 ! SCEP is carried over plain HTTP here; the SCEP messages themselves are
 ! signed/encrypted, but the CA certificate fetched this way must be
 ! verified out of band (no "fingerprint" line is present to pin it).
 enrollment url http://1.1.1.1:80/certsrv/mscep/mscep.dll     //在線註冊CA
 ! Revocation is never checked, although both certificates in the chain
 ! below carry a CRL-distribution-point extension (and the identity
 ! certificate an AIA extension): a revoked peer certificate is still
 ! accepted. Prefer "revocation-check crl" or "revocation-check ocsp"
 ! once the distribution point is reachable from this router.
 revocation-check none 
 ! Key-pair label. The identity certificate below appears to hold a
 ! 512-bit RSA modulus (INTEGER length 0x41 in its SubjectPublicKeyInfo),
 ! despite the note recommending 1024; both sizes are below current
 ! guidance - regenerate the key pair with a 2048-bit (or larger) modulus.
 rsakeypair test.domain.com     //密鑰對,hostname是test,域名是domain.com,大小最好1024

! Certificates obtained through the trustpoint above: first the router's
! own identity certificate (serial 1EA19833000000000038), then the CA
! certificate. Decoding the DER: both are signed with
! sha1WithRSAEncryption (OID 1.2.840.113549.1.1.5); the identity
! certificate's public key is 512-bit RSA while the CA key is 2048-bit.
! The identity certificate's subject CN decodes to a hostname that does
! not match the "rsakeypair test.domain.com" label above, so this blob
! presumably comes from a different, unsanitised lab box - treat it as
! illustrative only.
crypto pki certificate chain testca
 certificate 1EA19833000000000038
  308203BC 308202A4 A0030201 02020A1E A1983300 00000000 38300D06 092A8648
  86F70D01 01050500 30133111 300F0603 55040313 0856504E 4D414743 41301E17
  0D313231 31303631 30303134 335A170D 31383039 30313037 34363539 5A302031
  1E301C06 092A8648 86F70D01 0902130F 63613839 312E626A 6C6F742E 636F6D30
  5C300D06 092A8648 86F70D01 01010500 034B0030 48024100 982E251F 25DA21D7
  65EE5390 7F7BDA1B C40C28E4 8B1C5A63 87A2F572 4D4543B0 7E60D088 49706DF8
  4058D1A0 5466EA30 21A9D3C0 FFF383B5 4F02375B 0720B05F 02030100 01A38201
  CB308201 C7300B06 03551D0F 04040302 05A0301D 0603551D 0E041604 14B58D91
  96B09CB6 4051EA65 0CCF087C 444B39A2 6B301F06 03551D23 04183016 80144CDD
  4B1D4789 D9B20920 1B67C0E2 C0984AA7 9C67306F 0603551D 1F046830 663064A0
  62A06086 2D687474 703A2F2F 71677467 2E626A6C 6F742E63 6F6D2F43 65727445
  6E726F6C 6C2F5650 4E4D4147 43412E63 726C862F 66696C65 3A2F2F5C 5C716774
  672E626A 6C6F742E 636F6D5C 43657274 456E726F 6C6C5C56 504E4D41 4743412E
  63726C30 81A60608 2B060105 05070101 04819930 81963048 06082B06 01050507
  3002863C 68747470 3A2F2F71 6774672E 626A6C6F 742E636F 6D2F4365 7274456E
  726F6C6C 2F716774 672E626A 6C6F742E 636F6D5F 56504E4D 41474341 2E637274
  304A0608 2B060105 05073002 863E6669 6C653A2F 2F5C5C71 6774672E 626A6C6F
  742E636F 6D5C4365 7274456E 726F6C6C 5C716774 672E626A 6C6F742E 636F6D5F
  56504E4D 41474341 2E637274 301D0603 551D1101 01FF0413 3011820F 63613839
  312E626A 6C6F742E 636F6D30 3F06092B 06010401 82371402 04321E30 00490050
  00530045 00430049 006E0074 00650072 006D0065 00640069 00610074 0065004F
  00660066 006C0069 006E0065 300D0609 2A864886 F70D0101 05050003 82010100
  224A0D66 E5C49C19 393A5055 AD4B348F 5375B26F B95987C0 B458675C E1F8FB69
  35500E96 B54DC69A 95CC72DF CA5D27A0 29B978AF F17BBA73 885AFACD 44EB553B
  32A824C5 CAF79AC4 351B8A25 3B7ACDB9 2118A5BF 527E27C6 601B561D 105A3CE7
  F2113868 F5F382C6 690D9564 686F0E1F DE665FFA 2B681C6B A65FFEEA ECA67562
  C9EBFAB3 FDB175AE B64415B9 4F0AF6A3 9B7A5829 241396E0 03A6BAB4 D5936CD4
  55B5E0AF 559DC5A1 C3410699 01DE7654 8D6D59B6 20DBDD76 84A64EA0 E7864236
  FFCB276F CD112B19 B8F91E7B BE3243DF 66293484 58BA275D 0605A176 8CAD1058
  3F9EB2B1 4A4BDDF0 CE374796 9BF3D8E6 6AAFB995 E993455F 0E50600E 83
  B48D0E
        quit
 certificate testca 5524AFAF35AEC78047EB27D64889D672
  30820374 3082025C A0030201 02021055 24AFAF35 AEC78047 EB27D648 89D67230
  0D06092A 864886F7 0D010105 05003013 3111300F 06035504 03130856 504E4D41
  47434130 1E170D30 38303930 31303733 3830385A 170D3138 30393031 30373436
  35395A30 13311130 0F060355 04031308 56504E4D 41474341 30820122 300D0609
  2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00BC8512 96AF1B87
  16509C0F CC7719EB 46ACEFFC 387136DD 299FB9B7 5267FCBC 002C359C 7AA90098
  1006839B 51337F8A 737A73FE D8835AC9 B8B88F07 5B1EAD9F C641B204 7A9C9F5B
  1F420F61 E9C22936 E774CB4D A41EB945 E24EA655 B338003A C3492DBE C4C5930A
  8318863C A76BE327 E5DDD537 C144E8E0 6CD6FE92 C6E9F913 AACBEAED 36C14CC7
  3BBD9005 F9186970 31EDF7A2 65923C7E DE46E628 DAA54A6F 7D928913 26AFFA72
  FAC8CE7C 42DEAB18 62B1CB55 9E4FCF41 EDA1A5AA F6094A7A 7AF49092 FC4D48E2
  042F63A6 282067C5 AEBF2546 85B3F2F1 8F0E9D19 0B22B069 D8E18F0F C8278831
  5383412F D155A51E A990A1D0 2FC8BC84 0278DAD0 85D3A1E8 A7020301 0001A381
  C33081C0 300B0603 551D0F04 04030201 86300F06 03551D13 0101FF04 05300301
  01FF301D 0603551D 0E041604 144CDD4B 1D4789D9 B209201B 67C0E2C0 984AA79C
  67306F06 03551D1F 04683066 3064A062 A060862D 68747470 3A2F2F71 6774672E
  626A6C6F 742E636F 6D2F4365 7274456E 726F6C6C 2F56504E 4D414743 412E6372
  6C862F66 696C653A 2F2F5C5C 71677467 2E626A6C 6F742E63 6F6D5C43 65727445
  6E726F6C 6C5C5650 4E4D4147 43412E63 726C3010 06092B06 01040182 37150104
  03020100 300D0609 2A864886 F70D0101 05050003 82010100 8A85DCD5 B226D702
  BD7613DE 38C0048D 5B7BA71D 509EC421 BE1FB5E7 C6B25D71 707B3352 AC8F3C83
  2E25F3EE C3B46553 783B7E6B 9C1BAE99 FFC62616 EFBCDFED 16AA1DC1 5E35D038
  B599E36B EB90D9A9 78ABBDE9 9EBD8FFC 9ABCE5E3 3ECD9EE8 EA0C9520 505C22C7
  74D30D0F CBDED144 6A66B344 1F59520F EF427D5E 8E370D7D 28197B65 A3112861
  2CF18376 056F22D2 FFCFA132 A582B551 945E36D6 36C11342 74988633 3AE18457
  B86A5243 037849D7 6492CC7F 08529B6C 52CC9D95 4AA2F699 31CF271A E444830A
  D3868965 77A53F97 52BCD517 0BAE0C25 7CF4E1FD 0E52A3F5 E13EB918 62457702
  6545F6C7 57203B9B 82C41BFC 30299A77 D76770EC 647740FE
        quit

! Domain name; presumably completes the FQDN (test.domain.com) used as
! the key-pair label and certificate subject during enrolment.
ip domain name domain.com

! Local account used by the AAA lists above. "password 0" keeps the
! credential in clear text in the running config and in every backup of
! it; use "username user privilege 15 secret <password>" so only a hash
! is stored, and do not grant privilege 15 to a VPN-only user unless it
! also needs full device administration.
username user privilege 15 password 0 passwd

! IKE phase-1 policy; must match a policy on the peer. Only encryption
! and DH group are set explicitly; hash and authentication stay at the
! IOS defaults (sha, rsa-sig), so IKE authenticates with the trustpoint
! certificate. Group 2 is 1024-bit MODP, far weaker than the AES-256
! chosen alongside it - use group 14 or higher if the peer supports it.
crypto isakmp policy 1     //必需和server一致
 encr aes 256
 group 2
! Dead-peer-detection keepalive interval, in seconds.
crypto isakmp keepalive 100
!
! Server-side group definition with a three-character clear-text group
! pre-shared key. Any peer presenting "123" can begin an IKE exchange
! against this group, so this is lab-only material; it is also redundant
! once the profile below authenticates peers by certificate.
crypto isakmp client configuration group testgroup
 key 123
 domain domain.com
! ISAKMP profile: peers are validated against trustpoint "testca" and
! mapped to group "testgroup"; mode-config addresses are handed out only
! when the client asks for one ("respond").
crypto isakmp profile pro     //profile
   ca trust-point testca     //指定證書
   match identity group testgroup 
   client configuration address respond
!
! IPsec (phase-2) SA lifetime: 24 hours.
crypto ipsec security-association lifetime seconds 86400
!
! Phase-2 proposal, paired with the AES-256 / SHA phase-1 policy above.
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac     //和policy對應

! Easy VPN client profile (remote side of the tunnel).
!  - connect auto: the tunnel is brought up as soon as the outside
!    interface is up, without waiting for interesting traffic.
!  - network-extension: inside hosts (Loopback0 subnet below) keep their
!    real addresses towards the server, rather than being NATed behind a
!    single assigned address as in client mode.
!  - xauth interactive: the Xauth user credentials are prompted for on
!    the console instead of being stored in the config.
crypto ipsec client ez*** ez***
 connect auto
 mode network-extension
 peer 10.10.10.10     //*** Server地址
 xauth userid mode interactive
!
!
! Dynamic crypto map: accepts IPsec negotiations from any peer that
! passes ISAKMP profile "pro" (certificate validated against testca) and
! injects a route to the peer's networks ("reverse-route").
crypto dynamic-map dymap 1
 set transform-set set1
 set isakmp-profile pro
 reverse-route
!
!
! Static crypto map bound to the outside interface. Together with the
! client configuration group above, these lines make this router a VPN
! server as well, terminating inbound IKE/IPsec in addition to its Easy
! VPN client role - a larger exposed surface than a client-only setup;
! confirm the dual role is intended. No inbound access list on the
! outside interface is visible in this listing.
crypto map mymap isakmp authorization list rtr-remote
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dymap

! Inside interface. The Easy VPN "inside" interface must be designated
! explicitly and be up/up; in network-extension mode 192.168.1.0/24 is
! the network the server side learns to reach through the tunnel.
interface Loopback0
 description inside
 ip address 192.168.1.1 255.255.255.0
 crypto ipsec client ez*** ez*** inside     //inside接口必須指定,而且是雙up

! Outside interface with a DHCP-assigned address. Both the static crypto
! map (server role) and the Easy VPN client profile (client role) are
! bound here, so all IKE/IPsec, inbound and outbound, terminates on this
! interface; no access list restricting traffic to it appears in this
! listing.
interface GigabitEthernet0     //outside接口
 ip address dhcp
 duplex auto
 speed auto
 crypto map mymap
 crypto ipsec client ez*** ez***
