Certificate-based IPsec *** using a router as the CA

--by Mast 2012

 

This lab uses a router as the CA server to build a site-to-site IPsec *** whose IKE peers authenticate each other with digital certificates instead of a pre-shared key.

Lab environment:

I originally planned to run this lab on IOU, but after trying it I found that IOU supports the router-as-CA feature poorly: either the CA server would not come up or certificates could not be obtained, so in the end I used the Xiaofan (小凡) emulator. IOS image used: (C3745-ADVIPSERVICESK9-M), Version 12.4(3c), RELEASE SOFTWARE (fc1). The topology is shown below:

 


Lab notes:

Five routers are simulated in total. R1 and R5 stand in for hosts on the two LANs, wuhan and changzhou are the border routers of the two LANs, and wuhan additionally acts as the CA server.

Summary of the configuration steps:

1. On the router that will be the CA server, set the clock and make it the NTP server; if the network already has an NTP server, point the router at that instead. The purpose is time synchronization: certificate validity periods and CRL timers are checked against the local clock on both sides.

2. Configure the CA server: enable the HTTP server (SCEP enrollment runs over it), set the domain name, generate the RSA key pair, and enable the CA service.

3. Configure a trustpoint on the server-side router (the CA router enrolls with its own CA for its identity certificate).

4. Authenticate the server-side router against the CA server to obtain the CA root certificate.

5. Enroll the server-side router with the CA server to request its device identity certificate; after the request has been submitted, grant the certificate on the CA server.

6. On the client router, configure the NTP server for time synchronization.

7. On the client router, configure the domain name and generate the RSA key pair.

8. Configure the trustpoint on the client router.

9. Authenticate the client router against the CA server to obtain the CA root certificate.

10. Enroll the client router with the CA server to request its device identity certificate; after submission, grant it on the CA server.

11. Do the usual IPsec *** configuration; the one difference is that the ISAKMP authentication method changes from the usual pre-shared key to digital certificates (rsa-sig).

Main configuration commands with explanations:

Set the clock

wuhan#clock set 13:20:00 2 feb 2012

wuhan#

*Feb  2 13:20:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:02:33 UTC Fri Mar 1 2002 to 13:20:00 UTC Thu Feb 2 2012, configured from console by console.

 

Enable the HTTP server and configure the domain name (SCEP enrollment uses the router's HTTP server; in a real deployment restrict who can reach it, for example with ip http access-class, because the same server also exposes the management web interface)

wuhan#config t

Enter configuration commands, one per line.  End with CNTL/Z.

wuhan(config)#ip http server

wuhan(config)#ip domain-name cjgs.com

 

Generate the RSA key pair

wuhan(config)#crypto key generate rsa general-keys label caserver    the caserver after label is the name of the CA server that will be enabled

The lab accepts the 512-bit default in the prompt below. A 512-bit RSA modulus can be factored with modest resources, so outside a lab append modulus 2048 (or larger) to this command; the same applies to the client key generated later.

The name for the keys will be: caserver

Choose the size of the key modulus in the range of 360 to 2048 for your

  General Purpose Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

 

How many bits in the modulus [512]:

% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

 

wuhan(config)#

Feb  2 13:21:45.067: %SSH-5-ENABLED: SSH 1.99 has been enabled

wuhan(config)#

 

Configure and enable the CA server

wuhan(config)#crypto pki server caserver       name of the CA server; it must match the label used when the key was generated

wuhan(cs-server)#no shut

%Some server settings cannot be changed after CA certificate generation.

% Please enter a passphrase to protect the private key

% or type Return to exit

Password: (enter a password, e.g. 12345678)

 

Re-enter password:

 

% Certificate Server enabled.       the service is enabled successfully

wuhan(cs-server)#exit

wuhan(config)#

 

Show the CA server

wuhan#sh crypto pki server        

Certificate Server caserver:

    Status: enabled

    Server's configuration is locked  (enter "shut" to unlock it)

    Issuer name: CN=caserver

    CA cert fingerprint: 51A50612 7690A10E 30DF6B77 838A253D

    Granting mode is: manual

    Last certificate issued serial number: 0x1

    CA certificate expiration timer: 13:22:36 UTC Feb 1 2015

    CRL NextUpdate timer: 13:22:36 UTC Feb 9 2012

    Current storage dir: nvram:

    Database Level: Minimum - no cert data written to storage

 

View the server certificate

wuhan#sh crypto ca certificates

CA Certificate

  Status: Available

  Certificate Serial Number: 01

  Certificate Usage: Signature

  Issuer:

    cn=caserver

  Subject:

    cn=caserver

  Validity Date:

    start date: 13:22:36 UTC Feb 2 2012

    end   date: 13:22:36 UTC Feb 1 2015

  Associated Trustpoints: caserver

 

Configure a trustpoint (here named after the CA's address, 59.175.234.102; the enrollment URL is plain HTTP, which is why the fingerprint check in the next step matters)

wuhan#config t

Enter configuration commands, one per line.  End with CNTL/Z.

wuhan(config)#crypto pki trustpoint 59.175.234.102

wuhan(ca-trustpoint)#enrollment mode ra

wuhan(ca-trustpoint)#enrollment url http://59.175.234.102

wuhan(ca-trustpoint)#exit

 

Authenticate against the CA server and obtain the CA root certificate. Before answering yes, compare the MD5 fingerprint shown with the CA cert fingerprint from sh crypto pki server above (51A50612 7690A10E 30DF6B77 838A253D); on the CA router itself they necessarily agree, but the habit matters on the clients.

wuhan(config)#crypto pki authenticate 59.175.234.102

Certificate has the following attributes:

       Fingerprint MD5: 51A50612 7690A10E 30DF6B77 838A253D

      Fingerprint SHA1: 688268EB 7CBFD71C ACE1317C 394F19AF 83B0C7B2

 

% Do you accept this certificate? [yes/no]: y

Trustpoint CA certificate accepted.

wuhan(config)#

 

View certificates

wuhan#sh crypto ca certificates

CA Certificate

  Status: Available

  Certificate Serial Number: 01

  Certificate Usage: Signature

  Issuer:

    cn=caserver

  Subject:

    cn=caserver

  Validity Date:

    start date: 13:22:36 UTC Feb 2 2012

    end   date: 13:22:36 UTC Feb 1 2015

  Associated Trustpoints: 59.175.234.102 caserver

 

Enroll with the CA server to request the device identity certificate

wuhan(config)#crypto pki enroll 59.175.234.102

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

   password to the CA Administrator in order to revoke your certificate.

   For security reasons your password will not be saved in the configuration.

   Please make a note of it.

 

Password: (choose a password, e.g. 87654321)

Feb  2 13:29:07.379: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair

Re-enter password:

 

% The subject name in the certificate will include: wuhan.cjgs.com

% Include the router serial number in the subject name? [yes/no]: n

% Include an IP address in the subject name? [no]: n

Request certificate from CA? [yes/no]: y

% Certificate request sent to Certificate Authority

% The 'show crypto ca certificate 59.175.234.102 verbose' commandwill show the fingerprint.

 

wuhan(config)#

 

 

View the enrollment request on the CA server

wuhan#crypto pki server caserver info requests

Enrollment Request Database:

 

Subordinate CA certificate requests:

ReqID  State      Fingerprint                      SubjectName

--------------------------------------------------------------

 

RA certificate requests:

ReqID  State      Fingerprint                      SubjectName

--------------------------------------------------------------

 

Router certificates requests:

ReqID  State      Fingerprint                      SubjectName

--------------------------------------------------------------

1      pending    D93C6086850599878DC34E3062B1D24E hostname=wuhan.cjgs.com  the submitted enrollment request, state pending

 

 

View certificates

wuhan#sh crypto ca certificates

CA Certificate

  Status: Available

  Certificate Serial Number: 01

  Certificate Usage: Signature

  Issuer:

    cn=caserver

  Subject:

    cn=caserver

  Validity Date:

    start date: 13:22:36 UTC Feb 2 2012

    end   date: 13:22:36 UTC Feb 1 2015

  Associated Trustpoints: 59.175.234.102 caserver

 

 

Certificate

  Subject:

    Name: wuhan.cjgs.com

   Status: Pending                      state is pending

   Key Usage: General Purpose

   Certificate Request Fingerprint MD5: D93C6086 85059987 8DC34E30 62B1D24E

   Certificate Request Fingerprint SHA1: E06AE039 C855FA9B BA4EDE9D 12028E9F 5BBFB4F7

   Associated Trustpoint: 59.175.234.102

 

 

Grant the certificate on the CA server

wuhan#crypto pki server caserver grant 1   1 is the request ID; the all keyword grants every pending request (only sensible once each request's fingerprint has been checked)

 

... wait a moment

wuhan#

Feb  2 13:33:36.707: %PKI-6-CERTRET: Certificate received from Certificate Authority   certificate received, enrollment succeeded

 

 

View certificates

wuhan#sh crypto ca certificates

Certificate                       the device certificate that was obtained

  Status: Available

  Certificate Serial Number: 02

  Certificate Usage: General Purpose

  Issuer:

    cn=caserver

  Subject:

    Name: wuhan.cjgs.com

    hostname=wuhan.cjgs.com

  Validity Date:

    start date: 13:31:59 UTC Feb 2 2012

    end   date: 13:31:59 UTC Feb 1 2013

  Associated Trustpoints: 59.175.234.102

 

CA Certificate

  Status: Available

  Certificate Serial Number: 01

  Certificate Usage: Signature

  Issuer:

    cn=caserver

  Subject:

    cn=caserver

  Validity Date:

    start date: 13:22:36 UTC Feb 2 2012

    end   date: 13:22:36 UTC Feb 1 2015

  Associated Trustpoints: 59.175.234.102 caserver

 

 

Make the router an NTP server for time synchronization (the step list puts this first; in this capture it was done after enrollment. Both routers' clocks must agree before enrollment and before IKE runs, since a certificate outside its validity window is rejected. Note that ntp master is an unauthenticated time source.)

wuhan#config t

Enter configuration commands, one per line.  End with CNTL/Z.

wuhan(config)#ntp master

 

 

Point the client router at the NTP server

changzhou#config t

Enter configuration commands, one per line.  End with CNTL/Z.

changzhou(config)#ntp server 59.175.234.102

 

changzhou#sh clock

13:35:55.663 UTC Thu Feb 2 2012

 

Configure the client router's domain name

changzhou(config)#ip domain-name cjgs.com

 

 

Generate the key pair; no label parameter here, so the key is named after the router's FQDN (changzhou.cjgs.com) and is the one the trustpoint picks up by default

changzhou(config)#crypto key generate rsa general-keys

The name for the keys will be: changzhou.cjgs.com

Choose the size of the key modulus in the range of 360 to 2048 for your

  General Purpose Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

 

How many bits in the modulus [512]:

% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

 

changzhou(config)#

Feb  2 13:37:41.801: %SSH-5-ENABLED: SSH 1.99 has been enabled

changzhou(config)#

 

Configure the trustpoint

changzhou(config)#crypto pki trustpoint 59.175.234.102

changzhou(ca-trustpoint)#enrollment mode ra

changzhou(ca-trustpoint)#enrollment url http://59.175.234.102

changzhou(ca-trustpoint)#exit

 

 

Authenticate against the CA server and obtain the CA root certificate. This prompt is the client's only protection against a substituted CA on the plain-HTTP SCEP channel: the fingerprint shown here must equal the one displayed on the CA router (51A50612 7690A10E 30DF6B77 838A253D from sh crypto pki server), obtained through a separate channel; answer yes only if it does.

changzhou(config)#crypto pki authenticate 59.175.234.102

Certificate has the following attributes:

       Fingerprint MD5: 51A50612 7690A10E 30DF6B77 838A253D

      Fingerprint SHA1: 688268EB 7CBFD71C ACE1317C 394F19AF 83B0C7B2

 

% Do you accept this certificate? [yes/no]: y

Trustpoint CA certificate accepted.

changzhou(config)#

 

 

View the certificate obtained on the client router

changzhou#sh crypto ca certificates

CA Certificate

  Status: Available

  Certificate Serial Number: 01

  Certificate Usage: Signature

  Issuer:

    cn=caserver

  Subject:

    cn=caserver

  Validity Date:

    start date: 13:22:36 UTC Feb 2 2012

    end   date: 13:22:36 UTC Feb 1 2015

  Associated Trustpoints: 59.175.234.102

 

 

changzhou#

 

 

 

Request the device identity certificate from the CA server

changzhou(config)#crypto pki enroll 59.175.234.102

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

   password to the CA Administrator in order to revoke your certificate.

   For security reasons your password will not be saved in the configuration.

   Please make a note of it.

 

Password: (choose a password, e.g. 11111111)

Re-enter password:

 

% The subject name in the certificate will include: changzhou.cjgs.com

% Include the router serial number in the subject name? [yes/no]: n

% Include an IP address in the subject name? [no]: n

Request certificate from CA? [yes/no]: y

% Certificate request sent to Certificate Authority

% The 'show crypto ca certificate 59.175.234.102 verbose' commandwill show the fingerprint.

 

changzhou(config)#

Feb  2 13:41:56.820: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 6396F2BA ABE2EDA4 B7815564 E53B1BD6

Feb  2 13:41:56.828: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF 98205A9F 3A770A01

changzhou(config)#

 

 

View the certificate enrollment request on the CA server

wuhan#crypto pki server caserver info requests

Enrollment Request Database:

 

Subordinate CA certificate requests:

ReqID  State      Fingerprint                      SubjectName

--------------------------------------------------------------

 

RA certificate requests:

ReqID  State      Fingerprint                      SubjectName

--------------------------------------------------------------

 

Router certificates requests:

ReqID  State      Fingerprint                      SubjectName

--------------------------------------------------------------

2      pending    6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com

 

 

Grant the certificate requested by the client. Granting mode is manual and nothing else authenticates the requester (the challenge password is only used for revocation, as the enrollment prompt says), so anyone who can reach the enrollment URL can submit a request for hostname=changzhou.cjgs.com. Before granting, confirm that the fingerprint in the request database (6396F2BAABE2EDA4B7815564E53B1BD6) equals the Certificate Request Fingerprint MD5 the client logged when it enrolled.

wuhan#crypto pki server caserver grant 2

 

 

wuhan#crypto pki server caserver info requests

Enrollment Request Database:

 

Subordinate CA certificate requests:

ReqID  State      Fingerprint                      SubjectName

--------------------------------------------------------------

 

RA certificate requests:

ReqID  State      Fingerprint                      SubjectName

--------------------------------------------------------------

 

Router certificates requests:

ReqID  State      Fingerprint                      SubjectName

--------------------------------------------------------------

2      granted    6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com    after granting, the state changes from pending to granted
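The two manual trust decisions in this workflow, accepting the CA certificate at crypto pki authenticate (on the server earlier and on the client above) and granting a pending request here, are made by eye on the page. The following Python is an added example and not part of the original post: it renders a hash of DER bytes the way IOS prints fingerprints, compares a displayed fingerprint against one learned out of band, and parses a constructed copy of the crypto pki server caserver info requests output to emit a grant command only for requests whose fingerprint the requesting router itself reported. The request database text, the extra impostor request (ReqID 3), the b"abc" stand-in for a DER certificate and the CLIENT_REPORTED table are all constructed for the example.

```python
"""Fingerprint checks for the two manual trust decisions in the IOS CA
workflow: accepting the CA certificate at `crypto pki authenticate` and
granting a pending request with `crypto pki server <name> grant <id>`.
Added example, not from the original post; all inputs are constructed."""
import hashlib
import hmac
import re

# Constructed stand-in for a CA certificate's DER bytes. A real check hashes
# the DER obtained through a separate channel (e.g. exported on the CA's console).
SAMPLE_DER = b"abc"

# Constructed copy of `crypto pki server caserver info requests`, with a
# second request (ReqID 3) added: same hostname, different key, i.e. an
# impostor that reached the open SCEP URL.
REQUEST_DB = """Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
2      pending    6396F2BAABE2EDA4B7815564E53B1BD6 hostname=changzhou.cjgs.com
3      pending    0123456789ABCDEF0123456789ABCDEF hostname=changzhou.cjgs.com
"""

# What each legitimate router reported from its own console at enrollment
# time ("CRYPTO_PKI: Certificate Request Fingerprint MD5: ..."), keyed by subject.
CLIENT_REPORTED = {
    "hostname=changzhou.cjgs.com": "6396F2BA ABE2EDA4 B7815564 E53B1BD6",
}


def ios_fingerprint(der: bytes, algo: str) -> str:
    """Hash DER bytes and render them as IOS does: uppercase hex in groups of
    eight characters (four groups for MD5, five for SHA1)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fp: str) -> str:
    """Drop grouping spaces, colons and case so that the IOS display form and
    a bare hex string compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(shown: str, expected: str) -> bool:
    """Constant-time comparison of a fingerprint the router displays against
    the one learned out of band; lengths must agree (MD5 vs SHA1)."""
    a, b = normalize(shown), normalize(expected)
    return len(a) == len(b) and hmac.compare_digest(a, b)


# One request row: ReqID, State, 32-hex MD5 fingerprint, SubjectName.
REQ_LINE = re.compile(r"^(\d+)\s+(\w+)\s+([0-9A-Fa-f]{32})\s+(\S+)", re.M)


def parse_request_db(text: str) -> dict:
    """Parse `info requests` output into {req_id: (state, md5_hex, subject)}."""
    return {int(m.group(1)): (m.group(2), m.group(3).lower(), m.group(4))
            for m in REQ_LINE.finditer(text)}


def grant_commands(db_text: str, ca_name: str, claims: dict) -> tuple:
    """Grant only pending requests whose fingerprint the legitimate router
    reported through a second channel. Returns (IOS commands to run,
    request ids that must not be granted)."""
    commands, rejected = [], []
    for req_id, (state, fp, subject) in sorted(parse_request_db(db_text).items()):
        if state != "pending":
            continue
        claimed = claims.get(subject)
        if claimed is not None and fingerprint_matches(fp, claimed):
            commands.append(f"crypto pki server {ca_name} grant {req_id}")
        else:
            rejected.append(req_id)
    return commands, rejected


if __name__ == "__main__":
    print("MD5 ", ios_fingerprint(SAMPLE_DER, "md5"))
    print("SHA1", ios_fingerprint(SAMPLE_DER, "sha1"))
    cmds, bad = grant_commands(REQUEST_DB, "caserver", CLIENT_REPORTED)
    print("\n".join(cmds))
    print("reject (fingerprint not confirmed by requester):", bad)
```

Run as a script it prints the one grant command for request 2 and lists request 3 as rejected. Note that sh crypto pki server only shows the CA cert's MD5 fingerprint while the authenticate prompt shows both MD5 and SHA1; where both sides can show SHA1 (e.g. show crypto ca certificate ... verbose on the CA), compare that one.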

 

 

 

View the certificate on the client router

changzhou#sh crypto ca certificates

CA Certificate

  Status: Available

  Certificate Serial Number: 01

  Certificate Usage: Signature

  Issuer:

    cn=caserver

  Subject:

    cn=caserver

  Validity Date:

    start date: 13:22:36 UTC Feb 2 2012

    end   date: 13:22:36 UTC Feb 1 2015

  Associated Trustpoints: 59.175.234.102

 

 

Certificate

  Subject:

    Name: changzhou.cjgs.com

   Status: Pending               the identity certificate is still pending; the CA-issued certificate has not been received yet

   Key Usage: General Purpose

   Certificate Request Fingerprint MD5: 6396F2BA ABE2EDA4 B7815564 E53B1BD6

   Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF 98205A9F 3A770A01

   Associated Trustpoint: 59.175.234.102

 

 

 

... wait a moment

Feb  2 13:44:14.602: %PKI-6-CERTRET: Certificate received from Certificate Authority   certificate received

 

 

 

View certificates

changzhou#sh crypto ca certificates

Certificate

  Status: Available                the certificate's status has changed

  Certificate Serial Number: 03

  Certificate Usage: General Purpose

  Issuer:

    cn=caserver

  Subject:

    Name: changzhou.cjgs.com

    hostname=changzhou.cjgs.com

  Validity Date:

    start date: 13:43:35 UTC Feb 2 2012

    end   date: 13:43:35 UTC Feb 1 2013

  Associated Trustpoints: 59.175.234.102

 

CA Certificate

  Status: Available

  Certificate Serial Number: 01

  Certificate Usage: Signature

  Issuer:

    cn=caserver

  Subject:

    cn=caserver

  Validity Date:

    start date: 13:22:36 UTC Feb 2 2012

    end   date: 13:22:36 UTC Feb 1 2015

  Associated Trustpoints: 59.175.234.102

 

 

View the CA server status on the server side

wuhan#sh crypto pki server

Certificate Server caserver:

    Status: enabled

    Server's configuration is locked  (enter "shut" to unlock it)

    Issuer name: CN=caserver

    CA cert fingerprint: AE37D488 FF186F5F 30DE841F 0A1BAFC9

    Granting mode is: manual

    Last certificate issued serial number: 0x3              serial number of the last certificate issued (the CA cert fingerprint and timers in this capture differ from the earlier sh crypto pki server output, so it was taken from a different run of the lab; the serial counter is the point here)

    CA certificate expiration timer: 11:31:32 UTC Feb 2 2015

    CRL NextUpdate timer: 11:31:32 UTC Feb 10 2012

    Current storage dir: nvram:

    Database Level: Minimum - no cert data written to storage

 

 

Configure the IPsec ***

Server side

wuhan(config)#access-list 100 permit ip 172.19.10.0 0.0.0.255 172.19.129.0 0.0.0.255

 

 

wuhan(config)#crypto isakmp policy 10

wuhan(config-isakmp)#authentication rsa-sig      authentication method changed to rsa-sig, so IKE phase 1 uses the trustpoint's certificate. The rest of the policy (3des, md5, group 2) is what this 2012 IOS offered; on a current IOS use aes 256, sha256 and group 14 or higher.

wuhan(config-isakmp)#encryption 3des

wuhan(config-isakmp)#hash md5

wuhan(config-isakmp)#group 2

wuhan(config-isakmp)#exit

 

wuhan(config)#crypto ipsec transform-set set1 esp-3des esp-md5-hmac

wuhan(cfg-crypto-trans)#exit

 

wuhan(config)#crypto map tochangzhou 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

        and a valid access list have been configured.

wuhan(config-crypto-map)#match add 100

wuhan(config-crypto-map)#set tran set1

wuhan(config-crypto-map)#set peer 59.19.111.34

wuhan(config-crypto-map)#exit

 

wuhan(config)#int f0/0

wuhan(config-if)#crypto map tochangzhou

wuhan(config-if)#end

wuhan#

Feb  2 13:49:41.339: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

 

 

Client side

changzhou(config)#access-list 100 permit ip 172.19.129.0 0.0.0.255 172.19.10.0 0.0.0.255

 

 

changzhou(config)#crypto isakmp policy 10

changzhou(config-isakmp)#authentication rsa-sig

changzhou(config-isakmp)#hash md5

changzhou(config-isakmp)#encryption 3des

changzhou(config-isakmp)#group 2

changzhou(config-isakmp)#exit

 

changzhou(config)#crypto ipsec transform-set set1 esp-3des esp-md5-hmac

changzhou(cfg-crypto-trans)#exit

 

changzhou(config)#crypto map towuhan 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

        and a valid access list have been configured.

changzhou(config-crypto-map)#match add 100

changzhou(config-crypto-map)#set tran set1

changzhou(config-crypto-map)#set peer 59.175.234.102

changzhou(config-crypto-map)#exit

changzhou(config)#int f0/1

changzhou(config-if)#crypto map towuhan

changzhou(config-if)#end

Feb  2 13:54:41.658: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is On
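The ISAKMP policy and transform set above are the weak part of this configuration, and the trustpoint's enrollment URL is plain HTTP. As an added example, not code from the original post, the following Python audits an IOS configuration text for exactly those settings and returns a hardened equivalent. The config text is constructed from the commands on the page as they would appear in show running-config (the abbreviated encr keyword is how IOS stores encryption); the hardened keywords (hash sha256, esp-sha256-hmac, esp-aes 256, group 14) are assumed to need an IOS release newer than the 12.4(3c) used in the lab.

```python
"""Audit an IOS IKEv1/IPsec configuration for the weak settings this lab
uses (3DES, MD5, DH group 2, plaintext SCEP enrollment). Added example,
not from the original post; the configuration text is constructed."""
import re

# Constructed from the page's commands, in running-config form.
CONSTRUCTED_CONFIG = """\
crypto pki trustpoint 59.175.234.102
 enrollment mode ra
 enrollment url http://59.175.234.102
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication rsa-sig
 group 2
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto map towuhan 10 ipsec-isakmp
 set peer 59.175.234.102
 set transform-set set1
 match address 100
"""

# Weak settings per configuration context, with the reason each is flagged.
ISAKMP_WEAK = {
    r"^encr(yption)?\s+(des|3des)$": "DES/3DES: 64-bit block cipher; use 'encryption aes 256'",
    r"^hash\s+(md5|sha)$": "MD5/SHA-1 PRF and integrity; use 'hash sha256' or stronger",
    r"^group\s+(1|2|5)$": "DH group 1/2/5 (<= 1536-bit MODP); use group 14 or an ECDH group",
    r"^authentication\s+pre-share$": "pre-shared key; this lab's point is 'authentication rsa-sig'",
}
TRANSFORM_WEAK = {
    r"\besp-(des|3des)\b": "DES/3DES ESP cipher; use 'esp-aes 256'",
    r"\besp-(md5|sha)-hmac\b": "MD5/SHA-1 ESP integrity; use 'esp-sha256-hmac'",
}
TRUSTPOINT_WEAK = {
    r"^enrollment url\s+http://": "SCEP over plaintext HTTP: verify the CA fingerprint out of band at 'crypto pki authenticate'",
}


def audit(config: str) -> list:
    """Return [(line_number, line, reason)] for every weak setting found.
    Context is tracked by indentation: an unindented line starts a new
    section, indented lines belong to the section above them."""
    findings = []
    context = None
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):
            context = None
            if line.startswith("crypto isakmp policy"):
                context = "isakmp"
            elif line.startswith("crypto pki trustpoint"):
                context = "trustpoint"
            elif line.startswith("crypto ipsec transform-set"):
                # transform sets are one line; check the whole line
                for pat, why in TRANSFORM_WEAK.items():
                    if re.search(pat, line):
                        findings.append((n, line, why))
            continue
        rules = {"isakmp": ISAKMP_WEAK, "trustpoint": TRUSTPOINT_WEAK}.get(context, {})
        for pat, why in rules.items():
            if re.search(pat, line):
                findings.append((n, line, why))
    return findings


def hardened_lines() -> list:
    """Same policy and transform set with current algorithms. Assumption:
    these keywords require an IOS newer than the lab's 12.4(3c)."""
    return [
        "crypto isakmp policy 10",
        " encryption aes 256",
        " hash sha256",
        " authentication rsa-sig",
        " group 14",
        "crypto ipsec transform-set set1 esp-aes 256 esp-sha256-hmac",
    ]


if __name__ == "__main__":
    for n, line, why in audit(CONSTRUCTED_CONFIG):
        print(f"line {n}: {line!r}: {why}")
    print("\n".join(hardened_lines()))
```

The audit flags six lines in the lab configuration (the enrollment URL, encr 3des, hash md5, group 2, and both algorithms of the transform set) and nothing in the hardened version; authentication rsa-sig is left alone because it is the setting this lab exists to show.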

 

 

 

 

Testing

changzhou#sh crypto isakmp sa

dst             src             state          conn-id slot status

59.19.111.34    59.175.234.102  QM_IDLE              1    0 ACTIVE

 

changzhou#sh crypto session

Crypto session current status

 

Interface: FastEthernet0/1

Session status: UP-ACTIVE    

Peer: 59.175.234.102 port 500

  IKE SA: local 59.19.111.34/500 remote 59.175.234.102/500 Active

  IPSEC FLOW: permit ip 172.19.129.0/255.255.255.0 172.19.10.0/255.255.255.0

        Active SAs: 2, origin: crypto map

 

 

 

R1#ping 172.19.129.100

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R1#ping 172.19.129.100

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 136/201/260 ms

 

 

 
