Certificate-based IPsec VPN with a router as the CA
--by Mast 2012
This lab uses a router as the CA server to build a site-to-site IPsec VPN that authenticates peers with digital certificates.
Lab environment:
I originally intended to run this lab on IOU, but after trying it I found that IOU's support for a router acting as CA is poor: either the CA server would not come up or certificates could not be retrieved, so in the end I used Xiaofan's emulator (小凡的模擬器). IOS image used: (C3745-ADVIPSERVICESK9-M), Version 12.4(
Lab notes:
Five routers are simulated in total. R1 and R5 simulate hosts in the two LANs; wuhan and changzhou are the edge routers of the two LANs, and wuhan additionally acts as the CA server.
Summary of the configuration steps:
1. On the router that will be the CA server, set the clock and make it the NTP server; if the network already has an NTP server, point the router at that instead. The goal is time synchronization: certificate validity is checked against the router clock, so a wrong clock makes freshly issued certificates appear not yet valid or already expired.
2. Configure the CA server: enable the HTTP server (SCEP enrollment runs over HTTP), configure the domain name, generate the key pair, enable the CA service.
3. Configure a trustpoint on the server-side router.
4. The server-side router authenticates against the CA server and obtains the CA root certificate.
5. The server-side router enrolls with the CA server to request its device identity certificate; after the request has been submitted, issue the certificate on the CA server.
6. Configure the NTP server on the client router for time synchronization.
7. Configure the domain name on the client router and generate the key pair.
8. Configure the trustpoint on the client router.
9. The client router authenticates against the CA server and obtains the CA root certificate.
10. The client router enrolls with the CA server to request its device identity certificate; after the request has been submitted, issue it on the CA server.
11. Do the normal IPsec VPN configuration; the one thing to watch is that the authentication method changes from the usual pre-shared key to digital certificates (rsa-sig).
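The complete PKI configuration for steps 1 to 10, as an added example: most of the page's own command lines were lost in extraction, so this is reconstructed from the outputs shown and is not the author's original configuration. Names come from the page (CA router wuhan at 59.175.234.102, domain cjgs.com, CA server and key label caserver, client router changzhou, trustpoint named after the CA address). The 2048-bit modulus, the explicit lifetimes and `revocation-check none` are assumptions and deviations from the lab, which accepted the 512-bit default. Step 11 (the IPsec part) is in its own section below.

```cisco
! ===== wuhan: CA server router (WAN address 59.175.234.102, taken from the page) =====
! Step 1. Time first: the CA certificate's validity window is stamped from this clock,
!         and every peer validates certificates against its own clock.
clock set 13:20:00 2 Feb 2012
ntp master 3
!
! Step 2. Prerequisites for the CA: HTTP for SCEP enrollment, a domain name, and an RSA
!         key pair whose label equals the CA server name. 2048 bits is an assumption
!         here; the lab took the 512-bit default, which is far too weak outside a lab.
ip http server
ip domain-name cjgs.com
crypto key generate rsa general-keys label caserver modulus 2048
!
! Settings must be final before 'no shutdown': IOS warns that some of them cannot be
! changed once the CA certificate has been generated. 'no shutdown' prompts for the
! passphrase that protects the CA private key. Values below are the defaults the
! page's output reflects (3-year CA certificate, 1-year device certificates, manual grant).
crypto pki server caserver
 issuer-name CN=caserver
 grant manual
 lifetime ca-certificate 1095
 lifetime certificate 365
 no shutdown
!
! Steps 3-5. The CA router also needs an identity certificate for IPsec. It cannot
!            enroll through the 'caserver' trustpoint, so a second trustpoint points
!            at its own SCEP URL. Without an 'rsakeypair' line this trustpoint uses the
!            default key pair, which is why the page shows a new key pair being generated.
crypto pki trustpoint 59.175.234.102
 enrollment url http://59.175.234.102:80
 revocation-check none
! 'revocation-check none' is a lab shortcut (assumption); in production keep the
! default 'revocation-check crl' so certificates revoked on the CA are rejected.
!
crypto pki authenticate 59.175.234.102
! Compare the fingerprint printed here with 'show crypto pki server' before answering yes.
crypto pki enroll 59.175.234.102
! Privileged exec on the CA: approve request 1 (the CA router's own request).
crypto pki server caserver grant 1
!
! ===== changzhou: client router (WAN address 59.19.111.34, taken from the page) =====
! Steps 6-8. Sync time to the CA, set the domain name (key pair and certificate subject
!            become changzhou.cjgs.com), generate the key, define the trustpoint.
ntp server 59.175.234.102
ip domain-name cjgs.com
crypto key generate rsa general-keys modulus 2048
crypto pki trustpoint 59.175.234.102
 enrollment url http://59.175.234.102:80
 revocation-check none
!
! Steps 9-10. Fetch and verify the CA certificate, then request the identity certificate.
crypto pki authenticate 59.175.234.102
crypto pki enroll 59.175.234.102
!
! Back on wuhan: approve request 2 (the client's), then confirm on both routers.
crypto pki server caserver grant 2
show crypto pki server caserver requests
show crypto pki certificates
```

The two `crypto pki authenticate` prompts are the only place where trust is established: the fingerprint shown must match the CA's own, checked out of band, or a man-in-the-middle on the HTTP path could substitute its own CA certificate. Once the device certificate shows Status: Available on both routers, the IPsec configuration in the later section only has to select rsa-sig authentication.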
Main configuration commands and notes:
Set the clock
*Feb 2 13:20:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:02:33 UTC Fri Mar 1 2002 to 13:20:00 UTC Thu Feb 2 2012, configured from console by console.
Enable HTTP and configure the domain name (SCEP enrollment runs over HTTP; the domain name forms the FQDN used in the key and certificate names)
Enter configuration commands, one per line. End with CNTL/Z.
Generate the key pair
wuhan(config)#crypto key generate rsa general-keys label caserver
(The label caserver is the name of the CA server that will be enabled; the CA server uses the key pair whose label matches its name. The lab accepts the 512-bit default below; 512-bit RSA is trivially factorable, so outside an isolated lab specify modulus 2048.)
The name for the keys will be: caserver
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
Feb 2 13:21:45.067: %SSH-5-ENABLED: SSH 1.99 has been enabled
Configure and enable the CA server
wuhan(config)#crypto pki server caserver    (the CA server name; it matches the label used when generating the key)
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: (enter a passphrase, e.g. 12345678)
Re-enter password:
% Certificate Server enabled.    The service has started successfully
Show the CA server (show crypto pki server)
Certificate Server caserver:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=caserver
CA cert fingerprint:
Granting mode is: manual
Last certificate issued serial number: 0x1
CA certificate expiration timer: 13:22:36 UTC Feb 1 2015
CRL NextUpdate timer: 13:22:36 UTC Feb 9 2012
Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage
View the server certificate (show crypto pki certificates)
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: caserver
Configure the trustpoint
Enter configuration commands, one per line. End with CNTL/Z.
Authenticate with the CA server and obtain the CA root certificate. Before answering yes, compare the fingerprint displayed here with the one shown by show crypto pki server on the CA: accepting an unverified fingerprint is what would let a rogue CA into the trust store.
Certificate has the following attributes:
Fingerprint MD5:
Fingerprint SHA1: 688268EB 7CBFD
% Do you accept this certificate? [yes/no]: y
View the certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102 caserver
Enroll with the CA server for the device identity certificate
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: (choose a challenge password, e.g. 87654321)
Feb 2 13:29:07.379: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair    (the caserver key pair is reserved for the CA, so the trustpoint 59.175.234.102 gets a new default key pair)
Re-enter password:
% The subject name in the certificate will include: wuhan.cjgs.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 59.175.234.102 verbose' command will show the fingerprint.
View the enrollment request on the CA server (show crypto pki server caserver requests)
Enrollment Request Database:
Subordinate CA certificate requests:
--------------------------------------------------------------
RA certificate requests:
--------------------------------------------------------------
Router certificates requests:
--------------------------------------------------------------
1 pending D
View the certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102 caserver
Certificate
Subject:
Name: wuhan.cjgs.com
Status: Pending    the status is pending
Key Usage: General Purpose
Certificate Request Fingerprint MD5: D
Certificate Request Fingerprint SHA1: E06AE
Associated Trustpoint: 59.175.234.102
Issue the certificate on the CA server
wuhan#crypto pki server caserver grant 1    (1 is the request ID; use the all keyword to grant every pending request)
... wait a moment (the enrolling router polls the CA for the granted certificate)
Feb 2 13:33:36.707: %PKI-6-CERTRET: Certificate received from Certificate Authority    certificate received, enrollment succeeded
View the certificates
Certificate    the device certificate that was obtained
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=caserver
Subject:
Name: wuhan.cjgs.com
hostname=wuhan.cjgs.com
Validity Date:
start date: 13:31:59 UTC Feb 2 2012
end date: 13:31:59 UTC Feb 1 2013
Associated Trustpoints: 59.175.234.102
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102 caserver
Make the router the NTP server used for time synchronization
Enter configuration commands, one per line. End with CNTL/Z.
Point the client router at the NTP server
Enter configuration commands, one per line. End with CNTL/Z.
13:35:55.663 UTC Thu Feb 2 2012
Configure the client router's domain name
Generate the key pair; no label parameter this time, so the key pair is named after the router's FQDN
The name for the keys will be: changzhou.cjgs.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
Feb 2 13:37:41.801: %SSH-5-ENABLED: SSH 1.99 has been enabled
Configure the trustpoint
Authenticate with the CA server and obtain the CA root certificate (the SHA1 fingerprint shown here should be identical to the one the CA router displayed earlier)
Certificate has the following attributes:
Fingerprint MD5:
Fingerprint SHA1: 688268EB 7CBFD
% Do you accept this certificate? [yes/no]: y
View the certificate obtained on the client router
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102
Request the device identity certificate from the CA server
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: (choose a password, e.g. 11111111)
Re-enter password:
% The subject name in the certificate will include: changzhou.cjgs.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate 59.175.234.102 verbose' command will show the fingerprint.
Feb 2 13:41:56.820: CRYPTO_PKI: Certificate Request Fingerprint MD5:
Feb 2 13:41:56.828: CRYPTO_PKI: Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF
View the certificate enrollment request on the CA server
Enrollment Request Database:
Subordinate CA certificate requests:
--------------------------------------------------------------
RA certificate requests:
--------------------------------------------------------------
Router certificates requests:
--------------------------------------------------------------
2 pending
Issue the certificate requested by the client; the request database then shows request 2 as granted
Enrollment Request Database:
Subordinate CA certificate requests:
--------------------------------------------------------------
RA certificate requests:
--------------------------------------------------------------
Router certificates requests:
--------------------------------------------------------------
2 granted
View the certificates on the client router
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102
Certificate
Subject:
Name: changzhou.cjgs.com
Status: Pending    the identity certificate is still pending; the CA's response has not yet been received
Key Usage: General Purpose
Certificate Request Fingerprint MD5:
Certificate Request Fingerprint SHA1: AAD52AAF 40AABB43 747ED4AF
Associated Trustpoint: 59.175.234.102
... wait a moment (the client polls the CA for the granted certificate)
Feb 2 13:44:14.602: %PKI-6-CERTRET: Certificate received from Certificate Authority    certificate received
View the certificates
Certificate
Status: Available    the status has changed
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=caserver
Subject:
Name: changzhou.cjgs.com
hostname=changzhou.cjgs.com
Validity Date:
start date: 13:43:35 UTC Feb 2 2012
end date: 13:43:35 UTC Feb 1 2013
Associated Trustpoints: 59.175.234.102
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=caserver
Subject:
cn=caserver
Validity Date:
start date: 13:22:36 UTC Feb 2 2012
end date: 13:22:36 UTC Feb 1 2015
Associated Trustpoints: 59.175.234.102
View the CA server on the server side
Certificate Server caserver:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=caserver
CA cert fingerprint: AE37D488 FF
Granting mode is: manual
Last certificate issued serial number: 0x3    serial number of the last certificate issued
CA certificate expiration timer: 11:31:32 UTC Feb 2 2015
CRL NextUpdate timer: 11:31:32 UTC Feb 10 2012
Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage
IPsec VPN configuration
Server side
wuhan(config-isakmp)#authentication rsa-sig    authentication method set to rsa-sig (this is in fact the IOS default for an ISAKMP policy; a pre-shared-key design adds "authentication pre-share", so the point is simply not to configure pre-share, and the peer's certificate chain to caserver then does the authentication)
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Feb 2 13:49:41.339: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Client side
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Feb 2 13:54:41.658: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is On
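The IPsec configuration for step 11 on the client router changzhou, as an added example reconstructed around the one command the page preserved (`authentication rsa-sig`); it is not the author's original configuration. Addresses are read from the verification output in the test section (local 59.19.111.34, peer 59.175.234.102, LANs 172.19.129.0/24 and 172.19.10.0/24, interface FastEthernet0/1). The transform set, ACL number and map names are assumptions, and the certificate map plus ISAKMP profile go beyond the lab: without them any certificate issued by caserver would be accepted as a peer, so the profile pins the peer to the subject name it enrolled with.

```cisco
! changzhou side. Mirror on wuhan with the peer address, ACL direction and
! the subject name (changzhou.cjgs.com) swapped.
!
! Phase 1. The only difference from a pre-shared-key design is 'authentication rsa-sig'
! (the IOS default): the router signs the IKE exchange with the identity certificate it
! enrolled for through trustpoint 59.175.234.102 and validates the peer's against caserver.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 2
!
! Restrict which peer certificates are accepted (assumed hardening, not in the lab).
! The certificate map matches on the subject name the peer enrolled with; the ISAKMP
! profile ties that map and the trustpoint to the crypto map entry. Without this, any
! certificate signed by caserver, including one issued to a different or compromised
! device, would authenticate as a valid peer.
crypto pki certificate map PEER-WUHAN 10
 subject-name co wuhan.cjgs.com
crypto isakmp profile SITE-WUHAN
 ca trust-point 59.175.234.102
 match certificate PEER-WUHAN
!
! Phase 2 and the interesting traffic (changzhou LAN to wuhan LAN, from the page).
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
access-list 101 permit ip 172.19.129.0 0.0.0.255 172.19.10.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 59.175.234.102
 set transform-set TS-AES
 set isakmp-profile SITE-WUHAN
 match address 101
!
interface FastEthernet0/1
 crypto map VPN
!
! Verification (privileged exec):
!   show crypto isakmp sa detail   - the Auth column should read rsig, not psk
!   show crypto session            - Session status: UP-ACTIVE, as in the page's output
!   show crypto pki certificates   - both certificates Available and inside their validity dates
```

If the SA never leaves MM_KEY_EXCH or MM_NO_STATE, check the clocks and certificate validity dates on both routers first, then `debug crypto pki validation` on the responder: a clock drift that puts "now" outside either device certificate's window, or a revocation check that cannot reach the CA's CRL over HTTP, both fail the certificate validation step rather than the IPsec step.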
Test
dst src state conn-id slot status
59.19.111.34 59.175.234.102 QM_IDLE 1 0 ACTIVE
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 59.175.234.102 port 500
IKE SA: local 59.19.111.34/500 remote 59.175.234.102/500 Active
IPSEC FLOW: permit ip 172.19.129.0/255.255.255.0 172.19.10.0/255.255.255.0
Active SAs: 2, origin: crypto map
R1#ping 172.19.129.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 172.19.129.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.129.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 136/201/260 ms