Using a CA for a site-to-site VPN connection

PDF version of this article: http://218.94.26.146/cisco/docs/ca_vpn.zip

or http://www.itany.com/cisco/docs/ca_vpn.zip

The network topology is as follows:

The three routers in the diagram are interconnected with a simple RIPv2 setup. Note that the 10.x networks behind the two 2620s are not advertised in RIP.

c2620-1(config)#router rip
c2620-1(config-router)#netw 173.16.0.0
c2620-1(config-router)#ver 2
c2620-1(config-router)#no au

c2500(config)#router rip
c2500(config-router)#netw 173.16.0.0
c2500(config-router)#netw 10.0.0.0
c2500(config-router)#ver 2
c2500(config-router)#no au

c2620-2(config)#router rip
c2620-2(config-router)#netw 173.16.0.0
c2620-2(config-router)#ver 2
c2620-2(config-router)#no au

On each of the two 2620 routers, configure a static route pointing at the other side's 10.x network. Assume that the traffic between these two networks must be protected and carried through a tunnel.
c2620-1(config)#ip route 10.2.2.0 255.255.255.0 s0/0
c2620-2(config)#ip route 10.1.1.0 255.255.255.0 s0/0

Check the IOS version on the two 2620 routers:
c2620-1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S-M), Version 12.2(29), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 11-May-05 17:27 by kellmill
Image text-base: 0x8000808C, data-base: 0x812D1734

c2620-2#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(12a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 13-Jan-05 18:06 by kellythw
Image text-base: 0x80008098, data-base: 0x819FA39C

2620-1 runs 12.2 and 2620-2 runs 12.3. In a real deployment you should run the same IOS version on both routers (12.3 or later, with a crypto feature set). Here 2620-1 has only 48 MB of RAM, so it cannot run a newer IOS.

Configuration of the 2620-1 router:
1. First set the clock, hostname and domain name; all three are required for CA enrollment.
c2620-1#clock set 9:51:00 1 aug 2005
c2620-1#conf t
c2620-1(config)#hostname c2620-1
c2620-1(config)#ip domain-name itany.com

2. Generate an RSA key pair.
c2620-1(config)#crypto key generate rsa
The name for the keys will be: c2620-1.itany.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

View the public key:
c2620-1#sh crypto key mypubkey rsa
% Key pair was generated at: 00:27:55 UTC Mar 1 1993
Key name: c2620-1.itany.com
 Usage: General Purpose Key
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C052D9
  F365333E 4192C916 10EE40ED F970F2C4 B55DCDD0 4C8CE845 055646C6 B166502C
  26A6172F 5E43B544 A0CD6FF0 75862CDD D0238A5F 909742F9 CD421F3E 6111AD6C
  DCD00BC2 4B73DB38 860CE255 8190090F 7DD2B267 3D48135C A2E48749 6FD5AB29
  BFDE287D B0756B7D CFCF9BA6 03EAF01D 3CC65B4C 71CF96F2 17D441DF DB020301 0001
% Key pair was generated at: 00:28:01 UTC Mar 1 1993
Key name: c2620-1.itany.com.server
 Usage: Encryption Key
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AAC8FA F73B8F60
  BE1DED99 D7794863 92D568EB 45F0965C 07B92E02 4AEE3DBD 02DC0341 523ED77E
  292B8BD7 F0E25ED4 C1E57AA5 15B1F3F4 603CAED9 11B61E09 1046EEBF 34498811
  10B53CBE 1203F509 8ED76721 BF8D7B89 E0F9042E FE6B069E F7020301 0001

3. Configure CA enrollment.
Define a hostname for the CA; this is equivalent to a static DNS entry.
c2620-1(config)#ip host cisco-vpc 10.10.5.91
Configure the enrollment parameters (in IOS 12.3 this command is crypto ca trustpoint).
c2620-1(config)#crypto ca identity ccsp-lab-vpc
c2620-1(ca-identity)#enrollment mode ra
c2620-1(ca-identity)#enrollment url http://cisco-vpc/certsrv/mscep/mscep.dll
c2620-1(ca-identity)#exit
Obtain the root (CA) certificate:
c2620-1(config)#crypto ca  authenticate ccsp-lab-vpc
Certificate has the following attributes:
Fingerprint: CA28A34E CDB30B87 D28F106D 18C37F88
% Do you accept this certificate? [yes/no]: yes
View the root certificate:
c2620-1#sh crypto ca certificates
RA Signature Certificate
  Status: Available
  Certificate Serial Number: 113B85F5000000000002
  Key Usage: Signature
  Issuer:
    CN = clab.com
  Subject:
    EA = [email protected]
     CN = itany
     OU = tech
     O = itany
     L = NJ
     ST = JS
     C = CN
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 09:09:46 UTC Jul 29 2005
    end   date: 09:19:46 UTC Jul 29 2006
  Associated Identity: ccsp-lab-vpc

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 113B8790000000000003
  Key Usage: Encryption
  Issuer:
    CN = clab.com
  Subject:
    EA = [email protected]
     CN = itany
     OU = tech
     O = itany
     L = NJ
     ST = JS
     C = CN
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 09:09:47 UTC Jul 29 2005
    end   date: 09:19:47 UTC Jul 29 2006
  Associated Identity: ccsp-lab-vpc

CA Certificate
  Status: Available
  Certificate Serial Number: 66BEBEDFD7DF188C4B7FC031CDA61940
  Key Usage: Signature
  Issuer:
    CN = clab.com
  Subject:
    CN = clab.com
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 15:30:35 UTC Jul 2 2005
    end   date: 15:38:16 UTC Jul 2 2007
  Associated Identity: ccsp-lab-vpc

Submit the enrollment request to the CA:
c2620-1(config)#crypto ca enroll ccsp-lab-vpc
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:
(This password matters. Its full name is the "enrollment challenge password", and it is issued by the CA. To obtain it, take a PC that can reach the CA and enter "http://cisco-vpc/certsrv/mscep/mscep.dll" in its browser; the CA then returns a dialog (see the figure below) asking for a username and password, and the user simply enters a valid Windows account on the CA.)

Once the user has entered the correct username and password, the CA hands out a password. This is a one-time password (OTP) valid for 60 minutes. Copy and paste it at the password prompt shown above to complete the enrollment.

% The subject name in the certificate will be: c2620-1.itany.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.


Check the certificate status:
c2620-1#sh crypto ca certificates
RA Signature Certificate
  Status: Available
  Certificate Serial Number: 113B85F5000000000002
  Key Usage: Signature
  Issuer:
    CN = clab.com
  Subject:
    EA = [email protected]
     CN = itany
     OU = tech
     O = itany
     L = NJ
     ST = JS
     C = CN
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 09:09:46 UTC Jul 29 2005
    end   date: 09:19:46 UTC Jul 29 2006
  Associated Identity: ccsp-lab-vpc

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 113B8790000000000003
  Key Usage: Encryption
  Issuer:
    CN = clab.com
  Subject:
    EA = [email protected]
     CN = itany
     OU = tech
     O = itany
     L = NJ
     ST = JS
     C = CN
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 09:09:47 UTC Jul 29 2005
    end   date: 09:19:47 UTC Jul 29 2006
  Associated Identity: ccsp-lab-vpc

CA Certificate
  Status: Available
  Certificate Serial Number: 66BEBEDFD7DF188C4B7FC031CDA61940
  Key Usage: Signature
  Issuer:
    CN = clab.com
  Subject:
    CN = clab.com
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 15:30:35 UTC Jul 2 2005
    end   date: 15:38:16 UTC Jul 2 2007
  Associated Identity: ccsp-lab-vpc


Certificate
  Subject Name Contains:
    Name: c2620-1.itany.com
   Status: Pending
   Key Usage: General Purpose
    Fingerprint:  6C9511EF 1F589E8A 1BF11473 8145A28E
   Associated Identity: ccsp-lab-vpc
The "Certificate" section of the output above shows the certificate status as "Pending".

Now log on to the CA server with Remote Desktop and open Start > Administrative Tools > Certification Authority to manage certificates.
In the figure above we can see one certificate in the pending state; right-click it, choose All Tasks, then Issue.

After the certificate has been issued, check its status on the router again.
The "Certificate" section now shows "Available":
c2620-1#sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 1F18A48B000000000004
  Key Usage: General Purpose
  Issuer:
    CN = clab.com
  Subject Name Contains:
    Name: c2620-1.itany.com
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 01:53:34 UTC Aug 1 2005
    end   date: 02:03:34 UTC Aug 1 2006
  Associated Identity: ccsp-lab-vpc

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 113B85F5000000000002
  Key Usage: Signature
  Issuer:
    CN = clab.com
  Subject:
    EA = [email protected]
     CN = itany
     OU = tech
     O = itany
     L = NJ
     ST = JS
     C = CN
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 09:09:46 UTC Jul 29 2005
    end   date: 09:19:46 UTC Jul 29 2006
  Associated Identity: ccsp-lab-vpc

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 113B8790000000000003
  Key Usage: Encryption
  Issuer:
    CN = clab.com
  Subject:
    EA = [email protected]
     CN = itany
     OU = tech
     O = itany
     L = NJ
     ST = JS
     C = CN
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 09:09:47 UTC Jul 29 2005
    end   date: 09:19:47 UTC Jul 29 2006
  Associated Identity: ccsp-lab-vpc

CA Certificate
  Status: Available
  Certificate Serial Number: 66BEBEDFD7DF188C4B7FC031CDA61940
  Key Usage: Signature
  Issuer:
    CN = clab.com
  Subject:
    CN = clab.com
  CRL Distribution Point:
    http://cisco-vpc/CertEnroll/clab.com.crl
  Validity Date:
    start date: 15:30:35 UTC Jul 2 2005
    end   date: 15:38:16 UTC Jul 2 2007
  Associated Identity: ccsp-lab-vpc
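
Step 1 set the router clock because every certificate carries a validity window, and the enrollment above only finishes once the status changes from Pending to Available. As an added example (not from the original article), the following Python code parses a trimmed, constructed copy of the "sh crypto ca certificates" output and classifies each certificate against a router clock given in the same format as the validity dates; the Mar 1 1993 timestamps on the key pair above are what an IOS router reports before its clock has been set.

```python
import re
from datetime import datetime
# Constructed sample, trimmed from the "sh crypto ca certificates" output shown on this page.
SHOW_CA_CERTS = """\
Certificate
  Subject Name Contains:
    Name: c2620-1.itany.com
   Status: Pending
   Associated Identity: ccsp-lab-vpc

CA Certificate
  Status: Available
  Certificate Serial Number: 66BEBEDFD7DF188C4B7FC031CDA61940
  Key Usage: Signature
  Validity Date:
    start date: 15:30:35 UTC Jul 2 2005
    end   date: 15:38:16 UTC Jul 2 2007
  Associated Identity: ccsp-lab-vpc
"""

FIELDS = {"Status": "status", "Certificate Serial Number": "serial", "Name": "name",
          "start date": "start", "end date": "end"}   # "end   date" is normalised first
IOS_DATE = "%H:%M:%S UTC %b %d %Y"                   # validity-date format, also used for the clock

def parse_certs(text):
    """Return one dict per certificate block; a block begins with a line in column 0."""
    certs = []
    for block in re.split(r"\n(?=\S)", text.strip()):
        lines = block.splitlines()
        cert = {"type": lines[0].strip()}
        for m in filter(None, (re.match(r"\s*(.+?):\s*(\S.*)$", l) for l in lines[1:])):
            key = FIELDS.get(" ".join(m.group(1).split()))
            if key:
                val = m.group(2).strip()
                cert[key] = datetime.strptime(val, IOS_DATE) if key in ("start", "end") else val
        certs.append(cert)
    return certs

def cert_state(cert, clock):
    """Classify a certificate the way an operator checks it before bringing up the tunnel."""
    if cert.get("status") != "Available":
        return "pending"            # the CA administrator has not issued it yet
    if not (cert["start"] <= clock <= cert["end"]):
        return "outside-validity"   # usually an unset router clock (IOS defaults to Mar 1 1993)
    return "ok"

def audit(text, router_clock):
    # Map each certificate (by subject name, else by type) to its state at the router clock.
    clock = datetime.strptime(router_clock, IOS_DATE)
    return {c.get("name", c["type"]): cert_state(c, clock) for c in parse_certs(text)}
```

Run audit(SHOW_CA_CERTS, "09:51:00 UTC Aug 1 2005") for the clock set in step 1; passing "00:27:55 UTC Mar 1 1993" instead shows how an unset clock turns an otherwise good CA certificate into outside-validity.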


4. Configure the ISAKMP parameters.
c2620-1(config)#crypto isakmp enable
c2620-1(config)#crypto isakmp policy 10
c2620-1(config-isakmp)#authentication rsa-sig
c2620-1(config-isakmp)#encryption 3des
c2620-1(config-isakmp)#group 2
c2620-1(config-isakmp)#hash sha
c2620-1(config)#crypto isakmp identity address

5. Configure the IPsec parameters.
c2620-1(config)#crypto ipsec transform-set cisco esp-3des esp-sha-hmac
c2620-1(cfg-crypto-trans)#mode tunnel
c2620-1(cfg-crypto-trans)#exit

6. Define the interesting traffic.
c2620-1(config)#access-l 101 per ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

7. Create the crypto map and apply it to the interface.
c2620-1(config)#crypto map secure 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
c2620-1(config-crypto-map)#match address 101
c2620-1(config-crypto-map)#set transform-set cisco
c2620-1(config-crypto-map)#set pfs group2
c2620-1(config-crypto-map)#set peer 173.16.2.1
c2620-1(config-crypto-map)#exit
c2620-1(config)#int s0/0
c2620-1(config-if)#crypto map secure


Configuration of the 2620-2 router:
c2620-2#clock set 10:15:00 1 aug 2005
c2620-2(config)#hostname c2620-2
c2620-2(config)#ip domain-name itany.com
c2620-2(config)#crypto key generate rsa
The name for the keys will be: c2620-2.itany.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]

c2620-2(config)#ip host cisco-vpc 10.10.5.91
c2620-2(config)#crypto ca trustpoint ccsp-lab-vpc
c2620-2(ca-trustpoint)#enrollment mode ra
c2620-2(ca-trustpoint)#enrollment url http://cisco-vpc/certsrv/mscep/mscep.dll
c2620-2(ca-trustpoint)#exit

c2620-2(config)#crypto ca authenticate ccsp-lab-vpc
Certificate has the following attributes:
           Fingerprint: CA28A34E CDB30B87 D28F106D 18C37F88

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

c2620-2(config)#crypto ca enroll ccsp-lab-vpc
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=c2620-2 OU=ccsplab
% The fully-qualified domain name in the certificate will be: c2620-2.itany.com
% The subject name in the certificate will include: c2620-2.itany.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

c2620-2(config)#crypto isakmp enable
c2620-2(config)#crypto isakmp policy 10
c2620-2(config-isakmp)#authentication rsa-sig
c2620-2(config-isakmp)#encryption 3des
c2620-2(config-isakmp)#group 2
c2620-2(config-isakmp)#hash sha
c2620-2(config-isakmp)#exit
c2620-2(config)#crypto isakmp identity address

c2620-2(config)#crypto ipsec transform-set cisco esp-3des esp-sha-hmac
c2620-2(cfg-crypto-trans)#mode tunnel
c2620-2(cfg-crypto-trans)#exit

c2620-2(config)#access-l 101 per ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

c2620-2(config)#crypto map secure 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
c2620-2(config-crypto-map)#match address 101
c2620-2(config-crypto-map)#set pfs group2
c2620-2(config-crypto-map)#set transform-set cisco
c2620-2(config-crypto-map)#set peer 173.16.1.1
c2620-2(config-crypto-map)#exit
c2620-2(config)#int s0/0
c2620-2(config-if)#crypto map secure
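
The two crypto maps above must be mirror images of each other: the same transform-set proposals and PFS group, and a crypto ACL on each side whose source and destination are swapped relative to the other side. As an added example (not part of the original article), this Python snippet parses the phase-2 commands from both routers, written out in full rather than abbreviated as on the page, and reports the mismatches that would keep the IPsec SA from coming up.

```python
# Constructed from the phase-2 commands this page enters on each router, written out in
# full (the page types abbreviations such as "access-l 101 per ip"); ISAKMP policy is omitted
# because it is identical on both sides.
C2620_1 = """\
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map secure 10 ipsec-isakmp
 match address 101
 set transform-set cisco
 set pfs group2
 set peer 173.16.2.1
"""
C2620_2 = """\
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map secure 10 ipsec-isakmp
 match address 101
 set pfs group2
 set transform-set cisco
 set peer 173.16.1.1
"""

def parse(cfg):
    """Pull transform-sets, crypto ACL entries and crypto-map settings out of a config."""
    p = {"transform": {}, "acl": {}, "map": {}}
    for line in cfg.splitlines():
        w = line.split()
        if line.startswith("crypto ipsec transform-set"):
            p["transform"][w[3]] = sorted(w[4:])                 # name -> proposals
        elif line.startswith("access-list") and w[2] == "permit":
            p["acl"].setdefault(w[1], set()).add(tuple(w[4:8]))  # (src, wc, dst, wc)
        elif line.startswith(" "):                               # inside the crypto map
            p["map"][w[1]] = w[2]    # address -> 101, transform-set -> cisco, pfs, peer
    return p

def mirror_problems(a, b):
    """Mismatches between two peers that would stop the IPsec SA from negotiating."""
    problems = []
    if a["transform"][a["map"]["transform-set"]] != b["transform"][b["map"]["transform-set"]]:
        problems.append("transform-set proposals differ")
    if a["map"].get("pfs") != b["map"].get("pfs"):
        problems.append("PFS group differs")
    acl_a, acl_b = a["acl"][a["map"]["address"]], b["acl"][b["map"]["address"]]
    if acl_a != {(d, dw, s, sw) for (s, sw, d, dw) in acl_b}:    # swap src/dst on side b
        problems.append("crypto ACLs are not mirror images")
    return problems

if __name__ == "__main__":
    print(mirror_problems(parse(C2620_1), parse(C2620_2)))
    broken = C2620_2.replace("10.1.1.0 0.0.0.255", "10.1.0.0 0.0.255.255")
    print(mirror_problems(parse(C2620_1), parse(broken)))
```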
