Site-to-Site FlexVPN Lab (Part 2): Static Tunnel + Certificate Authentication (PKI)


Lab overview:

This lab again configures FlexVPN between two sites. Unlike lab (1), this time authentication uses PKI certificates rather than a PSK (as the IKEv2 profiles below show, the hub authenticates itself with its certificate while the spoke still authenticates itself with a PSK).


The lab topology is shown below. Only HUB1 and SPOKE1 are used in this lab; the other devices are set up for other labs. HUB1 acts as the certificate server (CA), and SPOKE1 requests and obtains its certificate from HUB1.

[Figure: FlexVPN_site (lab topology)]


Interface addressing:

CSR-HUB1

g3: 200.1.13.1/24

Tunnel 0: 10.1.13.1/24

MGMT: 192.168.1.91/24


CSR-SPOKE1

g3: 200.1.13.3/24

Tunnel0: 10.1.13.3/24

MGMT: 192.168.1.94/24


NTP points at an external NTP server. NTP is critical in this lab: if the device clocks are not synchronized, certificates cannot be obtained from the CA.


CSR-HUB1 configuration


  1. Configure the CA

ip http server #enable the HTTP server; certificate enrollment uses port 80

crypto pki server CA

no database archive

grant auto #issue certificates automatically

eku server-auth client-auth #extended key usage of the issued certificates; this lab only needs server-auth. AnyConnect VPN may require client-auth.

no shut #once the CA is configured, no shut starts the server. After no shut you must set a passphrase (it protects the CA private key), as shown below:


CSR-HUB1(cs-server)#no shut

%Some server settings cannot be changed after CA certificate generation.

% Please enter a passphrase to protect the private key

% or type Return to exit

Password:

% Password must be more than 7 characters. Try again

% or type Return to exit

Password:

 

Re-enter password:

% Generating 1024 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 0 seconds)

 

% Certificate Server enabled.

 

 

  2. Configure the trustpoint

CSR-HUB1(config)#crypto pki trustpoint S2S-CA

CSR-HUB1(ca-trustpoint)#enrollment url http://192.168.1.91:80

CSR-HUB1(ca-trustpoint)#subject-name cn=HUB1,ou=mm.com

CSR-HUB1(ca-trustpoint)#exit


  3. Authenticate the CA

CSR-HUB1(config)#crypto pki authenticate S2S-CA

Certificate has the following attributes:

Fingerprint MD5: EAEAB410 9923A004 BD20B9D5 C7DA9B5B

Fingerprint SHA1: BB35A6B8 E9448A78 882EC846 11C1CF4F 714101E3


% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.
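
The fingerprints printed by `crypto pki authenticate` are the only check the router has before it trusts a CA certificate fetched over plain HTTP, so the value should be compared against one obtained out of band (for example from `show crypto pki certificate verbose` run on the CA router itself, which the enrollment output below refers to), and the SHA1 value is the one to compare, since MD5 is printed for compatibility only. The same step is repeated on CSR-SPOKE1. The following Python script is an added example, not part of the original post or of Cisco's software: it reproduces the router's fingerprint formatting (uppercase hex in 8-character groups) for DER-encoded certificate bytes and performs a constant-time comparison against the out-of-band value, tolerating the colon-separated lowercase form many tools print. The certificate bytes are a constructed stand-in, not a real certificate, and the function names are my own.

```python
import hashlib
import hmac

# Constructed stand-in for DER-encoded certificate bytes (NOT a real certificate).
SAMPLE_DER = b"abc"


def cisco_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Return the digest in the format IOS prints: uppercase hex in 8-char groups."""
    if algo not in ("md5", "sha1"):
        raise ValueError("IOS prints MD5 and SHA1 fingerprints only")
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fp: str) -> str:
    """Drop spaces, colons and case so values copied from different tools compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """Constant-time comparison of the computed fingerprint with the out-of-band value."""
    computed = normalize(cisco_fingerprint(der, algo))
    return hmac.compare_digest(computed, normalize(expected))


def decide(der: bytes, expected_sha1: str) -> str:
    """Answer for the '% Do you accept this certificate?' prompt, from the SHA1 value only."""
    return "yes" if fingerprint_matches(der, expected_sha1, "sha1") else "no"


if __name__ == "__main__":
    print("Fingerprint MD5:", cisco_fingerprint(SAMPLE_DER, "md5"))
    print("Fingerprint SHA1:", cisco_fingerprint(SAMPLE_DER, "sha1"))
    # Out-of-band value as an operator might have copied it: lowercase, colon-separated.
    oob = "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"
    print("Accept?", decide(SAMPLE_DER, oob))
```

Feed `cisco_fingerprint` the DER bytes of the real CA certificate (for example exported from the CA) and the printed groups will line up with the router's `Fingerprint SHA1:` line character for character.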

 

  4. Enroll for a certificate

CSR-HUB1(config)#crypto pki enroll S2S-CA

%

% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this

password to the CA Administrator in order to revoke your certificate.

For security reasons your password will not be saved in the configuration.

Please make a note of it.


Password:

Re-enter password:


% The subject name in the certificate will include: cn=HUB1,ou=mm.com

% The subject name in the certificate will include: CSR-HUB1.mm.com

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]: no

Request certificate from CA? [yes/no]: yes

% Certificate request sent to Certificate Authority

% The 'show crypto pki certificate verbose S2S-CA' command will show the fingerprint.


  5. Configure the pre-shared key (PSK)

crypto ikev2 keyring mykeys

peer SPOKE #define the keyring entry; restricting it to the peer IP tightens security

address 200.1.13.3

pre-shared-key Cisco123


  6. Configure the IKEv2 profile

crypto ikev2 profile FLEXVPN-Static

match identity remote address 200.1.13.3 255.255.255.255 #setting this to any would accept any remote device; restricting it to the peer IP tightens security

authentication remote pre-share #authenticate the remote peer with the PSK

authentication local rsa-sig #authenticate locally with the certificate (PKI); the local method can differ from the remote method

keyring local mykeys #reference the keyring

pki trustpoint S2S-CA #reference the trustpoint's certificate for local authentication

dpd 60 2 on-demand #dead peer detection parameters


  7. IPsec profile: reference the IKEv2 profile

crypto ipsec profile default

set ikev2-profile FLEXVPN-Static


  8. Tunnel interface: apply the IPsec profile for encryption

CSR-HUB1#show run interface tu 0

Building configuration...


Current configuration : 165 bytes

!

interface Tunnel0

ip address 10.1.13.1 255.255.255.0

tunnel source GigabitEthernet3

tunnel destination 200.1.13.3

tunnel protection ipsec profile default

end


CSR-SPOKE1 configuration

  1. Configure the trustpoint

crypto pki trustpoint S2S-CA

enrollment url http://192.168.1.91:80 #request certificates from HUB1

revocation-check none


  2. Authenticate the CA

crypto pki authenticate S2S-CA #the device clock must be synchronized, otherwise the CA cannot be authenticated


  3. Enroll for a certificate

crypto pki enroll S2S-CA


  4. Configure the pre-shared key (PSK)

Same as the corresponding CSR-HUB1 configuration


  5. Configure the IKEv2 profile

crypto ikev2 profile FLEXVPN-Static

match identity remote address 200.1.13.1 255.255.255.255

authentication remote rsa-sig

authentication local pre-share

keyring local mykeys

pki trustpoint S2S-CA

dpd 60 2 on-demand

 

 

  6. IPsec profile: reference the IKEv2 profile

Same as the corresponding CSR-HUB1 configuration


  7. Tunnel interface: apply the IPsec profile for encryption

Same as the corresponding CSR-HUB1 configuration


Verification


CSR-SPOKE1#show crypto ikev2 sa detailed

IPv4 Crypto IKEv2 SA

 

Tunnel-id Local                 Remote               fvrf/ivrf           Status

1         200.1.13.3/500       200.1.13.1/500       none/none           READY

Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA

Life/Active Time: 86400/2710 sec

CE id: 1614, Session-id: 2

Status Description: Negotiation done

Local spi: 13B9D098A68EDB27       Remote spi: 30286D68C2F74D76

Local id: 200.1.13.3

Remote id: 200.1.13.1

Local req msg id: 3             Remote req msg id: 0

Local next msg id: 3             Remote next msg id: 0

Local req queued: 3             Remote req queued: 0

Local window:     5             Remote window:     5

DPD configured for 60 seconds, retry 2

Fragmentation not configured.

Extended Authentication not configured.

NAT-T is not detected

Cisco Trust Security SGT is disabled

Initiator of SA : Yes

 

IPv6 Crypto IKEv2 SA
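
The `show crypto ikev2 sa detailed` output above confirms what the two IKEv2 profiles configured: the spoke signed with the PSK (`Auth sign: PSK`) and verified the hub's certificate (`Auth verify: RSA`). The following Python script is an added example, not part of the original post or of Cisco's software; it parses that output (the sample is copied from the lab output above) and checks each SA against an expected policy: status READY, the expected peer, the expected method by which the remote peer was authenticated, and a minimum DH group. Run against the lab output it raises exactly one finding, because the default proposal negotiated DH group 5 (1536-bit MODP), which is below the group 14 floor the check assumes. The function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the 'show crypto ikev2 sa detailed' output above.
SHOW_IKEV2_SA = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote               fvrf/ivrf           Status
1         200.1.13.3/500       200.1.13.1/500       none/none           READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
      Life/Active Time: 86400/2710 sec
      Status Description: Negotiation done
      Local id: 200.1.13.3
      Remote id: 200.1.13.1
      DPD configured for 60 seconds, retry 2
      NAT-T is not detected

IPv6 Crypto IKEv2 SA
"""


@dataclass
class Ikev2Sa:
    tunnel_id: int
    local: str
    remote: str
    status: str
    encr: str = ""
    keysize: int = 0
    prf: str = ""
    dh_group: int = 0
    auth_sign: str = ""      # how this router authenticated itself
    auth_verify: str = ""    # how the remote peer was authenticated


# Table row: tunnel id, local addr/port, remote addr/port, fvrf/ivrf, status.
SA_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s*$")
# Attribute row that follows each table row.
ATTR_LINE = re.compile(r"Encr: (\S+), keysize: (\d+), PRF: (\S+), Hash: \S+, DH Grp:(\d+), "
                       r"Auth sign: (\S+), Auth verify: (\S+)")


def parse_ikev2_sas(text: str) -> List[Ikev2Sa]:
    """Extract every IKEv2 SA and its negotiated parameters from the show output."""
    sas: List[Ikev2Sa] = []
    for line in text.splitlines():
        row = SA_LINE.match(line.strip())
        if row:
            sas.append(Ikev2Sa(int(row.group(1)), row.group(2), row.group(3), row.group(4)))
            continue
        attr = ATTR_LINE.search(line)
        if attr and sas:
            sa = sas[-1]
            sa.encr, sa.keysize, sa.prf = attr.group(1), int(attr.group(2)), attr.group(3)
            sa.dh_group = int(attr.group(4))
            sa.auth_sign, sa.auth_verify = attr.group(5), attr.group(6)
    return sas


def check_sa(sa: Ikev2Sa, expected_peer: str, expected_remote_auth: str = "RSA",
             min_dh_group: int = 14) -> List[str]:
    """Return findings against the expected policy; an empty list means the SA passes."""
    findings: List[str] = []
    if sa.status != "READY":
        findings.append(f"SA {sa.tunnel_id}: status {sa.status}, expected READY")
    if not sa.remote.startswith(expected_peer + "/"):
        findings.append(f"SA {sa.tunnel_id}: unexpected peer {sa.remote}")
    if sa.auth_verify != expected_remote_auth:
        findings.append(f"SA {sa.tunnel_id}: peer authenticated with {sa.auth_verify}, "
                        f"expected {expected_remote_auth}")
    if sa.dh_group < min_dh_group:
        findings.append(f"SA {sa.tunnel_id}: DH group {sa.dh_group} is below group {min_dh_group}")
    return findings


if __name__ == "__main__":
    for sa in parse_ikev2_sas(SHOW_IKEV2_SA):
        print(sa)
        for finding in check_sa(sa, expected_peer="200.1.13.1") or ["no findings"]:
            print("  ", finding)
```

On the hub the same check is run with `expected_peer="200.1.13.3"` and `expected_remote_auth="PSK"`, since the hub's profile authenticates the spoke with the pre-shared key; the parser handles multiple SAs, so on a hub with several spokes each row is checked in turn.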

 

CSR-SPOKE1#show crypto ipsec sa

 

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 200.1.13.3

 

protected vrf: (none)

local ident (addr/mask/prot/port): (200.1.13.3/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (200.1.13.1/255.255.255.255/47/0)

current_peer 200.1.13.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 650, #pkts encrypt: 650, #pkts digest: 650

#pkts decaps: 650, #pkts decrypt: 650, #pkts verify: 650

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

 

local crypto endpt.: 200.1.13.3, remote crypto endpt.: 200.1.13.1

plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3

current outbound spi: 0x49CE8E7B(1238273659)

PFS (Y/N): N, DH group: none

 

inbound esp sas:

spi: 0x21CABA55(566934101)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4607906/817)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

 

inbound ah sas:

 

inbound pcp sas:

 

outbound esp sas:

spi: 0x49CE8E7B(1238273659)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4607933/817)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

 

outbound ah sas:

 

outbound pcp sas:

 

 

 

CSR-SPOKE1# show crypto session

Crypto session current status

 

Interface: Tunnel0

Profile: FLEXVPN-Static

Session status: UP-ACTIVE

Peer: 200.1.13.1 port 500

Session ID: 3

IKEv2 SA: local 200.1.13.3/500 remote 200.1.13.1/500 Active

IPSEC FLOW: permit 47 host 200.1.13.3 host 200.1.13.1

Active SAs: 2, origin: crypto map

 

CSR-SPOKE1#show ip int br

Tunnel0               10.1.13.3       YES manual up                    up

 

CSR-SPOKE1#ping 10.1.13.1 source 10.1.13.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:

Packet sent with a source address of 10.1.13.3

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/16 ms
