The topology:
Cisco7206/NPE-G2 (adventerprise 12.4(24)T2)
Cisco1841 (adventerprise 12.4(24)T3)
Cisco2811 (adventerprise 12.4(11)T3)
Starting with IOS 12.3(7)T the "crypto ca" commands were renamed "crypto pki", so on a router with older firmware substitute accordingly.

Server setup

Set the time (clock set or via NTP), the hostname and the domain name, and enable the HTTP server. The clock matters: certificate validity dates are taken from it, and a client whose clock disagrees will reject the certificates. The HTTP server is what serves SCEP enrollment; it also exposes the router's web management interface, so once enrollment works restrict it (ip http access-class) to the routers that need it.

Router#clock set 14:08:00 oct 14 2010
Router#conf t
Router(config)#hostname cisco7200
cisco7200(config)#ip domain name pittest.ru
cisco7200(config)#ip http server

Generate the keys:

cisco7200(config)#crypto key generate rsa modulus 1024 label CA
The name for the keys will be: CA
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

A 1024-bit modulus was common in 2010 but is too short today; use at least 2048 where the platform allows it. The key label must match the name of the certificate server below, which is how the server finds its key pair.

Start the CA server:

cisco7200(config)#crypto pki server CA
cisco7200(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
Re-enter password:
% Certificate Server enabled.
cisco7200(cs-server)#
Oct 14 14:22:01.495: %PKI-6-CS_ENABLED: Certificate server now enabled.

The passphrase protects the archived copy of the CA key pair and certificate (by default a PKCS#12 file written to the server's storage). That archive is the only way to restore the CA on a replacement router, so keep the passphrase somewhere safe. Save:

cisco7200(config)#do wr
Building configuration...
[OK]

The server is ready. Check it:

cisco7200#sh crypto pki server
Certificate Server CA:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=CA
    CA cert fingerprint: D97789F0 86BD46AE 13F7D3AB 7B87B4BF
    Granting mode is: manual
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 14:21:59 UTC Oct 13 2013
    CRL NextUpdate timer: 20:21:59 UTC Oct 14 2010
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

cisco7200#sh crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=CA
  Subject:
    cn=CA
  Validity Date:
    start date: 14:21:59 UTC Oct 14 2010
    end   date: 14:21:59 UTC Oct 13 2013
  Associated Trustpoints: CA
  Storage: nvram:CA#1CA.cer

Write down the CA certificate fingerprint (D97789F0 86BD46AE 13F7D3AB 7B87B4BF): every client that authenticates this CA is shown the same value and must compare it with this one out of band before accepting. "Granting mode is: manual" means no certificate is issued without an explicit grant on the server.

Client setup
Set the time (clock set or via NTP), the hostname and the domain name:

Router#clock set 14:35:00 oct 14 2010
Router#conf t
Router(config)#hostname cisco1841
cisco1841(config)#ip domain-name pittest.ru

Generate a key pair:

cisco1841(config)#crypto key generate rsa modulus 1024
The name for the keys will be: cisco1841.pittest.ru
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Define a host entry for the CA server and check that it is reachable:

cisco1841(config)#ip host cisco7200 192.168.100.3
cisco1841(config)#do ping cisco7200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.3, timeout is 2 seconds:
!!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Define the CA trustpoint:

cisco1841(config)#crypto pki trustpoint cisco7200
cisco1841(ca-trustpoint)#enrollment mode ra
cisco1841(ca-trustpoint)#enrollment url http://cisco7200:80

Authenticate the CA server. Enrollment runs over plain HTTP (SCEP), so nothing on the wire proves that the certificate came from our CA; the fingerprint shown here has to be compared with the one "sh crypto pki server" printed on cisco7200 (D97789F0 86BD46AE 13F7D3AB 7B87B4BF, which matches) before answering yes:

cisco1841(config)#crypto pki authenticate cisco7200
Certificate has the following attributes:
       Fingerprint MD5: D97789F0 86BD46AE 13F7D3AB 7B87B4BF
      Fingerprint SHA1: 05E10C1F 664FA4BB 3D0E8BB0 10D4B7FF 8E634966
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.

Request a certificate:

cisco1841(config)#crypto pki enroll cisco7200
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: cisco1841.pittest.ru
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose cisco7200' command will show the fingerprint.

cisco1841(config)#
Oct 14 14:50:12.135: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 4A8A9E5E EA609C4B CA6A1554 96BC4D38
Oct 14 14:50:12.135: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: C5E724D3 38B47ECB E8782244 0CBDB512 F786C81C

Note the request fingerprint as well: it is what the CA administrator sees in the pending list, and the request should only be granted if the two values agree. Check the status of the certificate request:
cisco1841#sh crypto pki certificates
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=CA
  Subject:
    cn=CA
  Validity Date:
    start date: 14:21:59 UTC Oct 14 2010
    end   date: 14:21:59 UTC Oct 13 2013
  Associated Trustpoints: cisco7200

Certificate
  Subject:
    Name: cisco1841.pittest.ru
  Status: Pending
  Key Usage: General Purpose
  Certificate Request Fingerprint MD5: 4A8A9E5E EA609C4B CA6A1554 96BC4D38
  Certificate Request Fingerprint SHA1: C5E724D3 38B47ECB E8782244 0CBDB512 F786C81C
  Associated Trustpoint: cisco7200

Important! Save the configuration at this point. Without saving, the client stays in the Pending state even after the request has been granted on the server. Why it behaves this way is unclear.

cisco1841#wr

Back on the server, we see the list of unapproved requests:

cisco7200#sh crypto pki server CA requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      pending    4A8A9E5EEA609C4BCA6A155496BC4D38 hostname=cisco1841.pittest.ru
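Both trust decisions in this procedure rest on an operator comparing hex strings by eye: the CA fingerprint at "crypto pki authenticate" must equal what "sh crypto pki server" shows on cisco7200, and a request may only be granted if the fingerprint in the table above equals the one cisco1841 printed at "crypto pki enroll". The following is an added example, not code from the original post: a small Python script that parses the console text the routers print and does both comparisons. The sample outputs are constructed from the values shown in the post; the "spoofed" variant is invented to show a mismatch being caught.

```python
"""Cross-check the fingerprints IOS prints on both sides of an enrollment.

Added example, not code from the original post. It reads the console text
the routers print and compares the hex fingerprints, replacing the eyeball
comparison that the two trust decisions in the procedure rely on.
"""
import re

# "Fingerprint MD5:", "Fingerprint SHA1:" or the CA's "CA cert fingerprint:",
# followed by 16 or 20 bytes printed as 8-hex-digit groups (spaced or not).
_FP_RE = re.compile(r"[Ff]ingerprint(?:\s+(MD5|SHA1))?:\s*((?:[0-9A-Fa-f]{8}\s*){4,5})")
# One row of the request tables in `show crypto pki server <name> requests`.
_REQ_RE = re.compile(r"^\s*(\d+)\s+(\w+)\s+([0-9A-Fa-f]{32})\s+(\S+)", re.M)


def normalize(fp):
    """'d977 89f0 ...' and 'D97789F0...' must compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def parse_fingerprints(cli_output):
    """Map 'MD5'/'SHA1' to the hex fingerprints found in a console dump.
    An unlabelled value (the CA's own display) is classified by its length."""
    found = {}
    for label, value in _FP_RE.findall(cli_output):
        value = normalize(value)
        label = label or {32: "MD5", 40: "SHA1"}.get(len(value))
        if label:
            found[label] = value
    return found


def parse_requests(server_requests_output):
    """Rows of the pending-request table as dicts."""
    return [{"id": int(i), "state": st, "md5": md5.upper(), "subject": subj}
            for i, st, md5, subj in _REQ_RE.findall(server_requests_output)]


def ca_cert_matches(server_show_output, client_authenticate_output):
    """True when every algorithm both sides printed agrees. This IOS CA only
    prints MD5, so that is all that can be checked here; prefer SHA1 where
    the CA shows it."""
    server = parse_fingerprints(server_show_output)
    client = parse_fingerprints(client_authenticate_output)
    common = set(server) & set(client)
    return bool(common) and all(server[k] == client[k] for k in common)


def matching_request_ids(server_requests_output, client_enroll_output):
    """IDs of pending requests whose fingerprint equals the one the client
    printed at `crypto pki enroll`; only these are safe to `grant`."""
    client_md5 = parse_fingerprints(client_enroll_output).get("MD5")
    return [r["id"] for r in parse_requests(server_requests_output)
            if client_md5 and r["state"] == "pending" and r["md5"] == client_md5]


# --- constructed samples; the values are the ones shown in the post ---------
SERVER_SHOW = """\
Certificate Server CA:
    Status: enabled
    Issuer name: CN=CA
    CA cert fingerprint: D97789F0 86BD46AE 13F7D3AB 7B87B4BF
    Granting mode is: manual
"""
CLIENT_AUTH = """\
Certificate has the following attributes:
       Fingerprint MD5: D97789F0 86BD46AE 13F7D3AB 7B87B4BF
      Fingerprint SHA1: 05E10C1F 664FA4BB 3D0E8BB0 10D4B7FF 8E634966
% Do you accept this certificate? [yes/no]:
"""
# Invented: what a client would see if something in the path answered the
# SCEP GetCACert request with its own certificate (last byte differs).
CLIENT_AUTH_SPOOFED = CLIENT_AUTH.replace("7B87B4BF", "7B87B4BE")
CLIENT_ENROLL = """\
% Certificate request sent to Certificate Authority
Oct 14 14:50:12.135: CRYPTO_PKI:  Certificate Request Fingerprint MD5: 4A8A9E5E EA609C4B CA6A1554 96BC4D38
Oct 14 14:50:12.135: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: C5E724D3 38B47ECB E8782244 0CBDB512 F786C81C
"""
SERVER_REQUESTS = """\
Router certificates requests:
ReqID  State      Fingerprint                       SubjectName
--------------------------------------------------------------
    1  pending    4A8A9E5EEA609C4BCA6A155496BC4D38  hostname=cisco1841.pittest.ru
"""

if __name__ == "__main__":
    print("CA fingerprint matches:", ca_cert_matches(SERVER_SHOW, CLIENT_AUTH))
    print("spoofed CA rejected:", not ca_cert_matches(SERVER_SHOW, CLIENT_AUTH_SPOOFED))
    print("requests safe to grant:", matching_request_ids(SERVER_REQUESTS, CLIENT_ENROLL))
```

The request comparison deliberately uses only the MD5 value, because that is the only digest the IOS request table prints; the CA-certificate comparison checks every digest both sides show, so on a CA that displays SHA1 as well the stronger value is checked too.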
Approve the request. The fingerprint in the table (4A8A9E5E...) is the one cisco1841 printed at enrollment; a request whose fingerprint the requester cannot confirm should be rejected instead ("crypto pki server CA reject <id>"), because the CA has no other way of knowing who sent it:

cisco7200#crypto pki server CA grant 1

After a while the client reports:

%PKI-6-CERTRET: Certificate received from Certificate Authority

Check the status:

cisco1841#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=CA
  Subject:
    Name: cisco1841.pittest.ru
    hostname=cisco1841.pittest.ru
  Validity Date:
    start date: 15:01:14 UTC Oct 14 2010
    end   date: 15:01:14 UTC Oct 14 2011
  Associated Trustpoints: cisco7200

The router certificate is valid for one year (the server default, against three years for the CA certificate), so plan the renewal, or add "auto-enroll" to the trustpoint so the router re-enrolls before expiry. Save the certificate:

cisco1841#wr
Building configuration...
[OK]

It is now visible in nvram:

cisco1841#dir nvram:
Directory of nvram:/

  187  -rw-        1733  startup-config
  188  ----        1930  private-config
  189  -rw-        1733  underlying-config
    1  -rw-           0  ifIndex-table
    2  -rw-        2945  cwmp_inventory
    5  ----          16  persistent-data
    6  -rw-         503  CA#1CA.cer
    7  -rw-         507  CA#1.cer

196600 bytes total (185717 bytes free)

From here on we enjoy the advantages of certificates, for example when building IPsec tunnels:
ip access-list extended SECACL
 permit ip host 192.168.100.2 host 192.168.100.1

crypto isakmp policy 100
 auth rsa-sig
 encr aes
 hash md5
 group 2
crypto isakmp peer address 192.168.100.1

crypto ipsec transform-set TEST esp-aes esp-md5-hmac

crypto map TEST 100 ipsec-isakmp
 set peer 192.168.100.1
 set transform-set TEST
 match address SECACL

interface FastEthernet0/1
 ip address 192.168.100.2 255.255.255.0
 crypto map TEST

"auth rsa-sig" is the ISAKMP default, which is why no pre-shared key appears anywhere: the peers authenticate each other with the certificates issued above. With a mirrored configuration on the IPsec peer we get:

cisco1841#ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

cisco1841#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1001  192.168.100.2   192.168.100.1          ACTIVE aes  md5  rsig 2  23:53:03
       Engine-id:Conn-id = SW:1

"Auth rsig" in the SA listing confirms that the tunnel was authenticated with RSA signatures, i.e. the certificates, rather than a pre-shared key.
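The tunnel works, but the policy it negotiated (hash md5, group 2, 1024-bit RSA keys, esp-md5-hmac) reflects 2010 and should not be copied today. The following is an added example, not code from the original post: a Python audit that walks an IOS configuration or console paste, understands the abbreviated keywords IOS accepts as typed above, and reports each weak setting with a replacement. The keyword tables and the hardened sample are my own; the hardened values assume an IOS release that supports "hash sha256" and "esp-sha256-hmac", which 12.4(24)T does not.

```python
"""Flag weak IKEv1/IPsec and RSA settings in an IOS crypto configuration.

Added example, not code from the original post. The keyword tables and the
hardened sample are my own; the hardened values assume an IOS release that
has `hash sha256` and `esp-sha256-hmac`, which 12.4(24)T does not.
"""
import re

# ISAKMP policy keyword -> {value: why it is weak / what to use instead}
WEAK_ISAKMP = {
    "encryption": {"des": "56-bit DES; use aes 256",
                   "3des": "3DES (64-bit blocks); use aes 256"},
    "hash": {"md5": "MD5; use sha256"},
    "group": {"1": "768-bit DH; use group 14 or higher",
              "2": "1024-bit DH; use group 14 or higher",
              "5": "1536-bit DH; use group 14 or higher"},
}
WEAK_ESP = {
    "esp-des": "56-bit DES; use esp-aes 256",
    "esp-3des": "3DES; use esp-aes 256",
    "esp-md5-hmac": "HMAC-MD5; use esp-sha256-hmac",
    "esp-null": "no encryption at all",
}
MIN_RSA_BITS = 2048


def audit_crypto_config(config):
    """Return one finding string per weak setting in a config or console paste."""
    findings = []
    policy = None                       # number of the isakmp policy block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if line.startswith(("crypto ", "interface ", "ip ", "end")):
            policy = None               # any other top-level command ends the block
        parts = line.split()
        if policy is not None and len(parts) >= 2:
            for keyword, weak in WEAK_ISAKMP.items():
                # IOS accepts unique prefixes, e.g. "encr aes" for "encryption aes"
                if keyword.startswith(parts[0]) and parts[1] in weak:
                    findings.append(f"isakmp policy {policy}: '{line}' -> {weak[parts[1]]}")
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            for tok in m.group(2).split():
                if tok in WEAK_ESP:
                    findings.append(f"transform-set {m.group(1)}: '{tok}' -> {WEAK_ESP[tok]}")
        m = re.search(r"rsa modulus (\d+)", line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"'{line}': {m.group(1)}-bit RSA -> use modulus {MIN_RSA_BITS} or more")
    return findings


# Constructed from the commands typed in the post (abbreviated, as IOS accepts them).
POST_CONFIG = """\
crypto key generate rsa modulus 1024 label CA
crypto isakmp policy 100
 auth rsa-sig
 encr aes
 hash md5
 group 2
crypto isakmp peer address 192.168.100.1
crypto ipsec transform-set TEST esp-aes esp-md5-hmac
crypto map TEST 100 ipsec-isakmp
 set peer 192.168.100.1
 set transform-set TEST
 match address SECACL
"""
# Same design with current parameters (my own; needs an IOS with sha256 support).
HARDENED_CONFIG = """\
crypto key generate rsa modulus 2048 label CA
crypto isakmp policy 100
 authentication rsa-sig
 encryption aes 256
 hash sha256
 group 14
crypto ipsec transform-set TEST esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_crypto_config(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  ", f)
```

Run against the post's commands it reports four findings (the RSA modulus, hash md5, group 2 and esp-md5-hmac); the hardened variant keeps the same certificate-based design and reports none.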