R1---R2---R3

R2 acts as the PKI server (IOS CA). Two corrections to the clock commands: `clock timezone` is a global configuration command and `clock set` is an exec-mode command; the original had them merged into `clock set timezone GMT +8`, which IOS does not accept. Lines starting with `!` are comments.

ip http server
ip domain name cisco.com
clock timezone GMT 8
! exec mode, not config mode: set the clock before the CA issues anything,
! because every certificate validity check on R1/R3 depends on it
clock set 21:07:00 mar 16 2013
!
crypto pki server ca
 database level complete
 ! Written without a comma, the whole string becomes a single CN attribute
 ! ("cn=cisco C=cisco.com" in the debug later); a proper DN separates
 ! attributes with commas, e.g. CN=ca,O=lab,C=CN (example value only).
 issuer-name CN=cisco C=cisco.com
 ! grant auto signs every SCEP request that reaches 12.1.1.2:80 without review.
 ! Acceptable in a closed lab; otherwise keep manual granting and approve each
 ! request with "crypto pki server ca grant <request-id>".
 grant auto
 ! no shut prompts for a passphrase protecting the CA key pair; that key is
 ! the trust anchor for both routers.
 no shut

R1 configuration. The enrollment URL points at R2 (12.1.1.2). After this configuration the router still has to obtain the CA certificate (crypto pki authenticate ca) and request its own (crypto pki enroll ca) in exec mode; when authenticating, compare the displayed fingerprint with the one shown by "show crypto pki server" on R2, since SCEP over plain HTTP gives no other assurance of which CA is being trusted.

crypto pki trustpoint ca
 enrollment url http://12.1.1.2:80
 serial-number
 ! Both routers request the same subject name; the CA distinguishes them only
 ! through the serialNumber and hostname attributes it adds.
 subject-name CN=cisco C=cisco.com
 ! The CRL is fetched from the CA over the same HTTP URL, so R2 must be
 ! reachable whenever IKE validates a peer certificate.
 revocation-check crl
!
! pkimap is defined but nothing references it (no ISAKMP profile with
! "match certificate pkimap"), so it is never evaluated; the debug below
! confirms this with "peer matches *none* of the profiles".
crypto pki certificate map pkimap 10
 issuer-name co cn = cisco
!
! No transform set is configured, so the profile uses the IOS default set
! shown further down.
crypto ipsec profile ***
!
interface Tunnel0
 ip address 100.1.1.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 23.1.1.3
 tunnel protection ipsec profile ***


R3 configuration, mirroring R1 (same trustpoint, same unused certificate map, same empty IPsec profile). The same authenticate/enroll steps apply here.

crypto pki trustpoint ca
 enrollment url http://12.1.1.2:80
 serial-number
 subject-name CN=cisco C=cisco.com
 revocation-check crl
!
crypto pki certificate map pkimap 10
 issuer-name co cn = cisco
!
crypto ipsec profile ***
!
interface Tunnel0
 ip address 100.1.1.3 255.255.255.0
 tunnel source Ethernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 12.1.1.1
 tunnel protection ipsec profile ***
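The certificate map in the R1 and R3 configurations has no effect until an ISAKMP profile evaluates it. The following is an added example, not part of the original lab, of how the R1 side would bind it. The profile name PKI-PEERS and the extra map line "subject-name co hostname=" are assumptions; the IPsec profile name *** is kept exactly as the page writes it. The example also pins the trustpoint so that only certificates from the lab CA are accepted (the debug below shows IKE otherwise building CERT_REQ payloads for every CA in the trustpool as well), sends the certificate DN as the IKE identity instead of the FQDN fallback the debug shows, and lists the enrollment steps the page omits. R3 gets the same configuration.

```ios
! ---- R1: tighten certificate-based peer authentication (added example) ----
!
! Use the certificate DN as the IKE identity. The page's debug shows
! "My ID configured as IPv4 Addr, but Addr not in Cert!" followed by a
! fallback to ID_FQDN; this makes the identity explicit.
crypto isakmp identity dn
!
! Certificate map: the issuer must contain "cisco" (page's original line)
! AND the subject must carry the hostname attribute the IOS CA inserts
! ("serialNumber=...+hostname=R1,cn=cisco C=cisco.com" in the debug).
! Lines within one sequence number are ANDed. The hostname line is an
! assumption added here, not part of the original configuration.
crypto pki certificate map pkimap 10
 issuer-name co cn = cisco
 subject-name co hostname=
!
! ISAKMP profile: a peer is accepted only if its certificate chains to
! trustpoint "ca" (not to the trustpool CAs) and matches pkimap.
! Peers matching no profile are rejected, which is the intent.
crypto isakmp profile PKI-PEERS
 ca trust-point ca
 match certificate pkimap
!
! Attach the profile to the IPsec profile that Tunnel0 uses.
crypto ipsec profile ***
 set isakmp-profile PKI-PEERS
!
! Enrollment, exec mode, required before IKE can present a certificate:
!   crypto pki authenticate ca
!     -> before answering "yes", compare the fingerprint printed here with
!        the one from "show crypto pki server" on R2; SCEP runs over plain
!        HTTP and this comparison is the only check on the CA's identity.
!   crypto pki enroll ca
!
! Verification after the tunnel comes up:
!   show crypto pki certificates
!   show crypto isakmp sa detail
!   show crypto ipsec sa
```

With the profile in place, the "peer matches *none* of the profiles" lines in the debug should be replaced by a match on PKI-PEERS, and a peer presenting a certificate from any other CA, or one whose subject lacks the hostname attribute, fails phase 1 instead of being authenticated.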

IOS 15.2T has a default transform set and an ISAKMP policy in place, so neither router configures either explicitly and the negotiation below falls back to them:

R1#show cry isakmp policy 

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R1#
R1#show crypto ipsec  transform-set 
Transform set default: { esp-aes esp-sha-hmac  } 
   will negotiate = { Tunnel,  }, 

The values in the priority 10 policy are the attribute defaults of an ISAKMP policy (DES, SHA-1, RSA signatures, DH group 1, 86400 seconds); a policy created without any attributes contains exactly these. Whatever its origin on this image, it means phase 1 of the lab tunnel runs on 56-bit DES and a 768-bit Diffie-Hellman exchange, and the debug below shows the peer accepting exactly that proposal. The default transform set is AES-128 with HMAC-SHA-1 in tunnel mode.
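The show output above is what the tunnel negotiates when nothing is configured. As an added example, not from the original lab, here is that weak suite beside an explicit replacement for both routers. The transform set name AES256-SHA256 and the 8-hour lifetime are choices made here; the IPsec profile name *** is the page's own. Keyword availability (sha256, esp-sha256-hmac, group 14) depends on the IOS release and feature set, so confirm each with "?" before pasting.

```ios
! ---- Negotiated by default (from "show cry isakmp policy" above) ----
!   encryption DES (56-bit), hash SHA-1, auth rsa-sig, DH group 1 (768-bit),
!   lifetime 86400 s. These are also what "crypto isakmp policy 10" contains
!   when entered with no attributes.
!
! ---- Explicit IKE policy (added example; apply on R1 and R3) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 28800
!
! ---- Explicit IPsec transform set instead of the built-in "default" set ----
! Default was { esp-aes esp-sha-hmac } = AES-128 / HMAC-SHA-1.
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile ***
 set transform-set AES256-SHA256
!
! Confirm the weak suite is gone on both ends:
!   show crypto isakmp policy
!   show crypto ipsec transform-set
!   show crypto isakmp sa detail      (negotiated encryption, hash, DH group)
!   show crypto ipsec sa              (transform in use per SA)
```

Both routers must carry the same policy and transform set; if only one side is changed, IKE falls back to whatever common proposal remains, which on the unchanged side is still the DES policy.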


debug output from R1 (debug crypto isakmp) while Tunnel0 comes up. Points worth reading in the trace:

No pre-shared key exists for 23.1.1.3, so IKE turns to the trustpoints and sends CERT_REQ payloads for the configured issuer and for every CA in the trustpool (DST Root CA X3, Cisco Root CA 2048, Cisco Root CA M1). Without an ISAKMP profile pinning the trustpoint, a certificate from any of those issuers would be considered.

The ISAKMP identity defaults to the IPv4 address, but the address is not in the certificate, so IOS falls back to ID_FQDN ("R1" and "R3").

"peer matches *none* of the profiles" is expected with this configuration: the certificate map pkimap is defined but no ISAKMP profile references it, so it is never evaluated.

"Unable to get DN from certificate!" and "Cert presented by peer contains no OU field." do not by themselves indicate a failure here; the signature check that follows is what authenticates the SA ("SA has been authenticated with 23.1.1.3").

The asterisk in the timestamps (*Mar 4) marks the clock as not authoritative, and the date differs from the one set on R2. Certificate validity and CRL checks depend on correct time, so anything beyond a lab should run NTP on all three routers.

R1(config-if)#

*Mar  4 08:39:01.333: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Mar  4 08:39:01.333: ISAKMP:(0): SA request profile is (NULL)

*Mar  4 08:39:01.333: ISAKMP: Created a peer struct for 23.1.1.3, peer port 500

*Mar  4 08:39:01.333: ISAKMP: New peer created peer = 0xAFC4F188 peer_handle = 0x80000016

*Mar  4 08:39:01.333: ISAKMP: Locking peer struct 0xAFC4F188, refcount 1 for isakmp_initiator

*Mar  4 08:39:01.333: ISAKMP: local port 500, remote port 500

*Mar  4 08:39:01.333: ISAKMP: set new node 0 to QM_IDLE      

*Mar  4 08:39:01.333: ISAKMP:(0):insert sa successfully sa = B2688610

*Mar  4 08:39:01.333: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Mar  4 08:39:01.333: ISAKMP:(0):No pre-shared key with 23.1.1.3!

*Mar  4 08:39:01.333: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 23.1.1.3)

*Mar  4 08:39:01.333: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 23.1.1.3)

*Mar  4 08:39:01.333: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar  4 08:39:01.333: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar  4 08:39:01.333: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar  4 08:39:01.334: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar  4 08:39:01.334: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar  4 08:39:01.334: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 


*Mar  4 08:39:01.334: ISAKMP:(0): beginning Main Mode exchange

*Mar  4 08:39:01.334: ISAKMP:(0): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  4 08:39:01.334: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  4 08:39:01.335: ISAKMP (0): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_NO_STATE

*Mar  4 08:39:01.335: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  4 08:39:01.335: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 


*Mar  4 08:39:01.335: ISAKMP:(0): processing SA payload. message ID = 0

*Mar  4 08:39:01.335: ISAKMP:(0): processing vendor id payload

*Mar  4 08:39:01.335: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar  4 08:39:01.335: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Mar  4 08:39:01.335: ISAKMP : Scanning profiles for xauth ...

*Mar  4 08:39:01.335: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 23.1.1.3)

*Mar  4 08:39:01.335: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 23.1.1.3)

*Mar  4 08:39:01.335: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar  4 08:39:01.335: ISAKMP:      encryption DES-CBC

*Mar  4 08:39:01.335: ISAKMP:      hash SHA

*Mar  4 08:39:01.335: ISAKMP:      default group 1

*Mar  4 08:39:01.335: ISAKMP:      auth RSA sig

*Mar  4 08:39:01.335: ISAKMP:      life type in seconds

*Mar  4 08:39:01.335: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

*Mar  4 08:39:01.335: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar  4 08:39:01.335: ISAKMP:(0):Acceptable atts:actual life: 0

*Mar  4 08:39:01.335: ISAKMP:(0):Acceptable atts:life: 0

*Mar  4 08:39:01.335: ISAKMP:(0):Fill atts in sa vpi_length:4

*Mar  4 08:39:01.335: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Mar  4 08:39:01.335: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 23.1.1.3)

*Mar  4 08:39:01.335: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 23.1.1.3)

*Mar  4 08:39:01.335: ISAKMP:(0):Returning Actual lifetime: 86400

*Mar  4 08:39:01.335: ISAKMP:(0)::Started lifetime timer: 86400.


*Mar  4 08:39:01.335: ISAKMP:(0): processing vendor id payload

*Mar  4 08:39:01.335: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar  4 08:39:01.335: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Mar  4 08:39:01.336: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  4 08:39:01.336: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 


*Mar  4 08:39:01.336: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 23.1.1.3)

*Mar  4 08:39:01.336: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 23.1.1.3)

*Mar  4 08:39:01.336: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 23.1.1.3)

*Mar  4 08:39:01.336: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 23.1.1.3)

*Mar  4 08:39:01.336: ISAKMP (0): constructing CERT_REQ for issuer cn=cisco C=cisco.com

*Mar  4 08:39:01.336: ISAKMP (0): constructing CERT_REQ for issuer cn=DST Root CA X3,o=Digital Signature Trust Co.

*Mar  4 08:39:01.336: ISAKMP (0): constructing CERT_REQ for issuer cn=Cisco Root CA 2048,o=Cisco Systems

*Mar  4 08:39:01.336: ISAKMP (0): constructing CERT_REQ for issuer cn=Cisco Root CA 2048,o=Cisco Systems

*Mar  4 08:39:01.336: ISAKMP (0): constructing CERT_REQ for issuer cn=Cisco Root CA M1,o=Cisco

*Mar  4 08:39:01.336: ISAKMP:(0): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Mar  4 08:39:01.336: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  4 08:39:01.337: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  4 08:39:01.337: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 


*Mar  4 08:39:01.345: ISAKMP (0): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_SA_SETUP

*Mar  4 08:39:01.345: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  4 08:39:01.345: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 


*Mar  4 08:39:01.345: ISAKMP:(0): processing KE payload. message ID = 0

*Mar  4 08:39:01.353: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar  4 08:39:01.353: ISAKMP:(1046): processing CERT_REQ payload. message ID = 0

*Mar  4 08:39:01.353: ISAKMP:(1046): peer wants a CT_X509_SIGNATURE cert

*Mar  4 08:39:01.353: ISAKMP:(1046): peer wants cert issued by cn=cisco C=cisco.com

*Mar  4 08:39:01.353:  Choosing trustpoint ca as issuer

*Mar  4 08:39:01.354: ISAKMP:(1046): processing CERT_REQ payload. message ID = 0

*Mar  4 08:39:01.354: ISAKMP:(1046): peer wants a CT_X509_SIGNATURE cert

*Mar  4 08:39:01.354: ISAKMP:(1046): peer wants cert issued by cn=DST Root CA X3,o=Digital Signature Trust Co.

*Mar  4 08:39:01.354: ISAKMP:(1046): processing CERT_REQ payload. message ID = 0

*Mar  4 08:39:01.354: ISAKMP:(1046): peer wants a CT_X509_SIGNATURE cert

*Mar  4 08:39:01.354: ISAKMP:(1046): peer wants cert issued by cn=Cisco Root CA 2048,o=Cisco Systems

*Mar  4 08:39:01.354: ISAKMP:(1046): processing CERT_REQ payload. message ID = 0

*Mar  4 08:39:01.354: ISAKMP:(1046): peer wants a CT_X509_SIGNATURE cert

*Mar  4 08:39:01.354: ISAKMP:(1046): peer wants cert issued by cn=Cisco Root CA 2048,o=Cisco Systems

*Mar  4 08:39:01.354: ISAKMP:(1046): processing CERT_REQ payload. message ID = 0

*Mar  4 08:39:01.354: ISAKMP:(1046): peer wants a CT_X509_SIGNATURE cert

*Mar  4 08:39:01.354: ISAKMP:(1046): peer wants cert issued by cn=Cisco Root CA M1,o=Cisco

*Mar  4 08:39:01.354: ISAKMP:(1046): processing vendor id payload

*Mar  4 08:39:01.354: ISAKMP:(1046): vendor ID is Unity

*Mar  4 08:39:01.354: ISAKMP:(1046): processing vendor id payload

*Mar  4 08:39:01.354: ISAKMP:(1046): vendor ID is DPD

*Mar  4 08:39:01.354: ISAKMP:(1046): processing vendor id payload

*Mar  4 08:39:01.354: ISAKMP:(1046): speaking to another IOS box!

*Mar  4 08:39:01.354: ISAKMP:received payload type 20

*Mar  4 08:39:01.354: ISAKMP (1046): His hash no match - this node outside NAT

*Mar  4 08:39:01.354: ISAKMP:received payload type 20

*Mar  4 08:39:01.354: ISAKMP (1046): No NAT Found for self or peer

*Mar  4 08:39:01.354: ISAKMP:(1046):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  4 08:39:01.354: ISAKMP:(1046):Old State = IKE_I_MM4  New State = IKE_I_MM4 


*Mar  4 08:39:01.354: ISAKMP:(1046):Send initial contact

*Mar  4 08:39:01.354: ISAKMP:(1046): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.354: ISAKMP:(1046): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.354: ISAKMP:(1046): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.354: ISAKMP:(1046): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.354: ISAKMP:(1046):My ID configured as IPv4 Addr, but Addr not in Cert!

*Mar  4 08:39:01.354: ISAKMP:(1046):Using FQDN as My ID

*Mar  4 08:39:01.354: ISAKMP:(1046):SA is doing RSA signature authentication using id type ID_FQDN

*Mar  4 08:39:01.355: ISAKMP (1046): ID payload 

        next-payload : 6

        type         : 2 

        FQDN name    : R1 

        protocol     : 17 

        port         : 500 

        length       : 10

*Mar  4 08:39:01.355: ISAKMP:(1046):Total payload length: 10

*Mar  4 08:39:01.355: ISAKMP:(1046): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.355: ISAKMP:(1046): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.355: ISAKMP (1046): constructing CERT payload for serialNumber=2050049+hostname=R1,cn=cisco C=cisco.com

*Mar  4 08:39:01.355: ISAKMP:(1046): using the ca trustpoint's keypair to sign

*Mar  4 08:39:01.357: ISAKMP:(1046): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Mar  4 08:39:01.357: ISAKMP:(1046):Sending an IKE IPv4 Packet.

*Mar  4 08:39:01.358: ISAKMP:(1046):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  4 08:39:01.358: ISAKMP:(1046):Old State = IKE_I_MM4  New State = IKE_I_MM5 


*Mar  4 08:39:01.369: ISAKMP (1046): received packet from 23.1.1.3 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Mar  4 08:39:01.369: ISAKMP:(1046): processing ID payload. message ID = 0

*Mar  4 08:39:01.369: ISAKMP (1046): ID payload 

        next-payload : 6

        type         : 2 

        FQDN name    : R3 

        protocol     : 17 

        port         : 500 

        length       : 10

*Mar  4 08:39:01.369: ISAKMP:(0):: peer matches *none* of the profiles

*Mar  4 08:39:01.369: ISAKMP:(1046): processing CERT payload. message ID = 0

*Mar  4 08:39:01.369: ISAKMP:(1046): processing a CT_X509_SIGNATURE cert

*Mar  4 08:39:01.369: ISAKMP:(1046): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.370: ISAKMP:(1046): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.370: ISAKMP:(1046): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.370: ISAKMP:(1046): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.370: ISAKMP:(1046): peer's pubkey is cached

*Mar  4 08:39:01.370: ISAKMP:(1046): IKE->PKI Validate certificate chain state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.370: ISAKMP:(1046): PKI->IKE Validate certificate chain state (I) MM_KEY_EXCH (peer 23.1.1.3)

*Mar  4 08:39:01.370: ISAKMP:(1046): Unable to get DN from certificate!

*Mar  4 08:39:01.370: ISAKMP:(1046): Cert presented by peer contains no OU field.

*Mar  4 08:39:01.370: ISAKMP:(0):: peer matches *none* of the profiles

*Mar  4 08:39:01.370: ISAKMP:(1046): processing SIG payload. message ID = 0

*Mar  4 08:39:01.375: ISAKMP:(1046):SA authentication status:

        authenticated

*Mar  4 08:39:01.375: ISAKMP:(1046):SA has been authenticated with 23.1.1.3

*Mar  4 08:39:01.375: ISAKMP: Trying to insert a peer 12.1.1.1/23.1.1.3/500/,  and inserted successfully AFC4F188.

*Mar  4 08:39:01.375: ISAKMP:(1046):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  4 08:39:01.375: ISAKMP:(1046):Old State = IKE_I_MM5  New State = IKE_I_MM6 


*Mar  4 08:39:01.375: ISAKMP:(1046):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  4 08:39:01.375: ISAKMP:(1046):Old State = IKE_I_MM6  New State = IKE_I_MM6 


*Mar  4 08:39:01.375: ISAKMP:(1046):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  4 08:39:01.375: ISAKMP:(1046):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 


*Mar  4 08:39:01.375: ISAKMP:(1046): IKE->PKI End PKI Session state (I) QM_IDLE       (peer 23.1.1.3)

*Mar  4 08:39:01.375: ISAKMP:(1046): PKI->IKE Ended PKI session state (I) QM_IDLE       (peer 23.1.1.3)

*Mar  4 08:39:01.375: ISAKMP:(1046):beginning Quick Mode exchange, M-ID of 1131231461

*Mar  4 08:39:01.375: ISAKMP:(1046):QM Initiator gets spi

*Mar  4 08:39:01.375: ISAKMP:(1046): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE      

*Mar  4 08:39:01.375: ISAKMP:(1046):Sending an IKE IPv4 Packet.

*Mar  4 08:39:01.377: ISAKMP:(1046):Node 1131231461, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Mar  4 08:39:01.377: ISAKMP:(1046):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Mar  4 08:39:01.377: ISAKMP:(1046):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar  4 08:39:01.377: ISAKMP:(1046):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 


*Mar  4 08:39:01.377: ISAKMP (1046): received packet from 23.1.1.3 dport 500 sport 500 Global (I) QM_IDLE      

*Mar  4 08:39:01.377: ISAKMP:(1046): processing HASH payload. message ID = 1131231461

*Mar  4 08:39:01.377: ISAKMP:(1046): processing SA payload. message ID = 1131231461

*Mar  4 08:39:01.377: ISAKMP:(1046):Checking IPSec proposal 1

*Mar  4 08:39:01.377: ISAKMP: transform 1, ESP_AES 

*Mar  4 08:39:01.377: ISAKMP:   attributes in transform:

*Mar  4 08:39:01.377: ISAKMP:      encaps is 1 (Tunnel)

*Mar  4 08:39:01.377: ISAKMP:      SA life type in seconds

*Mar  4 08:39:01.377: ISAKMP:      SA life duration (basic) of 3600

*Mar  4 08:39:01.377: ISAKMP:      SA life type in kilobytes

*Mar  4 08:39:01.377: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 

*Mar  4 08:39:01.377: ISAKMP:      authenticator is HMAC-SHA

*Mar  4 08:39:01.377: ISAKMP:      key length is 128

*Mar  4 08:39:01.377: ISAKMP:(1046):atts are acceptable.

*Mar  4 08:39:01.377: ISAKMP:(1046): processing NONCE payload. message ID = 1131231461

*Mar  4 08:39:01.377: ISAKMP:(1046): processing ID payload. message ID = 1131231461

*Mar  4 08:39:01.377: ISAKMP:(1046): processing ID payload. message ID = 1131231461

*Mar  4 08:39:01.377: ISAKMP:(1046): sending packet to 23.1.1.3 my_port 500 peer_port 500 (I) QM_IDLE      

*Mar  4 08:39:01.377: ISAKMP:(1046):Sending an IKE IPv4 Packet.

*Mar  4 08:39:01.378: ISAKMP:(1046):deleting node 1131231461 error FALSE reason "No Error"

*Mar  4 08:39:01.378: ISAKMP:(1046):Node 1131231461, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar  4 08:39:01.378: ISAKMP:(1046):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE

R1(config-if)#
*Mar  4 08:39:01.378: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up