3.1 IKEv2 basic IOS vs IOS SVTI


-------------------------------------------------
         tun0----192.168.1.0----tun0
          | .1                   .2 |
--------Site1------Internet------Site2--------
      .1   .1    .10    .10     .1    .1
172.16.1.1   202.100.1.0   61.128.1.0   10.1.1.1


----------------------------------------------------
alias exec i show ip inter brief 
alias exec e show crypto engine connections active 


---------------------------------------------


hostname Site1 


interface loopback 0 
 ip address 172.16.1.1 255.255.255.0 
 
interface FastEthernet 0/0 
 ip address 202.100.1.1 255.255.255.0 
 no shutdown 
 duplex full 


ip route 0.0.0.0 0.0.0.0 202.100.1.10 


hostname Internet 


interface FastEthernet 0/0 
 ip address 202.100.1.10 255.255.255.0 
 no shutdown 


interface FastEthernet 1/0 
 ip address 61.128.1.10 255.255.255.0 
 no shutdown 


hostname Site2 
 
interface loopback 0 
 ip address 10.1.1.1 255.255.255.0 
 
interface FastEthernet 1/0 
 ip address 61.128.1.1 255.255.255.0 
 no shutdown 
 duplex full 


ip route 0.0.0.0 0.0.0.0 61.128.1.10 


-----------------------------------------------
Site1: 


crypto ikev2 keyring CCIE-Keyring 
 peer Site2 
  address 61.128.1.1 
  pre-shared-key CCIE-Pre-Key 


crypto ikev2 profile CCIE-IKEv2-Profile 
 match identity remote address 61.128.1.1  
 identity local address 202.100.1.1 
 authentication remote pre-share 
 authentication local pre-share 
 keyring local CCIE-Keyring 


crypto ipsec profile CCIE-IPSec-Profile 
 set ikev2-profile CCIE-IKEv2-Profile 


interface tunnel 0 
 ip address 192.168.1.1 255.255.255.0 
 tunnel source FastEthernet 0/0 
 tunnel mode ipsec ipv4 
 tunnel destination 61.128.1.1 
 tunnel protection ipsec profile CCIE-IPSec-Profile 


---------------------------------------------------
Site2:


crypto ikev2 keyring CCIE-Keyring 
 peer Site1 
  address 202.100.1.1 
  pre-shared-key CCIE-Pre-Key 


crypto ikev2 profile CCIE-IKEv2-Profile 
 match identity remote address 202.100.1.1 
 identity local address 61.128.1.1 
 authentication remote pre-share 
 authentication local pre-share 
 keyring local CCIE-Keyring 


crypto ipsec profile CCIE-IPSec-Profile 
 set ikev2-profile CCIE-IKEv2-Profile 


interface tunnel 0 
 ip address 192.168.1.2 255.255.255.0 
 tunnel source FastEthernet 1/0 
 tunnel mode ipsec ipv4 
 tunnel destination 202.100.1.1 
 tunnel protection ipsec profile CCIE-IPSec-Profile 


---------------------------------------------------


alias exec i show ip inter brief 
alias exec e show crypto engine connections active 


show crypto engine connection active 


-----------------------------------------------------
Site1: configure the dynamic routing protocol


router ospf 1
 exit
interface tunnel 0 
 ip ospf 1 area 0 
interface lo 0 
 ip ospf 1 area 0 


Site2: configure the dynamic routing protocol


router ospf 1 
 exit
interface tunnel 0 
 ip ospf 1 area 0 
interface lo 0 
 ip ospf 1 area 0 


ping 172.16.1.1 so lo 0 re 10 


--------------------------------------------------
3.2 Asymmetric pre-shared keys (a different key per direction)


Site1 Keyring config:


crypto ikev2 keyring CCIE-Keyring 
 peer Site2 
  address 61.128.1.1 
  pre-shared-key local CCIE-Site1-Key 
  pre-shared-key remote CCIE-Site2-Key 




Site2 Keyring config: 


crypto ikev2 keyring CCIE-Keyring 
 peer Site1 
  address 202.100.1.1 
  pre-shared-key local CCIE-Site2-Key 
  pre-shared-key remote CCIE-Site1-Key 


------------------------------------------------


clear crypto sa 


ping 10.1.1.1 so lo 0 


---------------------------------------------------


3.3 Mutual certificate authentication 


Configure NTP (time synchronization is very important for certificate validity)


Internet config: 


clock timezone GMT +8 
clock set 13:20:00 4 oct 2012 
ntp master 


Site1 config: 


clock timezone GMT +8 
ntp server 202.100.1.10 


Site2 config: 


clock timezone GMT +8 
ntp server 61.128.1.10 


-------------


Internet config :


ip http server 


ip domain name mingjiao.org 


crypto pki server CA 
 issuer-name cn=Internet.mingjiao.org,ou=mingjiaosec
 database level complete 
 grant auto 
 no shutdown 


password:*********
repassword:*********


Router#show crypto pki server 
Certificate Server CA:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: cn=Inernet.mingjiao.org,ou=mingjiaosec
    CA cert fingerprint: 9CE09B70 1ED69F33 CB0F5473 89BA18D4 
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 02:26:13 UTC May 12 2019
    CRL NextUpdate timer: 08:26:19 UTC May 12 2016
    Current primary storage dir: nvram:
    Database Level: Complete - all issued certs written as <serialnum>.cer
Router#


----------------------------
Site1: 


1. Configure the trustpoint 


ip domain name mingjiao.org 


crypto pki trustpoint CA
 enrollment url http://202.100.1.10:80 
 subject-name cn=Site1.mingjiao.org,ou=mingjiaosec
 revocation-check crl (this line is generated automatically)


2. Obtain the CA (root) certificate


crypto pki authenticate CA 


yes 
show crypto pki certificates 


3. Request the router's own identity certificate


crypto pki enroll CA 


no
no
yes


show crypto pki certificates 


----------------------------------------------


Site2: 


1. Configure the trustpoint 


ip domain name mingjiao.org 


crypto pki trustpoint CA 
 enrollment url http://202.100.1.10:80 
 subject-name cn=Site2.mingjiao.org,ou=mingjiaosec
 revocation-check crl (this line is generated automatically)


2. Obtain the CA (root) certificate


crypto pki authenticate CA 
yes


3. Request the router's own identity certificate


crypto pki enroll CA 
no
no
yes


show cryp pki certificates 
------------------------------------------------


Site1: 


crypto pki certificate map CCIE-Cert-Map 10 
 subject-name co ou=mingjiaosec




crypto ikev2 profile CCIE-IKEv2-Profile 
 match certificate CCIE-Cert-Map
 authentication remote rsa-sig 
 authentication local rsa-sig 
 pki trustpoint CA 


crypto ipsec profile CCIE-IPSec-Profile 
 set ikev2-profile CCIE-IKEv2-Profile 


interface tunnel 0 
 ip address 192.168.1.1 255.255.255.0 
 tunnel source FastEthernet 0/0 
 tunnel mode ipsec ipv4 
 tunnel destination 61.128.1.1 
 tunnel protection ipsec profile CCIE-IPSec-Profile 


---------------------------------------------------
Site2:


crypto pki certificate map CCIE-Cert-Map 10 
 subject-name co ou=mingjiaosec


crypto ikev2 profile CCIE-IKEv2-Profile 
 match certificate CCIE-Cert-Map 
 authentication remote rsa-sig 
 authentication local rsa-sig
 pki trustpoint CA 


crypto ipsec profile CCIE-IPSec-Profile 
 set ikev2-profile CCIE-IKEv2-Profile 


interface tunnel 0 
 ip address 192.168.1.2 255.255.255.0 
 tunnel source FastEthernet 1/0 
 tunnel mode ipsec ipv4 
 tunnel destination 202.100.1.1 
 tunnel protection ipsec profile CCIE-IPSec-Profile 


---------------------------------------------------


alias exec i show ip inter brief 
alias exec e show crypto engine connections active 


show crypto engine connection active 


clear crypto ikev2 sa
clear crypto sa 




show crypto ipsec sa 





ping 192.168.1.2 so 192.168.1.1 


ping 10.1.1.1 so lo 0 re 10 




-----------------------------------------------------


3.4 Certificate + pre-shared-key (hybrid) authentication


Site1: 


1. Configure the keyring 


crypto ikev2 keyring CCIE-Keyring 
 peer Site2 
  address 61.128.1.1 
  pre-shared-key local CCIE-Site1-Key 


2. Configure the certificate map 


crypto pki certificate map CCIE-Cert-Map 10 
 subject-name co ou=mingjiaosec 




3. Configure the IKEv2 profile 


crypto ikev2 profile CCIE-IKEv2-Profile 
 match certificate CCIE-Cert-Map 
 identity local address 202.100.1.1 
 authentication remote rsa-sig 
 authentication local pre-share 
 keyring local CCIE-Keyring 
 pki trustpoint CA 


4. Configure the IPsec profile 




crypto ipsec profile CCIE-IPSec-Profile 
 set ikev2-profile CCIE-IKEv2-Profile 


5. Configure the tunnel 


interface tunnel 0 
 ip address 192.168.1.1 255.255.255.0 
 tunnel source FastEthernet 0/0 
 tunnel mode ipsec ipv4 
 tunnel destination 61.128.1.1 
 tunnel protection ipsec profile CCIE-IPSec-Profile 




------------------------------


Site2: 


1. Configure the keyring 


crypto ikev2 keyring CCIE-Keyring 
 peer Site1 
  address 202.100.1.1 
  pre-shared-key remote CCIE-Site1-Key 


2. Configure the certificate map 


crypto pki certificate map CCIE-Cert-Map 10 
 subject-name co ou=mingjiaosec 




3. Configure the IKEv2 profile 


crypto ikev2 profile CCIE-IKEv2-Profile 
 match identity remote address 202.100.1.1 
 identity local fqdn Site2.mingjiao.org (optional)
 authentication remote pre-share
 authentication local rsa-sig 
 keyring local CCIE-Keyring 
 pki trustpoint CA 


4. Configure the IPsec profile 


crypto ipsec profile CCIE-IPSec-Profile 
 set ikev2-profile CCIE-IKEv2-Profile 


5. Configure the tunnel 


interface tunnel 0 
 ip address 192.168.1.2 255.255.255.0 
 tunnel source FastEthernet 1/0 
 tunnel mode ipsec ipv4 
 tunnel destination 202.100.1.1 
 tunnel protection ipsec profile CCIE-IPSec-Profile 
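
Added example (not part of the original lab notes): a small Python checker for the two things that most often break the asymmetric-key setup in 3.2 and the hybrid setup in 3.4, namely a pre-shared key that is not mirrored between the peers (Site1 "local" must equal Site2 "remote" and vice versa) and an authentication method that is not mirrored (Site1 "authentication remote" must equal Site2 "authentication local"). It parses the keyring and IKEv2 profile blocks from plain running-config text; the sample configs inside it are constructed from the lab's Site1/Site2 values, with one deliberately mistyped key to show what the check reports.

```python
"""Peer-consistency check for Cisco IOS IKEv2 keyring and profile blocks.

Added example, not the lab's own tooling. It reads two peers' config text,
extracts the `crypto ikev2 keyring` and `crypto ikev2 profile` blocks and
reports mismatches that would make IKE_AUTH fail.
"""
import re

PSK_RE = re.compile(r"pre-shared-key(?:\s+(local|remote))?\s+(\S+)\s*$", re.I)
AUTH_RE = re.compile(r"authentication\s+(local|remote)\s+(\S+)", re.I)


def parse_blocks(config: str) -> dict:
    """Map each top-level IOS config line to the list of its indented children."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def keyring_keys(blocks: dict, keyring: str) -> dict:
    """Return {'local': key, 'remote': key} for a keyring.
    The bare symmetric form `pre-shared-key KEY` sets both directions."""
    keys = {"local": None, "remote": None}
    for line in blocks.get(f"crypto ikev2 keyring {keyring}", []):
        m = PSK_RE.match(line)
        if not m:
            continue
        side, key = m.group(1), m.group(2)
        if side is None:
            keys["local"] = keys["remote"] = key
        else:
            keys[side.lower()] = key
    return keys


def profile_auth(blocks: dict, profile: str) -> dict:
    """Return {'local': method, 'remote': method} from an IKEv2 profile."""
    auth = {}
    for line in blocks.get(f"crypto ikev2 profile {profile}", []):
        m = AUTH_RE.match(line)
        if m:
            auth[m.group(1).lower()] = m.group(2)
    return auth


def check_pair(cfg_a: str, cfg_b: str, keyring: str = "CCIE-Keyring",
               profile: str = "CCIE-IKEv2-Profile") -> list:
    """Return a list of mismatch messages; an empty list means the peers agree."""
    a, b = parse_blocks(cfg_a), parse_blocks(cfg_b)
    ka, kb = keyring_keys(a, keyring), keyring_keys(b, keyring)
    aa, ab = profile_auth(a, profile), profile_auth(b, profile)
    problems = []
    # A PSK only matters in a direction that is actually authenticated with it.
    if aa.get("local") == "pre-share" and ka["local"] != kb["remote"]:
        problems.append("Site-A local PSK does not match Site-B remote PSK")
    if ab.get("local") == "pre-share" and kb["local"] != ka["remote"]:
        problems.append("Site-B local PSK does not match Site-A remote PSK")
    if aa.get("remote") != ab.get("local"):
        problems.append("Site-A 'authentication remote' != Site-B 'authentication local'")
    if ab.get("remote") != aa.get("local"):
        problems.append("Site-B 'authentication remote' != Site-A 'authentication local'")
    return problems


# Constructed samples (hybrid auth from section 3.4).
SITE1_HYBRID = """
crypto ikev2 keyring CCIE-Keyring
 peer Site2
  address 61.128.1.1
  pre-shared-key local CCIE-Site1-Key
crypto ikev2 profile CCIE-IKEv2-Profile
 match certificate CCIE-Cert-Map
 authentication remote rsa-sig
 authentication local pre-share
 keyring local CCIE-Keyring
"""
SITE2_HYBRID = """
crypto ikev2 keyring CCIE-Keyring
 peer Site1
  address 202.100.1.1
  pre-shared-key remote CCIE-Site1-Key
crypto ikev2 profile CCIE-IKEv2-Profile
 match identity remote address 202.100.1.1
 authentication remote pre-share
 authentication local rsa-sig
 keyring local CCIE-Keyring
"""
# Constructed samples (asymmetric PSK from section 3.2) with a mistyped remote key on Site2.
SITE1_ASYM = """
crypto ikev2 keyring CCIE-Keyring
 peer Site2
  pre-shared-key local CCIE-Site1-Key
  pre-shared-key remote CCIE-Site2-Key
crypto ikev2 profile CCIE-IKEv2-Profile
 authentication remote pre-share
 authentication local pre-share
"""
SITE2_ASYM_BAD = """
crypto ikev2 keyring CCIE-Keyring
 peer Site1
  pre-shared-key local CCIE-Site2-Key
  pre-shared-key remote CCIE-Site1-Kay
crypto ikev2 profile CCIE-IKEv2-Profile
 authentication remote pre-share
 authentication local pre-share
"""

if __name__ == "__main__":
    print("hybrid:", check_pair(SITE1_HYBRID, SITE2_HYBRID) or "consistent")
    print("asymmetric:", check_pair(SITE1_ASYM, SITE2_ASYM_BAD) or "consistent")
```

Run it against the text of `show running-config | section crypto ikev2` from each router; an empty result means the keys and methods are mirrored, and each reported line names the direction that will fail, which is quicker than reading `debug crypto ikev2` after a `clear crypto ikev2 sa`.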


-----------------------------------------------


clear cryp sa 
clear cryp ikev2 sa 
clear cryp session 


interface tunnel 0 
 shutdown 
 no shutdown 




alias exec i show ip inter brief 
alias exec e show crypto engine connections active 


show crypto engine connection active 


clear crypto ikev2 sa
clear crypto sa 




show crypto engine connection active 


---------------------------------------------------


show ip route


ping ip ospf route 


----------------------------------------------------