[CA] IPsec VPN problem with CA-based authentication

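1. Environment
(fa0/1:192.168.0.212)RR5(fa0/0:10.2.1.1)-------(fa0/0:10.2.1.3)RR7(fa0/1:192.168.0.213)
RR5 is configured as the CA server.
The 10.x interfaces are the outside interfaces and carry the VPN tunnel; the 192.x interfaces are the inside interfaces, simulating each side's internal network.

2. Problem
Both routers obtain their certificates from the CA server without trouble.
During IPsec VPN setup, the IKE exchange fails.

3. Configuration and debug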
RR5
Current configuration : 5616 bytes
!
! Last configuration change at 16:45:51 CST Fri Jan 4 2008
! NVRAM config last updated at 16:36:51 CST Fri Jan 4 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RR5
!
boot-start-marker
boot-end-marker
!

logging buffered 52000 debugging
!
no aaa new-model
memory-size iomem 5
clock timezone CST 8
ip cef
!
!         
!
!
no ip domain lookup
ip domain name sys
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki server sys
database archive pem password 7 08701E1D5D4C53404A
grant auto
cdp-url 192.168.0.212
!
crypto pki trustpoint sys
revocation-check crl
rsakeypair sys
!
crypto pki trustpoint sys1
enrollment url 192.168.0.212:80
serial-number none
fqdn RR5.sys
ip-address none
password
revocation-check crl
rsakeypair RR5.sys
auto-enroll
!
!
crypto pki certificate chain sys
certificate ca 01
  quit
crypto pki certificate chain sys1
certificate 02
  quit
certificate ca 01
  quit
username sys privilege 15 password 0 sys
!


!
crypto isakmp policy 1
encr 3des
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
description Tunnel to10.2.1.3
set peer 10.2.1.3
set transform-set ESP-3DES-SHA 
match address 100
!

!
!
!         
interface FastEthernet0/0
ip address 10.2.1.1 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 192.168.0.212 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.1.0 0.0.0.255
no cdp advertise-v2
!
!         
!
!
control-plane
!

!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 35791 0
timeout login response 300
line aux 0
line vty 0 4
exec-timeout 35791 0
timeout login response 300
login local
transport input ssh
line vty 5 15
exec-timeout 35791 0
timeout login response 300
login local
transport input ssh
!
ntp clock-period 17179838
ntp server 202.112.10.60 source FastEthernet0/1
!
end
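
An added example, not part of the original post: a small Python audit of the IKE-relevant lines of the RR5 configuration, listing settings to verify when certificate-authenticated IKE fails. The excerpt is copied from the configuration above, the inside network 192.168.0.0/24 is an assumption inferred from RR5's fa0/1 address, and the findings are items to check, not a confirmed cause.

```python
import ipaddress
import re

# Constructed excerpt: IKE-relevant lines copied from the RR5 configuration above.
CONFIG = """\
crypto pki trustpoint sys1
revocation-check crl
!
crypto isakmp policy 1
encr 3des
group 2
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 10.2.1.3
match address 100
!
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.1.0 0.0.0.255
"""

def sections(text):
    """Split a flattened config into blocks delimited by lone '!' lines."""
    blocks = [b.strip().splitlines() for b in re.split(r"(?m)^![ \t]*$", text)]
    return {b[0].strip(): [l.strip() for l in b[1:]] for b in blocks if b}

def net(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(text, inside_nets):
    """Return findings worth checking when certificate-based IKE fails."""
    secs, findings = sections(text), []
    for head, body in secs.items():
        name = head.split()[-1]
        if head.startswith("crypto pki trustpoint") and "revocation-check crl" in body:
            findings.append(f"trustpoint {name}: CRL check enforced, CDP must be reachable")
        if head.startswith("crypto isakmp policy") and not any(
                l.startswith("authentication") for l in body):
            findings.append(f"isakmp policy {name}: default rsa-sig authentication")
    acl_re = r"(?m)^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$"
    for acl, s, sw, d, dw in re.findall(acl_re, text):
        src, dst = net(s, sw), net(d, dw)
        in_use = any(f"match address {acl}" in body for body in secs.values())
        if in_use and not any(n.overlaps(src) or n.overlaps(dst) for n in inside_nets):
            findings.append(f"acl {acl}: protects {src} -> {dst}, no inside network")
    return findings

if __name__ == "__main__":
    # Assumption: 192.168.0.0/24 is the inside network, from RR5's fa0/1 address.
    for finding in audit(CONFIG, [ipaddress.ip_network("192.168.0.0/24")]):
        print(finding)
```

Running the same audit against RR7's configuration, which the post does not include, would show whether both peers agree on the ISAKMP policy and crypto ACL.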

Published: 2024-09-22 03:53:21
