-----END CERTIFICATE-----
quit
ERROR: Certificate already exists in the trustpoint ASDM_TrustPoint1
ERROR: Failed to parse or verify imported certificate
ciscoasa(config)# CRYPTO_PKI: status = 1795: failed to verify or insert the cert into storage
---- The import reports an error, but the tunnel still negotiates successfully (the cause of the error is not understood)
ciscoasa(config)# write memory --- save the configuration
ciscoasa(config)# show crypto ca certificates ---- shows the two successfully imported certificates (the CA certificate and the local certificate)
2.3 IPsec/IKE configuration (certificate-based authentication)
The basic configuration in this section uses certificate authentication. If you use the pre-shared key method instead, only the IKE authentication method and the tunnel group need to change; see section 2.5 for details.
Configure the IKE proposal
IKEv1:
crypto ikev1 policy 111 ---- configure the IKE proposal
authentication rsa-sig ----- authentication method: certificates (use pre-share for pre-shared keys)
encryption des
hash sha
group 2
lifetime 86400
IKEv2:
crypto ikev2 policy 111
encryption des
integrity sha
group 2
prf sha
lifetime seconds 86400
Configure the identity used for authentication
crypto isakmp identity auto -------- peer identity method set to auto, which adapts to certificate or pre-shared key authentication
Enable IKEv1 on the interface
crypto ikev1 enable if_e0/0
Configure the ACL
access-list if_e0/0_cryptomap_1 extended permit ip host 2.2.2.2 host 1.1.1.1
Configure the IPsec proposal
crypto ipsec ikev1 transform-set 111 esp-des esp-md5-hmac
Configure the IPsec policy (crypto map)
crypto map if_e0/0_map 1 match address if_e0/0_cryptomap_1 --- bind the ACL to the policy
crypto map if_e0/0_map 1 set peer 10.0.0.1 ----- set the peer IP
crypto map if_e0/0_map 1 set ikev1 phase1-mode aggressive ------ aggressive mode
crypto map if_e0/0_map 1 set ikev1 transform-set 111 ----- reference the IPsec proposal
crypto map if_e0/0_map 1 set trustpoint ASDM_TrustPoint1 ----- reference the certificate
crypto map if_e0/0_map interface if_e0/0 ------ bind to the interface
Configure the tunnel group
tunnel-group 10.0.0.1 type ipsec-l2l ----- configure the tunnel group, named after the peer IP address
tunnel-group 10.0.0.1 ipsec-attributes
ikev1 trust-point ASDM_TrustPoint1 ------- reference the local certificate configuration
Note: a tunnel group named with an IP address accepts peers that authenticate with an IP, name or user-fqdn identity.
A tunnel group with a non-IP name only accepts peers that use a non-IP identity, and the name must match the peer's ID.
2.4 Configuring IKEv2
To support IKEv2 as well, add the following on top of the configuration above (both v1 and v2 are then supported). To support IKEv2 only, replace the corresponding parts of the configuration with the following.
Create the IKE proposal
crypto ikev2 policy 1
encryption des
integrity sha
group 2
prf sha
lifetime seconds 86400
Enable IKEv2 on the interface
crypto ikev2 enable if_e0/0
Create the IPsec proposal
crypto ipsec ikev2 ipsec-proposal 1 protocol esp encryption des
protocol esp integrity md5
Reference the IPsec proposal in the crypto map
crypto map if_e0/0_map 1 set ikev2 ipsec-proposal 1
Configure the tunnel group
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication certificate ASDM_TrustPoint1
2.5 Using pre-shared keys
The basic configuration is the same as in section 2.3; the differences are as follows:
Configure the tunnel group
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
ikev1 pre-shared-key ***** ---- when using IKEv1
ikev2 remote-authentication pre-shared-key ***** ------ when using IKEv2
ikev2 local-authentication pre-shared-key *****
In the IKE proposal, select pre-shared key as the authentication method
crypto ikev1 policy 111
authentication pre-share
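The proposals in sections 2.3 to 2.5 use DES, MD5, SHA-1, DH group 2 and IKEv1 aggressive mode, which are fine for a lab but would all be flagged in a configuration review. As an added example that is not part of the original document, here is a small Python linter that reads ASA configuration text of that kind and reports such settings; the sample config is re-typed from the sections above, and the reasons given are the example author's summary of common hardening guidance, not Cisco text.

```python
import re

# Constructed test input: the IKE/IPsec lines from sections 2.3 to 2.5 above, not a real device capture.
SAMPLE_CONFIG = """\
crypto ikev1 policy 111
 encryption des
 hash sha
 group 2
crypto ikev2 policy 111
 encryption des
 integrity sha
 group 2
 prf sha
crypto ipsec ikev1 transform-set 111 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal 1
 protocol esp encryption des
 protocol esp integrity md5
crypto map if_e0/0_map 1 set ikev1 phase1-mode aggressive
"""

# Algorithm keywords (ASA spelling) to report, and why; on the ASA 'sha' means SHA-1.
WEAK_ALGS = {
    "des": "single DES (56-bit key) is brute-forceable",
    "3des": "3DES is deprecated (64-bit block size)",
    "md5": "MD5-based integrity is deprecated",
    "sha": "SHA-1 integrity is legacy; prefer sha256 or stronger",
}
WEAK_GROUPS = {"1": "768-bit", "2": "1024-bit", "5": "1536-bit"}  # MODP groups below 2048 bits


def lint_asa_crypto(config: str) -> list[tuple[str, str]]:
    """Return (location, reason) pairs for weak IKE/IPsec settings in ASA config text."""
    findings, context = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto") and not raw.startswith(" "):
            context = line  # enclosing policy/proposal/map line, for readable reports
        where = line if line == context else f"{context} > {line}"
        for tok in line.split():
            alg = re.sub(r"^esp-|-hmac$", "", tok.lower())  # esp-md5-hmac -> md5
            if alg in WEAK_ALGS:
                findings.append((where, WEAK_ALGS[alg]))
        m = re.fullmatch(r"group (\d+)", line)
        if m and m.group(1) in WEAK_GROUPS:
            findings.append((where, f"DH group {m.group(1)} is {WEAK_GROUPS[m.group(1)]}; use group 14 or higher"))
        if "phase1-mode aggressive" in line:
            findings.append((where, "IKEv1 aggressive mode sends identities unencrypted; use main mode"))
    return findings
```

Running lint_asa_crypto(SAMPLE_CONFIG) yields twelve findings for the sample above; feed it the output of show running-config crypto to check a live device.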
2.6 How to enable Cisco debugging
debug crypto ikev1
debug crypto ikev2
debug crypto ca
debug crypto ipsec