MSR series routers
Configuring an IPSec tunnel with PKI (certificate) authentication
Keywords: MSR; IPSec; IKE; PKI; RSA; Win2003; certificate server
1. Network requirements:
As shown in the network diagram below, a Win2003 host is used as the certificate server (CA). Two MSR routers must establish an IPSec tunnel through IKE, and IKE authenticates the peers with PKI certificates (RSA signatures) issued by the Win2003 CA.
Equipment list: 2 MSR series routers, 1 Win2003 host
2. Network diagram:
3. Configuration steps:
Devices and version: MSR series, Version 5.20, Release 1509
Steps before configuration
// Run on both MSR1 and MSR2: generate a 1024-bit local RSA key pair (public and private key)
[MSR1]public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
..++++++ ..........++++++ ...++++++++ ..++++++++
MSR1 configuration
#
// Define IKE proposal 1 (the lowest number has the highest priority), authenticated with RSA signatures
 ike proposal 1
  authentication-method rsa-signature
#
// PKI entity msr1; these fields become the certificate Subject and must match what the CA (RA) expects
 pki entity msr1
  // Entity name (common name)
  common-name msr1
  // Organizational unit, keep consistent with the CA
  organization-unit ts-msr
  // Organization, keep consistent with the CA
  organization h
  // City, keep consistent with the CA
  locality bj
  // Country, keep consistent with the CA; CN is China
  country CN
#
// PKI domain h
 pki domain h
  // Name of the CA, obtained from the Win2003 section below
  ca identifier win2003
  // Certificate enrollment URL, obtained from the Win2003 section below
  certificate request url http://
  // Requests go through an RA (registration authority); required when the CA is Win2003
  certificate request from ra
  // Entity used for enrollment
  certificate request entity msr1
  // Enrollment mode and key length
  certificate request mode auto key-length 1024
  // Fingerprint of the CA certificate (the thumbprint shown in the Windows CA console), obtained from the Win2003 section below
  root-certificate fingerprint sha
  // URL for retrieving the CRL (certificate revocation list)
  crl url http://
#
// IKE peer MSR2
 ike peer msr2
  remote-address
  local-address
  // Authenticate with certificates from domain h
  certificate domain h
#
// IPSec proposal (security proposal)
 ipsec proposal default
#
// IPSec policy
 ipsec policy msr2 1 isakmp
  security acl 3000
  ike-peer msr2
  proposal default
#
// ACL defining the traffic to be protected
 acl number 3000
  rule 0 permit ip source 192.168.1.0
#
interface Ethernet0/0
 port link-mode route
 ip address
 // Apply the IPSec policy on the outbound interface
 ipsec policy msr2
#
interface Ethernet0/1
 port link-mode route
 ip address 192.168.1.1 255.255.255.0
#
// Static route to the peer's private network
 ip route-static 192.168.2.0 255.255.255.0
#
MSR2 configuration
#
// Define IKE proposal 1 (the lowest number has the highest priority), authenticated with RSA signatures
 ike proposal 1
  authentication-method rsa-signature
#
// PKI entity msr2; these fields become the certificate Subject and must match what the CA (RA) expects
 pki entity msr2
  // Entity name (common name)
  common-name msr2
  // Organizational unit, keep consistent with the CA
  organization-unit ts-msr
  // Organization, keep consistent with the CA
  organization h
  // City, keep consistent with the CA
  locality bj
  // Country, keep consistent with the CA; CN is China
  country CN
#
// PKI domain h
 pki domain h
  // Name of the CA, obtained from the Win2003 section below
  ca identifier win2003
  // Certificate enrollment URL, obtained from the Win2003 section below
  certificate request url http://
  // Requests go through an RA (registration authority); required when the CA is Win2003
  certificate request from ra
  // Entity used for enrollment
  certificate request entity msr2
  // Enrollment mode and key length
  certificate request mode auto key-length 1024
  // Fingerprint of the CA certificate (the thumbprint shown in the Windows CA console), obtained from the Win2003 section below
  root-certificate fingerprint sha
  // URL for retrieving the CRL (certificate revocation list)
  crl url http://
#
// IKE peer MSR1
 ike peer msr1
  remote-address
  local-address
  // Authenticate with certificates from domain h
  certificate domain h
#
// IPSec proposal (security proposal)
 ipsec proposal default
#
// IPSec policy
 ipsec policy msr1 1 isakmp
  security acl 3000
  ike-peer msr1
  proposal default
#
// ACL defining the traffic to be protected
 acl number 3000
  rule 0 permit ip source 192.168.2.0
#
interface Ethernet0/0
 port link-mode route
 ip address
 // Apply the IPSec policy on the outbound interface
 ipsec policy msr1
#
interface Ethernet0/1
 port link-mode route
 ip address 192.168.2.1 255.255.255.0
#
// Static route to the peer's private network
 ip route-static 192.168.1.0 255.255.255.0
#
Retrieving the certificates manually
// After the configuration above is complete, the following commands check that the certificates can be retrieved correctly.
// Step 1: retrieve the CA certificate; the prompts show whether it was obtained correctly
[MSR2]pki retrieval-certificate ca domain h
Retrieving CA/RA certificates. Please wait a while......
Saving CA/RA certificates chain, please wait a moment......
%Dec 20 21:02:08:705 2006 2 PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain h
CA certificates retrieval success.
[MSR2]
%Dec 20 21:02:08:754 2006 2 PKI/4/Update_CA_Cert:
%Dec 20 21:02:08:755 2006 2 PKI/4/CA_Cert_Retrieval:Retrieval CA certificates of the domain h
// The messages above show that the CA certificate (the root certificate) was obtained and its fingerprint verified.
// Step 2: request the local certificate, signed by the CA
[MSR2]pki request-certificate domain h
Certificate is being requested, please wait......
[MSR2]
Enrolling the local certificate,please wait a while......
Certificate request Successfully!
Saving the local certificate to device...... Done!
%Dec 20 21:02:29:02 2006 2 PKI/4/Local_Cert_Request:Request local certificate of the domain h
// The messages above show that the local certificate was obtained.
// Step 3: retrieve the CRL, the list of certificates the CA has revoked, so that a revoked certificate from the same CA is rejected
[MSR2]pki retrieval-crl domain h
Connecting to server for retrieving CRL. Please wait a while.....
CRL retrieval success!
[MSR2]
%Dec 20 21:03:59:211 2006 MSR2 PKI/4/Update_CRL:Update CRL of the domain h
%Dec 20 21:03:59:212 2006 MSR2 PKI/4/Retrieval_CRL:Retrieval CRL of the domain h
[MSR2]
// Display the CA certificate (display pki certificate ca domain h). The chain retrieved from the Win2003 SCEP server holds three certificates: two RA certificates issued by the CA for SCEP (Microsoft template names EnrollmentAgentOffline and CEPEncryption; one signs, one encrypts) and the root CA certificate itself (CA:TRUE, 2048-bit key, five-year validity). Key moduli, key identifiers and signatures are elided below as "...".
[MSR2]dis pki cert ca d h
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            613E...
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            CN=win2003
        Validity
            Not Before: Dec 20 12:08:59 2006 GMT
            Not After : Dec 20 12:18:59 2007 GMT
        Subject:
            C=CN
            ST=bj
            L=bj
            O=h
            OU=ts-msr
            CN=win2003
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage:
                EnrollmentAgentOffline (Microsoft template name, BMPString)
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                keyid:...
            X509v3 CRL Distribution Points:
                URI:http://ts-msr/CertEnroll/win2003.crl
                URI:file://\\ts-msr\CertEnroll\win2003.crl
            Authority Information Access:
                CA Issuers - URI:http://ts-msr/CertEnroll/ts-msr_win2003.crt
                CA Issuers - URI:file://\\ts-msr\CertEnroll\ts-msr_win2003.crt
    Signature Algorithm: sha1WithRSAEncryption
        ...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            613E1BA8 00000000 0003
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            CN=win2003
        Validity
            Not Before: Dec 20 12:08:59 2006 GMT
            Not After : Dec 20 12:18:59 2007 GMT
        Subject:
            C=CN
            ST=bj
            L=bj
            O=h
            OU=ts-msr
            CN=win2003
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment, Data Encipherment
            S/MIME Capabilities:
                ...
            X509v3 Extended Key Usage:
                CEPEncryption (Microsoft template name, BMPString)
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                keyid:...
            X509v3 CRL Distribution Points:
                URI:http://ts-msr/CertEnroll/win2003.crl
                URI:file://\\ts-msr\CertEnroll\win2003.crl
            Authority Information Access:
                CA Issuers - URI:http://ts-msr/CertEnroll/ts-msr_win2003.crt
                CA Issuers - URI:file://\\ts-msr\CertEnroll\ts-msr_win2003.crt
    Signature Algorithm: sha1WithRSAEncryption
        ...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ...
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            CN=win2003
        Validity
            Not Before: Dec 20 11:26:56 2006 GMT
            Not After : Dec 20 11:35:50 2011 GMT
        Subject:
            CN=win2003
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                ...
            X509v3 CRL Distribution Points:
                URI:http://ts-msr/CertEnroll/win2003.crl
                URI:file://\\ts-msr\CertEnroll\win2003.crl
            ...
    Signature Algorithm: sha1WithRSAEncryption
        ...
// Display the local certificate issued by the CA (display pki certificate local domain h). Its Subject is exactly the pki entity msr2 (no state was configured, so there is no ST attribute) and its Issuer is the CA named by `ca identifier`. The Win2003 CA issued it from the IPSec (offline request) template, as the template-name extension at the end shows.
[MSR2]dis pki cer lo d h
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61608B93 00000000 0005
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            CN=win2003
        Validity
            Not Before: Dec 20 12:46:36 2006 GMT
            Not After : Dec 20 12:56:36 2007 GMT
        Subject:
            C=CN
            L=bj
            O=h
            OU=ts-msr
            CN=msr2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                keyid:...
            X509v3 CRL Distribution Points:
                URI:http://ts-msr/CertEnroll/win2003.crl
                URI:file://\\ts-msr\CertEnroll\win2003.crl
            Authority Information Access:
                CA Issuers - URI:http://ts-msr/CertEnroll/ts-msr_win2003.crt
                CA Issuers - URI:file://\\ts-msr\CertEnroll\ts-msr_win2003.crt
            IPSECIntermediateOffline (Microsoft template name, BMPString)
    Signature Algorithm: sha1WithRSAEncryption
        ...
// Display the CRL (display pki crl domain h). It was issued on Dec 20 and is valid until its Next Update one week later; it currently lists no revoked certificates. The last two extensions are Microsoft-specific (the next CRL publish time and an LDAP distribution point); the router does not use them and fetches the CRL from the http:// `crl url` instead.
[MSR2]dis pki cr d h
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            CN=win2003
        Last Update: Dec 20 11:27:13 2006 GMT
        Next Update: Dec 27 23:47:13 2006 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:...
            ...
            X509v3 CRL Number:
                1
            ...
                061227113713Z
            ...
                ldap:///CN=win2003,CN=ts-msr,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
        ...
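Reading these dumps by eye is error-prone, so here is a small checker, added for this page and not part of the original guide or of H3C's software, that parses the text the router prints and compares it with the `pki entity` and `pki domain` settings: Subject against the entity fields, Issuer against `ca identifier`, the validity window, the key size, which certificate in the CA dump is the root, and whether the CRL is stale or lists the local serial. The sample dumps inside it are constructed in the router's output format (the CRL is given one revoked serial, which the page's CRL did not have); the `at("YYYY-MM-DD")` evaluation date and the 2048-bit key threshold are the example's own choices.

```python
"""Checks on the text printed by `display pki certificate local/ca domain` and
`display pki crl domain`. Added example, not code from the original H3C guide: it parses
the OpenSSL-style dump shown above and compares it with the values set under `pki entity`
and `pki domain`. The dumps below are constructed in that format ("..." = elided bytes)."""
import re
from datetime import datetime, timezone

FMT = "%b %d %H:%M:%S %Y GMT"        # date form in the dump, e.g. "Dec 20 12:46:36 2006 GMT"
# `pki entity msr2`, keyed by the Subject attribute each field becomes:
# common-name=CN, organization-unit=OU, organization=O, locality=L, country=C.
ENTITY_MSR2 = {"CN": "msr2", "OU": "ts-msr", "O": "h", "L": "bj", "C": "CN"}
CA_IDENTIFIER = "win2003"            # `ca identifier win2003` in `pki domain h`

LOCAL_CERT = """Certificate:
        Serial Number:
            61608B93 00000000 0005
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            CN=win2003
            Not Before: Dec 20 12:46:36 2006 GMT
            Not After : Dec 20 12:56:36 2007 GMT
        Subject:
            C=CN
            L=bj
            O=h
            OU=ts-msr
            CN=msr2
        RSA Public Key: (1024 bit)
"""
CA_CHAIN = """Certificate:
        Subject:
            OU=ts-msr
            CN=win2003
Certificate:
        Subject:
            CN=win2003
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
CRL = """Certificate Revocation List (CRL):
        Last Update: Dec 20 11:27:13 2006 GMT
        Next Update: Dec 27 23:47:13 2006 GMT
Revoked Certificates:
    Serial Number: 613E1BA8 00000000 0003
"""

def at(day):                         # "YYYY-MM-DD" -> aware UTC datetime used as "now"
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def parse_dn(text, label):           # DN printed one attribute per line under `label:`
    m = re.search(rf"^\s*{label}:\s*\n((?:[ \t]*[A-Z]{{1,2}}=.*\n)+)", text, re.M)
    return dict(re.findall(r"^\s*([A-Z]{1,2})=(.+?)\s*$", m.group(1), re.M))

def parse_time(text, field):         # `Not Before:` / `Not After :` / `Next Update:`
    raw = re.search(rf"{field}\s*:\s*(.+?)\s*$", text, re.M).group(1)
    return datetime.strptime(raw, FMT).replace(tzinfo=timezone.utc)

def serial_of(cert_text):            # serial with the dump's spaces/line breaks removed
    m = re.search(r"Serial Number:\s*([0-9A-Fa-f\s]+?)\s*Signature Algorithm", cert_text)
    return re.sub(r"\s", "", m.group(1)).upper()

def check_local_cert(dump, entity, ca_identifier, today, min_key_bits=2048):
    """Findings for the local certificate; [] means it matches the config and is valid."""
    now, findings = at(today), []
    subject, issuer = parse_dn(dump, "Subject"), parse_dn(dump, "Issuer")
    # The Win2003 RA copies the entity fields into the Subject; a mismatch is the usual
    # reason enrollment is refused or the peer does not accept the certificate.
    for attr, want in entity.items():
        if subject.get(attr) != want:
            findings.append(f"subject {attr}={subject.get(attr)!r}, pki entity has {want!r}")
    if issuer.get("CN") != ca_identifier:
        findings.append(f"issuer CN={issuer.get('CN')!r} is not ca identifier {ca_identifier!r}")
    nb, na = parse_time(dump, "Not Before"), parse_time(dump, "Not After")
    if not nb <= now <= na:
        findings.append(f"not valid on {now:%Y-%m-%d} (valid {nb:%Y-%m-%d} to {na:%Y-%m-%d})")
    bits = int(re.search(r"RSA Public Key: \((\d+) bit\)", dump).group(1))
    if bits < min_key_bits:
        findings.append(f"RSA key is {bits} bits, below {min_key_bits}")
    return findings

def root_ca_subject(ca_chain):
    """Subject of the CA:TRUE certificate in the CA dump (the others are the SCEP RA
    certificates); None if there is no root in the chain."""
    for cert in ca_chain.split("Certificate:")[1:]:
        if "CA:TRUE" in cert:
            return parse_dn(cert, "Subject")
    return None

def check_crl(crl, local_serial, today):
    """Findings for the CRL: past its Next Update, or listing `local_serial` as revoked."""
    now, findings = at(today), []
    if parse_time(crl, "Next Update") < now:
        findings.append("CRL is past its Next Update; retrieve a fresh one")
    revoked = set()
    if "No Revoked Certificates" not in crl:
        body = crl.split("Revoked Certificates:", 1)[1]
        revoked = {re.sub(r"\s", "", s).upper()
                   for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f][0-9A-Fa-f ]*)", body)}
    if local_serial.upper() in revoked:
        findings.append(f"local certificate {local_serial} is revoked")
    return findings
```

To use it on a real router, paste the three `display` outputs into the three strings (or read them from files) and call `check_local_cert`, `root_ca_subject` and `check_crl` with today's date; every finding corresponds to a reason the IKE negotiation would fail at the certificate step.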
Setting up the CA server on Win2003
1. Install the CA: in Add or Remove Programs, choose Add/Remove Windows Components on the left.
2. In the Windows Components Wizard, tick Certificate Services and click Next.
3. A prompt appears; choose Yes.
4. Choose Stand-alone root CA and click Next.
5. Enter the CA name; win2003 is used here (this is the `ca identifier` configured on the routers).
6. Keep the default certificate database settings, click Next and complete the installation. Note: the Win2003 installation disc or files (the i386 folder) must be available.
7. Install SCEP, which can be downloaded from the Microsoft website as cepsetup.exe. SCEP (Simple Certificate Enrollment Protocol) is the protocol the routers use to obtain certificates; Win2003 does not install it by default.
8. Choose Yes in the dialog and click Next.
9. Clear the "Require SCEP Challenge Phrase to Enroll" check box and click Next.
10. Enter the RA information. These values are matched against the information the router sends when it requests a certificate (the pki entity), so fill in Name, Company, Department, City and Country carefully.
11. Click Next to complete the setup.
12. After clicking Finish, the setup program displays the certificate enrollment URL; this is the `certificate request url` of pki domain h.
13. Open Control Panel and choose Administrative Tools.
14. Choose Certification Authority.
15. Right-click win2003 and choose Properties.
16. Switch to the Policy Module tab and click Properties.
17. Select the automatic-issue option ("If possible, follow the settings in the certificate template; otherwise, automatically issue the certificate") and click OK.
18. The system prompts that Certificate Services must be restarted.
19. Right-click My Computer on the desktop and choose Manage.
20. In the tree, open Services and Applications and select Services.
21. In the right pane, right-click "Certificate Services" and choose Restart. The Win2003 certificate service is now configured.
22. Back in the Properties dialog of step 15, click View Certificate on the General tab to obtain the name information the router needs when it requests a certificate.
23. The certificate subject is win2003, the `ca identifier` of pki domain h.
24. The thumbprint algorithm and thumbprint are shown here; they are the `root-certificate fingerprint` algorithm and value of pki domain h.
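Step 24 is where the value for `root-certificate fingerprint` comes from, and it is the one value in this setup that must be correct by construction, since the router later fetches the CA certificate over plain HTTP and has nothing else to compare it against. The following added example (not from the original guide or from H3C) computes the thumbprint from the exported CA certificate file so it can be cross-checked against what the console shows before it is typed into the router. It assumes the router keyword is `sha1` (the page's command is truncated at `sha`) and uses a constructed byte string in place of a real certificate, since the hash is taken over the DER bytes whatever they contain.

```python
"""Compute the `root-certificate fingerprint` value for a CA certificate file.

Added example, not code from the original guide. The Windows CA console (step 24) shows
the thumbprint as space-separated hex bytes; the router wants the same hash over the
DER-encoded certificate as one hex string. This reads the exported CA certificate (DER
.cer or Base64/PEM .crt), hashes it, prints the command line to paste, and checks a
thumbprint copied from the console against it. The `sha1` keyword is assumed (page: `sha`).
"""
import base64
import hashlib
import re
import sys

PEM_BODY = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Accept PEM (Base64 between BEGIN/END lines) or raw DER; return the DER bytes."""
    m = PEM_BODY.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def fingerprint(data: bytes, algo: str = "sha1") -> str:
    """Upper-case hex digest over the DER encoding: what the console calls the thumbprint."""
    return hashlib.new(algo, to_der(data)).hexdigest().upper()


def normalize(shown: str) -> str:
    """Thumbprint as copied from a GUI ('a1 b2 c3', 'A1:B2:C3', ...) -> 'A1B2C3'."""
    return re.sub(r"[^0-9A-Fa-f]", "", shown).upper()


def thumbprint_matches(shown: str, data: bytes, algo: str = "sha1") -> bool:
    """True when the thumbprint read off the console equals the hash of the file.
    A mistyped value makes the router reject the CA certificate at
    `pki retrieval-certificate ca`, so check before configuring it."""
    return normalize(shown) == fingerprint(data, algo)


def fingerprint_command(data: bytes, algo: str = "sha1") -> str:
    """The `pki domain` line to configure (the `sha1` keyword is assumed, see above)."""
    return f"root-certificate fingerprint {algo} {fingerprint(data, algo)}"


# Constructed stand-in for an exported certificate (not a real X.509 structure; the
# hash does not care), once as DER and once wrapped as PEM.
SAMPLE_DER = bytes(range(256)) * 4
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # usage: python fingerprint.py ts-msr_win2003.crt ["<thumbprint from the console>"]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(fingerprint_command(blob))
    if len(sys.argv) > 2:
        print("console thumbprint matches" if thumbprint_matches(sys.argv[2], blob)
              else "MISMATCH: do not configure this fingerprint")
```

Run it against the certificate exported from the console (or the file behind the CA Issuers URI in the dumps above, ts-msr_win2003.crt) together with the thumbprint read from the console; if the two disagree, the file obtained over the network is the one to distrust.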
4. Configuration key points:
1) The graphical configuration on Win2003 is far more involved than the router command line; be patient.
2) Refer to the relevant examples in "Typical Configuration Examples for Low- and Mid-range Routers" (《中低端路由器典型配置实例》).
3) With the SCEP challenge phrase disabled (step 9) and the policy module set to issue automatically (step 17), any host that can reach the enrollment URL obtains a certificate from win2003 without further checks, and both routers trust every certificate that CA issues for IKE. Limit which hosts can reach the CA, and re-enable the challenge phrase (or set requests to pending) once the two routers have enrolled.
4) Certificate and CRL retrieval use plain http:// URLs, so the `root-certificate fingerprint` configured in the PKI domain is the only check that the CA certificate the router downloaded is the genuine one. Take the thumbprint from the CA console (step 24), not from anything fetched over the network, and verify it before typing it in.
5) The key pairs here are 1024-bit RSA and the CA signs with SHA-1 (the sha1WithRSAEncryption lines in the dumps); both are below current recommendations. The `public-key local create rsa` command on this release accepts moduli up to 2048 bits; use the largest the peers support.
6) The CRL shown is valid for one week (Last Update to Next Update); the `crl url` must stay reachable so the routers can refresh it before it expires.