Lab
Topology:
Requirement 1: the subnets and device IP addresses are as shown in the topology.
Configuration on the HUB:
HUB(config)#int f0/0
HUB(config-if)#ip add 202.100.1.100 255.255.255.0
HUB(config-if)#duplex full
HUB(config-if)#no sh
Configuration on Spoke1:
Spoke1(config)#int f0/0
Spoke1(config-if)#ip add 202.100.1.1 255.255.255.0
Spoke1(config-if)#no sh
Configuration on Spoke2:
Spoke2(config)#int f0/0
Spoke2(config-if)#ip add 202.100.1.2 255.255.255.0
Spoke2(config-if)#no sh
Test:
Requirement 2: configure DMVPN with certificate authentication:
The tunnel address range is 172.16.1.0/24
Requirement: the HUB acts as both the CA server and the NTP server
Requirement: use an isakmp profile named isaprof
Requirement: use a certificate map that matches subjects containing the keyword "o=qytang"
First enable the NTP service on the HUB and synchronize the clocks
HUB(config)#clock timezone GMT +8
HUB#clock set 12:00:00 19 mar 2016
HUB(config)#ntp master
Spoke1(config)#clock timezone GMT +8
Spoke1(config)#NTP SERver 202.100.1.100
Spoke2(config)#clock timezone GMT +8
Spoke2(config)#ntp server 202.100.1.100
Time is now synchronized
Enable the HTTP server
HUB(config)#ip http server
Configure the domain name
HUB(config)#ip domain name qyt.com
Create the CA server, named CA
HUB(config)#crypto pki server CA
HUB(cs-server)#issuer-name cn=hub-ca,o=qytang,ou=qytsec
HUB(cs-server)#grant auto
HUB(cs-server)#lifetime certificate 300
HUB(cs-server)#lifetime ca-certificate 365
HUB(cs-server)#no sh
Check the CA server status
Configure Spoke1: enrollment via SCEP
Spoke1(config)#ip domain name qyt.com
Configure the Spoke1 trustpoint
Spoke1(config)#crypto pki trustpoint spoke1
Spoke1(ca-trustpoint)#enrollment url http://202.100.1.100
Spoke1(ca-trustpoint)#subject-name cn=Spoke1.qyt.com,o=qutang,ou=qytangrs
Spoke1(ca-trustpoint)#revocation-check crl
Spoke1 authenticates the CA server and obtains the root certificate
Spoke1(config)#crypto pki authenticate spoke1
Spoke1 requests its identity certificate
Spoke1(config)#crypto pki enroll spoke1
Check on the CA server and issue the certificate (because of grant auto, it was issued automatically!)
Configure Spoke2: enrollment via PKCS#10
Configure the domain name
Spoke2(config)#ip domain name qyt.com
Configure the Spoke2 trustpoint
Spoke2(config)#CRYpto pki trustpoint spoke2
Spoke2(ca-trustpoint)#enrollment terminal
Spoke2(ca-trustpoint)#subject-name cn=Spoke2.qyt.com,o=qutang,ou=qytangdc
Spoke2(ca-trustpoint)#revocation-check none
Export the root certificate from the CA server
HUB(config)#crypto pki export CA pem terminal
% The specified trustpoint is not enrolled (CA).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
MIICPzCCAaigAwIBAgIBATANBgkqhkiG9w0BAQQFADAzMQ8wDQYDVQQLEwZxeXRz
ZWMxDzANBgNVBAoTBnF5dGFuZzEPMA0GA1UEAxMGaHViLWNhMB4XDTE2MDMxOTA0
MDE0N1oXDTE3MDMxOTA0MDE0N1owMzEPMA0GA1UECxMGcXl0c2VjMQ8wDQYDVQQK
EwZxeXRhbmcxDzANBgNVBAMTBmh1Yi1jYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEA5GOl+dxNOnREBCR2O+8QIhevUF6bSpYvqNod2+weWhzVcvzfpQJEwGHA
zuZlQ/KxdxNVRDR8iOJIPVKYqiaFEPoG8GMpNVLUQ+qd5mNbc0LkGDcaNQWgbFNA
ybdIVP2x8vFvLM7JLiM5ot2ebp9PnZsxvdx4QlYhBGCf/JVQ2isCAwEAAaNjMGEw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAUGWMy
EB3jteefro3MvqPDYu4IzLAwHQYDVR0OBBYEFBljMhAd47Xnn66NzL6jw2LuCMyw
MA0GCSqGSIb3DQEBBAUAA4GBADQX8+8AwAkGUVD3V+1oN+fdO5UVxO6tXSLShfFr
Honx8E//F+nRXJBC9scmE7uhsItMpTHwldsCfgrQ+oeqFYVTcGq4dP2olwftCwJ9
AC+3XIgzHFgmb3GsIjEWiXnfxYLA15HvakSz5eJ1UlomD3Du5HwtsCxBY9PLW3mR
kv49
-----END CERTIFICATE-----
R2 (Spoke2) authenticates the CA and loads the root certificate
Spoke2(config)#crypto pki authenticate spoke2
Spoke2 generates the certificate request file (PKCS#10)
Spoke2(config)#crypto pki enroll spoke2
The CA server takes the request and issues the certificate
HUB#crypto pki server CA request pkcs10 terminal
Spoke2 imports its identity certificate
Spoke2(config)#crypto pki import spoke2 certificate
HUB(config)#crypto pki trustpoint ca
HUB(ca-trustpoint)#enrollment url http://202.100.1.100
HUB(ca-trustpoint)#subject-name cn=hub-ca,o=qytang,ou=qytsec
HUB(ca-trustpoint)#revocation-check crl
HUB(ca-trustpoint)#rsakeypair hub.qyt.com
HUB(ca-trustpoint)#no sh
HUB(config)#crypto pki certificate map hub.pkimap 10
HUB(ca-certificate-map)#subject-name co o=qytang
HUB(config)#crypto isakmp policy 10
HUB(config-isakmp)#encryption 3des
HUB(config-isakmp)#hash md5
HUB(config-isakmp)#group 2
HUB(config)#crypto isakmp profile isaprof
HUB(conf-isa-prof)#ca trust-point ca
HUB(conf-isa-prof)#match certificate hub.pkimap
HUB(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
HUB(config)#crypto ipsec profile ipsecprof
HUB(ipsec-profile)# set transform-set cisco
HUB(ipsec-profile)#set isakmp-profile isaprof
HUB(config)#int tunnel 0
HUB(config-if)#ip add 172.16.1.100 255.255.255.0
HUB(config-if)#no ip redirects
HUB(config-if)#ip mtu 1400
HUB(config-if)#no ip next-hop-self eigrp 100
HUB(config-if)#ip nhrp authentication cisco
HUB(config-if)#ip nhrp map multicast dynamic
HUB(config-if)#ip nhrp network-id 321
HUB(config-if)#no ip split-horizon eigrp 100
HUB(config-if)#tunnel source f0/0
HUB(config-if)#tunnel mode gre multipoint
HUB(config-if)#tunnel key 123
HUB(config-if)#tunnel protection ipsec profile ipsecprof
HUB(config)#router eigrp 100
HUB(config-router)#network 172.16.1.0 0.0.0.255
Spoke1(config)#crypto pki trustpoint spoke1
Spoke1(ca-trustpoint)#rsakeypair spoke1.qyt.com
Spoke1(config)#crypto pki certificate map spoke1.pkimap 10
Spoke1(ca-certificate-map)#subject-name co o=qytang
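The certificate maps on the HUB and on Spoke1 both use `subject-name co o=qytang`, which IOS evaluates as a case-insensitive substring test against the peer certificate's subject string. As an added example (not part of this lab's configuration), the following Python parses the CA certificate exported from the HUB above with a minimal DER walker (no third-party library), renders its issuer and subject the way IOS prints them, and applies the `co` test. The `subject_name_co` function models the IOS operator as a case-insensitive substring match, which is an assumption about the platform, not something the page states. Note that the spoke trustpoints on this page carry `o=qutang` in their `subject-name`, which the same test does not match against `o=qytang`; the constructed check at the end shows that.

```python
import base64

# CA certificate as exported from the HUB in this lab (copied from the page).
CA_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICPzCCAaigAwIBAgIBATANBgkqhkiG9w0BAQQFADAzMQ8wDQYDVQQLEwZxeXRz
ZWMxDzANBgNVBAoTBnF5dGFuZzEPMA0GA1UEAxMGaHViLWNhMB4XDTE2MDMxOTA0
MDE0N1oXDTE3MDMxOTA0MDE0N1owMzEPMA0GA1UECxMGcXl0c2VjMQ8wDQYDVQQK
EwZxeXRhbmcxDzANBgNVBAMTBmh1Yi1jYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEA5GOl+dxNOnREBCR2O+8QIhevUF6bSpYvqNod2+weWhzVcvzfpQJEwGHA
zuZlQ/KxdxNVRDR8iOJIPVKYqiaFEPoG8GMpNVLUQ+qd5mNbc0LkGDcaNQWgbFNA
ybdIVP2x8vFvLM7JLiM5ot2ebp9PnZsxvdx4QlYhBGCf/JVQ2isCAwEAAaNjMGEw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAUGWMy
EB3jteefro3MvqPDYu4IzLAwHQYDVR0OBBYEFBljMhAd47Xnn66NzL6jw2LuCMyw
MA0GCSqGSIb3DQEBBAUAA4GBADQX8+8AwAkGUVD3V+1oN+fdO5UVxO6tXSLShfFr
Honx8E//F+nRXJBC9scmE7uhsItMpTHwldsCfgrQ+oeqFYVTcGq4dP2olwftCwJ9
AC+3XIgzHFgmb3GsIjEWiXnfxYLA15HvakSz5eJ1UlomD3Du5HwtsCxBY9PLW3mR
kv49
-----END CERTIFICATE-----"""

# Attribute short names as IOS shows them in a subject/issuer string.
OID_NAMES = {"2.5.4.3": "cn", "2.5.4.10": "o", "2.5.4.11": "ou"}


def read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def children(der):
    """Split a constructed DER value into its list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        out.append((tag, value))
    return out


def decode_oid(raw):
    """Decode DER OID bytes into dotted form, e.g. 55 04 0a -> 2.5.4.10."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def name_to_ios_string(name_der):
    """Render an X.501 Name as cn=...,o=...,ou=... (the order the lab used for issuer-name)."""
    parts = []
    for _, rdn_set in children(name_der):              # Name ::= SEQUENCE OF RDN
        for _, atv in children(rdn_set):               # RDN  ::= SET OF AttributeTypeAndValue
            (_, oid_raw), (_, value) = children(atv)   # SEQUENCE { type OID, value }
            oid = decode_oid(oid_raw)
            parts.append(f"{OID_NAMES.get(oid, oid)}={value.decode('utf-8', 'replace')}")
    return ",".join(reversed(parts))                   # DER stores ou,o,cn; IOS prints cn first


def certificate_dns(pem):
    """Return {'issuer': ..., 'subject': ...} for a PEM-encoded X.509 certificate."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    _, cert, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return {"issuer": name_to_ios_string(fields[2][1]),
            "subject": name_to_ios_string(fields[4][1])}


def subject_name_co(dn_string, needle):
    """Model of the certificate-map 'subject-name co <string>' operator (assumed
    here to be a case-insensitive substring test)."""
    return needle.lower() in dn_string.lower()


def certificate_map_matches(pem, needle):
    """Would a map line 'subject-name co <needle>' accept this certificate?"""
    return subject_name_co(certificate_dns(pem)["subject"], needle)


if __name__ == "__main__":
    print(certificate_dns(CA_CERT_PEM))
    print("CA cert matches o=qytang:", certificate_map_matches(CA_CERT_PEM, "o=qytang"))
    # Subject string as configured on the Spoke1 trustpoint on this page (note qutang):
    spoke1_subject = "cn=Spoke1.qyt.com,o=qutang,ou=qytangrs"
    print("Spoke1 subject matches o=qytang:", subject_name_co(spoke1_subject, "o=qytang"))
```

The parser only walks far enough into the TBSCertificate to reach the issuer and subject; it performs no signature or validity checking, so it is a tool for reasoning about map matching, not a substitute for the trustpoint's own validation. Because `co` is a substring test, a needle such as `ou=qytang` also matches `ou=qytangrs`, which is worth keeping in mind when the organisation and OU values share a prefix.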
Spoke1(config)#crypto isakmp policy 10
Spoke1(config-isakmp)#encryption 3des
Spoke1(config-isakmp)#hash md5
Spoke1(config-isakmp)#group 2
Spoke1(config)#crypto isakmp profile isaprof
Spoke1(conf-isa-prof)#ca trust-point spoke1
Spoke1(conf-isa-prof)#match certificate spoke1.pkimap
Spoke1(config)#crypto ipsec transform-set cisco esp-des esp-md5-hmac
Spoke1(config)#crypto ipsec profile ipsecprof
Spoke1(ipsec-profile)#set transform-set cisco
Spoke1(ipsec-profile)#set isakmp-profile isaprof
Spoke1(config)#int lo 0
Spoke1(config-if)#ip add 10.1.1.1 255.255.255.0
Spoke1(config-if)#no sh
Spoke1(config)#int tunnel 0
Spoke1(config-if)#ip add 172.16.1.1 255.255.255.0
Spoke1(config-if)#no ip redirects
Spoke1(config-if)#ip mtu 1400
Spoke1(config-if)#ip nhrp authentication cisco
Spoke1(config-if)#ip nh map 172.16.1.100 202.100.1.100
Spoke1(config-if)#ip nh map multicast 202.100.1.100
Spoke1(config-if)#ip nh network-id 321
Spoke1(config-if)#ip nhrp nhs 172.16.1.100
Spoke1(config-if)#tunnel source f0/0
Spoke1(config-if)#tunnel mode gre multipoint
Spoke1(config-if)#tunnel key 123
Spoke1(config-if)#tunnel protection ipsec profile ipsecprof
Spoke1(config)#router eigrp 100
Spoke1(config-router)#network 10.1.1.0 0.0.0.255
Spoke1(config-router)#net 172.16.1.0 0.0.0.255
Spoke1(config-router)#no auto-summary
Since I haven't learned GETVPN yet, I could only do certificate authentication; there's really no way around it...