
Configuring IPSec tunnels with PKI authentication on MSR series routers

Keywords: MSR; IPSec; IKE; PKI; RSA; Win2003; certificate server

1. Network requirements:
As shown in the network diagram below, a Win2003 host serves as the certificate server. Two MSR routers need to establish an IPSec tunnel through IKE; IKE authenticates the peers with PKI certificates, which are issued by the Win2003 certificate server.
Equipment list: 2 MSR series routers, 1 Win2003 host.

2. Network diagram:
(figure not reproduced)

3. Configuration steps:
Devices and version: MSR series, Version 5.20, Release 1509
(The IP addresses of the interfaces, IKE peers, ACL rules and static routes are missing from this copy of the document; the affected lines are shown as they survive.)

Preparation:
// Run the following on both MSR1 and MSR2 to generate a 1024-bit local RSA key pair (public and private key)

    [MSR1] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits of the modulus[default = 1024]:
    Generating Keys...
    ++++++++++++

MSR1 configuration:

    #
    // Define IKE proposal 1 (lowest number, so highest priority), authenticated with RSA signatures
    ike proposal 1
     authentication-method rsa-signature
    #
    // PKI entity msr1
    pki entity msr1
     common-name msr1                  // name of the entity
     organization-unit ts-msr          // organizational unit; must match the CA
     organization h3c                  // organization; must match the CA
     locality bj                       // locality; must match the CA
     country CN                        // country; must match the CA, CN = China
    #
    // PKI domain h3c
    pki domain h3c
     ca identifier win2003             // CA name; obtained as described later
     certificate request url 11/certsrv/mscep/mscep.dll   // enrollment URL; obtained as described later
     certificate request from ra       // enroll through the RA (registration authority); required with Win2003
     certificate request entity msr1   // entity used for the request
     certificate request mode auto key-length 1024   // request mode and key length
     root-certificate fingerprint sha1 c4cb24743e26d601f23b7618b4e749a1061d9eb0   // CA certificate fingerprint (thumbprint); obtained as described later
     crl url 11/certenroll/win2003.crl   // download URL of the CRL (certificate revocation list)
    #
    // IKE peer msr2
    ike peer msr2
     remote-address
     local-address
     certificate domain h3c            // certificate domain h3c
    #
    // IPSec proposal (security proposal)
    ipsec proposal default
    #
    // IPSec policy
    ipsec policy msr2 1 isakmp
     security acl 3000
     ike-peer msr2
     proposal default
    #
    // ACL defining the traffic to protect
    acl number 3000
     rule 0 permit ip source 55 destination 55
    #
    interface Ethernet0/0
     port link-mode route
     ip address
     ipsec policy msr2                 // bind the IPSec policy to the outbound interface
    #
    interface Ethernet0/1
     port link-mode route
     ip address 255.255.255.0
    #
    // Static route to the peer's private network
    ip route-static
    #

MSR2 configuration:

    #
    // Define IKE proposal 1 (lowest number, so highest priority), authenticated with RSA signatures
    ike proposal 1
     authentication-method rsa-signature
    #
    // PKI entity msr2
    pki entity msr2
     common-name msr2                  // name of the entity
     organization-unit ts-msr          // organizational unit; must match the CA
     organization h3c                  // organization; must match the CA
     locality bj                       // locality; must match the CA
     country CN                        // country; must match the CA, CN = China
    #
    // PKI domain h3c
    pki domain h3c
     ca identifier win2003             // CA name; obtained as described later
     certificate request url 11/certsrv/mscep/mscep.dll   // enrollment URL; obtained as described later
     certificate request from ra       // enroll through the RA (registration authority); required with Win2003
     certificate request entity msr2   // entity used for the request
     certificate request mode auto key-length 1024   // request mode and key length
     root-certificate fingerprint sha1 c4cb24743e26d601f23b7618b4e749a1061d9eb0   // CA certificate fingerprint (thumbprint); obtained as described later
     crl url 11/certenroll/win2003.crl   // download URL of the CRL (certificate revocation list)
    #
    // IKE peer msr1
    ike peer msr1
     remote-address
     local-address 1.1.1.2
     certificate domain h3c            // certificate domain h3c
    #
    // IPSec proposal (security proposal)
    ipsec proposal default
    #
    // IPSec policy
    ipsec policy msr1 1 isakmp
     security acl 3000
     ike-peer msr1
     proposal default
    #
    // ACL defining the traffic to protect
    acl number 3000
     rule 0 permit ip source 55 destination 55
    #
    interface Ethernet0/0
     port link-mode route
     ip address
     ipsec policy msr1                 // bind the IPSec policy to the outbound interface
    #
    interface Ethernet0/1
     port link-mode route
     ip address
    #
    // Static route to the peer's private network
    ip route-static
    #

Retrieving the certificates manually:
// After the configuration above is complete, the following commands check that the certificates can be obtained correctly.
// Step 1: retrieve the CA certificate. The prompts show whether it was obtained successfully.

    [MSR2] pki retrieval-certificate ca domain h3c
    Retrieving CA/RA certificates. Please wait a while......
    Saving CA/RA certificates chain, please wait a moment......
    %Dec 20 21:02:08:705 2006 2 PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain h3c is trusted.
    CA certificates retrieval success.
    [MSR2]
    %Dec 20 21:02:08:754 2006 2 PKI/4/Update_CA_Cert:Update CA certificates of the Domain h3c successfully.
    %Dec 20 21:02:08:755 2006 2 PKI/4/CA_Cert_Retrieval:Retrieval CA certificates of the domain h3c successfully.

// The messages above show that the CA certificate (the root certificate) was obtained.
// Step 2: request the local certificate signed by the CA.

    [MSR2] pki request-certificate domain h3c
    Certificate is being requested, please wait......
    [MSR2]
    Enrolling the local certificate,please wait a while......
    Certificate request Successfully!
    Saving the local certificate to device......
    Done!
    %Dec 20 21:02:29:02 2006 2 PKI/4/Local_Cert_Request:Request local certificate of the domain h3c successfully.

// The messages above show that the local certificate was obtained.
// Step 3: retrieve the CRL, which is used to check whether a certificate signed by the same CA has been revoked.

    [MSR2] pki retrieval-crl domain h3c
    Connecting to server for retrieving CRL. Please wait a while......
    CRL retrieval success!
    [MSR2]
    %Dec 20 21:03:59:211 2006 MSR2 PKI/4/Update_CRL:Update CRL of the domain h3c successfully.
    %Dec 20 21:03:59:212 2006 MSR2 PKI/4/Retrieval_CRL:Retrieval CRL of the domain h3c successfully.
    [MSR2]

// Display the CA certificates (three are returned: two RA certificates followed by the root CA certificate)

    [MSR2] dis pki cert ca d h3c
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 613E1A31 0002
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=win2003
            Validity
                Not Before: Dec 20 12:08:59 2006 GMT
                Not After : Dec 20 12:18:59 2007 GMT
            Subject: C=CN ST=bj L=bj O=h3c OU=ts-msr CN=win2003
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00C2A4CE C CC 0680FA75 26E77572 D06E32F9 E717C20C 6D87A6C1 CF1F2C9A
                        46323DC6 0C72B06E 7B1D8C3E 0565EFF7 FEBEA570 F6DE66FF AD1EE75E 3E481A80
                        6A5FE282 CA41FD2B 6FB06093 E880F237 F984AA21 A53E52C8 7529C486 58965EB5
                        DFAEA99D 8A5B338D FCAEAA1F AC1EA4B2 44F77393 E76EE67C D1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation
                X509v3 Extended Key Usage:
                    .4.1.3
                .4.1.311.20.2:
                    .,.E.n.r.o.l.l.m.e.n.t.A.g.e.n.t.O.f.f.l.i.n.e
                X509v3 Subject Key Identifier:
                    4E5E380E DB22491E 3C5EE3DA FB26ED51 F7DD47F5
                X509v3 Authority Key Identifier:
                    keyid:C818C4A6 0A5C766B E7C51760 2789A402 75181ABD
                X509v3 CRL Distribution Points:
                    URI:http:/ts-msr/CertEnroll/win2003.crl
                    URI:file:/ts-msrCertEnrollwin2003.crl
                Authority Information Access:
                    CA Issuers - URI:http:/ts-msr/CertEnroll/ts-msr_win2003.crt
                    CA Issuers - URI:file:/ts-msrCertEnrollts-msr_win2003.crt
        Signature Algorithm: sha1WithRSAEncryption
            6DA0B262 BACC97AA 614CEEED E7C377F5 62F6B9E6 C21965DC D17FC116 7957E7E5
            6FAE97A3 97BD1A65 27ADC066 7547DB45 74B5BC65 32CD45A6 FC1F2D69 EA8F8055
            91E48C06 3FC63D58 18F1F130 37CDFF4B 6DCEC700 9DFAC050 DF4BF36D 2EA4D4F8
            F09726AA 5C24D9D6 329BF4ED 69FA7948 E1C1058C D45E06FD E05BFE20 C0C01CCB
            B 791B6573 68927EEA FBCA6283 6D2CA93A 7E32A9E8 E42B49AC 0ACAF60B 85FFBC00
            FC2E427C 25EA55F0 DDE64A3F 06BF8001 2CC5FBC6 96ED277D 0AF4308B EE06C7DD
            4D89FAF5 E26B681A 919D5F2D F7E8D6F7 BBD9F64D CD3C864B FC538A99 DED85FA9
            A 084BA148 0A1BB899
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 613E1BA8 0003
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=win2003
            Validity
                Not Before: Dec 20 12:08:59 2006 GMT
                Not After : Dec 20 12:18:59 2007 GMT
            Subject: C=CN ST=bj L=bj O=h3c OU=ts-msr CN=win2003
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00B8C294 112CDA38 27FE4564 3DDDE52C A428A819 0DF0DD94 7ECD7B74 FB
                        1373BA5E 6A324BE4 98978E30 96036AC1 E B3D912FC E52DCDB1 24B05001
                        C26B2E08 46FCD00F C C912AF39 311BDE7F 7396AF31 AF9E0642 DB E36B954F
                        5BB881D7 328BEC88 0EA1AA82 83900CBC E4E85A9B FE 136DF65D FF
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Key Encipherment, Data Encipherment
                S/MIME Capabilities:
                    .80.+. 00
                X509v3 Extended Key Usage:
                    .4.1.311.20.2.1
                .4.1.311.20.2:
                    .C.E.P.E.n.c.r.y.p.t.i.o.n
                X509v3 Subject Key Identifier:
                    6A80370A AF 5C A18CA358 BA43FD52
                X509v3 Authority Key Identifier:
                    keyid:C818C4A6 0A5C766B E7C51760 2789A402 75181ABD
                X509v3 CRL Distribution Points:
                    URI:http:/ts-msr/CertEnroll/win2003.crl
                    URI:file:/ts-msrCertEnrollwin2003.crl
                Authority Information Access:
                    CA Issuers - URI:http:/ts-msr/CertEnroll/ts-msr_win2003.crt
                    CA Issuers - URI:file:/ts-msrCertEnrollts-msr_win2003.crt
        Signature Algorithm: sha1WithRSAEncryption
            B7E66039 EEFA866A 6C3D937E B 49CF1C23 7D3ADD49 FC24AEBB DF525A91 6898EA6B
            0CDF345F F73DE485 3F055FB2 46AC212A 4D 5FA16E19 626FCECE ED0BF5A3 BFA8F44E
            F7315A5F EE55E2A2 74A343CE A867BEE8 2216AEFD 49AE27B7 81726DE5 F7D8CAC6
            D4C6A50E D 3E0D3D76 7BDF7F24 733F7AFF 0CBA549D D3A15C2F 2E72D41D A105DBDF
            DA1D0093 84A9D124 6F22E8E4 9286CD2F 2F54A676 BC41698B 1C E7A6ECD4 CC7ABE80
            9BFAAB29 23EB26AC AAB7D497 E19F3BBC 2EF1296F F7E31C3A 1CE462E6 F8BF881A
            B AF9832A3 EAADDC49 D77AB1E6 87556F81 FAD6985E 9BCD3A40 2ABB113E 63A8F226
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 26F6FBE6 C488F6A9 DEBF5922
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=win2003
            Validity
                Not Before: Dec 20 11:26:56 2006 GMT
                Not After : Dec 20 11:35:50 2011 GMT
            Subject: CN=win2003
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00B972CC D4E25117 6FB7DC29 A7FAE842 2EBB1F4B FCCC7DBC 647C0279 5211E996
                        ECB9480A 40AD9083 114BDF69 5ACA6A53 4DE3BAE8 FF272B2D 34063AD0 78AB97EB
                        BB436C8F 2BCEC1A0 AF7B24A2 6B20242F DB 4DB35A7E F27FB7AD 3A 1F6BEEAE
                        0159B1B8 1DDA3E2D 55DBAD94 39B20DC6 B4CC796B 1D72BC82 40E02532 363D7EB1
                        180AE197 40B76252 81B81A3A 99FC04DF 037D8557 0FF1C927 710AB91C A2C0F3F0
                        0B2CE823 4AE52781 F9F81982 AD 8BC21828 01139AD8 F1BBA955 19181DAD E F5 E1
                        31A9C164 BF0ADF6C 0F893FF7 093EFE72 204F8800 6BB19C4E F5C3B580 21C91F3C
                        CAD69E75 83C0D9EC 2F
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage:
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Subject Key Identifier:
                    C818C4A6 0A5C766B E7C51760 2789A402 75181ABD
                X509v3 CRL Distribution Points:
                    URI:http:/ts-msr/CertEnroll/win2003.crl
                    URI:file:/ts-msrCertEnrollwin2003.crl
                .4.1.311.21.1:
                    .
        Signature Algorithm: sha1WithRSAEncryption
            9CC1B4CD 4D7ACB43 2853F3BC 0AA9C3A0 B2EA0D54 FA4005E9 EDF6BE97 D4745A64
            9ADA54E7 37594F14 9C2AD46B 1559CABC CD9C4B1F B7E962EC 85BCC642 A09202A6
            C4428D15 E497C690 23568CD5 224B35DE C 98CA687A E46B744E 38EE40FF 6B82C9EE
            BF3CE970 26C6F3F8 F4A30750 DD1BA047 98535CFA 43429DFC 2305D6A6 790CF8D3
            45D2B5B2 0C848AC1 E176CE1A 2DC0FCEB 600CD283 8B13AD0C DFCD61E0 6CE7010E
            0B A78CAEB3 BCF6977C 7F FD75AD34 A9A21061 13DD4D91 7495FB9F 326C5FB2
            4B5A71B5 1A81A81A 2A3AAE73 A2132E17 4BDF858D 12C9B3B9 3228BCE5 E4 BC0C4006
            2DB479F1 0E1F2464 BB225BCC 8BAFCD78 E8999DB3

// Display the local certificate issued by the CA

    [MSR2] dis pki cer lo d h3c
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 61608B93 0005
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=win2003
            Validity
                Not Before: Dec 20 12:46:36 2006 GMT
                Not After : Dec 20 12:56:36 2007 GMT
            Subject: C=CN L=bj O=h3c OU=ts-msr CN=msr2
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00D4EB90 98FB12A7 41A15813 19985CDD 7DD83A29 AF0C9D10 9CD94786 C0AAADC5
                        73E5A23B 4CF3BE4D 7A408E5D F55EE37E CB E CBCD06F9 A4BED5D7 104AE9B7
                        FCA53D0E FBE2D180 18AFC129 10A357A0 4EAF61C6 7B3158AE D1CF87D7 E6EF1F84
                        7242F29D DC9AADF3 C20A26DC 2E49BA05 20B960D2 5AC6D1FD 5A1AC51C 85
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    6AE6C77D 21727F21 3A1970CF CABAD8F6 5C2820EE
                X509v3 Authority Key Identifier:
                    keyid:C818C4A6 0A5C766B E7C51760 2789A402 75181ABD
                X509v3 CRL Distribution Points:
                    URI:http:/ts-msr/CertEnroll/win2003.crl
                    URI:file:/ts-msrCertEnrollwin2003.crl
                Authority Information Access:
                    CA Issuers - URI:http:/ts-msr/CertEnroll/ts-msr_win2003.crt
                    CA Issuers - URI:file:/ts-msrCertEnrollts-msr_win2003.crt
                .4.1.311.20.2:
                    .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
        Signature Algorithm: sha1WithRSAEncryption
            B022F111 82AF0DD8 AFECA34C 4C0CB048 0DCA97C5 B2B532E1 0CB4349B 90051CDE
            C311DE4D 2CA1041A 45A5A984 CDBDA22C F6A79EF8 DDC14A69 F8DF49C4 B3E9D16B
            67AC787E A 24A55E36 BCFC67E6 E1 4DA05968 B33FA3E5 45EF00CE 54FA37A6 DC4AD003
            72171B1B E45727F5 5767EA21 E F74A7DDD 7F07D850 C558BA9A FD6F64AA 4B9D6A23
            D8BD06B4 46670EBF B87E9FC3 EDB2A805 D5041C85 B676D667 B 92025B10 BA 997A183A
            7B3A16DC 3A875E41 9A78FCBD F 06BD185C 9D6E31F8 F8DD8073 63A80207 54E1805E
            BB9D7FAD C2F33F8C 776B8C82 F1755E5F 888E3EDF

// Display the CRL (certificate revocation list)

    [MSR2] dis pki cr d h3c
    Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=win2003
        Last Update: Dec 20 11:27:13 2006 GMT
        Next Update: Dec 27 23:47:13 2006 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:C818C4A6 0A5C766B E7C51760 2789A402 75181ABD
            .4.1.311.21.1:
                .
            X509v3 CRL Number: 1
            .4.1.311.21.4:
                3Z .
            .4.1.311.21.14:
                0.0.ldap:/CN=win2003,CN=ts-msr,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
    No Revoked Certificates.
        Signature Algorithm: sha1WithRSAEncryption
            9BF1D1AA 74562C8D D79D6A02 9E60FDE3 F53476A1 9D6E2E0F A8 93D14D7A 9F C0E93C62
            EAA175B6 1DDBE9EA 10A8A686 88FC6A93 247C35B9 78B862A8 BFCA1CCC C6 EA506D1A
            75147A7D 50B2EAA9 134BF910 751AC
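Checking the enrollment result programmatically. The three retrieval steps above succeed as soon as the server answers, but whether the tunnel will authenticate depends on what the retrieved material actually says: the local certificate's Authority Key Identifier must equal the CA certificate's Subject Key Identifier, the CA certificate must carry CA:TRUE and the Certificate Sign key usage, both certificates must be inside their validity window, and the CRL must be signed by the same CA, not be past its Next Update, and not list the local certificate's serial number. The following Python script is an added example; it is not part of the original document or of H3C's software. It parses the OpenSSL-style text that the display commands print and runs exactly those checks. Its sample inputs are constructed from the field values shown above (the CRL with a revoked entry is invented for the failure case), and it assumes the router's output keeps the field names and line layout used in those samples.

```python
# Added example (not from the original H3C document): parse the text dumps of
# 'display pki certificate' and 'display pki crl' and check that the local
# certificate chains to the retrieved CA and that the CRL is still usable.
# Sample texts are constructed from field values shown in the document; the
# CRL that lists a revoked serial is invented for the failure case.
import re
from datetime import datetime, timezone

HEX_RUN = r"([0-9A-Fa-f]{2}(?:[ :]?[0-9A-Fa-f]{2})*)"  # hex bytes, space/colon separated

def _hex(s):  # key id / serial as upper-case hex without separators
    return re.sub(r"[^0-9A-Fa-f]", "", s or "").upper()

def _time(s):  # the router prints e.g. 'Dec 20 11:26:56 2006' followed by GMT
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def _grab(text, pattern):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

def parse_certificate(text):  # fields needed for chain checks, from one certificate dump
    return {
        "serial": _hex(_grab(text, r"Serial Number:\s*" + HEX_RUN)),
        "issuer": _grab(text, r"Issuer:\s*([^\n]+)"),
        "subject": _grab(text, r"Subject:\s*([^\n]+)"),
        "not_before": _time(_grab(text, r"Not Before:\s*([^\n]+?)\s*GMT")),
        "not_after": _time(_grab(text, r"Not After\s*:\s*([^\n]+?)\s*GMT")),
        "ski": _hex(_grab(text, r"Subject Key Identifier:\s*" + HEX_RUN)),
        "aki": _hex(_grab(text, r"Authority Key Identifier:\s*keyid:\s*" + HEX_RUN)),
        "is_ca": "CA:TRUE" in text,
        "key_usage": _grab(text, r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)") or "",
    }

def parse_crl(text):  # issuer, Next Update, signing key id and revoked serials
    revoked = []
    if "Revoked Certificates:" in text:  # 'No Revoked Certificates.' has no colon
        body = text.split("Revoked Certificates:", 1)[1].split("Signature Algorithm", 1)[0]
        revoked = [_hex(s) for s in re.findall(r"Serial Number:\s*" + HEX_RUN, body)]
    return {
        "issuer": _grab(text, r"Issuer:\s*([^\n]+)"),
        "next_update": _time(_grab(text, r"Next Update:\s*([^\n]+?)\s*GMT")),
        "aki": _hex(_grab(text, r"Authority Key Identifier:\s*keyid:\s*" + HEX_RUN)),
        "revoked": revoked,
    }

def check_chain(local, ca, crl, now):
    """Return the list of failed checks; an empty list means the enrollment looks consistent."""
    checks = [
        (ca["is_ca"] and "Certificate Sign" in ca["key_usage"], "CA certificate lacks CA:TRUE or the Certificate Sign key usage"),
        (local["aki"] == ca["ski"] and local["issuer"] == ca["subject"], "local certificate was not issued by the retrieved CA certificate"),
        (ca["not_before"] <= now <= ca["not_after"], "CA certificate is outside its validity period"),
        (local["not_before"] <= now <= local["not_after"], "local certificate is outside its validity period"),
        (crl["aki"] == ca["ski"] and crl["issuer"] == ca["subject"], "CRL was not signed by the retrieved CA"),
        (now <= crl["next_update"], "CRL is stale (past Next Update); re-run 'pki retrieval-crl domain h3c'"),
        (local["serial"] not in crl["revoked"], "local certificate serial " + local["serial"] + " is revoked"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit(local_text, ca_text, crl_text, now_iso):
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)  # check time, UTC
    return check_chain(parse_certificate(local_text), parse_certificate(ca_text), parse_crl(crl_text), now)

# Constructed samples; the values are the ones shown in the document's 'display pki' output.
CA_CERT_TEXT = """Certificate:
    Serial Number: 26F6FBE6 C488F6A9 DEBF5922
    Issuer: CN=win2003
      Not Before: Dec 20 11:26:56 2006 GMT
      Not After : Dec 20 11:35:50 2011 GMT
    Subject: CN=win2003
      X509v3 Key Usage:
        Digital Signature, Certificate Sign, CRL Sign
      X509v3 Basic Constraints: critical
        CA:TRUE
      X509v3 Subject Key Identifier:
        C818C4A6 0A5C766B E7C51760 2789A402 75181ABD
"""
LOCAL_CERT_TEXT = """Certificate:
    Serial Number: 61608B93 0005
    Issuer: CN=win2003
      Not Before: Dec 20 12:46:36 2006 GMT
      Not After : Dec 20 12:56:36 2007 GMT
    Subject: C=CN L=bj O=h3c OU=ts-msr CN=msr2
      X509v3 Authority Key Identifier:
        keyid:C818C4A6 0A5C766B E7C51760 2789A402 75181ABD
"""
CRL_TEXT = """Certificate Revocation List (CRL):
    Issuer: CN=win2003
    Last Update: Dec 20 11:27:13 2006 GMT
    Next Update: Dec 27 23:47:13 2006 GMT
      X509v3 Authority Key Identifier:
        keyid:C818C4A6 0A5C766B E7C51760 2789A402 75181ABD
No Revoked Certificates.
"""
CRL_REVOKED_TEXT = CRL_TEXT.replace("No Revoked Certificates.\n",  # invented failure case
    "Revoked Certificates:\n    Serial Number: 61608B93 0005\n        Revocation Date: Jan  5 10:00:00 2007 GMT\n")

if __name__ == "__main__":
    for when in ("2006-12-21T00:00:00", "2007-01-15T00:00:00"):
        print(when, audit(LOCAL_CERT_TEXT, CA_CERT_TEXT, CRL_TEXT, when) or "OK")
```

Run as a script it reports "OK" for a check time inside the CRL window and a stale-CRL finding for a time after Next Update; that second case is the one to look for when a router has not refreshed its CRL since enrollment. Feeding it the full `display pki certificate ca` output would need the text split at each "Certificate:" header first, since the CA domain returns the RA certificates before the root CA certificate.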
