FlexVPN是Cisco IOS®上新的基於Internet金鑰交換版本2(IKEv2)的VPN基礎設施,旨在成為統一VPN解決方案。本文檔介紹如何配置Windows 7中內建的IKEv2客戶端,以便利用證書頒發機構(CA)連線Cisco IOS頭端。
思科建議您瞭解以下主題:
本檔案中的資訊是根據以下硬體和軟體版本:
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路正在作用,請確保您已瞭解任何指令可能造成的影響。
如需檔案慣例的相關資訊,請參閱思科技術提示慣例。
配置Windows 7內建IKEv2客戶端時需要執行四個主要步驟,以便使用CA連線Cisco IOS頭端:
CA應允許您在憑證中嵌入所需的延伸金鑰使用(EKU)。例如,在IKEv2伺服器上,需要「Server Auth EKU」,而客戶端證書需要「Client Auth EKU」。 本地部署可使用:
以下各節詳細說明了這些主要步驟中的每一步。
本文不提供如何設定CA的詳細步驟。但是,本節中的步驟說明如何配置CA,以便它可以為此類部署頒發證書。
OpenSSL CA是根據「config」檔案。OpenSSL伺服器的「config」檔案應具有:
[ extCSR ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
如果您使用Cisco IOS CA伺服器,請確保使用分配了EKU的最新Cisco IOS軟體版本。
IOS-CA# show run | section crypto pki
crypto pki server IOS-CA
issuer-name cn=IOS-CA.cisco.com,ou=TAC,o=cisco
grant auto
eku server-auth client-auth
對於Cisco IOS,證書的EKU欄位必須設定為「伺服器身份驗證」,對於客戶端必須設定為「客戶端身份驗證」。通常,相同的CA用於對客戶端和伺服器證書進行簽名。在這種情況下,伺服器憑證和使用者端憑證上分別會看到「伺服器驗證」和「使用者端驗證」,這是可接受的。
如果CA在IKEv2伺服器上以公鑰加密標準(PKCS)#12格式向使用者端和伺服器頒發憑證,且憑證撤銷清單(CRL)無法存取或可用,則必須設定:
crypto pki trustpoint FlexRootCA
revocation-check none
輸入以下命令以匯入PKCS#12證書:
copy ftp://user:***@OpenSSLServer/p12/ikev2.p12* flash:/
crypto pki import FlexRootCA pkcs12 flash:/ikev2.p12 password <password>
!! Note: ikev2.p12 is a pkcs12 format certificate that has CA Certificate bundled in it.
如果Cisco IOS CA伺服器自動授予證書,則必須使用CA伺服器URL配置IKEv2伺服器以接收證書,如以下示例所示:
crypto pki trustpoint IKEv2
enrollment url http://<CA_Sever_IP>:80
subject-name cn=ikev2.cisco.com,ou=TAC,o=cisco
revocation-check none
配置信任點時,您需要:
crypto pki authenticate FlexRootCA
crypto pki enroll FlexRootCA
若要檢視憑證是否包含所有所需的選項,請使用以下show指令:
ikev2#show crypto pki cert verbose
Certificate
Issuer:
Subject:
Name: ikev2.cisco.com
ou=TAC
o=Cisco
c=BE
cn=ikev2.cisco.com
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: MD5 with RSA Encryption
Fingerprint MD5: 3FB01AE4 E36DF9D8 47F3C206 05F287C6
Fingerprint SHA1: DEE6C4D1 00CDD2D5 C0976274 203D2E74 2BC49BE8
X509v3 extensions:
X509v3 Key Usage: F0000000
Digital Signature
Non Repudiation
Key Encipherment
Data Encipherment
X509v3 Subject Key ID: CBCE6E9F F508927C E97040FD F49B52D1 D5919D45
X509v3 Authority Key ID: 4B86A079 A5738694 85721D0D 7A75892F 0CDAC723
Authority Info Access:
Extended Key Usage:
Client Auth
Server Auth
Associated Trustpoints: FlexRootCA
Key Label: FlexRootCA
以下是IKEv2配置的示例:
!! IP Pool for IKEv2 Clients
ip local pool mypool 172.16.0.101 172.16.0.250
!! Certificate MAP to match Remote Certificates, in our case the Windows 7 Clients
crypto pki certificate map win7_map 10
subject-name co ou = tac
!! One of the proposals that Windows 7 Built-In Client Likes
crypto ikev2 proposal win7
encryption aes-cbc-256
integrity sha1
group 2
!! IKEv2 policy to store a proposal
crypto ikev2 policy win7
proposal win7
!! IKEv2 Local Authorization Policy. Split-Tunneling does not work, as was
!! the case in good old l2tp over IPSec.
crypto ikev2 authorization policy win7_author
pool mypool
!! IKEv2 Profile
crypto ikev2 profile win7-rsa
match certificate win7_map
identity local fqdn ikev2.cisco.com
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint FlexRootCA
aaa authorization group cert list win7 win7_author
virtual-template 1
!! One of the IPSec Transform Sets that Windows 7 likes
crypto ipsec transform-set aes256-sha1 esp-aes 256 esp-sha-hmac
!! IPSec Profile that calls IKEv2 Profile
crypto ipsec profile win7_ikev2
set transform-set aes256-sha1
set ikev2-profile win7-rsa
!! dVTI interface - A termination point for IKEv2 Clients
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile win7_ikev2
虛擬模板未編號的IP應為除IPsec連線使用的本地地址以外的任何內容。 [如果使用硬體客戶端,您將通過IKEv2配置節點交換路由資訊,並在硬體客戶端上建立遞迴路由問題。]
以下過程介紹了如何配置Windows 7內建客戶端。
使用者端憑證需要以下因素:
Client's PKCS12 Certificate will go into Local Machine Personal Certificate Store
CA Certificate goes into Local Machine Trusted Root Certificate Authorities Store
使用本節內容,確認您的組態是否正常運作。
輸出直譯器工具(僅供已註冊客戶使用)支援某些show命令。使用輸出直譯器工具來檢視show命令輸出的分析。
ikev2#show crypto ikev2 session detail
IPv4 Crypto IKEv2 Session
Session-id:4, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.3.1/4500 192.168.56.1/4500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: RSA,
Auth verify: RSA
Life/Active Time: 86400/17 sec
CE id: 1004, Session-id: 4
Status Description: Negotiation done
Local spi: A40828A826160328 Remote spi: C004B7103936B430
Local id: ikev2.cisco.com
Remote id: ou=TAC,o=Cisco,c=BE,cn=Win7
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 1 DPD configured for 0 seconds,
retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
ikev2#show crypto ipsec sa peer 192.168.56.1
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 10.0.3.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.104/255.255.255.255/0/0)
current_peer 192.168.56.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps:5, #pkts encaps:5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 55, #pkts decrypt: 55, #pkts verify: 55
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.3.1, remote crypto endpt.: 192.168.56.1
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x3C3D299(63165081)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE461ED10(3831622928)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4257423/0)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3C3D299(63165081)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4257431/0)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
目前尚無適用於此組態的具體疑難排解資訊。
修訂 | 發佈日期 | 意見 |
---|---|---|
1.0 |
20-May-2013 |
初始版本 |