Network/Security 2015. 2. 16. 18:26
[LAB-26] PKI & IPSec VPN(RSA Signature).txt
@ PKI server configuration
1. On R2, enable the HTTP server, give the PKI server a suitable name, then activate it.
R2(config)#ip http server
R2(config)#crypto pki server ca1
R2(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Certificate Server enabled.
R2(cs-server)#exit
R2#show crypto key mypubkey rsa
- Once the configuration is complete, run 'show crypto pki certificates' and 'show crypto pki trustpoints status'.
R2#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=ca1
Subject:
cn=ca1
Validity Date:
start date:
end date:
Associated Trustpoints: ca1
R2#show crypto pki trustpoints status
Trustpoint ca1:
Issuing CA certificate configured:
Subject Name:
cn=ca1
Fingerprint MD5: ACD3D611 5447F9AD 770B53A6 EA03492C
Fingerprint SHA1: EA89EDCA 3D87B023 16A810D5 4F654579 04A014D1
State:
Keys generated ............. Yes (General Purpose, non-exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... None
2. Configuring R1 and R3 to obtain digital certificates
① Generate the private and public keys on R1 and R3.
R1(config)#ip domain-name cisco.com
R1(config)#crypto key generate rsa general-keys
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
② Specify the IP address of the certificate server.
R1(config)#crypto pki trustpoint ca1
R1(ca-trustpoint)#enrollment url http://13.13.2.2
Translating "13.13.2.2"
③ Download the CA certificate and authenticate it. Before answering 'yes' at the prompt, the MD5 and SHA1 fingerprints shown here must match the ones R2 displayed in 'show crypto pki trustpoints status' in step 1.
R1(config)#crypto pki authenticate ca1
Translating "13.13.2.2"
Certificate has the following attributes:
Fingerprint MD5: ACD3D611 5447F9AD 770B53A6 EA03492C
Fingerprint SHA1: EA89EDCA 3D87B023 16A810D5 4F654579 04A014D1
% Do you accept this certificate? [yes/no]: yes
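Because the CA certificate is fetched over plain HTTP (enrollment url http://13.13.2.2), this fingerprint comparison is the only thing binding the trustpoint to the intended CA. The following added Python example (not part of the lab) shows how IOS-style fingerprints are derived from the DER-encoded certificate and compared; the certificate bytes are constructed for the demo.

```python
import hashlib
import hmac

# Constructed stand-in for the DER-encoded CA certificate the router downloads;
# IOS fingerprints are the MD5 / SHA-1 digest of exactly these DER bytes.
CA_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed demo bytes standing in for the ca1 certificate" * 2

def cisco_fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER certificate rendered like IOS: uppercase hex in 8-character groups."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def normalize(fp: str) -> str:
    """Drop spacing and case so a value copied from a console or a notebook compares cleanly."""
    return "".join(fp.split()).upper()

def fingerprint_matches(der: bytes, expected: str, algo: str) -> bool:
    """Constant-time comparison of the computed fingerprint with the out-of-band value."""
    return hmac.compare_digest(normalize(cisco_fingerprint(der, algo)), normalize(expected))

def decide_to_accept(der: bytes, expected_md5: str, expected_sha1: str) -> str:
    """Answer for the '% Do you accept this certificate? [yes/no]:' prompt.
    Both fingerprints must equal the values recorded on the CA (R2) itself."""
    ok = fingerprint_matches(der, expected_md5, "md5") and fingerprint_matches(der, expected_sha1, "sha1")
    return "yes" if ok else "no"

if __name__ == "__main__":
    # Values the operator would read off 'show crypto pki trustpoints status' on R2 (derived from the demo bytes here).
    md5_on_ca = cisco_fingerprint(CA_CERT_DER, "md5")
    sha1_on_ca = cisco_fingerprint(CA_CERT_DER, "sha1")
    print("MD5 :", md5_on_ca)
    print("SHA1:", sha1_on_ca)
    print("genuine certificate :", decide_to_accept(CA_CERT_DER, md5_on_ca, sha1_on_ca))
    # A certificate altered in transit (one byte flipped) must be refused.
    tampered = CA_CERT_DER[:-1] + bytes([CA_CERT_DER[-1] ^ 0x01])
    print("tampered certificate:", decide_to_accept(tampered, md5_on_ca, sha1_on_ca))
```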
④ Send R1's enrollment request to the PKI certificate server. A challenge password is used here; it serves two purposes:
- when requesting a new certificate from the CA
- when the CA administrator revokes the certificate
R1(config)#crypto pki enroll ca1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: R1.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate ca1 verbose' commandwill show the fingerprint.
R1(config)#
Translating "13.13.2.2"
R1(config)#
3. On R2, which acts as the CA, run 'crypto pki server ca1 info requests' to view the pending enrollment request.
R2#crypto pki server ca1 info requests
Enrollment Request Database:
Subordinate CA certificate requests:
---------------------------------------------------------------------------
RA certificate requests:
---------------------------------------------------------------------------
Router certificates requests:
---------------------------------------------------------------------------
1 pending C8CE6EAFFEF7E3226845EE746F75017B hostname=R1.cisco.com
4. On R2, run 'crypto pki server ca1 grant 1' to accept the enrollment request.
R2#crypto pki server ca1 grant 1
- Run 'crypto pki server ca1 info requests' on R2 again to confirm that the request has been granted.
R2#crypto pki server ca1 info requests
Enrollment Request Database:
Subordinate CA certificate requests:
---------------------------------------------------------------------------
RA certificate requests:
---------------------------------------------------------------------------
Router certificates requests:
---------------------------------------------------------------------------
1 granted C8CE6EAFFEF7E3226845EE746F75017B hostname=R1.cisco.com
5. On R1 and R3, run 'show crypto pki certificates' to check the certificate enrollment status.
R1#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=ca1
Subject:
cn=ca1
Validity Date:
start date:
end date:
Associated Trustpoints: ca1
Certificate
Subject:
Name: R1.cisco.com
Status: Pending
Key Usage: General Purpose
Certificate Request Fingerprint MD5: C8CE6EAF FEF7E322 6845EE74 6F75017B
Certificate Request Fingerprint SHA1: 4FDFD0BF D7D45699 2160F24D 887A8B21 5E00F647
Associated Trustpoint: ca1
- In the 'Certificate' entry above, the status is still 'Pending'. Check again a little later.
R1#
Translating "13.13.2.2"
R1#
R1#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=ca1
Subject:
Name: R1.cisco.com
hostname=R1.cisco.com
Validity Date:
start date:
end date:
Associated Trustpoints: ca1
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=ca1
Subject:
cn=ca1
Validity Date:
start date:
end date:
Associated Trustpoints: ca1
6. Repeat the same procedure on R3.
7. Configure the IPsec VPN on R1 and R3.
@ R1
access-list 100 permit ip 150.1.13.0 0.0.0.255 150.3.13.0 0.0.0.255
!
crypto isakmp policy 10
encryption 3des
hash md5
authentication rsa-sig
group 2
!
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
!
crypto map IPSEC 10 ipsec-isakmp
set peer 13.13.10.3
set transform-set CISCO
match address 100
!
int s1/1.13
crypto map IPSEC
@ R3
access-list 100 permit ip 150.3.13.0 0.0.0.255 150.1.13.0 0.0.0.255
!
crypto isakmp policy 10
encryption 3des
hash md5
authentication rsa-sig
group 2
!
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
!
crypto map IPSEC 10 ipsec-isakmp
set peer 13.13.10.1
set transform-set CISCO
match address 100
!
int s1/1.13
crypto map IPSEC
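Every algorithm chosen in the two configurations above (3DES, MD5, DH group 2) and the 512-bit RSA modulus accepted in step 2 are legacy settings that a current deployment should replace. The following added Python audit (not part of the lab) scans IOS crypto configuration text for these settings; the lab config is transcribed from this page and the hardened counterpart is constructed.

```python
import re
# Transcribed from the R1 configuration in step 7; the 512-bit key size is the default
# accepted at the 'How many bits in the modulus [512]:' prompt in step 2.
LAB_CONFIG = """\
crypto key generate rsa general-keys modulus 512
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
"""
# Hardened counterpart (constructed): AES-256, SHA-256, DH group 14, 2048-bit RSA.
HARDENED_CONFIG = """\
crypto key generate rsa general-keys modulus 2048
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto ipsec transform-set CISCO esp-aes 256 esp-sha256-hmac
"""
# Legacy ISAKMP policy values keyed by the IOS keyword that carries them, and legacy ESP transforms.
WEAK_POLICY = {
    "encryption": {"des": "DES (56-bit)", "3des": "3DES (64-bit block, Sweet32)"},
    "hash": {"md5": "MD5", "sha": "SHA-1"},
    "group": {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)", "5": "DH group 5 (1536-bit)"},
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
MIN_RSA_BITS = 2048

def audit_crypto_config(config: str) -> list[str]:
    """Return one finding per legacy algorithm or key size found in IOS crypto config text."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in WEAK_POLICY and args and args[0] in WEAK_POLICY[keyword]:
            findings.append(f"isakmp policy: {WEAK_POLICY[keyword][args[0]]} <- '{line}'")
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            # tokens[3] is the set name; everything after it is a transform keyword
            findings += [f"transform-set: {t} <- '{line}'" for t in tokens[4:] if t in WEAK_TRANSFORMS]
        match = re.search(r"\bmodulus (\d+)\b", line)
        if match and int(match.group(1)) < MIN_RSA_BITS:
            findings.append(f"rsa key: {match.group(1)}-bit modulus, below {MIN_RSA_BITS} <- '{line}'")
    return findings
```

Running audit_crypto_config(LAB_CONFIG) yields six findings, while the hardened configuration yields none.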
8. Verifying the IPsec VPN
R4#ping 150.3.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.3.13.254, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 72/73/76 ms
R1#show crypto session
Crypto session current status
Interface: Serial1/1.13
Session status: UP-ACTIVE
Peer: 13.13.10.3 port 500
IKE SA: local 13.13.10.1/500 remote 13.13.10.3/500 Active
IPSEC FLOW: permit ip 150.1.13.0/255.255.255.0 150.3.13.0/255.255.255.0
Active SAs: 2, origin: crypto map
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
13.13.10.3 13.13.10.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Se1/1.13 IPsec 3DES+MD5 0 3 13.13.10.1
2 Se1/1.13 IPsec 3DES+MD5 3 0 13.13.10.1
1001 Se1/1.13 IKE MD5+3DES 0 0 13.13.10.1