IOS IKEv2 AnyConnect with IKE-RSA cannot connect

wuhao0015 (Spotlight)
Hi everyone, I recently configured IKEv2 AnyConnect on IOS, and with IKE-RSA it cannot connect.
Background: a single CSR running IOS, no third-party AAA server, no third-party CA, no domain environment.
Configuration as follows:
==========================================
csr1kv#show version
Cisco IOS XE Software, Version 03.16.06.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 24-Jul-17 20:01 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
csr1kv uptime is 1 day, 4 hours, 26 minutes
Uptime for this control processor is 1 day, 4 hours, 28 minutes
System returned to ROM by reload at 11:27:53 Beijing Tue Dec 11 2018
System restarted at 11:30:10 Beijing Tue Dec 11 2018
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax
cisco CSR1000V (VXE) processor (revision VXE) with 1090317K/6147K bytes of memory.
Processor board ID 9ZMT9E7R1HJ
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3022272K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
Configuration register is 0x2102
csr1kv#
csr1kv#show running-config
Building configuration...
Current configuration : 16673 bytes
!
! Last configuration change at 13:41:06 Beijing Wed Dec 12 2018
! NVRAM config last updated at 13:26:02 Beijing Wed Dec 12 2018
!
version 15.5
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname csr1kv
!
logging buffered 102400
!
aaa new-model
!
aaa authentication suppress null-username
aaa authentication login anyconnect local
aaa authorization network anyconnect local
!
clock timezone Beijing 8 0
!
ip name-server 114.114.114.114
!
crypto pki server ca.iteachs.com
database level names
no database archive
hash sha512
lifetime certificate 3650
lifetime ca-certificate 3650
auto-rollover 365
eku server-auth client-auth
database url flash:/ca
!
crypto pki trustpoint csr1kv.local
enrollment selfsigned
subject-name cn=csr1kv.local
revocation-check none
rsakeypair csr1kv.local
!
crypto pki trustpoint ca.iteachs.com
revocation-check crl
rsakeypair ca.iteachs.com
!
crypto pki trustpoint csr1kv.iteachs.com
enrollment url http://10.1.1.1:80
fqdn csr1kv.iteachs.com
ip-address 202.100.1.100
subject-name cn=csr1kv.iteachs.com
revocation-check crl
rsakeypair csr1kv.iteachs.com
auto-enroll regenerate
hash sha512
!
!
crypto pki certificate map anyconnect-cert 10
issuer-name co cn = ca.iteachs.com
!
crypto pki certificate chain csr1kv.local
certificate self-signed 01
3082032A 30820212 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2E311530 13060355 0403130C 63737231 6B762E6C 6F63616C 31153013 06092A86
quit
crypto pki certificate chain ca.iteachs.com
certificate ca 01
27CDC049 27CC238B AFE5A8A4 52D39225 718BEB2B 99182112 E4487755 2E81A4E2
973FD4F6 CC01EFBF 50E6B6CB A25AB583 95D7AEB9
quit
crypto pki certificate chain csr1kv.iteachs.com
certificate 02
316C9C5D 721E666F EB3BEC27 4F6C11C3 7FF8EC60 5A1F1765 1E56BF23 4A593D2D
23E1A15B 48C6B405 CA4EE84C F99D0C63 B5B9732E A73C2BD7 B6C746EC E5E54D58 1D1F
quit
certificate ca 01
27CDC049 27CC238B AFE5A8A4 52D39225 718BEB2B 99182112 E4487755 2E81A4E2
973FD4F6 CC01EFBF 50E6B6CB A25AB583 95D7AEB9
quit
!
username admin privilege 15 secret 5 $1$bVLV$u0lFX9bJ3IFSF7M6R7UFe.
username cisco password 7 02050D480809
!
crypto ikev2 authorization policy anyconnect-auth-policy
pool anyconnect
dns 10.1.1.1
def-domain iteachs.com
route set access-list anyconnect-tunnel
!
crypto ikev2 proposal anyconnect-prop
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy anyconnect-policy
proposal anyconnect-prop
!
crypto ikev2 profile anyconnect-cert-profile
match certificate anyconnect-cert
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint csr1kv.iteachs.com
aaa authorization group cert list anyconnect anyconnect-auth-policy
virtual-template 2
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set anyconnect esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile anyconncet-cert-profile
set transform-set anyconnect
set ikev2-profile anyconnect-cert-profile
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1
ip address 202.100.1.100 255.255.255.0
negotiation auto
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile anyconncet-cert-profile
!
ip local pool anyconnect 20.1.1.1 20.1.1.20
ip http server
ip route 0.0.0.0 0.0.0.0 202.100.1.1
!
ip access-list standard anyconnect-tunnel
permit 10.1.1.0 0.0.0.255
!
!
line con 0
stopbits 1
line vty 1
length 0
line vty 2 4
!
ntp server ntp3.aliyun.com
ntp server ntp2.aliyun.com
ntp server ntp1.aliyun.com
!
end
==========================================
Keys and certificates:
csr1kv#show crypto key mypubkey rsa
% Key pair was generated at: 16:11:46 Beijing Dec 6 2018
Key name: csr1kv.local
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable. Redundancy enabled.
Key Data:
% Key pair was generated at: 11:31:03 Beijing Dec 11 2018
Key name: csr1kv.local.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00998E3F F0C711F7
6D722E38 F02BFD73 6F6E637E EAB973EB F509A56D 14951BB2 EF691023 4C54756F
C1E1F533 EA15C015 6FFCFFA8 9A55F9D5 B8556131 5DCD0D47 515BFB78 3234D891
4C836ECA 9F7BB89C 86D1BC15 FFD27095 D4769EBA 1394F25B 3B020301 0001
% Key pair was generated at: 09:42:08 Beijing Dec 12 2018
Key name: ca.iteachs.com
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
Key Data:
30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
C70FD758 5F727765 1C597F2C B76FB4A4 97FBC011 63910C83 5FEB5417 7A37C129
CF020301 0001
% Key pair was generated at: 09:45:12 Beijing Dec 12 2018
Key name: csr1kv.iteachs.com
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
Key Data:
30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
00A8B18E 361300FC C7E62CED 8E0555BE E93842E3 20515A64 B51C7F32 C8E22B40
2CA59EC1 0A80CF09 FFD97E16 4B93934B AAE4A1F1 7560B3C7 15179605 93744D21
C1020301 0001
csr1kv#
csr1kv#show crypto pki server ca.iteachs.com requests
The Enrollment Request Database is empty.
csr1kv#
csr1kv#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=ca.iteachs.com
Subject:
Name: csr1kv.iteachs.com
IP Address: 202.100.1.100
ipaddress=202.100.1.100+hostname=csr1kv.iteachs.com
cn=csr1kv.iteachs.com
Validity Date:
start date: 09:48:51 Beijing Dec 12 2018
end date: 09:42:34 Beijing Dec 9 2028
Associated Trustpoints: csr1kv.iteachs.com
Storage: nvram:caiteachscom#2.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=ca.iteachs.com
Subject:
cn=ca.iteachs.com
Validity Date:
start date: 09:42:34 Beijing Dec 12 2018
end date: 09:42:34 Beijing Dec 9 2028
Associated Trustpoints: csr1kv.iteachs.com ca.iteachs.com
Storage: nvram:caiteachscom#1CA.cer
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
hostname=csr1kv
cn=csr1kv.local
Subject:
Name: csr1kv
hostname=csr1kv
cn=csr1kv.local
Validity Date:
start date: 16:12:10 Beijing Dec 6 2018
end date: 08:00:00 Beijing Jan 1 2020
Associated Trustpoints: csr1kv.local
Storage: nvram:csr1kv#1.cer
csr1kv#
csr1kv#
csr1kv#show crypto pki server
Certificate Server ca.iteachs.com:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=ca.iteachs.com
CA cert fingerprint: F9D47883 1DBA7AD6 7065FB01 91325B1D
Granting mode is: manual
Last certificate issued serial number (hex): 3
CA certificate expiration timer: 09:42:34 Beijing Dec 9 2028
CRL NextUpdate timer: 21:42:34 Beijing Dec 12 2018
Current primary storage dir: flash:/ca
Database Level: Names - subject name data written as .cnm
Auto-Rollover configured, overlap period 365 days
Autorollover timer: 09:42:34 Beijing Dec 10 2027
csr1kv#
csr1kv#
IOS has both an identity certificate and the CA root certificate.
===============================
Now generate a certificate for the client:
crypto key generate rsa general modulus 4096 exportable label user1@iteachs.com  # generate a separate key pair for the client

crypto pki trustpoint user1@iteachs.com  # trustpoint for the client
enrollment url http://10.1.1.1
serial-number none
fqdn none
ip-address none
subject-name CN=user1@iteachs.com
revocation-check none
rsakeypair user1@iteachs.com
auto-enroll
hash sha512

crypto pki authenticate user1@iteachs.com
crypto pki enroll user1@iteachs.com

do crypto pki server ca-server grant 1  # issue the client certificate

crypto pki export user1@iteachs.com pem tftp://192.168.100.100  # export to the client

After exporting, delete the user's identity certificate and RSA key from the router.
Install the root certificate and the identity certificate on the client.
AnyConnect profile:

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd"
Company
202.100.1.100
IPsec
true
IKE-RSA

Dialing in fails immediately.
Below is the IOS debug output.

csr1kv#

Dec 12 16:25:49.913: IKEv2:Received Packet [From 192.168.100.100:49827/To 202.100.1.100:500/VRF i0:f0]
Initiator SPI : B6A1173CBDE0ADB8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)


Dec 12 16:25:49.913: IKEv2:(SESSION ID = 92,SA ID = 1):Verify SA init message
Dec 12 16:25:49.913: IKEv2:(SESSION ID = 92,SA ID = 1):Insert SA
Dec 12 16:25:49.913: IKEv2:Searching Policy with fvrf 0, local address 202.100.1.100
Dec 12 16:25:49.913: IKEv2:Found Policy 'anyconnect-policy'
Dec 12 16:25:49.913: IKEv2:(SESSION ID = 92,SA ID = 1):Processing IKE_SA_INIT message
Dec 12 16:25:49.923: IKEv2-ERROR:(SESSION ID = 92,SA ID = 1):: The peer's KE payload contained the wrong DH group
Dec 12 16:25:49.923: IKEv2:(SESSION ID = 92,SA ID = 1):Sending invalid ke notification, peer sent group 1, local policy prefers group 2


Dec 12 16:25:49.923: IKEv2:(SESSION ID = 92,SA ID = 1):Sending Packet [To 192.168.100.100:49827/From 202.100.1.100:500/VRF i0:f0]
Initiator SPI : B6A1173CBDE0ADB8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(INVALID_KE_PAYLOAD)


Dec 12 16:25:49.923: IKEv2:(SESSION ID = 92,SA ID = 1):Failed SA init exchange
Dec 12 16:25:49.923: IKEv2-ERROR:(SESSION ID = 92,SA ID = 1):Initial exchange failed: Initial exchange failed
Dec 12 16:25:49.924: IKEv2:(SESSION ID = 92,SA ID = 1):Abort exchange
Dec 12 16:25:49.924: IKEv2:(SESSION ID = 92,SA ID = 1):Deleting SA


Dec 12 16:25:49.931: IKEv2:Received Packet [From 192.168.100.100:49827/To 202.100.1.100:500/VRF i0:f0]
Initiator SPI : B6A1173CBDE0ADB8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)


Dec 12 16:25:49.931: IKEv2:(SESSION ID = 93,SA ID = 1):Verify SA init message
Dec 12 16:25:49.931: IKEv2:(SESSION ID = 93,SA ID = 1):Insert SA
Dec 12 16:25:49.931: IKEv2:Searching Policy with fvrf 0, local address 202.100.1.100
Dec 12 16:25:49.931: IKEv2:Found Policy 'anyconnect-policy'
Dec 12 16:25:49.931: IKEv2:(SESSION ID = 93,SA ID = 1):Processing IKE_SA_INIT message
Dec 12 16:25:49.935: IKEv2:(SESSION ID = 93,SA ID = 1):Received valid config mode data
Dec 12 16:25:49.935: IKEv2:Config data recieved:
Dec 12 16:25:49.935: IKEv2:(SESSION ID = 93,SA ID = 1):Config-type: Config-request
Dec 12 16:25:49.935: IKEv2:(SESSION ID = 93,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
Dec 12 16:25:49.935: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
Dec 12 16:25:49.935: IKEv2:(SESSION ID = 93,SA ID = 1):Set received config mode data
Dec 12 16:25:49.935: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Dec 12 16:25:49.935: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'csr1kv.iteachs.com' 'ca.iteachs.com' 'csr1kv.local'
Dec 12 16:25:49.935: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Dec 12 16:25:49.935: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Dec 12 16:25:49.936: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Dec 12 16:25:49.936: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Dec 12 16:25:49.936: IKEv2:(SESSION ID = 93,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
Dec 12 16:25:49.937: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 12 16:25:49.937: IKEv2:(SESSION ID = 93,SA ID = 1):Request queued for computation of DH key
Dec 12 16:25:49.937: IKEv2:(SESSION ID = 93,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
Dec 12 16:25:49.938: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 12 16:25:49.938: IKEv2:(SESSION ID = 93,SA ID = 1):Request queued for computation of DH secret
Dec 12 16:25:49.938: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Dec 12 16:25:49.938: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Dec 12 16:25:49.938: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Dec 12 16:25:49.938: IKEv2:(SESSION ID = 93,SA ID = 1):Generating IKE_SA_INIT message
Dec 12 16:25:49.938: IKEv2:(SESSION ID = 93,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_1024_MODP/Group 2
Dec 12 16:25:49.938: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Dec 12 16:25:49.938: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'csr1kv.iteachs.com' 'ca.iteachs.com' 'csr1kv.local'
Dec 12 16:25:49.938: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Dec 12 16:25:49.938: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED


Dec 12 16:25:49.939: IKEv2:(SESSION ID = 93,SA ID = 1):Sending Packet [To 192.168.100.100:49827/From 202.100.1.100:500/VRF i0:f0]
Initiator SPI : B6A1173CBDE0ADB8 - Responder SPI : 0AB0DC5CC71D9AED Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ


Dec 12 16:25:49.939: IKEv2:(SESSION ID = 93,SA ID = 1):Completed SA init exchange
Dec 12 16:25:49.939: IKEv2:(SESSION ID = 93,SA ID = 1):Starting timer (30 sec) to wait for auth message
Dec 12 16:26:19.939: IKEv2-ERROR:(SESSION ID = 93,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
Dec 12 16:26:19.939: IKEv2:(SESSION ID = 93,SA ID = 1):Auth exchange failed
Dec 12 16:26:19.939: IKEv2-ERROR:(SESSION ID = 93,SA ID = 1):: Auth exchange failed
Dec 12 16:26:19.940: IKEv2:(SESSION ID = 93,SA ID = 1):Abort exchange
Dec 12 16:26:19.940: IKEv2:(SESSION ID = 93,SA ID = 1):Deleting SA
Dec 12 16:26:19.940: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Dec 12 16:26:19.940: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
csr1kv#
I have been working on this for several days and still cannot figure it out. Could the experts please take a look?

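To make the failure points in a trace like the one above easy to spot, here is an added Python triage script (not part of the post or of any Cisco tool): it groups `debug crypto ikev2` lines by SESSION ID and reports whether a session died on the DH-group mismatch (INVALID_KE_PAYLOAD) or, as in session 93, completed IKE_SA_INIT with a CERTREQ and then never received IKE_AUTH, which points at the client side rather than at the IKE proposal. The sample lines are a constructed subset of the debug output quoted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the IKEv2 debug lines quoted in the post
# (one AnyConnect client, two IKE_SA_INIT attempts, sessions 92 and 93).
SAMPLE_DEBUG = """\
Dec 12 16:25:49.913: IKEv2:Received Packet [From 192.168.100.100:49827/To 202.100.1.100:500/VRF i0:f0]
Dec 12 16:25:49.923: IKEv2-ERROR:(SESSION ID = 92,SA ID = 1):: The peer's KE payload contained the wrong DH group
Dec 12 16:25:49.923: IKEv2:(SESSION ID = 92,SA ID = 1):Sending invalid ke notification, peer sent group 1, local policy prefers group 2
NOTIFY(INVALID_KE_PAYLOAD)
Dec 12 16:25:49.923: IKEv2-ERROR:(SESSION ID = 92,SA ID = 1):Initial exchange failed: Initial exchange failed
Dec 12 16:25:49.931: IKEv2:Received Packet [From 192.168.100.100:49827/To 202.100.1.100:500/VRF i0:f0]
Dec 12 16:25:49.939: IKEv2:(SESSION ID = 93,SA ID = 1):Sending Packet [To 192.168.100.100:49827/From 202.100.1.100:500/VRF i0:f0]
SA KE N VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
Dec 12 16:25:49.939: IKEv2:(SESSION ID = 93,SA ID = 1):Completed SA init exchange
Dec 12 16:25:49.939: IKEv2:(SESSION ID = 93,SA ID = 1):Starting timer (30 sec) to wait for auth message
Dec 12 16:26:19.939: IKEv2-ERROR:(SESSION ID = 93,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
"""

SESSION_RE = re.compile(r"SESSION ID = (\d+)")
PEER_RE = re.compile(r"\[(?:From|To) (\d+(?:\.\d+){3}:\d+)")
DH_RE = re.compile(r"peer sent group (\d+), local policy prefers group (\d+)")

@dataclass
class Session:
    sid: int
    peer: str = "?"
    events: list = field(default_factory=list)
    verdict: str = "no failure seen"

def triage(debug_text: str) -> dict:
    """Group 'debug crypto ikev2' lines by SESSION ID and record how far each
    session got and why it stopped. Lines without a SESSION ID belong to the most recently seen session."""
    sessions, current, last_peer = {}, None, "?"
    for line in debug_text.splitlines():
        if m := PEER_RE.search(line):
            last_peer = m.group(1)            # remembered for the next new session
        if m := SESSION_RE.search(line):
            sid = int(m.group(1))
            current = sessions.setdefault(sid, Session(sid, peer=last_peer))
        if current is None:
            continue                          # packet header before any session exists
        if m := DH_RE.search(line):
            current.verdict = (f"IKE_SA_INIT rejected: client KE used DH group {m.group(1)}, "
                               f"ikev2 proposal requires group {m.group(2)}")
        elif "INVALID_KE_PAYLOAD" in line:
            current.events.append("INVALID_KE_PAYLOAD sent; client is expected to retry")
        elif "CERTREQ" in line:
            current.events.append("CERTREQ sent: responder asked the client for a certificate")
        elif "Completed SA init exchange" in line:
            current.events.append("IKE_SA_INIT completed")
        elif "Failed to receive the AUTH msg" in line:
            current.verdict = ("IKE_AUTH never arrived: proposal and DH are fine, look at the "
                               "client certificate, identity and profile instead")
    return sessions

if __name__ == "__main__":
    for s in triage(SAMPLE_DEBUG).values():
        print(f"session {s.sid} from {s.peer}: {s.verdict}; " + "; ".join(s.events))
```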
1 accepted solution

Accepted solution

Yanli Sun (Community Manager)
wuhao0015 posted on 2018-12-14 09:36
The problem where AnyConnect sometimes shows "web auth required" after enabling the http server is solved.
In the AnyConnect VPN profile edi ...

Thanks to the OP for sharing the solution.
We will look into the emoji problem in the post as soon as we can.


8 replies


wuhao0015 (Spotlight)
There are lots of emojis in the post. Experts, please come and take a look! Admin, why can't I edit the post to add a bounty? Could you set it up so that replies earn points?? Heh.

YilinChen (Spotlight)
Is the OP authenticating with certificates?
First try authenticating with only a username and password; from the error, it looks like the authentication step is what did not pass.

wuhao0015 (Spotlight)
YilinChen posted on 2018-12-13 08:53
Is the OP authenticating with certificates?
First try authenticating with only a username and password; from the error, it looks like the authentication step is what did not pass.

After changing the ikev2 profile to use anyconnect-eap authentication, it works without problems.
crypto ikev2 profile anyconnect-profile
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint csr1kv.local
aaa authentication anyconnect-eap anyconnect
aaa authorization group anyconnect-eap list anyconnect anyconnect-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 1
=================
Client configuration

Company
202.100.1.100
IPsec
false

AnyConnect connects without any problem this way.

wuhao0015 (Spotlight)
The AnyConnect IKEv2 user-certificate authentication problem is solved.
Certificate issuance for the computer in the configuration above was fine.
The problem was in the ikev2 profile. The correct configuration is attached for reference.
crypto pki certificate map ikev2-win-cert-map 10
issuer-name eq cn = ca.iteachs.com
!
crypto ikev2 profile ikev2-win-profile
match certificate ikev2-win-cert-map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint csr1kv.iteachs.com
dpd 60 2 on-demand
aaa authorization group cert list ikev2-win ikev2-win-auth-policy
virtual-template 1
===========
There is still one remaining issue I am investigating.
Once the CA server is enabled, the http server has to be enabled as well, but then AnyConnect sometimes shows "web auth required" and cannot connect.
Admin, please mark my reply as the best answer.

wuhao0015 (Spotlight)
The problem where AnyConnect sometimes shows "web auth required" after enabling the http server is solved.
In the AnyConnect VPN Profile Editor, tick
"Disable Captive Portal Detection" in the profile.
Works perfectly.

one-time (Level 13)
wuhao0015 posted on 2018-12-12 16:34
There are lots of emojis in the post. Experts, please come and take a look! Admin, why can't I edit the post to add a bounty? Could you set it up so that replies earn points?? ...

The emoji problem in the post has been fixed. Thanks!
Below the editor, click Additional Options, tick "Disable emoticons" under text features, and save.

wuhao0015 (Spotlight)
Admin posted on 2018-12-19 19:47
The emoji problem in the post has been fixed. Thanks!
Below the editor, click Additional Options, tick "Disable emoticons" under text features, and save.

Thanks for the reply, admin!