[Original] IOS-XE Remote Access, Part 3: AnyConnect Certificate Authentication

Posted on 2018-12-28 14:40:50
The latest releases no longer support IKEv1 remote-access VPN client authentication, so I looked into AnyConnect client connections over IKEv2. This is somewhat harder to configure than the AnyConnect-EAP authentication I posted earlier.
Requirements:
1. CA server (the one built into IOS)
2. AnyConnect client for Windows
3. AnyConnect profile editor for Windows (optional; the XML file can be edited by hand)
4. NTP server; correct time is essential

The topology is the same as in the previous article.

The important parts of the configuration are as follows:
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname csr1kv
!
enable secret 5 $1$sCqH$3EjUmJF.RnihD09/8pjY00
!
aaa new-model
!
!
aaa authentication login ikev2-win local
aaa authorization network ikev2-win local
!
clock timezone Beijing 8 0
!
ip name-server 114.114.114.114
!
crypto pki server ca.iteachs.com
 database level names
 no database archive
 grant auto
 # grant certificates automatically, which simplifies the procedure
 hash sha512
 lifetime certificate 3650
 lifetime ca-certificate 3650
 auto-rollover 365
 eku server-auth client-auth
 # required: used for server and client authentication
!
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 subject-name cn=csr1kv.local
 revocation-check none
 rsakeypair csr1kv.local
!
crypto pki trustpoint ca.iteachs.com
 revocation-check crl
 rsakeypair ca.iteachs.com
!
crypto pki trustpoint csr1kv.iteachs.com
 enrollment url http://10.1.1.1:80
 ip-address 202.100.1.100
 subject-name cn=csr1kv.iteachs.com
 revocation-check crl
 rsakeypair csr1kv.iteachs.com
 auto-enroll regenerate
 # enrol for the certificate automatically
 hash sha512
!
!
crypto pki certificate map ikev2-win-cert-map 10
 issuer-name eq cn = ca.iteachs.com
 # CN of the root certificate
!
crypto pki certificate chain csr1kv.local
 certificate self-signed 01
  3082052A 30820312 A0030201 02020101 300D06092A864886 F70D0101 05050030
  5D4C2FF2 DB7060E5 A7983ED4 2997E88C 9AC0754574D6BBDD 23B24A3A E123AF4B
  390B15F1 B966483F 4C7987C4 1E1E
        quit
crypto pki certificate chain ca.iteachs.com
 certificate ca 01
  30820510 308202F8 A0030201 02020101 300D06092A864886 F70D0101 0D050030
  F549E40B 49F2D1DE 9480B66A 98EE25EB 9B82AC2E2DB49890 8F37E521 A848FB1E
  C120ED30 FFC74359 38204C97 AFFD27DC 268B86C1
        quit
crypto pki certificate chain csr1kv.iteachs.com
 certificate 02
  C1C8CF14 1ECC5C59 583DEE52 8B393B95 2F1A5B7B3C46761E 3D709F10 FFC15BA4
  14F5B26C 1C14066A 1163E133 9405F4C7 A82403C7B55F11EA 6F6D13C9 0B22BF4C
  55AD7CD0 D8772947 4A110B67 02FEBFF7 6AB2DA28C168
        quit
 certificate ca 01
  BD4B5877 831F215A A143EE0F F20BBD05 EF56872E611623A2 1B5E07B8 A2A03323
  F549E40B 49F2D1DE 9480B66A 98EE25EB 9B82AC2E2DB49890 8F37E521 A848FB1E
  C120ED30 FFC74359 38204C97 AFFD27DC 268B86C1
        quit
# the self-signed, root and router certificate bodies are abridged here
!
!
username admin privilege 15 password 7 13261E010803247B79777C66
username cisco password 7 05080F1C2243
!
redundancy
!
crypto ikev2 authorization policy ikev2-win-auth-policy
 pool win-pool
 dns 10.1.1.1
 def-domain iteachs.com
 route set access-list ikev2-win-acl
!
crypto ikev2 proposal ikev2-win-proposal
 encryption aes-cbc-256
 integrity sha256
 group 2
!
crypto ikev2 policy ikev2-win-policy
 proposal ikev2-win-proposal
!
crypto ikev2 profile ikev2-win-profile
 match certificate ikev2-win-cert-map
 identity local dn
 authentication remote rsa-sig    # mutual certificate authentication
 authentication local rsa-sig     # mutual certificate authentication
 pki trustpoint csr1kv.iteachs.com
 dpd 60 2 on-demand
 aaa authorization group cert list ikev2-win ikev2-win-auth-policy
 virtual-template 1
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set ikev2-win-trans esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile ikev2-win-profile
 set transform-set ikev2-win-trans
 set ikev2-profile ikev2-win-profile
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet1
 ip address 202.100.1.100 255.255.255.0
 negotiation auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ikev2-win-profile
!
ip local pool win-pool 30.1.1.1 30.1.1.100
ip forward-protocol nd
ip http server
# required by the CA server; must be enabled
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 202.100.1.1
ip ssh version 2
!
ip access-list standard ikev2-win-acl
 permit 10.1.1.0 0.0.0.255
!
ntp server ntp3.aliyun.com
ntp server ntp2.aliyun.com
ntp server ntp1.aliyun.com

end

The key part follows: issuing a certificate for the client.
Preparing the client certificate
crypto key generate rsa general-keys modulus 4096 exportable label user1@iteachs.com

crypto pki trustpoint user1@iteachs.com
 enrollment url http://10.1.1.1
 serial-number none
 fqdn none
 ip-address none
 subject-name CN=user1@iteachs.com
 revocation-check none
 rsakeypair user1@iteachs.com
 auto-enroll
 hash sha512

# IOS issues the user certificate automatically at this point; if it is not issued automatically, issue it manually as follows.
crypto pki authenticate user1@iteachs.com
crypto pki enroll user1@iteachs.com

# list the pending enrolment requests on the certificate server
do show crypto pki server ca.iteachs.com requests

# grant the user's request, request number 1 here (in this case it had already been granted automatically)
do crypto pki server ca.iteachs.com grant 1

# export the certificate for the client machine, and back it up to local flash
crypto pki export user1@iteachs.com pkcs12 tftp://192.168.100.100/user.pfx password <password>
crypto pki export user1@iteachs.com pkcs12 bootflash0:/user.pfx password <password>

# after exporting, remove the user certificate and key from the router; otherwise the client will not be able to connect
crypto key zeroize rsa user1@iteachs.com

no crypto pki trustpoint user1@iteachs.com

Loading the certificate on the client
Double-click the exported file on the client, enter the export password, and accept the defaults to import the certificate.
The client now has both the user certificate and the root certificate.
Client settings
Because the HTTP server is enabled on IOS, the portal check must be disabled on the client; otherwise the AnyConnect client shows a "webauth required" prompt and the connection fails.
After confirming, save the profile file under "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\".

The client then connects successfully.

Device information:
csr1kv#show version
Cisco IOS XE Software, Version 16.03.07
Cisco IOS Software [Denali], CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.7, RELEASE SOFTWARE (fc4)
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Sat 04-Aug-18 00:29 by mcpre

ROM: IOS-XE ROMMON

csr1kv uptime is 18 hours, 29 minutes
Uptime for this control processor is 18 hours, 30 minutes
System returned to ROM by reload
System restarted at 15:21:45 Beijing Thu Dec 13 2018
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 1077534K/3075K bytes of memory.
Processor board ID 9KK51W8HWKD
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3019320K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of  at webui:.

Configuration register is 0x2102


Checking the IKEv2 status
csr1kv#show crypto pki server ca.iteachs.com
Certificate Server ca.iteachs.com:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=ca.iteachs.com
    CA cert fingerprint: 2B899259 B3633B31 7B4F6EC8 5673CF49
    Granting mode is: auto
    Last certificate issued serial number (hex): 3
    CA certificate expiration timer: 16:06:38 Beijing Dec 10 2028
    CRL NextUpdate timer: 10:06:11 Beijing Dec 14 2018
    Current primary storage dir: nvram:
    Database Level: Names - subject name data written as <serialnum>.cnm
    Auto-Rollover configured, overlap period 365 days
    Autorollover timer: 16:06:37 Beijing Dec 11 2027
csr1kv#
csr1kv#show crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=ca.iteachs.com
  Subject:
    Name: csr1kv
    IP Address: 202.100.1.100
    hostname=csr1kv+ipaddress=202.100.1.100
    cn=csr1kv.iteachs.com
  Validity Date:
    start date: 16:09:47 Beijing Dec 13 2018
    end  date: 16:06:38 Beijing Dec 10 2028
  Associated Trustpoints: csr1kv.iteachs.com
  Storage: nvram:caiteachscom#2.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=ca.iteachs.com
  Subject:
    cn=ca.iteachs.com
  Validity Date:
    start date: 16:06:38 Beijing Dec 13 2018
    end  date: 16:06:38 Beijing Dec 10 2028
  Associated Trustpoints: csr1kv.iteachs.com ca.iteachs.com
  Storage: nvram:caiteachscom#1CA.cer

Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    hostname=csr1kv
    cn=csr1kv.local
  Subject:
    Name: csr1kv
    hostname=csr1kv
    cn=csr1kv.local
  Validity Date:
    start date: 15:54:32 Beijing Dec 13 2018
    end  date: 08:00:00 Beijing Jan 1 2020
  Associated Trustpoints: csr1kv.local
  Storage: nvram:csr1kv#1.cer


csr1kv#
csr1kv#show crypto pki certificates verbose
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=ca.iteachs.com
  Subject:
    Name: csr1kv
    IP Address: 202.100.1.100
    hostname=csr1kv+ipaddress=202.100.1.100
    cn=csr1kv.iteachs.com
  Validity Date:
    start date: 16:09:47 Beijing Dec 13 2018
    end  date: 16:06:38 Beijing Dec 10 2028
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (4096 bit)
  Signature Algorithm: SHA512 with RSA Encryption
  Fingerprint MD5: EC54CC31 8584913F 5F8C3951 C09A5AD3
  Fingerprint SHA1: 1EB1857E C7BCB608 A743BD94 FBD0C395 8F042FFF
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: 5ACF0D3F 6996EE9E AC6D842B D725ACA8 98899B29

    X509v3 Authority Key ID: 4BB7BF0A F382CCDE A847B5F5 542BC799 132F9089
    Authority Info Access:
    Extended Key Usage:
        Client Auth
        Server Auth
  Associated Trustpoints: csr1kv.iteachs.com
  Storage: nvram:caiteachscom#2.cer
  Key Label: csr1kv.iteachs.com
  Key storage device: private config

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=ca.iteachs.com
  Subject:
    cn=ca.iteachs.com
  Validity Date:
    start date: 16:06:38 Beijing Dec 13 2018
    end  date: 16:06:38 Beijing Dec 10 2028
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (4096 bit)
  Signature Algorithm: SHA512 with RSA Encryption
  Fingerprint MD5: 2B899259 B3633B31 7B4F6EC8 5673CF49
  Fingerprint SHA1: E46666A0 C79B941C 14F51042 184E7C2D 8EE08E0F
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 4BB7BF0A F382CCDE A847B5F5 542BC799 132F9089
    X509v3 Basic Constraints:
        CA: TRUE

    X509v3 Authority Key ID: 4BB7BF0A F382CCDE A847B5F5 542BC799 132F9089
    Authority Info Access:
  Associated Trustpoints: csr1kv.iteachs.com ca.iteachs.com
  Storage: nvram:caiteachscom#1CA.cer

Router Self-Signed Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    hostname=csr1kv
    cn=csr1kv.local
  Subject:
    Name: csr1kv
    hostname=csr1kv
    cn=csr1kv.local
  Validity Date:
    start date: 15:54:32 Beijing Dec 13 2018
    end  date: 08:00:00 Beijing Jan 1 2020
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (4096 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 3727293A 4A97EC99 D80CE5AD F12CE209
  Fingerprint SHA1: 70959153 505DFF3A 3F266712 49EC90E6 D494575D
  X509v3 extensions:
    X509v3 Subject Key ID: A31844D0 FDDD84F5 7416513B 15475ECC 51BF284F
    X509v3 Basic Constraints:
        CA: TRUE

    X509v3 Authority Key ID: A31844D0 FDDD84F5 7416513B 15475ECC 51BF284F
    Authority Info Access:
  Associated Trustpoints: csr1kv.local
  Storage: nvram:csr1kv#1.cer


csr1kv#
csr1kv#show crypto ikev2 session detailed
IPv4 Crypto IKEv2 Session

Session-id:12,Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         202.100.1.100/4500    192.168.100.100/53321 none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/61 sec
      CE id: 1025, Session-id: 12
      Status Description: Negotiation done
      Local spi: C36E62B63C53AC2F       Remote spi: 28A069048829B80A
      Local id: hostname=csr1kv+ipaddress=202.100.1.100,cn=csr1kv.iteachs.com
      Remote id: cn=user1@iteachs.com
      Local req msg id:  0             Remote req msg id:  3         
      Local next msg id: 0              Remote next msg id: 3         
      Local req queued:  0             Remote req queued:  3         
      Local window:      5              Remote window:      1        
      DPD configured for 60 seconds, retry 2
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is detected  outside
      Cisco Trust Security SGT is disabled
      Assigned host addr: 30.1.1.12
      Initiator of SA : No
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 30.1.1.12/0 - 30.1.1.12/65535
          ESP spi in/out: 0xDCEA552E/0xBB95F31B
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

IPv6 Crypto IKEv2 Session

csr1kv#
csr1kv#show crypto ipsec sa

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 202.100.1.100

   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (30.1.1.12/255.255.255.255/0/0)
   current_peer 192.168.100.100 port 53321
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 88, #pkts decrypt: 88, #pkts verify: 88
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.100.1.100, remote crypto endpt.: 192.168.100.100
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xBB95F31B(3147166491)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDCEA552E(3706344750)
        transform: esp-256-aes esp-sha256-hmac,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2023, flow_id: CSR:23, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4607990/3532)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB95F31B(3147166491)
        transform: esp-256-aes esp-sha256-hmac,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2024, flow_id: CSR:24, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4607999/3532)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
csr1kv#
csr1kv#show crypto ikev2 sa
IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         202.100.1.100/4500    192.168.100.100/53321 none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/84 sec

IPv6 Crypto IKEv2  SA

csr1kv#

csr1kv#

When I have time I will look into the IKEv2 connection with the built-in Windows client.


Related links:
[Original] IOS-XE Remote Access, Part 1: SSL VPN
[Original] IOS-XE Remote Access, Part 2: AnyConnect-EAP
[Original] IOS-XE Remote Access, Part 4: DMVPN with OpenWrt

Original poster | Posted on 2018-12-28 14:46:12
A couple of important points that I am putting here in the first reply:
1. When HTTP is enabled, the dial-in shows a web auth request and fails; the web auth option has to be disabled in the profile, as already explained in the post.
2. After the device reloads, or before the time is synchronised, the time is prefixed with a * sign, so after a reload the CA server cannot start and the VPN connection fails. The clock calendar-valid command needs to be added.
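As an added example that is not part of either post, the script below parses the text of `show crypto pki certificates verbose` (in the format shown in the thread) and a `show clock` line, and flags the conditions the two posts call out: a router certificate missing the Client Auth or Server Auth EKU, an issuer CN that does not match the certificate map, a clock outside the certificate's validity window, and a non-authoritative clock (the leading `*` the reply mentions). The sample certificate text is constructed from the output above, and the function names are chosen here.

```python
from datetime import datetime

def parse_certificates(show_output):
    certs, section, ext = [], None, None     # one dict per certificate block
    for raw in filter(str.strip, show_output.splitlines()):
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if indent == 0:                      # "Certificate", "CA Certificate", ...
            certs.append(cert := {"type": line, "issuer": {}, "eku": [], "valid": {}})
        elif indent == 2:                    # section header such as "Issuer:"
            section, ext = line.partition(":")[0], None
        elif section == "Issuer" and "=" in line:
            k, _, v = line.partition("=")    # e.g. cn=ca.iteachs.com
            cert["issuer"][k.lower()] = v
        elif section == "Validity Date":     # "start date: 16:09:47 Beijing Dec 13 2018"
            k, _, v = line.partition(":")
            t, _tz, mon, day, year = v.split()
            cert["valid"][k.split()[0]] = datetime.strptime(f"{t} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        elif section == "X509v3 extensions":
            if indent == 4:                  # extension name, e.g. "Extended Key Usage:"
                ext = line.partition(":")[0]
            elif ext == "Extended Key Usage":
                cert["eku"].append(line)     # "Client Auth" / "Server Auth"
    return certs

def ikev2_cert_problems(cert, map_issuer_cn, now):
    """Conditions the thread identifies as breaking AnyConnect IKEv2 RSA-sig auth."""
    problems = [f"EKU missing {u}" for u in ("Client Auth", "Server Auth") if u not in cert["eku"]]
    if cert["issuer"].get("cn", "").lower() != map_issuer_cn.lower():
        problems.append("issuer CN does not match the certificate map")
    if not cert["valid"]["start"] <= now <= cert["valid"]["end"]:
        problems.append("outside validity window (check NTP/clock)")
    return problems

def clock_is_authoritative(show_clock_output):
    # IOS prefixes `show clock` with '*' while the time is not authoritative (e.g. after a reload, before NTP sync)
    return not show_clock_output.strip().startswith("*")

# Constructed sample, trimmed from the router certificate shown in the thread
SAMPLE = """\
Certificate
  Issuer:
    cn=ca.iteachs.com
  Validity Date:
    start date: 16:09:47 Beijing Dec 13 2018
    end  date: 16:06:38 Beijing Dec 10 2028
  X509v3 extensions:
    Extended Key Usage:
        Client Auth
        Server Auth
"""
```

Run `ikev2_cert_problems(parse_certificates(SAMPLE)[0], "ca.iteachs.com", now)` with the router's current time; an empty list means the certificate satisfies the checks the thread relies on.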