I am trying to set up an IPsec IKEv2 tunnel whose local authentication mechanism is based on RSA. To that end I set up a trustpoint and obtained a signed certificate for this setup.
The import succeeded; however, when the StrongSwan Android client tries to open the connection, IOS complains that it cannot get the private RSA key and the connection fails.
Any clue as to what is implemented wrongly?
Some useful output:
Commands used to create the trustpoint:
crypto key generate rsa exportable label ipsec modulus 2048
crypto ca trustpoint tp_ipsec_2017
enrollment terminal pem
crl optional
fqdn rtr.example.net
rsakeypair ipsec
subject-name C=BE,ST=city,L=area,O=Private,OU=Familly,CN=rtr.example.net
crypto ca enroll tp_ipsec_2017
! save the csr and submit to CA
crypto ca authenticate tp_ipsec_2017
! paste the ca bundle crt
crypto ca import tp_ipsec_2017 certificate
! paste the site crt
sh crypto pki trustpoints status:
rtr01#sh crypto pki trustpoints status
Trustpoint tp_ipsec_2017:
Issuing CA certificate configured:
Subject Name:
cn=COMODO RSA Domain Validation Secure Server CA,o=COMODO CA Limited,l=Salford,st=Greater Manchester,c=GB
Fingerprint MD5: 83E10465 B722EF33 FF0B6F53 5E8D996B
Fingerprint SHA1: 339CDD57 CFD5B141 169B615F F3142878 2D1DA639
Router General Purpose certificate configured:
Subject Name:
cn=rtr.example.net,ou=PositiveSSL,ou=Domain Control Validated
Fingerprint MD5: 6212CDAA 4DA68FF0 AE96F78A 315CC4F7
Fingerprint SHA1: A038723A 42EEB9D1 735F65FE 8F7C369B F6DFDD81
State:
Keys generated ............. Yes (General Purpose, exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes
sh log:
000399: Jul 19 20:20:21.846: IKEv2:Received Packet [From 94.109.21.28:3148/To 67.209.124.251:500/VRF i0:f0]
Initiator SPI : 5369918ED0805852 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)
000400: Jul 19 20:20:21.846: IKEv2:(SESSION ID = 8,SA ID = 1):Verify SA init message
000401: Jul 19 20:20:21.846: IKEv2:(SESSION ID = 8,SA ID = 1):Insert SA
000402: Jul 19 20:20:21.846: IKEv2:Searching Policy with fvrf 0, local address 67.209.124.251
000403: Jul 19 20:20:21.846: IKEv2:Found Policy 'ikev2-policy'
000404: Jul 19 20:20:21.846: IKEv2:(SESSION ID = 8,SA ID = 1):Processing IKE_SA_INIT message
000405: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
000406: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp_ipsec_2017'
000407: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
000408: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
000409: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
000410: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
000411: Jul 19 20:20:21.850: IKEv2:(SESSION ID = 8,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
000412: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
000413: Jul 19 20:20:21.850: IKEv2:(SESSION ID = 8,SA ID = 1):Request queued for computation of DH key
000414: Jul 19 20:20:21.850: IKEv2:(SESSION ID = 8,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
000415: Jul 19 20:20:21.862: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
000416: Jul 19 20:20:21.862: IKEv2:(SESSION ID = 8,SA ID = 1):Request queued for computation of DH secret
000417: Jul 19 20:20:21.862: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
000418: Jul 19 20:20:21.862: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
000419: Jul 19 20:20:21.862: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
000420: Jul 19 20:20:21.862: IKEv2:(SESSION ID = 8,SA ID = 1):Generating IKE_SA_INIT message
000421: Jul 19 20:20:21.862: IKEv2:(SESSION ID = 8,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
000422: Jul 19 20:20:21.862: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
000423: Jul 19 20:20:21.862: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp_ipsec_2017'
000424: Jul 19 20:20:21.862: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
000425: Jul 19 20:20:21.862: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
000426: Jul 19 20:20:21.862: IKEv2:(SESSION ID = 8,SA ID = 1):Sending Packet [To 94.109.21.28:3148/From 67.209.124.251:500/VRF i0:f0]
Initiator SPI : 5369918ED0805852 - Responder SPI : 33466755FF746037 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
000427: Jul 19 20:20:21.862: IKEv2:(SESSION ID = 8,SA ID = 1):Completed SA init exchange
000428: Jul 19 20:20:21.862: IKEv2:(SESSION ID = 8,SA ID = 1):Starting timer (30 sec) to wait for auth message
000429: Jul 19 20:20:21.910: IKEv2:(SESSION ID = 8,SA ID = 1):Received Packet [From 94.109.21.28:3863/To 67.209.124.251:500/VRF i0:f0]
Initiator SPI : 5369918ED0805852 - Responder SPI : 33466755FF746037 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi NOTIFY(INITIAL_CONTACT) CFG NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr NOTIFY(Unknown - 16396) NOTIFY(Unknown - 16399) NOTIFY(Unknown - 16417) NOTIFY(Unknown - 16420)
000430: Jul 19 20:20:21.910: IKEv2:(SESSION ID = 8,SA ID = 1):Stopping timer to wait for auth message
000431: Jul 19 20:20:21.910: IKEv2:(SESSION ID = 8,SA ID = 1):Checking NAT discovery
000432: Jul 19 20:20:21.910: IKEv2:(SESSION ID = 8,SA ID = 1):NAT OUTSIDE found
000433: Jul 19 20:20:21.910: IKEv2:(SESSION ID = 8,SA ID = 1):NAT detected float to init port 3863, resp port 4500
000434: Jul 19 20:20:21.910: IKEv2:(SESSION ID = 8,SA ID = 1):Searching policy based on peer's identity 'barbara' of type 'FQDN'
000435: Jul 19 20:20:21.914: IKEv2:found matching IKEv2 profile 'ikev2-profile'
000436: Jul 19 20:20:21.914: IKEv2:Searching Policy with fvrf 0, local address 67.209.124.251
000437: Jul 19 20:20:21.914: IKEv2:Found Policy 'ikev2-policy'
000438: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Verify peer's policy
000439: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Peer's policy verified
000440: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Check for EAP exchange
000441: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Generate my authentication data
000442: Jul 19 20:20:21.914: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
000443: Jul 19 20:20:21.914: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
000444: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Get my authentication method
000445: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):My authentication method is 'RSA'
000446: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Sign authentication data
000447: Jul 19 20:20:21.914: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
000448: Jul 19 20:20:21.914: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key FAILED
000449: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):: Failed to generate auth data: Failed to sign data
000450: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Verification of peer's authentication data FAILED
000451: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Sending authentication failure notify
000452: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
000453: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Sending Packet [To 94.109.21.28:3863/From 67.209.124.251:4500/VRF i0:f0]
Initiator SPI : 5369918ED0805852 - Responder SPI : 33466755FF746037 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
000454: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Auth exchange failed
000455: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):: Auth exchange failed
000456: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Abort exchange
000457: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Deleting SA
000458: Jul 19 20:20:21.914: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
000459: Jul 19 20:20:21.914: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
000460: Jul 19 20:30:36 CET: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (IPV6)
Running config:
Current configuration : 21755 bytes
!
! Last configuration change at 20:30:36 CET Thu Jul 19 2018 by admin
! NVRAM config last updated at 20:30:43 CET Thu Jul 19 2018 by admin
! NVRAM config last updated at 20:30:43 CET Thu Jul 19 2018 by admin
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr01
!
boot-start-marker
boot system flash c800-universalk9-mz.SPA.153-3.M10.bin
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
!
aaa new-model
!
!
aaa group server radius nas
server name nas
!
aaa authentication enable default none
aaa authorization exec default none
aaa authorization commands 0 default none
aaa authorization commands 15 default none
aaa authorization network default if-authenticated
aaa authorization network ikev2_author_local if-authenticated
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CET 1 0
!
crypto pki trustpoint tp_ipsec_2017
enrollment terminal pem
fqdn rtr.example.net
subject-name C=BE,ST=City,L=Area,O=Private,OU=Familly,CN=rtr.example.net
revocation-check none
rsakeypair ipsec
!
!
crypto pki certificate chain tp_ipsec_2017
certificate 4C0299EF6970C3E2E975E30FE1430091
REMOVED_CERT
quit
certificate ca 2B2E6EEAD975366C148A6EDBA37C8C07
COMMODO_BUNDLE_CA
quit
no ip source-route
!
!
!
!
!
ip dhcp bootp ignore
!
ip dhcp pool 192.168.11.0/24
relay source 192.168.11.0 255.255.255.0
relay destination 192.168.10.5
!
ip dhcp pool 192.168.12.0/24
relay source 192.168.12.0 255.255.255.0
relay destination 192.168.10.5
!
!
!
no ip bootp server
ip domain name example.net
ip name-server 192.168.10.5
ip multicast-routing
ip cef
ip wccp check services all
ip wccp source-interface Vlan10
ip wccp web-cache redirect-list acl4_out_wccp group-list acl4_wccp_servers
ip wccp 70 redirect-list acl4_out_wccp group-list acl4_wccp_servers
ipv6 unicast-routing
ipv6 cef
ipv6 wccp check services all
ipv6 wccp source-interface Vlan10
ipv6 wccp web-cache redirect-list acl6_out_wccp group-list acl4_wccp_servers
ipv6 wccp 70 redirect-list acl6_out_wccp group-list acl4_wccp_servers
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C897VA-K9 sn REMOVED
!
!
object-group network grp_passthrough_from
host 192.168.11.10
host 192.168.11.9
!
object-group network grp_passthrough_to
host 8.8.8.8
host 8.8.4.4
!
username admin privilege 15 password 7 REMOVED
!
crypto ikev2 authorization policy ikev2-auth-policy
pool pool4-ipsec
dns 192.168.10.5
def-domain example.net
route set remote ipv4 0.0.0.0 0.0.0.0
!
crypto ikev2 proposal ikev2-proposal
encryption aes-cbc-128 aes-cbc-256
integrity sha256
group 2 15 16 19 20 21
!
crypto ikev2 policy ikev2-policy
proposal ikev2-proposal
!
!
crypto ikev2 profile ikev2-profile
match identity remote any
identity local fqdn rtr.example.net
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint tp_ipsec_2017
aaa authentication eap radius
aaa authorization group eap list ikev2_author_local ikev2-auth-policy
aaa authorization user eap cached
virtual-template 1
!
!
!
controller VDSL 0
shutdown
!
!
!
!
crypto ipsec transform-set ipsec-transform esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
crypto ipsec profile ipsec-profile
set transform-set ipsec-transform
set ikev2-profile ikev2-profile
!
!
!
!
!
!
!
interface Loopback20
description Internal Users IPSec
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp web-cache redirect in
ip wccp 70 redirect in
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly in
ipv6 address IPV6_PREFIX:403::1/64
ipv6 enable
ipv6 wccp web-cache redirect in
ipv6 wccp 70 redirect in
ipv6 traffic-filter acl6_in_users in
ipv6 traffic-filter acl6_out_users out
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface Ethernet0
no ip address
shutdown
!
interface Ethernet0.10
description pppoe vdsl0 to bridge 1
encapsulation dot1Q 10
ip nat outside
ip virtual-reassembly in
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
description Access Point
switchport trunk native vlan 11
switchport trunk allowed vlan 1,2,11,12,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet1
description NAS
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
switchport access vlan 11
no ip address
shutdown
!
interface GigabitEthernet3
switchport access vlan 11
no ip address
shutdown
!
interface GigabitEthernet4
description Xbox One
switchport access vlan 11
no ip address
spanning-tree portfast
!
interface GigabitEthernet5
description LG TV
switchport access vlan 11
no ip address
spanning-tree portfast
!
interface GigabitEthernet6
switchport access vlan 11
no ip address
shutdown
!
interface GigabitEthernet7
switchport access vlan 12
no ip address
shutdown
!
interface GigabitEthernet8
description modem
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback20
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description DMZ LAN
ip address 192.168.10.1 255.255.255.0
ip access-group acl4_in_dmz in
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly in
ipv6 address FE80::2000:1 link-local
ipv6 address IPV6_PREFIX:400::1/64
ipv6 enable
ipv6 traffic-filter acl6_in_dmz in
ipv6 traffic-filter acl6_out_dmz out
!
interface Vlan11
description Internal Users
ip address 192.168.11.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp web-cache redirect in
ip wccp 70 redirect in
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly in
ipv6 address IPV6_PREFIX:402::1/64
ipv6 enable
ipv6 wccp web-cache redirect in
ipv6 wccp 70 redirect in
ipv6 traffic-filter acl6_in_users in
ipv6 traffic-filter acl6_out_users out
!
interface Vlan12
description Guest Users
ip address 192.168.12.1 255.255.255.0
ip access-group acl4_in_guests in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
rate-limit input 1024000 192000 384000 conform-action continue exceed-action drop
rate-limit output 10024000 1879500 3759000 conform-action continue exceed-action drop
ipv6 address IPV6_PREFIX:405::1/64
ipv6 enable
ipv6 traffic-filter acl6_in_guests in
ipv6 traffic-filter acl6_out_guests out
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ipv6 address FE80::10 link-local
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd prefix_wan
ppp authentication pap chap callin
ppp chap hostname username@ISP
ppp chap password 7 REMOVED
ppp direction callout
ppp pap sent-username username@ISP password 7 REMOVED
ppp ipcp header-compression ack
ppp ipcp dns request accept
ppp ipcp address accept
no cdp enable
!
ip local pool pool4-ipsec 192.168.20.10 192.168.20.100
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 192.168.10.5 25 interface Dialer1 25
ip nat inside source static tcp 192.168.10.5 80 interface Dialer1 80
ip nat inside source static tcp 192.168.10.5 465 interface Dialer1 465
ip nat inside source static tcp 192.168.10.5 587 interface Dialer1 587
ip nat inside source static tcp 192.168.10.5 873 interface Dialer1 873
ip nat inside source static tcp 192.168.10.5 993 interface Dialer1 993
ip nat inside source static tcp 192.168.10.5 5001 interface Dialer1 5001
ip nat inside source static tcp 192.168.10.5 5006 interface Dialer1 5006
ip nat inside source static tcp 192.168.10.5 6690 interface Dialer1 6690
ip nat inside source static tcp 192.168.10.5 6881 interface Dialer1 6881
ip nat inside source static tcp 192.168.10.5 8444 interface Dialer1 8444
ip nat inside source static tcp 192.168.10.5 16881 interface Dialer1 16881
ip nat inside source static tcp 192.168.10.5 38443 interface Dialer1 38443
ip nat inside source static tcp 192.168.10.5 41988 interface Dialer1 41988
ip nat inside source static udp 192.168.10.5 6881 interface Dialer1 6881
ip nat inside source static tcp 192.168.10.5 443 interface Dialer1 443
ip nat inside source static tcp 192.168.11.9 3074 interface Dialer1 3074
ip nat inside source static udp 192.168.11.9 88 interface Dialer1 88
ip nat inside source static udp 192.168.11.9 3544 interface Dialer1 3544
ip nat inside source static udp 192.168.11.9 3074 interface Dialer1 3074
ip nat inside source list acl4_nat_allowed interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.10.192 255.255.255.192 192.168.10.5
ip ssh version 2
!
ip access-list extended acl4_in_dmz
permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1
permit tcp any any established
permit udp 192.168.10.0 0.0.0.255 eq domain ntp 1812 bootps bootpc 192.168.0.0 0.0.255.255
deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended acl4_in_guests
permit ip any host 255.255.255.255
permit ip any host 192.168.12.1
permit udp any host 192.168.10.5 eq domain bootps bootpc
deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended acl4_nat_allowed
permit icmp any any
permit udp any any gt 1024
permit tcp any any gt 1024
permit ip any object-group grp_passthrough_to
permit ip object-group grp_passthrough_from any
deny ip 192.168.11.0 0.0.0.255 any log
deny ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl4_out_wccp
deny ip any object-group grp_passthrough_to
deny ip object-group grp_passthrough_from any
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl4_ssh_allowed
permit ip 192.168.0.0 0.0.255.255 any
deny ip any any
ip access-list extended acl4_wccp_servers
permit ip 192.168.10.192 0.0.0.63 any
!
ip radius source-interface Vlan10
ip access-list logging interval 10
kron occurrence backup at 0:30 1 recurring
policy-list backup
!
kron policy-list backup
cli copy running-config tftp://192.168.10.5/rtr01.txt
!
ipv6 route IPV6_PREFIX:400:FFFF:FFFF::/96 IPV6_PREFIX:400:211:32FF:FE92:491D
!
!
radius server nas
address ipv4 192.168.10.5 auth-port 1812 acct-port 1813
key 7 REMOVED
!
!
!
ipv6 access-list acl6_in_dmz
permit icmp any any
sequence 15 permit tcp any any established
sequence 16 deny ipv6 IPV6_PREFIX:400::/64 IPV6_PREFIX:400::/56
sequence 40 permit ipv6 IPV6_PREFIX:400::/64 any
!
ipv6 access-list acl6_in_guests
sequence 100 deny ipv6 IPV6_PREFIX:405::/64 IPV6_PREFIX:400::/62
permit ipv6 any any
!
ipv6 access-list acl6_in_users
sequence 5 permit icmp any any
sequence 10 permit tcp any any established
permit ipv6 IPV6_PREFIX:402::/63 IPV6_PREFIX:400::/62
sequence 25 permit tcp any any gt 1024
sequence 26 permit udp any any gt 1024
sequence 30 deny ipv6 any any
!
ipv6 access-list acl6_out_dmz
permit icmp any any
sequence 11 permit ipv6 IPV6_PREFIX:402::/63 IPV6_PREFIX:400::/64
permit ipv6 any host IPV6_PREFIX:400:211:32FF:FE92:491D
sequence 25 permit tcp any any established
sequence 30 deny ipv6 any any
!
ipv6 access-list acl6_out_guests
permit icmp any any
deny ipv6 any any
permit tcp any any established
!
ipv6 access-list acl6_out_users
sequence 5 permit icmp any any
sequence 10 permit tcp any any established
sequence 60 deny ipv6 any any
!
ipv6 access-list acl6_ssh_allowed
sequence 30 permit tcp IPV6_PREFIX:402::/63 any eq 22
deny ipv6 any any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
vstack
alias exec sri show run interface
alias exec sid show int desc
!
line con 0
exec-timeout 30 0
password 7 REMOVED
logging synchronous
no modem enable
line aux 0
line vty 0 4
session-timeout 30
access-class acl4_ssh_allowed in
exec-timeout 30 0
ipv6 access-class acl6_ssh_allowed in
logging synchronous
length 0
transport input ssh
line vty 5 15
session-timeout 30
access-class acl4_ssh_allowed in
exec-timeout 30 0
ipv6 access-class acl6_ssh_allowed in
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
ntp source Dialer1
ntp master 3
ntp update-calendar
ntp server ip europe.pool.ntp.org
ntp server ipv6 be.pool.ntp.org prefer
sh crypto key mypubkey rsa:
rtr01#sh crypto key mypubkey rsa
% Key pair was generated at: 20:06:49 CET Jul 19 2018
Key name: ipsec
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is exportable.
Key Data:
DATA
% Key pair was generated at: 20:06:49 CET Jul 19 2018
Key name: ipsec.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
KEY_DATA
rtr01#
rtr01#show crypto key storage
Default keypair storage device has not been set
Keys will be stored in NVRAM private config
sh crypto pki certificates:
rtr01#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 4C0299EF6970C3E2E975E30FE1430091
Certificate Usage: General Purpose
Issuer:
cn=COMODO RSA Domain Validation Secure Server CA
o=COMODO CA Limited
l=Salford
st=Greater Manchester
c=GB
Subject:
Name: rtr.example.net
cn=rtr.example.net
ou=PositiveSSL
ou=Domain Control Validated
CRL Distribution Points:
http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Validity Date:
start date: 01:00:00 CET Jul 19 2018
end date: 00:59:59 CET Sep 29 2020
Associated Trustpoints: tp_ipsec_2017
Storage: nvram:COMODORSADom#91.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 2B2E6EEAD975366C148A6EDBA37C8C07
Certificate Usage: Signature
Issuer:
cn=COMODO RSA Certification Authority
o=COMODO CA Limited
l=Salford
st=Greater Manchester
c=GB
Subject:
cn=COMODO RSA Domain Validation Secure Server CA
o=COMODO CA Limited
l=Salford
st=Greater Manchester
c=GB
CRL Distribution Points:
http://crl.comodoca.com/COMODORSACertificationAuthority.crl
Validity Date:
start date: 01:00:00 CET Feb 12 2014
end date: 00:59:59 CET Feb 12 2029
Associated Trustpoints: tp_ipsec_2017
Storage: nvram:COMODORSACer#8C07CA.cer
sh version:
rtr01>sh ver
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Fri 28-Jul-17 15:47 by prod_rel_team
ROM: System Bootstrap, Version 15.2(3r)XC, RELEASE SOFTWARE (fc1)
rtr01 uptime is 4 days, 14 hours, 24 minutes
System returned to ROM by power-on
System restarted at 06:13:12 CET Mon Jul 16 2018
System image file is "flash:c800-universalk9-mz.SPA.153-3.M10.bin"
Last reload type: Normal Reload
Last reload reason: power-on
Cisco C897VA-K9 (revision 1.0) with 472064K/52224K bytes of memory.
Processor board ID FGL204825EN
1 DSL controller
1 Ethernet interface
9 Gigabit Ethernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 32 bits wide
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash (Read/Write)
License Information for 'c800'
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices
Configuration register is 0x2102
sh log (crypto pki debug):
000481: Jul 21 10:18:51.630: CRYPTO_PKI: (A000E) Session started - identity not specified
000482: Jul 21 10:18:51.706: CRYPTO_PKI: Rcvd request to end PKI session A000E.
000483: Jul 21 10:18:51.706: CRYPTO_PKI: PKI session A000E has ended. Freeing all resources
sh crypto ikev2 diagnose error:
rtr01#sh crypto ikev2 diagnose error
Exit Path Table - status: enable, current entry 2, deleted 0, max allow 50
Error(1): Expected keypair is unavailable
-Traceback= 689743Cz 60A1280z 604F908z 60BA3C4z 6043484z 6047660z 6047AF8z 60852E0z 6085368z 6054F80z 60A6888z 5CA00E8z 5C873BCz
Error(1): Detected NAT-d hash doesn't match
-Traceback= 689743Cz 60A1280z 604F908z 6063C1Cz 60661A8z 60437C8z 6047660z 6047AF8z 60852E0z 6085368z 6054F80z 60A6888z 5CA00E8z 5C873BCz
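As an added example (not code from the question or from Cisco), a small Python triage script for Cisco IOS IKEv2 debug output of the kind quoted above: it pairs each [IKEv2 -> PKI] request with the [PKI -> IKEv2] reply that follows it, records the local authentication method and the peer identity, and reports whether the local rsa-sig authentication failed because the PKI subsystem returned no private key for the trustpoint. The sample log is a constructed subset of the lines in the question; the regexes assume the message formats shown there.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of the IKEv2 debug lines quoted in the question.
SAMPLE_LOG = """\
000405: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
000406: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp_ipsec_2017'
000409: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
000410: Jul 19 20:20:21.850: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
000434: Jul 19 20:20:21.910: IKEv2:(SESSION ID = 8,SA ID = 1):Searching policy based on peer's identity 'barbara' of type 'FQDN'
000445: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):My authentication method is 'RSA'
000447: Jul 19 20:20:21.914: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
000448: Jul 19 20:20:21.914: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key FAILED
000451: Jul 19 20:20:21.914: IKEv2:(SESSION ID = 8,SA ID = 1):Sending authentication failure notify
"""

SA_RE = re.compile(r"SA ID = (?P<sa>\d+)\)")
REQ_RE = re.compile(r"\[IKEv2 -> PKI\] (?P<req>.+)$")
RES_RE = re.compile(r"\[PKI -> IKEv2\] (?P<res>.+?)(?: (?P<status>PASSED|FAILED))?$")
METHOD_RE = re.compile(r"My authentication method is '(?P<m>[^']+)'")
PEER_RE = re.compile(r"peer's identity '(?P<id>[^']+)' of type '(?P<t>[^']+)'")
FAIL_NOTIFY = "Sending authentication failure notify"

@dataclass
class PkiStep:
    request: str  # what IKEv2 asked the PKI subsystem for
    result: str   # what PKI answered
    status: str   # PASSED, FAILED, or INFO when the reply carries no verdict

@dataclass
class AuthTrace:
    sa_id: Optional[str] = None
    peer_identity: Optional[str] = None
    local_auth_method: Optional[str] = None
    pki_steps: list = field(default_factory=list)
    auth_failure_sent: bool = False

    def first_failed_pki_step(self) -> Optional[PkiStep]:
        return next((s for s in self.pki_steps if s.status == "FAILED"), None)

    def local_signing_failed(self) -> bool:
        """True when our own rsa-sig auth broke because PKI returned no private key."""
        step = self.first_failed_pki_step()
        return self.local_auth_method == "RSA" and step is not None and "private key" in step.result.lower()

def parse_ikev2_debug(text: str) -> AuthTrace:
    """Pair each [IKEv2 -> PKI] request with the [PKI -> IKEv2] reply that follows it."""
    trace = AuthTrace()
    pending: Optional[str] = None  # request still waiting for its reply
    for line in text.splitlines():
        if trace.sa_id is None and (m := SA_RE.search(line)):
            trace.sa_id = m.group("sa")
        if m := PEER_RE.search(line):
            trace.peer_identity = f"{m.group('id')} ({m.group('t')})"
        elif m := METHOD_RE.search(line):
            trace.local_auth_method = m.group("m")
        elif m := REQ_RE.search(line):
            pending = m.group("req")
        elif m := RES_RE.search(line):
            trace.pki_steps.append(PkiStep(pending or "?", m.group("res"), m.group("status") or "INFO"))
            pending = None
        elif FAIL_NOTIFY in line:
            trace.auth_failure_sent = True
    return trace

def summarize(trace: AuthTrace) -> str:
    lines = [f"SA {trace.sa_id}: peer {trace.peer_identity}, local auth method {trace.local_auth_method}"]
    lines += [f"  PKI {s.status:<6} {s.request} -> {s.result}" for s in trace.pki_steps]
    if trace.local_signing_failed():
        lines.append("  verdict: local rsa-sig signing failed, PKI handed over no private key for the trustpoint")
    if trace.auth_failure_sent:
        lines.append("  an AUTHENTICATION_FAILED notify was sent to the peer")
    return "\n".join(lines)
```

Running `print(summarize(parse_ikev2_debug(SAMPLE_LOG)))` prints the paired PKI steps and the verdict for the sample; feed it the full `sh log` output to triage a real session.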