I am trying to get an IPSec/IKEv2 setup working; it fails at the private key step (see the logs), even though the key was imported successfully.
Any help or pointers are greatly appreciated :)
Some additional information:
Running config:
aaa new-model
!
!
aaa group server radius nas
server name nas
!
aaa authentication login ipsec-radius group nas
aaa authentication enable default none
aaa authorization exec default none
aaa authorization commands 0 default none
aaa authorization commands 15 default none
aaa authorization network ipsec-local local
!
!
!
crypto pki trustpoint pki_ca_commodo_2017
enrollment terminal pem
revocation-check crl
!
crypto pki trustpoint pki_crt_rtr.example.net_2017
chain-validation continue pki_ca_commodo_2017
revocation-check none
rsakeypair pki_crt_rtr.example.net_2017
!
!
crypto pki certificate chain pki_ca_commodo_2017
certificate ca SN
CRT_CONTENT
quit
crypto pki certificate chain pki_crt_rtr.example.net_2017
certificate ca SN
CRT_CONTENT
quit
no ip source-route
!
!
crypto ikev2 authorization policy crp_ph1_auth
pool pool4-ipsec
dns 192.168.10.5
def-domain example.net
!
crypto ikev2 proposal crp_ph1_proposal
encryption aes-cbc-256
integrity sha1 sha256
group 2 14 15 16 19
!
crypto ikev2 policy crp_ph1_policy
proposal crp_ph1_proposal
!
!
crypto ikev2 profile crp_ph1_profile
match identity remote any
identity local fqdn rtr.example.net
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint pki_crt_rtr.example.net_2017
aaa authentication eap ipsec-radius
aaa authorization group eap list ipsec-local crp_ph1_auth
aaa authorization user eap cached
virtual-template 1
!
!
!
!
crypto ipsec transform-set crp_ph2_ts esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile crp_ph2_profile
set transform-set crp_ph2_ts
set ikev2-profile crp_ph1_profile
!
!
!
!
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback20
ip mtu 1000
tunnel mode ipsec ipv4
tunnel protection ipsec profile crp_ph2_profile
!
!
!
interface Loopback20
description Internal Users IPSec
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp web-cache redirect in
ip wccp 70 redirect in
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly in
ipv6 address IPV6_PREFIX::1/64
ipv6 enable
ipv6 wccp web-cache redirect in
ipv6 wccp 70 redirect in
ipv6 traffic-filter acl6_in_users in
ipv6 traffic-filter acl6_out_users out
ip local pool pool4-ipsec 192.168.20.10 192.168.20.150
!
radius server nas
address ipv4 192.168.10.5 auth-port 1812 acct-port 1813
key 7 SOME_SECRET
sh log:
000735: Jan 28 22:01:50.235: IKEv2:Received Packet [From 178.50.69.206:28781/To WAN_IP:500/VRF i0:f0]
Initiator SPI : 13AF6A7B85A1F8B2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)
000736: Jan 28 22:01:50.235: IKEv2:(SESSION ID = 14,SA ID = 1):Verify SA init message
000737: Jan 28 22:01:50.235: IKEv2:(SESSION ID = 14,SA ID = 1):Insert SA
000738: Jan 28 22:01:50.235: IKEv2:Searching Policy with fvrf 0, local address WAN_IP
000739: Jan 28 22:01:50.235: IKEv2:Found Policy 'crp_ph1_policy'
000740: Jan 28 22:01:50.235: IKEv2:(SESSION ID = 14,SA ID = 1):Processing IKE_SA_INIT message
000741: Jan 28 22:01:50.235: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
000742: Jan 28 22:01:50.235: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'pki_crt_rtr.example.net_2017' 'pki_ca_commodo_2017'
000743: Jan 28 22:01:50.235: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
000744: Jan 28 22:01:50.235: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
000745: Jan 28 22:01:50.235: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
000746: Jan 28 22:01:50.235: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
000747: Jan 28 22:01:50.235: IKEv2:(SESSION ID = 14,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
000748: Jan 28 22:01:50.235: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
000749: Jan 28 22:01:50.235: IKEv2:(SESSION ID = 14,SA ID = 1):Request queued for computation of DH key
000750: Jan 28 22:01:50.235: IKEv2:(SESSION ID = 14,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
000751: Jan 28 22:01:50.247: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
000752: Jan 28 22:01:50.247: IKEv2:(SESSION ID = 14,SA ID = 1):Request queued for computation of DH secret
000753: Jan 28 22:01:50.251: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
000754: Jan 28 22:01:50.251: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
000755: Jan 28 22:01:50.251: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
000756: Jan 28 22:01:50.251: IKEv2:(SESSION ID = 14,SA ID = 1):Generating IKE_SA_INIT message
000757: Jan 28 22:01:50.251: IKEv2:(SESSION ID = 14,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
000758: Jan 28 22:01:50.251: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
000759: Jan 28 22:01:50.251: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'pki_crt_rtr.example.net_2017' 'pki_ca_commodo_2017'
000760: Jan 28 22:01:50.251: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
000761: Jan 28 22:01:50.251: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
000762: Jan 28 22:01:50.251: IKEv2:(SESSION ID = 14,SA ID = 1):Sending Packet [To 178.50.69.206:28781/From WAN_IP:500/VRF i0:f0]
Initiator SPI : 13AF6A7B85A1F8B2 - Responder SPI : 7C8FBD9899854B23 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
000763: Jan 28 22:01:50.251: IKEv2:(SESSION ID = 14,SA ID = 1):Completed SA init exchange
000764: Jan 28 22:01:50.251: IKEv2:(SESSION ID = 14,SA ID = 1):Starting timer (30 sec) to wait for auth message
000765: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Received Packet [From 178.50.69.206:18974/To WAN_IP:500/VRF i0:f0]
Initiator SPI : 13AF6A7B85A1F8B2 - Responder SPI : 7C8FBD9899854B23 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi NOTIFY(INITIAL_CONTACT) CFG NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr NOTIFY(Unknown - 16396) NOTIFY(Unknown - 16399) NOTIFY(Unknown - 16417) NOTIFY(Unknown - 16420)
000766: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Stopping timer to wait for auth message
000767: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Checking NAT discovery
000768: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):NAT OUTSIDE found
000769: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):NAT detected float to init port 18974, resp port 4500
000770: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Searching policy based on peer's identity 'nicolas' of type 'FQDN'
000771: Jan 28 22:01:50.499: IKEv2:found matching IKEv2 profile 'crp_ph1_profile'
000772: Jan 28 22:01:50.499: IKEv2:Searching Policy with fvrf 0, local address WAN_IP
000773: Jan 28 22:01:50.499: IKEv2:Found Policy 'crp_ph1_policy'
000774: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Verify peer's policy
000775: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Peer's policy verified
000776: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Check for EAP exchange
000777: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Generate my authentication data
000778: Jan 28 22:01:50.499: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
000779: Jan 28 22:01:50.499: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
000780: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Get my authentication method
000781: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):My authentication method is 'RSA'
000782: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Sign authentication data
000783: Jan 28 22:01:50.499: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
000784: Jan 28 22:01:50.499: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key FAILED
000785: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):: Failed to generate auth data: Failed to sign data
000786: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Verification of peer's authentication data FAILED
000787: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Sending authentication failure notify
000788: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
000789: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Sending Packet [To 178.50.69.206:18974/From WAN_IP:4500/VRF i0:f0]
Initiator SPI : 13AF6A7B85A1F8B2 - Responder SPI : 7C8FBD9899854B23 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
000790: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Auth exchange failed
000791: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):: Auth exchange failed
000792: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Abort exchange
000793: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Deleting SA
000794: Jan 28 22:01:50.499: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
000795: Jan 28 22:01:50.499: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
sh crypto (pki trustpoints, keys and certificates):
rtr01#sh crypto key mypubkey rsa
% Key pair was generated at: 21:57:36 CET Jan 28 2018
Key name: pki_crt_rtr.example.net_2017
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
STRIPPED_DATA
% Key pair was generated at: 21:57:36 CET Jan 28 2018
Key name: pki_crt_rtr.example.net_2017.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
STRIPPED_DATA
rtr01#
rtr01#
rtr01#sh crypto pki trustpoints status
Trustpoint pki_ca_commodo_2017:
Issuing CA certificate configured:
Subject Name:
cn=COMODO RSA Domain Validation Secure Server CA,o=COMODO CA Limited,l=Salford,st=Greater Manchester,c=GB
Fingerprint MD5: 83E10465 B722EF33 FF0B6F53 5E8D996B
Fingerprint SHA1: 339CDD57 CFD5B141 169B615F F3142878 2D1DA639
State:
Keys generated ............. No
Issuing CA authenticated ....... Yes
Certificate request(s) ..... None
Trustpoint pki_crt_rtr.example.net_2017:
Issuing CA certificate configured:
Subject Name:
cn=COMODO RSA Domain Validation Secure Server CA,o=COMODO CA Limited,l=Salford,st=Greater Manchester,c=GB
Fingerprint MD5: 83E10465 B722EF33 FF0B6F53 5E8D996B
Fingerprint SHA1: 339CDD57 CFD5B141 169B615F F3142878 2D1DA639
Router General Purpose certificate configured:
Subject Name:
cn=rtr.example.net,ou=PositiveSSL,ou=Domain Control Validated
Fingerprint MD5: 423DA121 920A9DF4 16CAB00E 7D18FAF3
Fingerprint SHA1: 7C9D98BC F099DF12 03FA9E59 F5A49562 A0057CC8
State:
Keys generated ............. Yes (General Purpose, non-exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes
rtr01#
rtr01#sh crypto pki certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3903CD8ED57A5EDA411E33F1A1725DE0
Certificate Usage: General Purpose
Issuer:
cn=COMODO RSA Domain Validation Secure Server CA
o=COMODO CA Limited
l=Salford
st=Greater Manchester
c=GB
Subject:
Name: rtr.example.net
cn=rtr.example.net
ou=PositiveSSL
ou=Domain Control Validated
CRL Distribution Points:
http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Validity Date:
start date: 01:00:00 CET Sep 29 2017
end date: 00:59:59 CET Sep 29 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 423DA121 920A9DF4 16CAB00E 7D18FAF3
Fingerprint SHA1: 7C9D98BC F099DF12 03FA9E59 F5A49562 A0057CC8
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 044109EC DD63A6A4 3893B206 6D39CE3F 08E7ABE0
X509v3 Basic Constraints:
CA: FALSE
X509v3 Subject Alternative Name:
www.rtr.example.net rtr.example.net
X509v3 Authority Key ID: 90AF6A3A 945A0BD8 90EA1256 73DF43B4 3A28DAE7
Authority Info Access:
OCSP URL: http://ocsp.comodoca.com
X509v3 CertificatePolicies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.6449.1.2.2.7
Qualifier ID: 1.3.6.1.5.5.7.2.1
Qualifier Info: https://secure.comodo.com/CPS
Extended Key Usage:
Client Auth
Server Auth
Associated Trustpoints: pki_crt_rtr.example.net_2017
Key Label: pki_crt_rtr.example.net_2017
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 2B2E6EEAD975366C148A6EDBA37C8C07
Certificate Usage: Signature
Issuer:
cn=COMODO RSA Certification Authority
o=COMODO CA Limited
l=Salford
st=Greater Manchester
c=GB
Subject:
cn=COMODO RSA Domain Validation Secure Server CA
o=COMODO CA Limited
l=Salford
st=Greater Manchester
c=GB
CRL Distribution Points:
http://crl.comodoca.com/COMODORSACertificationAuthority.crl
Validity Date:
start date: 01:00:00 CET Feb 12 2014
end date: 00:59:59 CET Feb 12 2029
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA384 with RSA Encryption
Fingerprint MD5: 83E10465 B722EF33 FF0B6F53 5E8D996B
Fingerprint SHA1: 339CDD57 CFD5B141 169B615F F3142878 2D1DA639
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 90AF6A3A 945A0BD8 90EA1256 73DF43B4 3A28DAE7
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: BBAF7E02 3DFAA6F1 3C848EAD EE3898EC D93232D4
Authority Info Access:
OCSP URL: http://ocsp.comodoca.com
X509v3 CertificatePolicies:
Policy: 2.23.140.1.2.1
Policy: 2.5.29.32.0
Extended Key Usage:
Client Auth
Server Auth
Associated Trustpoints: pki_crt_rtr.example.net_2017 pki_ca_commodo_2017
Storage: nvram:COMODORSACer#8C07CA.cer
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116837-config-strongswan-ios-00.html
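As an added example (mine, not part of the original post), here is a small Python triage script for IOS "debug crypto ikev2" output of the kind shown above. It walks the exchange, records the first subsystem call that reports FAILED, and separates a local signing failure (the router could not obtain its own private key) from a genuine peer authentication failure, because the later "Verification of peer's authentication data FAILED" line is a consequence of the earlier "[PKI -> IKEv2] Getting of private key FAILED". The embedded sample is an excerpt of the log lines in the post; the regular expressions, the Triage class and the verdict wording are assumptions of this example and target the line format shown here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the IOS "debug crypto ikev2" lines from the post, embedded so the
# script runs offline. Only the IKE_AUTH part that leads to the failure is kept.
SAMPLE_LOG = """\
000765: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Received Packet [From 178.50.69.206:18974/To WAN_IP:500/VRF i0:f0]
Initiator SPI : 13AF6A7B85A1F8B2 - Responder SPI : 7C8FBD9899854B23 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
000776: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Check for EAP exchange
000778: Jan 28 22:01:50.499: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
000779: Jan 28 22:01:50.499: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
000781: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):My authentication method is 'RSA'
000783: Jan 28 22:01:50.499: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
000784: Jan 28 22:01:50.499: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key FAILED
000785: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):: Failed to generate auth data: Failed to sign data
000786: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Verification of peer's authentication data FAILED
000787: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Sending authentication failure notify
000788: Jan 28 22:01:50.499: IKEv2:(SESSION ID = 14,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
"""

# Line shapes assumed from the log format above (this example's own regexes).
SUBSYS_RE = re.compile(r"\[(?P<src>[\w ]+?) -> (?P<dst>[\w ]+?)\] (?P<op>.+?) (?P<result>PASSED|FAILED)$")
EXCH_RE = re.compile(r"^IKEv2 (?P<exch>\w+) Exchange (?P<dir>REQUEST|RESPONSE)$")
AUTHM_RE = re.compile(r"My authentication method is '(?P<method>[^']+)'")
STATE_FAIL_RE = re.compile(r"\):(?P<msg>[^:]+?) FAILED$")
NOTIFY_RE = re.compile(r"NOTIFY\((?P<name>[A-Z_]+)\)")


@dataclass
class Triage:
    auth_method: Optional[str] = None
    exchange: Optional[str] = None        # exchange in progress when the first failure occurred
    failing_subsystem: Optional[str] = None
    first_failure: Optional[str] = None   # operation text of the first FAILED step
    steps_passed_before: int = 0          # subsystem calls that PASSED before the failure
    notifies_sent: List[str] = field(default_factory=list)
    verdict: str = "no failure recorded"


def triage(log: str) -> Triage:
    """Find the first FAILED step in an IKEv2 debug log and classify it."""
    t = Triage()
    exchange = None
    for line in log.splitlines():
        m = EXCH_RE.match(line)
        if m:
            exchange = m.group("exch")
            continue
        m = AUTHM_RE.search(line)
        if m:
            t.auth_method = m.group("method")
            continue
        if t.first_failure is not None:
            # After the first failure only collect what the responder sends back.
            t.notifies_sent.extend(NOTIFY_RE.findall(line))
            continue
        m = SUBSYS_RE.search(line)
        if m:
            if m.group("result") == "PASSED":
                t.steps_passed_before += 1
            else:
                t.first_failure, t.failing_subsystem, t.exchange = m.group("op"), m.group("src"), exchange
            continue
        m = STATE_FAIL_RE.search(line)
        if m:
            t.first_failure, t.failing_subsystem, t.exchange = m.group("msg"), "IKEv2", exchange
    if t.first_failure is None:
        return t
    if t.failing_subsystem == "PKI" and "private key" in t.first_failure:
        t.verdict = ("local signing failure: PKI did not hand IKEv2 the private key bound to the "
                     "trustpoint, so the router could not build its own AUTH payload; the later "
                     "peer-verification failure is a consequence, not the cause")
    elif "peer" in t.first_failure:
        t.verdict = "peer authentication failure: the remote AUTH payload did not verify"
    else:
        t.verdict = f"{t.failing_subsystem} failure: {t.first_failure}"
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"first failure during {result.exchange}: [{result.failing_subsystem}] {result.first_failure}")
    print(result.verdict)
```

Run against the full log in the post, the script reports the PKI private-key step as the first failure during IKE_AUTH and the AUTHENTICATION_FAILED notify as the only thing sent back afterwards, which points the investigation at the responder's own key pair rather than at the peer.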
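A second added example (mine, not from the post), in Python: a cross-check of the three outputs posted above. It ties the trustpoint's rsakeypair to the entries in "show crypto key mypubkey rsa" and to the certificate's Key Label, and flags the conditions under which the PKI subsystem cannot hand IKEv2 a usable private key for rsa-sig: the named pair is missing, is a temporary key, is an encryption-only usage key that cannot sign, or the certificate is bound to a different key label. The sample inputs are constructed excerpts in the format of the outputs above; the parsers and the finding texts are assumptions of this example, and the timestamp comparison is only a warning because a key-pair timestamp later than the certificate's start date does not by itself prove a mismatch.

```python
from datetime import datetime
from typing import Dict, List

# Constructed excerpts in the format of the outputs shown in the post (trimmed,
# key data omitted). The certificate excerpt is the router's own certificate block.
RUNNING_CONFIG = """\
crypto pki trustpoint pki_crt_rtr.example.net_2017
 chain-validation continue pki_ca_commodo_2017
 revocation-check none
 rsakeypair pki_crt_rtr.example.net_2017
!
"""
KEYS_OUTPUT = """\
% Key pair was generated at: 21:57:36 CET Jan 28 2018
Key name: pki_crt_rtr.example.net_2017
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
% Key pair was generated at: 21:57:36 CET Jan 28 2018
Key name: pki_crt_rtr.example.net_2017.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
"""
CERT_OUTPUT = """\
Certificate
Status: Available
start date: 01:00:00 CET Sep 29 2017
end date: 00:59:59 CET Sep 29 2020
Associated Trustpoints: pki_crt_rtr.example.net_2017
Key Label: pki_crt_rtr.example.net_2017
"""


def parse_ios_time(text: str) -> datetime:
    """Parse '21:57:36 CET Jan 28 2018'; the zone token is dropped since strptime cannot read CET."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:1] + parts[2:]), "%H:%M:%S %b %d %Y")


def parse_trustpoint(config: str, name: str) -> Dict[str, str]:
    """Return the sub-commands of one 'crypto pki trustpoint' block (indented or not)."""
    settings, inside = {}, False
    for line in config.splitlines():
        if line.startswith("crypto pki trustpoint "):
            inside = line.split()[-1] == name
            continue
        if not inside:
            continue
        if not line.strip() or line.startswith("!"):
            inside = False
            continue
        keyword, _, value = line.strip().partition(" ")
        settings[keyword] = value
    return settings


def parse_keys(output: str) -> Dict[str, dict]:
    """Index 'show crypto key mypubkey rsa' blocks by key name."""
    keys = {}
    for block in output.split("% Key pair was generated at:")[1:]:
        lines = block.strip().splitlines()
        info = {"generated": parse_ios_time(lines[0].strip()), "temporary": False}
        for line in lines[1:]:
            if line.strip() == "Temporary key":
                info["temporary"] = True
            elif ":" in line:
                k, v = line.split(":", 1)
                info[k.strip().lower()] = v.strip()
        keys[info["key name"]] = info
    return keys


def parse_cert(output: str) -> Dict[str, str]:
    """Flatten the 'field: value' lines of one certificate block."""
    fields = {}
    for line in output.splitlines():
        k, sep, v = line.strip().partition(":")
        if sep and v.strip():
            fields[k.strip().lower()] = v.strip()
    return fields


def check_signing_key(config: str, keys_output: str, cert_output: str, trustpoint: str) -> List[str]:
    """Findings explaining why PKI might refuse to give IKEv2 a private key for rsa-sig."""
    findings = []
    label = parse_trustpoint(config, trustpoint).get("rsakeypair")
    if not label:
        return [f"ERROR: trustpoint '{trustpoint}' has no rsakeypair; cannot tie a key to it from the config"]
    key = parse_keys(keys_output).get(label)
    if key is None:
        return [f"ERROR: rsakeypair '{label}' does not appear in 'show crypto key mypubkey rsa'"]
    cert = parse_cert(cert_output)
    if key["temporary"]:
        findings.append(f"ERROR: '{label}' is a temporary key and cannot back a certificate")
    if "Encryption" in key.get("usage", ""):
        findings.append(f"ERROR: '{label}' is an encryption-only usage key; rsa-sig needs a signature or general-purpose key")
    if cert.get("key label") != label:
        findings.append(f"ERROR: certificate key label '{cert.get('key label')}' is not the trustpoint's rsakeypair '{label}'")
    if "start date" in cert and key["generated"] > parse_ios_time(cert["start date"]):
        findings.append("WARN: key pair timestamp is later than the certificate's start date; "
                        "confirm the certificate was issued for this key pair")
    return findings


if __name__ == "__main__":
    for finding in check_signing_key(RUNNING_CONFIG, KEYS_OUTPUT, CERT_OUTPUT, "pki_crt_rtr.example.net_2017"):
        print(finding)
```

On the posted outputs the structural checks pass (the general-purpose, non-temporary pair named by rsakeypair is also the certificate's Key Label), so the only finding is the timestamp warning; the same function reports three errors if the trustpoint is pointed at the temporary ".server" encryption key instead.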