ASA 8.4 ikev2 预共享密钥加证书认证和双方都用证书认证

发布时间:2020-03-02 14:33:06 作者:wenlf136
来源:网络 阅读:1228

拓扑:

ASA 8.4 ikev2 预共享密钥加证书认证和双方都用证

配置:

ASA Version 8.4(2)
!
hostname ASA1
! NOTE(review): both hashes appear to be the ASA factory-default values (lab device);
! set real enable and login passwords before this config is reused anywhere else.
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! outside (security-level 0): faces R1 Fa0/0 (172.16.1.1) and terminates the IKEv2/IPsec tunnel to ASA2.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.10 255.255.255.0
!
! inside (security-level 100): faces R2 Fa0/0 (192.168.2.2), whose Loopback0 is the protected network.
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.10 255.255.255.0
!
! dmz (security-level 50): unused in this lab. ASA2 configures the same 192.168.80.80 on its dmz.
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.80.80 255.255.255.0
!
! GigabitEthernet3-5 are administratively down with no nameif, so they cannot pass traffic.
interface GigabitEthernet3
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
! NOTE(review): the zone name "UUTC" differs from ASA2's "UTC"; it is only a label on timestamps
! and log lines, but it looks like a typo and hampers correlating logs across the two firewalls.
clock timezone UUTC 8
! Traffic to protect: R2 Loopback0 (2.2.2.0/24) to R3 Loopback3 (3.3.3.0/24).
! ASA2's l2lacl is the exact mirror (3.3.3.0/24 -> 2.2.2.0/24); a mismatch would typically
! make the child SA negotiation fail.
access-list l2lacl extended permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover  
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! Default route points at R1 (the path to the peer); the "tunneled" default on inside is used
! only for traffic that arrived through the VPN and has no more specific route.
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route inside 0.0.0.0 0.0.0.0 192.168.2.2 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
! NOTE(review): "h423"/"h325" are not ASA timeout keywords (the device uses h323/h225); the listing
! appears altered here and in the inspect lines further down — verify against the device before copying.
timeout sunrpc 0:10:00 h423 0:05:00 h325 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
! No snmp-server host or community lines appear, so these trap settings have no effect on their own.
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
! Phase 2 (child SA) proposal. 3DES and SHA-1 are legacy algorithms; this release also accepts
! "protocol esp encryption aes-256", which is the better choice where the peer supports it.
crypto ipsec ikev2 ipsec-proposal l2lipsec
 protocol esp encryption 3des
 protocol esp integrity sha-1
! Static crypto map: protect l2lacl traffic to peer 172.16.2.10 (ASA2 outside).
crypto map l2lmap 10 match address l2lacl
crypto map l2lmap 10 set peer 172.16.2.10
crypto map l2lmap 10 set ikev2 ipsec-proposal l2lipsec
! ASA1 authenticates itself with a certificate, so the map must name the trustpoint to present.
! ASA2 (pre-shared-key local authentication) has no equivalent line.
crypto map l2lmap 10 set trustpoint CA
crypto map l2lmap interface outside
! SCEP enrollment to the IOS CA on R1 over plain HTTP; the trust this establishes rests on having
! verified the CA certificate fingerprint out of band at enrollment time. The "***" in
! fqdn/subject-name is site redaction (the DER below appears to carry the real name).
! NOTE(review): no "revocation-check" line is shown, so revocation checking is presumably at the
! platform default (none) despite "crl configure"; confirm with "show run all crypto ca trustpoint CA".
crypto ca trustpoint CA
 enrollment url http://172.16.1.1:80
 fqdn l2l***.asa.net
 subject-name CN=l2l***.asa.net
 crl configure
! Device certificate (serial 02) and the issuing CA certificate (serial 01, CN=ca.asa.net on R1).
! ASA2 and R1 carry the same CA certificate. From the DER these appear to be 1024-bit RSA keys
! signed with md5WithRSAEncryption (OID 1.2.840.113549.1.1.4, "2a864886 f70d0101 04") — fine for a
! lab, but both are below current guidance and a production CA should sign with SHA-2.
crypto ca certificate chain CA
 certificate 02
    30820230 30820199 a0030201 02020102 300d0609 2a864886 f70d0101 04050030
    15311330 11060355 0403130a 63612e61 73612e6e 6574301e 170d3132 30393330
    31323436 32385a17 0d313330 39333031 32343632 385a3038 31173015 06035504
    03130e6c 326c7670 6e2e6173 612e6e65 74311d30 1b06092a 864886f7 0d010902
    160e6c32 6c76706e 2e617361 2e6e6574 30819f30 0d06092a 864886f7 0d010101
    05000381 8d003081 89028181 00b98122 d26bc36d aa686c66 ff997da5 90988b71
    37c1ad65 dcb717c1 19b2225a bf74326f 73f97b51 e36d55f4 081590ac 5ae847af
    023311a5 1392ded5 d805a398 560e8110 d7b1dd4e 0b32c3cb 13eac878 3f5a1c0a
    08f0015c 3ee4ab8d 27c47d32 cd1b9f14 0d6ae7cd efd3b1d1 992d3735 fb95caff
    c1f65b07 a397d60a 97dbce0b 07020301 0001a36d 306b3019 0603551d 11041230
    10820e6c 326c7670 6e2e6173 612e6e65 74300e06 03551d0f 0101ff04 04030205
    a0301f06 03551d23 04183016 80146a76 5c5ccd21 0e438f1f ff87facd 3da58ab6
    bc0f301d 0603551d 0e041604 14dd60d1 9e8d68c6 435c50fe f3b5cf99 d7cb0a69
    bd300d06 092a8648 86f70d01 01040500 03818100 4a35c971 bf139f7e 7e861808
    8285d930 dbe167fa 38a94d34 5d10a0e4 194ff222 06de01af f894ee7e e5885b29
    35bb57ef f2f212ed efc2035c 49b9fa70 8babcb3a 772833e1 6b634a35 6cced1a0
    20d62f5b 0ba6084f d99a4e1d 309b3408 5cd6fd54 bc8f4fdf dde6a59c 17ebdbc1
    b06759bb 79cc7cdb d75d64bd 56825e19 80f56e95
  quit
 certificate ca 01
    30820203 3082016c a0030201 02020101 300d0609 2a864886 f70d0101 04050030
    15311330 11060355 0403130a 63612e61 73612e6e 6574301e 170d3132 30393330
    31323334 32315a17 0d313530 39333031 32333432 315a3015 31133011 06035504
    03130a63 612e6173 612e6e65 7430819f 300d0609 2a864886 f70d0101 01050003
    818d0030 81890281 8100b4bf 956af267 3d56a6b5 95b0b03f 02616f6e 75a75af0
    08f222c7 a84fb541 bbf7ec4f 914ba045 19a39401 bc1a171d 9a9a06dd 2f3691e7
    ea2f4a25 af91a63a 0ac11f94 3f7c9b59 c1c7660b d1a1924c cb9d71f9 2a66f730
    29dd203c dfa22721 563b7b5f 388aef4b c430bfc2 efd58bda 254e3f22 8fd21c11
    74d09da7 7d672cf3 61d50203 010001a3 63306130 0f060355 1d130101 ff040530
    030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603 551d2304 18301680
    146a765c 5ccd210e 438f1fff 87facd3d a58ab6bc 0f301d06 03551d0e 04160414
    6a765c5c cd210e43 8f1fff87 facd3da5 8ab6bc0f 300d0609 2a864886 f70d0101
    04050003 818100ab d7892a8b 808d6ffe 696f7466 7f8c1166 3732b615 fd0b816c
    c7c474bb 6ec8072a b8026df3 01775899 c878398b a3954659 511af9f5 fc0cf260
    24cc86da baeab2e2 7244753c da8c1f69 4ce00804 5e11db3f 005502af 1ce1d289
    371fc861 8e939e14 2b017679 52d09e72 f89d716f 546bf5c3 2c4c9bbf de0ebb84
    a18e112b 93b83e
  quit
! IKEv2 (IKE SA) policy: 3DES / SHA-1 / DH group 2 (1024-bit MODP). All three are legacy choices;
! prefer AES and the largest DH group both peers offer. ASA2's policy 10 is identical, as it must be.
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
! Only idle timeouts are set; no "telnet" or "ssh" host statements appear in this listing,
! so no remote CLI access is permitted on this box.
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Unauthenticated NTP from R1. Certificate validity checks depend on this clock being right.
ntp server 172.16.1.1
! Asymmetric IKEv2 authentication: ASA1 expects a pre-shared key from ASA2 and proves its own
! identity with the certificate from trustpoint CA (the exact mirror of ASA2's tunnel-group).
! The key value is masked by the site.
tunnel-group 172.16.2.10 type ipsec-l2l
tunnel-group 172.16.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication certificate CA
!
! Default global service policy (stock ASA inspection set, unchanged from factory).
! NOTE(review): "inspect h423 h325" / "inspect h423 ras" are not ASA keywords (the device uses
! h323/h225); the listing appears altered — verify against the device before copying.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h423 h325
  inspect h423 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
crashinfo save disable
Cryptochecksum:b6b7917f8e8d2807b9121cbaf606bd15
: end
---------------------------------------------------
ASA Version 8.4(2)
!
hostname ASA2
! NOTE(review): both hashes appear to be the ASA factory-default values (lab device);
! set real enable and login passwords before this config is reused anywhere else.
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! outside (security-level 0): faces R1 Fa0/1 (172.16.2.1) and terminates the IKEv2/IPsec tunnel to ASA1.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.2.10 255.255.255.0
!
! inside (security-level 100): faces R3 Fa0/0 (192.168.3.3), whose Loopback3 is the protected network.
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.3.10 255.255.255.0
!
! dmz (security-level 50): unused in this lab. ASA1 configures the same 192.168.80.80 on its dmz.
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.80.80 255.255.255.0
!
! GigabitEthernet3-5 are administratively down with no nameif, so they cannot pass traffic.
interface GigabitEthernet3
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone UTC 8
! Traffic to protect: R3 Loopback3 (3.3.3.0/24) to R2 Loopback0 (2.2.2.0/24) — the mirror of ASA1's l2lacl.
access-list l2lacl extended permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover  
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! Default route points at R1 (the path to the peer); the "tunneled" default on inside is used
! only for traffic that arrived through the VPN and has no more specific route.
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
route inside 0.0.0.0 0.0.0.0 192.168.3.3 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
! NOTE(review): "h423"/"h325" are not ASA timeout keywords (the device uses h323/h225); the listing
! appears altered here and in the inspect lines further down — verify against the device before copying.
timeout sunrpc 0:10:00 h423 0:05:00 h325 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
! No snmp-server host or community lines appear, so these trap settings have no effect on their own.
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
! Phase 2 (child SA) proposal, identical to ASA1's (it must match). 3DES and SHA-1 are legacy
! algorithms; this release also accepts "protocol esp encryption aes-256".
crypto ipsec ikev2 ipsec-proposal l2lipsec
 protocol esp encryption 3des
 protocol esp integrity sha-1
! Static crypto map: protect l2lacl traffic to peer 172.16.1.10 (ASA1 outside). There is no
! "set trustpoint" here because ASA2 authenticates with the pre-shared key and never presents a certificate.
crypto map l2lmap 10 match address l2lacl
crypto map l2lmap 10 set peer 172.16.1.10
crypto map l2lmap 10 set ikev2 ipsec-proposal l2lipsec
crypto map l2lmap interface outside
! Trustpoint enrolled with the IOS CA on R1 over SCEP/HTTP. Although ASA2 does not present a
! certificate, this trustpoint holds the CA certificate used to validate ASA1's certificate
! ("ikev2 remote-authentication certificate" further down). The "***" in fqdn/subject-name is site redaction.
! NOTE(review): no "revocation-check" line is shown, so revocation checking is presumably at the
! platform default (none) despite "crl configure"; confirm with "show run all crypto ca trustpoint CA".
crypto ca trustpoint CA
 enrollment url http://172.16.2.1:80
 fqdn l2l***.asa.net
 subject-name CN=l2l***.asa.net
 crl configure
! Device certificate (serial 03) and the same CA certificate (serial 01) that ASA1 and R1 hold.
! The serial-03 certificate is not presented in this setup (local authentication is the PSK); the DER
! appears to carry the same subject/SAN as ASA1's certificate, so if the "both sides use certificates"
! extension is followed, give each peer a distinct identity. As on ASA1, keys look 1024-bit RSA
! with md5WithRSAEncryption signatures — acceptable for a lab only.
crypto ca certificate chain CA
 certificate 03
    30820230 30820199 a0030201 02020103 300d0609 2a864886 f70d0101 04050030
    15311330 11060355 0403130a 63612e61 73612e6e 6574301e 170d3132 30393330
    31333032 35315a17 0d313330 39333031 33303235 315a3038 31173015 06035504
    03130e6c 326c7670 6e2e6173 612e6e65 74311d30 1b06092a 864886f7 0d010902
    160e6c32 6c76706e 2e617361 2e6e6574 30819f30 0d06092a 864886f7 0d010101
    05000381 8d003081 89028181 008eed31 ae94b917 c871abd2 8fa6ba0b 4adef132
    bc75f56a 0ffb7ad7 fa3f5926 24f8f744 a56aac9c 0da60b06 dde5f6c0 6b196b87
    b17a3270 91be7155 a3652eca 9f9916e5 3dc27bd8 ffdc355b 968876fa b8f3d0ee
    5193c4e7 5b75d942 83575aa4 887192e9 3ac0b3af 59651128 97079ec3 a4152812
    e3170718 37e7caa2 a61d066b af020301 0001a36d 306b3019 0603551d 11041230
    10820e6c 326c7670 6e2e6173 612e6e65 74300e06 03551d0f 0101ff04 04030205
    a0301f06 03551d23 04183016 80146a76 5c5ccd21 0e438f1f ff87facd 3da58ab6
    bc0f301d 0603551d 0e041604 149244b2 f609ba79 5767f332 e95d879b 937e4f2c
    1d300d06 092a8648 86f70d01 01040500 03818100 625707a0 e9d10a8a 5d40d696
    1190e7de aa5b1298 67bd2bb7 088b6b9e b46958a3 a960e13f b175208b 0a6350a6
    649d989a 1cd7034c 65ba0135 6f150e25 4d4ebf1d 17360375 f8b979a0 7cbfacac
    8d4853c9 7c054ce9 f122ae58 4eae5685 cb708c2e f56a4ba3 18e778f6 cca5fcf1
    a505a77b 99d70558 b8e0bb9b d749ff99 19a6ef10
  quit
 certificate ca 01
    30820203 3082016c a0030201 02020101 300d0609 2a864886 f70d0101 04050030
    15311330 11060355 0403130a 63612e61 73612e6e 6574301e 170d3132 30393330
    31323334 32315a17 0d313530 39333031 32333432 315a3015 31133011 06035504
    03130a63 612e6173 612e6e65 7430819f 300d0609 2a864886 f70d0101 01050003
    818d0030 81890281 8100b4bf 956af267 3d56a6b5 95b0b03f 02616f6e 75a75af0
    08f222c7 a84fb541 bbf7ec4f 914ba045 19a39401 bc1a171d 9a9a06dd 2f3691e7
    ea2f4a25 af91a63a 0ac11f94 3f7c9b59 c1c7660b d1a1924c cb9d71f9 2a66f730
    29dd203c dfa22721 563b7b5f 388aef4b c430bfc2 efd58bda 254e3f22 8fd21c11
    74d09da7 7d672cf3 61d50203 010001a3 63306130 0f060355 1d130101 ff040530
    030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603 551d2304 18301680
    146a765c 5ccd210e 438f1fff 87facd3d a58ab6bc 0f301d06 03551d0e 04160414
    6a765c5c cd210e43 8f1fff87 facd3da5 8ab6bc0f 300d0609 2a864886 f70d0101
    04050003 818100ab d7892a8b 808d6ffe 696f7466 7f8c1166 3732b615 fd0b816c
    c7c474bb 6ec8072a b8026df3 01775899 c878398b a3954659 511af9f5 fc0cf260
    24cc86da baeab2e2 7244753c da8c1f69 4ce00804 5e11db3f 005502af 1ce1d289
    371fc861 8e939e14 2b017679 52d09e72 f89d716f 546bf5c3 2c4c9bbf de0ebb84
    a18e112b 93b83e
  quit
! IKEv2 (IKE SA) policy, identical to ASA1's: 3DES / SHA-1 / DH group 2 (1024-bit MODP).
! All three are legacy choices; prefer AES and the largest DH group both peers offer.
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
! Only idle timeouts are set; no "telnet" or "ssh" host statements appear in this listing,
! so no remote CLI access is permitted on this box.
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Unauthenticated NTP from R1. Validating ASA1's certificate depends on this clock being right.
ntp server 172.16.2.1
! Asymmetric IKEv2 authentication: ASA2 validates ASA1's certificate against trustpoint CA and
! proves its own identity with the pre-shared key (the exact mirror of ASA1's tunnel-group).
! The key value is masked by the site.
tunnel-group 172.16.1.10 type ipsec-l2l
tunnel-group 172.16.1.10 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
!
! Default global service policy (stock ASA inspection set, unchanged from factory).
! NOTE(review): "inspect h423 h325" / "inspect h423 ras" are not ASA keywords (the device uses
! h323/h225); the listing appears altered — verify against the device before copying.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h423 h325
  inspect h423 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
crashinfo save disable
Cryptochecksum:590bda2136c39227c8bf0c0d3636e27f
: end
---------------------------------------------------
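Building configuration...

Current configuration : 2399 bytes
!
! Last configuration change at 20:41:54 UTC Sun Sep 30 2012
! NVRAM config last updated at 20:29:33 UTC Sun Sep 30 2012
!
! R1 plays three roles: the "Internet" hop between the two ASA outside interfaces, the SCEP
! certificate authority both ASAs enrol with, and their NTP source.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Any password added later would be stored in clear text; none appear in this listing.
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
clock timezone UTC 8
ip cef
!
!
!        
!
no ip domain lookup
ip domain name cisco.com
!
multilink bundle-name authenticated
!       
! IOS CA issuing under CN=ca.asa.net. "grant auto" approves every SCEP request with no operator
! review, so anything that can reach this router over HTTP obtains a certificate both ASAs trust.
! Fine for a lab; elsewhere remove "grant auto" (requests are then held for manual grant) and
! limit reachability of the enrollment URL.
crypto pki server CA
 issuer-name CN=ca.asa.net
 grant auto
!
! Trustpoint backing the CA's own key pair. CRL checking is enabled here, unlike on the ASAs.
crypto pki trustpoint CA
 revocation-check crl
 rsakeypair CA
!
!
! CA certificate (serial 01) — the same certificate installed as "certificate ca 01" on ASA1 and ASA2.
crypto pki certificate chain CA
 certificate ca 01
  30820203 3082016C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  15311330 11060355 0403130A 63612E61 73612E6E 6574301E 170D3132 30393330
  31323334 32315A17 0D313530 39333031 32333432 315A3015 31133011 06035504
  03130A63 612E6173 612E6E65 7430819F 300D0609 2A864886 F70D0101 01050003
  818D0030 81890281 8100B4BF 956AF267 3D56A6B5 95B0B03F 02616F6E 75A75AF0
  08F222C7 A84FB541 BBF7EC4F 914BA045 19A39401 BC1A171D 9A9A06DD 2F3691E7
  EA2F4A25 AF91A63A 0AC11F94 3F7C9B59 C1C7660B D1A1924C CB9D71F9 2A66F730
  29DD203C DFA22721 563B7B5F 388AEF4B C430BFC2 EFD58BDA 254E3F22 8FD21C11
  74D09DA7 7D672CF3 61D50203 010001A3 63306130 0F060355 1D130101 FF040530
  030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304 18301680
  146A765C 5CCD210E 438F1FFF 87FACD3D A58AB6BC 0F301D06 03551D0E 04160414
  6A765C5C CD210E43 8F1FFF87 FACD3DA5 8AB6BC0F 300D0609 2A864886 F70D0101
  04050003 818100AB D7892A8B 808D6FFE 696F7466 7F8C1166 3732B615 FD0B816C
  C7C474BB 6EC8072A B8026DF3 01775899 C878398B A3954659 511AF9F5 FC0CF260
  24CC86DA BAEAB2E2 7244753C DA8C1F69 4CE00804 5E11DB3F 005502AF 1CE1D289
  371FC861 8E939E14 2B017679 52D09E72 F89D716F 546BF5C3 2C4C9BBF DE0EBB84
  A18E112B 93B83E
        quit
!
!
!
!
archive
 log config
  hidekeys
!
! Fa0/0 faces ASA1 outside (172.16.1.10); Fa0/1 faces ASA2 outside (172.16.2.10).
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.2.1 255.255.255.0
 duplex auto
 speed auto
!
!
!
! Plain HTTP is what the ASAs' SCEP enrollment URLs (http://172.16.x.1:80) use; HTTPS is off.
! The same HTTP server is the router's web management interface, so it should not be reachable
! beyond the two ASA links.
ip http server
no ip http secure-server
! The original listing had "!control-plane", which commented the command out (a line-merge
! artefact); restored to the "!" / "control-plane" pair that R2 and R3 show.
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
! "login" with no vty password configured means IOS refuses remote sessions, which is the safe default here.
line vty 0 4
 login
!
! R1 is the clock source both ASAs point at; certificate validity checks on the ASAs depend on it.
ntp master
!
end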

-------------------------------------
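R2#show run
Building configuration...

Current configuration : 928 bytes
!
! R2 sits behind ASA1 inside; its Loopback0 (2.2.2.0/24) is the network the tunnel protects.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
! The original listing had "!no ip domain lookup" (a line-merge artefact that commented the
! command out); restored to match R3.
!
no ip domain lookup
ip domain name lab.local
!        
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
! Source/destination of the protected traffic (matches ASA1's l2lacl 2.2.2.0/24).
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
! Faces ASA1 inside (192.168.2.10).
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Everything goes to ASA1; ASA1's l2lacl decides what is encrypted.
ip route 0.0.0.0 0.0.0.0 192.168.2.10
!
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
! "login" with no vty password configured means IOS refuses remote sessions.
line vty 0 4
 login
!
!
end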
------------------------------
R3#show run
Building configuration...

Current configuration : 928 bytes
!
! R3 sits behind ASA2 inside; its Loopback3 (3.3.3.0/24) is the network the tunnel protects.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
!        
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!

! Source/destination of the protected traffic (matches ASA2's l2lacl 3.3.3.0/24).
interface Loopback3
 ip address 3.3.3.3 255.255.255.0
!
! Faces ASA2 inside (192.168.3.10).
interface FastEthernet0/0
 ip address 192.168.3.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Everything goes to ASA2; ASA2's l2lacl decides what is encrypted.
ip route 0.0.0.0 0.0.0.0 192.168.3.10
!
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
! "login" with no vty password configured means IOS refuses remote sessions.
line vty 0 4
 login
!
!
end

验证:

ASA 8.4 ikev2 预共享密钥加证书认证和双方都用证

 拓展:

仿照上面的例子,也可以配置为双方都用证书认证。
