发表于 2018-4-9 14:20:13
拓扑图
R1配置
R1#sh run
Building configuration...
Current configuration : 4530 bytes
!
! Last configuration change at 13:50:34 UTC Mon Apr 9 2018
!
! R1: IPsec VPN endpoint (site 192.168.1.0/24) authenticating the peer R2 with
! certificates issued by the IOS CA on R3 (10.1.1.3). Lines starting with "!"
! are comments; the review notes below are not part of the device config.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
! NOTE(review): no enable secret, local users or line passwords are configured
! anywhere in this config. Acceptable for a lab, not as a production baseline.
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
ip cef
no ip domain lookup
! The domain name becomes part of the default certificate identity
! (hostname.domain as unstructuredName) when no subject-name is given.
ip domain name cisco.com
!
!
!
!
!
! Trustpoint enrolled over SCEP against the CA on R3. The subject-name below
! (ou=yyy) is what certificate map Cert-1 keys on, and the dedicated key pair
! "key-1" is bound explicitly rather than relying on the router default key.
! NOTE(review): certificate 02 below decodes to a 1024-bit RSA modulus and a
! signature algorithm of md5WithRSAEncryption (OID 1.2.840.113549.1.1.4), both
! legacy strength — consider a >= 2048-bit key pair and a SHA-based CA hash if
! the image supports it.
crypto pki trustpoint CA-Client1
enrollment url http://10.1.1.3:80
subject-name CN=R1.cisco.com,ou=yyy
revocation-check crl
rsakeypair key-1
!
!
!
! "co" = contains: the PEER's certificate subject must contain "ou = yyy".
! NOTE(review): this map is evaluated against R2's certificate, not R1's own.
! R2's certificate 03 (see the R2 config on this page) appears to decode to a
! subject containing only unstructuredName=R2.cisco.com, with no OU — if so,
! this map never matches and the ISAKMP profile is not selected. Verify with
! "show crypto pki certificates" on R2.
crypto pki certificate map Cert-1 10
subject-name co ou = yyy
!
crypto pki certificate chain CA-Client1
certificate 02
30820232 3082019B A0030201 02020102 300D0609 2A864886 F70D0101 04050030
2B311230 10060355 04071309 4775616E 677A686F 75311530 13060355 0403130C
52332E63 6973636F 2E636F6D 301E170D 31383034 30393133 32353435 5A170D31
38313030 36313332 3534355A 3042310C 300A0603 55040B13 03797979 31153013
06035504 03130C52 312E6369 73636F2E 636F6D31 1B301906 092A8648 86F70D01
0902160C 52312E63 6973636F 2E636F6D 30819F30 0D06092A 864886F7 0D010101
05000381 8D003081 89028181 00A668F5 27C54933 DA44F943 642B33E9 F1D4C09C
E5101CFB E511CDAA D48EF50C 7278A870 5C25A7FF 73DEE7A9 779C80FD FF8A8EF2
63AF9889 29D0229D 8FE0F9E9 B27D039C 1B4B1E7E 41830024 A77FFD69 52514FFA
70B0146C D7CD2A44 A5C307C8 32AA2665 32C87555 BC5AFD6D F3511EF7 1F1824C7
9ABA771F 6375FA72 B0D5C177 EF020301 0001A34F 304D300B 0603551D 0F040403
0205A030 1F060355 1D230418 30168014 33365D55 290F4088 E8256118 51A0E9F0
6BD71454 301D0603 551D0E04 16041466 8A5A836D 6E762103 6BC30675 91C81B97
08805630 0D06092A 864886F7 0D010104 05000381 8100C523 142CB687 A10EBFE7
AEC26049 D1CFDC20 86398F3C 539B0A82 E1E1BEF7 6A245307 478AC6D6 6B945449
0372D146 7DEE453B 593DDEF5 6E17751C 74DE117C 47C6DB91 22A1F2A4 E730AB73
4E403679 E4C1C563 83AAFEC6 DCAD892F 75BDFA20 FFBA5BEC 4EAEE39F 9A646A8E
B0AF3DBB 2C37160B 1D400925 2350CB4B 15F9E922 578B
quit
! CA certificate (serial 01, CN=R3.cisco.com, l=Guangzhou), identical to the
! copies held by R2 and R3.
certificate ca 01
3082022F 30820198 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2B311230 10060355 04071309 4775616E 677A686F 75311530 13060355 0403130C
52332E63 6973636F 2E636F6D 301E170D 31383034 30393133 32323131 5A170D31
39303430 39313332 3231315A 302B3112 30100603 55040713 09477561 6E677A68
6F753115 30130603 55040313 0C52332E 63697363 6F2E636F 6D30819F 300D0609
2A864886 F70D0101 01050003 818D0030 81890281 8100F3AA A43F9F79 18222C6F
DE71D6EB 49F38E46 F542E7A9 0FECD1D4 9A1C265D C4116E9A 2D28EA45 50586A66
D6B7F048 0A4378AA 133CA51A E86F5B4B 267C57C2 DE6F50BC B16765CD 87BA6484
C3146C74 F1B0F563 CFFA97E2 0C049945 043B99F9 FCA8C579 6630A557 1E74C7A8
3F361D3A B9B182E3 C02CF999 AEFBE3F8 8A7D110D DBAB0203 010001A3 63306130
0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186
301F0603 551D2304 18301680 1433365D 55290F40 88E82561 1851A0E9 F06BD714
54301D06 03551D0E 04160414 33365D55 290F4088 E8256118 51A0E9F0 6BD71454
300D0609 2A864886 F70D0101 04050003 818100A4 0FE17D6D 161B50F3 8D4F4731
C6A3B70A 76208741 5E93FF92 E1CC2518 B1245661 A4A92A39 4A0DD1A9 8AB0E812
033C0D98 2324DC9B 19C51AC1 F524BDF2 CF6DCC14 73287F4F AA8D3096 69E4CDDF
08C7F842 286CA14A 74CFF711 49F9C87E 220D905A DBE58B37 3BEF1438 21B8449B
93FF937D 4ED5AB65 0B2C6D9B 82C46A68 2B5757
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! IKE phase 1. Authentication is not stated, so the default (rsa-sig,
! certificates) applies — which is why the trustpoint above matters.
! NOTE(review): 3DES / MD5 / DH group 2 are legacy choices; prefer AES, SHA
! and a larger DH group where the image supports them. Same for transform-set TS.
crypto isakmp policy 10
encr 3des
hash md5
group 2
! The profile is selected only when the peer's certificate matches map Cert-1.
crypto isakmp profile ISA-P
match certificate Cert-1
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Static crypto map: peer R2, traffic selected by VPN-ACL, and the IKE SA is
! tied to profile ISA-P (so a certificate that fails Cert-1 cannot bring the
! tunnel up).
crypto map CMAP 10 ipsec-isakmp
set peer 10.1.1.2
set transform-set TS
set isakmp-profile ISA-P
match address VPN-ACL
!
!
!
!
! Simulated LAN behind R1; source side of VPN-ACL.
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
! Outside interface; the crypto map is applied here.
interface Ethernet1/0
ip address 10.1.1.1 255.255.255.0
duplex half
crypto map CMAP
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
! Default route towards R2; the CA (10.1.1.3) is on the directly connected LAN.
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
no ip http server
no ip http secure-server
!
!
!
! Interesting traffic for the tunnel; mirror image of R2's VPN-ACL.
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
! Console/aux drop straight into privilege 15 with no timeout — lab convenience.
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
! NOTE(review): "login" with no line password set means IOS refuses vty sessions
! ("Password required, but none set"); there is also no "transport input ssh".
! Configure local users / an enable secret and restrict transport before use.
line vty 0 4
login
!
! Time comes from the CA (R3, "ntp master"). Certificate and CRL validity checks
! depend on it; the association is unauthenticated (no ntp authenticate / keys).
ntp server 10.1.1.3
!
end
R2配置
R2#sh run
Building configuration...
Apr 9 14:08:19.217: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 4380 bytes
!
! Last configuration change at 14:08:19 UTC Mon Apr 9 2018
!
! R2: IPsec VPN endpoint (site 192.168.2.0/24), peer of R1, certificates from
! the IOS CA on R3. Lines starting with "!" are comments; review notes are not
! part of the device config.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
! NOTE(review): as on R1, no enable secret, local users or line passwords are
! configured — lab only.
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
ip cef
no ip domain lookup
ip domain name cisco.com
!
!
!
!
!
! NOTE(review): two trustpoints exist. "CA-Client2" is the one that actually
! enrolled (manual/terminal enrollment), but it has no subject-name and no
! rsakeypair. "CA-Clien2" (one letter short — almost certainly a typo) carries
! the intended subject-name CN=R2.cisco.com,ou=yyy but has no enrollment method
! and an empty certificate chain, so it was never enrolled.
! Consistent with that, certificate 03 below decodes to a subject of only
! unstructuredName=R2.cisco.com (no CN, no OU) and a 512-bit RSA modulus,
! presumably the router's default general-purpose key since no rsakeypair is
! bound. R1 selects its ISAKMP profile on "ou = yyy" in the peer certificate,
! so this certificate is unlikely to pass R1's map.
! Suggested fix: put the subject-name under CA-Client2, remove CA-Clien2, bind a
! dedicated key of >= 2048 bits (crypto key generate rsa ... modulus 2048 plus
! rsakeypair under the trustpoint) and re-enroll.
! Also: no enrollment url here and no CRL distribution point in certificate 03,
! so it is unclear where "revocation-check crl" will fetch the CRL from; if that
! fails, validation fails closed.
crypto pki trustpoint CA-Client2
enrollment terminal
revocation-check crl
!
crypto pki trustpoint CA-Clien2
subject-name CN=R2.cisco.com,ou=yyy
revocation-check crl
!
!
!
! Evaluated against the PEER's (R1's) certificate; R1's certificate 02 does
! carry ou=yyy, so this direction should match.
crypto pki certificate map Cert-2 10
subject-name co ou = yyy
!
crypto pki certificate chain CA-Client2
! Serial 03, valid 2018-04-09 to 2018-10-06 (the CA's 180-day lifetime).
! Subject: unstructuredName=R2.cisco.com only; key: 512-bit RSA; signature:
! md5WithRSAEncryption (OID 1.2.840.113549.1.1.4).
certificate 03
308201CC 30820135 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
2B311230 10060355 04071309 4775616E 677A686F 75311530 13060355 0403130C
52332E63 6973636F 2E636F6D 301E170D 31383034 30393133 33393339 5A170D31
38313030 36313333 3933395A 301D311B 30190609 2A864886 F70D0109 02160C52
322E6369 73636F2E 636F6D30 5C300D06 092A8648 86F70D01 01010500 034B0030
48024100 D4AA1DA4 6B20B458 7FAF4EDF AAC0723B 40E95259 6B826B5C 5755F81A
15A8F5EF D7DC2B55 916DE207 0BC87E62 B1F663C7 AD3FB7EE 77401EFF D0E77D74
368E7699 02030100 01A35230 50300E06 03551D0F 0101FF04 04030205 A0301F06
03551D23 04183016 80143336 5D55290F 4088E825 611851A0 E9F06BD7 1454301D
0603551D 0E041604 143BE75B D989CED3 99E5C69E 8C1792FC 8CE7DD70 BD300D06
092A8648 86F70D01 01040500 03818100 449C4963 B5235BEC 86A97E47 797180DD
AD295826 7BECDBEE 2F329F99 2DD0BCA8 CF189752 67E16156 56E6B9B7 55E9021F
7639838A 233768F2 26B3C7E8 66782C62 7DE17EB5 CBBCAB6E 8A48C5EA F8532C7C
4BA9FB79 AFFD2F65 B96C72E9 C5650B49 F6CFAC4F F36AE1B1 7726732B 820D8A48
D9DB1DAE 1D915785 4C5B1EAB BF629BE8
quit
! CA certificate (serial 01), same as on R1 and R3.
certificate ca 01
3082022F 30820198 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2B311230 10060355 04071309 4775616E 677A686F 75311530 13060355 0403130C
52332E63 6973636F 2E636F6D 301E170D 31383034 30393133 32323131 5A170D31
39303430 39313332 3231315A 302B3112 30100603 55040713 09477561 6E677A68
6F753115 30130603 55040313 0C52332E 63697363 6F2E636F 6D30819F 300D0609
2A864886 F70D0101 01050003 818D0030 81890281 8100F3AA A43F9F79 18222C6F
DE71D6EB 49F38E46 F542E7A9 0FECD1D4 9A1C265D C4116E9A 2D28EA45 50586A66
D6B7F048 0A4378AA 133CA51A E86F5B4B 267C57C2 DE6F50BC B16765CD 87BA6484
C3146C74 F1B0F563 CFFA97E2 0C049945 043B99F9 FCA8C579 6630A557 1E74C7A8
3F361D3A B9B182E3 C02CF999 AEFBE3F8 8A7D110D DBAB0203 010001A3 63306130
0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186
301F0603 551D2304 18301680 1433365D 55290F40 88E82561 1851A0E9 F06BD714
54301D06 03551D0E 04160414 33365D55 290F4088 E8256118 51A0E9F0 6BD71454
300D0609 2A864886 F70D0101 04050003 818100A4 0FE17D6D 161B50F3 8D4F4731
C6A3B70A 76208741 5E93FF92 E1CC2518 B1245661 A4A92A39 4A0DD1A9 8AB0E812
033C0D98 2324DC9B 19C51AC1 F524BDF2 CF6DCC14 73287F4F AA8D3096 69E4CDDF
08C7F842 286CA14A 74CFF711 49F9C87E 220D905A DBE58B37 3BEF1438 21B8449B
93FF937D 4ED5AB65 0B2C6D9B 82C46A68 2B5757
quit
! Empty chain of the mistyped trustpoint — further evidence it never enrolled.
crypto pki certificate chain CA-Clien2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! IKE phase 1, default authentication rsa-sig (certificates).
! NOTE(review): 3DES / MD5 / DH group 2 are legacy; prefer AES, SHA and a larger
! DH group where the image supports them. Same for transform-set TS.
crypto isakmp policy 10
encr 3des
hash md5
group 2
! Profile is selected only when the peer's (R1's) certificate matches Cert-2.
crypto isakmp profile ISA-P
match certificate Cert-2
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Static crypto map towards R1, IKE SA bound to profile ISA-P.
crypto map CMAP 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set TS
set isakmp-profile ISA-P
match address VPN-ACL
!
!
!
!
! Simulated LAN behind R2; source side of VPN-ACL.
interface Loopback0
ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
! Outside interface; crypto map applied here.
interface Ethernet1/0
ip address 10.1.1.2 255.255.255.0
duplex half
crypto map CMAP
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
! Default route towards R1; the CA (10.1.1.3) is directly connected.
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
no ip http server
no ip http secure-server
!
!
!
! Interesting traffic; mirror image of R1's VPN-ACL.
ip access-list extended VPN-ACL
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
! Console/aux: privilege 15, no timeout — lab convenience.
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
! NOTE(review): "login" with no password set refuses vty sessions; no
! "transport input ssh" either. Harden before any non-lab use.
line vty 0 4
login
!
! ntp clock-period is written by the NTP process itself; do not set it by hand.
ntp clock-period 17179871
! Unauthenticated time from the CA (R3); certificate/CRL validity depends on it.
ntp server 10.1.1.3
!
end
R3配置
R3#sh run
Building configuration...
Current configuration : 2651 bytes
!
! Last configuration change at 13:39:24 UTC Mon Apr 9 2018
!
! R3: IOS certificate authority for R1/R2 and the lab's NTP master. Lines
! starting with "!" are comments; review notes are not part of the device config.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
! NOTE(review): no enable secret, local users or line passwords — this box holds
! the CA private key, so in anything but a lab it needs the strongest management
! hardening of the three.
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip tcp synwait-time 5
ip cef
no ip domain lookup
!
!
!
!
!
! IOS CA server. "database level complete" keeps every issued certificate in the
! CA database (no "database url" is set, so presumably local storage). CRLs are
! reissued every 24 h; end-entity certs live 180 days, the CA cert 365 days.
! NOTE(review): the CA certificate below decodes to a 1024-bit RSA key signed
! with md5WithRSAEncryption (OID 1.2.840.113549.1.1.4); legacy strength — regenerate
! with a larger key and a SHA-based hash if the image supports it.
crypto pki server CA
database level complete
issuer-name CN=R3.cisco.com,l=Guangzhou
lifetime crl 24
lifetime certificate 180
lifetime ca-certificate 365
!
! Trustpoint that holds the CA's own certificate; key pair "CA".
crypto pki trustpoint CA
revocation-check crl
rsakeypair CA
!
!
crypto pki certificate chain CA
! Serial 01, CN=R3.cisco.com l=Guangzhou, valid 2018-04-09 to 2019-04-09,
! basicConstraints CA:TRUE, keyUsage digitalSignature/keyCertSign/cRLSign.
certificate ca 01
3082022F 30820198 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2B311230 10060355 04071309 4775616E 677A686F 75311530 13060355 0403130C
52332E63 6973636F 2E636F6D 301E170D 31383034 30393133 32323131 5A170D31
39303430 39313332 3231315A 302B3112 30100603 55040713 09477561 6E677A68
6F753115 30130603 55040313 0C52332E 63697363 6F2E636F 6D30819F 300D0609
2A864886 F70D0101 01050003 818D0030 81890281 8100F3AA A43F9F79 18222C6F
DE71D6EB 49F38E46 F542E7A9 0FECD1D4 9A1C265D C4116E9A 2D28EA45 50586A66
D6B7F048 0A4378AA 133CA51A E86F5B4B 267C57C2 DE6F50BC B16765CD 87BA6484
C3146C74 F1B0F563 CFFA97E2 0C049945 043B99F9 FCA8C579 6630A557 1E74C7A8
3F361D3A B9B182E3 C02CF999 AEFBE3F8 8A7D110D DBAB0203 010001A3 63306130
0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186
301F0603 551D2304 18301680 1433365D 55290F40 88E82561 1851A0E9 F06BD714
54301D06 03551D0E 04160414 33365D55 290F4088 E8256118 51A0E9F0 6BD71454
300D0609 2A864886 F70D0101 04050003 818100A4 0FE17D6D 161B50F3 8D4F4731
C6A3B70A 76208741 5E93FF92 E1CC2518 B1245661 A4A92A39 4A0DD1A9 8AB0E812
033C0D98 2324DC9B 19C51AC1 F524BDF2 CF6DCC14 73287F4F AA8D3096 69E4CDDF
08C7F842 286CA14A 74CFF711 49F9C87E 220D905A DBE58B37 3BEF1438 21B8449B
93FF937D 4ED5AB65 0B2C6D9B 82C46A68 2B5757
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
! Only active interface: shared LAN with R1 (10.1.1.1) and R2 (10.1.1.2).
interface Ethernet1/0
ip address 10.1.1.3 255.255.255.0
duplex half
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
!
! HTTP is required for SCEP enrollment (R1's enrollment url points at
! 10.1.1.3:80), but the same server is also the device's web management
! interface, and no credentials are configured. NOTE(review): restrict it with
! "ip http access-class" to the enrolling clients and keep it off any untrusted
! segment.
ip http server
no ip http secure-server
!
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
! Console/aux: privilege 15, no timeout — lab convenience.
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
! NOTE(review): "login" with no password set refuses vty sessions; no
! "transport input ssh" either.
line vty 0 4
login
!
! R3 is the time source for R1 and R2. Certificate and CRL validity checks on
! the clients depend on this clock; there is no NTP authentication configured.
ntp master
!
end