PKI Configuration Examples

Transcription

1 PKI Configuration Examples Keywords: PKI, CA, RA, IKE, IPsec, SSL Abstract: The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies. This document provides a certificate-based IKE configuration example and a certificate-based SSL configuration example. Acronyms: Acronym Full spelling CA CRL HTTP HTTPS IIS IKE IPsec LDAP PKC PKI RA S/MIME SCEP SSL VPN Certificate Authority Certificate Revocation List Hypertext Transfer Protocol Hypertext Transfer Protocol Secure Internet Information Service Internet Key Exchange Internet Protocol Security Light-weight Directory Access Protocol Public Key Certificate Public Key Infrastructure Registration Authority Secure/Multipurpose Internet Mail Extensions Simple Certification Enrollment Protocol Secure Sockets Layer Virtual Private Network Hangzhou H3C Technologies Co., Ltd. 1/29

2 Table of Contents Feature Overview 3 Application Scenarios 3 Configuration Guidelines 3 Certificate-Based IKE Configuration Example 4 Network Requirements 4 Configuration Considerations 4 Configuration Procedures 4 Configuration on the CA Server 5 Configuration on Router A 15 Configuration on Router B 23 Verification 27 Certificate-Based SSL Configuration Example 28 Network Requirements 28 Configuration Considerations 29 Configuration Procedures 29 References 29 Hangzhou H3C Technologies Co., Ltd. 2/29

3 Feature Overview The Pubic Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies and digital certificate mechanism. It contains a set of services and policies for information binding, PKI implementation, and maintenance. In PKI, the digital certificate mechanism is used to bind public keys to their owners; users are allowed to request, retrieve, and delete digital certificates. With digital certificate and services such as certificate issuing and revocation, the PKI system implements authentication of entities involved in the communication, ensuring data non-repudiation, data confidentiality, and data integrity. Application Scenarios The PKI technology satisfies the needs for securing the network data exchange. As a basic infrastructure, PKI is widely used and being further developed. Typically, PKI is used in these scenarios: 1) VPN A virtual private network (VPN) is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in conjunction with PKI-based encryption and digital signature technologies for confidentiality. 2) Secure s require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure protocol that is currently developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with signatures without sharing the same key. 3) Web security For Web security, two peers can establish an SSL connection first for transparent and secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both the communication parties can verify the identity of each other through digital certificates. Configuration Guidelines When configuring PKI, note that: A certificate contains the certificate validity period. The system time of the device must be synchronous with that of the CA server so that the device can obtain a certificate successfully. If the CA server is running Windows 2003 Server, Internet Information Services (IIS) must be installed and enabled on the CA server to control and manage the CA server. What add-ons are needed on other CA servers depends on the actual configuration environment. To avoid confliction with the current web services, it is recommended not use the default TCP port number of the CA server. Hangzhou H3C Technologies Co., Ltd. 3/29

4 Certificate-Based IKE Configuration Example PKI Configuration Examples As an important protocol of VPN, IPsec guards communication security at the IP layer, and it can use IKE to set up security associations (SAs) automatically. Still in complicated networks, security problems may occur due to the simple identity authentication mechanism of IKE. With IKE and PKI both used, the authentication security is enhanced by the PKI certificate-based identity authentication, and thus improves the security and scalability of the VPN gateways. Network Requirements As shown in Figure 1, two subnets are connected to the Internet through their own gateways. Now it is required that: An IPsec tunnel is established between Router A and Router B to protect the data transmitted between the two subnets. A pair of IPsec SAs is set up through IKE negotiation between Router A and Router B. The IKE negotiation adopts PKI certificate-based authentication. Figure 1 Network diagram for certificate-based IKE configuration Configuration Considerations Configure the CA server. In this example, Windows 2003 Server is used as the CA server. Perform the following configuration on Router A and Router B. Configure PKI, define a PKI entity, and perform PKI domain-related configurations. Configure IKE, setting the authentication method to digital signature. Configure IPsec to protect the data flows between the two subnets. Request a certificate, download the certificate, and save it locally. Configuration Procedures Hangzhou H3C Technologies Co., Ltd. 4/29

5 The following configurations are made on devices that are using default settings and are verified in a lab environment. When using the following configurations on your devices in a live network, make sure that they do not conflict with your current configurations to prevent potential negative impact on your network. Before performing the configuration, make sure that there are routes between the CA server and routers. Configuration on the CA Server Install the Certificate Services component From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components. Then in the pop-up dialog box, select Certificate Services and click Next to begin the installation. Figure 2 Install the certificate service component 1) Select the Stand-alone root CA option, and click Next. Hangzhou H3C Technologies Co., Ltd. 5/29

6 Figure 3 Install the certificate service suites 2) Input CA server in the Common name for this CA text box, and click Next. Figure 4 Install the certificate service suites 3) Specify the directories for the certificate database, certificate database log, and shared folder, and then click Next. In this example, the default settings are used. Hangzhou H3C Technologies Co., Ltd. 6/29

7 Figure 5 Install the certificate service suites 4) After the certificate service suites are installed successfully, click Finish. The Windows Components Wizard dialog box is closed. Install the SCEP add-on Double-click the SCEP installation file. On the pop-up dialog box, click Next. The SCEP installation program can be downloaded free from the Microsoft website. Hangzhou H3C Technologies Co., Ltd. 7/29

8 Figure 6 Install the SCEP add-on 1) Select the Use the local system account option and click Next. Figure 7 Install the SCEP add-on 2) Leaving the Require SCEP Challenge Phrase to Enroll check box unselected, click Next. Hangzhou H3C Technologies Co., Ltd. 8/29

9 Figure 8 Install the SCEP add-on 3) Specify the RA information for the enrollment for the RA certificates and click Next. An RA implements functions as identity authentication, CRL management, key pair generation and key pair backup. As an extended part of a CA, the RA is also considered as part of the CA's implementation. The RA name cannot be identical with the CA name; otherwise, related functions may fail. Hangzhou H3C Technologies Co., Ltd. 9/29

10 Figure 9 Install the SCEP add-on 4) After completing the configuration, click Finish. A dialog box appears, as shown in Figure 10. Record the URL and click OK. Figure 10 Install the SCEP add-on 5) Modify the certificate service properties From the start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA. Right-click CA server and select Properties from the short-cut menu. Hangzhou H3C Technologies Co., Ltd. 10/29

11 Figure 11 Modify the CA server properties Select the Policy Module tab in the CA server Properties dialog box. Then click the Properties button. Figure 12 CA server properties Select the option of Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate. Then click OK. Hangzhou H3C Technologies Co., Ltd. 11/29

12 Figure 13 Policy module properties Click the stop icon in Figure 14 and then the start icon in Figure 15 to restart the CA service. Figure 14 Stop the CA service Hangzhou H3C Technologies Co., Ltd. 12/29

13 Figure 15 Start CA service Modify the IIS attributes From the start menu, select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager and then select Web Sites from the navigation tree. Right-click Default Web Site and select Properties. Figure 16 IIS Manager Then select the Home Directory tab. Specify the path for certificate service in the Local path text box. Hangzhou H3C Technologies Co., Ltd. 13/29

14 Figure 17 Modify the home directory of the default website Select the Web Site tab, and change the TCP port number to Make sure that the TCP port of the default website is not used by any other services. The default port number 80 is not recommended. Hangzhou H3C Technologies Co., Ltd. 14/29

15 Figure 18 Change the TCP port number of the default website Configuration on Router A Configuration steps 1) Configure PKI Create a PKI entity and enter its view. Configure the common name for the entity as routera. <RouterA> system-view [RouterA] pki entity entitya [RouterA-pki-entity-entityA] common-name routera [RouterA-pki-entity-entityA] ip [RouterA-pki-entity-entityA] quit Create a PKI domain and enter its view. [RouterA] pki domain domain1 Specify the trusted CA as ca server. [RouterA-pki-domain-domain1] ca identifier ca server Configure the URL of the registration server in the format of where host:port indicates the IP address and port number of the CA server. As the TCP port number of the default Web site on the CA server has been changed to 8080, you need to specify the port number as 8080 when configuring the URL of the RA server. [RouterA-pki-domain-domain1] certificate request url Hangzhou H3C Technologies Co., Ltd. 15/29

16 Specify that the entity requests a certificate from RA. [RouterA-pki-domain-domain1] certificate request from ra Specify the entity for certificate request as entitya. [RouterA-pki-domain-domain1] certificate request entity entitya [RouterA-pki-domain-domain1] quit 2) Configure IKE Create an IKE proposal and configure the proposal to use the RSA digital signature authentication method. [RouterA] ike proposal 1 [RouterA-ike-proposal-1] authentication-method rsa-signature [RouterA-ike-proposal-1] quit Create an IKE peer. [RouterA] ike peer peer1 Assign an IP address of the IPsec remote gateway. [RouterA-ike-peer-peer1] remote-address Configure the PKI domain as domain1. [RouterA-ike-peer-peer1] certificate domain domain1 [RouterA-ike-peer-peer1] quit 3) Configure IPsec Create an ACL to permit packets to be protected. [RouterA] acl number 3000 [RouterA-acl-adv-3000] rule 0 permit ip source [RouterA-acl-adv-3000] quit Create an IPsec proposal. [RouterA] ipsec proposal ipsprop1 Configure IPsec proposal ipsprop1 to use ESP. [RouterA-ipsec-proposal-ipsprop1] transform esp Configure IPsec proposal ipsprop1 to encapsulate IP packets in tunnel mode. [RouterA-ipsec-proposal-ipsprop1] encapsulation-mode tunnel Configure IPsec proposal ipsprop1 to use the encryption algorithm of DES. [RouterA-ipsec-proposal-ipsprop1] esp encryption-algorithm des Configure IPsec proposal ipsprop1 to use the encryption algorithm of MD5 for ESP. [RouterA-ipsec-proposal-ipsprop1] esp authentication-algorithm md5 [RouterA-ipsec-proposal-ipsprop1] quit Create an IPsec policy and enter its view. [RouterA] ipsec policy policy1 1 isakmp Specify an ACL for the IPsec policy to reference. [RouterA-ipsec-policy-isakmp-policy1-1] security acl 3000 Hangzhou H3C Technologies Co., Ltd. 16/29

17 Specify the IKE peer. [RouterA-ipsec-policy-isakmp-policy1-1] ike-peer peer1 Specify the IPsec proposal for the IPsec policy to reference. [RouterA-ipsec-policy-isakmp-policy1-1] proposal ipsporp1 [RouterA-ipsec-policy-isakmp-policy1-1] quit Apply the IPsec policy to an interface. [RouterA] interface serial 2/0 [RouterA-Serial2/0] ipsec policy policy1 [RouterA-Serial2/0] quit 4) Request a certificate Generate a local RSA key pair. [RouterA] public-key local create rsa Warning: The local key pair already exist. Confirm to replace them? [Y/N]:y The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys A certificate request can be submitted in two ways, inband and out-of-band. Choose one as needed. Inband mode Retrieve the CA certificate in online mode. [RouterA] pki retrieval-certificate ca domain domain1 Retrieving CA/RA certificates. Please wait a while... The trusted CA's finger print is: MD5 fingerprint:4f10 9CB0 4D51 6EB2 21D4 12C EE2F SHA1 fingerprint:1a F 8E B556 2C5A 2275 F Is the finger print correct?(y/n):y Saving CA/RA certificates chain, please wait a moment... CA certificates retrieval success. Request a local certificate from a CA through SCEP. [RouterA] pki request-certificate domain domain1 Certificate is being requested, please wait... [RouterA] Enrolling the local certificate,please wait a while... Hangzhou H3C Technologies Co., Ltd. 17/29

18 Certificate request Successfully! Saving the local certificate to device... Done! Out-of-band mode If SCEP fails, you can use the pki request-certificate domain command with the pkcs10 keyword to save the local certificate request and send it to the CA by an out-of-band means like phone, disk, or e- mail. Display the local certificate request in BASE64 format. [RouterA] pki request-certificate domain domain1 pkcs BEGIN CERTIFICATE REQUEST----- MIIBTTCBtwIBADAOMQwwCgYDVQQDEwMxMjMwgZ8wDQYJKoZIhvcNAQEBBQADgY0A MIGJAoGBAOEvjYboMDX0akLSOqSSCQm7dE7nmJz0N2BsuPh7I4mlkxLHZIwp5vAo PT1Q2i85uLqQDtmxjuYd9fZU4qM9Ps9It2lKG4DCFyFXkKTI9U4jPK42/grPMFmq V8BED9H+O6c9N/sWwA85C2um7UgIOj6TGi6LDBrp9ZZ3xFSO54bdAgMBAAGgADAN BgkqhkiG9w0BAQQFAAOBgQBnjx0Qyme4Pu29BOjvjVYe8qhf9SizXpl6ty4jPS8Y +XkVV30WCs1ITfnUrD5IbhiDr50tDdqqv8y9B7kB+7/DBWcFv4Hrek5XBJveGolT qz8+m7to8bxxcv4nrltcsmreyonirvnlkr94kv3tctgoi1e9kxkgg7dlhzfe75ip lq== -----END CERTIFICATE REQUEST----- [RouterA] Send the certificate request in out-of-band mode to the CA server. Enter the URL in the address bar to enter the page for requesting a certificate. On the page, click Request a certificate. Figure 19 Certificate request page The page as shown in Figure 20 appears. Click advanced certificated request. Hangzhou H3C Technologies Co., Ltd. 18/29

19 Figure 20 Select advanced certificate request The page as shown in Figure 21 appears. Click the link of Submit a certificate request by using a base-64-encoded CMC or PKCS10 file, or submit a renewal request by using a base-64- encoded PKCS7 file. Figure 21 Advanced certificate request On the new page as shown in Figure 22, paste the saved request information in the Saved Request text box, and click Submit. Hangzhou H3C Technologies Co., Ltd. 19/29

20 Figure 22 Paste the certificate request information If a certificate is issued, the following figure appears. Figure 23 Select certificate encoding method Select DER encoded and then click Download certificate. When importing the certificate later, be sure to select the same encoding method. A dialog box appears. Choose to save the local certificate locally with the file name being local_cert.cer. Hangzhou H3C Technologies Co., Ltd. 20/29

21 Go back to the page for requesting a certificate at and then select Download a CA certificate, certificate chain, or CRL. Figure 24 Certificate request page Select DER as the encoding method, and click Download CA certificate. Figure 25 Download the CA certificate A dialog box appears. Choose to save the CA certificate locally with the file name being ca_cert.cer. After completing the operation, the certificate is achieved in out-of-band mode. Send the CA certificate and local certificate in out-of-band mode to Router A. Then use the following commands to import the files to Router A. Import the CA certificate for the PKI domain in the encoding method of DER. [RouterA] pki import-certificate ca domain domain1 der filename ca_cert.cer Importing certificates. Please wait a while... The trusted CA's finger print is: Hangzhou H3C Technologies Co., Ltd. 21/29

22 MD5 fingerprint:5a9c E2EA 7363 CDA2 3B4F 0C15 B3F7 6E7D SHA1 fingerprint:b58c B59D B83 F2E8 0C16 13EB E0BF 6526 PKI Configuration Examples Is the finger print correct?(y/n):y %Mar 13 20:32:56: RouterA PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain domain1 is trusted. Import CA certificate successfully. [RouterA] %Mar 13 20:32:56: RouterA PKI/4/Update_CA_Cert:Update CA certificates of the Domain domain1 successfully. %Mar 13 20:32:56: RouterA PKI/4/Import_CA_Cert:Import CA certificates of the domain domain1 successfully. [RouterA] Import the local certificate for the PKI domain in the encoding method of DER. [RouterA] pki import-certificate local domain domain1 der filename local_cert.cer Importing certificates. Please wait a while... %Mar 13 20:35:54: RouterA PKI/4/Verify_Cert:Verify certificate CN=routera of the domain domain1 successfully. Import local certificate successfully. [RouterA] %Mar 13 20:35:54: RouterA PKI/4/Import_Local_Cert:Import local certificate of the domain domain1 successfully. [RouterA] Configuration file [RouterA] display current-configuration version 5.20, Beta 1505L01, Standard sysname RouterA pki entity entitya common-name routera ip pki domain domain1 ca identifier ca server certificate request url certificate request from ra certificate request entity entitya ike proposal 1 authentication-method rsa-signature Hangzhou H3C Technologies Co., Ltd. 22/29

23 ike peer peer1 remote-address certificate domain domain1 ipsec proposal ipsprop1 ipsec policy policy1 1 isakmp security acl 3000 ike-peer peer1 proposal ipsprop1 acl number 3000 rule 0 permit ip source interface Serial2/0 link-protocol ppp ip address ipsec policy policy1 return Configuration on Router B Configuration steps 1) Configure PKI Create a PKI entity and enter its view. Configure the common name for the entity as routerb. <RouterB> system-view [RouterB] pki entity entityb [RouterB-pki-entity-entityB] common-name routerb [RouterB-pki-entity-entityB] ip [RouterB-pki-entity-entityB] quit Create a PKI domain and enter its view. [RouterB] pki domain domain2 Specify the trusted CA as ca server. [RouterB-pki-domain-domain2] ca identifier ca server Configure the URL of the registration server in the format of where host:port indicates the IP address and port number of the CA server. As the TCP port number of the default Web site on the CA server has been changed to 8080, you need to specify the port number as 8080 when configuring the URL of the RA server. [RouterB-pki-domain-domain2] certificate request url /mscep.dll Specify that the entity requests a certificate from RA. [RouterB-pki-domain-domain2] certificate request from ra Hangzhou H3C Technologies Co., Ltd. 23/29

24 Specify the entity for certificate request as entityb [RouterB-pki-domain-domain2] certificate request entity entityb [RouterB-pki-domain-domain2] quit 2) Configure IKE Create an IKE proposal and specify the RSA digital signature method to be used by the IKE proposal. [RouterB] ike proposal 2 [RouterB-ike-proposal-2] authentication-method rsa-signature [RouterB-ike-proposal-2] quit Create an IKE entity. [RouterB] ike peer peer2 Assign an IP address of the IPsec tunnel. [RouterB-ike-peer-peer2] remote-address Configure the PKI domain as domain2 for IKE negotiation. [RouterB-ike-peer-peer2] certificate domain domain2 [RouterB-ike-peer-peer2] quit 3) Configure IPsec Create an ACL to permit packets going to the IP address of [RouterB] acl number 3000 [RouterB-acl-adv-3000] rule 0 permit ip destination [RouterB-acl-adv-3000] quit Create an IPsec proposal. [RouterB] ipsec proposal ipsprop2 Configure IPsec proposal ipsprop2 to use ESP [RouterB-ipsec-proposal-ipsprop2] transform esp Configure IPsec proposal ipsprop2 to encapsulate IP packets in tunnel mode. [RouterB-ipsec-proposal-ipsprop2] encapsulation-mode tunnel Configure IPsec proposal ipsprop2 to use DES. [RouterB-ipsec-proposal-ipsprop2] esp encryption-algorithm des Configure IPsec proposal ipsprop2 to use MD5 for ESP. [RouterB-ipsec-proposal-ipsprop2] esp authentication-algorithm md5 [RouterB-ipsec-proposal-ipsprop2] quit Create an IPsec policy. [RouterB] ipsec policy policy2 1 isakmp Specify an ACL for the IPsec policy to reference. [RouterB-ipsec-policy-isakmp-policy2-1] security acl 3000 Reference an IKE peer in the IPSec policy. [RouterB-ipsec-policy-isakmp-policy2-1] ike-peer peer2 Hangzhou H3C Technologies Co., Ltd. 24/29

25 Specify the IPsec proposal for the IPsec policy to reference. [RouterB-ipsec-policy-isakmp-policy2-1] proposal ipsprop2 [RouterB-ipsec-policy-isakmp-policy2-1] quit Apply the IPsec policy to an interface. [RouterB] interface serial 2/0 [RouterB-Serial2/0] ipsec policy policy2 [RouterB-Serial2/0] quit 4) Submit a certificate request Generate a local RSA key pair. [RouterB] public-key local create rsa Warning: The local key pair already exist. Confirm to replace them? [Y/N]:y The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys A certificate request can be submitted in two ways, inband and out-of-band. Choose either as needed. Inband mode Retrieve a certificate from the server for certificate distribution. [RouterB] pki retrieval-certificate ca domain domain2 Retrieving CA/RA certificates. Please wait a while... The trusted CA's finger print is: MD5 fingerprint: F 4D51 48B2 21D4 12C EE2F SHA1 fingerprint:1a56 A74F 219F 8E98 EE38 B556 2B5A 2275 F Is the finger print correct?(y/n):y Saving CA/RA certificates chain, please wait a moment... CA certificates retrieval success. Request a local certificate from a CA through SCEP. [RouterB] pki request-certificate domain domain2 Certificate is being requested, please wait... [RouterB] Enrolling the local certificate,please wait a while... Certificate request Successfully! Saving the local certificate to device... Done! Hangzhou H3C Technologies Co., Ltd. 25/29

26 Out-of-band mode The operation procedure is the same to that on Router A and thus is omitted. After completing the operation, use the following commands to import the files to Router B. [RouterB] pki import-certificate ca domain domain2 der filename ca_cert.cer Importing certificates. Please wait a while... The trusted CA's finger print is: MD5 fingerprint:5a9c E2EA 7363 CDA2 3B4F 0C15 B3F7 6E7D SHA1 fingerprint:b58c B59D B83 F2E8 0C16 13EB E0BF 6526 Is the finger print correct?(y/n):y %Mar 14 09:06:54: RouterB PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain domain2 is trusted. Import CA certificate successfully. [RouterB] %Mar 14 09:06:54: RouterB PKI/4/Update_CA_Cert:Update CA certificates of the Domain domain2 successfully. %Mar 14 09:06:54: RouterB PKI/4/Import_CA_Cert:Import CA certificates of the domain domain2 successfully. [RouterB] [RouterB] pki import-certificate local domain domain2 der filename local_cert.cer Importing certificates. Please wait a while... %Mar 14 09:07:11: RouterB PKI/4/Verify_Cert:Verify certificate CN= routerb of the domain domain2 successfully. Import local certificate successfully. [RouterB] %Mar 14 09:07:11: RouterB PKI/4/Import_Local_Cert:Import local certificate of the domain domain2 successfully. [RouterB] Configuration file [RouterB] display current-configuration version 5.20, Beta 1505L01, Standard sysname RouterB pki entity entityb common-name routerb ip pki domain domain2 ca identifier ca server certificate request url certificate request from ra Hangzhou H3C Technologies Co., Ltd. 26/29

27 certificate request entity entityb ike proposal 2 authentication-method rsa-signature ike peer peer2 remote-address certificate domain domain2 ipsec proposal ipsprop2 ipsec policy ipsprop2 1 isakmp security acl 3000 ike-peer peer2 proposal ipsprop2 acl number 3000 rule 0 permit ip destination interface Serial2/0 link-protocol ppp ip address ipsec policy policy2 return Verification After configuration, display IKE SA information on Router A and Router B. the information shows that no IKE SA has been set up. Display IKE SA information on Router A. [RouterA] display ike sa total phase-1 SAs: 0 connection-id peer flag phase doi [RouterA] Display IKE SA information on Router B. [RouterB] display ike sa total phase-1 SAs: 0 connection-id peer flag phase doi [RouterB] Ping the host in Group 2 from Group 1. IKE negotiation will be triggered. Then display IKE SA information again on Router A and Router B. The information shows that an IKE SA has been set up and the ping operation succeeded. Hangzhou H3C Technologies Co., Ltd. 27/29

28 If Router A and Router B have not obtained the CA and local certificates when IKE negotiation is triggered, the IKE negotiation fails and a temporary SA is set up. The following output is displayed when both routers have obtained the CA and local certificates and an IKE SA has been set up successfully. [RouterA] display ike sa total phase-1 SAs: 1 connection-id peer flag phase doi RD ST 2 IPSEC RD ST 1 IPSEC flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO TIMEOUT [RouterB] display ike sa total phase-1 SAs: 1 connection-id peer flag phase doi RD ST 2 IPSEC RD ST 1 IPSEC flag meaning RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO TIMEOUT Certificate-Based SSL Configuration Example Secure Sockets Layer (SSL) is a security protocol providing secure connection service for TCP-based application layer protocols, for example, HTTP protocol. It is widely used in E-business and online bank fields to secure data transmission over the Internet. With PKI, SSL allows encrypted data to be transmitted between the client and the server, and supports certificate-based authentication of the server and client. Network Requirements As shown in Figure 26, the network administrator is not in the same city as the corporate network and needs to log in to and manage the gateway of the intranet securely. The requirements include: The administrator uses host Admin to establish an HTTPS connection with Gateway. The security mechanism of SSL is used for the HTTPS server (Gateway) and the HTTPS client (Admin) to authenticate each other. Hangzhou H3C Technologies Co., Ltd. 28/29

29 Figure 26 Network diagram for certificate-based SSL configuration Configuration Considerations As SSL supports certificated-based authentication of the server and the client, you need to configure the CA server to issue certificates to the gateway device and the host. Configure the gateway device as an SSL server and enable HTTPS service. The host connects with the gateway using HTTPS. Identity authentication of the client is optional. If the authentication is configured, you need to request a certificate for the host. Configuration Procedures For detailed configuration steps of certificate-based SSL, refer to HTTPS configuration Example. References HTTPS Configuration Example Copyright 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice. Hangzhou H3C Technologies Co., Ltd. 29/29