PKI Configuration Examples


Keywords: PKI, CA, RA, IKE, IPsec, SSL

Abstract: The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies. This document provides a certificate-based IKE configuration example and a certificate-based SSL configuration example.

Acronyms:

Acronym   Full spelling
CA        Certificate Authority
CRL       Certificate Revocation List
HTTP      Hypertext Transfer Protocol
HTTPS     Hypertext Transfer Protocol Secure
IIS       Internet Information Service
IKE       Internet Key Exchange
IPsec     Internet Protocol Security
LDAP      Light-weight Directory Access Protocol
PKC       Public Key Certificate
PKI       Public Key Infrastructure
RA        Registration Authority
S/MIME    Secure/Multipurpose Internet Mail Extensions
SCEP      Simple Certification Enrollment Protocol
SSL       Secure Sockets Layer
VPN       Virtual Private Network

Hangzhou H3C Technologies Co., Ltd. www.h3c.com

Table of Contents

Feature Overview
Application Scenarios
Configuration Guidelines
Certificate-Based IKE Configuration Example
  Network Requirements
  Configuration Considerations
  Configuration Procedures
    Configuration on the CA Server
    Configuration on Router A
    Configuration on Router B
  Verification
Certificate-Based SSL Configuration Example
  Network Requirements
  Configuration Considerations
  Configuration Procedures
References

Feature Overview

The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies and the digital certificate mechanism. It contains a set of services and policies for information binding, PKI implementation, and maintenance.

In PKI, the digital certificate mechanism is used to bind public keys to their owners; users are allowed to request, retrieve, and delete digital certificates. With digital certificates and services such as certificate issuing and revocation, the PKI system authenticates the entities involved in the communication, ensuring data non-repudiation, data confidentiality, and data integrity.

Application Scenarios

PKI technology satisfies the need to secure network data exchange. As a basic infrastructure, PKI is widely used and still being developed. Typically, PKI is used in these scenarios:

1) VPN
A virtual private network (VPN) is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in conjunction with PKI-based encryption and digital signature technologies for confidentiality.

2) Secure E-mail
E-mail requires confidentiality, integrity, authentication, and non-repudiation, and PKI can address these needs. The secure E-mail protocol that is currently developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows signed, encrypted mail to be exchanged without the parties sharing a key.

3) Web security
For Web security, two peers first establish an SSL connection for transparent and secure communication at the application layer. With PKI, SSL enables encrypted communication between a browser and a server, and both parties can verify each other's identity through digital certificates.

Configuration Guidelines

When configuring PKI, note that:

A certificate contains a validity period. The system time of the device must be synchronized with that of the CA server so that the device can obtain a certificate successfully.

If the CA server is running Windows 2003 Server, Internet Information Services (IIS) must be installed and enabled on the CA server to control and manage the CA server. Which add-ons are needed on other CA servers depends on the actual configuration environment.

To avoid conflicts with existing Web services, it is recommended not to use the default TCP port number of the CA server.

Certificate-Based IKE Configuration Example

As an important VPN protocol, IPsec guards communication security at the IP layer, and it can use IKE to set up security associations (SAs) automatically. However, in complex networks, security problems may arise from the simple identity authentication mechanism of IKE. When IKE and PKI are used together, authentication security is enhanced by PKI certificate-based identity authentication, which improves the security and scalability of the VPN gateways.

Network Requirements

As shown in Figure 1, two subnets are connected to the Internet through their own gateways. Now it is required that:

An IPsec tunnel is established between Router A and Router B to protect the data transmitted between the two subnets.
A pair of IPsec SAs is set up through IKE negotiation between Router A and Router B.
The IKE negotiation adopts PKI certificate-based authentication.

Figure 1 Network diagram for certificate-based IKE configuration

Configuration Considerations

Configure the CA server. In this example, Windows 2003 Server is used as the CA server.

Perform the following configuration on Router A and Router B:
Configure PKI: define a PKI entity and perform PKI domain-related configurations.
Configure IKE, setting the authentication method to digital signature.
Configure IPsec to protect the data flows between the two subnets.
Request a certificate, download the certificate, and save it locally.

Configuration Procedures

The following configurations are made on devices that use default settings and have been verified in a lab environment. When using them on devices in a live network, make sure that they do not conflict with your current configurations, to prevent potential negative impact on your network. Before performing the configuration, make sure that there are routes between the CA server and the routers.

Configuration on the CA Server

Install the Certificate Services component

From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components. In the pop-up dialog box, select Certificate Services and click Next to begin the installation.

Figure 2 Install the certificate service component

1) Select the Stand-alone root CA option, and click Next.

Figure 3 Install the certificate service suites

2) Input CA server in the Common name for this CA text box, and click Next.

Figure 4 Install the certificate service suites

3) Specify the directories for the certificate database, certificate database log, and shared folder, and then click Next. In this example, the default settings are used.

Figure 5 Install the certificate service suites

4) After the certificate service suites are installed successfully, click Finish. The Windows Components Wizard dialog box closes.

Install the SCEP add-on

Double-click the SCEP installation file. In the pop-up dialog box, click Next. The SCEP installation program can be downloaded free from the Microsoft website.

Figure 6 Install the SCEP add-on

1) Select the Use the local system account option and click Next.

Figure 7 Install the SCEP add-on

2) Leaving the Require SCEP Challenge Phrase to Enroll check box unselected, click Next.

Figure 8 Install the SCEP add-on

3) Specify the RA information for the enrollment of the RA certificates and click Next. An RA implements functions such as identity authentication, CRL management, key pair generation, and key pair backup. As an extension of a CA, the RA is also considered part of the CA's implementation. The RA name must not be identical to the CA name; otherwise, related functions may fail.

Figure 9 Install the SCEP add-on

4) After completing the configuration, click Finish. A dialog box appears, as shown in Figure 10. Record the URL and click OK.

Figure 10 Install the SCEP add-on

Modify the certificate service properties

From the start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA. Right-click CA server and select Properties from the shortcut menu.

Figure 11 Modify the CA server properties

Select the Policy Module tab in the CA server Properties dialog box, and then click the Properties button.

Figure 12 CA server properties

Select the option Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate. Then click OK.

Figure 13 Policy module properties

Click the stop icon (Figure 14) and then the start icon (Figure 15) to restart the CA service.

Figure 14 Stop the CA service

Figure 15 Start the CA service

Modify the IIS attributes

From the start menu, select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager, and then select Web Sites from the navigation tree. Right-click Default Web Site and select Properties.

Figure 16 IIS Manager

Select the Home Directory tab and specify the path for the certificate service in the Local path text box.

Figure 17 Modify the home directory of the default website

Select the Web Site tab, and change the TCP port number to 8080. Make sure that the TCP port of the default website is not used by any other service. The default port number 80 is not recommended.

Figure 18 Change the TCP port number of the default website

Configuration on Router A

Configuration steps

1) Configure PKI

Create a PKI entity and enter its view. Configure the common name for the entity as routera.

  <RouterA> system-view
  [RouterA] pki entity entitya
  [RouterA-pki-entity-entityA] common-name routera
  [RouterA-pki-entity-entityA] ip 2.2.2.1
  [RouterA-pki-entity-entityA] quit

Create a PKI domain and enter its view.

  [RouterA] pki domain domain1

Specify the trusted CA as ca server.

  [RouterA-pki-domain-domain1] ca identifier ca server

Configure the URL of the registration server in the format http://host:port/certsrv/mscep/mscep.dll, where host:port is the IP address and port number of the CA server. Because the TCP port number of the default Web site on the CA server has been changed to 8080, you must specify port 8080 when configuring the URL of the RA server.

  [RouterA-pki-domain-domain1] certificate request url http://1.1.1.101:8080/certsrv/mscep/mscep.dll

Specify that the entity requests a certificate from the RA.

  [RouterA-pki-domain-domain1] certificate request from ra

Specify the entity for certificate request as entitya.

  [RouterA-pki-domain-domain1] certificate request entity entitya
  [RouterA-pki-domain-domain1] quit

2) Configure IKE

Create an IKE proposal and configure it to use the RSA digital signature authentication method.

  [RouterA] ike proposal 1
  [RouterA-ike-proposal-1] authentication-method rsa-signature
  [RouterA-ike-proposal-1] quit

Create an IKE peer.

  [RouterA] ike peer peer1

Specify the IP address of the remote IPsec gateway.

  [RouterA-ike-peer-peer1] remote-address 3.3.3.1

Configure the PKI domain as domain1.

  [RouterA-ike-peer-peer1] certificate domain domain1
  [RouterA-ike-peer-peer1] quit

3) Configure IPsec

Create an ACL to permit the packets to be protected.

  [RouterA] acl number 3000
  [RouterA-acl-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255
  [RouterA-acl-adv-3000] quit

Create an IPsec proposal.

  [RouterA] ipsec proposal ipsprop1

Configure IPsec proposal ipsprop1 to use ESP.

  [RouterA-ipsec-proposal-ipsprop1] transform esp

Configure IPsec proposal ipsprop1 to encapsulate IP packets in tunnel mode.

  [RouterA-ipsec-proposal-ipsprop1] encapsulation-mode tunnel

Configure IPsec proposal ipsprop1 to use DES as the ESP encryption algorithm.

  [RouterA-ipsec-proposal-ipsprop1] esp encryption-algorithm des

Configure IPsec proposal ipsprop1 to use MD5 as the ESP authentication algorithm.

  [RouterA-ipsec-proposal-ipsprop1] esp authentication-algorithm md5
  [RouterA-ipsec-proposal-ipsprop1] quit

Create an IPsec policy and enter its view.

  [RouterA] ipsec policy policy1 1 isakmp

Specify an ACL for the IPsec policy to reference.

  [RouterA-ipsec-policy-isakmp-policy1-1] security acl 3000

Specify the IKE peer.

  [RouterA-ipsec-policy-isakmp-policy1-1] ike-peer peer1

Specify the IPsec proposal for the IPsec policy to reference. The name must match the proposal created above (ipsprop1).

  [RouterA-ipsec-policy-isakmp-policy1-1] proposal ipsprop1
  [RouterA-ipsec-policy-isakmp-policy1-1] quit

Apply the IPsec policy to an interface.

  [RouterA] interface serial 2/0
  [RouterA-Serial2/0] ipsec policy policy1
  [RouterA-Serial2/0] quit

4) Request a certificate

Generate a local RSA key pair.

  [RouterA] public-key local create rsa
  Warning: The local key pair already exist. Confirm to replace them? [Y/N]:y
  The range of public key size is (512 ~ 2048).
  NOTES: If the key modulus is greater than 512,
  It will take a few minutes.
  Press CTRL+C to abort.
  Input the bits of the modulus[default = 1024]:
  Generating Keys......++++++...++++++...++++++++...++++++++

A certificate request can be submitted in two ways, inband and out-of-band. Choose one as needed.

Inband mode

Retrieve the CA certificate in online mode.

  [RouterA] pki retrieval-certificate ca domain domain1
  Retrieving CA/RA certificates. Please wait a while...
  The trusted CA's finger print is:
      MD5 fingerprint:4f10 9CB0 4D51 6EB2 21D4 12C4 5881 EE2F
      SHA1 fingerprint:1a56 5741 219F 8E98 6438 B556 2C5A 2275 F097 2536
  Is the finger print correct?(y/n):y
  Saving CA/RA certificates chain, please wait a moment...
  CA certificates retrieval success.

Request a local certificate from the CA through SCEP.

  [RouterA] pki request-certificate domain domain1
  Certificate is being requested, please wait...
  [RouterA]
  Enrolling the local certificate,please wait a while...

  Certificate request Successfully!
  Saving the local certificate to device... Done!

Out-of-band mode

If SCEP fails, you can use the pki request-certificate domain command with the pkcs10 keyword to save the local certificate request and send it to the CA by an out-of-band means such as phone, disk, or e-mail.

Display the local certificate request in BASE64 format.

  [RouterA] pki request-certificate domain domain1 pkcs10
  -----BEGIN CERTIFICATE REQUEST-----
  MIIBTTCBtwIBADAOMQwwCgYDVQQDEwMxMjMwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
  MIGJAoGBAOEvjYboMDX0akLSOqSSCQm7dE7nmJz0N2BsuPh7I4mlkxLHZIwp5vAo
  PT1Q2i85uLqQDtmxjuYd9fZU4qM9Ps9It2lKG4DCFyFXkKTI9U4jPK42/grPMFmq
  V8BED9H+O6c9N/sWwA85C2um7UgIOj6TGi6LDBrp9ZZ3xFSO54bdAgMBAAGgADAN
  BgkqhkiG9w0BAQQFAAOBgQBnjx0Qyme4Pu29BOjvjVYe8qhf9SizXpl6ty4jPS8Y
  +XkVV30WCs1ITfnUrD5IbhiDr50tDdqqv8y9B7kB+7/DBWcFv4Hrek5XBJveGolT
  qz8+m7to8bxxcv4nrltcsmreyonirvnlkr94kv3tctgoi1e9kxkgg7dlhzfe75ip
  lq==
  -----END CERTIFICATE REQUEST-----
  [RouterA]

Send the certificate request to the CA server out of band. Enter the URL http://1.1.1.101:8080/certsrv in the address bar to open the page for requesting a certificate. On the page, click Request a certificate.

Figure 19 Certificate request page

The page shown in Figure 20 appears. Click advanced certificate request.

Figure 20 Select advanced certificate request

The page shown in Figure 21 appears. Click the link Submit a certificate request by using a base-64-encoded CMC or PKCS10 file, or submit a renewal request by using a base-64-encoded PKCS7 file.

Figure 21 Advanced certificate request

On the new page, shown in Figure 22, paste the saved request information in the Saved Request text box, and click Submit.

Figure 22 Paste the certificate request information

If a certificate is issued, the following page appears.

Figure 23 Select certificate encoding method

Select DER encoded and then click Download certificate. When importing the certificate later, be sure to select the same encoding method. A dialog box appears. Save the local certificate locally with the file name local_cert.cer.

Go back to the page for requesting a certificate at http://1.1.1.101:8080/certsrv, and then select Download a CA certificate, certificate chain, or CRL.

Figure 24 Certificate request page

Select DER as the encoding method, and click Download CA certificate.

Figure 25 Download the CA certificate

A dialog box appears. Save the CA certificate locally with the file name ca_cert.cer. After completing the operation, the certificate has been obtained out of band.

Send the CA certificate and local certificate to Router A out of band. Then use the following commands to import the files to Router A.

Import the CA certificate for the PKI domain in DER encoding.

  [RouterA] pki import-certificate ca domain domain1 der filename ca_cert.cer
  Importing certificates. Please wait a while...
  The trusted CA's finger print is:
      MD5 fingerprint:5a9c E2EA 7363 CDA2 3B4F 0C15 B3F7 6E7D
      SHA1 fingerprint:b58c B59D 2242 7244 7B83 F2E8 0C16 13EB E0BF 6526
  Is the finger print correct?(y/n):y
  %Mar 13 20:32:56:158 2008 RouterA PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain domain1 is trusted.
  Import CA certificate successfully.
  [RouterA]
  %Mar 13 20:32:56:186 2008 RouterA PKI/4/Update_CA_Cert:Update CA certificates of the Domain domain1 successfully.
  %Mar 13 20:32:56:187 2008 RouterA PKI/4/Import_CA_Cert:Import CA certificates of the domain domain1 successfully.
  [RouterA]

Import the local certificate for the PKI domain in DER encoding.

  [RouterA] pki import-certificate local domain domain1 der filename local_cert.cer
  Importing certificates. Please wait a while...
  %Mar 13 20:35:54:364 2008 RouterA PKI/4/Verify_Cert:Verify certificate CN=routera of the domain domain1 successfully.
  Import local certificate successfully.
  [RouterA]
  %Mar 13 20:35:54:376 2008 RouterA PKI/4/Import_Local_Cert:Import local certificate of the domain domain1 successfully.
  [RouterA]

Configuration file

  [RouterA] display current-configuration
  version 5.20, Beta 1505L01, Standard
  sysname RouterA
  pki entity entitya
   common-name routera
   ip 2.2.2.1
  pki domain domain1
   ca identifier ca server
   certificate request url http://1.1.1.101:8080/certsrv/mscep/mscep.dll
   certificate request from ra
   certificate request entity entitya
  ike proposal 1
   authentication-method rsa-signature

  ike peer peer1
   remote-address 3.3.3.1
   certificate domain domain1
  ipsec proposal ipsprop1
  ipsec policy policy1 1 isakmp
   security acl 3000
   ike-peer peer1
   proposal ipsprop1
  acl number 3000
   rule 0 permit ip source 10.1.1.0 0.0.0.255
  interface Serial2/0
   link-protocol ppp
   ip address 2.2.2.1 255.255.255.0
   ipsec policy policy1
  return

Configuration on Router B

Configuration steps

1) Configure PKI

Create a PKI entity and enter its view. Configure the common name for the entity as routerb.

  <RouterB> system-view
  [RouterB] pki entity entityb
  [RouterB-pki-entity-entityB] common-name routerb
  [RouterB-pki-entity-entityB] ip 3.3.3.1
  [RouterB-pki-entity-entityB] quit

Create a PKI domain and enter its view.

  [RouterB] pki domain domain2

Specify the trusted CA as ca server.

  [RouterB-pki-domain-domain2] ca identifier ca server

Configure the URL of the registration server in the format http://host:port/certsrv/mscep/mscep.dll, where host:port is the IP address and port number of the CA server. Because the TCP port number of the default Web site on the CA server has been changed to 8080, you must specify port 8080 when configuring the URL of the RA server.

  [RouterB-pki-domain-domain2] certificate request url http://1.1.1.101:8080/certsrv/mscep/mscep.dll

Specify that the entity requests a certificate from the RA.

  [RouterB-pki-domain-domain2] certificate request from ra

Specify the entity for certificate request as entityb.

  [RouterB-pki-domain-domain2] certificate request entity entityb
  [RouterB-pki-domain-domain2] quit

2) Configure IKE

Create an IKE proposal and configure it to use the RSA digital signature authentication method.

  [RouterB] ike proposal 2
  [RouterB-ike-proposal-2] authentication-method rsa-signature
  [RouterB-ike-proposal-2] quit

Create an IKE peer.

  [RouterB] ike peer peer2

Specify the IP address of the remote IPsec gateway.

  [RouterB-ike-peer-peer2] remote-address 2.2.2.1

Configure the PKI domain as domain2 for IKE negotiation.

  [RouterB-ike-peer-peer2] certificate domain domain2
  [RouterB-ike-peer-peer2] quit

3) Configure IPsec

Create an ACL to permit packets destined for 10.1.1.0 0.0.0.255.

  [RouterB] acl number 3000
  [RouterB-acl-adv-3000] rule 0 permit ip destination 10.1.1.0 0.0.0.255
  [RouterB-acl-adv-3000] quit

Create an IPsec proposal.

  [RouterB] ipsec proposal ipsprop2

Configure IPsec proposal ipsprop2 to use ESP.

  [RouterB-ipsec-proposal-ipsprop2] transform esp

Configure IPsec proposal ipsprop2 to encapsulate IP packets in tunnel mode.

  [RouterB-ipsec-proposal-ipsprop2] encapsulation-mode tunnel

Configure IPsec proposal ipsprop2 to use DES as the ESP encryption algorithm.

  [RouterB-ipsec-proposal-ipsprop2] esp encryption-algorithm des

Configure IPsec proposal ipsprop2 to use MD5 as the ESP authentication algorithm.

  [RouterB-ipsec-proposal-ipsprop2] esp authentication-algorithm md5
  [RouterB-ipsec-proposal-ipsprop2] quit

Create an IPsec policy.

  [RouterB] ipsec policy policy2 1 isakmp

Specify an ACL for the IPsec policy to reference.

  [RouterB-ipsec-policy-isakmp-policy2-1] security acl 3000

Reference an IKE peer in the IPsec policy.

  [RouterB-ipsec-policy-isakmp-policy2-1] ike-peer peer2

Specify the IPsec proposal for the IPsec policy to reference.

  [RouterB-ipsec-policy-isakmp-policy2-1] proposal ipsprop2
  [RouterB-ipsec-policy-isakmp-policy2-1] quit

Apply the IPsec policy to an interface.

  [RouterB] interface serial 2/0
  [RouterB-Serial2/0] ipsec policy policy2
  [RouterB-Serial2/0] quit

4) Submit a certificate request

Generate a local RSA key pair.

  [RouterB] public-key local create rsa
  Warning: The local key pair already exist. Confirm to replace them? [Y/N]:y
  The range of public key size is (512 ~ 2048).
  NOTES: If the key modulus is greater than 512,
  It will take a few minutes.
  Press CTRL+C to abort.
  Input the bits of the modulus[default = 1024]:
  Generating Keys......++++++...++++++...++++++++...++++++++

A certificate request can be submitted in two ways, inband and out-of-band. Choose either as needed.

Inband mode

Retrieve the CA certificate from the server for certificate distribution.

  [RouterB] pki retrieval-certificate ca domain domain2
  Retrieving CA/RA certificates. Please wait a while...
  The trusted CA's finger print is:
      MD5 fingerprint:8210 000F 4D51 48B2 21D4 12C4 9883 EE2F
      SHA1 fingerprint:1a56 A74F 219F 8E98 EE38 B556 2B5A 2275 F097 2536
  Is the finger print correct?(y/n):y
  Saving CA/RA certificates chain, please wait a moment...
  CA certificates retrieval success.

Request a local certificate from the CA through SCEP.

  [RouterB] pki request-certificate domain domain2
  Certificate is being requested, please wait...
  [RouterB]
  Enrolling the local certificate,please wait a while...
  Certificate request Successfully!
  Saving the local certificate to device... Done!
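The inband retrieval on Router A and Router B, and the out-of-band import on Router A, each stop at the prompt "Is the finger print correct?(y/n)". Answering y is the moment the device starts trusting that CA for IKE authentication, so the printed value should be compared against a fingerprint computed independently from the CA certificate obtained out of band (the ca_cert.cer file downloaded from the /certsrv page), not simply accepted. The following Python script is an added example and not part of the H3C document: it computes the MD5 and SHA1 fingerprints of a DER file in the same "MD5 fingerprint:xxxx xxxx ..." layout the router prints and compares them. SAMPLE_CA_DER is a constructed placeholder byte string standing in for ca_cert.cer; the script assumes the router's output lines have exactly the "MD5 fingerprint:" / "SHA1 fingerprint:" form shown above.

```python
"""Compare the CA fingerprint a router prints at 'Is the finger print correct?'
with one computed locally from the DER certificate obtained out of band.

Added example, not part of the H3C document. SAMPLE_CA_DER is a constructed
placeholder; for a real check use open("ca_cert.cer", "rb").read()."""
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed placeholder bytes, NOT a real certificate (a real one is DER: 0x30 0x82 ...).
SAMPLE_CA_DER = b"\x30\x82\x01\x00" + b"constructed placeholder CA certificate body" * 4

# One router output line, e.g. "    MD5 fingerprint:4f10 9CB0 4D51 6EB2 21D4 12C4 5881 EE2F"
LINE_RE = re.compile(r"\s*(MD5|SHA1)\s+fingerprint:\s*([0-9A-Fa-f ]+)$")


def fingerprints(der: bytes) -> Dict[str, str]:
    """MD5 and SHA1 of the DER bytes as upper-case hex, keyed by the router's labels."""
    return {"MD5": hashlib.md5(der).hexdigest().upper(),
            "SHA1": hashlib.sha1(der).hexdigest().upper()}


def format_like_router(hexdigest: str) -> str:
    """Render a hex digest the way the router prints it: groups of four, space separated."""
    return " ".join(hexdigest[i:i + 4] for i in range(0, len(hexdigest), 4))


def parse_router_line(line: str) -> Optional[Tuple[str, str]]:
    """'MD5 fingerprint:4f10 9CB0 ...' -> ('MD5', '4F109CB0...'); None for other lines.
    The router mixes upper and lower case in its output, so normalise to upper case."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2).replace(" ", "").upper()


def fingerprint_matches(der: bytes, router_lines: Iterable[str]) -> bool:
    """True only if every fingerprint line the router printed matches the local
    file AND the SHA1 line was among them. An MD5 match on its own is not
    accepted: chosen-prefix MD5 collisions against certificates are practical."""
    expected = fingerprints(der)
    seen = set()
    for line in router_lines:
        parsed = parse_router_line(line)
        if parsed is None:
            continue  # prompts and status lines are skipped
        algo, value = parsed
        if expected[algo] != value:
            return False
        seen.add(algo)
    return "SHA1" in seen


if __name__ == "__main__":
    # Print the local fingerprints in router layout so they can be read side by side.
    for algo, hexdigest in fingerprints(SAMPLE_CA_DER).items():
        print(f"{algo} fingerprint:{format_like_router(hexdigest)}")
```

Paste the router's two fingerprint lines into a list and call fingerprint_matches with the bytes of ca_cert.cer; only answer y at the prompt when it returns True.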

Out-of-band mode

The operation procedure is the same as that on Router A and is therefore omitted. After completing the operation, use the following commands to import the files to Router B.

  [RouterB] pki import-certificate ca domain domain2 der filename ca_cert.cer
  Importing certificates. Please wait a while...
  The trusted CA's finger print is:
      MD5 fingerprint:5a9c E2EA 7363 CDA2 3B4F 0C15 B3F7 6E7D
      SHA1 fingerprint:b58c B59D 2242 7244 7B83 F2E8 0C16 13EB E0BF 6526
  Is the finger print correct?(y/n):y
  %Mar 14 09:06:54:504 2008 RouterB PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain domain2 is trusted.
  Import CA certificate successfully.
  [RouterB]
  %Mar 14 09:06:54:575 2008 RouterB PKI/4/Update_CA_Cert:Update CA certificates of the Domain domain2 successfully.
  %Mar 14 09:06:54:575 2008 RouterB PKI/4/Import_CA_Cert:Import CA certificates of the domain domain2 successfully.
  [RouterB]
  [RouterB] pki import-certificate local domain domain2 der filename local_cert.cer
  Importing certificates. Please wait a while...
  %Mar 14 09:07:11:494 2008 RouterB PKI/4/Verify_Cert:Verify certificate CN= routerb of the domain domain2 successfully.
  Import local certificate successfully.
  [RouterB]
  %Mar 14 09:07:11:506 2008 RouterB PKI/4/Import_Local_Cert:Import local certificate of the domain domain2 successfully.
  [RouterB]

Configuration file

  [RouterB] display current-configuration
  version 5.20, Beta 1505L01, Standard
  sysname RouterB
  pki entity entityb
   common-name routerb
   ip 3.3.3.1
  pki domain domain2
   ca identifier ca server
   certificate request url http://1.1.1.101:8080/certsrv/mscep/mscep.dll
   certificate request from ra
   certificate request entity entityb
  ike proposal 2
   authentication-method rsa-signature
  ike peer peer2
   remote-address 2.2.2.1
   certificate domain domain2
  ipsec proposal ipsprop2
  ipsec policy policy2 1 isakmp
   security acl 3000
   ike-peer peer2
   proposal ipsprop2
  acl number 3000
   rule 0 permit ip destination 10.1.1.0 0.0.0.255
  interface Serial2/0
   link-protocol ppp
   ip address 3.3.3.1 255.255.255.0
   ipsec policy policy2
  return

Verification

Right after configuration, display IKE SA information on Router A and Router B; the output shows that no IKE SA has been set up.

Display IKE SA information on Router A.

  [RouterA] display ike sa
      total phase-1 SAs:  0
      connection-id  peer            flag     phase  doi
    ----------------------------------------------------------
  [RouterA]

Display IKE SA information on Router B.

  [RouterB] display ike sa
      total phase-1 SAs:  0
      connection-id  peer            flag     phase  doi
    ----------------------------------------------------------
  [RouterB]

Ping the host in Group 2 from Group 1. IKE negotiation is triggered. Then display IKE SA information again on Router A and Router B. The output shows that an IKE SA has been set up and the ping operation succeeded.
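The verification step only tells you whether an SA came up; when it does not, the cause is often one of several places where the Router A and Router B configurations must agree with each other or with themselves: an IPsec policy that references a misspelled proposal or IKE peer, a policy name applied to the interface that matches no policy block, or a remote-address that is not the other gateway's interface address. The following Python checker is an added example and not H3C code: it parses "display current-configuration" style text into top-level blocks, reports such dangling or mismatched references, and additionally flags the DES encryption and MD5 authentication used in this example as weak choices for ESP. ROUTER_A and ROUTER_B are constructed from the document's Router A and Router B configuration files, trimmed to the blocks the checks use, with the proposal's esp lines written out explicitly (the document's configuration output does not list them).

```python
"""Consistency checks over a pair of IKE/IPsec gateway configurations given
as Comware-style 'display current-configuration' text. Added example, not
part of the H3C document: ROUTER_A / ROUTER_B are constructed from the
document's configuration files, trimmed to the blocks the checks use."""
from typing import List, Optional, Tuple

ROUTER_A = """\
ike peer peer1
 remote-address 3.3.3.1
ipsec proposal ipsprop1
 esp encryption-algorithm des
 esp authentication-algorithm md5
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer peer1
 proposal ipsprop1
acl number 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255
interface Serial2/0
 ip address 2.2.2.1 255.255.255.0
 ipsec policy policy1
"""
ROUTER_B = """\
ike peer peer2
 remote-address 2.2.2.1
ipsec proposal ipsprop2
 esp encryption-algorithm des
 esp authentication-algorithm md5
ipsec policy policy2 1 isakmp
 security acl 3000
 ike-peer peer2
 proposal ipsprop2
acl number 3000
 rule 0 permit ip destination 10.1.1.0 0.0.0.255
interface Serial2/0
 ip address 3.3.3.1 255.255.255.0
 ipsec policy policy2
"""
Block = Tuple[str, List[str]]  # (column-0 header line, indented body lines)
WEAK = {"esp encryption-algorithm": {"des"}, "esp authentication-algorithm": {"md5"}}


def parse_blocks(config: str) -> List[Block]:
    """A line in column 0 opens a block; indented lines belong to the last block."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if raw.strip() in ("", "#", "return"):
            continue
        if not raw[0].isspace():
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def names(blocks: List[Block], prefix: str) -> set:
    """Names of the blocks whose header starts with prefix, e.g. 'ike peer '."""
    return {h[len(prefix):].split()[0] for h, _ in blocks if h.startswith(prefix)}


def body_value(body: List[str], keyword: str) -> Optional[str]:
    """Argument of the first body line beginning with keyword, or None."""
    for line in body:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:].strip()
    return None


def check_router(config: str) -> List[str]:
    """One router: references that point nowhere, and weak ESP algorithms."""
    blocks = parse_blocks(config)
    valid = {"proposal": names(blocks, "ipsec proposal "),
             "ike-peer": names(blocks, "ike peer "),
             "security acl": names(blocks, "acl number ")}
    policies = names(blocks, "ipsec policy ")
    findings: List[str] = []
    for header, body in blocks:
        if header.startswith("ipsec policy "):
            for kw, known in valid.items():
                ref = body_value(body, kw)  # None when the line is absent
                if ref not in known:
                    findings.append(f"{header}: '{kw} {ref}' refers to nothing")
        elif header.startswith("interface "):
            ref = body_value(body, "ipsec policy")
            if ref is not None and ref not in policies:
                findings.append(f"{header}: applies unknown ipsec policy '{ref}'")
        elif header.startswith("ipsec proposal "):
            for kw, weak in WEAK.items():
                if body_value(body, kw) in weak:
                    findings.append(f"{header}: '{kw}' uses a weak algorithm")
    return findings


def check_pair(config_a: str, config_b: str) -> List[str]:
    """Both ends: every remote-address must be an interface address of the other router."""
    a, b = parse_blocks(config_a), parse_blocks(config_b)
    findings: List[str] = []
    for mine, other, tag in ((a, b, "A"), (b, a, "B")):
        addrs = {body_value(bd, "ip address").split()[0] for h, bd in other
                 if h.startswith("interface ") and body_value(bd, "ip address")}
        for h, bd in mine:
            if h.startswith("ike peer ") and body_value(bd, "remote-address") not in addrs:
                findings.append(f"{tag}: {h} remote-address is not an address of the other end")
    return findings


if __name__ == "__main__":
    for line in check_router(ROUTER_A) + check_router(ROUTER_B) + check_pair(ROUTER_A, ROUTER_B):
        print(line)
```

On the two constructed configurations the only findings are the weak-algorithm warnings; a misspelled proposal name inside the policy, or a policy name on the interface that does not match any policy block, shows up as a "refers to nothing" or "applies unknown ipsec policy" line before any IKE negotiation is attempted.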

If Router A and Router B have not obtained the CA and local certificates when IKE negotiation is triggered, the IKE negotiation fails and a temporary SA is set up. The following output is displayed when both routers have obtained the CA and local certificates and an IKE SA has been set up successfully.

  [RouterA] display ike sa
      total phase-1 SAs:  1
      connection-id  peer            flag     phase  doi
    ----------------------------------------------------------
      182            3.3.3.1         RD ST    2      IPSEC
      181            3.3.3.1         RD ST    1      IPSEC
      flag meaning
      RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO TIMEOUT

  [RouterB] display ike sa
      total phase-1 SAs:  1
      connection-id  peer            flag     phase  doi
    ----------------------------------------------------------
      434            2.2.2.1         RD ST    2      IPSEC
      433            2.2.2.1         RD ST    1      IPSEC
      flag meaning
      RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO TIMEOUT

Certificate-Based SSL Configuration Example

Secure Sockets Layer (SSL) is a security protocol that provides secure connection service for TCP-based application layer protocols, for example HTTP. It is widely used in e-business and online banking to secure data transmission over the Internet. With PKI, SSL allows encrypted data to be transmitted between the client and the server, and supports certificate-based authentication of the server and the client.

Network Requirements

As shown in Figure 26, the network administrator is not in the same city as the corporate network and needs to log in to and manage the gateway of the intranet securely. The requirements include:

The administrator uses host Admin to establish an HTTPS connection with Gateway.
The security mechanism of SSL is used for the HTTPS server (Gateway) and the HTTPS client (Admin) to authenticate each other.

Figure 26 Network diagram for certificate-based SSL configuration

Configuration Considerations

As SSL supports certificate-based authentication of the server and the client, you need to configure the CA server to issue certificates to the gateway device and the host.

Configure the gateway device as an SSL server and enable the HTTPS service. The host connects to the gateway using HTTPS.

Identity authentication of the client is optional. If client authentication is configured, you need to request a certificate for the host.

Configuration Procedures

For detailed configuration steps of certificate-based SSL, refer to the HTTPS Configuration Example.

References

HTTPS Configuration Example

Copyright 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.