Configure a Site-to-Site VPN using Certificates


  • Configure a Site-to-Site VPN using Certificates


    Caserver#sh run
    Building configuration...

    Current configuration : 2541 bytes
    !
    ! Last configuration change at 19:18:56 UTC Mon Mar 3 2008
    ! NVRAM config last updated at 19:18:57 UTC Mon Mar 3 2008
    !
    version 12.3
    !
    hostname CAserver
    !
    !
    crypto pki server vpnca
    issuer-name CN=vpnca.com
    grant auto
    !
    crypto pki trustpoint vpnca
    revocation-check crl
    rsakeypair vpnca
    !
    !
    crypto pki certificate chain vpnca
    certificate ca 01
    30820201 3082016A A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    14311230 10060355 04031309 76706E63 612E636F 6D301E17 0D303830 33303331
    39313833 335A170D 31313033 30333139 31383333 5A301431 12301006 03550403
    13097670 6E63612E 636F6D30 819F300D 06092A86 4886F70D 01010105 0003818D
    00308189 02818100 CC053776 D7896EEC 5A69E9AF D8FBC323 7E5F7FB1
    quit
    !
    interface FastEthernet0/0
    ip address 172.30.1.1 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 172.30.2.1 255.255.255.0
    !
    ip http server
    !
    line con 0
    exec-timeout 0 0
    logging synchronous
    line aux 0
    line vty 0 4
    login
    !
    ntp master
    end

    R1#show run
    Building configuration...

    Current configuration : 3864 bytes
    !
    version 12.3
    !
    hostname R1
    !
    !
    ip domain name cisco.com
    ip host caserver 172.30.1.1
    no ip ips deny-action ips-interface
    !
    no ftp-server write-enable
    !
    crypto pki trustpoint CA
    enrollment url http://172.30.1.1:80
    revocation-check crl
    !
    crypto pki certificate chain CA
    certificate 02
    308201B2 3082011B A0030201 02020102 300D0609 2A864886 F70D0101 04050030
    14311230 10060355 04031309 76706E63 612E636F 6D301E17 0D303830 33303331
    39323230 385A170D 30393033 30333139 32323038 5A301D31 1B301906 092A8648
    86F70D01 0902160C 52312E63 6973636F 2E636F6D 305C300D 06092A86 4886F70D
    quit
    D7EA61A7 8D
    quit
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    group 2
    lifetime 36000
    no crypto isakmp ccm
    !
    crypto ipsec transform-set VPN esp-des
    !
    crypto map VPN 1 ipsec-isakmp
    set peer 172.30.2.2
    set transform-set VPN
    match address 100
    !
    interface FastEthernet0/0
    ip address 172.30.1.2 255.255.255.0
    duplex auto
    speed auto
    crypto map VPN
    !
    interface FastEthernet0/1
    ip address 10.0.1.1 255.255.255.0
    duplex auto
    speed auto
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.30.1.1
    ip http server
    !
    access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    warm-reboot
    ntp clock-period 17180208
    ntp server 172.30.1.1
    end


    R1#show cry pki cer
    Certificate
    Status: Available
    Certificate Serial Number: 02
    Certificate Usage: General Purpose
    Issuer:
    cn=vpnca.com
    Subject:
    Name: R1.cisco.com
    hostname=R1.cisco.com
    Validity Date:
    start date: 19:22:08 UTC Mar 3 2008
    end date: 19:22:08 UTC Mar 3 2009
    Associated Trustpoints: CA

    CA Certificate
    Status: Available
    Certificate Serial Number: 01
    Certificate Usage: Signature
    Issuer:
    cn=vpnca.com
    Subject:
    cn=vpnca.com
    Validity Date:
    start date: 19:18:33 UTC Mar 3 2008
    end date: 19:18:33 UTC Mar 3 2011
    Associated Trustpoints: CA
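Added example (not part of the original post, and not Cisco's own tooling): a small Python parser for the "show crypto pki certificates" output shown above that checks what matters before relying on rsa-sig authentication: the identity certificate was issued by an installed CA, its validity window sits inside the CA's, and it is neither expired nor close to expiry. The SAMPLE text is copied from R1's output on this page; the date format is the IOS 12.3 one seen there and is an assumption for other releases.

```python
# Added example (not from the original post): parse the 'show crypto pki certificates'
# output above and sanity-check the chain and validity window before trusting it.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Copied from the R1 output on this page.
SAMPLE = """\
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
cn=vpnca.com
Subject:
Name: R1.cisco.com
hostname=R1.cisco.com
Validity Date:
start date: 19:22:08 UTC Mar 3 2008
end date: 19:22:08 UTC Mar 3 2009
Associated Trustpoints: CA

CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=vpnca.com
Subject:
cn=vpnca.com
Validity Date:
start date: 19:18:33 UTC Mar 3 2008
end date: 19:18:33 UTC Mar 3 2011
Associated Trustpoints: CA
"""

DATE_FMT = "%H:%M:%S UTC %b %d %Y"  # IOS 12.3 format seen above; assumed for other releases


@dataclass
class Cert:
    kind: str                          # "Certificate" (identity) or "CA Certificate"
    serial: str = ""
    issuer: str = ""
    subject: list[str] = field(default_factory=list)
    start: datetime | None = None
    end: datetime | None = None


def parse_date(text: str) -> datetime:
    return datetime.strptime(text.strip(), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_show_pki(output: str) -> list[Cert]:
    """One Cert per 'Certificate' / 'CA Certificate' block in the show output."""
    certs: list[Cert] = []
    section = ""
    for line in (raw.strip() for raw in output.splitlines() if raw.strip()):
        if line in ("Certificate", "CA Certificate"):
            certs.append(Cert(kind=line))
            section = ""
            continue
        if not certs:                  # prompt or other text before the first block
            continue
        cur = certs[-1]
        key, _, value = line.partition(":")
        if key == "Certificate Serial Number":
            cur.serial = value.strip()
        elif key in ("Issuer", "Subject", "Validity Date"):
            section = key
        elif key in ("start date", "end date"):
            setattr(cur, key.split()[0], parse_date(value))
        elif section == "Issuer":
            cur.issuer = line
        elif section == "Subject":
            cur.subject.append(line)
    return certs


def check_chain(certs: list[Cert], now: datetime, warn_days: int = 30) -> dict:
    """Per identity cert: issuing CA installed, inside CA validity, not expired/expiring at 'now'."""
    findings: list[str] = []
    cas = [c for c in certs if c.kind == "CA Certificate"]
    days_left = None
    for c in (c for c in certs if c.kind == "Certificate"):
        ca = next((x for x in cas if c.issuer in x.subject), None)
        if ca is None:
            findings.append(f"serial {c.serial}: issuer {c.issuer!r} matches no installed CA")
        elif not (ca.start <= c.start and c.end <= ca.end):
            findings.append(f"serial {c.serial}: validity is not inside the CA certificate's validity")
        if now < c.start:
            findings.append(f"serial {c.serial}: not yet valid; check the router's NTP time")
        remaining = (c.end - now).days
        days_left = remaining if days_left is None else min(days_left, remaining)
        if now > c.end:
            findings.append(f"serial {c.serial}: expired on {c.end:%Y-%m-%d}")
        elif remaining <= warn_days:
            findings.append(f"serial {c.serial}: expires in {remaining} days; re-enroll before then")
    if not cas:
        findings.append("no CA certificate installed: peer certificates cannot be validated")
    return {"ok": not findings, "findings": findings, "days_left": days_left}
```

Run it against the pasted output with check_chain(parse_show_pki(SAMPLE), datetime.now(timezone.utc)). Note that R1's certificate on this page is valid for one year while the CA's is valid for three; the tunnel stops negotiating the day the router certificate expires, so the days_left value is what a monitoring job should watch.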







    R3#sh run
    Building configuration...

    Current configuration : 4011 bytes
    !
    version 12.3
    !
    hostname R3
    !

    ip domain name cisco1.com
    ip host vpnca 172.30.2.1
    no ip ips deny-action ips-interface
    !
    crypto pki trustpoint vpnca
    enrollment url http://172.30.2.1:80
    revocation-check crl
    !
    !
    crypto pki certificate chain vpnca
    certificate 03
    308201B3 3082011C A0030201 02020103 300D0609 2A864886 F70D0101 04050030
    14311230 10060355 04031309 76706E63 612E636F 6D301E17 0D303830 33303331
    2953891F 85631115 A2D62E16 C87770F0 277F0075 E34DA8BC 84E92C5D 516DAE89
    5747473E 86CE6602 00ABAD19 5431EFD9 D80327FB 1577C2
    quit
    certificate ca 01
    D7EA61A7 8D
    quit
    !
    !
    crypto isakmp policy 10
    encr 3des
    hash md5
    group 2
    lifetime 36000
    no crypto isakmp ccm
    !
    crypto ipsec transform-set SNRS esp-des
    !
    crypto map SNRS-MAP 10 ipsec-isakmp
    set peer 172.30.1.2
    set transform-set SNRS
    match address 101
    !
    !
    interface FastEthernet0/0
    ip address 10.0.2.1 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 172.30.2.2 255.255.255.0
    duplex auto
    speed auto
    crypto map SNRS-MAP
    !
    interface Serial0/1/0
    no ip address
    shutdown
    no fair-queue
    clockrate 2000000
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.30.2.1
    !
    ip http server
    no ip http secure-server
    !
    access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    !
    warm-reboot
    ntp clock-period 17179862
    ntp server 172.30.2.1
    end
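Added example (not part of the original post): a Python cross-check of the two peer configurations above, the review a practitioner does before bringing the tunnel up. It parses the crypto-relevant parts of each running-config and verifies that some ISAKMP policy pair agrees on encryption, hash, DH group and authentication, that each "set peer" address is the interface on the other router that carries the crypto map, that the referenced transform sets are identical, and that the two crypto ACLs are mirror images. The snippets are the relevant lines of R1 and R3 copied from this page (IOS indentation restored, lines the check does not use omitted); the POLICY_DEFAULTS table reflects IOS's documented ISAKMP policy defaults and is the only thing assumed beyond the page.

```python
# Added example (not from the original post): cross-check the R1 and R3 configs above.
from __future__ import annotations

# Crypto-relevant lines of R1 and R3 from this page, with IOS indentation restored.
R1_CFG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set VPN esp-des
crypto map VPN 1 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set VPN
 match address 100
!
interface FastEthernet0/0
 ip address 172.30.1.2 255.255.255.0
 crypto map VPN
!
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
"""

R3_CFG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set SNRS esp-des
crypto map SNRS-MAP 10 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set SNRS
 match address 101
!
interface FastEthernet0/1
 ip address 172.30.2.2 255.255.255.0
 crypto map SNRS-MAP
!
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
"""

# IOS defaults for an ISAKMP policy: what an unstated parameter means (assumed from IOS docs).
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}


def parse_vpn(cfg: str) -> dict:
    """Collect ISAKMP policies, transform sets, crypto maps, interfaces and ACLs."""
    d = {"policies": {}, "tsets": {}, "maps": {}, "ifaces": {}, "acls": {}}
    block = None                        # (table, key) of the section being read
    for w in (line.split() for line in cfg.splitlines()):
        if not w or w[0] == "!":
            block = None
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            block = ("policies", w[3])
            d["policies"][w[3]] = dict(POLICY_DEFAULTS)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][w[3]] = tuple(w[4:])
            block = None
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            block = ("maps", (w[2], w[3]))
            d["maps"][block[1]] = {}
        elif w[0] == "interface":
            block = ("ifaces", w[1])
            d["ifaces"][w[1]] = {}
        elif w[0] == "access-list":
            d["acls"].setdefault(w[1], []).append(tuple(w[2:]))
            block = None
        elif block:
            table, key = block
            if table == "policies" and w[0] in POLICY_DEFAULTS:
                d[table][key][w[0]] = w[1]
            elif table == "maps" and w[0] in ("set", "match"):
                d[table][key][w[1]] = w[2]          # peer / transform-set / address
            elif table == "ifaces" and w[:2] in (["ip", "address"], ["crypto", "map"]):
                d[table][key][w[1]] = w[2]          # address -> IP, map -> crypto map name
    return d


def mirror(acl: list) -> list:
    """Swap source and destination of each 'permit ip S SM D DM' entry."""
    return [e[:2] + e[4:6] + e[2:4] if len(e) == 6 else e for e in acl]


def check_peers(a: dict, b: dict, an: str = "A", bn: str = "B") -> list[str]:
    """Mismatches that would stop A and B from negotiating the tunnel."""
    f: list[str] = []
    keys = ("encr", "hash", "group", "authentication")
    if not any(all(pa[k] == pb[k] for k in keys)
               for pa in a["policies"].values() for pb in b["policies"].values()):
        f.append("no ISAKMP policy pair agrees on encr/hash/group/authentication")
    for (name, seq), m in a["maps"].items():
        b_if = next((i for i in b["ifaces"].values() if i.get("address") == m.get("peer")), None)
        a_if = next((i for i in a["ifaces"].values() if i.get("map") == name), {})
        if not b_if or "map" not in b_if:
            f.append(f"{an} map {name} {seq}: peer {m.get('peer')} is not a crypto-map interface on {bn}")
            continue
        bm = next((e for (n, _), e in b["maps"].items()
                   if n == b_if["map"] and e.get("peer") == a_if.get("address")), None)
        if bm is None:
            f.append(f"{bn} map {b_if['map']}: no entry points back at {an}'s crypto-map interface")
            continue
        ta, tb = a["tsets"].get(m.get("transform-set")), b["tsets"].get(bm.get("transform-set"))
        if ta != tb:
            f.append(f"transform sets differ: {an} {ta} vs {bn} {tb}")
        if mirror(a["acls"].get(m.get("address"), [])) != b["acls"].get(bm.get("address"), []):
            f.append(f"crypto ACLs {m.get('address')} and {bm.get('address')} are not mirror images")
    return f
```

check_peers(parse_vpn(R1_CFG), parse_vpn(R3_CFG), "R1", "R3") returns an empty list for the pair on this page: neither router states "authentication", so both fall back to the rsa-sig default, which is exactly what makes this a certificate-authenticated tunnel rather than a pre-shared-key one. Lifetime is deliberately not compared, since IOS negotiates the shorter of the two.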

  • #2
    I'm taking the liberty of uploading this file for everyone's reference; if there are any mistakes, please point them out so I can correct them. Thank you!
    Nguyễn Vũ Minh

    CCNA
    CCSP in progress
    Cisco Information Security Specialist
    Cisco Firewall Specialist
