带Windows 7或Android VPN客户端的ASA IKEv2 RA VPN和证书身份验证配置
目录
简介
本文档介绍如何配置思科自适应安全设备(ASA)9.7.1版及更高版本,以允许Windows 7和Android本机(虚拟专用网络)VPN客户端使用互联网密钥交换协议(IKEv2)和证书作为身份验证方法建立(远程访问)RA VPN连接。
作者:David Rivera和Cesar Lopez Zamarripa,思科TAC工程师。
先决条件
要求
Cisco 建议您了解以下主题:
- 证书颁发机构 (CA)
- 公用密钥基础结构 (PKI)
- 在ASA上具有IKEv2的RA VPN
- Windows 7内置VPN客户端
- Android本地VPN客户端
使用的组件
本文档中的信息基于以下软件版本:
- CISCO1921/K9 - 15.5(3)M4a作为IOS CA服务器
- ASA5506X - 9.7(1)作为VPN头端
- Windows 7作为客户端计算机
- Galaxy J5 - Android 6.0.1作为移动客户端
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
配置
概述
以下步骤配置Windows 7和Android本机VPN客户端以连接到ASA头端:
配置证书颁发机构
CA允许在证书中嵌入所需的扩展密钥使用(EKU)。对于ASA头端,需要证书服务器身份验证EKU,而客户端证书需要客户端身份验证EKU。
可以使用多种CA服务器,例如:
- Cisco IOS CA服务器
- OpenSSL CA服务器
- Microsoft CA服务器
- 3第 交易方CA
此配置示例使用IOS CA服务器。
本节概述使CISCO1921/K9(版本15.5(3)M4a作为CA服务器工作的基本配置。
步骤1.确保设备和版本支持eku命令。
IOS-CA# show run | section crypto pki crypto pki server <CA_Server> issuer-name <cn=calo_root,ou=TAC,o=cisco> grant auto eku server-auth client-auth
步骤2.在路由器上启用HTTP服务器。
IOS-CA(config)#ip http server
步骤3.生成可导出的RSA密钥对。
IOS-CA(config)# crypto key generate rsa modulus 2048 label <HeadEnd> exportable The name for the keys will be: HeadEnd % The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be exportable... [OK] (elapsed time was 5 seconds)
步骤4.配置信任点。
IOS-CA(config)# crypto pki trustpoint <HeadEnd> IOS-CA(ca-trustpoint)#enrollment url http://10.201.180.230:80 IOS-CA(ca-trustpoint)#subject-name <cn=HeadEnd.david.com> IOS-CA(ca-trustpoint)#revocation-check none IOS-CA(ca-trustpoint)#rsakeypair <HeadEnd>
步骤5.验证信任点(获取CA证书)。
IOS-CA(config)#crypto pki authenticate <HeadEnd>
Certificate has the following attributes:
Fingerprint MD5: DA4502F4 CEFB4F08 AAA3179B 70019185
Fingerprint SHA1: A887F6DB 0656C7E2 857749F3 EA3D7176 8920F52F
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
步骤6.注册信任点(获取身份证书)。
IOS-CA(config)#crypto pki enroll <HeadEnd> % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: cisco123 Re-enter password: cisco123 % The subject name in the certificate will include: cn=HeadEnd.david.com % The subject name in the certificate will include: Connected_2_INET-B % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto pki certificate verbose HeadEnd' command will show the fingerprint. *Jul 17 15:21:11.343: CRYPTO_PKI: Certificate Request Fingerprint MD5: 0017C310 9F6084E8 63053228 B449794F *Jul 17 15:21:11.343: CRYPTO_PKI: Certificate Request Fingerprint SHA1: CFE22C7A B2855C4D B4B2412B 57FC7106 1C5E7791 *Jul 17 15:21:15.675: %PKI-6-CERTRET: Certificate received from Certificate Authority
步骤7.检验证书。
IOS-CA#show crypto pki certificates verbose <HeadEnd>
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 05
Certificate Usage: General Purpose
Issuer:
cn=calo_root
Subject:
Name: Connected_2_INET-B
hostname=Connected_2_INET-B
cn=HeadEnd.david.com
Validity Date:
start date: 16:56:14 UTC Jul 16 2017
end date: 16:56:14 UTC Jul 16 2018
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 0017C310 9F6084E8 63053228 B449794F
Fingerprint SHA1: CFE22C7A B2855C4D B4B2412B 57FC7106 1C5E7791
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: E9B3A080 779A76E7 8BE44F38 C3E4DEDF 18E75009
X509v3 Authority Key ID: B5EEEEB9 31B9A06C CBD9893C 0E318810 5CA657E6
Authority Info Access:
Extended Key Usage:
Client Auth
Server Auth
Associated Trustpoints: HeadEnd
Key Label: HeadEnd
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=calo_root
Subject:
cn=calo_root
Validity Date:
start date: 13:24:35 UTC Jul 13 2017
end date: 13:24:35 UTC Jul 12 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: MD5 with RSA Encryption
Fingerprint MD5: DA4502F4 CEFB4F08 AAA3179B 70019185
Fingerprint SHA1: A887F6DB 0656C7E2 857749F3 EA3D7176 8920F52F
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: B5EEEEB9 31B9A06C CBD9893C 0E318810 5CA657E6
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: B5EEEEB9 31B9A06C CBD9893C 0E318810 5CA657E6
Authority Info Access:
Associated Trustpoints: test HeadEnd CA_Server
步骤8.以PKCS12格式将HeadEnd信任点导出到终端以获取身份证书。CA证书和私钥将添加到一个文件中。
IOS-CA(config)#crypto pki export
pkcs12 terminal password
<cisco123>
Exported pkcs12 follows:
MIIL3wIBAzCCC5kGCSqGSIb3DQEHAaCCC4oEgguGMIILgjCCC34GCSqGSIb3DQEH
BqCCC28wggtrAgEAMIILZAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIocGz
Fa6tZyACAQGAggs4qNTJi7l/f0IvQr8n1c/SCeaSYRLBvcY9yPgJ2K2/Nmu9+KNB
3dAoYkCrGwDdfpobJE0XqBpIE1uBOtAeF7zdFJt/Pgpie4fcqpCVIbDXG8Ansmhj
v0j6W9Z/IJHe7JrENatbi4nhTnCDP79Z65QSkzrb9DenkCGjoQsWP9zLHTiCDNzV
ajMlWFuCFb0wSW/6L73BLTjS7rwtE74gYMU5NJwtOVsJM2LdwuQ+iOnpsnp6q9fu
niUFEutPe8imOCRApe0tpPqhDp74hKziKT8JEsQ8HMO/lX1y/LIXdLISnz1nkoN3
vxD4AMGRFYACPH8PiGcVSx+vD+wmNaHp1vAOrq4pS7ZQ37ko4mFudnftdOUzaPIz
EzTrOwlRE6il/gF8vb14EfeR09vumJBsajF12hrFGugIJTZnElp5go+oHEEAo4Y+
Yhoj/MIOyhZzo3/ujhjKqtsAJXybYF9YqVkTee9u4Xjkcsg5AmbaqeUUfd7Q8CC2
bi39S1maoWbTYiNcHFs/bWKWJsgZwPzfWtmPch/8MNvXn46AJAwIwRQjHruuFE9F
bhv7SRhYSRQZPf7j1PTmJuMkKA3AzjdbmmJuLidbX3yKbTt4PxPMusbv+ojc6Nam
RCsRf7+gnNZLWs3eU1n84rryZg5Pjw3MRTu2yXDvr799gvx7NIZH5yUZyVl1T70b
eC4KbflcmpM6mJ2UVnaoP2N5u892m41BWuk9rt5isl2f/Z/ZuSbkFaxzU0456zSg
VbYsR+51XfQEH5xu88E5EUPWZ86YdUSlbD8ky6WOn0M1O4K6rNDLkgwXcxw3CaZ8
zhao+dE3qoEYWaKPgCQzPqW0BW3y7WSIELug2uSEsXQjIQcF+42CX6RA3yCmy2T8
C+osKlSSao0nzjrlpTWnPiFss9KRFgJDZhV2ItisiALNw9PqruddcmYtw44LXvdc
+OfnyRvuLS6LE/AMmGk0GaVetAXPezD+5pVZW13UMT/ZdzUjLiXjV9GzF6V8i8qN
Ua0MbDEa8T5Le4dCigaA+t1QxQOPGb+w0ZAQzWN4gZpSEk3ejRixOt14SU5ivj/O
lGXNn8Fvebk42CHohjXG9fq/IfbsVWSkxn2OZ/fhXkZztv4ic1VgprgJURjCtcBw
9Qp/ONda+9aDHiSBrKeHC/urgX6rgWXv9+hpRKIRfj3b8WE+N1sivuQEjlWxbD7h
9fpwxXb+/i7HisjzSkOWUNw4lyulfYSiOv86FPWK0H9Vjbg0G0di1rvGZ8uJHQCC
77RLFXp4jrvCgeo4oWKQbphgPAng7rT794vMwq0rYOb4D3HlHCUvU3JJmScDJQy2
zQxbG2q8Htm44COOuJEUBzx1ImayH2XvDck6VmLTGn8XH5Vq7LOlCeUcVDM8aQfy
HJSPk/VmfQ0lXwPIaxxYlr+jOpcorFkH+OH04hz07grAsGyLRoFICTEvHAzVnF0X
2A1j/z/BFAPG86ssAtInRZVeYUS72NwPEtpKmlHZnl+2iWno5iwTZgtjv7oREZKE
RE6m7O8RiPSD2RjjamCmmmnH5dK5wxF7YlIeK/+ZVrfwLecEPRl+eVw0isM/JN/a
WmkZkCcVMx/ec1P8jp8LzCx17HgVNYbg9lsiffD4xo0G/k0QLUlpliAt7LA2BeGs
yl55wtYUcOBH0/Es39yWnm2Ea//IK6BLw98PvU90vkXWwiD3ajFmcHmssDeU/tZR
4KKNuNor7Le9ycXZFM9ofKZ6AIJ9A1AYvOyhGO88voq8MMGXEe/q+DIjaVE1htYu
k0ELmYAD/XOkEvp3SqOkLQZiCzZ20iMWUTWXlXfgrfLEH0utwHTyr3J2vQk5CD37
ZAfsF6zxEvtU2t41J0e9OjWJw9WtWnnS0gzLeXWtW3H0YAIw3QodKNzbaY4eLP4y
BEdsLmWbM4eza0m9BoZOmMUSkhvFrEz5Q5X5r9vCuAi1rYDqyIjhgdme56tVV0Vg
ZauhbNX59PQQzwOdIZJVVL5tgjf0h7XCm9OBsqd12lHurCCmHy7kM5pqf0MMlhH7
oM/DhXdTU+1sEabt/9c2qs1ihJLS1Zaw2q1AaS5h00+xL8Lxwh2/1/R7Q8FferhR
QZDpix+CmtakRu7uPOMa0zsyOko3P9mf74AWDrThAwMA6G238TC6XI1vrXhvEX1l
BVplQq0Wh/p7ZorSjD5l+z7TkXmJNp7iIxAqp0yobC6vOBwQP7/QAs88q9JNSAte
ErdCXoizvs8YmZMoEap948oplYFaIP+xCnCr8l3v7znwfZwTMQPoPvqEFqUmWYgt
xkJ0qaE645ihTnLgk4eglsBLslwPR1RJU+t6kGGAUmxqhPFxb3/1xNRPVzOGn12w
S9yw+XLC6kS4PmKoxkxax4nnCx7s3e7B5e0qmYtgRTJ0GuW7Uf+T3royTOuYm0d+
ik6bmxcnO0qdcHtt2HTbI+kYpken3YrFOh9Jnm9ZKT63gQSqQWL800ZVd4dAZceg
FciNKs9r26fyy+L3rGCh+U9TLf6mNuWu8RstjjIGPHEPKZ9gnMgMJmikP2ghgOAd
XVhs6ashXx33bZ9dIuhRx6uTNMrppsXyg6SxUyeGDYhpxsPt7uRwBswOpi6iDMZn
ISSzQjrkxoNwwOfn87O5fTCLhHlTZa8HS5HMK3KE7LiZv9pa1z6KTo4z+LCQSLDy
FoRJhSaEsCYJsLDS5nYBoR8hE/eMvQDX1f+RZBrJDcftxx7FQ+8RtvHSJRcJK9N/
Ph/pL62NBlSbvCfn1AbisKrbbgCVLOSj/doufPvpMT2UDL0TY8UnQiyWMH1MF3tZ
jJy6Si2glLwA9hu/c1NsREbA0gxMTjAREb5BjAUmlc3fuv2DWpwnkwyZNyHdm9B9
TPRoByGPvSZXa8MwY/8DUEwUQEsfDJi5jlAD4I6VFFUB72ZS7wn/mVR02fPkfOMp
3yhnGgX29OaDDiDlKw1Xwj1NybOhpZ6unDo5J3stMxlbv5TYL2Tl6egZS0SjsLmn
cj5zkyUU22/93E5vfKD1CMiXx9/e4j2rRh3QCIXqaCjC9acTJ8a/k9/bp8Nz5Cir
pnaCbuQsvna92nxVUqcmLlSbVIvGqlH9qm4DurhcLh59j20tX6K8AMJ90+azaYbX
AJV/MCElhJg6wcN8QnCHMhiuK9+zpsUK2FQgfbcgaaNe3xGaXuoOIGQmlbAGtEkp
kuauRzQ8/pwszaZuPh/5rE77z8zMut3+OE5CslB9npzNi0b0itaaRl13bBBml1xn
r6SBUw7AWapZwRx6pihvptLJaqU1IzaV5SWk0zTABR7BmR84L0+/8v/bedcPSioG
ecside21F6CcWO5ywABBxDYQXM1P9qkC/2bkPkEJ0jBI5P5L1+Yqb8hTlone/InR
B8ktEd8+QW8o60h0seONXumTqBfAuNBkprOA3ssXLeEGB0IpeC5oGW+VSziyS9id
zYq8WaehpAIf3pqwn8gsi0B/wd57T0KK91+v0Ei4z+yIdu8Kh9GTiqGvgNAeakgr
ECDiXoKAwltYAn7cLKNpZaojSs2Jt+60oBA5crT04Mtgpjb9Pd/DLqWQDJTyoRVv
cJRb68aOyZvVBU0yoLbox84QKLHIsA92pplS7VFrAWP65wrhs4XOf4YSFlM89Sn4
GD/yEsGVJzwGrxgCNnOZkLIKsFbIOjp2lMps5jVKoFfpPJCie3F2FB3ecS+xRpHo
5u2KOTmH0rFQ6Vu+JYCo/qWh0ERtL/8gczP7C9ehiaZfemw2bq9xrUo+6y3H9Q+Z
LADwMlAkI+kzbng3R+fj4AYBvf8GTJdpBs8s/t7mZXHiXCtH6qxTMRWJx5Xuxs9F
I8Ii8TA9MCEwCQYFKw4DAhoFAAQUjO/On/REYODupznP9SwYnFX92BYEFESx1MSa
ho3Cv1cZYM0TzZEzlsKdAgIEAA==
---End - This line not part of the pkcs12---
CRYPTO_PKI: Exported PKCS12 file successfully.
*Jul 17 15:46:49.706: %PKI-6-PKCS12EXPORT_SUCCESS: PKCS #12 Successfully Exported.
步骤9.在ASA上创建空信任点。
ASA(config)# crypto ca trustpoint <HeadEnd> DRIVERAP(config-ca-trustpoint)# exit
步骤 10导入PKCS12文件。
ASA(config)#crypto ca import <HeadEnd> pkcs12 <cisco123> Enter the base 64 encoded pkcs12. End with the word "quit" on a line by itself: MIIL3wIBAzCCC5kGCSqGSIb3DQEHAaCCC4oEgguGMIILgjCCC34GCSqGSIb3DQEH BqCCC28wggtrAgEAMIILZAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIocGz Fa6tZyACAQGAggs4qNTJi7l/f0IvQr8n1c/SCeaSYRLBvcY9yPgJ2K2/Nmu9+KNB 3dAoYkCrGwDdfpobJE0XqBpIE1uBOtAeF7zdFJt/Pgpie4fcqpCVIbDXG8Ansmhj v0j6W9Z/IJHe7JrENatbi4nhTnCDP79Z65QSkzrb9DenkCGjoQsWP9zLHTiCDNzV ajMlWFuCFb0wSW/6L73BLTjS7rwtE74gYMU5NJwtOVsJM2LdwuQ+iOnpsnp6q9fu niUFEutPe8imOCRApe0tpPqhDp74hKziKT8JEsQ8HMO/lX1y/LIXdLISnz1nkoN3 vxD4AMGRFYACPH8PiGcVSx+vD+wmNaHp1vAOrq4pS7ZQ37ko4mFudnftdOUzaPIz EzTrOwlRE6il/gF8vb14EfeR09vumJBsajF12hrFGugIJTZnElp5go+oHEEAo4Y+ Yhoj/MIOyhZzo3/ujhjKqtsAJXybYF9YqVkTee9u4Xjkcsg5AmbaqeUUfd7Q8CC2 bi39S1maoWbTYiNcHFs/bWKWJsgZwPzfWtmPch/8MNvXn46AJAwIwRQjHruuFE9F bhv7SRhYSRQZPf7j1PTmJuMkKA3AzjdbmmJuLidbX3yKbTt4PxPMusbv+ojc6Nam RCsRf7+gnNZLWs3eU1n84rryZg5Pjw3MRTu2yXDvr799gvx7NIZH5yUZyVl1T70b eC4KbflcmpM6mJ2UVnaoP2N5u892m41BWuk9rt5isl2f/Z/ZuSbkFaxzU0456zSg VbYsR+51XfQEH5xu88E5EUPWZ86YdUSlbD8ky6WOn0M1O4K6rNDLkgwXcxw3CaZ8 zhao+dE3qoEYWaKPgCQzPqW0BW3y7WSIELug2uSEsXQjIQcF+42CX6RA3yCmy2T8 C+osKlSSao0nzjrlpTWnPiFss9KRFgJDZhV2ItisiALNw9PqruddcmYtw44LXvdc +OfnyRvuLS6LE/AMmGk0GaVetAXPezD+5pVZW13UMT/ZdzUjLiXjV9GzF6V8i8qN Ua0MbDEa8T5Le4dCigaA+t1QxQOPGb+w0ZAQzWN4gZpSEk3ejRixOt14SU5ivj/O lGXNn8Fvebk42CHohjXG9fq/IfbsVWSkxn2OZ/fhXkZztv4ic1VgprgJURjCtcBw 9Qp/ONda+9aDHiSBrKeHC/urgX6rgWXv9+hpRKIRfj3b8WE+N1sivuQEjlWxbD7h 9fpwxXb+/i7HisjzSkOWUNw4lyulfYSiOv86FPWK0H9Vjbg0G0di1rvGZ8uJHQCC 77RLFXp4jrvCgeo4oWKQbphgPAng7rT794vMwq0rYOb4D3HlHCUvU3JJmScDJQy2 zQxbG2q8Htm44COOuJEUBzx1ImayH2XvDck6VmLTGn8XH5Vq7LOlCeUcVDM8aQfy HJSPk/VmfQ0lXwPIaxxYlr+jOpcorFkH+OH04hz07grAsGyLRoFICTEvHAzVnF0X 2A1j/z/BFAPG86ssAtInRZVeYUS72NwPEtpKmlHZnl+2iWno5iwTZgtjv7oREZKE RE6m7O8RiPSD2RjjamCmmmnH5dK5wxF7YlIeK/+ZVrfwLecEPRl+eVw0isM/JN/a WmkZkCcVMx/ec1P8jp8LzCx17HgVNYbg9lsiffD4xo0G/k0QLUlpliAt7LA2BeGs yl55wtYUcOBH0/Es39yWnm2Ea//IK6BLw98PvU90vkXWwiD3ajFmcHmssDeU/tZR 4KKNuNor7Le9ycXZFM9ofKZ6AIJ9A1AYvOyhGO88voq8MMGXEe/q+DIjaVE1htYu k0ELmYAD/XOkEvp3SqOkLQZiCzZ20iMWUTWXlXfgrfLEH0utwHTyr3J2vQk5CD37 ZAfsF6zxEvtU2t41J0e9OjWJw9WtWnnS0gzLeXWtW3H0YAIw3QodKNzbaY4eLP4y BEdsLmWbM4eza0m9BoZOmMUSkhvFrEz5Q5X5r9vCuAi1rYDqyIjhgdme56tVV0Vg ZauhbNX59PQQzwOdIZJVVL5tgjf0h7XCm9OBsqd12lHurCCmHy7kM5pqf0MMlhH7 oM/DhXdTU+1sEabt/9c2qs1ihJLS1Zaw2q1AaS5h00+xL8Lxwh2/1/R7Q8FferhR QZDpix+CmtakRu7uPOMa0zsyOko3P9mf74AWDrThAwMA6G238TC6XI1vrXhvEX1l BVplQq0Wh/p7ZorSjD5l+z7TkXmJNp7iIxAqp0yobC6vOBwQP7/QAs88q9JNSAte ErdCXoizvs8YmZMoEap948oplYFaIP+xCnCr8l3v7znwfZwTMQPoPvqEFqUmWYgt xkJ0qaE645ihTnLgk4eglsBLslwPR1RJU+t6kGGAUmxqhPFxb3/1xNRPVzOGn12w S9yw+XLC6kS4PmKoxkxax4nnCx7s3e7B5e0qmYtgRTJ0GuW7Uf+T3royTOuYm0d+ ik6bmxcnO0qdcHtt2HTbI+kYpken3YrFOh9Jnm9ZKT63gQSqQWL800ZVd4dAZceg FciNKs9r26fyy+L3rGCh+U9TLf6mNuWu8RstjjIGPHEPKZ9gnMgMJmikP2ghgOAd XVhs6ashXx33bZ9dIuhRx6uTNMrppsXyg6SxUyeGDYhpxsPt7uRwBswOpi6iDMZn ISSzQjrkxoNwwOfn87O5fTCLhHlTZa8HS5HMK3KE7LiZv9pa1z6KTo4z+LCQSLDy FoRJhSaEsCYJsLDS5nYBoR8hE/eMvQDX1f+RZBrJDcftxx7FQ+8RtvHSJRcJK9N/ Ph/pL62NBlSbvCfn1AbisKrbbgCVLOSj/doufPvpMT2UDL0TY8UnQiyWMH1MF3tZ jJy6Si2glLwA9hu/c1NsREbA0gxMTjAREb5BjAUmlc3fuv2DWpwnkwyZNyHdm9B9 TPRoByGPvSZXa8MwY/8DUEwUQEsfDJi5jlAD4I6VFFUB72ZS7wn/mVR02fPkfOMp 3yhnGgX29OaDDiDlKw1Xwj1NybOhpZ6unDo5J3stMxlbv5TYL2Tl6egZS0SjsLmn cj5zkyUU22/93E5vfKD1CMiXx9/e4j2rRh3QCIXqaCjC9acTJ8a/k9/bp8Nz5Cir pnaCbuQsvna92nxVUqcmLlSbVIvGqlH9qm4DurhcLh59j20tX6K8AMJ90+azaYbX AJV/MCElhJg6wcN8QnCHMhiuK9+zpsUK2FQgfbcgaaNe3xGaXuoOIGQmlbAGtEkp kuauRzQ8/pwszaZuPh/5rE77z8zMut3+OE5CslB9npzNi0b0itaaRl13bBBml1xn r6SBUw7AWapZwRx6pihvptLJaqU1IzaV5SWk0zTABR7BmR84L0+/8v/bedcPSioG ecside21F6CcWO5ywABBxDYQXM1P9qkC/2bkPkEJ0jBI5P5L1+Yqb8hTlone/InR B8ktEd8+QW8o60h0seONXumTqBfAuNBkprOA3ssXLeEGB0IpeC5oGW+VSziyS9id zYq8WaehpAIf3pqwn8gsi0B/wd57T0KK91+v0Ei4z+yIdu8Kh9GTiqGvgNAeakgr ECDiXoKAwltYAn7cLKNpZaojSs2Jt+60oBA5crT04Mtgpjb9Pd/DLqWQDJTyoRVv cJRb68aOyZvVBU0yoLbox84QKLHIsA92pplS7VFrAWP65wrhs4XOf4YSFlM89Sn4 GD/yEsGVJzwGrxgCNnOZkLIKsFbIOjp2lMps5jVKoFfpPJCie3F2FB3ecS+xRpHo 5u2KOTmH0rFQ6Vu+JYCo/qWh0ERtL/8gczP7C9ehiaZfemw2bq9xrUo+6y3H9Q+Z LADwMlAkI+kzbng3R+fj4AYBvf8GTJdpBs8s/t7mZXHiXCtH6qxTMRWJx5Xuxs9F I8Ii8TA9MCEwCQYFKw4DAhoFAAQUjO/On/REYODupznP9SwYnFX92BYEFESx1MSa ho3Cv1cZYM0TzZEzlsKdAgIEAA== quit INFO: Import PKCS12 operation completed successfully
步骤11.检验证书信息。
ASA(config)#show crypto ca certificates <HeadEnd>
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Public Key Type: RSA (1024 bits)
Signature Algorithm: MD5 with RSA Encryption
Issuer Name:
cn=calo_root
Subject Name:
cn=calo_root
Validity Date:
start date: 13:24:35 UTC Jul 13 2017
end date: 13:24:35 UTC Jul 12 2020
Storage: config
Associated Trustpoints: test HeadEnd
Certificate
Status: Available
Certificate Serial Number: 05
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=calo_root
Subject Name:
hostname=Connected_2_INET-B
cn=HeadEnd.david.com
Validity Date:
start date: 16:56:14 UTC Jul 16 2017
end date: 16:56:14 UTC Jul 16 2018
Storage: config
Associated Trustpoints: HeadEnd
生成客户端证书
步骤1.生成可导出的RSA密钥对。
IOS-CA(config)# crypto key generate rsa modulus 2048 label <Win7_PC> exportable The name for the keys will be: Win7_PC % The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be exportable... [OK] (elapsed time was 5 seconds
步骤2.配置信任点。
IOS-CA(config)# crypto pki trustpoint <Win7_PC> IOS-CA(ca-trustpoint)#enrollment url http://10.201.180.230:80 IOS-CA(ca-trustpoint)#subject-name <cn=Win7_PC.david.com> IOS-CA(ca-trustpoint)#revocation-check none IOS-CA(ca-trustpoint)#rsakeypair <Win7_PC>
步骤3.对配置的信任点进行身份验证(获取CA证书)。
IOS-CA(config)#crypto pki authenticate <Win7_PC>
Certificate has the following attributes:
Fingerprint MD5: DA4502F4 CEFB4F08 AAA3179B 70019185
Fingerprint SHA1: A887F6DB 0656C7E2 857749F3 EA3D7176 8920F52F
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
步骤4.注册经过身份验证的信任点(获取身份证书)。
IOS-CA(config)#crypto pki enroll <Win7_PC> % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: cisco123 Re-enter password: cisco123 % The subject name in the certificate will include: cn=Win7_PC.david.com % The subject name in the certificate will include: Connected_2_INET-B % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto pki certificate verbose Win7_PC' command will show the fingerprint. *Jul 17 15:21:11.343: CRYPTO_PKI: Certificate Request Fingerprint MD5: 9153E537 11C16FAE B03F7A38 775DBB92 *Jul 17 15:21:11.343: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 3BC4AC98 91067707 BB6BBBFB ABD97796 F7FB3DD1 *Jul 17 15:21:15.675: %PKI-6-CERTRET: Certificate received from Certificate Authority
步骤5.检验证书信息。
IOS-CA#show crypto pki certificates verbose <Win7_PC>
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
cn=calo_root
Subject:
Name: Connected_2_INET-B
hostname=Connected_2_INET-B
cn=Win7_PC.david.com
Validity Date:
start date: 13:29:51 UTC Jul 13 2017
end date: 13:29:51 UTC Jul 13 2018
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 9153E537 11C16FAE B03F7A38 775DBB92
Fingerprint SHA1: 3BC4AC98 91067707 BB6BBBFB ABD97796 F7FB3DD1
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: F37266AE 61F64BD9 3E9FA80C 77455F21 5BEB870D
X509v3 Authority Key ID: B5EEEEB9 31B9A06C CBD9893C 0E318810 5CA657E6
Authority Info Access:
Extended Key Usage:
Client Auth
Server Auth
Associated Trustpoints: Win7_PC
Key Label: Win7_PC
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=calo_root
Subject:
cn=calo_root
Validity Date:
start date: 13:24:35 UTC Jul 13 2017
end date: 13:24:35 UTC Jul 12 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: MD5 with RSA Encryption
Fingerprint MD5: DA4502F4 CEFB4F08 AAA3179B 70019185
Fingerprint SHA1: A887F6DB 0656C7E2 857749F3 EA3D7176 8920F52F
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: B5EEEEB9 31B9A06C CBD9893C 0E318810 5CA657E6
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: B5EEEEB9 31B9A06C CBD9893C 0E318810 5CA657E6
Authority Info Access:
Associated Trustpoints: test HeadEnd Win7_PC CA_Server
在Windows 7客户端计算机上安装身份证书
步骤1.以PKCS12格式(.p12)将命名的Win7_PC信任点导出到FTP/TFTP服务器(安装在Windows 7计算机上),以在单个文件中获取身份证书、CA证书和私钥。
IOS-CA(config)#crypto pki export <Win7_PC> pkcs12 <tftp://10.152.206.175/ Win7_PC.p12> password <cisco123> Address or name of remote host [10.152.206.175]? Destination filename [Win7_PC.p12]? !Writing pkcs12 file to tftp://10.152.206.175/Win7_PC.p12 ! CRYPTO_PKI: Exported PKCS12 file successfully. *Jul 17 16:29:20.310: %PKI-6-PKCS12EXPORT_SUCCESS: PKCS #12 Successfully Exported.
这是导出文件在客户端计算机上的显示方式。
步骤2.按Ctrl + R并键入mmc以打开Microsoft管理控制台(MMC)。
步骤3.选择OK。
步骤4.导航至“文件”>“添加/删除管理单元”。
步骤5.选择“证书”>“添加”>“计算机帐户”。
步骤6.选择“下一步”,
步骤7.完成。
步骤8.选择OK。
步骤9.转到Certificates(Local Computer)>Personal>Certificates,右键单击该文件夹,然后导航到All Tasks>Import:
步骤10.单击“下一步”。指示PKCS12文件的存储路径。
步骤11.再次选择Next,并键入crypto pki export <Win7_PC> pkcs12 <tftp://10.152.206.175/ Win7_PC.p12> password <cisco123>命令中输入的密码
步骤12.选择“下一步”。
步骤13.再选择Next。
步骤14.选择“完成”。
步骤15.选择OK。现在,您将看到安装的证书(CA证书和身份证书)。
步骤16.将CA Certificate从Certificates(Local Computer)>Personal>Certificates拖放到Certificates(Local Computer)> Trusted Root Certification Authority>Certificates。
如何在Android移动设备上安装身份证书
步骤1.以PKCS12(.p12)格式从IOS CA服务器导出客户端证书后,通过电子邮件将文件发送到Android设备。一旦您在其中,轻触文件名称即可开始自动安装。(不下载文件)
步骤2.输入用于导出证书的密码,在本例中,密码为cisco123。
步骤3.选择“确定”并输入证书名称。它可以是任意字,在本例中名称为Android ID Cert。
步骤4.选择OK,并显示消息“Android ID Cert installed”。
步骤5.要安装CA证书,请以base64格式从IOS CA服务器中解压并用.crt扩展名保存。通过电子邮件将文件发送到您的android设备。这次,您需要通过在文件名称旁边的箭头上录音来下载文件。
步骤6.导航至“设置”和“锁定”屏幕和安全性。
步骤7.选择“其他安全设置”。
步骤8.导航至“从设备存储安装”。
步骤9.选择.crt文件,然后轻触“完成”。
步骤10.输入证书名称。它可以是任意字,在本例中,名称为calo_root-1。
步骤10.选择OK,您将看到消息“calo_root-1 installed”。
步骤11.要验证身份证书是否已安装,请导航至设置/锁定屏幕和安全/其他>安全设置/用户证书/系统选项卡。
步骤12.要验证CA证书是否已安装,请导航至Settings/Lock屏幕和安全/其他安全设置/查看安全证书/User选项卡。
使用IKEv2为RA VPN配置ASA头端
步骤1.在ASDM上,导航至Configuration>Remote Access VPN > Network(client)Access> Anyconnect Connection Profiles。选中面向VPN客户端的接口上的IPSec(IKEv2)访问、允许访问框(不必要选择启用客户端服务选项)。
步骤2.选择Device Certificate(设备证书)并从Use the same device certificate for SSL and IPSec IKEv2(对SSL和IPSec IKEv2使用同一设备证书)中删除检查标记。
步骤3.为IPSec连接选择头端证书,并为SSL连接选择 — None —。
此选项将加密ikev2、加密IPSec、加密动态映射和加密映射配置置于适当位置。
这是配置在命令行界面(CLI)上的显示方式。
crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 prf sha lifetime seconds 86400 crypto ikev2 enable outside crypto ikev2 remote-access trustpoint HeadEnd crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto dynamic-map Anyconnect 65535 set ikev2 ipsec-proposal AES256 crypto map outside_map 65535 ipsec-isakmp dynamic Anyconnect crypto map outside_map interface outside
步骤4.导航至Configuration > Remote Access VPN > Network(Client)Access > Group Policies以创建组策略
在CLI上。
group-policy GP_David internal group-policy GP_David attributes vpn-tunnel-protocol ikev2
步骤5.导航至Configuration > Remote Access VPN > Network(Client)Access > Address Pools,然后选择Add以创建IPv4池。
在CLI上。
ip local pool ACPool 192.168.50.1-192.168.50.100 mask 255.255.255.0
步骤6.导航至Configuration > Remote Access VPN > Network(Client)Access > IPSec(IKEv2)Connection Profiles,然后选择Add以创建新隧道组。
在CLI上。
tunnel-group David type remote-access tunnel-group David general-attributes address-pool ACPool default-group-policy GP_David authentication-server-group LOCAL tunnel-group David webvpn-attributes authentication certificate tunnel-group David ipsec-attributes ikev2 remote-authentication certificate ikev2 local-authentication certificate HeadEnd
步骤7.导航至Configuration > Remote Access VPN > Network(Client)Access > Advanced > IPsec > Certificate to Connection Profile maps > Policy,并选中Used the configured rules to math a certificate to a Connection Profile框。
在CLI上。
tunnel-group-map enable rules
步骤8.导航至Configuration > Remote Access VPN > Network(Client)Access > Advanced > IPsec > Certificate to Connection Profile maps > Rules并创建新的证书映射。选择Add并将其关联到隧道组。在本示例中,隧道组命名为David。
在CLI上。
tunnel-group-map CERT_MAP 10 David
步骤9.在“映射标准”部分选择添加并输入这些值。
字段:颁发者
操作员:包含
值:calo_root
在CLI上。
crypto ca certificate map CERT_MAP 10 issuer-name co calo_root
步骤10.在Configuration > Firewall > Objects > Network Objects/Groups> Add下创建一个包含IP池网络的对象,以便添加(网络地址转换)NAT免除规则。
在CLI上。
object network NETWORK_OBJ_192.168.50.0_24 subnet 192.168.50.0 255.255.255.0
步骤11.导航至Configuration > Firewall > NAT Rules,并选择Add为RA VPN流量创建NAT免除规则。
在CLI上。
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
这是本示例使用的完整ASA配置。
interface GigabitEthernet1/1 nameif outside security-level 0 ip address 10.88.243.108 255.255.255.128 object network NETWORK_OBJ_192.168.50.0_24 subnet 192.168.50.0 255.255.255.0 nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 ip local pool ACPool 192.168.50.1-192.168.50.100 mask 255.255.255.0 crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 prf sha lifetime seconds 86400 crypto ikev2 enable outside crypto ikev2 remote-access trustpoint HeadEnd group-policy GP_David internal group-policy GP_David attributes vpn-tunnel-protocol ikev2 tunnel-group David type remote-access tunnel-group David general-attributes address-pool ACPool default-group-policy GP_David authentication-server-group LOCAL tunnel-group David webvpn-attributes authentication certificate tunnel-group David ipsec-attributes ikev2 remote-authentication certificate ikev2 local-authentication certificate HeadEnd tunnel-group-map enable rules crypto ca certificate map CERT_MAP 10 issuer-name co calo_root tunnel-group-map CERT_MAP 10 David crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto dynamic-map Anyconnect 65535 set ikev2 ipsec-proposal AES256 crypto map outside_map 65535 ipsec-isakmp dynamic Anyconnect crypto map outside_map interface outside
配置Windows 7内置客户端
步骤1.导航至“控制面板”>“网络和Internet”>“网络和共享中心”。
步骤2.选择Set up a new connection or network。
步骤3.选择“连接到工作区”和“下一步”。
步骤4.选择“否”,创建新连接,然后选择“下一步”。
步骤5.选择使用我的Internet连接(VPN),并在Internet地址字段中添加HeadEnd证书公用名(CN)字符串。在“目标名称”字段中,键入连接的名称。它可以是任何字符串。请确保选中“立即不连接;只需设置它,以便我稍后连接。
步骤6.选择“下一步”。
步骤7.选择“创建”。
步骤8.选择“关闭”并导航至“控制面板”>“网络和Internet”>“网络连接”。选择创建的网络连接,然后右键点击它。选择属性。
步骤9.在“常规”选项卡中,您可以验证头端的适当主机名是否正确。您的计算机会将此名称解析为用于连接RA VPN用户的ASA IP地址。
步骤10.导航至“安全”选项卡,并选择IKEv2作为VPN的类型。在“身份验证”部分中,选择“使用计算机证书”。
步骤11.选择OK并导航至C:\Windows\System32\drivers\etc。使用文本编辑器打开hosts文件。配置条目,将网络连接中配置的(完全限定域名)FQDN解析为ASA头端的IP地址(在本例中为外部接口)。
步骤12.返回“控制面板”>“网络和Internet”>“网络连接”。选择您创建的网络连接。右键单击它并选择“连接”。
步骤13.网络连接状态从“已断开”(Disconnected)转变为“连接”(Connecting),然后转变为“已连接”(Connected)。最后,显示您为网络连接指定的名称。
此时计算机已连接到VPN头端。
配置Android本地VPN客户端
步骤1.导航至“设置”>“更多连接设置”
步骤2.选择VPN
步骤3.选择Add VPN。如果连接已如本示例中所示创建,请轻触引擎图标进行编辑。在“类型”字段中指定IPSec IKEv2 RSA。服务器地址是启用IKEv2的ASA接口IP地址。对于IPSec用户证书和IPSec CA证书,请通过轻触下拉菜单选择安装的证书。将IPSec服务器证书保留为默认选项“从服务器接收”。
步骤4.选择Save,然后轻触新VPN连接的名称。
步骤5.选择Connect。
步骤6.再键入一次VPN连接以验证状态。它现在显示为“已连接”。
验证
ASA头端上的验证命令:
ASA#show vpn-sessiondb detail ra-ikev2-ipsec
Session Type: Generic Remote-Access IKEv2 IPsec Detailed
Username : Win7_PC.david.com Index : 24
Assigned IP : 192.168.50.1 Public IP : 10.152.206.175
Protocol : IKEv2 IPsec
License : AnyConnect Premium
Encryption : IKEv2: (1)AES256 IPsec: (1)AES256
Hashing : IKEv2: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 0 Bytes Rx : 16770
Pkts Tx : 0 Pkts Rx : 241
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GP_David Tunnel Group : David
Login Time : 08:00:01 UTC Tue Jul 18 2017
Duration : 0h:00m:21s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a0a0a0100018000596dc001
Security Grp : none
IKEv2 Tunnels: 1
IPsec Tunnels: 1
IKEv2:
Tunnel ID : 24.1
UDP Src Port : 4500 UDP Dst Port : 4500
Rem Auth Mode: rsaCertificate
Loc Auth Mode: rsaCertificate
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 86379 Seconds
PRF : SHA1 D/H Group : 2
Filter Name :
IPsec:
Tunnel ID : 24.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 192.168.50.1/255.255.255.255/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28778 Seconds
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Conn Time Out: 518729 Minutes Conn TO Left : 518728 Minutes
Bytes Tx : 0 Bytes Rx : 16947
Pkts Tx : 0 Pkts Rx : 244
ASA# show crypto ikev2 sa
IKEv2 SAs:
Session-id:24, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
2119549341 10.88.243.108/4500 10.152.206.175/4500 READY RESPONDER Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/28 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 192.168.50.1/0 - 192.168.50.1/65535
ESP spi in/out: 0xbfff64d7/0x76131476
ASA# show crypto ipsec sa
interface: outside
Crypto map tag: Anyconnect, seq num: 65535, local addr: 10.88.243.108
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.1/255.255.255.255/0/0)
current_peer: 10.152.206.175, username: Win7_PC.david.com
dynamic allocated peer ip: 192.168.50.1
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 339, #pkts decrypt: 339, #pkts verify: 339
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.88.243.108/4500, remote crypto endpt.: 10.152.206.175/4500
path mtu 1496, ipsec overhead 58(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 76131476
current inbound spi : BFFF64D7
inbound esp sas:
spi: 0xBFFF64D7 (3221185751)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv2, }
slot: 0, conn_id: 98304, crypto-map: Anyconnect
sa timing: remaining key lifetime (sec): 28767
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x76131476 (1980961910)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv2, }
slot: 0, conn_id: 98304, crypto-map: Anyconnect
sa timing: remaining key lifetime (sec): 28767
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA#show vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
Status : Capacity : Installed : Limit
-----------------------------------------
AnyConnect Premium : ENABLED : 50 : 50 : NONE
AnyConnect Essentials : DISABLED : 50 : 0 : NONE
Other VPN (Available by Default) : ENABLED : 10 : 10 : NONE
Shared License Server : DISABLED
Shared License Participant : DISABLED
AnyConnect for Mobile : ENABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment : ENABLED(Requires Premium)
AnyConnect for Cisco VPN Phone : ENABLED
VPN-3DES-AES : ENABLED
VPN-DES : ENABLED
---------------------------------------------------------------------------
---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
Local : Shared : All : Peak : Eff. :
In Use : In Use : In Use : In Use : Limit : Usage
----------------------------------------------------
AnyConnect Premium : 1 : 0 : 1 : 1 : 50 : 2%
AnyConnect Client : : 0 : 1 : 0%
AnyConnect Mobile : : 0 : 0 : 0%
Clientless VPN : : 0 : 0 : 0%
Generic IKEv2 Client : : 1 : 1 : 2%
Other VPN : : 0 : 0 : 10 : 0%
Cisco VPN Client : : 0 : 0 : 0%
L2TP Clients
Site-to-Site VPN : : 0 : 0 : 0%
---------------------------------------------------------------------------
ASA# show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 0 : 11 : 1 : 0
SSL/TLS/DTLS : 0 : 1 : 1 : 0
IKEv2 IPsec : 0 : 10 : 1 : 0
Generic IKEv2 Remote Access : 1 : 14 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 25
Device Total VPN Capacity : 50
Device Load : 2%
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
IKEv2 : 1 : 25 : 1
IPsec : 1 : 14 : 1
IPsecOverNatT : 0 : 11 : 1
AnyConnect-Parent : 0 : 11 : 1
SSL-Tunnel : 0 : 1 : 1
DTLS-Tunnel : 0 : 1 : 1
---------------------------------------------------------------------------
Totals : 2 : 63
故障排除
本节提供可用于排除配置故障的信息。
- 调试crypto ikev2协议15
- 调试crypto ikev2平台15
- Debug crypto ca 255
反馈