Site-to-Site VPN Configuration Example (RSA-ENCR)
 
 
1. Router configuration
 
R1#show running-config
Building configuration...
 
Current configuration : 1554 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip domain name xuanbo.com
!        
!
!
!
crypto key pubkey-chain rsa
 addressed-key 99.1.1.2
  address 99.1.1.2
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D0190A 044B49FA
   88A7E324 E048B769 DC1412DF FBD0BA62 3A47A91C 1B7AE863 D506D9C4 3766AD07
   6D1A1C15 4C7A2E03 B61B8737 42EFE7CE 3E675599 68698BC6 F1020301 0001
  quit
 !
 !
 !
 !
 !
crypto isakmp policy 110
 encr 3des
 authentication rsa-encr
 group 5
!
!
crypto ipsec transform-set vpn esp-des esp-md5-hmac
!
crypto map rsavpn 10 ipsec-isakmp
 set peer 99.1.1.2
 set transform-set vpn
 match address 110
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 99.1.1.1 255.255.255.252
 duplex half
 crypto map rsavpn
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 99.1.1.2
!
no ip http server
no ip http secure-server
!
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end
 
R2#show running-config
Building configuration...
 
Current configuration : 1554 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip domain name xuanbo.com
!        
!
!
crypto key pubkey-chain rsa
 addressed-key 99.1.1.1
  address 99.1.1.1
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E44D7B B694AE99
   AF1863B5 E4144B75 05A5DD1B 2CFD95FA 82787618 372BBD92 7D185C00 BA020E56
   DD33BEE9 7875B122 F084C84C 0D28D0DF 55CD0BAD C4948B61 CF020301 0001
  quit
 !
 !
!
crypto isakmp policy 110
 encr 3des
 authentication rsa-encr
 group 5
!
!
crypto ipsec transform-set vpn esp-des esp-md5-hmac
!
crypto map rsavpn 10 ipsec-isakmp
 set peer 99.1.1.1
 set transform-set vpn
 match address 110
!
!
!
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 99.1.1.2 255.255.255.252
 duplex half
 crypto map rsavpn
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
ip classless
ip route 0.0.0.0 0.0.0.0 99.1.1.1
!
no ip http server
no ip http secure-server
!
!
access-list 110 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end
 
 
2. Verifying the configuration
 
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
 
R1#debug crypto ipsec
Crypto IPSEC debugging is on
 
R1#ping 172.16.2.1 source 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
 
*Dec 11 22:25:58.363: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.1, remote= 99.1.1.2,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xCF6D5959(3480050009), conn_id= 0, keysize= 0, flags= 0x400A
*Dec 11 22:25:58.371: ISAKMP: received ke message (1/1)
*Dec 11 22:25:58.371: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Dec 11 22:25:58.375: ISAKMP: Created a peer struct for 99.1.1.2, peer port 500
*Dec 11 22:25:58.375: ISAKMP: New peer created peer = 0x657A94B0 peer_handle = 0x80000002
*Dec 11 22:25:58.375: ISAKMP: Locking peer struct 0x657A94B0, IKE refcount 1 for isakmp_initiator
*Dec 11 22:25:58.379: ISAKMP: local port 500, remote port 500
*Dec 11 22:25:58.379: ISAKMP: set new node 0 to QM_IDLE     
*Dec 11 22:25:58.379: insert sa successfully sa = 66228134
*Dec 11 22:25:58.379: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Dec 11 22:25:58.383: ISAKMP:(0:0:N/A:0):Looking for a matching key for 99.1.1.2 in default
*Dec 11 22:25:58.383: ISAKMP:(0:0:N/A:0):No pre-shared key with 99.1.1.2!
*Dec 11 22:25:58.387: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Dec 11 22:25:58.387: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Dec 11 22:25:58.387: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Dec 11 22:25:58.391: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec 11 22:25:58.391: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
 
*Dec 11 22:25:58.391: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Dec 11 22:25:58.395: ISAKMP:(0:0:N/A:0): sending packet to 99.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 11 22:25:58.655: ISAKMP (0:0): received packet from 99.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Dec 11 22:25:58.667: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 11 22:25:58.667: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
 
*Dec 11 22:25:58.671: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Dec 11 22:25:58.675: ISAKMP:(0:0:N/A:0): processing .!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/76/216 ms
R1#vendor id payload
*Dec 11 22:25:58.675: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Dec 11 22:25:58.675: ISAKMP (0:0): vendor ID is NAT-T v7
*Dec 11 22:25:58.679: ISAKMP : Scanning profiles for xauth ...
*Dec 11 22:25:58.679: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 110 policy
*Dec 11 22:25:58.679: ISAKMP:      encryption 3DES-CBC
*Dec 11 22:25:58.679: ISAKMP:      hash SHA
*Dec 11 22:25:58.679: ISAKMP:      default group 5
*Dec 11 22:25:58.679: ISAKMP:      auth RSA encr
*Dec 11 22:25:58.683: ISAKMP:      life type in seconds
*Dec 11 22:25:58.683: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Dec 11 22:25:58.687: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Dec 11 22:25:58.823: ISAKMP:(0:1:SW:1): processing vendor id payload
*Dec 11 22:25:58.823: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Dec 11 22:25:58.827: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Dec 11 22:25:58.827: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 11 22:25:58.831: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
 
*Dec 11 22:25:58.895: ISAKMP:(0:1:SW:1):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*Dec 11 22:25:58.895: ISAKMP:(0:1:SW:1):SA is doing RSA encryption authentication using id type ID_IPV4_ADDR
*Dec 11 22:25:58.899: ISAKMP (0:134217729): ID payload
        next-payload : 10
        type         : 1
        address      : 99.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
*Dec 11 22:25:58.919: ISAKMP:(0:1:SW:1):length after encryption 64
*Dec 11 22:25:58.919: ISAKMP:(0:1:SW:1):Total payload length: 68
*Dec 11 22:25:58.927: ISAKMP:(0:1:SW:1): sending packet to 99.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Dec 11 22:25:58.931: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 11 22:25:58.931: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
 
*Dec 11 22:25:59.315: ISAKMP (0:134217729): received packet from 99.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Dec 11 22:25:59.315: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 11 22:25:59.319: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
 
*Dec 11 22:25:59.323: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Dec 11 22:25:59.479: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Dec 11 22:25:59.619: ISAKMP (0:134217729): ID payload
        next-payload : 10
        type         : 1
        address      : 99.1.1.2
        protocol     : 17
        port         : 500
        length       : 68
*Dec 11 22:25:59.623: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Dec 11 22:25:59.623: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Dec 11 22:25:59.687: ISAKMP:(0:1:SW:1):SKEYID state generated
*Dec 11 22:25:59.687: ISAKMP:(0:1:SW:1): processing vendor id payload
*Dec 11 22:25:59.691: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Dec 11 22:25:59.691: ISAKMP:(0:1:SW:1): processing vendor id payload
*Dec 11 22:25:59.691: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Dec 11 22:25:59.691: ISAKMP:(0:1:SW:1): processing vendor id payload
*Dec 11 22:25:59.691: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Dec 11 22:25:59.695: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 11 22:25:59.695: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
 
*Dec 11 22:25:59.699: ISAKMP:(0:1:SW:1):Send initial contact
*Dec 11 22:25:59.703: ISAKMP:(0:1:SW:1): sending packet to 99.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Dec 11 22:25:59.707: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 11 22:25:59.707: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
 
*Dec 11 22:25:59.875: ISAKMP (0:134217729): received packet from 99.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Dec 11 22:25:59.879: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Dec 11 22:25:59.879: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
*Dec 11 22:25:59.883: ISAKMP:(0:1:SW:1):SA has been authenticated with 99.1.1.2
*Dec 11 22:25:59.883: ISAKMP: Trying to insert a peer 99.1.1.1/99.1.1.2/500/,  and inserted successfully 657A94B0.
*Dec 11 22:25:59.883: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 11 22:25:59.887: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
 
*Dec 11 22:25:59.891: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Dec 11 22:25:59.891: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6
 
*Dec 11 22:25:59.939: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Dec 11 22:25:59.939: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
 
*Dec 11 22:25:59.943: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -2007771356
*Dec 11 22:25:59.955: ISAKMP:(0:1:SW:1): sending packet to 99.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Dec 11 22:25:59.955: ISAKMP:(0:1:SW:1):Node -2007771356, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Dec 11 22:25:59.959: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Dec 11 22:25:59.959: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Dec 11 22:25:59.959: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
 
*Dec 11 22:26:00.211: ISAKMP (0:134217729): received packet from 99.1.1.2 dport 500 sport 500 Global (I) QM_IDLE     
*Dec 11 22:26:00.215: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -2007771356
*Dec 11 22:26:00.215: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -2007771356
*Dec 11 22:26:00.219: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Dec 11 22:26:00.219: ISAKMP: transform 1, ESP_DES
*Dec 11 22:26:00.219: ISAKMP:   attributes in transform:
*Dec 11 22:26:00.219: ISAKMP:      encaps is 1 (Tunnel)
*Dec 11 22:26:00.219: ISAKMP:      SA life type in seconds
*Dec 11 22:26:00.223: ISAKMP:      SA life duration (basic) of 3600
*Dec 11 22:26:00.223: ISAKMP:      SA life type in kilobytes
*Dec 11 22:26:00.223: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Dec 11 22:26:00.223: ISAKMP:      authenticator is HMAC-MD5
*Dec 11 22:26:00.227: ISAKMP:(0:1:SW:1):atts are acceptable.
*Dec 11 22:26:00.231: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 99.1.1.1, remote= 99.1.1.2,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 22:26:00.235: Crypto mapdb : proxy_match
        src addr     : 172.16.1.0
        dst addr     : 172.16.2.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 11 22:26:00.239: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = -2007771356
*Dec 11 22:26:00.243: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -2007771356
*Dec 11 22:26:00.243: ISAKMP:(0:1:SW:1): processing ID payload. message ID = -2007771356
*Dec 11 22:26:00.251: ISAKMP: Locking peer struct 0x657A94B0, IPSEC refcount 1 for for stuff_ke
*Dec 11 22:26:00.255: ISAKMP:(0:1:SW:1): Creating IPSec SAs
*Dec 11 22:26:00.255:         inbound SA from 99.1.1.2 to 99.1.1.1 (f/i)  0/ 0
        (proxy 172.16.2.0 to 172.16.1.0)
*Dec 11 22:26:00.259:         has spi 0xCF6D5959 and conn_id 0 and flags 2
*Dec 11 22:26:00.259:         lifetime of 3600 seconds
*Dec 11 22:26:00.263:         lifetime of 4608000 kilobytes
*Dec 11 22:26:00.263:         has client flags 0x0
*Dec 11 22:26:00.263:         outbound SA from 99.1.1.1 to 99.1.1.2 (f/i) 0/0
        (proxy 172.16.1.0 to 172.16.2.0)
*Dec 11 22:26:00.263:         has spi 941550661 and conn_id 0 and flags A
*Dec 11 22:26:00.267:         lifetime of 3600 seconds
*Dec 11 22:26:00.267:         lifetime of 4608000 kilobytes
*Dec 11 22:26:00.267:         has client flags 0x0
*Dec 11 22:26:00.271: ISAKMP:(0:1:SW:1): sending packet to 99.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE     
*Dec 11 22:26:00.275: ISAKMP:(0:1:SW:1):deleting node -2007771356 error FALSE reason "No Error"
*Dec 11 22:26:00.279: ISAKMP:(0:1:SW:1):Node -2007771356, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Dec 11 22:26:00.279: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Dec 11 22:26:00.283: IPSEC(key_engine): got a queue event with 2 kei messages
*Dec 11 22:26:00.287: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 99.1.1.1, remote= 99.1.1.2,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xCF6D5959(3480050009), conn_id= 0, keysize= 0, flags= 0x2
*Dec 11 22:26:00.291: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 99.1.1.1, remote= 99.1.1.2,
    local_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x381EEC45(941550661), conn_id= 0, keysize= 0, flags= 0xA
*Dec 11 22:26:00.295: Crypto mapdb : proxy_match
        src addr     : 172.16.1.0
        dst addr     : 172.16.2.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 11 22:26:00.295: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 99.1.1.2
*Dec 11 22:26:00.299: IPSec: Flow_switching Allocated flow for sibling 80000002
*Dec 11 22:26:00.299: IPSEC(policy_db_add_ident): src 172.16.1.0, dest 172.16.2.0, dest_port 0
 
*Dec 11 22:26:00.299: ISAKMP: Locking peer struct 0x657A94B0, IPSEC refcount 2 for from create_transforms
*Dec 11 22:26:00.303: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.1, sa_proto= 50,
    sa_spi= 0xCF6D5959(3480050009),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001
*Dec 11 22:26:00.303: IPSEC(create_sa): sa created,
  (sa) sa_dest= 99.1.1.2, sa_proto= 50,
    sa_spi= 0x381EEC45(941550661),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002
*Dec 11 22:26:00.307: ISAKMP: Unlocking IPSEC struct 0x657A94B0 from create_transforms, count 1
 
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
99.1.1.2        99.1.1.1        QM_IDLE              1    0 ACTIVE
 
R1#show crypto ipsec sa
 
interface: FastEthernet0/0
    Crypto map tag: rsavpn, local addr 99.1.1.1
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer 99.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
 
     local crypto endpt.: 99.1.1.1, remote crypto endpt.: 99.1.1.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x381EEC45(941550661)
 
     inbound esp sas:
      spi: 0xCF6D5959(3480050009)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: rsavpn
        sa timing: remaining key lifetime (k/sec): (4516625/3551)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x381EEC45(941550661)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: rsavpn
        sa timing: remaining key lifetime (k/sec): (4516625/3550)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     outbound ah sas:
 
     outbound pcp sas:
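The following is an added troubleshooting aid, not part of the original post: it walks the `debug crypto isakmp` output shown above, records the Main Mode and Quick Mode state transitions, and confirms that the peer was authenticated with the RSA encrypted-nonce method; on a log that stops short it reports the last state reached, which is where to start looking. The log lines are copied from the page; the stalled case is constructed.

```python
import re

# Lines reproduced from the page's "debug crypto isakmp" output (others omitted).
DEBUG_LINES = """\
*Dec 11 22:25:58.391: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Dec 11 22:25:58.667: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Dec 11 22:25:58.679: ISAKMP:      auth RSA encr
*Dec 11 22:25:58.831: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
*Dec 11 22:25:58.931: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Dec 11 22:25:59.319: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Dec 11 22:25:59.707: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Dec 11 22:25:59.883: ISAKMP:(0:1:SW:1):SA has been authenticated with 99.1.1.2
*Dec 11 22:25:59.887: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
*Dec 11 22:25:59.939: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Dec 11 22:26:00.279: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""
# Constructed negative case: the same exchange cut off after MM5, i.e. before
# the peer has been authenticated (not output from the page).
STALLED_LINES = "\n".join(DEBUG_LINES.splitlines()[:7])

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)")
METHOD_RE = re.compile(r"ISAKMP:\s+auth (.+)$")

def summarize_isakmp(log):
    """Walk debug output and report how far the IKE exchange progressed."""
    summary = {"transitions": [], "auth_method": None, "authenticated_peer": None}
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m and m.group(1) != m.group(2):  # ignore self-transitions (MM2 -> MM2)
            summary["transitions"].append((m.group(1), m.group(2)))
        m = METHOD_RE.search(line)
        if m:
            summary["auth_method"] = m.group(1).strip()
        m = AUTH_RE.search(line)
        if m:
            summary["authenticated_peer"] = m.group(1)
    reached = {new for _, new in summary["transitions"]}
    summary["phase1_complete"] = "IKE_P1_COMPLETE" in reached
    summary["phase2_complete"] = "IKE_QM_PHASE2_COMPLETE" in reached
    summary["last_state"] = summary["transitions"][-1][1] if summary["transitions"] else None
    return summary
```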
 
Note: key generation
 
1. Generate the RSA key pair manually
R2(config)#crypto key generate rsa
The name for the keys will be: R2.xuanbo.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
 
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
 
2. View the manually generated RSA key pair
R2#sh crypto key mypubkey rsa
% Key pair was generated at: 22:16:13 UTC Dec 11 2008
Key name: R2.xuanbo.com
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D0190A 044B49FA
  88A7E324 E048B769 DC1412DF FBD0BA62 3A47A91C 1B7AE863 D506D9C4 3766AD07
  6D1A1C15 4C7A2E03 B61B8737 42EFE7CE 3E675599 68698BC6 F1020301 0001
% Key pair was generated at: 22:16:14 UTC Dec 11 2008
Key name: R2.xuanbo.com.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BC4A7B 0CF5F420
  94C61B3A 1E85B80D 6050859B FC855CBA EFB8F95D E898EFE2 AE6A0FC9 1CA0BC77
  AF2FA6A3 8B3B3E7B 83A6F619 1B0594CF BA945806 FB9AAE25 EA37465F C9EE6CA8
  500E4C5C 420D63EE A322FD20 39815618 17C75EF7 86A5C834 DD020301 0001
 
3. Configure R1's public key on R2
R2(config)#crypto key pubkey-chain rsa
R2(config-pubkey-chain)#addressed-key 99.1.1.1
R2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
 
R2(config-pubkey)#$6F70D 01010105 00034B00 30480241 00E44D7B B694AE99       
R2(config-pubkey)#$5DD1B 2CFD95FA 82787618 372BBD92 7D185C00 BA020E56       
R2(config-pubkey)#$75B122 F084C84C 0D28D0DF 55CD0BAD C4948B61 CF020301 0001 
 
4. View the public key
R2#sh crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate
 
Code Usage         IP-Address/VRF         Keyring          Name
M    General         99.1.1.1             default         
 
R2#sh crypto key pubkey-chain rsa address 99.1.1.1
Key address:         99.1.1.1            
 Usage: General Purpose Key
 Source: Manually entered
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E44D7B B694AE99
  AF1863B5 E4144B75 05A5DD1B 2CFD95FA 82787618 372BBD92 7D185C00 BA020E56
  DD33BEE9 7875B122 F084C84C 0D28D0DF 55CD0BAD C4948B61 CF020301 0001
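As an added check (not part of the original post), the following Python parses the DER-encoded key-string from the `crypto key pubkey-chain rsa` blocks in section 1 and compares it with the peer's `show crypto key mypubkey rsa` output from step 2 above, so the manually copied key can be verified before the tunnel is trusted; it also reports the modulus size, which for the page's 512-bit keys falls below the assumed 2048-bit floor. The hex values are the ones printed on the page; the DER walker is a minimal one written for this example.

```python
import hashlib
import re

# R2's own key from "show crypto key mypubkey rsa" (Key name: R2.xuanbo.com), as printed on the page:
R2_MYPUBKEY = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D0190A 044B49FA
88A7E324 E048B769 DC1412DF FBD0BA62 3A47A91C 1B7AE863 D506D9C4 3766AD07
6D1A1C15 4C7A2E03 B61B8737 42EFE7CE 3E675599 68698BC6 F1020301 0001
"""
# The key-string R1's config holds for address 99.1.1.2 (should be R2's key):
R1_CHAIN_FOR_R2 = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D0190A 044B49FA
88A7E324 E048B769 DC1412DF FBD0BA62 3A47A91C 1B7AE863 D506D9C4 3766AD07
6D1A1C15 4C7A2E03 B61B8737 42EFE7CE 3E675599 68698BC6 F1020301 0001
"""
# The key-string R2's config holds for address 99.1.1.1 (R1's key):
R2_CHAIN_FOR_R1 = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E44D7B B694AE99
AF1863B5 E4144B75 05A5DD1B 2CFD95FA 82787618 372BBD92 7D185C00 BA020E56
DD33BEE9 7875B122 F084C84C 0D28D0DF 55CD0BAD C4948B61 CF020301 0001
"""
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def hex_to_der(text):
    """Strip the spaces/newlines of the IOS hex dump and decode it."""
    return bytes.fromhex(re.sub(r"\s+", "", text))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_spki(der):
    """Parse a SubjectPublicKeyInfo: modulus size, exponent, SHA-256 fingerprint."""
    tag, spki, _ = read_tlv(der, 0)
    tag2, algid, pos = read_tlv(spki, 0)
    oid_tag, oid, _ = read_tlv(algid, 0)
    if (tag, tag2, oid_tag) != (0x30, 0x30, 0x06) or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    bit_tag, bitstr, _ = read_tlv(spki, pos)
    _, rsapub, _ = read_tlv(bitstr, 1)  # skip unused-bits byte; RSAPublicKey SEQUENCE {n, e}
    n_tag, n_bytes, pos = read_tlv(rsapub, 0)
    e_tag, e_bytes, _ = read_tlv(rsapub, pos)
    if (bit_tag, bitstr[0], n_tag, e_tag) != (0x03, 0, 0x02, 0x02):
        raise ValueError("malformed RSA public key")
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {"bits": n.bit_length(), "e": e, "sha256": hashlib.sha256(der).hexdigest()}

def check_peer_key(configured_hex, peer_own_hex, min_bits=2048):
    """Compare a pubkey-chain key-string with the peer's own mypubkey output.
    min_bits=2048 is an assumed policy floor, not a value from the page."""
    info = parse_rsa_spki(hex_to_der(configured_hex))
    own_fp = hashlib.sha256(hex_to_der(peer_own_hex)).hexdigest()
    info["matches_peer"] = info["sha256"] == own_fp
    info["strong_enough"] = info["bits"] >= min_bits
    return info
```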