安全 : Cisco FlexVPN

从机器人strongSwan的IKEv2到与EAP和RSA验证的Cisco IOS

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 23 日) | 反馈

简介

本文描述如何配置移动版本strongSwan为了通过互联网密钥交换版本2 (IKEv2)协议访问Cisco IOS软件VPN网关。

提交三示例:

  • 有连接到有可扩展的认证协议的Cisco IOS软件VPN网关-消息摘要5的strongSwan的机器人电话(EAP-MD5)验证。
  • 有连接到有证书验证的strongSwan的机器人电话(RSA) Cisco IOS软件VPN网关
  • 有连接到在网络地址转换(NAT)后的Cisco IOS软件VPN网关的strongSwan的机器人电话。有需求有两x509在VPN网关证书的扩展附属的替代方案名称。

Cisco IOS软件和strongSwan限制也包括。

贡献用米哈拉Garcarz和Salah Gherdaoui, Cisco TAC工程师。

先决条件

要求

Cisco 建议您了解以下主题:

  • Openssl配置基础知识
  • Cisco IOS软件命令行界面(CLI)配置基础知识
  • IKEv2基础知识

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • 机器人4.0或以上与strongSwan
  • Cisco IOS软件版本15.3T或以上
  • 思科身份服务引擎(ISE)软件,版本1.1.4和以上

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

配置

注意

使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

命令输出解释程序工具仅限注册用户)支持某些 show 命令。请使用Output Interpreter Tool为了查看show命令输出分析。

使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

网络图

116837-config-strongswan-ios-01.jpg

机器人strongSwan设立一个IKEv2通道以Cisco IOS软件网关为了安全地访问内部网络。

证书登记

证书是一个前提对于基于EAP的和基于RSA的验证。

在EAP验证方案中,证书在VPN网关仅必要。客户端连接对Cisco IOS软件,只有当软件提交在机器人委托Certificate Authority (CA)时签字的一证书。EAP会话然后开始为了客户端能验证到Cisco IOS软件。

对于基于RSA的验证,两个终端必须有一正确证书。

当IP地址使用作为a peer-id时,有证书的另外的需求。如果VPN网关的IP地址在x509分机主题替代方案名称,包括机器人strongSwan验证。否则,机器人切连接;这是良好的做法以及RFC 6125的建议。

因为Cisco IOS软件有一个限制, Openssl使用作为CA :它不能生成与包括IP地址的分机的证书。所有证书由Openssl生成并且导入对机器人和Cisco IOS软件。

在Cisco IOS软件里,主题alt NAME命令可以用于为了创建包括IP地址的分机,但是命令仅运作与自签名证书。Cisco Bug ID CSCui44783, “IOS ENH PKI能力生成与主题alt NAME分机的CSR”,是增强请求允许Cisco IOS软件生成登记的所有类型的分机。

这是生成CA:命令的示例

#generate key
openssl genrsa -des3 -out ca.key 2048

#generate CSR
openssl req -new -key ca.key -out ca.csr

#remove protection
cp ca.key ca.key.org
openssl rsa -in ca.key.org -out ca.key

#self sign certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
-extensions v3_req -extfile conf_global.crt

conf_global.crt是配置文件。应该设置CA分机为特鲁:

[ req ]
default_bits              = 1024             # Size of keys
default_md                = md5                      # message digest algorithm
string_mask               = nombstr          # permitted characters
#string_mask              = pkix     # permitted characters
distinguished_name        = req_distinguished_name
req_extensions            = v3_req
 
[ v3_req ]
basicConstraints          = CA:TRUE
subjectKeyIdentifier      = hash

生成证书的命令为Cisco IOS软件和机器人是非常类似的。此示例假设,已经有用于的CA签署证书:

#generate key
openssl genrsa -des3 -out server.key 2048

#generate CSR
openssl req -new -key server.key -out server.csr

#remove protection
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

#sign the cert and add Alternate Subject Name extension from
conf_global_cert.crt file with configuration
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial
-out server.crt -days 365 -extensions v3_req -extfile conf_global_cert.crt

#create pfx file containig CA cert and server cert
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
-certfile ca.crt

conf_global_cert.crt是配置文件。备选主题名称分机是关键设置。在本例中, CA分机设置对错误:

[ req ]
default_bits              = 1024             # Size of keys
default_md                = md5                      # message digest algorithm
string_mask               = nombstr          # permitted characters
#string_mask              = pkix     # permitted characters
distinguished_name        = req_distinguished_name
req_extensions            = v3_req
 
[ v3_req ]
basicConstraints          = CA:FALSE
subjectKeyIdentifier      = hash
subjectAltName            = @alt_names

[alt_names]
IP.1                      = 10.48.64.15

应该为Cisco IOS软件和机器人生成证书。

IP地址10.48.64.15属于Cisco IOS软件网关。当您生成Cisco IOS软件的时一证书,请确保subjectAltName设置为10.48.64.15。机器人验证从Cisco IOS软件接收的证书并且设法查找其在subjectAltName的IP地址。

Cisco IOS 软件

Cisco IOS软件需要有为基于RSA的和基于EAP的验证安装的一正确证书。

是pkcs12容器)的pfx文件(Cisco IOS软件的可以导入:

BSAN-2900-1(config)# crypto pki import TP pkcs12 
http://10.10.10.1/server.pfx password 123456

% Importing pkcs12...
Source filename [server.pfx]?
CRYPTO_PKI: Imported PKCS12 file successfully.

请使用verbose命令显示crypto pki的证书为了验证导入成功:

BSAN-2900-1# show crypto pki certificates verbose 
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 00A003C5DCDEFA146C
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco
    ou=Cisco TAC
    o=Cisco
    l=Krakow
    st=Malopolskie
    c=PL
  Subject:
    Name: IOS
    IP Address: 10.48.64.15
    cn=IOS
    ou=TAC
    o=Cisco
    l=Krakow
    st=Malopolska
    c=PL
  Validity Date:
    start date: 18:04:09 UTC Aug 1 2013
    end   date: 18:04:09 UTC Aug 1 2014
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 2C45BF10 0BACB98D 444F5804 1DC27ECF
  Fingerprint SHA1: 26B66A66 DF5E7D6F 498DD653 A2C164D7 4C7A7F8F
  X509v3 extensions:
    X509v3 Subject Key ID: AD598A9B 8AB6893B AB3CB8B9 28B2039C 78441E72
    X509v3 Basic Constraints:
        CA: FALSE
    X509v3 Subject Alternative Name:
         
        10.48.64.15
    Authority Info Access:
  Associated Trustpoints: TP
  Storage: nvram:Cisco#146C.cer
  Key Label: TP
  Key storage device: private config

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 00DC8EAD98723DF56A
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco
    ou=Cisco TAC
    o=Cisco
    l=Krakow
    st=Malopolskie
    c=PL
  Subject:
    cn=Cisco
    ou=Cisco TAC
    o=Cisco
    l=Krakow
    st=Malopolskie
    c=PL
  Validity Date:
    start date: 16:39:55 UTC Jul 23 2013
    end   date: 16:39:55 UTC Jul 23 2014
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 0A2432DC 33F0DC46 AAB23E26 ED474B7E
  Fingerprint SHA1: A50E3892 ED5C4542 FA7FF584 DE07B6E0 654A62D0
  X509v3 extensions:
    X509v3 Subject Key ID: 786F263C 0F5A1963 D6AD18F8 86DCE7C9 0185911E
    X509v3 Basic Constraints:
        CA: TRUE
    Authority Info Access:
  Associated Trustpoints: TP
  Storage: nvram:Cisco#F56ACA.cer

BSAN-2900-1#show ip int brief
Interface                  IP-Address      OK? Method Status          Protocol
GigabitEthernet0/0         10.48.64.15     YES NVRAM  up              up  

机器人

对于基于EAP的验证, Andorid需要有安装的正确CA证书。

对于基于RSA的验证, Andorid需要有安装的CA证书和其自己的证书。

此步骤描述如何安装两证书:

  1. 由电子邮件发送pfx文件,并且打开它。

  2. 提供使用的密码,当pfx文件生成。

    116837-config-strongswan-ios-02.png

  3. 为已导入证书提供名称。

    116837-config-strongswan-ios-03.png

  4. 导航对设置> Security >委托凭证为了验证认证安装。新证书应该在用户存储出现:

    116837-config-strongswan-ios-04.png

这时,用户证书以及CA证书安装。pfx文件是有用户证书和CA证书的一个pkcs12容器。

当证书导入时,机器人有准确的需求。例如,对于将顺利地导入的CA证书,机器人要求x509v3分机基本限制条件CA设置为特鲁。因此,当您生成CA或使用您自己的CA时,验证是重要的它有正确分机:

pluton custom_ca # openssl x509 -in ca.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            dc:8e:ad:98:72:3d:f5:6a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=PL, ST=Malopolskie, L=Krakow, O=Cisco, OU=Cisco TAC, CN=Cisco
<.....output omitted>

 X509v3 Basic Constraints:
                CA:TRUE

<.....output omitted>

EAP 身份验证

EAP验证的Cisco IOS软件配置

IKEv2允许使用EAP协议栈为了进行用户认证。VPN网关提交自己与证书。一旦客户端委托该证书,客户端响应对从网关的EAP请求标识。Cisco IOS软件用途标识和传送RADIUS请求信息到验证、授权和统计(AAA)服务器,并且EAP-MD5会话建立在请求方(机器人)和认证服务器之间(访问控制服务器[ACS]或ISE)。

在成功的EAP-MD5验证以后,如表示的是由RADIUS接受消息, Cisco IOS软件使用配置模式为了推送IP地址对客户端和继续流量选择器协商。

注意机器人发送IKEID=cisco (如配置)。在Cisco IOS软件匹配'ikev2配置文件接收的此IKEID PROF。

aaa new-model
aaa authentication login eap-list-radius group radius
aaa authorization network IKE2_AUTHOR_LOCAL local

crypto pki trustpoint TP
 revocation-check none

crypto ikev2 authorization policy IKE2_AUTHOR_POLICY
 pool POOL
!
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-128
 integrity sha1
 group 14
!
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
!
!
crypto ikev2 profile PROF
 match identity remote key-id cisco
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint TP
 aaa authentication eap eap-list-radius
 aaa authorization group eap list IKE2_AUTHOR_LOCAL IKE2_AUTHOR_POLICY
 aaa authorization user eap cached
 virtual-template 1

crypto ipsec transform-set 3DES-MD5 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROF
 set transform-set 3DES-MD5
 set ikev2-profile PROF

interface GigabitEthernet0/0
 ip address 10.48.64.15 255.255.255.128

interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF

ip local pool POOL 192.168.0.1 192.168.0.10

radius-server host 10.48.66.185 key cisco

EAP验证的机器人配置

机器人strongSwan必须有配置的EAP :

  1. 禁用自动证书选择;否则, 100或更多CERT_REQs在第三数据包发送。

  2. 选择在上一步导入的一特定证书(CA);用户名和密码应该是相同的象在AAA服务器。

    116837-config-strongswan-ios-05.png

EAP验证测验

在Cisco IOS软件里,这些是EAP验证的最重要的调试。多数输出为了清晰省略:

debug crypto ikev2 error
debug crypto ikev2 internal
debug radius authentication
debug radius verbose

IKEv2:New ikev2 sa request admitted
IKEv2:(SA ID = 1):Searching policy based on peer's identity 'cisco' of type
'FQDN'

IKEv2:(1): Choosing IKE profile PROF
IKEv2:Sending certificates as X509 certificates

RADIUS(00000025): Send Access-Request to 10.48.66.185:1645 id 1645/4,len 110
RADIUS: Received from id 1645/4 10.48.66.185:1645, Access-Challenge, len 79
RADIUS(00000025): Send Access-Request to 10.48.66.185:1645 id 1645/5,len 141
RADIUS: Received from id 1645/5 10.48.66.185:1645, Access-Challenge, len 100
RADIUS(00000025): Send Access-Request to 10.48.66.185:1645 id 1645/6,len 155
RADIUS: Received from id 1645/6 10.48.66.185:1645, Access-Accept, len 76

IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AABAB198FACAAEDE R_SPI=D61F37C4DC875001
(R) MsgID = 00000004 CurState: R_PROC_EAP_RESP Event: EV_RECV_EAP_SUCCESS

IKEv2:IKEv2 local AAA author request for 'IKE2_AUTHOR_POLICY'
IKEv2:Received group author attributes: ipv4-pool: POOL, route-accept any tag:1
distance:1
IKEv2:Allocated addr 192.168.0.2 from local pool POOL
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AABAB198FACAAEDE R_SPI=D61F37C4DC875001
(R) MsgID = 00000005 CurState: R_VERIFY_AUTH Event:
EV_OK_RECD_VERIFY_IPSEC_POLICY
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state
to up

机器人日志指示:

00[DMN] Starting IKE charon daemon (strongSwan 5.1.0dr2, 
Linux 3.4.0-perf-gf43c3d9, armv7l)        
00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability           
00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf
random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default kernel-netlink
00[LIB] unable to load 9 plugin features (9 due to unmet dependencies)      
00[JOB] spawning 16 worker threads             
13[IKE] initiating IKE_SA android[1] to 10.48.64.15            
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 10.147.24.153[45581] to 10.48.64.15[500]
(648 bytes)         
11[NET] received packet: from 10.48.64.15[500] to 10.147.24.153[45581]
(497 bytes)         
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(HTTP_CERT_LOOK) ]  
11[ENC] received unknown vendor ID:
43:49:53:43:4f:2d:44:45:4c:45:54:45:2d:52:45:41:53:4f:4e            
11[ENC] received unknown vendor ID:
46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44            
11[IKE] faking NAT situation to enforce UDP encapsulation          
11[IKE] cert payload ANY not supported - ignored          
11[IKE] sending cert request for "C=PL, ST=Malopolskie, L=Krakow, O=Cisco,
OU=Cisco TAC, CN=Cisco"
      
11[IKE] establishing CHILD_SA android              
11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ
CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP)
11[NET] sending packet: from 10.147.24.153[35564] to 10.48.64.15[4500]
(508 bytes)         
10[NET] received packet: from 10.48.64.15[4500] to 10.147.24.153[35564]
(1292 bytes)         
10[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH EAP/REQ/ID ]      
10[IKE] received end entity cert "C=PL, ST=Malopolska, L=Krakow, O=Cisco,
OU=TAC, CN=IOS"   
    
10[CFG] using certificate "C=PL, ST=Malopolska, L=Krakow, O=Cisco, OU=TAC,
CN=IOS"         
10[CFG] using trusted ca certificate "C=PL, ST=Malopolskie, L=Krakow, O=Cisco,
OU=Cisco TAC, CN=Cisco"      
10[CFG] reached self-signed root ca with a path length of 0       
10[IKE] authentication of '10.48.64.15' with RSA signature successful          
10[IKE] server requested EAP_IDENTITY (id 0x3B), sending 'cisco'          
10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]          
10[NET] sending packet: from 10.147.24.153[35564] to 10.48.64.15[4500]
(76 bytes)         
09[NET] received packet: from 10.48.64.15[4500] to 10.147.24.153[35564]
(76 bytes)         
09[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/TLS ]          
09[IKE] server requested EAP_TLS authentication (id 0x59)           
09[IKE] EAP method not supported, sending EAP_NAK           
09[ENC] generating IKE_AUTH request 3 [ EAP/RES/NAK ]          
09[NET] sending packet: from 10.147.24.153[35564] to 10.48.64.15[4500]
(76 bytes)         
08[NET] received packet: from 10.48.64.15[4500] to 10.147.24.153[35564]
(92 bytes)         
08[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MD5 ]          
08[IKE] server requested EAP_MD5 authentication (id 0x5A)           
08[ENC] generating IKE_AUTH request 4 [ EAP/RES/MD5 ]          
08[NET] sending packet: from 10.147.24.153[35564] to 10.48.64.15[4500]
(92 bytes)         
07[NET] received packet: from 10.48.64.15[4500] to 10.147.24.153[35564]
(76 bytes)         
07[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]          
07[IKE] EAP method EAP_MD5 succeeded, no MSK established          
07[IKE] authentication of 'cisco' (myself) with EAP           
07[ENC] generating IKE_AUTH request 5 [ AUTH ]          
07[NET] sending packet: from 10.147.24.153[35564] to 10.48.64.15[4500]
(92 bytes)         
06[NET] received packet: from 10.48.64.15[4500] to 10.147.24.153[35564]
(236 bytes)         
06[ENC] parsed IKE_AUTH response 5 [ AUTH CP(ADDR) SA TSi TSr N(SET_WINSIZE)
N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]   
06[IKE] authentication of '10.48.64.15' with EAP successful           
06[IKE] IKE_SA android[1] established between
10.147.24.153[cisco]...10.48.64.15[10.48.64.15] 
           
06[IKE] scheduling rekeying in 35421s             
06[IKE] maximum IKE_SA lifetime 36021s             
06[IKE] installing new virtual IP 192.168.0.1            
06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
06[IKE] CHILD_SA android{1} established with SPIs c776cb4f_i ea27f072_o and
TS 192.168.0.1/32 === 0.0.0.0/0     
06[DMN] setting up TUN device for CHILD_SA android{1}          
06[DMN] successfully created TUN device

此示例显示如何验证在Cisco IOS软件的状态:

BSAN-2900-1#show crypto session detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Virtual-Access1
Uptime: 00:02:12
Session status: UP-ACTIVE     
Peer: 10.147.24.153 port 60511 fvrf: (none) ivrf: (none)
      Phase1_id: cisco
      Desc: (none)
  IKEv2 SA: local 10.48.64.15/4500 remote 10.147.24.153/60511 Active
          Capabilities:NX connid:1 lifetime:23:57:48
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.0.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 40 drop 0 life (KB/Sec) 4351537/3468
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4351542/3468

BSAN-2900-1#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf         Status
1         10.48.64.15/4500      10.147.24.153/60511   none/none         READY  
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:14, Auth sign: RSA,
Auth verify: EAP

      Life/Active Time: 86400/137 sec
      CE id: 1002, Session-id: 2
      Status Description: Negotiation done
      Local spi: D61F37C4DC875001       Remote spi: AABAB198FACAAEDE
      Local id: 10.48.64.15
      Remote id: cisco
      Remote EAP id: cisco
      Local req msg id:  0              Remote req msg id:  6         
      Local next msg id: 0              Remote next msg id: 6         
      Local req queued:  0              Remote req queued:  6         
      Local window:      5              Remote window:      1         
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication configured.
      NAT-T is detected  outside
      Cisco Trust Security SGT is disabled
      Assigned host addr: 192.168.0.2
      Initiator of SA : No

这些图显示如何验证在机器人的状态:

116837-config-strongswan-ios-06.png

116837-config-strongswan-ios-07.png

RSA验证

RSA验证的Cisco IOS软件配置

在Rivest Shamir Adelman (RSA)验证,机器人发送证书为了验证到Cisco IOS软件。所以绑定该流量对特定IKEv2配置文件的证书地图是需要的。用户EAP验证没有要求。

这是示例远端对等体的RSA验证如何设置:

crypto pki certificate map CERT_MAP 10
 subject-name co android

crypto ikev2 profile PROF
 match certificate CERT_MAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 aaa authorization group cert list IKE2_AUTHOR_LOCAL IKE2_AUTHOR_POLICY
 virtual-template 1

RSA验证的机器人配置

用户凭证由用户证书替换了:

116837-config-strongswan-ios-08.png

RSA验证测验

在Cisco IOS软件里,这些是RSA验证的最重要的调试。多数输出为了清晰省略:

debug crypto ikev2 error
debug crypto ikev2 internal
debug crypto pki transactions
debug crypto pki validation
debug crypto pki messages

IKEv2:New ikev2 sa request admitted
IKEv2:(SA ID = 1):Searching policy based on peer's identity 'cn=android,ou=TAC,
o=Cisco,l=Krakow,st=Malopolska,c=PL' of type 'DER ASN1 DN'

IKEv2:(1): Choosing IKE profile PROF
IKEv2:Sending certificates as X509 certificates
IKEv2:(SA ID = 1):Peer's authentication method is 'RSA'
IKEv2:Peer has sent X509 certificates
CRYPTO_PKI: Found a issuer match
CRYPTO_PKI: (9000B) Certificate is verified
CRYPTO_PKI: (9000B) Certificate validation succeeded
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed
authentication data PASSED

IKEv2:IKEv2 local AAA author request for 'IKE2_AUTHOR_POLICY'
IKEv2:Received group author attributes: ipv4-pool: POOL, route-accept any tag:1
distance:1
IKEv2:Allocated addr 192.168.0.3 from local pool POOL
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=E53A57E359A8437C R_SPI=A03D273FC75EEBD9
(R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event:
EV_OK_RECD_VERIFY_IPSEC_POLICY

%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state
to up

机器人日志指示:

00[DMN] Starting IKE charon daemon (strongSwan 5.1.0dr2, 
Linux 3.4.0-perf-gf43c3d9, armv7l)       
00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability          
00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf
random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default
00[LIB] unable to load 9 plugin features (9 due to unmet dependencies)     
00[JOB] spawning 16 worker threads            
05[CFG] loaded user certificate 'C=PL, ST=Malopolska, L=Krakow, O=Cisco,
OU=TAC, CN=android' and private key    
05[CFG] loaded CA certificate 'C=PL, ST=Malopolskie, L=Krakow, O=Cisco,
OU=Cisco TAC, CN=Cisco'      

05[IKE] initiating IKE_SA android[4] to 10.48.64.15           
05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
05[NET] sending packet: from 10.147.24.153[34697] to 10.48.64.15[500]
(648 bytes)        
10[NET] received packet: from 10.48.64.15[500] to 10.147.24.153[34697]
(497 bytes)        
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(HTTP_CERT_LOOK) ]
10[ENC] received unknown vendor ID:
43:49:53:43:4f:2d:44:45:4c:45:54:45:2d:52:45:41:53:4f:4e           
10[ENC] received unknown vendor ID:
46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44           
10[IKE] faking NAT situation to enforce UDP encapsulation         
10[IKE] cert payload ANY not supported - ignored         
10[IKE] sending cert request for "C=PL, ST=Malopolskie, L=Krakow, O=Cisco,
OU=Cisco TAC, CN=Cisco"     

10[IKE] authentication of 'C=PL, ST=Malopolska, L=Krakow, O=Cisco, OU=TAC,
CN=android' (myself) with RSA signature successful   
10[IKE] sending end entity cert "C=PL, ST=Malopolska, L=Krakow, O=Cisco,
OU=TAC, CN=android"      
10[IKE] establishing CHILD_SA android             
10[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ
AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA
10[NET] sending packet: from 10.147.24.153[44527] to 10.48.64.15[4500]
(1788 bytes)        
12[NET] received packet: from 10.48.64.15[4500] to 10.147.24.153[44527]
(1420 bytes)        
12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH CP(ADDR) SA TSi TSr
N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG)
12[IKE] received end entity cert "C=PL, ST=Malopolska, L=Krakow, O=Cisco,
OU=TAC, CN=IOS" 
     
12[CFG] using certificate "C=PL, ST=Malopolska, L=Krakow, O=Cisco, OU=TAC,
CN=IOS"        
12[CFG] using trusted ca certificate "C=PL, ST=Malopolskie, L=Krakow, O=Cisco,
OU=Cisco TAC, CN=Cisco"     
12[CFG] reached self-signed root ca with a path length of 0      
12[IKE] authentication of '10.48.64.15' with RSA signature successful         
12[IKE] IKE_SA android[4] established between 10.147.24.153[C=PL,
ST=Malopolska, L=Krakow, O=Cisco, OU=TAC,
CN=android]...10.48.64.15[10.48.64.15]  
    
12[IKE] scheduling rekeying in 35413s            
12[IKE] maximum IKE_SA lifetime 36013s            
12[IKE] installing new virtual IP 192.168.0.3           
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
12[IKE] CHILD_SA android{4} established with SPIs ecb3af87_i b2279175_o and
TS 192.168.0.3/32 === 0.0.0.0/0    
12[DMN] setting up TUN device for CHILD_SA android{4}         
12[DMN] successfully created TUN device

在Cisco IOS软件里, RSA使用签字和验证;在前一场景, EAP使用了验证:

BSAN-2900-1#show crypto ikev2 sa detailed 
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf          Status
1         10.48.64.15/4500      10.147.24.153/44527   none/none          READY  
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:14, Auth sign: RSA,
Auth verify: RSA

      Life/Active Time: 86400/16 sec
      CE id: 1010, Session-id: 3
      Status Description: Negotiation done
      Local spi: A03D273FC75EEBD9       Remote spi: E53A57E359A8437C
      Local id: 10.48.64.15
      Remote id: cn=android,ou=TAC,o=Cisco,l=Krakow,st=Malopolska,c=PL
      Local req msg id:  0              Remote req msg id:  2         
      Local next msg id: 0              Remote next msg id: 2         
      Local req queued:  0              Remote req queued:  2         
      Local window:      5              Remote window:      1         
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is detected  outside
      Cisco Trust Security SGT is disabled
      Assigned host addr: 192.168.0.3
      Initiator of SA : No

在机器人的状态验证类似于那在前一场景。

在strongSwan的NAT -和Cisco IOS软件限制后的VPN网关

此示例解释strongSwan证书验证的限制。

假设, Cisco IOS软件VPN网关IP地址从172.16.1.1静态翻译到10.147.25.80。使用EAP验证。

116837-config-strongswan-ios-09.jpg

也假设Cisco IOS软件证书有一附属的替代方案名称对于172.16.1.1和10.147.25.80。

在成功的EAP验证以后,机器人进行验证并且设法查找在机器人配置对等体的IP地址(10.147.25.80)方面使用在附属的替代方案名称分机。验证发生故障:

116837-config-strongswan-ios-10.png

日志指示:

constraint check failed: identity '10.147.25.80' required

失败发生了,因为机器人能只读第一附属的替代方案名称分机(172.16.1.1)。

现在,假设, Cisco IOS软件证书有两个地址在附属的替代方案名称,但是在反向顺序:10.147.25.80和172.16.1.1。机器人在第三数据包执行验证,当接收IKEID时,是VPN网关(172.16.1.1)的IP地址, :

116837-config-strongswan-ios-11.png

现在日志显示:

no trusted RSA public key found for '172.16.1.1'

因此,当机器人接收IKEID时,它需要查找在附属的替代方案名称的IKEID,并且能使用仅第一个IP地址。

注意:默认情况下在EAP验证, Cisco IOS软件发送的IKEID是IP地址。默认情况下在RSA验证, IKEID是证书DN。请使用标识命令在ikev2配置文件下为了手工更改这些值。

验证

验证和测试程序在配置示例内是可用的。

故障排除

本部分提供的信息可用于对配置进行故障排除。

strongSwan CA多个CERT_REQ

当在strongSwan的证书设置是自动选择(默认),机器人在第三数据包的本地存储发送所有信任证书的CERT_REQ。因为认可很大数量的证书请求作为拒绝服务攻击, Cisco IOS软件也许下降请求:

*Jul 15 07:54:13: IKEv2:number of cert req exceeds the reasonable limit (100)

在DVTI的隧道源

虽然它是相当普遍的设置在一个虚拟隧道接口(VTI)的隧道源,不必要的在这里。假设tunnel source命令在一动态VTI (DVTI)下:

interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF

在验证以后,如果Cisco IOS软件设法创建从虚拟模板被克隆的虚拟访问接口,它返回错误:

*Aug  1 13:34:22 IKEv2:Allocated addr 192.168.0.9 from local pool POOL
*Aug  1 13:34:22 IKEv2:(SA ID = 1):Set received config mode data
*Aug  1 13:34:22 IKEv2:% DVTI create request sent for profile PROF with PSH
index 1
*Aug  1 13:34:22 IKEv2:Failed to process KMI delete SA message with error 4
*Aug  1 13:34:24 IKEv2:Got a packet from dispatcher
*Aug  1 13:34:24 IKEv2:Processing an item off the pak queue
*Aug  1 13:34:24 IKEv2:Negotiation context locked currently in use

在失败以后的两秒, Cisco IOS软件接收从机器人的被重新传输的IKE_AUTH。该数据包丢弃。

Cisco IOS软件Bug和增强请求

  • Cisco Bug ID CSCui46418, “IOS Ikev2 IP地址发送作为RSA验证的标识”。
    此bug不是问题,只要strongSwan能看到一正确附属的替代方案名称(IP地址),当寻找在证书的IKEID为了进行验证时。
  • Cisco Bug ID CSCui44976, “IOS PKI不正确地显示X509v3分机主题替代方案名称”。
    只有当有在附属的替代方案名称时的多个IP地址此bug发生。仅最后IP地址显示,但是那不影响证书使用情况。全部的证书正确地发送并且处理。
  • Cisco Bug ID CSCui44783, “IOS ENH PKI能力生成与主题alt NAME分机的CSR”。
  • Cisco Bug ID CSCui44335, “ASA ENH证书x509扩展显示”。

相关信息


相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


Document ID: 116837