
ASA 8.4 IKEv2: Pre-Shared Key plus Certificate Authentication, and Mutual Certificate Authentication

2025-04-05 Update From: SLTechnology News&Howtos


Topology:

Configuration:

ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.10 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.10 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.80.80 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone UTC 8
access-list l2lacl extended permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route inside 0.0.0.0 0.0.0.0 192.168.2.2 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal l2lipsec
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto map l2lmap 10 match address l2lacl
crypto map l2lmap 10 set peer 172.16.2.10
crypto map l2lmap 10 set ikev2 ipsec-proposal l2lipsec
crypto map l2lmap 10 set trustpoint CA
crypto map l2lmap interface outside
crypto ca trustpoint CA
 enrollment url http://172.16.1.1:80
 fqdn l2l***.asa.net
 subject-name CN=l2l***.asa.net
 crl configure
crypto ca certificate chain CA
 certificate 02


 quit
 certificate ca 01


 quit
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.1.1
tunnel-group 172.16.2.10 type ipsec-l2l
tunnel-group 172.16.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *
 ikev2 local-authentication certificate CA
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
crashinfo save disable
Cryptochecksum:b6b7917f8e8d2807b9121cbaf606bd15
: end

ASA Version 8.4(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.2.10 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.3.10 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.80.80 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone UTC 8
access-list l2lacl extended permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
route inside 0.0.0.0 0.0.0.0 192.168.3.3 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal l2lipsec
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto map l2lmap 10 match address l2lacl
crypto map l2lmap 10 set peer 172.16.1.10
crypto map l2lmap 10 set ikev2 ipsec-proposal l2lipsec
crypto map l2lmap interface outside
crypto ca trustpoint CA
 enrollment url http://172.16.2.1:80
 fqdn l2l***.asa.net
 subject-name CN=l2l***.asa.net
 crl configure
crypto ca certificate chain CA
 certificate 03


 quit
 certificate ca 01


 quit
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.2.1
tunnel-group 172.16.1.10 type ipsec-l2l
tunnel-group 172.16.1.10 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
crashinfo save disable
Cryptochecksum:590bda2136c39227c8bf0c0d3636e27f
: end

Building configuration...

Current configuration: 2399 bytes
!
! Last configuration change at 20:41:54 UTC Sun Sep 30 2012
! NVRAM config last updated at 20:29:33 UTC Sun Sep 30 2012
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
clock timezone UTC 8
ip cef
!
!
!
!
no ip domain lookup
ip domain name cisco.com
!
multilink bundle-name authenticated
!
crypto pki server CA
 issuer-name CN=ca.asa.net
 grant auto
!
crypto pki trustpoint CA
 revocation-check crl
 rsakeypair CA
!
!
crypto pki certificate chain CA
 certificate ca 01


  quit
!
!
!
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.2.1 255.255.255.0
 duplex auto
 speed auto
!
!
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
ntp master
!
end

-

R2#show run
Building configuration...

Current configuration: 928 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.2.10
!
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

-

R3#show run
Building configuration...

Current configuration: 928 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.3.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.3.10
!
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

Verify:

Expand:

Following the above example, configure both sides so that each authenticates the other with a certificate.
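The authentication in the two ASA configs above is deliberately asymmetric: ASA1 proves itself with its certificate and demands a pre-shared key from ASA2, while ASA2 is configured the other way round, so each side's local method must equal the peer's remote method or IKE_AUTH fails. The following audit script is an added example, not code from the original post: it parses the relevant lines of both configs (constructed excerpts embedded inline), checks that pairing, and checks that the crypto ACLs are mirror images; it applies unchanged to the mutual-certificate variant asked for under Expand.

```python
import re

# Constructed excerpts of the ASA1 and ASA2 configs shown on this page (only the
# lines the check needs). Each tunnel-group is keyed by the *other* device's IP.
ASA1_CFG = """
access-list l2lacl extended permit ip 2.2.2.0 255.255.255.0 3.3.3.0 255.255.255.0
tunnel-group 172.16.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *
 ikev2 local-authentication certificate CA
"""
ASA2_CFG = """
access-list l2lacl extended permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
tunnel-group 172.16.1.10 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *
"""
AUTH_RE = re.compile(r"ikev2 (remote|local)-authentication (pre-shared-key|certificate)")
ACL_RE = re.compile(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_l2l(cfg):
    """Return ({peer_ip: {'remote': method, 'local': method}}, [crypto ACL tuples])."""
    peers, acl, current = {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            current = peers.setdefault(m.group(1), {})
        elif (m := AUTH_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
        elif m := ACL_RE.match(line):
            acl.append(m.groups())
    return peers, acl

def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Findings for the tunnel between A (ip_a) and B (ip_b); an empty list means consistent."""
    peers_a, acl_a = parse_l2l(cfg_a)
    peers_b, acl_b = parse_l2l(cfg_b)
    a, b = peers_a.get(ip_b), peers_b.get(ip_a)
    if a is None or b is None:
        return ["one side has no tunnel-group ipsec-attributes for its peer"]
    findings = []
    # What A proves about itself (local) must be what B demands of A (remote), and
    # vice versa; a mismatch fails IKE_AUTH even though each side is valid on its own.
    if a.get("local") != b.get("remote"):
        findings.append(f"A local={a.get('local')} but B remote={b.get('remote')}")
    if a.get("remote") != b.get("local"):
        findings.append(f"A remote={a.get('remote')} but B local={b.get('local')}")
    # Crypto ACLs must be mirror images (src/dst swapped) or the child SA will not match.
    if set(acl_a) != {(d, dm, s, sm) for (s, sm, d, dm) in acl_b}:
        findings.append("crypto ACLs are not mirror images")
    return findings
```

Run `check_pair(ASA1_CFG, "172.16.1.10", ASA2_CFG, "172.16.2.10")` against the two real running configs to get an empty list for the page's setup, or a list naming the side whose method does not match.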
