PKI Configuration Examples

 

Keywords: PKI, CA, RA, IKE, IPsec, SSL

Abstract: The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies. This document provides a certificate-based IKE configuration example and a certificate-based SSL configuration example.

Acronyms:

Acronym    Full spelling
CA         Certificate Authority
CRL        Certificate Revocation List
HTTP       Hypertext Transfer Protocol
HTTPS      Hypertext Transfer Protocol Secure
IIS        Internet Information Services
IKE        Internet Key Exchange
IPsec      Internet Protocol Security
LDAP       Lightweight Directory Access Protocol
PKC        Public Key Certificate
PKI        Public Key Infrastructure
RA         Registration Authority
S/MIME     Secure/Multipurpose Internet Mail Extensions
SCEP       Simple Certificate Enrollment Protocol
SSL        Secure Sockets Layer
VPN        Virtual Private Network

 



Feature Overview

The Public Key Infrastructure (PKI) is a general security infrastructure that provides information security through public key technology and the digital certificate mechanism. It comprises the services and policies needed to bind identities to public keys and to implement and maintain that binding over time.

In PKI, digital certificates bind public keys to their owners; users can request, retrieve, and delete certificates. Through certificates and the associated services such as certificate issuing and revocation, a PKI system authenticates the entities involved in a communication and supports data non-repudiation, confidentiality, and integrity.

Application Scenarios

The PKI technology satisfies the needs for securing the network data exchange. As a basic infrastructure, PKI is widely used and being further developed.

Typically, PKI is used in these scenarios:

1)        VPN

A virtual private network (VPN) is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in conjunction with PKI-based encryption and digital signature technologies for confidentiality.

2)        Secure Email

E-mail requires confidentiality, integrity, authentication, and non-repudiation, and PKI can address all four. The secure e-mail protocol that is currently developing most rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows encrypted and signed mail to be exchanged without the parties first sharing a secret key.

3)        Web security

For Web security, two peers can establish an SSL connection first for transparent and secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both the communication parties can verify the identity of each other through digital certificates.

Configuration Guidelines

When configuring PKI, note that:

l          A certificate carries a validity period (not-before and not-after times). The system clock of the device must be synchronized with that of the CA server; with a large clock skew the device may fail to obtain a certificate, or may reject a freshly issued certificate as not yet valid.

l          If the CA server is running Windows 2003 Server, Internet Information Services (IIS) must be installed and enabled on it, because the certificate enrollment web pages (certsrv) and the SCEP add-on are served through IIS. The add-ons needed on other CA servers depend on the actual environment.

l          To avoid conflicts with existing web services, do not use the CA server's default TCP port for the enrollment web site.

Certificate-Based IKE Configuration Example

As an important VPN protocol, IPsec protects communications at the IP layer and can use IKE to set up security associations (SAs) automatically. In large or complex networks, however, IKE's simplest identity authentication mechanism (pre-shared keys) is hard to manage and is only as strong as the distribution of the shared secrets. Combining IKE with PKI replaces the pre-shared key with certificate-based identity authentication, which improves both the security and the scalability of the VPN gateways.

Network Requirements

As shown in Figure 1, two subnets are connected to the Internet through their own gateways. Now it is required that:

l          An IPsec tunnel is established between Router A and Router B to protect the data transmitted between the two subnets.

l          A pair of IPsec SAs is set up through IKE negotiation between Router A and Router B. The IKE negotiation adopts PKI certificate-based authentication.

Figure 1 Network diagram for certificate-based IKE configuration

 

Configuration Considerations

Configure the CA server. In this example, Windows 2003 Server is used as the CA server.

Perform the following configuration on Router A and Router B.

l          Configure PKI, define a PKI entity, and perform PKI domain-related configurations.

l          Configure IKE, setting the authentication method to digital signature.

l          Configure IPsec to protect the data flows between the two subnets.

l          Request a certificate, download the certificate, and save it locally.

Configuration Procedures

 

l          The following configurations were made on devices with default settings and verified in a lab environment. Before applying them to devices in a live network, make sure they do not conflict with the existing configuration, to avoid negative impact on the network.

l          Before performing the configuration, make sure that the CA server and the routers can reach each other (routes exist in both directions).

 

Configuration on the CA Server

Install the Certificate Services component

From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components. Then in the pop-up dialog box, select Certificate Services and click Next to begin the installation.

Figure 2 Install the Certificate Services component (1)

 

Select the Stand-alone root CA option, and click Next.

Figure 3 Install the Certificate Services component (2)

 

Enter CA server in the Common name for this CA text box, and click Next.

Figure 4 Install the Certificate Services component (3)

 

Specify the directories for the certificate database, certificate database log, and shared folder, and then click Next. In this example, the default settings are used.

Figure 5 Install the Certificate Services component (4)

 

After the certificate service suites are installed successfully, click Finish. The Windows Components Wizard dialog box is closed.

Install the SCEP add-on

Double-click the SCEP installation file. On the pop-up dialog box, click Next.

 

The SCEP installation program can be downloaded free from the Microsoft website.

 

Figure 6 Install the SCEP add-on 1)

 

Select the Use the local system account option and click Next.

Figure 7 Install the SCEP add-on 2)

 

Leave the Require SCEP Challenge Phrase to Enroll check box unselected, and click Next.

With the challenge phrase disabled, and with the policy module later set to issue certificates automatically, any host that can reach the SCEP URL can obtain a certificate from this CA without operator involvement, and that certificate is trusted by the routers' PKI domain. This is acceptable for a lab; in a production deployment, either require a challenge phrase or leave requests pending for an administrator to issue.

Figure 8 Install the SCEP add-on 3)

 

Specify the RA information used to enroll the RA certificates, and click Next. An RA handles functions such as verifying the identity of requesters, CRL management, key pair generation, and key pair backup. As an extension of the CA, the RA is considered part of the CA's implementation.

 

The RA name must differ from the CA name; otherwise, related functions may fail.

 

Figure 9 Install the SCEP add-on 4)

 

After completing the configuration, click Finish. A dialog box appears, as shown in Figure 10. Record the URL and click OK.

Figure 10 Install the SCEP add-on 5)

 

Modify the certificate service properties

From the start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to the RA.

Right-click CA server and select Properties from the short-cut menu.

Figure 11 Modify the CA server properties

 

Select the Policy Module tab in the CA server Properties dialog box. Then click the Properties button.

Figure 12 CA server properties

 

Select the option of Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate. Then click OK.

Figure 13 Policy module properties

 

Click the stop icon (Figure 14) and then the start icon (Figure 15) to restart the CA service so that the policy module change takes effect.

Figure 14 Stop the CA service

 

Figure 15 Start CA service

 

Modify the IIS attributes

From the start menu, select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager and then select Web Sites from the navigation tree. Right-click Default Web Site and select Properties.

Figure 16 IIS Manager

 

Then select the Home Directory tab. Specify the path for certificate service in the Local path text box.

Figure 17 Modify the home directory of the default website

 

Select the Web Site tab, and change the TCP port number to 8080.

 

Make sure that the TCP port of the default website is not used by any other services. The default port number 80 is not recommended.

 

Figure 18 Change the TCP port number of the default website

 

Configuration on Router A

Configuration steps

1)        Configure PKI

# Create a PKI entity and enter its view. Configure the common name for the entity as routera.

<RouterA> system-view

[RouterA] pki entity entityA

[RouterA-pki-entity-entityA] common-name routera

[RouterA-pki-entity-entityA] ip 2.2.2.1

[RouterA-pki-entity-entityA] quit

# Create a PKI domain and enter its view.

[RouterA] pki domain domain1

# Specify the trusted CA as ca server, the common name given to the CA when Certificate Services was installed.

[RouterA-pki-domain-domain1] ca identifier ca server

# Configure the URL of the registration (SCEP) server in the format http://host:port/certsrv/mscep/mscep.dll, where host:port is the IP address and port number of the CA server. Because the TCP port of the default web site on the CA server was changed to 8080, the URL must carry port 8080.

[RouterA-pki-domain-domain1] certificate request url http://1.1.1.101:8080/certsrv/mscep/mscep.dll

# Specify that the entity requests a certificate from RA.

[RouterA-pki-domain-domain1] certificate request from ra

# Specify the entity for certificate request as entityA.

[RouterA-pki-domain-domain1] certificate request entity entityA

[RouterA-pki-domain-domain1] quit

2)        Configure IKE

# Create an IKE proposal and configure the proposal to use the RSA digital signature authentication method.

[RouterA] ike proposal 1

[RouterA-ike-proposal-1] authentication-method rsa-signature

[RouterA-ike-proposal-1] quit

# Create an IKE peer.

[RouterA] ike peer peer1

# Specify the IP address of the remote IPsec gateway (Router B).

[RouterA-ike-peer-peer1] remote-address 3.3.3.1

# Configure the PKI domain as domain1.

[RouterA-ike-peer-peer1] certificate domain domain1

[RouterA-ike-peer-peer1] quit

3)        Configure IPsec

# Create an ACL that identifies the traffic to be protected (IP packets sourced from 10.1.1.0/24).

[RouterA] acl number 3000

[RouterA-acl-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255

[RouterA-acl-adv-3000] quit

# Create an IPsec proposal.

[RouterA] ipsec proposal ipsprop1

# Configure IPsec proposal ipsprop1 to use ESP.

[RouterA-ipsec-proposal-ipsprop1] transform esp

# Configure IPsec proposal ipsprop1 to encapsulate IP packets in tunnel mode.

[RouterA-ipsec-proposal-ipsprop1] encapsulation-mode tunnel

# Configure IPsec proposal ipsprop1 to use DES as the ESP encryption algorithm. DES and HMAC-MD5 are the platform defaults (which is why they do not appear in the saved configuration file) and are kept here for the lab; both are obsolete, so a production deployment should use the strongest AES and SHA-based algorithms the device supports.

[RouterA-ipsec-proposal-ipsprop1] esp encryption-algorithm des

# Configure IPsec proposal ipsprop1 to use HMAC-MD5 as the ESP authentication (integrity) algorithm.

[RouterA-ipsec-proposal-ipsprop1] esp authentication-algorithm md5

[RouterA-ipsec-proposal-ipsprop1] quit

# Create an IPsec policy and enter its view.

[RouterA] ipsec policy policy1 1 isakmp

# Specify an ACL for the IPsec policy to reference.

[RouterA-ipsec-policy-isakmp-policy1-1] security acl 3000

# Specify the IKE peer.

[RouterA-ipsec-policy-isakmp-policy1-1] ike-peer peer1

# Specify the IPsec proposal for the IPsec policy to reference.

[RouterA-ipsec-policy-isakmp-policy1-1] proposal ipsprop1

[RouterA-ipsec-policy-isakmp-policy1-1] quit

# Apply the IPsec policy to an interface.

[RouterA] interface serial 2/0

[RouterA-Serial2/0] ipsec policy policy1

[RouterA-Serial2/0] quit

4)        Request a certificate

# Generate a local RSA key pair.

[RouterA] public-key local create rsa

Warning: The local key pair already exist.

Confirm to replace them? [Y/N]:y

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

......++++++

....++++++

......++++++++

...++++++++

A certificate request can be submitted in two ways, inband and out-of-band. Choose one as needed.

l          Inband mode

# Retrieve the CA certificate in online mode. The device prints the MD5 and SHA1 fingerprints of the CA certificate it received. SCEP's CA-certificate retrieval is not authenticated, so compare these fingerprints with values obtained from the CA administrator through an out-of-band channel before answering Y; this comparison is what binds the PKI domain to the intended CA.

[RouterA] pki retrieval-certificate ca domain domain1

Retrieving CA/RA certificates. Please wait a while......

The trusted CA's finger print is:

    MD5  fingerprint:4F10 9CB0 4D51 6EB2 21D4 12C4 5881 EE2F

    SHA1 fingerprint:1A56 5741 219F 8E98 6438 B556 2C5A 2275 F097 2536

 

Is the finger print correct?(Y/N):y

 

Saving CA/RA certificates chain, please wait a moment......

CA certificates retrieval success.
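The fingerprint prompt above is the point at which the router's trust in the CA is established, and the router cannot check the value for you. The following Python script is an added example, not part of the H3C document: it pulls the fingerprint lines out of pasted router output and compares them, constant-time, with fingerprints computed from a trusted copy of the CA certificate obtained out of band (for example ca_cert.cer downloaded from the CA web page, for which load_der is provided). The router output embedded in the script is the Router A output shown above; the stand-in certificate bytes are constructed for the example and are not a real certificate.

```python
"""Check the CA fingerprints a router displays against a trusted copy of the CA cert.

Added example, not part of the H3C document. Standard library only.
"""
import hashlib
import hmac
import re

# Router output copied from the Router A inband enrollment above.
ROUTER_A_OUTPUT = """\
Retrieving CA/RA certificates. Please wait a while......
The trusted CA's finger print is:
    MD5  fingerprint:4F10 9CB0 4D51 6EB2 21D4 12C4 5881 EE2F
    SHA1 fingerprint:1A56 5741 219F 8E98 6438 B556 2C5A 2275 F097 2536
Is the finger print correct?(Y/N):"""

# Constructed stand-in for the DER bytes of ca_cert.cer; a real check uses load_der().
STAND_IN_CA_DER = b"abc"

FP_LINE = re.compile(r"^\s*(MD5|SHA1)\s+fingerprint:\s*([0-9A-Fa-f ]+?)\s*$", re.M)


def format_fingerprint(digest: bytes) -> str:
    """Render a digest the way the router prints it: upper-case hex in groups of four."""
    h = digest.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def compute_fingerprints(der: bytes) -> dict:
    """MD5 and SHA1 over the DER encoding, the conventional certificate fingerprint."""
    return {
        "MD5": format_fingerprint(hashlib.md5(der).digest()),
        "SHA1": format_fingerprint(hashlib.sha1(der).digest()),
    }


def extract_fingerprints(router_output: str) -> dict:
    """Pull the MD5/SHA1 fingerprint lines out of pasted router output, spaces removed."""
    found = {}
    for algo, hexgroups in FP_LINE.findall(router_output):
        found[algo] = hexgroups.replace(" ", "").upper()
    return found


def fingerprints_match(router_output: str, trusted_der: bytes) -> dict:
    """Return {"MD5": bool, "SHA1": bool}; answer Y only if both are True.

    hmac.compare_digest is used so the comparison does not short-circuit on the
    first differing character; harmless on a terminal, but a good habit.
    """
    shown = extract_fingerprints(router_output)
    expected = compute_fingerprints(trusted_der)
    result = {}
    for algo in ("MD5", "SHA1"):
        displayed = shown.get(algo, "")
        computed = expected[algo].replace(" ", "")
        result[algo] = bool(displayed) and hmac.compare_digest(displayed, computed)
    return result


def load_der(path: str) -> bytes:
    """Read ca_cert.cer saved with DER encoding from the CA web page."""
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    # With the stand-in bytes both fingerprints differ from what Router A printed.
    print(fingerprints_match(ROUTER_A_OUTPUT, STAND_IN_CA_DER))
```

In use, replace STAND_IN_CA_DER with load_der("ca_cert.cer") and paste the router's prompt text into ROUTER_A_OUTPUT; a mismatch on either algorithm means the certificate the router fetched over SCEP is not the one the CA administrator handed you.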

# Request a local certificate from a CA through SCEP.

[RouterA] pki request-certificate domain domain1

Certificate is being requested, please wait......

[RouterA]

Enrolling the local certificate,please wait a while......

Certificate request Successfully!

Saving the local certificate to device......

Done!

l          Out-of-band mode

If SCEP fails, you can use the pki request-certificate domain command with the pkcs10 keyword to save the local certificate request and send it to the CA by an out-of-band means like phone, disk, or e-mail.

# Display the local certificate request in BASE64 format.

[RouterA] pki request-certificate domain domain1 pkcs10

-----BEGIN CERTIFICATE REQUEST-----

MIIBTTCBtwIBADAOMQwwCgYDVQQDEwMxMjMwgZ8wDQYJKoZIhvcNAQEBBQADgY0A

MIGJAoGBAOEvjYboMDX0akLSOqSSCQm7dE7nmJz0N2BsuPh7I4mlkxLHZIwp5vAo

PT1Q2i85uLqQDtmxjuYd9fZU4qM9Ps9It2lKG4DCFyFXkKTI9U4jPK42/grPMFmq

V8BED9H+O6c9N/sWwA85C2um7UgIOj6TGi6LDBrp9ZZ3xFSO54bdAgMBAAGgADAN

BgkqhkiG9w0BAQQFAAOBgQBnjx0Qyme4Pu29BOjvjVYe8qhf9SizXpl6ty4jPS8Y

+XkVV30WCs1ITfnUrD5IbhiDr50tDdqqv8y9B7kB+7/DBWcFv4Hrek5XBJveGolT

qZ8+M7To8BXxCV4NRLTCsMREYonirVnlKR94KV3TCTGOI1E9KXKgg7DLHZFe75IP

lQ==

-----END CERTIFICATE REQUEST-----

[RouterA]
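Before pasting a request into the CA web page, it is worth checking what it actually contains, since the CA in this example issues whatever it receives. The following Python script is an added example, not part of the H3C document: it decodes a base64 PKCS#10 request with a minimal DER walker from the standard library and reports the subject, key algorithm and size, and signature algorithm. The request embedded in it is the one printed by Router A above; parsed, it carries a subject of CN=123, a 1024-bit RSA key with exponent 65537, and an md5WithRSAEncryption signature. The policy thresholds in check_request (expected common name, minimum key size, accepted signature algorithms) are the example's own assumptions, not device or CA settings.

```python
"""Inspect a base64 PKCS#10 certificate request before submitting it to the CA.

Added example, not part of the H3C document. Standard library only.
"""
import base64

# The request printed by "pki request-certificate domain domain1 pkcs10" above.
ROUTER_A_REQUEST = """-----BEGIN CERTIFICATE REQUEST-----
MIIBTTCBtwIBADAOMQwwCgYDVQQDEwMxMjMwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAOEvjYboMDX0akLSOqSSCQm7dE7nmJz0N2BsuPh7I4mlkxLHZIwp5vAo
PT1Q2i85uLqQDtmxjuYd9fZU4qM9Ps9It2lKG4DCFyFXkKTI9U4jPK42/grPMFmq
V8BED9H+O6c9N/sWwA85C2um7UgIOj6TGi6LDBrp9ZZ3xFSO54bdAgMBAAGgADAN
BgkqhkiG9w0BAQQFAAOBgQBnjx0Qyme4Pu29BOjvjVYe8qhf9SizXpl6ty4jPS8Y
+XkVV30WCs1ITfnUrD5IbhiDr50tDdqqv8y9B7kB+7/DBWcFv4Hrek5XBJveGolT
qZ8+M7To8BXxCV4NRLTCsMREYonirVnlKR94KV3TCTGOI1E9KXKgg7DLHZFe75IP
lQ==
-----END CERTIFICATE REQUEST-----"""

OID_NAMES = {
    "2.5.4.3": "commonName",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Split the content of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value: bytes) -> str:
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_csr(der: bytes) -> dict:
    """Walk CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    (_, info), (_, sig_alg), _sig = children(body)
    _version, (_, subject), (_, spki), *_attrs = children(info)

    names = {}
    for _, rdn_set in children(subject):           # Name ::= SEQUENCE OF RDN
        for _, atv in children(rdn_set):           # RDN ::= SET OF AttributeTypeAndValue
            (_, oid), (_, val) = children(atv)
            names[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = val.decode("ascii")

    (_, key_alg), (_, key_bits) = children(spki)   # SubjectPublicKeyInfo
    key_oid = decode_oid(children(key_alg)[0][1])
    (_, rsa_key), = children(key_bits[1:])         # BIT STRING: skip unused-bits byte
    (_, modulus), (_, exponent) = children(rsa_key)  # RSAPublicKey { n, e }
    sig_oid = decode_oid(children(sig_alg)[0][1])
    return {
        "subject": names,
        "key_algorithm": OID_NAMES.get(key_oid, key_oid),
        "key_bits": int.from_bytes(modulus, "big").bit_length(),
        "exponent": int.from_bytes(exponent, "big"),
        "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
    }


def check_request(parsed: dict, expected_cn: str, min_bits: int = 2048,
                  allowed_sig=("sha256WithRSAEncryption",)) -> list:
    """Return policy findings (assumed policy; an empty list means acceptable)."""
    findings = []
    cn = parsed["subject"].get("commonName")
    if cn != expected_cn:
        findings.append("subject CN %r does not match entity %r" % (cn, expected_cn))
    if parsed["key_bits"] < min_bits:
        findings.append("RSA key is %d bits, below %d" % (parsed["key_bits"], min_bits))
    if parsed["signature_algorithm"] not in allowed_sig:
        findings.append("request signed with %s" % parsed["signature_algorithm"])
    return findings


if __name__ == "__main__":
    info = parse_csr(pem_to_der(ROUTER_A_REQUEST))
    print(info)
    for finding in check_request(info, expected_cn="routera"):
        print("WARNING:", finding)
```

The walker handles only what a PKCS#10 request from this kind of device contains (short and long-form lengths, PrintableString or UTF8String subject values); it is not a general ASN.1 library. Against the request above with the default thresholds it reports three findings: the CN does not match routera, the key is below 2048 bits, and the signature uses MD5.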

Send the certificate request in out-of-band mode to the CA server. Enter the URL http://1.1.1.101:8080/certsrv in the address bar to enter the page for requesting a certificate. On the page, click Request a certificate.

Figure 19 Certificate request page

 

The page shown in Figure 20 appears. Click Advanced certificate request.

Figure 20 Select advanced certificate request

 

The page as shown in Figure 21 appears. Click the link of Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file.

Figure 21 Advanced certificate request

 

On the new page as shown in Figure 22, paste the saved request information in the Saved Request text box, and click Submit.

Figure 22 Paste the certificate request information

 

If the certificate is issued, the page shown in Figure 23 appears.

Figure 23 Select certificate encoding method

 

Select DER encoded and then click Download certificate.

 

When importing the certificate later, be sure to select the same encoding method.

 

A dialog box appears. Save the issued local certificate locally as local_cert.cer.

Go back to the page for requesting a certificate at http://1.1.1.101:8080/certsrv, and then select Download a CA certificate, certificate chain, or CRL.

Figure 24 Certificate request page

 

Select DER as the encoding method, and click Download CA certificate.

Figure 25 Download the CA certificate

 

A dialog box appears. Save the CA certificate locally as ca_cert.cer.

After these steps, both certificates have been obtained in out-of-band mode.

Copy the CA certificate and the local certificate to Router A's storage by an out-of-band means. Then use the following commands to import the files on Router A.

# Import the CA certificate for the PKI domain in the encoding method of DER.

[RouterA] pki import-certificate ca domain domain1 der filename ca_cert.cer

Importing certificates. Please wait a while......

The trusted CA's finger print is:

    MD5  fingerprint:5A9C E2EA 7363 CDA2 3B4F 0C15 B3F7 6E7D

    SHA1 fingerprint:B58C B59D 2242 7244 7B83 F2E8 0C16 13EB E0BF 6526

 

Is the finger print correct?(Y/N):y

 

%Mar 13 20:32:56:158 2008 RouterA PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain domain1 is trusted.

Import CA certificate successfully.

[RouterA]

%Mar 13 20:32:56:186 2008 RouterA PKI/4/Update_CA_Cert:Update CA certificates of the Domain domain1 successfully.

%Mar 13 20:32:56:187 2008 RouterA PKI/4/Import_CA_Cert:Import CA certificates of the domain domain1 successfully.

[RouterA]

# Import the local certificate for the PKI domain in the encoding method of DER.

[RouterA] pki import-certificate local domain domain1 der filename local_cert.cer

Importing certificates. Please wait a while......

%Mar 13 20:35:54:364 2008 RouterA PKI/4/Verify_Cert:Verify certificate CN=routera of the domain domain1 successfully.

Import local certificate successfully.

[RouterA]

%Mar 13 20:35:54:376 2008 RouterA PKI/4/Import_Local_Cert:Import local certificate of the domain domain1 successfully.

[RouterA]

Configuration file

[RouterA] display current-configuration

#

 version 5.20, Beta 1505L01, Standard

#

 sysname RouterA

#

pki entity entityA

  common-name routera

  ip 2.2.2.1

#

pki domain domain1

  ca identifier ca server

  certificate request url http://1.1.1.101:8080/certsrv/mscep/mscep.dll

  certificate request from ra

  certificate request entity entityA

#

ike proposal 1

 authentication-method rsa-signature

#

ike peer peer1

 remote-address 3.3.3.1

 certificate domain domain1

#

ipsec proposal ipsprop1

#

ipsec policy policy1 1 isakmp

 security acl 3000

 ike-peer peer1

 proposal ipsprop1

#

acl number 3000

 rule 0 permit ip source 10.1.1.0 0.0.0.255

#

interface Serial2/0

 link-protocol ppp

 ip address 2.2.2.1 255.255.255.0

 ipsec policy policy1

#

return

Configuration on Router B

Configuration steps

1)        Configure PKI

# Create a PKI entity and enter its view. Configure the common name for the entity as routerb.

<RouterB> system-view

[RouterB] pki entity entityB

[RouterB-pki-entity-entityB] common-name routerb

[RouterB-pki-entity-entityB] ip 3.3.3.1

[RouterB-pki-entity-entityB] quit

# Create a PKI domain and enter its view.

[RouterB] pki domain domain2

# Specify the trusted CA as ca server, the common name given to the CA when Certificate Services was installed.

[RouterB-pki-domain-domain2] ca identifier ca server

# Configure the URL of the registration (SCEP) server in the format http://host:port/certsrv/mscep/mscep.dll, where host:port is the IP address and port number of the CA server. Because the TCP port of the default web site on the CA server was changed to 8080, the URL must carry port 8080.

[RouterB-pki-domain-domain2] certificate request url http://1.1.1.101:8080/certsrv/mscep/mscep.dll

# Specify that the entity requests a certificate from RA.

[RouterB-pki-domain-domain2] certificate request from ra

# Specify the entity for certificate request as entityB

[RouterB-pki-domain-domain2] certificate request entity entityB

[RouterB-pki-domain-domain2] quit

2)        Configure IKE

# Create an IKE proposal and specify the RSA digital signature method to be used by the IKE proposal.

[RouterB] ike proposal 2

[RouterB-ike-proposal-2] authentication-method rsa-signature

[RouterB-ike-proposal-2] quit

# Create an IKE peer.

[RouterB] ike peer peer2

# Specify the IP address of the remote IPsec gateway (Router A).

[RouterB-ike-peer-peer2] remote-address 2.2.2.1

# Configure the PKI domain as domain2 for IKE negotiation.

[RouterB-ike-peer-peer2] certificate domain domain2

[RouterB-ike-peer-peer2] quit

3)        Configure IPsec

# Create an ACL that identifies the traffic to be protected (IP packets destined for 10.1.1.0/24).

[RouterB] acl number 3000

[RouterB-acl-adv-3000] rule 0 permit ip destination 10.1.1.0 0.0.0.255

[RouterB-acl-adv-3000] quit

# Create an IPsec proposal.

[RouterB] ipsec proposal ipsprop2

# Configure IPsec proposal ipsprop2 to use ESP.

[RouterB-ipsec-proposal-ipsprop2] transform esp

# Configure IPsec proposal ipsprop2 to encapsulate IP packets in tunnel mode.

[RouterB-ipsec-proposal-ipsprop2] encapsulation-mode tunnel

# Configure IPsec proposal ipsprop2 to use DES as the ESP encryption algorithm. As on Router A, DES and HMAC-MD5 are obsolete platform defaults kept only for the lab.

[RouterB-ipsec-proposal-ipsprop2] esp encryption-algorithm des

# Configure IPsec proposal ipsprop2 to use HMAC-MD5 as the ESP authentication (integrity) algorithm.

[RouterB-ipsec-proposal-ipsprop2] esp authentication-algorithm md5

[RouterB-ipsec-proposal-ipsprop2] quit

# Create an IPsec policy.

[RouterB] ipsec policy policy2 1 isakmp

# Specify an ACL for the IPsec policy to reference.

[RouterB-ipsec-policy-isakmp-policy2-1] security acl 3000

# Reference an IKE peer in the IPSec policy.

[RouterB-ipsec-policy-isakmp-policy2-1] ike-peer peer2

# Specify the IPsec proposal for the IPsec policy to reference.

[RouterB-ipsec-policy-isakmp-policy2-1] proposal ipsprop2

[RouterB-ipsec-policy-isakmp-policy2-1] quit

# Apply the IPsec policy to an interface.

[RouterB] interface serial 2/0

[RouterB-Serial2/0] ipsec policy policy2

[RouterB-Serial2/0] quit

4)        Submit a certificate request

# Generate a local RSA key pair.

[RouterB] public-key local create rsa

Warning: The local key pair already exist.

Confirm to replace them? [Y/N]:y

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

......++++++

....++++++

......++++++++

...++++++++

A certificate request can be submitted in two ways, inband and out-of-band. Choose either as needed.

l          Inband mode

# Retrieve the CA certificate in online mode. As on Router A, verify the displayed fingerprints against values obtained out of band before answering Y.

[RouterB] pki retrieval-certificate ca domain domain2

Retrieving CA/RA certificates. Please wait a while......

The trusted CA's finger print is:

    MD5  fingerprint:8210 000F 4D51 48B2 21D4 12C4 9883 EE2F

    SHA1 fingerprint:1A56 A74F 219F 8E98 EE38 B556 2B5A 2275 F097 2536

 

Is the finger print correct?(Y/N):y

 

Saving CA/RA certificates chain, please wait a moment......

CA certificates retrieval success.

# Request a local certificate from a CA through SCEP.

[RouterB] pki request-certificate domain domain2

Certificate is being requested, please wait......

[RouterB]

Enrolling the local certificate,please wait a while......

Certificate request Successfully!

Saving the local certificate to device......

Done!

l          Out-of-band mode

The procedure is the same as on Router A and is omitted here. After obtaining the certificates, use the following commands to import the files on Router B.

[RouterB] pki import-certificate ca domain domain2 der filename ca_cert.cer

Importing certificates. Please wait a while......

The trusted CA's finger print is:

    MD5  fingerprint:5A9C E2EA 7363 CDA2 3B4F 0C15 B3F7 6E7D

    SHA1 fingerprint:B58C B59D 2242 7244 7B83 F2E8 0C16 13EB E0BF 6526

 

Is the finger print correct?(Y/N):y

 

%Mar 14 09:06:54:504 2008 RouterB PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain domain2 is trusted.

Import CA certificate successfully.

[RouterB]

%Mar 14 09:06:54:575 2008 RouterB PKI/4/Update_CA_Cert:Update CA certificates of the Domain domain2 successfully.

%Mar 14 09:06:54:575 2008 RouterB PKI/4/Import_CA_Cert:Import CA certificates of the domain domain2 successfully.

[RouterB]

[RouterB] pki import-certificate local domain domain2 der filename local_cert.cer

Importing certificates. Please wait a while......

%Mar 14 09:07:11:494 2008 RouterB PKI/4/Verify_Cert:Verify certificate CN= routerb of the domain domain2 successfully.

Import local certificate successfully.

[RouterB]

%Mar 14 09:07:11:506 2008 RouterB PKI/4/Import_Local_Cert:Import local certificate of the domain domain2 successfully.

[RouterB]

Configuration file

[RouterB] display current-configuration

#

 version 5.20, Beta 1505L01, Standard

#

 sysname RouterB

#

pki entity entityB

  common-name routerb

  ip 3.3.3.1

#

pki domain domain2

  ca identifier ca server

  certificate request url http://1.1.1.101:8080/certsrv/mscep/mscep.dll

  certificate request from ra

  certificate request entity entityB

#

ike proposal 2

 authentication-method rsa-signature

#

ike peer peer2

 remote-address 2.2.2.1

 certificate domain domain2

#

ipsec proposal ipsprop2

#

ipsec policy policy2 1 isakmp

 security acl 3000

 ike-peer peer2

 proposal ipsprop2

#

acl number 3000

 rule 0 permit ip destination 10.1.1.0 0.0.0.255

#

interface Serial2/0

 link-protocol ppp

 ip address 3.3.3.1 255.255.255.0

 ipsec policy policy2

#

return

Verification

After the configuration, display IKE SA information on Router A and Router B. Because no traffic has yet matched the ACL, the output shows that no IKE SA has been set up.

# Display IKE SA information on Router A.

[RouterA] display ike sa

    total phase-1 SAs:  0

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

[RouterA]

# Display IKE SA information on Router B.

[RouterB] display ike sa

    total phase-1 SAs:  0

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

[RouterB]

Ping the host in Group 2 from Group 1. IKE negotiation will be triggered. Then display IKE SA information again on Router A and Router B. The information shows that an IKE SA has been set up and the ping operation succeeded.

 

If Router A and Router B have not obtained the CA and local certificates when IKE negotiation is triggered, the IKE negotiation fails and a temporary SA is set up. The following output is displayed when both routers have obtained the CA and local certificates and an IKE SA has been set up successfully.

 

[RouterA] display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

     182          3.3.3.1         RD|ST         2     IPSEC 

     181          3.3.3.1         RD|ST         1     IPSEC

 

  flag meaning

  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

 

[RouterB] display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

      434          2.2.2.1         RD|ST         2     IPSEC 

      433          2.2.2.1         RD|ST         1     IPSEC

 

  flag meaning

  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

Certificate-Based SSL Configuration Example

Secure Sockets Layer (SSL) is a security protocol that provides a secure connection for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to secure data transmission over the Internet.

With PKI, SSL encrypts the data exchanged between the client and the server and supports certificate-based authentication of the server and, optionally, the client.

Network Requirements

As shown in Figure 26, the network administrator is not in the same city as the corporate network and needs to log in to and manage the gateway of the intranet securely. The requirements include:

l          The administrator uses host Admin to establish an HTTPS connection with Gateway.

l          The security mechanism of SSL is used for the HTTPS server (Gateway) and the HTTPS client (Admin) to authenticate each other.

Figure 26 Network diagram for certificate-based SSL configuration

 

Configuration Considerations

l          Because SSL supports certificate-based authentication of both the server and the client, configure the CA server to issue certificates to the gateway device and to the host.

l          Configure the gateway device as an SSL server and enable HTTPS service.

l          The host connects with the gateway using HTTPS. Identity authentication of the client is optional. If the authentication is configured, you need to request a certificate for the host.

Configuration Procedures

For detailed configuration steps of certificate-based SSL, refer to HTTPS configuration Example.

References

HTTPS Configuration Example

 

 

 

 

 

 

 

 

Copyright © 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.