Using an external certificate server as the IKEv2 authentication method

hostname Server
!
enable password cisco
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 61.128.1.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 61.128.1.10
!
===================================================
ip name-server 61.128.1.100
ip domain name qytang.com
ip domain-lookup
!
crypto key generate rsa label Server.qytang.com modulus 1024
!
crypto pki trustpoint CA
 enrollment terminal
 fqdn Server.qytang.com
 subject-name cn=Server.qytang.com,ou=qytang
 revocation-check none
 rsakeypair Server.qytang.com 1024
 eku request server-auth
!
aaa new-model
!
aaa authentication login noacs none
aaa authorization network Lxf-Local-Grp-Auth-List local
!
line con 0
 login authentication noacs
!
ip access-list standard Server-Network
 permit 10.1.1.0 0.0.0.255
!
ip local pool Lxf-Address-Pool 192.168.1.100 192.168.1.200
!
crypto ikev2 authorization policy Lxf-IKEv2-Author-Policy
 pool Lxf-Address-Pool
 route set access-list Server-Network
===========================================================
!
crypto pki certificate map Lxf-Cert-Map 10
 subject-name co ou = hardwareclient
!
crypto ikev2 profile Lxf-IKEv2-Profile
 match certificate Lxf-Cert-Map
 identity local fqdn Server.qytang.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA
 aaa authorization group cert list Lxf-Local-Grp-Auth-List Lxf-IKEv2-Author-Policy
 virtual-template 1
!
crypto ipsec profile Lxf-IPSec-Profile
 set ikev2-profile Lxf-IKEv2-Profile
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Lxf-IPSec-Profile
------------------------------------------------------------------------------
hostname Client
!
enable password cisco
!
interface GigabitEthernet1
 ip address 202.100.1.1 255.255.255.0
 no shutdown
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
!
===================================================
ip name-server 61.128.1.100
ip domain name qytang.com
ip domain-lookup
!
crypto key generate rsa label Client.qytang.com modulus 1024
!
crypto pki trustpoint CA
 enrollment terminal
 fqdn Client.qytang.com
 subject-name cn=Client.qytang.com,ou=HardwareClient
 revocation-check none
 rsakeypair Client.qytang.com 1024
 eku request client-auth
!
===========================================================
aaa new-model
!
aaa authentication login noacs none
aaa authorization network Lxf-Local-Grp-Auth-List local
!
line con 0
 login authentication noacs
!
ip access-list standard Client-Network
 permit 172.16.1.0 0.0.0.255
!
crypto ikev2 authorization policy Lxf-IKEv2-Author-Policy
 route set access-list Client-Network
===========================================================
crypto pki certificate map Lxf-Cert-Map 10
 subject-name co ou = qytang
!
crypto ikev2 profile Lxf-IKEv2-Profile
 match certificate Lxf-Cert-Map
 identity local fqdn Client.qytang.com
 authentication remote rsa-sig
 authentication local rsa-sig
 aaa authorization group cert list Lxf-Local-Grp-Auth-List Lxf-IKEv2-Author-Policy
 pki trustpoint CA
!
crypto ipsec profile Lxf-IPSec-Profile
 set ikev2-profile Lxf-IKEv2-Profile
!
interface Tunnel0
 ip address negotiated
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile Lxf-IPSec-Profile
!
crypto ikev2 client flexvpn Lxf-Flex-Client
 peer 1 61.128.1.1
 client connect Tunnel0
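The two certificate maps above (`subject-name co ou = hardwareclient` on the server, `subject-name co ou = qytang` on the client) are what decide whether a peer's certificate selects Lxf-IKEv2-Profile at all. The following is an added Python example, not configuration or code from the page, that models how such a rule is evaluated against a certificate subject so the maps can be checked before the tunnel is brought up. It assumes that `co` is a case-insensitive substring test (the page itself relies on that: the map says hardwareclient, the subject says HardwareClient) and that all lines of one map sequence must match.

```python
import re

# Constructed inputs mirroring the page's configuration (not the page's own code).
SERVER_MAP = "subject-name co ou = hardwareclient"   # server: which clients to accept
CLIENT_MAP = "subject-name co ou = qytang"           # client: which server to accept
SERVER_SUBJECT = "cn=Server.qytang.com,ou=qytang"
CLIENT_SUBJECT = "cn=Client.qytang.com,ou=HardwareClient"


def _norm(dn):
    """Lower-case and drop whitespace around '=' and ',' so 'ou = x' equals 'ou=x'."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def cert_map_rule_matches(rule, subject):
    """Evaluate one IOS-style 'subject-name <op> <value>' rule against a subject DN.

    Operators: eq (equal), ne (not equal), co (contains), nc (not contains).
    Assumption: the comparison is case-insensitive, as the page's config relies on.
    """
    m = re.match(r"subject-name\s+(eq|ne|co|nc)\s+(.*)", rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    op, value = m.group(1), _norm(m.group(2))
    subj = _norm(subject)
    return {"eq": subj == value, "ne": subj != value,
            "co": value in subj, "nc": value not in subj}[op]


def peer_accepted(rules, subject):
    """A map sequence accepts the peer only if every rule in it matches (assumed AND)."""
    return all(cert_map_rule_matches(r, subject) for r in rules)


if __name__ == "__main__":
    # Server side: the client's certificate selects the profile.
    print(peer_accepted([SERVER_MAP], CLIENT_SUBJECT))           # True
    # Server side: another server-style certificate (ou=qytang) does not.
    print(peer_accepted([SERVER_MAP], SERVER_SUBJECT))           # False
    # Client side: the server's certificate matches the client's map.
    print(peer_accepted([CLIENT_MAP], SERVER_SUBJECT))           # True
    # 'co' is a substring test, so a longer OU under the same prefix also passes.
    print(peer_accepted([CLIENT_MAP], "cn=x,ou=qytang-lab"))     # True
    # 'eq' on the full subject is the strict form.
    print(peer_accepted(["subject-name eq cn=Server.qytang.com, ou=qytang"],
                        SERVER_SUBJECT))                         # True
```

The last two checks are the caveat worth keeping in mind: a `co` rule on an OU accepts any subject whose OU merely contains the value, so the map is only as selective as the CA's issuance policy for that OU.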

Verification

Requesting the certificate

Importing the certificate

Root certificate