Good day!
Please point me in the right direction. I have run into a puzzling situation with building tunnels on certificates. The setup is as follows.
1. The head office has 2 Internet connections on 2 different routers: a 2911 (1) and a 2811 (2).
2. The remote offices (Cisco 851 or 857) connect to both routers via Tunnel 1 and Tunnel 2 respectively.
3. RIP is used for dynamic routing (there is no other protocol on them) with priorities. Tunnel 1 is primary, Tunnel 2 takes over if Tunnel 1 goes down.
4. With PRESHARED-KEY everything works. Without any problems.
I wanted to use certificates instead of the preshared key. Each router has a public IP address, and each router has a DNS mapping of its IP address to a name of the form router1.domain.com. The certificates were issued through the service https://www.startssl.com/. To generate the keys and certificate requests I used the following article:
http://anticisco.ru/forum/viewtopic.php ... 988#p66275
Here is what came of it. On the 2811 router everything works; on the 2911 it does not. Debug on the 2911 shows that IKE phase 1 does not complete.
2911 config, sh run:
Code:
!
crypto pki trustpoint **.domain.ru
enrollment terminal
fqdn **.domain.ru
revocation-check none
rsakeypair **.domain.ru
!
crypto pki certificate chain **.domain.ru
--More--
!
crypto isakmp policy 1
encr aes
group 2
!
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile AES128SHA
set transform-set AES128SHA
set pfs group2
!
interface Tunnel1
description RT857W-***
bandwidth 2000
ip address 10.63.70.1 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination ***
tunnel path-mtu-discovery
tunnel protection ipsec profile AES128SHA
!
sh crypto pki certificates
Code:
Certificate
Status: Available
Certificate Serial Number (hex): 70B7754CCF1D847D
Certificate Usage: General Purpose
Issuer:
cn=StartCom BR SSL ICA
ou=StartCom Certification Authority
o=StartCom CA
c=ES
Subject:
Name:**.domain.ru
cn=**.domain.ru
c=RU
CRL Distribution Points:
http://crl.startcomca.com/sca-server1.crl
Validity Date:
start date: 07:49:43 SAMT Apr 20 2017
end date: 23:59:00 SAMT Apr 19 2019
Associated Trustpoints: **.domain.ru
Storage: nvram:StartComBRSS#847D.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 14C9792B2B1DA926
Certificate Usage: Signature
Issuer:
cn=StartCom Certification Authority G3
o=StartCom CA
c=ES
Subject:
cn=StartCom BR SSL ICA
ou=StartCom Certification Authority
o=StartCom CA
c=ES
CRL Distribution Points:
http://crl.startcomca.com/sfscabr.crl
Validity Date:
start date: 16:32:39 SAMT Apr 7 2017
end date: 04:49:42 SAMT Feb 14 1906
Associated Trustpoints: **.domain.ru
Storage: nvram:StartComCert#A926CA.cer
sh crypto isakmp sa
Code:
IPv4 Crypto ISAKMP SA
dst src state conn-id status
*** *** MM_NO_STATE 1164 ACTIVE (deleted)
*** *** MM_NO_STATE 1169 ACTIVE (deleted)
*** *** MM_KEY_EXCH 1172 ACTIVE
*** *** MM_NO_STATE 1163 ACTIVE (deleted)
*** *** MM_NO_STATE 1168 ACTIVE (deleted)
*** *** MM_KEY_EXCH 1175 ACTIVE
*** *** MM_NO_STATE 1167 ACTIVE (deleted)
*** *** MM_NO_STATE 1170 ACTIVE (deleted)
*** *** MM_NO_STATE 1166 ACTIVE (deleted)
*** *** MM_KEY_EXCH 1174 ACTIVE
*** *** MM_NO_STATE 1171 ACTIVE (deleted)
*** *** MM_KEY_EXCH 1173 ACTIVE
*** *** MM_NO_STATE 1165 ACTIVE (deleted)
2811 config, sh run:
Code:
!
crypto pki trustpoint **.domain.ru
enrollment terminal
fqdn **.domain.ru
revocation-check none
rsakeypair **.domain.ru
!
crypto pki certificate chain **.domain.ru
--More--
!
crypto isakmp policy 1
encr aes
group 2
!
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile AES128SHA
set transform-set AES128SHA
set pfs group2
!
interface Tunnel1
description RT857W-***
bandwidth 320
ip address 10.63.70.33 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0.94
tunnel destination ***
tunnel path-mtu-discovery
tunnel protection ipsec profile AES128SHA
!
sh crypto pki certificates
Code:
Certificate
Status: Available
Certificate Serial Number (hex): 2600F357B41B7A4D
Certificate Usage: General Purpose
Issuer:
cn=StartCom BR SSL ICA
ou=StartCom Certification Authority
o=StartCom CA
c=ES
Subject:
Name: ***.domain.ru
cn=***.domain.ru
c=RU
CRL Distribution Points:
http://crl.startcomca.com/sca-server1.crl
Validity Date:
start date: 11:30:20 SAMT Apr 19 2017
end date: 03:39:00 SAMT Apr 19 2019
Associated Trustpoints: ***.domain.ru
Storage: nvram:StartComBRSS#7A7A.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 14C9792B2B1DA926
Certificate Usage: Signature
Issuer:
cn=StartCom Certification Authority G3
o=StartCom CA
c=ES
Subject:
cn=StartCom BR SSL ICA
ou=StartCom Certification Authority
o=StartCom CA
c=ES
CRL Distribution Points:
http://crl.startcomca.com/sfscabr.crl
Validity Date:
start date: 16:32:39 SAMT Apr 7 2017
end date: 04:49:42 SAMT Feb 14 1906
Associated Trustpoints: CUS.VLMRK.RU
Storage: nvram:StartComCert#A9A9CA.cer
sh crypto isakmp sa
Code:
*** *** QM_IDLE 4893 ACTIVE
*** *** QM_IDLE 4509 ACTIVE
*** *** QM_IDLE 4624 ACTIVE
*** *** QM_IDLE 4773 ACTIVE
857 config, sh run:
Code:
!
crypto pki trustpoint **.domain.ru
enrollment terminal
fqdn **.domain.ru
revocation-check none
rsakeypair **.domain.ru
!
crypto pki certificate chain **.domain.ru
--More--
!
crypto isakmp policy 1
encr aes
group 2
!
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile AES128SHA
set transform-set AES128SHA
set pfs group2
!
interface Tunnel1
description RT2911
bandwidth 2000
ip address 10.63.70.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination ***
tunnel path-mtu-discovery
tunnel protection ipsec profile AES128SHA
!
interface Tunnel2
description RT2811
bandwidth 320
ip address 10.63.70.34 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination ***
tunnel path-mtu-discovery
tunnel protection ipsec profile AES128SHA
!
sh crypto pki certificates
Code:
Certificate
Status: Available
Certificate Serial Number: 0xBCDC71F7B286124
Certificate Usage: General Purpose
Issuer:
cn=StartCom BR SSL ICA
ou=StartCom Certification Authority
o=StartCom CA
c=ES
Subject:
Name: ***.domain.ru
cn=***.domain.ru
c=RU
CRL Distribution Points:
http://crl.startcomca.com/sca-server1.crl
Validity Date:
start date: 10:56:14 SAMT Apr 19 2017
end date: 03:05:00 SAMT Apr 19 2019
Associated Trustpoints: ***.domain.ru
CA Certificate
Status: Available
Certificate Serial Number: 0x14C9792B2B1DA926
Certificate Usage: Signature
Issuer:
cn=StartCom Certification Authority G3
o=StartCom CA
c=ES
Subject:
cn=StartCom BR SSL ICA
ou=StartCom Certification Authority
o=StartCom CA
c=ES
CRL Distribution Points:
http://crl.startcomca.com/sfscabr.crl
Validity Date:
start date: 16:32:39 SAMT Apr 7 2017
end date: 04:49:42 SAMT Feb 14 1906
Associated Trustpoints: ***.domain.ru
sh crypto isakmp sa
Code:
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
*** *** MM_NO_STATE 2188 0 ACTIVE (deleted)
*** *** MM_KEY_EXCH 2189 0 ACTIVE
*** *** QM_IDLE 2038 0 ACTIVE
On the 2911 I have tried every IOS version, regenerated the keys and requests, even tried a different domain name, all to no avail.
Are there perhaps some configuration peculiarities of the 2911 compared to the 2811?
Thanks in advance for any hints...
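The post quotes two outputs that carry the diagnostic signal for a certificate-based IKE failure: `show crypto isakmp sa`, where the 2911's peers sit in MM_NO_STATE / MM_KEY_EXCH while the 2811's reach QM_IDLE, and `show crypto pki certificates`, where the CA certificate's end date (Feb 14 1906) precedes its start date. The following is an added example, not code from the poster or from Cisco: a small checker that parses both outputs, reports which peers never completed main mode, and flags certificates whose validity window is impossible or does not contain the router's current time. The peer addresses, the host name rt2911.example.net and the sample output text are constructed to mirror the post; the serial numbers and CA names are the ones shown above.

```python
"""Added example (not from the original post): a checker for the two IOS outputs
quoted above, `show crypto isakmp sa` and `show crypto pki certificates`.
Peer addresses, host names and the sample text are constructed."""
import re
from datetime import datetime

# Constructed sample output; the states and dates mirror the post.
ISAKMP_2911 = """IPv4 Crypto ISAKMP SA
dst src state conn-id status
203.0.113.1 198.51.100.7 MM_NO_STATE 1164 ACTIVE (deleted)
203.0.113.1 198.51.100.7 MM_KEY_EXCH 1172 ACTIVE
203.0.113.1 198.51.100.8 MM_NO_STATE 1163 ACTIVE (deleted)
"""
ISAKMP_2811 = """IPv4 Crypto ISAKMP SA
dst src state conn-id status
203.0.113.2 198.51.100.7 QM_IDLE 4893 ACTIVE
"""
CERTS_2911 = """Certificate
  Certificate Serial Number (hex): 70B7754CCF1D847D
  Subject:
    cn=rt2911.example.net
  Validity Date:
    start date: 07:49:43 SAMT Apr 20 2017
    end   date: 23:59:00 SAMT Apr 19 2019
CA Certificate
  Certificate Serial Number (hex): 14C9792B2B1DA926
  Issuer:
    cn=StartCom Certification Authority G3
  Subject:
    cn=StartCom BR SSL ICA
  Validity Date:
    start date: 16:32:39 SAMT Apr 7 2017
    end   date: 04:49:42 SAMT Feb 14 1906
"""

# Main-mode progression; an SA that stops before QM_IDLE never finished phase 1.
STATE_ORDER = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"]
SA_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(MM_\w+|QM_\w+|AG_\w+)\s+(\d+)\s+(?:\d+\s+)?(\w+)(\s+\(deleted\))?")
DATE_RE = re.compile(
    r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3}\s+\d{1,2}\s+\d{4})")


def summarize_isakmp(text):
    """Map each peer (src column) to the furthest state any of its SAs reached.
    Torn-down SAs rank below live ones and keep a ' (deleted)' suffix."""
    best = {}
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:  # header lines do not match the SA pattern
            continue
        peer, state, deleted = m.group(2), m.group(3), bool(m.group(6))
        rank = STATE_ORDER.index(state) if state in STATE_ORDER else -1
        if deleted:
            rank -= len(STATE_ORDER)
            state += " (deleted)"
        if rank > best.get(peer, (None, -99))[1]:
            best[peer] = (state, rank)
    return {peer: state for peer, (state, _) in best.items()}


def phase1_stuck(text):
    """Peers with no live QM_IDLE SA, i.e. IKE phase 1 did not complete."""
    return sorted(p for p, s in summarize_isakmp(text).items() if s != "QM_IDLE")


def parse_certificates(text):
    """Split certificate output into dicts with kind, serial, subject cn and
    parsed validity dates (the timezone token, e.g. SAMT, is ignored)."""
    certs, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            current = {"kind": line, "serial": None, "cn": None, "start": None, "end": None}
            certs.append(current)
            section = None
            continue
        if current is None:
            continue
        m = DATE_RE.search(line)
        if m:
            current[m.group(1)] = datetime.strptime(
                f"{m.group(2)} {m.group(3)}", "%H:%M:%S %b %d %Y")
        elif line.startswith("Certificate Serial Number"):
            current["serial"] = line.split(":", 1)[1].strip()
        elif line in ("Issuer:", "Subject:"):
            section = line[:-1]
        elif line.startswith("cn=") and section == "Subject":
            current["cn"] = line[3:]
    return certs


def check_certificates(certs, now):
    """Return (cn, problem) for every certificate that is not usable at `now`."""
    problems = []
    for c in certs:
        if c["start"] is None or c["end"] is None:
            problems.append((c["cn"], "validity dates missing"))
        elif c["end"] < c["start"]:
            problems.append((c["cn"], "end date precedes start date: verify the certificate and the router clock/NTP"))
        elif not c["start"] <= now <= c["end"]:
            problems.append((c["cn"], "not within its validity window at the router's current time"))
    return problems
```

Run `phase1_stuck(ISAKMP_2911)` against the real output of each head-end router to see which peers stall in main mode, and `check_certificates(parse_certificates(output), now)` with the router's own `show clock` time as `now`; a certificate flagged for an inverted validity window, as the CA certificate in the post is, is worth re-checking on both routers before comparing anything else, since phase 1 with rsa-sig authentication cannot succeed unless the chain validates at the router's current time.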