Troubleshooting Guide for the Cisco ASA 5505 Adaptive Security Appliance

ASA
1. Create a domain-name and hostname, which are prerequisites for creating an EC key pair.
   domain-name cisco.com
   hostname ASA1
   crypto key generate ecdsa label asa1.cisco.com elliptic-curve 256
2. Create a local trustpoint in order to obtain a certificate from the CA.
   crypto ca trustpoint ec_ca
    enrollment terminal
    subject-name cn=asa1.cisco.com
    revocation-check none
    keypair asa1.cisco.com
   Note: Because the CA is offline, revocation checking is disabled; enable revocation checking for maximum security in a production environment.
3. Authenticate the trustpoint. This obtains a copy of the CA's certificate, which contains the CA's public key.
   crypto ca authenticate ec_ca
4. You are then prompted to enter the base64-encoded certificate of the CA. This is the file ca.pem, which was created with OpenSSL. To view this file, open it in an editor or with the OpenSSL command openssl x509 -in ca.pem. Enter quit after you paste this file, and then type yes to accept.
5. Enroll the ASA into the PKI on the CA.
   crypto ca enroll ec_ca
6. The output that you receive is the certificate request to submit to the CA. Save it as a text file (asa.csr) and sign it with this OpenSSL command:
   openssl ca -keyfile ca.key -cert ca.pem -md sha256 -in asa.csr -out asa.pem
7. Import the certificate generated by the CA, which is contained in the file asa.pem, into the ASA after this command is entered. Enter quit when you are done.
   crypto ca import ec_ca certificate
Configuration
FlexVPN
Create a certificate map to match the certificate of the peer device.
crypto pki certificate map certmap 10
 subject-name co cisco.com
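To check that a certificate signed as in step 6 actually fits the ec_ca trustpoint and the certificate map above (P-256 key, ecdsa-with-SHA256 signature, chains to ca.pem, subject containing cisco.com), here is an added shell example that is not part of the Cisco document. It assumes only the openssl CLI, builds a throwaway CA in a temporary directory, and stands in for the ASA's own CSR with one generated by OpenSSL; the file names follow the document.

```shell
# Added example, not from the Cisco document. Assumes the openssl CLI.
# Builds a throwaway P-256 CA, signs a CSR for asa1.cisco.com, and checks the
# result against what the ec_ca trustpoint and the certmap expect.
set -e
WORK=$(mktemp -d)

# Offline CA: P-256 key plus a self-signed, SHA-256-signed certificate.
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -new -x509 -sha256 -days 365 -key "$WORK/ca.key" \
    -subj "/CN=EC CA" -out "$WORK/ca.pem"
}

# Stand-in for "crypto ca enroll ec_ca": on the ASA the appliance generates the
# key and CSR; here OpenSSL does it with the same subject as the trustpoint.
make_asa_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/asa.key"
  openssl req -new -sha256 -key "$WORK/asa.key" \
    -subj "/CN=asa1.cisco.com" -out "$WORK/asa.csr"
}

# Step 6 uses "openssl ca", which needs a prepared CA database (index, serial,
# config). "openssl x509 -req" signs the same CSR without that setup.
sign_asa_csr() {
  openssl x509 -req -sha256 -days 365 -in "$WORK/asa.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/asa.pem"
}

# check_asa_cert CERT CA: succeeds only if CERT chains to CA, carries a 256-bit
# EC key, is signed with ecdsa-with-SHA256, and its subject contains cisco.com
# (the string that "subject-name co cisco.com" matches on).
check_asa_cert() {
  cert=$1; ca=$2
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' || return 1
  echo "$text" | grep -q 'Public-Key: (256 bit)' || return 1
  echo "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA256' || return 1
  openssl x509 -in "$cert" -noout -subject | grep -q 'cisco.com' || return 1
}

make_ca
make_asa_csr
sign_asa_csr
check_asa_cert "$WORK/asa.pem" "$WORK/ca.pem" && echo "asa.pem fits the FlexVPN config"
```

Run the same check_asa_cert against the certificate the ASA actually imported in step 7 (export it from the appliance first) to confirm the peer will pass the certificate map.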
Enter these commands for the IKEv2 proposal in the Suite-B configuration:
Note: For maximum security, configure aes-cbc-256 encryption with the sha512 hash.
crypto ikev2 proposal default
 encryption aes-cbc-128
 integrity sha256
 group 19
Match the IKEv2 profile to the certificate map and use ECDSA with the trustpoint defined previously.
crypto ikev2 profile default