Cisco ASA 5585-X Adaptive Security Appliance Troubleshooting Guide
crypto map mymap 10 set peer 10.10.10.1
crypto map mymap 10 set ikev2 ipsec-proposal prop1
crypto map mymap 10 set trustpoint ec_ca
crypto map mymap interface outside
These commands configure the IKEv2 policy with NGE (Next Generation Encryption):
crypto ikev2 policy 10
encryption aes
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
Tunnel-group commands configured for the peer:
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
peer-id-validate cert
ikev2 remote-authentication certificate
ikev2 local-authentication certificate ec_ca
Connection Verification
Verify that the ECDSA keys have been successfully generated.
Router1#show crypto key mypubkey ec router1.cisco.com
% Key pair was generated at: 21:28:26 UTC Feb 19 2013
Key name: router1.cisco.com
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
<...omitted...>
ASA-1(config)#show crypto key mypubkey ecdsa
Key pair was generated at: 21:11:24 UTC Feb 19 2013
Key name: asa1.cisco.com
Usage: General Purpose Key
EC Size (bits): 256
Key Data:
<...omitted...>
Verify that the certificate has successfully been imported and that ECDSA is used.
Router1#show crypto pki certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 0137
Certificate Usage: General Purpose
Issuer:
<...omitted...>
Subject Key Info:
Public Key Algorithm: rsaEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
ASA-1(config)#show crypto ca certificates
CA Certificate