Cisco ASA 5585-X Adaptive Security Appliance Troubleshooting Guide

crypto map mymap 10 set peer 10.10.10.1
crypto map mymap 10 set ikev2 ipsec-proposal prop1
crypto map mymap 10 set trustpoint ec_ca
crypto map mymap interface outside
This command configures the IKEv2 policy with NGE:
crypto ikev2 policy 10
 encryption aes
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
Tunnel-group commands configured for the peer:
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 peer-id-validate cert
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ec_ca
Connection Verification
Verify that the ECDSA keys have been successfully generated.
Router1#show crypto key mypubkey ec router1.cisco.com
% Key pair was generated at: 21:28:26 UTC Feb 19 2013
Key name: router1.cisco.com
Key type: EC KEYS
 Storage Device: private-config
 Usage: Signature Key
 Key is not exportable.
 Key Data:
<...omitted...>
ASA-1(config)#show crypto key mypubkey ecdsa
Key pair was generated at: 21:11:24 UTC Feb 19 2013
Key name: asa1.cisco.com
 Usage: General Purpose Key
 EC Size (bits): 256
 Key Data:
<...omitted...>
Verify that the certificate has successfully been imported and that ECDSA is used.
Router1#show crypto pki certificates verbose
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 0137
  Certificate Usage: General Purpose
  Issuer:
<...omitted...>
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    EC Public Key:  (256 bit)
  Signature Algorithm: SHA256 with ECDSA
ASA-1(config)#show crypto ca certificates
CA Certificate
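The verification steps above are done by eye on the CLI. As an added example, not part of this guide and not Cisco code, the Python script below automates the same checks over captured text: it parses the indented attributes of a crypto ikev2 policy block and the key and certificate show output in the formats shown on this page, and reports anything that does not match the NGE configuration (AES encryption, SHA-2 integrity and PRF, ECDH group, EC key, ECDSA/SHA-2 certificate signature). The accepted value sets in NGE_ALLOWED and the 256-bit minimum are my assumptions about NGE policy, and the sample policy, key and certificate texts are constructed here to mirror the page; a legacy policy is included only to show what gets flagged.

```python
import re

# Constructed sample inputs, mirroring the configuration and show output on this page.
IKEV2_POLICY_NGE = """\
crypto ikev2 policy 10
 encryption aes
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
"""

# Constructed legacy policy, used only to show what the checker flags.
IKEV2_POLICY_LEGACY = """\
crypto ikev2 policy 20
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
"""

SHOW_KEY_EC = """\
Key pair was generated at: 21:11:24 UTC Feb 19 2013
Key name: asa1.cisco.com
 Usage: General Purpose Key
 EC Size (bits): 256
 Key Data:
"""

SHOW_CERT_EC = """\
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 0137
  Subject Key Info:
    EC Public Key:  (256 bit)
  Signature Algorithm: SHA256 with ECDSA
"""

# Assumption: these accepted sets follow NGE (Suite B style) guidance as I understand it;
# adjust them to local policy before running the script against real devices.
NGE_ALLOWED = {
    "integrity": {"sha256", "sha384", "sha512"},
    "group": {"19", "20", "21"},  # ECDH P-256 / P-384 / P-521
    "prf": {"sha256", "sha384", "sha512"},
}


def parse_policy(text):
    """Return {attribute: value} for the indented lines of one crypto ikev2 policy block."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s+(encryption|integrity|group|prf)\s+(\S+)", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def policy_findings(attrs):
    """List the IKEv2 policy attributes outside the NGE set (empty list means pass)."""
    findings = []
    enc = attrs.get("encryption", "")
    if not enc.startswith("aes"):
        findings.append(f"encryption '{enc or 'missing'}' is not an AES variant")
    for key, allowed in NGE_ALLOWED.items():
        val = attrs.get(key, "")
        if val not in allowed:
            findings.append(f"{key} '{val or 'missing'}' not in {sorted(allowed)}")
    return findings


def key_findings(text, min_bits=256):
    """Check 'show crypto key mypubkey' output (ASA or IOS format) for an EC key."""
    m = re.search(r"EC Size \(bits\):\s*(\d+)", text)
    if m:
        if int(m.group(1)) < min_bits:
            return [f"EC key size {m.group(1)} is below {min_bits} bits"]
        return []
    if re.search(r"Key type:\s*EC KEYS", text):
        return []  # IOS format reports the key type but not the size
    return ["no EC key reported (key may not be ECDSA)"]


def cert_findings(text, min_bits=256):
    """Check certificate show output: Available state, EC key, ECDSA/SHA-2 signature."""
    findings = []
    if not re.search(r"Status:\s*Available", text):
        findings.append("certificate is not in the Available state")
    m = re.search(r"EC Public Key:\s*\((\d+) bit\)", text)
    if not m:
        findings.append("no EC public key found in the certificate")
    elif int(m.group(1)) < min_bits:
        findings.append(f"EC public key is {m.group(1)} bits, below {min_bits}")
    if not re.search(r"Signature Algorithm:\s*SHA(256|384|512) with ECDSA", text):
        findings.append("certificate signature is not SHA-2 with ECDSA")
    return findings


if __name__ == "__main__":
    for label, text in (("policy 10", IKEV2_POLICY_NGE), ("policy 20", IKEV2_POLICY_LEGACY)):
        print(label, policy_findings(parse_policy(text)) or "OK")
    print("key", key_findings(SHOW_KEY_EC) or "OK")
    print("cert", cert_findings(SHOW_CERT_EC) or "OK")
```

In practice the inputs come from a saved copy of show running-config and the two show commands; the script only reads text, so it can run on an audit host with no device access. Note that it checks the negotiated algorithm names, not whether the peer actually accepted them, so pair it with show crypto ikev2 sa on a live tunnel.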