Example: Configuring IKE negotiation with RSA digital signature from a Windows Server 2003 CA server
Network configuration
As shown in Figure 107, an IPsec tunnel must be established between Device A and Device B. The IPsec tunnel protects the traffic between Host A on subnet 10.1.1.0/24 and Host B on subnet 1.1.1.0/24.
Device A and Device B use IKE to set up the SAs, and the IKE proposal uses RSA digital signature as the identity authentication method.
Device A and Device B use the same CA.
Figure 107: Network diagram
Configuring the Windows Server 2003 CA server
See "Example: Requesting a certificate from a Windows Server 2003 CA server."
Configuring Device A
# Configure a PKI entity.
<DeviceA> system-view
[DeviceA] pki entity en
[DeviceA-pki-entity-en] ip 2.2.2.1
[DeviceA-pki-entity-en] common-name devicea
[DeviceA-pki-entity-en] quit
# Configure a PKI domain.
[DeviceA] pki domain 1
[DeviceA-pki-domain-1] ca identifier CA1
[DeviceA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll
[DeviceA-pki-domain-1] certificate request entity en
[DeviceA-pki-domain-1] ldap-server host 1.1.1.102
# Configure the device to send certificate requests to the RA.
[DeviceA-pki-domain-1] certificate request from ra
# Configure a 1024-bit general-purpose RSA key pair named abc for certificate request.
[DeviceA-pki-domain-1] public-key rsa general name abc length 1024
[DeviceA-pki-domain-1] quit
# Generate the RSA key pair.
[DeviceA] public-key local create rsa name abc
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512,it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.....................................++++++
Create the key pair successfully.
# Obtain the CA certificate and save it locally.
[DeviceA] pki retrieve-certificate domain 1 ca
# Submit a certificate request manually.
[DeviceA] pki request-certificate domain 1
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[DeviceA] ike proposal 1
[DeviceA-ike-proposal-1] authentication-method rsa-signature
[DeviceA-ike-proposal-1] quit
# Specify the PKI domain used in IKE negotiation for IKE profile peer.
[DeviceA] ike profile peer
[DeviceA-ike-profile-peer] certificate domain 1
Configuring Device B
# Configure a PKI entity.
<DeviceB> system-view
[DeviceB] pki entity en
[DeviceB-pki-entity-en] ip 3.3.3.1
[DeviceB-pki-entity-en] common-name deviceb
[DeviceB-pki-entity-en] quit
# Configure a PKI domain.
[DeviceB] pki domain 1
[DeviceB-pki-domain-1] ca identifier CA1
[DeviceB-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll
[DeviceB-pki-domain-1] certificate request entity en
[DeviceB-pki-domain-1] ldap-server host 1.1.1.102
# Configure the device to send certificate requests to the RA.
[DeviceB-pki-domain-1] certificate request from ra
# Configure a 1024-bit general-purpose RSA key pair named abc for certificate request.
[DeviceB-pki-domain-1] public-key rsa general name abc length 1024
[DeviceB-pki-domain-1] quit
# Generate the RSA key pair.
[DeviceB] public-key local create rsa name abc
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512,it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.....................................++++++
Create the key pair successfully.
# Obtain the CA certificate and save it locally.
[DeviceB] pki retrieve-certificate domain 1 ca
The trusted CA's finger print is:
    MD5  fingerprint:5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC
    SHA1 fingerprint:1616 E7A5 D89A 2A99 9419 1C12 D696 8228 87BC C266
Is the finger print correct?(Y/N):y
Retrieved the certificates successfully.
# Submit a certificate request manually.
[DeviceB] pki request-certificate domain 1
Start to request general certificate ...
...
Certificate requested successfully.
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] authentication-method rsa-signature
[DeviceB-ike-proposal-1] quit
# Specify the PKI domain used in IKE negotiation for IKE profile peer.
[DeviceB] ike profile peer
[DeviceB-ike-profile-peer] certificate domain 1
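The CA certificate retrieval step above stops at the "Is the finger print correct?(Y/N)" prompt, and the trust of every certificate-authenticated IKE negotiation rests on the operator answering it against a fingerprint obtained out of band. The following script is an added example, not part of the vendor documentation: it takes the CA certificate in PEM form (as it would be exported from the Windows CA), computes the MD5 and SHA1 fingerprints in the same grouped hex layout the device prints, and compares them with the expected value in a way that tolerates copy-paste differences in case, colons and spacing. The PEM body used here is a constructed stand-in (the bytes "abc"), not a real certificate; the value assigned to PAGE_MD5 is the MD5 fingerprint shown on Device B above and is used only to demonstrate a mismatch.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: a PEM wrapper around the bytes b"abc" standing in for
# the DER-encoded CA certificate. A real exported CA certificate in PEM form
# is handled identically (the fingerprint is the hash of the DER bytes).
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# MD5 fingerprint printed by Device B in the example above; the constructed
# sample will not match it, which is the point of the last demonstration call.
PAGE_MD5 = "5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC"


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body of the first CERTIFICATE block and decode it."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def format_fingerprint(digest: bytes) -> str:
    """Render a digest the way the device does: upper-case hex in groups of four."""
    hex_str = digest.hex().upper()
    return " ".join(hex_str[i:i + 4] for i in range(0, len(hex_str), 4))


def certificate_fingerprints(pem: str) -> dict:
    """Return the MD5 and SHA1 fingerprints of the certificate's DER encoding."""
    der = pem_to_der(pem)
    return {
        "md5": format_fingerprint(hashlib.md5(der).digest()),
        "sha1": format_fingerprint(hashlib.sha1(der).digest()),
    }


def fingerprint_matches(pem: str, expected: str, algorithm: str = "sha1") -> bool:
    """Compare the computed fingerprint with an expected value obtained out of band.

    Whitespace, colons and letter case are ignored so that a value copied from
    the CA console or from the device prompt compares cleanly. The comparison
    itself is constant-time, which costs nothing here and is a good habit.
    """
    computed = certificate_fingerprints(pem)[algorithm]

    def normalise(value: str) -> str:
        return re.sub(r"[\s:]", "", value).upper()

    return hmac.compare_digest(normalise(computed), normalise(expected))


if __name__ == "__main__":
    for alg, fp in certificate_fingerprints(SAMPLE_CA_PEM).items():
        print(f"{alg.upper():4} fingerprint:{fp}")
    # Expected to print False: the constructed sample is not the page's CA certificate.
    print("matches Device B's MD5 fingerprint:",
          fingerprint_matches(SAMPLE_CA_PEM, PAGE_MD5, "md5"))
```

Run it against the CA certificate exported from the Windows CA before answering the prompt on the device; the SHA1 value is the one to compare, since the device prints both and MD5 is shown only for older tooling. If the value printed by the device differs from what this script computes for the certificate the CA administrator handed over, answer N and investigate rather than proceeding with certificate enrollment.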
The configurations above cover only IKE negotiation with RSA digital signature. For information about configuring the IPsec SAs that the IKE negotiation sets up, see "Configuring IPsec."