© 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.017-1 Lesson 17 Configure the Cisco Virtual Private Network 3000 Series Concentrator for LAN-to-LAN. - презентация

1 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Lesson 17 Configure the Cisco Virtual Private Network 3000 Series Concentrator for LAN-to-LAN Using Digital Certificates

2 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Objectives Upon completion of this lesson, you will be able to perform the following tasks: Explain the purpose of SCEP. Explain how root certificates are installed via SCEP. Explain how identity certificates are installed via SCEP. Configure the Concentrator for LAN-to-LAN support with digital certificates.

3 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN SCEP Support Overview

4 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN CA Server Fulfilling Requests from IPSec Peers Each IPSec peer individually enrolls with the CA server. CA server

5 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN SCEP-Based Enrollment SCEP Certificate server

6 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN SCEP Loading Process Load root certificate via SCEP Load identity certificate via SCEP Certificate server Certificate server

7 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Root Certificate Installation

8 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Receive CA certificate Verify CA certificate SCEPRoot Certificate Send CA certificate Request CA certificate SCEP Certificate server

9 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Certificate Management

10 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN ConcentratorSCEP Enrollment Procedure Installed root certificate

11 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN SCEP URL CA server information: What is the URL of the CA server? Is a descriptor required? Certificate server

12 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Root Installed

13 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN View the Root Certificate

14 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Identity Certificate Installation

15 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN SCEPIdentity Certificate Generate keys Generate and send certificate request Store certificate Send polling request Store certificate Process request –If approved, generate identity certificate or –Send request pending –(Approved) Stored SCEP-issued root certificate SCEP Certificate server

16 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Identity Certificate Enrollment

17 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Identity Certificate Installation 5

18 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Identity Enrollment Form

19 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Identity Certificate Installed

20 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN View the Identity Certificate

21 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Enrollment Status

22 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Certificate Renewal

23 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Configuring Certificate Authority CRL retrieval policy CRL caching CRL distribution points

24 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Concentrator SCEP Configuration

25 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Activate the IKE Proposal

26 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN IKE Proposal

27 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Add RSA SA

28 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Configure RSA SA

29 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Add IPSec LAN-to-LAN IPSec Internet

30 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Boston IPSec LAN-to-LAN Boston Houston

31 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN IPSec LAN-to-LAN Is Finished IPSec Internet Boston Houston

32 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN IPSec LAN-to-LAN Connection IPSec Internet Boston Houston

33 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Summary

34 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Summary SCEP certificate generation is a two-step process: –CA certificate requests are sent to and CA certificates are received from the CA. –Identity certificate requests are sent to and identity certificates are received from the CA. CA and identity certificates are validated before being loaded on a Concentrator. For CA support you configure the Concentrator much the same as you would for pre-shared keys, substituting the digital certificates when necessary. Add, verify, and delete certificates in the Administration-Certificate Management window.

35 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Lab Exercise

36 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Q P.0 Lab Visual Objective Student PC.5 Student PC P Q P Q.0 RTS.100 RTS.100 Pods 1–5 Pods 6–10.10 Web FTP CA Server RBB Concentrator