
PIX 6.3 site-to-site with Router

pix-boris(config)# sh cry ips sa

interface: outside
Crypto map tag: test, local addr. 172.29.6.8

local ident (addr/mask/prot/port): (10.1.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.108.0/255.255.255.0/0/0)
current_peer: 172.29.6.108:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.29.6.8, remote crypto endpt.: 172.29.6.108
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 12370c13

inbound esp sas:
spi: 0x7b8c1e7e(2072780414)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607999/3534)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x12370c13(305597459)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607999/3534)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:


pix-boris(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100basetx
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-boris
domain-name boris.com
clock timezone EST -5
clock summer-time EST recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.1.8.0 255.255.255.0 10.1.108.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 172.29.6.8 255.255.255.0
ip address inside 10.1.8.1 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 172.29.6.254 1
route outside 10.1.108.0 255.255.255.0 172.29.6.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map test 20 ipsec-isakmp
crypto map test 20 match address 100
crypto map test 20 set peer 172.29.6.108
crypto map test 20 set transform-set myset
crypto map test interface outside
isakmp enable outside
isakmp key ******** address 172.29.6.108 netmask 255.255.255.255
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 36000
ca identity test 172.29.1.43:/certsrv/mscep/mscep.dll
ca configure test ra 1 3
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:87df89e402af0b5156db6fe113320a87
: end
[OK]
pix-boris(config)#

pix-boris(config)# sh cry ca myp rsa
% Key pair was generated at: 14:01:33 EST Jun 5 2005
Key name: pix-boris.boris.com
Usage: General Purpose Key
Key Data:
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00ac804e cb49d328
c751b2e7 e77582df 0baf8bca 4690d616 95f9712b fbd90de3 83b3d757 b93df64d
86151b62 cb2c8a44 2716a629 edebf611 3b60ee48 bd87867b e1020301 0001
pix-boris(config)# sh cry ca cert
Certificate
Status: Available
Certificate Serial Number: 013899e4000000000011
Key Usage: General Purpose
Subject Name:
CN = pix-boris.boris.com
UNSTRUCTURED NAME = pix-boris.boris.com
Validity Date:
start date: 15:09:33 EST Jun 5 2005
end date: 15:19:33 EST Jun 5 2006

RA Signature Certificate
Status: Available
Certificate Serial Number: 610e142a00000000000f
Key Usage: Signature
CN = Delano
OU = all
O = all
L = all
ST = all
C = US
EA =<16> delano@delano.com
Validity Date:
start date: 15:23:33 EST May 22 2005
end date: 15:33:33 EST May 22 2006

CA Certificate
Status: Available
Certificate Serial Number: 6bb252156aa9fea742e3df732a207fca
Key Usage: Signature
CN = tcy
OU = tcy
O = tcy
L = NYC
ST = NY
C = US
Validity Date:
start date: 20:17:18 EST Nov 9 2004
end date: 20:17:18 EST Nov 9 2006

RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 610e1ad1000000000010
Key Usage: Encryption
CN = Delano
OU = all
O = all
L = all
ST = all
C = US
EA =<16> delano@delano.com
Validity Date:
start date: 15:23:35 EST May 22 2005
end date: 15:33:35 EST May 22 2006
==================================================

RouterB#wr t
Building configuration...

Current configuration : 5033 bytes
!
! Last configuration change at 16:07:52 EST Sun Jun 5 2005
! NVRAM config last updated at 16:08:27 EST Sun Jun 5 2005
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
!
logging queue-limit 100
!
clock timezone EST -5
clock summer-time EST recurring
ip subnet-zero
!
!
ip domain name test2.com
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint test3
enrollment mode ra
enrollment url http://172.29.1.43:80/certsrv/mscep/mscep.dll
crl optional
!
crypto ca certificate chain test3
certificate 0167839F000000000014
quit
certificate ca 6BB252156AA9FEA742E3DF732A207FCA
quit
!
!
crypto isakmp policy 20
group 2
crypto isakmp key cisco address 172.29.6.8
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map test 20 ipsec-isakmp
set peer 172.29.6.8
set transform-set myset
match address 100
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 10.1.108.1 255.255.255.0
!
interface Ethernet0/0
ip address 172.29.6.108 255.255.255.0
half-duplex
crypto map test
!
interface Serial0/0
no ip address
shutdown
!
interface Serial0/1
no ip address
shutdown
!
no ip http server
no ip http secure-server
ip classless
ip route 10.1.8.0 255.255.255.0 172.29.6.8
ip route 172.29.1.0 255.255.255.0 172.29.6.254
!
!
!
access-list 100 permit ip 10.1.108.0 0.0.0.255 10.1.8.0 0.0.0.255
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

RouterB#
RouterB#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

172.29.0.0/24 is subnetted, 2 subnets
S 172.29.1.0 [1/0] via 172.29.6.254
C 172.29.6.0 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 2 subnets
S 10.1.8.0 [1/0] via 172.29.6.8
C 10.1.108.0 is directly connected, Loopback0
RouterB#
RouterB#sh cry ips sa

interface: Ethernet0/0
Crypto map tag: test, local addr. 172.29.6.108

protected vrf:
local ident (addr/mask/prot/port): (10.1.108.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.8.0/255.255.255.0/0/0)
current_peer: 172.29.6.8:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest 20
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 172.29.6.108, remote crypto endpt.: 172.29.6.8
path mtu 1500, media mtu 1500
current outbound spi: 7B8C1E7E

inbound esp sas:
spi: 0x12370C13(305597459)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: test
sa timing: remaining key lifetime (k/sec): (4453062/3148)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x7B8C1E7E(2072780414)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: test
sa timing: remaining key lifetime (k/sec): (4453062/3148)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

RouterB#
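Added example, not part of the original post: a small Python check that parses the ESP SA blocks from the two `show crypto ipsec sa` outputs above (PIX and RouterB) and verifies that each side's inbound SPI is the other side's outbound SPI with the same transform, then flags the legacy esp-des / esp-md5-hmac transform set. The excerpts are constructed from the output shown on this page and trimmed to the fields the check reads.

```python
import re
# Constructed excerpts of the PIX and RouterB `show crypto ipsec sa` output above.
PIX_SA = """\
inbound esp sas:
spi: 0x7b8c1e7e(2072780414)
transform: esp-des esp-md5-hmac ,
outbound esp sas:
spi: 0x12370c13(305597459)
transform: esp-des esp-md5-hmac ,
"""
ROUTER_SA = """\
inbound esp sas:
spi: 0x12370C13(305597459)
transform: esp-des esp-md5-hmac ,
outbound esp sas:
spi: 0x7B8C1E7E(2072780414)
transform: esp-des esp-md5-hmac ,
"""
WEAK = {"esp-des", "esp-md5-hmac"}  # single DES and HMAC-MD5: legacy choices

def parse_esp(text):
    """Map 'inbound'/'outbound' to {'spi': lowercase hex, 'transform': tuple}."""
    esp, direction = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(inbound|outbound) esp sas:", line)
        if m:
            direction = m.group(1)
            esp[direction] = {}
        elif direction and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):
            esp[direction]["spi"] = m.group(1).lower()  # PIX prints lowercase, IOS upper
        elif direction and (m := re.match(r"transform: (.+?) ?,", line)):
            esp[direction]["transform"] = tuple(m.group(1).split())
    return esp

def cross_check(a, b):
    """Findings list; empty means A's inbound SA is B's outbound SA and vice versa."""
    findings = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a[mine]["spi"] != b[theirs]["spi"]:
            findings.append(f"{mine} SPI on A != {theirs} SPI on B")
        if a[mine]["transform"] != b[theirs]["transform"]:
            findings.append(f"{mine} transform on A != {theirs} transform on B")
    return findings

def weak_transforms(esp):
    """Transforms in use on this end that are on the legacy list, sorted."""
    used = set().union(*(d["transform"] for d in esp.values()))
    return sorted(used & WEAK)
```

Running `cross_check(parse_esp(PIX_SA), parse_esp(ROUTER_SA))` on the page's output returns no findings, and `weak_transforms` reports both esp-des and esp-md5-hmac on either end.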
RouterB#sh cry ca ?
certificates Show certificates
crls Show Certificate Revocation Lists
timers Show PKI Timers
trustpoints Show trustpoints

RouterB#sh cry ca cert
Certificate
Status: Available
Certificate Serial Number: 0167839F000000000014
Certificate Usage: General Purpose
Issuer:
CN = tcy
OU = tcy
O = tcy
L = NYC
ST = NY
C = US
Subject:
Name: RouterB.test2.com
OID.1.2.840.113549.1.9.2 = RouterB.test2.com
CRL Distribution Point:
http://tcy2038745/CertEnroll/tcy.crl
Validity Date:
start date: 16:00:53 EST Jun 5 2005
end date: 16:10:53 EST Jun 5 2006
renew date: 19:00:00 EST Dec 31 1969
Associated Trustpoints: test3

CA Certificate
Status: Available
Certificate Serial Number: 6BB252156AA9FEA742E3DF732A207FCA
Certificate Usage: Signature
Issuer:
CN = tcy
OU = tcy
O = tcy
L = NYC
ST = NY
C = US
Subject:
CN = tcy
OU = tcy
O = tcy
L = NYC
ST = NY
C = US
CRL Distribution Point:
http://tcy2038745/CertEnroll/tcy.crl
Validity Date:
start date: 20:17:18 EST Nov 9 2004
end date: 20:17:18 EST Nov 9 2006
Associated Trustpoints: test3


RouterB#
RouterB#sh cry ca trust test3
Trustpoint test3:
Subject Name:
CN = tcy
OU = tcy
O = tcy
L = NYC
ST = NY
C = US
Serial Number: 6BB252156AA9FEA742E3DF732A207FCA
Certificate configured.
CEP URL:
http://172.29.1.43


RouterB#sh cry ?
ca Show certification authority policy
dynamic-map Crypto map templates
engine Show crypto engine info
identity Show crypto identity list
ipsec Show IPSEC policy
isakmp Show ISAKMP Security Associations
key Show long term public keys
map Crypto maps
mib Show Crypto-related MIB Parameters
optional Optional Encryption Status
sockets Secure Socket Information

RouterB#sh cry key ?
mypubkey Show public keys associated with this router
pubkey-chain Show peer public keys

RouterB#sh cry key mypubkey ?
rsa Show RSA public keys

RouterB#sh cry key mypubkey rsa
% Key pair was generated at: 15:29:57 EST Jun 5 2005
Key name: RouterB.test2.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D705A3 543C3050
79FDE115 E720132F C3B26AAA 1FB7674E 42A9A65A 56830B38 5E0C5A97 092AB824
EC36BEE8 2C58DD6E 19CBF7AF 086D3E22 6433B63A 0AA18D71 E7020301 0001
% Key pair was generated at: 15:30:03 EST Jun 5 2005
Key name: RouterB.test2.com.server
Usage: Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C8E42F BC4E6645
25075BBB 34A2D87D 47FD5CE7 139A19EB 10A21A45 1563EE44 8F6D701D 880AC48F
7B640A47 FB92A461 87FFBA93 5FFFF19E 2F89E745 52477BEB 56B892F3 DA1FFA88
3792C0EC C83105AC F94C7649 C593B130 E1D6E9D0 01C3EC1A B9020301 0001