
Building EZVPN with Certificates

Published: 2015-05-20 13:45:24  Author: 瑞德实验室

4. Building EZVPN with Certificates (Standard)

4.1 Lab topology


4.2 Basic network configuration

4.2.1 EZIOSVPN-CA configuration
  host EZIOSVPN-CA
  int f0/0
  ip add 200.1.1.10 255.255.255.0
  no sh
  clock timezone GMT 8
  clock set 16:53:00 19 may 2015
  ntp master
  ip http server
  ip domain name raidnet.cn
4.2.2 EZClient configuration
  host EZclient
  int f0/0
  ip add 200.1.1.3 255.255.255.0
  no sh
  ex
  clock timezone GMT 8
  ip domain name raidnet.cn
  ntp server 200.1.1.10
  ip route 0.0.0.0 0.0.0.0 200.1.1.10

4.3 Configuring the certificate server

4.3.1 Configuring the root certificate server
  crypto pki server CA
  issuer-name cn=ezserver-ca.raidnet.cn, ou=sec, o=raidnet, l=hefei
  grant auto
  no shutdown
4.3.2 EZVPNServer requests an identity certificate
  crypto pki trustpoint EZVPN
    enrollment url http://200.1.1.10
    revocation-check none
    subject-name cn=ezvpnserver.raidnet.cn, ou=sec, o=raidnet, l=hefei
Request the certificate:
EZIOSVPN-CA(config)#crypto pki authenticate EZVPN
Certificate has the following attributes:
       Fingerprint MD5: 73615359 C85FBAC6 BEC62E5D EA02E421
      Fingerprint SHA1: 1FD0092C 2990E6D6 27F89823 3A343687 6DB3418A
 
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
EZIOSVPN-CA(config)#crypto pki enroll EZVPN
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
 
Password:
Re-enter password:
 
% The subject name in the certificate will include: cn=ezvpnserver.raidnet.cn, ou=sec, o=raidnet, l=hefei
% The subject name in the certificate will include: EZIOSVPN-CA.raidnet.cn
% Include the router serial number in the subject name? [yes/no]:
May 19 09:01:35.451: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
yes
% The serial number in the certificate will be: 3B843B84
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate EZVPN verbose' commandwill show the fingerprint
EZIOSVPN-CA#crypto pki server CA grant 1
4.3.3 EZClient hardware client requests an identity certificate online
  crypto pki trustpoint EZVPN
    enrollment url http://200.1.1.10
    revocation-check none
    subject-name cn=ezvpnserver.raidnet.cn, ou=CCSP, o=raidnet, l=hefei
The ou must equal the Group name (the enrollment steps are the same as above).
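The OU-to-group rule above can be checked before a client is enrolled. This added example (not part of the original lab write-up) parses subject names that appear on this page and looks up the OU among the groups defined with `crypto isakmp client configuration group`. The function names and the exact, case-sensitive comparison are assumptions of the example.

```python
import re

# Constructed sample: the group definition from section 4.4 of this page.
SERVER_CONFIG = """\
crypto isakmp identity dn
crypto isakmp client configuration group CCSP
 pool ippool
 acl 100
"""

def parse_dn(subject: str) -> dict:
    """Split 'cn=..., ou=..., o=...' into {attribute: [values]}, keys lower-cased."""
    rdns = {}
    for part in re.split(r"\s*,\s*", subject.strip()):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        rdns.setdefault(key.strip().lower(), []).append(value.strip())
    return rdns

def configured_groups(config: str) -> set:
    """Names defined by 'crypto isakmp client configuration group <name>'."""
    return set(re.findall(
        r"^\s*crypto isakmp client configuration group (\S+)", config, re.M))

def group_for_subject(subject: str, config: str):
    """Return the EZVPN group the certificate OU selects, or None if none matches."""
    groups = configured_groups(config)
    for ou in parse_dn(subject).get("ou", []):
        if ou in groups:        # assumption: exact, case-sensitive match
            return ou
    return None

if __name__ == "__main__":
    for dn in ("cn=ezvpnserver.raidnet.cn, ou=CCSP, o=raidnet, l=hefei",  # 4.3.3 trustpoint
               "cn=ezvpnclient.raidnet.cn, ou=dc, o=raidnet, l=hefei"):   # 4.6.3 enroll output
        print(f"{dn!r:60} -> group {group_for_subject(dn, SERVER_CONFIG)}")
```

A result of `None` means the certificate's OU names no configured group, which is the case for the `ou=dc` subject shown in the 4.6.3 enrollment output.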
4.3.4 Software client certificate request (offline)
1. Export the root certificate from the certificate server (save it as xxx.cer)
EZIOSVPN-CA(config)#crypto pki export EZVPN pem terminal
% CA certificate:
 
% General Purpose Certificate:
2. Generate the certificate request on XP
Copy the generated PKCS#10 request to the certificate server to request the identity certificate:
EZIOSVPN-CA#crypto pki server CA request pkcs10 terminal
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
 
% Enrollment request pending, reqId=3
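EZIOSVPN-CA#crypto pki server CA grant 3
If certificates are granted automatically, the certificate is displayed immediately.
% Granted certificate:
Save the identity certificate as yyy.cer.
The software client now has the root certificate and the identity certificate.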
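Place the certificates in the Certificates folder under the software client's installation directory.
Import the certificates into the software client.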

4.4 Configuring EZVPN

  aaa new-model
  aaa authentication login raid local
  aaa authorization network raid local
  username admin password admin
  ip local pool ippool 123.1.1.100 123.1.1.200
  crypto isakmp policy 10
    encryption 3des
    group 2
    ex
  crypto isakmp identity dn
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  crypto isakmp client configuration group CCSP
    pool ippool
    acl 100
  crypto ipsec transform-set cisco esp-des esp-md5-hmac
    ex
  crypto dynamic-map dymap 10
    set transform-set cisco
    reverse-route
    ex
  crypto map cisco client authentication list raid
  crypto map cisco isakmp authorization list raid
  crypto map cisco client configuration address respond
  crypto map cisco 10 ipsec-isakmp dynamic dymap
  int f0/0
    crypto map cisco
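As an added example (not part of the original lab write-up), the audit below walks a configuration in `show running-config` layout and flags the settings from 4.3 and 4.4 that are weak by current practice: an auto-granting CA, disabled revocation checking, DES/3DES, HMAC-MD5, DH group 2 and a reversibly stored local password. The rule table and function name are assumptions, and the sample is constructed from this page's commands.

```python
import re

# Assumed rule table: (section prefix, or None for any line; line regex; finding).
RULES = [
    ("crypto pki server", r"grant auto$", "CA issues every request without review"),
    ("crypto pki trustpoint", r"revocation-check none$", "revoked certificates are still accepted"),
    ("crypto isakmp policy", r"encr(yption)? (des|3des)$", "IKE encrypts with DES/3DES"),
    ("crypto isakmp policy", r"group [12]$", "IKE DH group is 1024 bits or smaller"),
    (None, r"crypto ipsec transform-set .*\besp-(des|3des)\b", "ESP encrypts with DES/3DES"),
    (None, r"crypto ipsec transform-set .*\besp-md5-hmac\b", "ESP integrity is HMAC-MD5"),
    (None, r"username \S+ password ", "local password stored in cleartext or reversible type 7"),
]

# Constructed sample: commands from sections 4.3 and 4.4, indented as IOS prints them.
LAB_CONFIG = """\
aaa new-model
username admin password admin
crypto pki server CA
 grant auto
crypto pki trustpoint EZVPN
 revocation-check none
crypto isakmp policy 10
 encryption 3des
 group 2
crypto isakmp client configuration group CCSP
 pool ippool
crypto ipsec transform-set cisco esp-des esp-md5-hmac
"""

def audit(config: str):
    """Return (line_no, line, finding) for every rule hit, in file order."""
    findings, section = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # a column-0 line opens a new section
            section = line
        for parent, pattern, finding in RULES:
            in_scope = parent is None or section.startswith(parent)
            if in_scope and re.match(pattern, line):
                findings.append((no, line, finding))
    return findings

if __name__ == "__main__":
    for no, line, finding in audit(LAB_CONFIG):
        print(f"line {no:2}: {line:55} {finding}")
```

Scoping each rule to its parent section keeps a sub-command such as `group 2` from being reported when it appears outside an ISAKMP policy.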

4.5 Hardware client configuration

  crypto ipsec client ezvpn EZVPN
    connect manual
    mode client
    peer 200.1.1.10
    ex
  int lo 0
  crypto ipsec client ezvpn EZVPN inside
  int f0/0
  crypto ipsec client ezvpn EZVPN outside

4.6 Testing

4.6.1 Testing the software client
4.6.2 Testing the hardware client
EZCLient#crypto ipsec client ezvpn connect
EZCLient#
*May 19 15:23:33.982: EZVPN(EZVPN): Pending XAuth Request, Please enter the following command:
*May 19 15:23:33.982: EZVPN: crypto ipsec client ezvpn xauth
 
EZCLient#crypto ipsec client ezvpn xauth
Username: admin
Password:
EZCLient#
*May 19 15:23:44.106: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=  Client_public_addr=200.1.1.1  Server_public_addr=200.1.1.10  Assigned_client_addr=123.1.1.100 
EZCLient#
*May 19 15:23:45.012: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
*May 19 15:23:45.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
EZCLient#ping 192.168.10.1 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms
EZCLient#sh crypto engine connections active
Crypto Engine Connections
 
   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   DES+MD5                   0        5        5 200.1.1.1
    2  IPsec   DES+MD5                   5        0        0 200.1.1.1
 1003  IKE     SHA+3DES                  0        0        0 200.1.1.1
4.6.3 Offline certificate enrollment steps for the hardware client (appendix)
  crypto pki trustpoint EZVPN
    enrollment terminal
    revocation-check none
    subject-name cn=ezvpnclient.raidnet.cn, ou=CCSP, o=raidnet, l=hefei
1. Export the root certificate
EZVPN-CA(config)#crypto pki export CA pem terminal
% The specified trustpoint is not enrolled (CA).
% Only export the CA certificate in PEM format.
% CA certificate:
2. Import the root certificate on the client
EZClient(config)#crypto pki authenticate EZVPN
 
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
 
EZVPN-CA(config)#crypto pki export CA pem terminal
% The specified trustpoint is not enrolled (CA).
% Only export the CA certificate in PEM format.
% CA certificate:
 
Certificate has the following attributes:
       Fingerprint MD5: 0AA72713 6EC8D268 6C5DDE53 1FA4F980
      Fingerprint SHA1: 24C559CB 492BB8A2 DD075074 D53D11D1 60EAC76E
 
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
3. The hardware client requests an identity certificate (copy the PKCS#10 request to the root certificate server)
EZClient(config)#crypto pki enroll EZVPN
% Start certificate enrollment ..
 
% The subject name in the certificate will include: cn=ezvpnclient.raidnet.cn, ou=dc, o=raidnet, l=hefei
% The subject name in the certificate will include: EZClient.raidnet.cn
% The serial number in the certificate will be: 3B843B84
% Include an IP address in the subject name? [no]:
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
 
 
---End - This line not part of the certificate request---
 
Redisplay enrollment request? [yes/no]: no
4. The root certificate server issues the certificate
EZVPN-CA#crypto pki server CA request pkcs10 terminal
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
 
% Granted certificate:
5. Import the issued identity certificate into the hardware client
EZClient(config)#crypto pki import EZVPN certificate
 
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
% Router Certificate successfully imported
