Many people assume that in VPN labs an IOS image marked K8 only supports DES encryption, while K9 supports both DES and 3DES. That understanding is partly mistaken, so this document was written to set it straight.
【1】. DES (Data Encryption Algorithm) uses a 64-bit key (56 effective key bits plus 8 parity bits). 3DES uses DES as its building block: the block cipher is constructed by applying DES three times in succession, so 3DES can encrypt with a 192-bit key (168 effective key bits), a large improvement in security.
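As an added illustration of the key layout described above (this code is not from the original post), the following Python shows where the 8 parity bits of a DES key sit and why a 64-bit DES key or a 192-bit 3DES key has only 56 or 168 effective bits. The sample keys are constructed for the demonstration.

```python
"""Added example: DES key parity bits and effective key length (not from the post)."""


def des_key_parity_ok(key: bytes) -> bool:
    """Return True if every byte of an 8-byte DES key has odd parity.

    DES keys are 64 bits, but the low bit of each byte is a parity bit, so only
    7 bits per byte (56 in total) are key material.
    """
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes (64 bits)")
    return all(bin(b).count("1") % 2 == 1 for b in key)


def fix_des_parity(key: bytes) -> bytes:
    """Rewrite the low bit of each byte so that the byte has odd parity.

    The 7 high bits (the actual key material) are left untouched.
    """
    out = bytearray()
    for b in key:
        material_ones = bin(b >> 1).count("1")
        # If the 7 material bits already have odd weight, parity bit is 0; else 1.
        out.append((b & 0xFE) | (0 if material_ones % 2 == 1 else 1))
    return bytes(out)


def effective_key_bits(nominal_bits: int) -> int:
    """Effective key bits of a DES-family key: one parity bit per 8-bit byte."""
    return nominal_bits - nominal_bits // 8


def fix_3des_parity(key: bytes) -> bytes:
    """Apply DES parity to each of the three 8-byte halves of a 24-byte 3DES key."""
    if len(key) != 24:
        raise ValueError("3DES key must be 24 bytes (192 bits)")
    return b"".join(fix_des_parity(key[i:i + 8]) for i in range(0, 24, 8))


if __name__ == "__main__":
    constructed = bytes(range(8))  # constructed sample key, not a real secret
    print(des_key_parity_ok(constructed), fix_des_parity(constructed).hex())
    print(effective_key_bits(64), effective_key_bits(192))
```

Running it shows a DES key with bad parity bytes being corrected without touching the 56 material bits, and the 64 -> 56 and 192 -> 168 effective-bit counts from the text.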
【2】. Running show version on an ASA shows that asa804-k8.bin only supports DES, which at first looks consistent with the earlier understanding:

ciscoasa# sh version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 55 mins 49 secs
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 4055.3981.c3f8, irq 9
1: Ext: GigabitEthernet0/1 : address is 4055.3981.c3f9, irq 9
2: Ext: GigabitEthernet0/2 : address is 4055.3981.c3fa, irq 9
3: Ext: GigabitEthernet0/3 : address is 4055.3981.c3fb, irq 9
4: Ext: Management0/0 : address is 4055.3981.c3f7, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1522L1NN
Running Activation Key: 0x85015755 0xa8d8edd8 0x1ce3d52c 0xb44c68b0 0x4d1f2db7
Configuration register is 0x2001
Configuration has not been modified since last system restart.
ciscoasa#
Looking at the configuration of an ASA5520 in another project, however, asa803-k8.bin supports both DES and 3DES:

ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.2(1)51
Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"
1F-N2-10-SPAY-FW-C5520A-APP up 82 days 19 hours
failover cluster up 92 days 12 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0025.45d7.8902, irq 9
1: Ext: GigabitEthernet0/1 : address is 0025.45d7.8903, irq 9
2: Ext: GigabitEthernet0/2 : address is 0025.45d7.8904, irq 9
3: Ext: GigabitEthernet0/3 : address is 0025.45d7.8905, irq 9
4: Ext: Management0/0 : address is 0025.45d7.8906, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1331L1BH
Running Activation Key: 0x3f25f447 0x2cfd45ce 0xd4200d9c 0x87fc50e4 0x43333c8e
Configuration register is 0x1
Configuration last modified by chenyt at 12:22:41.705 BeiJing Thu Aug 30

After looking into it, it turned out that the US prohibits exporting encryption stronger than 128 bits, so IOS images that do have 3DES capability can only be labelled in the K8 form; some devices outside the US simply carry the K9 label instead. In other words, the K8/K9 tag in the image name does not by itself tell you whether 3DES is available; the VPN-3DES-AES line in the licensed features does.
【3】. Upgrading from K8 to K9: K8 and K9 share the same software and hardware versions, so going from K8 to K9 only requires requesting the corresponding license from the Cisco website.
⑴. Log in to the Cisco license site and select ASA 3DES/AES License.
⑵. Enter the serial number of the ASA, which can be read from show version.
⑶. Click "I agree", then fill in an email address; Cisco will send the key to that mailbox.
⑷. Below is the email that was received; it provides the license that activates 3DES, which is applied with the "activation-key" command:

DO NOT DISCARD THIS EMAIL. You have received this email because your email address was provided to Cisco Systems during the registration process for a Cisco ASA 5500 Series Adaptive Security Appliance activation key. Please read this email carefully and forward it with any attachments to the proper system administrator if you are not the correct person.

Below, you will find the Activation Key for your Cisco Adaptive Security Appliance.

Serial #: JMX1522L1NN
Failover : Enabled
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
AnyConnect Premium Peers : Default
Other VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Shared License : Disabled
Total UC Proxy Sessions : Default
AnyConnect Essentials : Disabled
Botnet Traffic Filter : Disabled
Intercompany Media Engine : Disabled

Platform = asa
JMX1522L1NN: 6422e665 881bffd5 306205cc 81dc88ec 8d2c0b89

Installing Your Cisco Adaptive Security Appliance Activation Key
Step 1. From the command line interface (CLI), enter configuration mode using the "conf t" command.
Step 2. Type the "activation-key" command, and then, when prompted, enter the new activation key listed above.
Note: For some new license settings to take effect a system reboot may be required.
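Since the two show version outputs in section 【2】 and the activation procedure in section 【3】 both come down to reading the "Licensed features" block, here is an added Python example (not from the original post or from Cisco) that parses that block and reports whether a device is still DES-only or already has VPN-3DES-AES licensed. It is useful for checking a fleet of firewalls before requesting licenses and again after running activation-key. The sample output, serial number and image name below are constructed to mirror the format on this page; they are not real device data.

```python
"""Added example: parse the licensed-features block of a Cisco ASA 'show version'
and flag devices whose VPN crypto is limited to DES. Not from the original post."""
import re

# Constructed sample output (format mirrors the page; serial is a placeholder).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(4)
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
0: Ext: GigabitEthernet0/0 : address is 0000.0000.0001, irq 9
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
VPN Peers : 750
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMXPLACEHOLDER0
Configuration register is 0x2001
"""

FEATURE_RE = re.compile(r"^\s*([A-Za-z0-9 /\-]+?)\s*:\s*(.+?)\s*$")


def parse_show_version(text: str) -> dict:
    """Extract image path, serial number and the licensed-features table."""
    info = {"image": None, "serial": None, "features": {}}
    in_features = False
    for line in text.splitlines():
        m = re.search(r'System image file is "([^"]+)"', line)
        if m:
            info["image"] = m.group(1)
            continue
        if line.startswith("Licensed features for this platform"):
            in_features = True
            continue
        if line.startswith("This platform has"):
            in_features = False  # end of the feature table
            continue
        m = re.match(r"Serial Number:\s*(\S+)", line)
        if m:
            info["serial"] = m.group(1)
            continue
        if in_features:
            m = FEATURE_RE.match(line)
            if m:
                info["features"][m.group(1)] = m.group(2)
    return info


def image_crypto_tag(image_path):
    """Return 'k8' or 'k9' from the image file name, or None if absent.

    As the post explains, this tag alone does not say whether 3DES/AES is
    licensed; the VPN-3DES-AES feature line is authoritative.
    """
    m = re.search(r"-k(8|9)\.bin$", image_path or "")
    return "k" + m.group(1) if m else None


def strong_vpn_crypto_licensed(info: dict) -> bool:
    return info["features"].get("VPN-3DES-AES", "").lower() == "enabled"


def assess(text: str) -> dict:
    """Summarise one device: image tag, serial, and whether it is DES-only."""
    info = parse_show_version(text)
    strong = strong_vpn_crypto_licensed(info)
    return {
        "image_tag": image_crypto_tag(info["image"]),
        "serial": info["serial"],
        "strong_crypto": strong,
        "des_only": info["features"].get("VPN-DES") == "Enabled" and not strong,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION))
```

A device reported as des_only is one where the 3DES/AES license from section 【3】 still has to be requested and installed; re-running the check after activation-key (and the reboot the email mentions) should show strong_crypto as True.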