Cisco SSL VPN
From Xgu.ru
This page describes how to configure SSL VPN on Cisco routers.
The technology used to be called WebVPN, and the commands still use the old name.
Setting up SSL VPN
Generating a self-signed certificate
The simplest way to set up SSL VPN with a self-signed certificate is to configure a gateway and enable it; the certificate is generated automatically:
dyn(config)# webvpn gateway xguru_gate
dyn(config-webvpn-gateway)# inservice
If you need to control the certificate's parameters, configure a local trustpoint that will generate the certificate.
Generating the key pair for the certificate:
dyn(config)# crypto key generate rsa label ssl_vpn modulus 1024
Configuring the trustpoint:
dyn(config)# crypto pki trustpoint ssl_ca
dyn(ca-trustpoint)# enrollment selfsigned
dyn(ca-trustpoint)# subject-name cn=SSL_VPN
dyn(ca-trustpoint)# revocation-check none
dyn(ca-trustpoint)# rsakeypair ssl_vpn
Generating the self-signed certificate:
dyn2(config)# crypto pki enroll ssl_ca
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Checking the certificate:
dyn2#sh cry pki certificates
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    hostname=dyn2
    cn=SSL_VPN
  Subject:
    Name: dyn2
    hostname=dyn2
    cn=SSL_VPN
  Validity Date:
    start date: 16:59:17 UTC Jul 18 2011
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: ssl_ca
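The certificate output above carries the two things worth checking on every gateway: whether the issuer equals the subject (self-signed, so clients have no external trust anchor) and whether the validity window is still open. The following script is an added example, not part of the original page or of Cisco's tooling; it parses that output (re-used here as a constructed sample) and reports both.

```python
# Added example (not from the original page): parse the router's
# "show crypto pki certificates" output and report whether the certificate
# is self-signed and whether it is inside its validity window.
import re
from datetime import datetime, timezone

# Constructed sample: the certificate output shown on this page.
SAMPLE_OUTPUT = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    hostname=dyn2
    cn=SSL_VPN
  Subject:
    Name: dyn2
    hostname=dyn2
    cn=SSL_VPN
  Validity Date:
    start date: 16:59:17 UTC Jul 18 2011
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: ssl_ca
"""

# IOS prints validity timestamps as "HH:MM:SS UTC Mon D YYYY".
DATE_FMT = "%H:%M:%S UTC %b %d %Y"


def _parse_date(value):
    return datetime.strptime(value.strip(), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_certificate(text):
    """Return issuer/subject attribute lists, validity window and trustpoints."""
    cert = {"issuer": [], "subject": [], "trustpoints": [],
            "not_before": None, "not_after": None}
    section = None  # which attribute list is currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Issuer:":
            section = "issuer"
            continue
        if line == "Subject:":
            section = "subject"
            continue
        if line == "Validity Date:":
            section = None
            continue
        m = re.match(r"start date:\s*(.+)", line)
        if m:
            cert["not_before"] = _parse_date(m.group(1))
            continue
        m = re.match(r"end\s+date:\s*(.+)", line)
        if m:
            cert["not_after"] = _parse_date(m.group(1))
            continue
        m = re.match(r"Associated Trustpoints:\s*(.+)", line)
        if m:
            cert["trustpoints"] = m.group(1).split()
            continue
        # Attribute lines inside Issuer:/Subject: look like "cn=SSL_VPN";
        # "Name: dyn2" is the router's own label and is skipped.
        if section and "=" in line:
            cert[section].append(line)
    return cert


def assess(cert, now):
    """List finding codes for the certificate relative to the reference time `now`."""
    findings = []
    if cert["issuer"] == cert["subject"]:
        # Self-signed: no external trust anchor, so clients warn on every
        # connection unless the certificate is explicitly trusted on them.
        findings.append("self-signed")
    if now < cert["not_before"]:
        findings.append("not-yet-valid")
    if now >= cert["not_after"]:
        findings.append("expired")
    elif (cert["not_after"] - now).days < 30:
        findings.append("expires-within-30-days")
    return findings


if __name__ == "__main__":
    parsed = parse_certificate(SAMPLE_OUTPUT)
    print("valid from", parsed["not_before"], "until", parsed["not_after"])
    print("findings now:", assess(parsed, datetime.now(timezone.utc)))
```

Run against a live device by pasting the output of `show crypto pki certificates` into `SAMPLE_OUTPUT`; the sample on this page reports `self-signed` and, for any date after 1 Jan 2020, `expired`.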
Viewing the settings
dyn#show webvpn gateway
Gateway Name                         Admin  Operation
------------                         -----  ---------
xguru_gate                           up     up
dyn# show webvpn context
Context Name: xguru_context
Admin Status: up
Operation Status: up
Error and Event Logging: Disabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: auth_xguru
AAA Authorization List not configured
AAA Accounting List not configured
AAA Authentication Domain not configured
Authentication mode: AAA authentication
Default Group Policy: xguru_policy
Associated WebVPN Gateway: xguru_gate
Domain Name and Virtual Host not configured
Maximum Users Allowed: 1000 (default)
NAT Address not configured
VRF Name not configured
Virtual Template not configured
dyn#show webvpn policy group xguru_policy context all
WEBVPN: group policy = xguru_policy ; context = xguru_context
      banner = "Welcome xguru users"
      idle timeout = 2100 sec
      session timeout = Disabled
      functions =
                svc-enabled
      citrix disabled
      address pool name = "users_pool"
      default domain = "xgu.ru"
      dpd client timeout = 300 sec
      dpd gateway timeout = 300 sec
      keepalive interval = 30 sec
      SSLVPN Full Tunnel mtu size = 1406 bytes
      keep sslvpn client installed = enabled
      rekey interval = 3600 sec
      rekey method =
      lease duration = 43200 sec
      split include = 192.168.34.0 255.255.255.0
      split include = 10.0.1.0 255.255.255.0
      DNS primary server = 10.0.2.11
dyn2#show webvpn session user xguru context all
SSL VPN configuration example (IOS 15.1)
An example SSL VPN configuration in Full tunnel mode using the AnyConnect client:
aaa new-model
!
aaa authentication login auth_xguru local
!
username xguru password xguru
!
ip local pool users_pool 10.0.200.100 10.0.200.120
!
webvpn gateway xguru_gate
 ip address 192.168.1.1 port 443
 logging enable
 inservice
 !
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2017-k9.pkg
!
webvpn context xguru_context
 !
 policy group xguru_policy
   functions svc-enabled
   banner "Welcome xguru users"
   svc address-pool "users_pool"
   svc default-domain "xgu.ru"
   svc keep-client-installed
   svc split include 192.168.34.0 255.255.255.0
   svc split include 10.0.1.0 255.255.255.0
   svc dns-server primary 10.0.2.11
 default-group-policy xguru_policy
 aaa authentication list auth_xguru
 gateway xguru_gate
 inservice
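Before putting a configuration like the one above into service it is worth running it through a small review: the key pair is 1024 bits, the local user is created with `password` (reversible storage) rather than `secret` (hashed), and the gateway and context should have logging and an AAA list bound. The script below is an added example, not from the original page and not a Cisco tool; the checks are the editor's own. Its sample input is the page's configuration (abridged) with the key-generation and trustpoint commands from the certificate section prepended; note that `crypto key generate rsa` is not stored in running-config, so on a real device the modulus would instead be read from `show crypto key mypubkey rsa`.

```python
# Added example (not from the original page): audit an IOS SSL VPN
# configuration for settings a reviewer would question. The checks are the
# editor's own, not Cisco's.
import re

# Constructed sample: the configuration shown on this page, abridged, with
# the page's key-generation and trustpoint commands prepended. On a real
# device "crypto key generate rsa" does not appear in running-config.
SAMPLE_CONFIG = """\
crypto key generate rsa label ssl_vpn modulus 1024
crypto pki trustpoint ssl_ca
 enrollment selfsigned
 subject-name cn=SSL_VPN
 revocation-check none
 rsakeypair ssl_vpn
!
aaa new-model
!
aaa authentication login auth_xguru local
!
username xguru password xguru
!
ip local pool users_pool 10.0.200.100 10.0.200.120
!
webvpn gateway xguru_gate
 ip address 192.168.1.1 port 443
 logging enable
 inservice
!
webvpn context xguru_context
 policy group xguru_policy
   functions svc-enabled
   svc address-pool "users_pool"
 default-group-policy xguru_policy
 aaa authentication list auth_xguru
 gateway xguru_gate
 inservice
"""


def parse_blocks(text):
    """Group indented sub-commands under their top-level command, in order."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def audit(text):
    """Return sorted finding codes of the form 'check:object'."""
    findings = []
    for cmd, sub in parse_blocks(text).items():
        # RSA keys shorter than 2048 bits are below current guidance.
        m = re.match(r"crypto key generate rsa .*modulus (\d+)", cmd)
        if m and int(m.group(1)) < 2048:
            findings.append(f"weak-rsa-modulus:{m.group(1)}")
        # "username ... password" stores type 0/7 (reversible); use "secret".
        m = re.match(r"username (\S+) password ", cmd)
        if m:
            findings.append(f"reversible-password:{m.group(1)}")
        # A gateway without "logging enable" leaves no trail of VPN sessions.
        if cmd.startswith("webvpn gateway ") and "logging enable" not in sub:
            findings.append(f"no-gateway-logging:{cmd.split()[2]}")
        # A context with no explicit AAA list relies on whatever the default
        # login method list happens to be; make the binding explicit.
        if cmd.startswith("webvpn context ") and not any(
                s.startswith("aaa authentication list") for s in sub):
            findings.append(f"no-aaa-list:{cmd.split()[2]}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the page's configuration the audit reports the 1024-bit modulus and the reversible `username xguru password` entry; replacing them with `modulus 2048` and `username xguru secret ...` clears both.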
Additional information