Cisco SSL VPN
From Xgu.ru
This page describes how to configure SSL VPN on Cisco routers.
The technology was previously called WebVPN, and the commands still use the old name.
Configuring SSL VPN
Generating a self-signed certificate
The simplest way to set up SSL VPN with a self-signed certificate is to configure a gateway and enable it; the certificate is generated automatically:
dyn(config)# webvpn gateway xguru_gate
dyn(config-webvpn-gateway)# inservice
If you need to control the certificate's parameters, configure a local trustpoint and let it generate the certificate.
Generating the key pair for the certificate:
dyn(config)# crypto key generate rsa label ssl_vpn modulus 1024
Configuring the trustpoint:
dyn(config)# crypto pki trustpoint ssl_ca
dyn(ca-trustpoint)# enrollment selfsigned
dyn(ca-trustpoint)# subject-name cn=SSL_VPN
dyn(ca-trustpoint)# revocation-check none
dyn(ca-trustpoint)# rsakeypair ssl_vpn
Generating the self-signed certificate:
dyn2(config)# crypto pki enroll ssl_ca
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created
Checking the certificate:
dyn2#sh cry pki certificates
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    hostname=dyn2
    cn=SSL_VPN
  Subject:
    Name: dyn2
    hostname=dyn2
    cn=SSL_VPN
  Validity Date:
    start date: 16:59:17 UTC Jul 18 2011
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: ssl_ca
Viewing the configuration
dyn#show webvpn gateway
Gateway Name                       Admin  Operation
------------                       -----  ---------
xguru_gate                         up     up

dyn# show webvpn context
Context Name: xguru_context
Admin Status: up
Operation Status: up
Error and Event Logging: Disabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: auth_xguru
AAA Authorization List not configured
AAA Accounting List not configured
AAA Authentication Domain not configured
Authentication mode: AAA authentication
Default Group Policy: xguru_policy
Associated WebVPN Gateway: xguru_gate
Domain Name and Virtual Host not configured
Maximum Users Allowed: 1000 (default)
NAT Address not configured
VRF Name not configured
Virtual Template not configured
dyn#show webvpn policy group xguru_policy context all
WEBVPN: group policy = xguru_policy ; context = xguru_context
banner = "Welcome xguru users"
idle timeout = 2100 sec
session timeout = Disabled
functions =
svc-enabled
citrix disabled
address pool name = "users_pool"
default domain = "xgu.ru"
dpd client timeout = 300 sec
dpd gateway timeout = 300 sec
keepalive interval = 30 sec
SSLVPN Full Tunnel mtu size = 1406 bytes
keep sslvpn client installed = enabled
rekey interval = 3600 sec
rekey method =
lease duration = 43200 sec
split include = 192.168.34.0 255.255.255.0
split include = 10.0.1.0 255.255.255.0
DNS primary server = 10.0.2.11
dyn2#show webvpn session user xguru context all
Example SSL VPN configuration (IOS 15.1)
Example SSL VPN configuration in Full tunnel mode using the AnyConnect client:
aaa new-model
!
aaa authentication login auth_xguru local
!
username xguru password xguru
!
ip local pool users_pool 10.0.200.100 10.0.200.120
!
webvpn gateway xguru_gate
 ip address 192.168.1.1 port 443
 logging enable
 inservice
 !
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2017-k9.pkg
!
webvpn context xguru_context
 !
 policy group xguru_policy
   functions svc-enabled
   banner "Welcome xguru users"
   svc address-pool "users_pool"
   svc default-domain "xgu.ru"
   svc keep-client-installed
   svc split include 192.168.34.0 255.255.255.0
   svc split include 10.0.1.0 255.255.255.0
   svc dns-server primary 10.0.2.11
 default-group-policy xguru_policy
 aaa authentication list auth_xguru
 gateway xguru_gate
 inservice
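An added defender-side check, not part of the original page: a small Python audit that scans an IOS SSL VPN configuration for the weak settings visible in the examples above (a 1024-bit RSA key, revocation checking disabled, a type-0 password equal to the username, and split tunnelling). The sample config is constructed from the page's commands in running-config form; the finding tags and the 2048-bit floor are assumptions of this script.

```python
import re

# Constructed sample (assumption: running-config form of the page's commands),
# combining the key/trustpoint lines with the webvpn context example.
SAMPLE_CONFIG = """\
crypto key generate rsa label ssl_vpn modulus 1024
crypto pki trustpoint ssl_ca
 enrollment selfsigned
 revocation-check none
 rsakeypair ssl_vpn
username xguru password xguru
webvpn context xguru_context
 policy group xguru_policy
   functions svc-enabled
   svc split include 192.168.34.0 255.255.255.0
   svc split include 10.0.1.0 255.255.255.0
 inservice
"""

MIN_RSA_BITS = 2048  # assumption: the floor this audit enforces for new keys


def audit_sslvpn_config(config: str) -> list[str]:
    """Return finding tags for weak SSL VPN settings in an IOS config text."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        # 1. Short RSA key behind the self-signed certificate.
        m = re.match(r"crypto key generate rsa .*\bmodulus (\d+)$", line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"rsa-modulus:{m.group(1)}")
        # 2. Local user with a type-0 (cleartext) or type-7 (reversible) password;
        #    'username ... secret' does not match this pattern and is not flagged.
        m = re.match(r"username (\S+) password (?:(\d) )?(\S+)$", line)
        if m and m.group(2) in (None, "0"):
            findings.append(f"plaintext-password:{m.group(1)}")
            if m.group(1) == m.group(3):
                findings.append(f"password-equals-username:{m.group(1)}")
        elif m and m.group(2) == "7":
            findings.append(f"reversible-password:{m.group(1)}")
        # 3. Certificate revocation checking disabled on the trustpoint.
        if line == "revocation-check none":
            findings.append("revocation-check-none")
        # 4. Split tunnelling: only these prefixes enter the tunnel, all other
        #    client traffic leaves the host directly, outside the VPN policy.
        if line.startswith("svc split include "):
            findings.append(f"split-tunnel:{line.split()[3]}")
    return findings
```

Run it over a copy of `show running-config` to get the same tags for a live router; a clean result is an empty list.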
Additional information