Note: the configuration here is SSL VPN tunnel mode (the SSL VPN Client).
I. Network topology

II. SSL VPN server configuration
Software version:
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
VPN client software: sslclient-win-1.1.2.169.pkg
1. Format disk0
R1#format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:". Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
..............................................................................................................................................
Monlib write complete
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 8009
Format: Total bytes in formatted partition: 4100608
Format: Operation completed successfully.
Format of disk0 complete
2. Upload the client package
R1#copy tftp disk0:
Address or name of remote host []? 192.168.10.100
Source filename []? sslclient-win-1.1.2.169.pkg
Destination filename [sslclient-win-1.1.2.169.pkg]?
Accessing tftp://192.168.10.100/sslclient-win-1.1.2.169.pkg...
Loading sslclient-win-1.1.2.169.pkg from 192.168.10.100 (via FastEthernet0/0): !!
[OK - 415090 bytes]
415090 bytes copied in 12.892 secs (32197 bytes/sec)
3. Install the client software
R1(config)#webvpn install svc disk0:/sslclient-win-1.1.2.169.pkg
SSLVPN Package SSL-VPN-Client : installed successfully
4. Configure SSL VPN
R1(config)# aaa new-model
R1(config)# aaa authentication login default local // local login on the default list, so a console time-out cannot lock you out of Exec
R1(config)# aaa authentication login webvpn local
R1(config)# ip local pool ssl-add 11.1.1.10 11.1.1.20
R1(config)# username user1 password 123 // local WebVPN username and password
R1(config)# webvpn gateway vpngateway // define which interface address WebVPN listens on; at this point IOS generates a self-signed certificate automatically
R1(config-webvpn-gateway)# ip address 192.168.10.10 port 443
R1(config-webvpn-gateway)# inservice // enable the webvpn gateway
R1(config)# webvpn context webcontext // the WebVPN context, equivalent to an ASA tunnel-group; here you can define
R1(config-webvpn-context)# gateway vpngateway // bind the context to the gateway
R1(config-webvpn-context)# aaa authentication list webvpn
R1(config-webvpn-context)# inservice // enable the webvpn context
R1(config-webvpn-context)# policy group sslvpn-policy // enter the sslvpn policy group
R1(config-webvpn-group)# functions svc-enabled
R1(config-webvpn-group)# svc address-pool ssl-add // address pool assigned to SVC clients
R1(config-webvpn-group)# svc split include 192.168.20.0 255.255.255.0 // split-tunnel destination network; if not configured, the default is 0.0.0.0 (all traffic goes through the tunnel)
R1(config-webvpn-group)#exit
R1(config-webvpn-context)# default-group-policy sslvpn-policy // the policy group used by default when several policy groups are configured
Notes:
In IOS, if the address pool is not in the same subnet as the inside network, create a loopback interface in the pool's subnet to act as the gateway for the VPN clients.
A virtual-host can also be specified in the context, similar to host headers in IIS, so that several hostnames map to the same IP address.
The context can also set the appearance of the web login page, such as the logo and title.
5. Complete configuration
R1#show running-config
Building configuration...
Current configuration : 3223 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login web* local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
crypto pki trustpoint TP-self-signed-4294967295
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4294967295
revocation-check none
rsakeypair TP-self-signed-4294967295
!
!
crypto pki certificate chain TP-self-signed-4294967295
certificate self-signed 01
3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323934 39363732 3935301E 170D3038 31323135 31393039
30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32393439
36373239 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C6F2 B499879D 1CEB3638 BA59B459 A72167BB FDD2CD73 3E3E6FB6 D1347E43
8CC21C65 BAC01E28 50013497 71CF8062 C54F254C A6DB2D5A CDDB864D CFF71A50
F3C20566 1405E49B 18CE2DAB 469C58E8 5B4A1FD6 59DCBCA5 12A34543 4F6842B6
24B9A7BD CE36E98A A5463EB3 2D2C5BC0 FAA247C1 E44DB455 4537465F 18895A14
66D10203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
551D1104 06300482 02523130 1F060355 1D230418 30168014 9F7F1B46 F6903BC5
803F4AD7 2433EBD0 5813E29D 301D0603 551D0E04 1604149F 7F1B46F6 903BC580
3F4AD724 33EBD058 13E29D30 0D06092A 864886F7 0D010104 05000381 81002516
3F75E2AA 33544113 9A9179DB DFED2529 DF5A972F C2BFDE0E 0279D1F5 8D30CAC7
59BE79C6 85825281 AB2D0B08 2CA84D01 85A4DB19 8977BC82 9E59F764 ADE75E22
9A7FF37A 9D83819A 2287BE75 773FAA32 D38DD3C2 2C0DF23F 7D45D7A3 E8006C1A
6B9E0540 12483241 6EEAA0FF B31240F3 94044BCB 75210037 FEF5AD15 F49B
quit
username user1 password 0 123
!
!
!
!
!
!
interface Loopback0
ip address 11.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.10.10 255.255.255.0
duplex half
!
interface Serial1/0
ip address 10.1.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router rip
version 2
network 10.0.0.0
network 11.0.0.0
network 192.168.10.0
no auto-summary
!
ip local pool ssl-add 11.1.1.10 11.1.1.20
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
webvpn gateway vpngateway
ip address 192.168.10.10 port 443
ssl trustpoint TP-self-signed-4294967295
inservice
!
webvpn install svc disk0:/webvpn/svc.pkg
!
webvpn context webcontext
ssl authenticate verify all
!
!
policy group sslvpn-policy
functions svc-enabled
svc address-pool "ssl-add"
svc split include 192.168.20.0 255.255.255.0
default-group-policy sslvpn-policy
aaa authentication list webvpn
gateway vpngateway domain sshvpn
inservice
!
!
end
R2#show running-config
Building configuration...
Current configuration : 973 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
!
interface Loopback1
ip address 22.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.20.10 255.255.255.0
duplex half
!
interface Serial1/0
ip address 10.1.1.2 255.255.255.252
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router rip
version 2
network 10.0.0.0
network 22.0.0.0
network 192.168.20.0
no auto-summary
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end
III. Client configuration
In a browser, open https://192.168.10.10/ to reach WebVPN. A prompt appears; click "OK".
A certificate must be installed; click "Yes". The first warning is because the certificate is self-signed by the router and has not been verified by anyone; the second is because, when configuring WebVPN, you should pay attention to the certificate's validity period: the start of the validity period is often one or two days later than the current time.
A web page appears; enter the username and password and click login.
The SSL VPN Client software is then installed automatically.
Allow the ActiveX control to be installed; the installer window appears; click install.
SSL VPN Client installation in progress.
Click to install the certificate.
Once the certificate is installed, the VPN connection is established and a small yellow key icon appears at the bottom right of the screen.
IV. Verifying the configuration
The VPN status can be viewed on the client.
The split-tunnel subnets can be viewed.
The ipconfig command shows the address the client obtained.
The routing table shows a route entry pointing to 192.168.20.0.