Configuring AnyConnect SSL VPN on Cisco CSR1000v (IOS XE 16.x)

Notes

  • This configuration method does not support IPsec mode (IPsec mode has to be configured with FlexVPN, which is a separate set of configuration)
  • Only username/password login is supported; certificate login is not supported

If the HTTP server is enabled, move it to another port: it cannot listen on the same port as AnyConnect, otherwise neither of them works properly.

ip http secure-port 8443

Basic configuration

Deploying the client

If the client deployment package for a platform is not deployed, clients on that platform cannot connect.

Install the AnyConnect client deployment package:

copy http://your.server.example.com/anyconnect-win-4.7.02036-webdeploy-k9.pkg bootflash:
conf t
crypto vpn anyconnect bootflash:/anyconnect-win-4.7.02036-webdeploy-k9.pkg sequence 1

Certificate

For convenience, a self-signed certificate is generated directly on the router.

Generate the RSA key pair for the SSL certificate:

(config)#crypto key generate rsa label SSLVPN modulus 2048
The name for the keys will be: SSLVPN

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

Create the trustpoint:

(config)#crypto pki trustpoint SSLVPN_CERT
(ca-trustpoint)#enrollment selfsigned 
(ca-trustpoint)#subject-name CN=anyconnect.example.com
(ca-trustpoint)#rsakeypair SSLVPN
(ca-trustpoint)#exit
(config)#crypto pki enroll SSLVPN_CERT
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-263234056.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no 
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

Create users

aaa new-model
aaa authentication login SSLVPN_AAA local
aaa authorization network SSLVPN_AAA local
username VPNUSER password PASSWORD

Create the SSL VPN client IP pool

ip local pool SSLVPN_POOL 192.168.10.1 192.168.10.10

Create the SSL proposal/policy

These correspond closely to the equivalent IPsec concepts.

crypto ssl proposal webvpn_proposal
protection rsa-aes128-sha1 rsa-aes256-sha1 

crypto ssl policy webvpn_policy
shut
! 
ip interface Gi1 port 443
! or
! ip address local your.router.external.ip port 443
pki trustpoint SSLVPN_CERT sign 
ssl proposal webvpn_proposal
no shut

Create the SSL authorization policy

This is the data pushed down to the client when it connects.

crypto ssl authorization policy webvpn_authorization_policy1
banner Welcome to our super secure company VPN!
client profile profile1
def-domain example.com
dns 1.1.1.1 1.0.0.1
dpd client 500
include-local-lan 
keepalive 500
netmask 255.255.255.0
pool SSLVPN_POOL
smartcard-removal-disconnect

Create the SSL profile

Used by the server to validate the data sent by the client (the various headers and the user account). Note that group override must be used here.

crypto ssl profile webvpn_profile1
match policy webvpn_policy
! if you need specific host header to be matched:
! match url https://example.com/test1
aaa accounting user-pass list SSLVPN_AAA
aaa authentication user-pass list SSLVPN_AAA
aaa authorization group override user-pass list SSLVPN_AAA webvpn_authorization_policy1
authentication remote user-pass 
max-users 100
no shut

NAT

The interface named SSLVPN-VIF0 cannot be configured and does not need to be.

interface Gi1
ip nat outside
ip access-list standard nat_allowed
10 permit 192.168.10.0 0.0.0.255 
ip nat inside source list nat_allowed interface Gi1 overload

Troubleshooting

The client reports "Connection failed due to server communication errors" before the login prompt even appears: check whether something else is conflicting with the AnyConnect port.

"User not authorized to access full tunnel": the "aaa authorization group override ..." line is missing.

Other problems can be debugged with debug crypto ssl aaa and debug crypto ssl tunnel errors.
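The two failures described above both come down to a config line that is wrong or missing, so they can be caught before a client ever connects. The following script is an added example (it is not part of the original post and not a Cisco tool): it parses a running-config excerpt laid out the way "show running-config" prints it and flags the HTTP-server port conflict (assuming the IOS default of 443 when "ip http secure-port" is not set), a crypto ssl profile without "aaa authorization group override", an SSL profile referencing a method list that was never defined (which is exactly what a typo such as "authentcation" produces), and a "username ... password" line where "username ... secret" would store a hash instead. The two configs embedded in it are constructed from the post's own names; the finding codes are my own.

```python
"""Lint a CSR1000v AnyConnect SSL VPN config for the pitfalls described in the post.

Added example, not code from the original post.  Assumes the config uses the
one-space sub-line indentation of 'show running-config' and that the HTTPS
server listens on 443 when 'ip http secure-port' is absent (IOS XE default).
"""
import re

HTTP_SECURE_DEFAULT_PORT = 443  # IOS XE default for 'ip http secure-server'


def parse_blocks(config):
    """Return (top-level lines, {block header: [indented sub-lines]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no config
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def defined_lists(top, prefix):
    """Names of AAA method lists defined with e.g. 'aaa authentication login <name> ...'."""
    return {l.split()[3] for l in top if l.startswith(prefix) and len(l.split()) > 3}


def lint(config):
    """Return a sorted list of finding codes (empty list means nothing found)."""
    top, blocks = parse_blocks(config)
    findings = set()

    # Ports the crypto ssl policy listens on ('ip interface ... port N' / 'ip address local ... port N')
    ssl_ports = set()
    for header, body in blocks.items():
        if header.startswith("crypto ssl policy "):
            for line in body:
                m = re.search(r"\bport (\d+)$", line)
                if m:
                    ssl_ports.add(int(m.group(1)))

    # 1. HTTPS server sharing the AnyConnect port -> "server communication errors"
    if "ip http secure-server" in top:
        http_port = HTTP_SECURE_DEFAULT_PORT
        for line in top:
            m = re.match(r"ip http secure-port (\d+)$", line)
            if m:
                http_port = int(m.group(1))
        if http_port in ssl_ports:
            findings.add(f"http-port-conflict:{http_port}")

    auth_lists = defined_lists(top, "aaa authentication login ")
    authz_lists = defined_lists(top, "aaa authorization network ")

    for header, body in blocks.items():
        if not header.startswith("crypto ssl profile "):
            continue
        name = header.split()[-1]
        # 2. No group override -> "User not authorized to access full tunnel"
        if not any(l.startswith("aaa authorization group override") for l in body):
            findings.add(f"missing-group-override:{name}")
        # 3. Referenced method lists must exist (catches 'authentcation'-style typos)
        for l in body:
            m = re.match(r"aaa authentication user-pass list (\S+)", l)
            if m and m.group(1) not in auth_lists:
                findings.add(f"undefined-authentication-list:{m.group(1)}")
            m = re.match(r"aaa authorization group override user-pass list (\S+)", l)
            if m and m.group(1) not in authz_lists:
                findings.add(f"undefined-authorization-list:{m.group(1)}")

    # 4. 'username ... password' keeps a reversible/plaintext credential; 'secret' stores a hash
    for l in top:
        m = re.match(r"username (\S+) password ", l)
        if m:
            findings.add(f"plaintext-password:{m.group(1)}")

    return sorted(findings)


# Constructed sample: HTTPS server on the default port, a typo in the
# authentication list, no group override, credential stored with 'password'.
BROKEN_CONFIG = """\
ip http secure-server
aaa new-model
aaa authentcation login SSLVPN_AAA local
aaa authorization network SSLVPN_AAA local
username VPNUSER password PASSWORD
crypto ssl policy webvpn_policy
 ip interface Gi1 port 443
 pki trustpoint SSLVPN_CERT sign
 ssl proposal webvpn_proposal
crypto ssl profile webvpn_profile1
 match policy webvpn_policy
 aaa authentication user-pass list SSLVPN_AAA
 authentication remote user-pass
"""

# Constructed sample: the same config with the four problems corrected.
FIXED_CONFIG = """\
ip http secure-server
ip http secure-port 8443
aaa new-model
aaa authentication login SSLVPN_AAA local
aaa authorization network SSLVPN_AAA local
username VPNUSER secret PASSWORD
crypto ssl policy webvpn_policy
 ip interface Gi1 port 443
 pki trustpoint SSLVPN_CERT sign
 ssl proposal webvpn_proposal
crypto ssl profile webvpn_profile1
 match policy webvpn_policy
 aaa authentication user-pass list SSLVPN_AAA
 aaa authorization group override user-pass list SSLVPN_AAA webvpn_authorization_policy1
 authentication remote user-pass
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Feed it the output of "show running-config" (or the relevant sections) and treat every finding as something to fix before testing with a client; the checks are deliberately narrow so that an empty result means only that these specific pitfalls are absent, not that the VPN is correctly configured.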
