Notes
- This configuration method does not support IPSec mode (IPSec mode has to be configured with the FlexVPN approach, which is a separate thing).
- Only username/password login is supported; certificate login is not.
- If the HTTP server is enabled, change its port: it and AnyConnect cannot listen on the same port, otherwise neither of them works properly.
Basic configuration
Deploy the client
If the client deployment package for a platform is not installed, clients on that platform cannot connect.
Install the AnyConnect client deployment package:
```
copy http://your.server.example.com/anyconnect-win-4.7.02036-webdeploy-k9.pkg bootflash:
conf t
crypto vpn anyconnect bootflash:/anyconnect-win-4.7.02036-webdeploy-k9.pkg sequence 1
```
Certificate
For convenience, a self-signed certificate is generated directly on the router here.
Generate the RSA key pair for the SSL (self-signed) certificate:
```
(config)#crypto key generate rsa label SSLVPN modulus 2048
The name for the keys will be: SSLVPN

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
```
Create the TrustPoint:
```
(config)#crypto pki trustpoint SSLVPN_CERT
(ca-trustpoint)#enrollment selfsigned
(ca-trustpoint)#subject-name CN=anyconnect.example.com
(ca-trustpoint)#rsakeypair SSLVPN
(ca-trustpoint)#exit
(config)#crypto pki enroll SSLVPN_CERT
The router has already generated a Self Signed Certificate for
trustpoint TP-self-signed-263234056.
If you continue the existing trustpoint and Self Signed Certificate
will be deleted.

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created
```
Create the user
```
aaa new-model
aaa authentication login SSLVPN_AAA local
aaa authorization network SSLVPN_AAA local
username VPNUSER password PASSWORD
```
Create the SSL VPN client IP pool
```
ip local pool SSLVPN_POOL 192.168.10.1 192.168.10.10
```
Create the SSL Proposal/Policy
These are fairly similar to the corresponding IPSec concepts.
```
crypto ssl proposal webvpn_proposal
 protection rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl policy webvpn_policy
 shut
 !
 ip interface Gi1 port 443
 ! or
 ! ip address local your.router.external.ip port 443
 pki trustpoint SSLVPN_CERT sign
 ssl proposal webvpn_proposal
 no shut
```
Create the SSL Authorization Policy
This is the data pushed down to the client when it connects.
```
crypto ssl authorization policy webvpn_authorization_policy1
 banner Welcome to our super secure company VPN!
 client profile profile1
 def-domain example.com
 dns 1.1.1.1 1.0.0.1
 dpd client 500
 include-local-lan
 keepalive 500
 netmask 255.255.255.0
 pool SSLVPN_POOL
 smartcard-removal-disconnect
```
Create the SSL Profile
Used by the server to verify that what the client sends (the various headers, the user account) is correct. Note that `group override` must be used here.
```
crypto ssl profile webvpn_profile1
 match policy webvpn_policy
 ! if you need a specific host header to be matched:
 ! match url https://example.com/test1
 aaa accounting user-pass list SSLVPN_AAA
 aaa authentication user-pass list SSLVPN_AAA
 aaa authorization group override user-pass list SSLVPN_AAA webvpn_authorization_policy1
 authentication remote user-pass
 max-users 100
 no shut
```
NAT
The interface called SSLVPN-VIF0 cannot be configured, and does not need to be.
```
interface Gi1
 ip nat outside
ip access-list standard nat_allowed
 10 permit 192.168.10.0 0.0.0.255
ip nat inside source list nat_allowed interface Gi1 overload
```
Debugging
The client reports "Connection failed due to server communication errors" before the login prompt even appears: check whether something else is conflicting with AnyConnect's port.
"User not authorized to access full tunnel": the `aaa authorization group override ...` line is missing.
Other problems can be debugged with `debug crypto ssl aaa` and `debug crypto ssl tunnel errors`.
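The two misconfigurations above (an HTTP server sharing AnyConnect's port, and a profile without `aaa authorization group override`) are both visible in the running config before any client tries to connect. The following Python linter is an added example, not part of the original post or of Cisco's tooling: it parses a config text into top-level blocks and flags both problems. It assumes IOS-XE defaults of TCP 80 for `ip http server` and TCP 443 for `ip http secure-server` (overridden by `ip http port` / `ip http secure-port`), and assumes an SSL policy without an explicit `port` keyword listens on 443; the sample configs are constructed.

```python
import re

# Constructed sample: `ip http secure-server` on its default port (443)
# next to an SSL policy bound to 443, and an SSL profile that lacks the
# `aaa authorization group override` line.
BROKEN_CONFIG = """\
ip http server
ip http secure-server
!
crypto ssl proposal webvpn_proposal
 protection rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl policy webvpn_policy
 ip interface Gi1 port 443
 ! ip address local 198.51.100.1 port 443
 pki trustpoint SSLVPN_CERT sign
 ssl proposal webvpn_proposal
 no shut
crypto ssl profile webvpn_profile1
 match policy webvpn_policy
 aaa authentication user-pass list SSLVPN_AAA
 authentication remote user-pass
 no shut
"""

# Same config with the HTTPS server moved to 8443 and the override added.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "ip http secure-server\n", "ip http secure-server\nip http secure-port 8443\n"
).replace(
    " aaa authentication user-pass list SSLVPN_AAA\n",
    " aaa authentication user-pass list SSLVPN_AAA\n"
    " aaa authorization group override user-pass list SSLVPN_AAA webvpn_authorization_policy1\n",
)


def blocks(config):
    """Split an IOS-style config into (header, [indented body lines]).
    Blank lines and `!` comment lines are ignored."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace():
            if out:
                out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out


def http_listen_ports(config):
    """TCP ports the IOS-XE HTTP server occupies (assumed defaults 80/443)."""
    ports = set()
    if re.search(r"^ip http server\s*$", config, re.M):
        m = re.search(r"^ip http port (\d+)", config, re.M)
        ports.add(int(m.group(1)) if m else 80)
    if re.search(r"^ip http secure-server\s*$", config, re.M):
        m = re.search(r"^ip http secure-port (\d+)", config, re.M)
        ports.add(int(m.group(1)) if m else 443)
    return ports


def ssl_policy_ports(config):
    """Map each `crypto ssl policy` name to the port it listens on."""
    ports = {}
    for header, body in blocks(config):
        if not header.startswith("crypto ssl policy "):
            continue
        port = 443  # assumption: default when no `port` keyword is given
        for line in body:
            m = re.match(r"ip (?:interface \S+|address local \S+) port (\d+)", line)
            if m:
                port = int(m.group(1))
        ports[header.split()[-1]] = port
    return ports


def lint(config):
    """Return human-readable findings for the two pitfalls from the post."""
    findings = []
    http = http_listen_ports(config)
    for name, port in ssl_policy_ports(config).items():
        if port in http:
            findings.append(
                f"port conflict: ssl policy {name} and the http server both use TCP {port}"
            )
    for header, body in blocks(config):
        if header.startswith("crypto ssl profile "):
            if not any(l.startswith("aaa authorization group override") for l in body):
                findings.append(
                    f"ssl profile {header.split()[-1]}: missing "
                    "'aaa authorization group override' "
                    "(clients get 'User not authorized to access full tunnel')"
                )
    return findings


if __name__ == "__main__":
    for finding in lint(BROKEN_CONFIG):
        print(finding)
    print("fixed config findings:", lint(FIXED_CONFIG))
```

Run it against the output of `show running-config`; an empty list means neither of the two pitfalls is present, and a non-empty list names the block to fix.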
References:
Excuse me, does CSR1KV require buying a license?
Hello, yes it does, and it's quite expensive...
OK, thanks!