SSL VPN is the simplest and most secure technology for giving remote users access to sensitive company data. Compared with the complex IPSec VPN, SSL provides remote connectivity in a simple, easy-to-use way. Any machine with a browser can use an SSL VPN, because SSL is built into the browser; unlike a traditional IPSec VPN, it does not require client software to be installed on every client machine.
The lab platform software is as follows:
Router IOS: c7200-advipservicesk9_li-mz.124-11.t.bin
SSL VPN client software: sslclient-win-1.1.3.173.pkg (supports XP only; for versions newer than XP, download it from Cisco or extract it from the latest SDM)
Client: XP
Topology diagram:
Step 1: Basic router connectivity configuration
```
R1#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down
FastEthernet1/0        2.2.2.1         YES manual up                    up
FastEthernet1/1        unassigned      YES unset  administratively down down
Loopback0              1.1.1.1         YES manual up                    up
Loopback1              9.9.9.9         YES manual up                    up
```
Step 2: Install the client package
```
R1#format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:". Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
.....................................................................................................................................................
Monlib write complete
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 130883
Format: Total bytes in formatted partition: 67012096
Format: Operation completed successfully.
Format of disk0 complete
SSL#copy tftp disk0:
Address or name of remote host []? 2.2.2.3
Source filename []? sslclient-win-1.1.3.173.pkg
Destination filename [sslclient-win-1.1.3.173.pkg]?
Accessing tftp://2.2.2.3/sslclient-win-1.1.3.173.pkg...
Loading sslclient-win-1.1.3.173.pkg from 2.2.2.3 (via FastEthernet0/0): !!
[OK - 416354 bytes]
416354 bytes copied in 16.064 secs (25918 bytes/sec)
SSL#dir disk0:
Directory of disk0:/
    1  -rw-      416354  Mar 24 2010 18:45:20 +08:00  sslclient-win-1.1.3.173.pkg
66846720 bytes total (66428928 bytes free)
R1(config)#webvpn install svc disk0:/sslclient-win-1.1.3.173.pkg   // install the client package
SSLVPN Package SSL-VPN-Client : installed successfully
```
Step 3: Basic login configuration
```
interface Loopback0                              // set as the SSL VPN gateway
 ip address 1.1.1.1 255.255.255.0
!
aaa new-model
!
aaa authentication login sslvpn local            // authentication method
!
ip local pool sslvpn-pool 1.1.1.2 1.1.1.7        // address pool to assign from
username sslvpn password 0 sslvpn                // login username and password
```
Step 4: Main SSL VPN configuration
```
webvpn gateway sslvpngateway                     // configure the SSL VPN gateway
 ip interface FastEthernet1/0 port 443           // listening interface and port
 ssl trustpoint TP-self-signed-4294967295
 inservice                                       // enable the gateway
!
webvpn install svc disk0:/webvpn/svc.pkg
!
webvpn context sslvpntext                        // configure the context
 ssl authenticate verify all
 !
 !
 policy group sslvpn-policy                      // create the policy group
   functions svc-enabled                         // enable the SSL VPN client (SVC) tunnel
   svc address-pool "sslvpn-pool"                // bind the address pool
 default-group-policy sslvpn-policy              // use this policy by default
 aaa authentication list sslvpn                  // bind the authentication list
 gateway sslvpngateway                           // bind the gateway
 inservice                                       // enable the context
```
Step 5: Verification
On the client machine, browse to https://2.2.2.1
Click View Certificate - Install Certificate - OK
Enter the username and password
On success, you are redirected to the following page, and the client is downloaded and installed
After the installation succeeds, a key icon appears at the bottom right of the desktop. Opening it shows the following: an address has been assigned successfully:
Try pinging the router; the SSL VPN connection is up
View the SSL VPN information on the router:
```
R1#show ip local pool
 Pool                     Begin           End             Free  In use
 sslvpn-pool              1.1.1.2         1.1.1.7            5       1
R1#show webvpn session user sslvpn context all
WebVPN user name = sslvpn ; IP address = 2.2.2.3 ; context = sslvpntext
    No of connections: 1
    Created 00:24:26, Last-used 00:10:38
    STC IP address 1.1.1.4 netmask 255.255.255.0
    CSTP Started 00:23:22, Last-recieved 00:00:37
    CSTP DPD-Request sent 0
    Client Port: 59191
  User Policy Parameters
    Group name = sslvpn-policy
  Group Policy Parameters
    idle timeout = 2100 sec
    session timeout = 43200 sec
    functions =
            svc-enabled
    citrix disabled
    address pool name = "sslvpn-pool"
    dpd client timeout = 300 sec
    dpd gateway timeout = 300 sec
    keep sslvpn client installed = disabled
    rekey interval = 3600 sec
    rekey method =
    lease duration = 43200 sec
```
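As an added example that is not part of the original post, the Python script below audits an IOS webvpn configuration like the one built in steps 3 and 4: it flags the cleartext `password 0` credential, the self-signed trustpoint that forces users to click through a browser certificate warning, a gateway or context missing `inservice`, and any address pool, AAA list or gateway that a context references but that is not defined. The sample configuration is constructed from this page's commands (abridged); the function names are my own.

```python
import re
# Constructed sample input: the SSL VPN configuration from this page (abridged).
SAMPLE_CONFIG = """\
aaa authentication login sslvpn local
ip local pool sslvpn-pool 1.1.1.2 1.1.1.7
username sslvpn password 0 sslvpn
webvpn gateway sslvpngateway
 ip interface FastEthernet1/0 port 443
 ssl trustpoint TP-self-signed-4294967295
 inservice
webvpn context sslvpntext
 policy group sslvpn-policy
   svc address-pool "sslvpn-pool"
 aaa authentication list sslvpn
 gateway sslvpngateway
 inservice
"""

def parse_blocks(config):
    # Top-level lines plus the indented body of each 'webvpn gateway'/'webvpn context' block, keyed by (kind, name).
    top, blocks, current = [], {}, None
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and current:
            blocks.setdefault(current, []).append(line.strip())
            continue
        top.append(line)
        m = re.match(r"webvpn (gateway|context) (\S+)", line)
        current = m.groups() if m else None
    return top, blocks

def audit_webvpn(config):
    top, blocks = parse_blocks(config)
    defined = lambda pat: {m.group(1) for m in map(re.compile(pat).match, top) if m}
    pools, lists = defined(r"ip local pool (\S+)"), defined(r"aaa authentication login (\S+)")
    gateways = {name for kind, name in blocks if kind == "gateway"}
    # 'password 0' stores the credential as cleartext in the running config and in every backup of it.
    findings = [f"username {u}: cleartext (type 0) password" for u in defined(r"username (\S+) password 0 ")]
    for (kind, name), body in blocks.items():
        if "inservice" not in body:  # without 'inservice' the gateway/context is configured but down
            findings.append(f"{kind} {name}: not inservice")
        for l in body:
            if l.startswith("ssl trustpoint TP-self-signed-"):  # users must click through a browser warning
                findings.append(f"{kind} {name}: self-signed certificate")
            for pat, known, what in ((r'svc address-pool "?([^"]+)"?', pools, "address pool"),
                                     (r"aaa authentication list (\S+)", lists, "aaa list"),
                                     (r"gateway (\S+)", gateways, "gateway")):
                m = re.match(pat, l)
                if m and m.group(1) not in known:  # dangling reference, clients would fail to connect
                    findings.append(f"{kind} {name}: {what} {m.group(1)} is not defined")
    return findings
```

Run it against a configuration exported with `show running-config | section webvpn|aaa|username|ip local pool`, and treat each finding as something to fix before the gateway goes into service.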
Reposted from: https://blog.51cto.com/leadlxx/737414