Introduction
SSL VPN is a common requirement in public-cloud environments: it gives a simple way to reach hosts in the cloud. On public clouds Cisco can provide SSL VPN on the CSR1000V virtual router or on the ASA virtual firewall.
This post walks through the SSL VPN configuration on the CSR1000V virtual router.
Besides the SSL VPN configuration on the CSR1000V itself, you also have to open the cloud security group for the CSR1000V (the listener below uses TCP 443) and permit traffic from the SSL VPN address pool toward the hosts it should reach. Those public-cloud steps are not repeated here.
1. Create a self-signed certificate
Generate the RSA key pair
crypto key generate rsa general-keys label SSLVPN modulus 2048
(The original post used "module 1024": the keyword is modulus, and a 1024-bit key is too short for a certificate presented to clients over the Internet; 2048 is the minimum to use today. A self-signed certificate will also trigger a warning in AnyConnect, so for production use a certificate from a CA the clients trust.)
Create the trustpoint and self-sign the certificate
crypto pki trustpoint SSLVPN
enrollment selfsigned
subject-name cn=SSLVPN
revocation-check none
rsakeypair SSLVPN
crypto pki enroll SSLVPN
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
2. Upload the AnyConnect package
copy tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg bootflash:/
Address or name of remote host [10.0.0.150]?
Source filename [anyconnect-win-3.1.05160-k9.pkg]?
Destination filename [anyconnect-win-3.1.05160-k9.pkg]?
Accessing tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg...!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-3.1.05160-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2635734 bytes copied in 4.480 secs (658933 bytes/sec)
Register the uploaded package so the router serves it to clients
crypto vpn anyconnect bootflash:/anyconnect-win-3.1.05160-k9.pkg sequence 1
3. Create the user authentication policy
aaa new-model
aaa authentication login SSLVPN local
aaa authorization network SSLVPN local
username cisco password cisco
(For anything beyond a lab, use username <name> secret <password>: "password" is stored in cleartext or as reversible type 7, while "secret" is hashed. Do not keep cisco/cisco.)
4. Configure the VPN address pool
ip local pool sslpool 192.168.10.1 192.168.10.20
(The original post named the pool sslvpn while the authorization policy in step 8 references sslpool, and its end address was 192.168.100.20, which does not fit the 255.255.255.0 netmask handed to clients. The pool name must match the one referenced in the authorization policy, and the range must lie within that netmask.)
5. Configure the cipher proposal
crypto ssl proposal proposal1
protection rsa-aes256-sha1 rsa-aes128-sha1
(The original post also offered rsa-3des-ede-sha1 and rsa-rc4128-md5. RC4, 3DES and MD5 are deprecated and should not be offered on an Internet-facing listener; AnyConnect negotiates AES without them.)
6. Define the networks routed through the tunnel (split tunnel)
ip access-list standard sslacl
permit 10.200.0.0 0.0.255.255
7. Configure the SSL VPN policy (the TLS listener)
crypto ssl policy policy1
ssl proposal proposal1
pki trustpoint SSLVPN sign
ip interface GigabitEthernet1 port 443
no shutdown
8. Configure the SSL VPN authorization policy
crypto ssl authorization policy policy1
mtu 1200
module gina
keepalive 500
dpd-interval client 1000
netmask 255.255.255.0
smartcard-removal-disconnect
include-local-lan
pool sslpool
dns 10.200.2.11
banner This is SSL VPN tunnel.
route set access-list sslacl
timeout disconnect 10000
9. Configure the SSL VPN profile (ties the policy, AAA lists and authorization policy together)
crypto ssl profile profile1
match policy policy1
aaa authentication user-pass list SSLVPN //the AAA authentication list from step 3
aaa authorization group user-pass list SSLVPN policy1 //the AAA authorization list from step 3 and the SSL VPN authorization policy from step 8
authentication remote user-pass
no shutdown
(The original post had "list SSLVN", which does not match the list defined in step 3; the names must be identical or authorization fails. The profile is administratively down until no shutdown is issued under it.)
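As an added check (example code written for this page, not from the original post or from Cisco), the following Python script lints the commands from steps 1 to 9 for the mistakes that break or weaken this kind of deployment: a short RSA modulus, deprecated ciphers in the proposal, "username ... password" instead of "secret", a missing "aaa new-model", an address pool whose name or range does not match the authorization policy, and AAA list or authorization policy names referenced by the profile that were never defined. SAMPLE_CONFIG is constructed from these steps with those mistakes deliberately present; the function name lint_sslvpn_config, the 2048-bit threshold and the weak-cipher markers are my own choices.

```python
"""Lint an IOS XE SSL VPN (CSR1000V) configuration for mistakes that silently break
or weaken it. Added example, not code from the original post or from Cisco."""
import ipaddress
import re

MIN_RSA_MODULUS = 2048
WEAK_CIPHER_MARKERS = ("rc4", "3des", "md5")

# Constructed sample (trimmed to the lines the checks inspect). Mistakes left in on
# purpose: 1024-bit key, RC4/3DES/MD5 ciphers, reversible password, no 'aaa
# new-model', pool named differently from the policy's reference, 'SSLVN' typo.
SAMPLE_CONFIG = """\
crypto key generate rsa general-keys label SSLVPN modulus 1024
aaa authentication login SSLVPN local
aaa authorization network SSLVPN local
username cisco password cisco
ip local pool sslvpn 192.168.10.1 192.168.100.20
crypto ssl proposal proposal1
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl authorization policy policy1
 netmask 255.255.255.0
 pool sslpool
crypto ssl profile profile1
 match policy policy1
 aaa authentication user-pass list SSLVPN
 aaa authorization group user-pass list SSLVN policy1
"""


def lint_sslvpn_config(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings, pools, aaa_lists, proposals, authz, profiles = [], {}, set(), {}, {}, {}
    blocks = {"proposal": proposals, "authorization policy": authz, "profile": profiles}
    has_aaa_new_model, section = False, None  # section = (kind, name) of the open block

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if not raw.startswith(" "):  # top-level command: closes any open block
            section = None
            if m := re.match(r"crypto key generate rsa .*modulus (\d+)", line):
                if int(m.group(1)) < MIN_RSA_MODULUS:
                    findings.append(f"RSA modulus {m.group(1)} is below {MIN_RSA_MODULUS} bits")
            elif line == "aaa new-model":
                has_aaa_new_model = True
            elif m := re.match(r"aaa (?:authentication login|authorization network) (\S+)", line):
                aaa_lists.add(m.group(1))
            elif m := re.match(r"username (\S+) password ", line):
                findings.append(f"user {m.group(1)} uses 'password' (reversible); use 'secret'")
            elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
                pools[m.group(1)] = (m.group(2), m.group(3))
            elif m := re.match(r"crypto ssl (proposal|authorization policy|profile) (\S+)", line):
                section = (m.group(1), m.group(2))
                blocks[m.group(1)][m.group(2)] = {}
            continue
        if section is None:  # indented line of a block we do not track
            continue
        kind, name = section
        if kind == "proposal" and tokens[0] == "protection":
            proposals[name]["ciphers"] = tokens[1:]
        elif kind == "authorization policy" and tokens[0] in ("pool", "netmask"):
            authz[name][tokens[0]] = tokens[1]
        elif kind == "profile" and tokens[:2] == ["aaa", "authentication"]:
            profiles[name]["authn"] = tokens[-1]
        elif kind == "profile" and tokens[:2] == ["aaa", "authorization"]:
            profiles[name]["authz_list"], profiles[name]["authz_policy"] = tokens[-2], tokens[-1]

    if not has_aaa_new_model:
        findings.append("'aaa new-model' is missing; the named AAA lists never take effect")
    for name, p in proposals.items():
        for cipher in p.get("ciphers", []):
            if any(w in cipher for w in WEAK_CIPHER_MARKERS):
                findings.append(f"proposal {name} offers weak cipher {cipher}")
    for name, a in authz.items():  # the pool must exist and fit the netmask given to clients
        pool = a.get("pool")
        if pool not in pools:
            findings.append(f"authorization policy {name} references undefined pool '{pool}'")
        elif "netmask" in a:
            start, end = pools[pool]
            net = ipaddress.ip_network(f"{start}/{a['netmask']}", strict=False)
            if ipaddress.ip_address(end) not in net:
                findings.append(f"pool {pool} range {start}-{end} does not fit netmask {a['netmask']}")
    for name, pr in profiles.items():  # every name the profile points at must be defined
        for key in ("authn", "authz_list"):
            if pr.get(key) not in aaa_lists:
                findings.append(f"profile {name} references undefined AAA list '{pr.get(key)}'")
        if pr.get("authz_policy") not in authz:
            findings.append(f"profile {name} references undefined authorization policy '{pr.get('authz_policy')}'")
    return findings
```

Run it against the output of show running-config (pasted into a string) before bringing the listener up; on the sample above it reports seven findings, and once the key is regenerated at 2048 bits, the weak ciphers dropped, "aaa new-model" added, the pool named and sized to match the authorization policy and the list name corrected to SSLVPN, it reports none. The "crypto key generate" line is an exec command and will not appear in a running configuration, in which case that check is simply skipped.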