
SSL VPN (WebVPN) on a Cisco router

Upload the AnyConnect client package to the router:
copy ftp://1.1.1.1/anyconnect-win-4.7.03052-webdeploy-k9.pkg flash:

Register the AnyConnect client package:
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.7.03052-webdeploy-k9.pkg sequence 1
!

Configure AAA and the WebVPN (self-signed) certificate:
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login SSLVPN_AAA local
!
aaa session-id common
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=fdenofa-SSLVPN.hktmpls.com
 revocation-check crl
 rsakeypair SSLVPN_KEYPAIR
!
crypto pki certificate chain SSLVPN_CERT
!
(On 29xx-series routers, generating the certificate fails with an error. This is caused by the validity period of the router's default certificate, which cannot extend beyond 2019.
Workaround: set the router clock to 2019 or earlier before generating the certificate.)

Configure the VPN client address pool:
ip local pool SSLVPN_POOL 192.168.2.10 192.168.2.250

Configure WebVPN:
!
interface Virtual-Template4
 ip unnumbered GigabitEthernet0/1
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map oversea
!
!
ip http server
ip http secure-server
!
!
webvpn gateway SSLVPN_GATEWAY
 ip address 1.2.4.6 port 8844
 http-redirect port 80
 ssl trustpoint SSLVPN_CERT
 inservice
!
webvpn context SSL_Context
 virtual-template 4
 aaa authentication list SSLVPN_AAA
 gateway SSLVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSL_Policy
   functions svc-enabled
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
   svc dns-server primary 8.8.8.8
 default-group-policy SSL_Policy
!

The complete configuration is as follows:
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login SSLVPN_AAA local
!
aaa session-id common
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=fdenofa-SSLVPN.hktmpls.com
 revocation-check crl
 rsakeypair SSLVPN_KEYPAIR
!
crypto pki certificate chain SSLVPN_CERT
!
object-group network chnroutes
 1.0.1.0 255.255.255.0
!
username user1 password 0 tw5k9t
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.7.03052-webdeploy-k9.pkg sequence 1
!
interface GigabitEthernet0/1
 ip address 1.2.4.6 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map oversea
 duplex auto
 speed auto
!
!
interface Virtual-Template4
 ip unnumbered GigabitEthernet0/1
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map oversea
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 object-group chnroutes
!
ip nat inside source route-map oversea interface GigabitEthernet0/1 overload
!
ip local pool SSLVPN_POOL 192.168.2.10 192.168.2.250
!
route-map oversea permit 10
 match ip address 101
 set ip next-hop 1.2.4.5
!
ip http server
ip http secure-server
!
!
webvpn gateway SSLVPN_GATEWAY
 ip address 1.2.4.6 port 8844
 http-redirect port 80
 ssl trustpoint SSLVPN_CERT
 inservice
!
webvpn context SSL_Context
 virtual-template 4
 aaa authentication list SSLVPN_AAA
 gateway SSLVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSL_Policy
   functions svc-enabled
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
   svc dns-server primary 8.8.8.8
 default-group-policy SSL_Policy
!

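A small review script, added here as an example and not part of the original post, that reads an IOS running-config like the one above and reports the weak settings (type 0 password, plain HTTP server, self-signed gateway certificate) and any dangling references between the gateway, context, trustpoint, AAA list and address pool. The embedded sample is constructed to mirror this page's configuration and reuses its object names.

```python
import re

# Constructed sample mirroring the page's WebVPN configuration (same object names).
SAMPLE_CONFIG = """\
aaa authentication login SSLVPN_AAA local
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
username user1 password 0 tw5k9t
ip local pool SSLVPN_POOL 192.168.2.10 192.168.2.250
ip http server
ip http secure-server
webvpn gateway SSLVPN_GATEWAY
 ip address 1.2.4.6 port 8844
 ssl trustpoint SSLVPN_CERT
webvpn context SSL_Context
 aaa authentication list SSLVPN_AAA
 gateway SSLVPN_GATEWAY
 policy group SSL_Policy
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
 default-group-policy SSL_Policy
"""

# (definition pattern, reference pattern): a referenced name that is never defined leaves
# the gateway or context without its certificate, AAA list, pool or policy.
CROSS_REFS = {
    "trustpoint": (r"^crypto pki trustpoint (\S+)", r"^\s*ssl trustpoint (\S+)"),
    "aaa list": (r"^aaa authentication login (\S+)", r"^\s*aaa authentication list (\S+)"),
    "address pool": (r"^ip local pool (\S+)", r'^\s*svc address-pool "?([^"\s]+)'),
    "gateway": (r"^webvpn gateway (\S+)", r"^\s*gateway (\S+)"),
    "policy group": (r"^\s*policy group (\S+)", r"^\s*default-group-policy (\S+)"),
}

def lint_webvpn(config: str) -> list[str]:
    findings, lines = [], [ln.rstrip() for ln in config.splitlines()]
    for ln in lines:
        s = ln.strip()
        m = re.match(r"username (\S+) (?:privilege \d+ )?password (?:(\d) )?", s)
        if m:  # 'password' stores type 0 (clear) or type 7 (trivially reversible)
            findings.append(f"reversible password (type {m.group(2) or '0'}) for user '{m.group(1)}'; use 'username ... secret'")
        if s == "ip http server":
            findings.append("plain HTTP management server enabled; keep only 'ip http secure-server'")
        if s == "enrollment selfsigned":
            findings.append("self-signed gateway certificate: clients cannot verify the gateway identity")
    for kind, (def_re, ref_re) in CROSS_REFS.items():
        defined = {m.group(1) for m in (re.match(def_re, ln) for ln in lines) if m}
        for ln in lines:
            m = re.match(ref_re, ln)
            if m and m.group(1) not in defined:
                findings.append(f"{kind} '{m.group(1)}' is referenced but never defined")
    return findings
```

Run it against the output of `show running-config` (for example `lint_webvpn(open("running-config").read())`); indentation is ignored, so a flattened copy of the config like the one in this post also works.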
Original article by admin. If reposting, please cite the source: https://www.cnyen.com/archives/45