Cisco IOS-XE配置SSL连接

本次实验基于CISCO CSR1000V的虚拟路由器进行

实验拓扑

实验拓扑

实验配置

hostname csr1kv
!
aaa new-model
!
aaa authentication suppress null-username
aaa authentication login sslvpn local
aaa authorization network sslvpn local 
!
no ip domain lookup
!
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 subject-name cn=csr1kv.local
 revocation-check none
 rsakeypair csr1kv.local
!         
!
crypto pki certificate chain csr1kv.local
 certificate self-signed 01
  B84230DF 77267A70 ADBEF775 3791C3CF EF45FF13 637343C9 9589D487 E0F4D050 
  3E1A1CEE CEFCC9F8 168F91A2 D62EE440 A1674943 D20F8EDB DB465130 109147BE 
  99C342C5 921D3DBD 910CBECB 5638
        quit
#此处为自签名证书,具体的生成过程略。
!
username admin privilege 15 secret 5 $1$bVLV$u0lFX9bJ3IFSF7M6R7UFe.
username cisco password 7 060506324F41
!
! 
crypto ssl proposal sslvpn-proposal 
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
#SSL的加密策略
!
crypto ssl authorization policy sslvpn-auth-policy 
 pool sslvpn
 dns 10.1.1.100
 def-domain iteachs.com
 route set access-list sslvpn-tunnel
 #SSL的授权策略
!
crypto ssl policy sslvpn-policy 
 ssl proposal sslvpn-proposal
 pki trustpoint csr1kv.local sign
 ip address local 202.100.1.100 port 443
!
crypto ssl profile sslvpn-profile 
 match policy sslvpn-policy 
 aaa authentication user-pass list sslvpn 
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy 
 authentication remote user-pass 
 max-users 100
!
!
crypto vpn anyconnect bootflash:/anyconnect-win-4.6.03049-webdeploy-k9.pkg sequence 1
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 202.100.1.100 255.255.255.0
 negotiation auto
!
ip local pool sslvpn 172.16.1.1 172.16.1.100
ip route 192.168.100.0 255.255.255.0 202.100.1.1
ip access-list standard sslvpn-tunnel
 permit 10.1.1.0 0.0.0.255
!

相关查看

csr1kv#show version 
Cisco IOS XE Software, Version 03.16.06.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 24-Jul-17 20:01 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

csr1kv uptime is 39 minutes
Uptime for this control processor is 40 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 1090313K/6147K bytes of memory.
Processor board ID 9ZMT9E7R1HJ
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3022272K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

csr1kv#
csr1kv#show crypto ssl session 
SSL profile name: sslvpn-profile
Client_Login_Name  Client_IP_Address  No_of_Connections  Created  Last_Used
cisco              192.168.100.100            1         00:00:49  00:00:29  
csr1kv#show crypto ssl session user cisco

Interface         : SSLVPN-VIF0
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 4.6.03049                                

Username          : cisco                Num Connection : 1                   
Public IP         : 192.168.100.100     
Profile           : sslvpn-profile      
Policy            : sslvpn-policy       
Last-Used         : 00:00:36             Created        : *08:24:52.328 UTC Thu Dec 6 2018
Tunnel IP         : 172.16.1.1           Netmask        : 0.0.0.0             
Rx IP Packets     : 2                    Tx IP Packets  : 28                  
csr1kv#
csr1kv#
csr1kv#
csr1kv#show crypto ssl session user cisco detail 

Interface         : SSLVPN-VIF0
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 4.6.03049                                

Username          : cisco                Num Connection : 1                   
Public IP         : 192.168.100.100     
Profile           : sslvpn-profile      
Policy            : sslvpn-policy       
Last-Used         : 00:00:00             Created        : *08:24:52.328 UTC Thu Dec 6 2018
Session Timeout   : 43200                Idle Timeout   : 1800                
DNS primary       : 10.1.1.100           WINS primary   : None                
DNS secondary     : None                 WINS secondary : None                
IP6 DNS primary   : None
IP6 DNS secondary : None
DPD GW Timeout    : 300                  DPD CL Timeout : 300                 
Address Pool      : sslvpn              
MTU Size          : 1406                
Disconnect Time   : 0                   
Rekey Time        : 3600                
Lease Duration    : 43200                Keepalive      : 30                  
Tunnel IP         : 172.16.1.1           Netmask        : 0.0.0.0             
Rx IP Packets     : 2                    Tx IP Packets  : 34                  
CSTP Started      : 00:01:32             Last-Received  : 00:00:00            
CSTP DPD-Req sent : 0                   
Msie-ProxyServer  : None                
Msie-PxyOption    : Disabled            
Msie-Exception    : None
Split DNS         : None
ACL               : sslvpn-tunnel
Default Domain    : iteachs.com
Client Ports      : 49190 

Detail Session Statistics for User:: cisco
----------------------------------

CSTP Statistics::
Rx CSTP Frames    : 36                 Tx CSTP Frames   : 0                   
Rx CSTP Bytes     : 2537               Tx CSTP Bytes    : 120                 
Rx CSTP Data Fr   : 34                 Tx CSTP Data Fr  : 2                   
Rx CSTP CNTL Fr   : 2                  Tx CSTP CNTL Fr  : 0                   
Rx CSTP DPD Req   : 0                  Tx CSTP DPD Req  : 0                   
Rx CSTP DPD Res   : 0                  Tx CSTP DPD Res  : 0                   
Rx Addr Renew Req : 0                  Tx Address Renew : 0                   
Rx Dropped Frames : 0                  Tx Dropped Frame : 0                   
Rx IP Packets     : 2                  Tx IP Packets    : 34                  
Rx IP Bytes       : 120                Tx IP Bytes      : 2249                
Rx IP6 Packets    : 0                  Tx IP6 Packets   : 0                   
Rx IP6 Bytes      : 0                  Tx IP6 Bytes     : 0                   

CEF Statistics::
Rx CSTP Data Fr   : 0                  Tx CSTP Data Fr  : 0                   
Rx CSTP Bytes     : 0                  Tx CSTP Bytes    : 0                   
csr1kv#
csr1kv#

实验完,转载说明。

发表评论

电子邮件地址不会被公开。 必填项已用*标注

答案 : *
12 − 1 =