Configuring SSL Connections on Cisco IOS-XE

This lab is based on the Cisco CSR1000V virtual router.

hostname csr1kv
aaa new-model
aaa authentication suppress null-username
aaa authentication login sslvpn local
aaa authorization network sslvpn local 
no ip domain lookup
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 subject-name cn=csr1kv.local
 revocation-check none
 rsakeypair csr1kv.local
crypto pki certificate chain csr1kv.local
 certificate self-signed 01
  B84230DF 77267A70 ADBEF775 3791C3CF EF45FF13 637343C9 9589D487 E0F4D050 
  3E1A1CEE CEFCC9F8 168F91A2 D62EE440 A1674943 D20F8EDB DB465130 109147BE 
  99C342C5 921D3DBD 910CBECB 5638
username admin privilege 15 secret 5 $1$bVLV$u0lFX9bJ3IFSF7M6R7UFe.
username cisco password 7 060506324F41
crypto ssl proposal sslvpn-proposal 
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
crypto ssl authorization policy sslvpn-auth-policy 
 pool sslvpn
 route set access-list sslvpn-tunnel
crypto ssl policy sslvpn-policy 
 ssl proposal sslvpn-proposal
 pki trustpoint csr1kv.local sign
 ip address local port 443
crypto ssl profile sslvpn-profile 
 match policy sslvpn-policy 
 aaa authentication user-pass list sslvpn 
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy 
 authentication remote user-pass 
 max-users 100
crypto vpn anyconnect bootflash:/anyconnect-win-4.6.03049-webdeploy-k9.pkg sequence 1
interface Loopback0
 ip address
interface GigabitEthernet1
 ip address
 negotiation auto
ip local pool sslvpn
ip route
ip access-list standard sslvpn-tunnel
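
An offline audit of the configuration above, added here as an example and not part of the original post: it flags the legacy suites in the `crypto ssl proposal`, the type 7 `password` entry, and the self-signed trustpoint, then rebuilds the `protection` line from the suites already listed. The function names and the set of checks are this example's own assumptions, not Cisco tooling.

```python
# Constructed excerpt: the security-relevant lines of the configuration above,
# with the credential hashes replaced by placeholders.
SAMPLE_CONFIG = """\
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 revocation-check none
username admin privilege 15 secret 5 <hash>
username cisco password 7 <encoded>
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
"""

# Substrings of a suite name that mark a legacy primitive (assumed check list).
WEAK_MARKERS = {"rc4": "RC4 stream cipher", "md5": "MD5-based MAC",
                "3des": "3DES, 64-bit block cipher"}

def weak_reasons(suite):
    """Return the reasons a suite name is considered weak (empty if none)."""
    return [why for marker, why in WEAK_MARKERS.items() if marker in suite.lower()]

def audit(config):
    """Walk an IOS-style config and return (kind, detail) findings in order."""
    findings, section = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # unindented line starts a new section
            section = line
        words = line.split()
        if words[0] == "protection" and section.startswith("crypto ssl proposal"):
            for suite in words[1:]:
                findings += [("weak-suite", f"{suite}: {why}") for why in weak_reasons(suite)]
        elif words[0] == "username" and "password" in words[2:]:
            idx = words.index("password", 2)
            if words[idx + 1:idx + 2] == ["7"]:   # type 7 is reversible encoding
                findings.append(("type7-password", f"user {words[1]}: use 'secret' instead"))
        elif line == "enrollment selfsigned":
            findings.append(("self-signed", f"{section}: no CA chain for clients to verify"))
    return findings

def hardened_protection(line):
    """Drop weak suites from a 'protection' line, keeping only listed ones."""
    words = line.split()
    return " ".join([words[0]] + [s for s in words[1:] if not weak_reasons(s)])

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind:15} {detail}")
```
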


csr1kv#show version 
Cisco IOS XE Software, Version 03.16.06.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6, RELEASE SOFTWARE (fc3)
Technical Support:
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 24-Jul-17 20:01 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE


csr1kv uptime is 39 minutes
Uptime for this control processor is 40 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 1090313K/6147K bytes of memory.
Processor board ID 9ZMT9E7R1HJ
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3022272K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

csr1kv#show crypto ssl session 
SSL profile name: sslvpn-profile
Client_Login_Name  Client_IP_Address  No_of_Connections  Created  Last_Used
cisco                1         00:00:49  00:00:29  
csr1kv#show crypto ssl session user cisco

Interface         : SSLVPN-VIF0
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 4.6.03049                                

Username          : cisco                Num Connection : 1                   
Public IP         :     
Profile           : sslvpn-profile      
Policy            : sslvpn-policy       
Last-Used         : 00:00:36             Created        : *08:24:52.328 UTC Thu Dec 6 2018
Tunnel IP         :           Netmask        :             
Rx IP Packets     : 2                    Tx IP Packets  : 28                  
csr1kv#show crypto ssl session user cisco detail 

Interface         : SSLVPN-VIF0
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 4.6.03049                                

Username          : cisco                Num Connection : 1                   
Public IP         :     
Profile           : sslvpn-profile      
Policy            : sslvpn-policy       
Last-Used         : 00:00:00             Created        : *08:24:52.328 UTC Thu Dec 6 2018
Session Timeout   : 43200                Idle Timeout   : 1800                
DNS primary       :           WINS primary   : None                
DNS secondary     : None                 WINS secondary : None                
IP6 DNS primary   : None
IP6 DNS secondary : None
DPD GW Timeout    : 300                  DPD CL Timeout : 300                 
Address Pool      : sslvpn              
MTU Size          : 1406                
Disconnect Time   : 0                   
Rekey Time        : 3600                
Lease Duration    : 43200                Keepalive      : 30                  
Tunnel IP         :           Netmask        :             
Rx IP Packets     : 2                    Tx IP Packets  : 34                  
CSTP Started      : 00:01:32             Last-Received  : 00:00:00            
CSTP DPD-Req sent : 0                   
Msie-ProxyServer  : None                
Msie-PxyOption    : Disabled            
Msie-Exception    : None
Split DNS         : None
ACL               : sslvpn-tunnel
Default Domain    :
Client Ports      : 49190 

Detail Session Statistics for User:: cisco

CSTP Statistics::
Rx CSTP Frames    : 36                 Tx CSTP Frames   : 0                   
Rx CSTP Bytes     : 2537               Tx CSTP Bytes    : 120                 
Rx CSTP Data Fr   : 34                 Tx CSTP Data Fr  : 2                   
Rx CSTP CNTL Fr   : 2                  Tx CSTP CNTL Fr  : 0                   
Rx CSTP DPD Req   : 0                  Tx CSTP DPD Req  : 0                   
Rx CSTP DPD Res   : 0                  Tx CSTP DPD Res  : 0                   
Rx Addr Renew Req : 0                  Tx Address Renew : 0                   
Rx Dropped Frames : 0                  Tx Dropped Frame : 0                   
Rx IP Packets     : 2                  Tx IP Packets    : 34                  
Rx IP Bytes       : 120                Tx IP Bytes      : 2249                
Rx IP6 Packets    : 0                  Tx IP6 Packets   : 0                   
Rx IP6 Bytes      : 0                  Tx IP6 Bytes     : 0                   

CEF Statistics::
Rx CSTP Data Fr   : 0                  Tx CSTP Data Fr  : 0                   
Rx CSTP Bytes     : 0                  Tx CSTP Bytes    : 0                   


