hale
Published on 2024-11-23 / 57 Visits
0
0

Cisco IOS FlexVPN Remote Access(Anyconnect本地认证)

我这里设备的环境有两个,一个是17.6.8a的版本;一个是15.8(3)M8的版本,两个版本都可以正常工作。

1,先处理下设备的证书。

crypto key generate rsa modulus 2048 label nj-home-rsa
#先生成一个RSA的密钥

crypto pki server ca.local
 no database archive
 issuer-name cn=ca.local, ou=iteachs.com
 grant auto
 eku server-auth client-auth
 no shutdown
#配置证书服务器

ip http server
#开启http服务,不然证书服务器无法生效

crypto pki trustpoint acvpn.local
 enrollment url http://192.168.50.254:80
 serial-number
 subject-name cn=acvpn.local, ou=iteachs.com
 subject-alt-name acvpn.local
 revocation-check none
 rsakeypair nj-home-rsa
#创建一个个人证书点

crypto pki authenticate acvpn.local
crypto pki enroll acvpn.local
#进行证书验证和申请

查看证书相关信息

#show crypto key mypubkey rsa 
% Key pair was generated at: 20:59:29 Beijing Nov 17 2024
Key name: nj-home-rsa
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable. Redundancy enabled.
 Key Data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 
  00BA8E31 6BCD6284 06B9CA72 3B6D75CA 2135B2E6 DAC9F031 4E5DD303 9AAD91FF 
  0B8A6E13 5E77B9CD 597A043E 0B1B04BD 07920804 0C54A256 F6F96E24 37F2A016 
  BCFED0DB D1731F5D CE35B5C0 474922B2 73B0DE59 39BE5B88 1A4ED501 27A5D9B8 
  1A3CDBC7 3803EAEB B15C60F3 8860CD09 3BF819DB 34978237 CD131905 129BB633 
  0195B594 5BA2DA28 ECE15B77 A48BF73B 42ADD239 B00CE711 AA93072D 76B4BE73 
  31940FB6 BBE55795 AEA543E7 5C9255FF D1FC182B 44ADEE0A 14A69CDD A491E1B6 
  71AC0511 DA363B84 C9F1DF72 2B403AD8 947A35AA 94B49178 959E21A7 93ABB2DA 
  AA2D65E8 35A02602 67F27196 C25058EA 29382CA0 E7F911AE F2F64B1A BFEC7CB9 
  C7020301 0001
#查看RSA密钥

#show crypto pki certificates acvpn.local
Certificate
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer: 
    cn=ca.local
    ou=iteachs.com
  Subject:
    Name: NJ-Home-C1117.iteachs.com
    Serial Number: FGL2342L2UQ
    serialNumber=FGL2342L2UQ+hostname=NJ-Home-C1117.iteachs.com
    cn=acvpn.local
    ou=iteachs.com
  Validity Date: 
    start date: 10:18:37 Beijing Nov 21 2024
    end   date: 10:18:37 Beijing Nov 21 2025
  Associated Trustpoints: acvpn.local 
  Storage: nvram:calocal#3.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer: 
    cn=ca.local
    ou=iteachs.com
  Subject: 
    cn=ca.local
    ou=iteachs.com
  Validity Date: 
    start date: 15:06:11 Beijing Nov 20 2024
    end   date: 15:06:11 Beijing Nov 20 2027
  Associated Trustpoints: acvpn.local ca.local 
  Storage: nvram:calocal#1CA.cer
#查看个人证书

2,处理下acvpn.xml的anyconnect profile文件,注意该文件名称必须是acvpn.xml

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>All</CertificateStore>
		<CertificateStoreMac>All</CertificateStoreMac>
		<CertificateStoreOverride>false</CertificateStoreOverride>
		<ProxySettings>Native</ProxySettings>
		<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
		<AuthenticationTimeout>12</AuthenticationTimeout>
		<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
		<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
		<LocalLanAccess UserControllable="true">false</LocalLanAccess>
		<DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
		<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
		<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
		<AutoReconnect UserControllable="false">true
            <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
		</AutoReconnect>
		<AutoUpdate UserControllable="false">true</AutoUpdate>
		<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
		<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
		<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
		<PPPExclusion UserControllable="false">Disable
            <PPPExclusionServerIP UserControllable="false"/>
		</PPPExclusion>
		<EnableScripting UserControllable="false">false</EnableScripting>
		<EnableAutomaticServerSelection UserControllable="false">false
            <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
		</EnableAutomaticServerSelection>
		<RetainVpnOnLogoff>false
        </RetainVpnOnLogoff>
		<AllowManualHostInput>true</AllowManualHostInput>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>VPN IOS-XE</HostName>
			<HostAddress>vpn.example.com</HostAddress>
			<PrimaryProtocol>IPsec
                <StandardAuthenticationOnly>true
                    <AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
				</StandardAuthenticationOnly>
			</PrimaryProtocol>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

更改<HostName>VPN IOS-XE</HostName><HostAddress>vpn.example.com</HostAddress>为自己的内容,然后将文件另存为acvpn.xml,并将其放置在C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile目录中。将该文件上传一份到路由器的flash中。

针对16.9之前的设备拨号,需要将BypassDownloader选项设置为true,例如:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap/encoding/ AnyConnectLocalPolicy.xsd" acversion="4.6.03049">
	<BypassDownloader>true</BypassDownloader>
	<EnableCRLCheck>false</EnableCRLCheck>
	<ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
	<ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>
	<ExcludePemFileCertStore>false</ExcludePemFileCertStore>
	<ExcludeWinNativeCertStore>false</ExcludeWinNativeCertStore>
	<FipsMode>false</FipsMode>
	<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
	<RestrictTunnelProtocols>false</RestrictTunnelProtocols>
	<RestrictWebLaunch>false</RestrictWebLaunch>
	<StrictCertificateTrust>false</StrictCertificateTrust>
	<UpdatePolicy>
		<AllowComplianceModuleUpdatesFromAnyServer>true</AllowComplianceModuleUpdatesFromAnyServer>
		<AllowISEProfileUpdatesFromAnyServer>true</AllowISEProfileUpdatesFromAnyServer>
		<AllowServiceProfileUpdatesFromAnyServer>true</AllowServiceProfileUpdatesFromAnyServer>
		<AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
		<AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer>
	</UpdatePolicy>
</AnyConnectLocalPolicy>

该配置文件的位置在:

For Windows:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml

For MAC OS:

/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml

3,进行路由器的相关配置


aaa new-model
aaa authentication login acvpn-aaa-authen local
aaa authorization network acvpn-aaa-author local 
username acvpn privilege 0 secret 9 $9$8BdJ39e86YA6/.$ETr4dZxCkZ5oAG25d3MneCLnjpUxhVU9RPQDQsLzFvA
#配置AAA的登录认证和授权策略,配置acvpn登录的本地用户名

crypto ikev2 authorization policy acvpn-ikev2-auth-policy 
 pool acvpn-ipv4-pool
 def-domain iteachs.com
 route set remote ipv4 192.168.0.0 255.255.0.0
#配置授权策略,包括IP地址,域名及远程授权的路由

crypto ikev2 proposal acvpn-ikev2-proposal 
 encryption aes-cbc-256
 integrity sha256
 group 15 19
crypto ikev2 policy acvpn-ikev2-policy 
 proposal acvpn-ikev2-proposal
#配置第一阶段策略

crypto ikev2 profile acvpn-ikev2-profile
 match identity remote key-id *$AnyConnectClient$*
#anyconnect客户端的默认key-id为*$AnyConnectClient$*,可以在xml文件中进行自定义
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint acvpn.local
 aaa authentication anyconnect-eap acvpn-aaa-authen
 aaa authorization group anyconnect-eap list acvpn-aaa-author acvpn-ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 10
 anyconnect profile acvpn
#15.8版本设备无法配置该命令
#配置acvpn的认证和授权策略

crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
#配置acvpn的对应的位置

crypto ipsec transform-set acvpn-ts esp-aes 256 esp-sha256-hmac 
 mode transport
#配置第二阶段策略

crypto ipsec profile acvpn-profile
 set transform-set acvpn-ts 
 set ikev2-profile acvpn-ikev2-profile
#配置IPsec的profile

interface Virtual-Template10 type tunnel
 description To:ACVPN-Client
 ip unnumbered Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile acvpn-profile
#配置虚拟模板接口,并调用ipsec profile

ip local pool acvpn-ipv4-pool 192.168.51.1 192.168.51.100

4,远程连接测试。

使用anyconnect拨号进行测试。

设备相关信息查看

#show crypto ikev2 sa 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
2         222.94.190.163/4500   192.168.50.18/53784   none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: AnyConnect-EAP
      Life/Active Time: 86400/91 sec

 IPv6 Crypto IKEv2  SA 
#查看sa的状态

#show crypto ikev2 session detailed 
 IPv4 Crypto IKEv2 Session 

Session-id:15, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
2         222.94.190.163/4500   192.168.50.18/53784   none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: AnyConnect-EAP
      Life/Active Time: 86400/100 sec
      CE id: 1038, Session-id: 15
      Status Description: Negotiation done
      Local spi: 75EF525E1AF0BC29       Remote spi: FCA0C4EDDFF11E9C
      Local id: 222.94.190.163
      Remote id: *$AnyConnectClient$*
      Remote EAP id: acvpn
      Local req msg id:  0              Remote req msg id:  9         
      Local next msg id: 0              Remote next msg id: 9         
      Local req queued:  0              Remote req queued:  9         
      Local window:      5              Remote window:      1         
      DPD configured for 0 seconds, retry 0
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is detected  outside
      Cisco Trust Security SGT is disabled
      Assigned host addr: 192.168.51.17
      Initiator of SA : No
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 192.168.51.17/0 - 192.168.51.17/65535
          ESP spi in/out: 0x8E74BBA3/0xF9233843  
          AH spi in/out: 0x0/0x0  
          CPI in/out: 0x0/0x0  
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

 IPv6 Crypto IKEv2 Session 
#查看session的状态

至此操作完成。

相关参考连接:https://www.cisco.com/c/zh_cn/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html


Comment