Fulltunnel SSL VPN

The following configuration works only on the classic IOS platforms (800, 1900, 2900 and 3900 series).

Router configuration

1. Generate the key pair

crypto key generate rsa label SSLVPN_KEYPAIR modulus 2048

2. Crypto (trustpoint) configuration

crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=<hostname or IP address that clients use to reach the SSL VPN>
 rsakeypair SSLVPN_KEYPAIR

3. Generate the certificate

crypto pki enroll SSLVPN_CERT

% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

4. Configure a username and password

aaa new-model
username xxx privilege 0 password xxx

5. Configure the IP address range assigned to SSL VPN clients after they connect

ip local pool SSLVPN_POOL 192.168.10.1 192.168.10.10

6. Configure the interface

interface Virtual-Template 1
 ip unnumbered <WAN interface>
 ip nat inside --> add this command if clients should reach the Internet through NAT; the ACL used by the NAT configuration must also include the IP range from step 5

7. SSL VPN configuration

webvpn gateway SSLVPN_GATEWAY
 ip address x.x.x.x port 443 --> a different port can also be used
 ssl trustpoint SSLVPN_CERT
 inservice

webvpn context SSL_Context
 gateway SSLVPN_GATEWAY
 policy group SSL_Policy
  functions svc-enabled
  svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
  svc dns-server primary 8.8.8.8
 virtual-template 1
 default-group-policy SSL_Policy
 inservice
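
As an added consistency check (example code written for this page, not part of the original page or of Cisco IOS), the following Python script reads a saved configuration and verifies the cross-references from steps 5 to 7: the trustpoint named by the gateway exists, the pool named by svc address-pool is defined, and the NAT ACL covers the pool range that step 6 warns about. The sample configuration and the ACL name NAT_ACL are constructed for the example.

```python
import ipaddress
import re

# Constructed sample (not from the page): a NAT ACL that omits the SSLVPN_POOL range.
SAMPLE_CONFIG = """\
crypto pki trustpoint SSLVPN_CERT
ip local pool SSLVPN_POOL 192.168.10.1 192.168.10.10
ip access-list extended NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 any
webvpn gateway SSLVPN_GATEWAY
 ssl trustpoint SSLVPN_CERT
webvpn context SSL_Context
 policy group SSL_Policy
  svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace(" permit ip 192.168.1.0 0.0.0.255 any\n",
    " permit ip 192.168.1.0 0.0.0.255 any\n permit ip 192.168.10.0 0.0.0.255 any\n")

def _first(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def acl_sources(cfg, acl):
    """Source networks permitted by a named extended ACL (any, host X, or net wildcard)."""
    body = _first(rf"^ip access-list extended {acl}\n((?: .*\n)*)", cfg) or ""
    nets = []
    for m in re.finditer(r"^ permit ip (any|host \S+|\S+ \S+) ", body, re.M):
        src = m.group(1).split()
        if src[0] == "any":
            src = ["0.0.0.0", "255.255.255.255"]
        elif src[0] == "host":
            src = [src[1], "0.0.0.0"]
        mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(src[1])))  # wildcard -> netmask
        nets.append(ipaddress.ip_network((src[0], str(mask)), strict=False))
    return nets

def check_fulltunnel(cfg, nat_acl):
    """Return a list of problems; an empty list means the references are consistent."""
    problems = []
    tp = _first(r"^ ssl trustpoint (\S+)", cfg)
    if tp and not re.search(rf"^crypto pki trustpoint {tp}$", cfg, re.M):
        problems.append(f"gateway references undefined trustpoint {tp}")
    pool = _first(r'^  svc address-pool "?(\w+)"?', cfg)
    rng = _first(rf"^ip local pool {pool} (\S+ \S+)", cfg) if pool else None
    if not rng:
        return problems + [f"svc address-pool {pool} has no matching ip local pool"]
    for ip in map(ipaddress.ip_address, rng.split()):  # first and last pool address
        if not any(ip in n for n in acl_sources(cfg, nat_acl)):
            problems.append(f"NAT ACL {nat_acl} does not cover pool address {ip}")
    return problems
```

Run it against the output of `show running-config` saved to a file; an empty list means the pool, trustpoint and NAT ACL agree with each other.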

AnyConnect client configuration

Troubleshooting

List all connected clients

sh webvpn session context all

Show detailed information about a specific connected client

sh webvpn session user freepark context all

Unless otherwise stated, the content of this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 License.