wuhao0015
The latest releases no longer support IKEv1 authentication for remote VPN clients, so I looked into connecting the AnyConnect client over IKEv2. This is somewhat harder than the AnyConnect-EAP authentication setup I posted earlier.
Requirements:
1. A CA server (built into IOS)
2. The AnyConnect client for Windows
3. The AnyConnect profile editor for Windows (optional; the XML profile can be edited by hand)
4. An NTP server; time is critical
The topology is the same as in the previous article.
The important parts of the configuration are as follows:
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname csr1kv
!
enable secret 5 $1$sCqH$3EjUmJF.RnihD09/8pjY00
!
aaa new-model
!
!
aaa authentication login ikev2-win local
aaa authorization network ikev2-win local
!
clock timezone Beijing 8 0
!
ip name-server 114.114.114.114
!
crypto pki server ca.iteachs.com
database level names
no database archive
grant auto
# Enable automatic certificate issuance to simplify the workflow
hash sha512
lifetime certificate 3650
lifetime ca-certificate 3650
auto-rollover 365
eku server-auth client-auth
# Required: this EKU is used for both server and client authentication
!
crypto pki trustpoint csr1kv.local
enrollment selfsigned
subject-name cn=csr1kv.local
revocation-check none
rsakeypair csr1kv.local
!
crypto pki trustpoint ca.iteachs.com
revocation-check crl
rsakeypair ca.iteachs.com
!
crypto pki trustpoint csr1kv.iteachs.com
enrollment url http://10.1.1.1:80
ip-address 202.100.1.100
subject-name cn=csr1kv.iteachs.com
revocation-check crl
rsakeypair csr1kv.iteachs.com
auto-enroll regenerate
# Request the certificate automatically
hash sha512
!
!
crypto pki certificate map ikev2-win-cert-map 10
issuer-name eq cn = ca.iteachs.com
# CN of the root certificate
!
crypto pki certificate chain csr1kv.local
certificate self-signed 01
3082052A 30820312 A0030201 02020101 300D06092A864886 F70D0101 05050030
5D4C2FF2 DB7060E5 A7983ED4 2997E88C 9AC0754574D6BBDD 23B24A3A E123AF4B
390B15F1 B966483F 4C7987C4 1E1E
quit
crypto pki certificate chain ca.iteachs.com
certificate ca 01
30820510 308202F8 A0030201 02020101 300D06092A864886 F70D0101 0D050030
F549E40B 49F2D1DE 9480B66A 98EE25EB 9B82AC2E2DB49890 8F37E521 A848FB1E
C120ED30 FFC74359 38204C97 AFFD27DC 268B86C1
quit
crypto pki certificate chain csr1kv.iteachs.com
certificate 02
C1C8CF14 1ECC5C59 583DEE52 8B393B95 2F1A5B7B3C46761E 3D709F10 FFC15BA4
14F5B26C 1C14066A 1163E133 9405F4C7 A82403C7B55F11EA 6F6D13C9 0B22BF4C
55AD7CD0 D8772947 4A110B67 02FEBFF7 6AB2DA28C168
quit
certificate ca 01
BD4B5877 831F215A A143EE0F F20BBD05 EF56872E611623A2 1B5E07B8 A2A03323
F549E40B 49F2D1DE 9480B66A 98EE25EB 9B82AC2E2DB49890 8F37E521 A848FB1E
C120ED30 FFC74359 38204C97 AFFD27DC 268B86C1
quit
# The certificate bodies (self-signed, root CA and identity certificates) are abbreviated here
!
!
username admin privilege 15 password 7 13261E010803247B79777C66
username cisco password 7 05080F1C2243
!
redundancy
!
crypto ikev2 authorization policy ikev2-win-auth-policy
pool win-pool
dns 10.1.1.1
def-domain iteachs.com
route set access-list ikev2-win-acl
!
crypto ikev2 proposal ikev2-win-proposal
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy ikev2-win-policy
proposal ikev2-win-proposal
!
crypto ikev2 profile ikev2-win-profile
match certificate ikev2-win-cert-map
identity local dn
authentication remote rsa-sig # mutual certificate authentication
authentication local rsa-sig # mutual certificate authentication
pki trustpoint csr1kv.iteachs.com
dpd 60 2 on-demand
aaa authorization group cert list ikev2-win ikev2-win-auth-policy
virtual-template 1
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set ikev2-win-trans esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile ikev2-win-profile
set transform-set ikev2-win-trans
set ikev2-profile ikev2-win-profile
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet1
ip address 202.100.1.100 255.255.255.0
negotiation auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ikev2-win-profile
!
ip local pool win-pool 30.1.1.1 30.1.1.100
ip forward-protocol nd
ip http server
# Required by the CA server; must be enabled
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 202.100.1.1
ip ssh version 2
!
ip access-list standard ikev2-win-acl
permit 10.1.1.0 0.0.0.255
!
ntp server ntp3.aliyun.com
ntp server ntp2.aliyun.com
ntp server ntp1.aliyun.com

end

The important part follows: issuing a certificate to the client.
Preparing the client certificate on the router:
crypto key generate rsa general-keys modulus 4096 exportable label user1@iteachs.com

crypto pki trustpoint user1@iteachs.com
enrollment url http://10.1.1.1
serial-number none
fqdn none
ip-address none
subject-name CN=user1@iteachs.com
revocation-check none
rsakeypair user1@iteachs.com
auto-enroll
hash sha512

# At this point IOS issues the user certificate automatically; if it does not, enroll manually as follows.
crypto pki authenticate user1@iteachs.com
crypto pki enroll user1@iteachs.com

# Check the pending certificate requests on the CA server (the server is named ca.iteachs.com above)
do show crypto pki server ca.iteachs.com requests

# Grant the user's request, number 1 here (in this case the certificate had already been issued automatically).
do crypto pki server ca.iteachs.com grant 1

# Export the certificate for the client machine, and keep a backup copy in local flash
crypto pki export user1@iteachs.com pkcs12 tftp://192.168.100.100/user.pfx password
crypto pki export user1@iteachs.com pkcs12 bootflash0:/user.pfx password

# After exporting, remove the user certificate and key from the router; otherwise the client cannot connect
crypto key zeroize rsa user1@iteachs.com

no crypto pki trustpoint user1@iteachs.com

Loading the certificate on the client
Double-click the exported file, enter the export password, and import the certificate with the default options.
The client now has both the personal certificate and the root certificate.
Configuring the client
Because the HTTP server is enabled on IOS, captive portal detection must be turned off in the client profile; otherwise the AnyConnect client reports "webauth required" and the connection fails.
After confirming, save the file under "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\".

The client then connects successfully.
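As an added example (not from the original post), the following Python builds the client profile described above and audits it for the two settings that matter here: IKEv2/IPsec with IKE-RSA certificate authentication, and captive portal detection disabled. The element names are those of the AnyConnect 4.x profile schema as I know them and the host name/address are this setup's; verify the names against what your profile editor writes.

```python
# Added example (not from the original post): builds the AnyConnect profile the article
# edits by hand and audits it for the settings that matter for IKEv2 certificate auth on
# IOS-XE. Element names follow the AnyConnect 4.x profile schema as I know it; verify them.
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"  # default namespace of AnyConnectProfile
def q(tag): return f"{{{NS}}}{tag}"          # qualify a tag name with that namespace

def build_profile(host_name, host_address):
    """One IKEv2/IPsec host entry with mutual certificate auth (IKE-RSA)."""
    ET.register_namespace("", NS)
    root = ET.Element(q("AnyConnectProfile"))
    init = ET.SubElement(root, q("ClientInitialization"))
    # 'ip http server' must stay on for the IOS CA, so AnyConnect would otherwise take
    # the HTTP answer for a captive portal and fail with 'webauth required'.
    ET.SubElement(init, q("DisableCaptivePortalDetection"), UserControllable="false").text = "true"
    host = ET.SubElement(ET.SubElement(root, q("ServerList")), q("HostEntry"))
    ET.SubElement(host, q("HostName")).text = host_name
    ET.SubElement(host, q("HostAddress")).text = host_address
    proto = ET.SubElement(host, q("PrimaryProtocol"))
    proto.text = "IPsec"          # IKEv2/IPsec rather than SSL
    sao = ET.SubElement(proto, q("StandardAuthenticationOnly"))
    sao.text = "true"             # plain IKEv2 authentication, no AnyConnect EAP
    ET.SubElement(sao, q("AuthMethodDuringIKENegotiation")).text = "IKE-RSA"
    return ET.tostring(root, encoding="unicode")

def audit_profile(xml_text):
    """Return findings; an empty list means the profile matches the article's setup."""
    root, findings = ET.fromstring(xml_text), []
    cpd = root.findtext(f"{q('ClientInitialization')}/{q('DisableCaptivePortalDetection')}")
    if (cpd or "").strip().lower() != "true":
        findings.append("captive portal detection on: expect 'webauth required' from an IOS-XE CA")
    for host in root.iter(q("HostEntry")):
        name, proto = host.findtext(q("HostName")), host.find(q("PrimaryProtocol"))
        if proto is None or (proto.text or "").strip() != "IPsec":
            findings.append(f"{name}: PrimaryProtocol is not IPsec, so SSL would be used")
            continue
        method = proto.findtext(f"{q('StandardAuthenticationOnly')}/{q('AuthMethodDuringIKENegotiation')}")
        if (method or "").strip() != "IKE-RSA":
            findings.append(f"{name}: IKE auth method {method!r}, expected IKE-RSA for certificates")
    return findings

# Constructed counter-example: portal detection still on and EAP instead of certificates.
BAD_PROFILE = f"""<AnyConnectProfile xmlns="{NS}"><ClientInitialization>
<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
</ClientInitialization><ServerList><HostEntry><HostName>csr1kv.iteachs.com</HostName>
<HostAddress>202.100.1.100</HostAddress><PrimaryProtocol>IPsec<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly></PrimaryProtocol></HostEntry></ServerList></AnyConnectProfile>"""
```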

Device information:
csr1kv#show version
Cisco IOS XE Software, Version 16.03.07
Cisco IOS Software [Denali], CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.7, RELEASE SOFTWARE (fc4)
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Sat 04-Aug-18 00:29 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

csr1kv uptime is 18 hours, 29 minutes
Uptime for this control processor is 18 hours, 30 minutes
System returned to ROM by reload
System restarted at 15:21:45 Beijing Thu Dec 13 2018
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 1077534K/3075K bytes of memory.
Processor board ID 9KK51W8HWKD
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3019320K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of at webui:.

Configuration register is 0x2102

Checking the PKI and IKEv2 status
csr1kv#show crypto pki server ca.iteachs.com
Certificate Server ca.iteachs.com:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=ca.iteachs.com
CA cert fingerprint: 2B899259 B3633B31 7B4F6EC8 5673CF49
Granting mode is: auto
Last certificate issued serial number (hex): 3
CA certificate expiration timer: 16:06:38 Beijing Dec 10 2028
CRL NextUpdate timer: 10:06:11 Beijing Dec 14 2018
Current primary storage dir: nvram:
Database Level: Names - subject name data written as .cnm
Auto-Rollover configured, overlap period 365 days
Autorollover timer: 16:06:37 Beijing Dec 11 2027
csr1kv#
csr1kv#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=ca.iteachs.com
Subject:
Name: csr1kv
IP Address: 202.100.1.100
hostname=csr1kv+ipaddress=202.100.1.100
cn=csr1kv.iteachs.com
Validity Date:
start date: 16:09:47 Beijing Dec 13 2018
end date: 16:06:38 Beijing Dec 10 2028
Associated Trustpoints: csr1kv.iteachs.com
Storage: nvram:caiteachscom#2.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=ca.iteachs.com
Subject:
cn=ca.iteachs.com
Validity Date:
start date: 16:06:38 Beijing Dec 13 2018
end date: 16:06:38 Beijing Dec 10 2028
Associated Trustpoints: csr1kv.iteachs.com ca.iteachs.com
Storage: nvram:caiteachscom#1CA.cer

Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
hostname=csr1kv
cn=csr1kv.local
Subject:
Name: csr1kv
hostname=csr1kv
cn=csr1kv.local
Validity Date:
start date: 15:54:32 Beijing Dec 13 2018
end date: 08:00:00 Beijing Jan 1 2020
Associated Trustpoints: csr1kv.local
Storage: nvram:csr1kv#1.cer

csr1kv#
csr1kv#show crypto pki certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=ca.iteachs.com
Subject:
Name: csr1kv
IP Address: 202.100.1.100
hostname=csr1kv+ipaddress=202.100.1.100
cn=csr1kv.iteachs.com
Validity Date:
start date: 16:09:47 Beijing Dec 13 2018
end date: 16:06:38 Beijing Dec 10 2028
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Signature Algorithm: SHA512 with RSA Encryption
Fingerprint MD5: EC54CC31 8584913F 5F8C3951 C09A5AD3
Fingerprint SHA1: 1EB1857E C7BCB608 A743BD94 FBD0C395 8F042FFF
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 5ACF0D3F 6996EE9E AC6D842B D725ACA8 98899B29

X509v3 Authority Key ID: 4BB7BF0A F382CCDE A847B5F5 542BC799 132F9089
Authority Info Access:
Extended Key Usage:
Client Auth
Server Auth
Associated Trustpoints: csr1kv.iteachs.com
Storage: nvram:caiteachscom#2.cer
Key Label: csr1kv.iteachs.com
Key storage device: private config

CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=ca.iteachs.com
Subject:
cn=ca.iteachs.com
Validity Date:
start date: 16:06:38 Beijing Dec 13 2018
end date: 16:06:38 Beijing Dec 10 2028
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Signature Algorithm: SHA512 with RSA Encryption
Fingerprint MD5: 2B899259 B3633B31 7B4F6EC8 5673CF49
Fingerprint SHA1: E46666A0 C79B941C 14F51042 184E7C2D 8EE08E0F
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 4BB7BF0A F382CCDE A847B5F5 542BC799 132F9089
X509v3 Basic Constraints:
CA: TRUE

X509v3 Authority Key ID: 4BB7BF0A F382CCDE A847B5F5 542BC799 132F9089
Authority Info Access:
Associated Trustpoints: csr1kv.iteachs.com ca.iteachs.com
Storage: nvram:caiteachscom#1CA.cer

Router Self-Signed Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
hostname=csr1kv
cn=csr1kv.local
Subject:
Name: csr1kv
hostname=csr1kv
cn=csr1kv.local
Validity Date:
start date: 15:54:32 Beijing Dec 13 2018
end date: 08:00:00 Beijing Jan 1 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 3727293A 4A97EC99 D80CE5AD F12CE209
Fingerprint SHA1: 70959153 505DFF3A 3F266712 49EC90E6 D494575D
X509v3 extensions:
X509v3 Subject Key ID: A31844D0 FDDD84F5 7416513B 15475ECC 51BF284F
X509v3 Basic Constraints:
CA: TRUE

X509v3 Authority Key ID: A31844D0 FDDD84F5 7416513B 15475ECC 51BF284F
Authority Info Access:
Associated Trustpoints: csr1kv.local
Storage: nvram:csr1kv#1.cer

csr1kv#
csr1kv#show crypto ikev2 session detailed
IPv4 Crypto IKEv2 Session

Session-id:12, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote fvrf/ivrf Status
1 202.100.1.100/4500 192.168.100.100/53321 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/61 sec
CE id: 1025, Session-id: 12
Status Description: Negotiation done
Local spi: C36E62B63C53AC2F Remote spi: 28A069048829B80A
Local id: hostname=csr1kv+ipaddress=202.100.1.100,cn=csr1kv.iteachs.com
Remote id: cn=user1@iteachs.com
Local req msg id: 0 Remote req msg id: 3
Local next msg id: 0 Remote next msg id: 3
Local req queued: 0 Remote req queued: 3
Local window: 5 Remote window: 1
DPD configured for 60 seconds, retry 2
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is detected outside
Cisco Trust Security SGT is disabled
Assigned host addr: 30.1.1.12
Initiator of SA : No
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 30.1.1.12/0 - 30.1.1.12/65535
ESP spi in/out: 0xDCEA552E/0xBB95F31B
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

IPv6 Crypto IKEv2 Session

csr1kv#
csr1kv#show crypto ipsec sa

interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 202.100.1.100

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (30.1.1.12/255.255.255.255/0/0)
current_peer 192.168.100.100 port 53321
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 88, #pkts decrypt: 88, #pkts verify: 88
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 202.100.1.100, remote crypto endpt.: 192.168.100.100
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xBB95F31B(3147166491)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xDCEA552E(3706344750)
transform: esp-256-aes esp-sha256-hmac,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2023, flow_id: CSR:23, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4607990/3532)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xBB95F31B(3147166491)
transform: esp-256-aes esp-sha256-hmac,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2024, flow_id: CSR:24, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4607999/3532)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
csr1kv#
csr1kv#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 202.100.1.100/4500 192.168.100.100/53321 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/84 sec

IPv6 Crypto IKEv2 SA

csr1kv#
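Added example (not part of the original post): a small Python checker that parses the "show crypto ikev2 session detailed" output above and confirms what the configuration intended, namely mutual RSA certificate authentication with no EAP and a peer identity under the CA's user domain, while flagging the 1024-bit DH group 2 from the proposal as a parameter worth raising. The sample text is constructed from the output above; the user domain and the weak-group list are assumptions.

```python
# Added example (not part of the original post): a checker for the 'show crypto ikev2
# session detailed' output above. It confirms the session negotiated mutual RSA
# certificate authentication without EAP, that the peer identity is a user CN under the
# CA's domain, and it flags weak negotiated parameters. Sample text is constructed from
# the post's output; the domain and the DH-group policy are assumptions.
import re

SAMPLE = """\
Session-id:12, Status:UP-ACTIVE, IKE count:1, CHILD count:1
 Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: RSA, Auth verify: RSA
 Local id: hostname=csr1kv+ipaddress=202.100.1.100,cn=csr1kv.iteachs.com
 Remote id: cn=user1@iteachs.com
 Extended Authentication not configured.
 Assigned host addr: 30.1.1.12
"""

WEAK_DH = {1, 2, 5}   # MODP 768/1024/1536-bit: too small for a new deployment

SA_RE = re.compile(r"Encr: (\S+), keysize: (\d+), PRF: (\S+),\s*Hash: (\S+), "
                   r"DH Grp:(\d+), Auth sign: (\S+), Auth verify: (\S+)")

def parse_session(text):
    """Pull the negotiated IKE SA parameters and identities out of the show output."""
    m = SA_RE.search(text)
    if not m:
        raise ValueError("no IKE SA parameter line found")
    return {
        "encr": m[1], "keysize": int(m[2]), "prf": m[3], "hash": m[4], "dh": int(m[5]),
        "auth_sign": m[6], "auth_verify": m[7],
        "remote_id": re.search(r"Remote id:\s*(\S+)", text)[1],
        # IOS prints this line when no EAP (Extended Authentication) was used
        "eap": "Extended Authentication not configured" not in text,
    }

def check_session(text, user_domain="iteachs.com"):
    """Return findings; empty means mutual-certificate auth as configured, with no weak crypto."""
    sa, findings = parse_session(text), []
    if (sa["auth_sign"], sa["auth_verify"]) != ("RSA", "RSA") or sa["eap"]:
        findings.append("session did not use mutual RSA certificate authentication")
    # Client certs were issued with CN=<user>@iteachs.com, so anything else is suspicious
    if not re.fullmatch(r"cn=[^,@]+@" + re.escape(user_domain), sa["remote_id"]):
        findings.append(f"unexpected peer identity {sa['remote_id']}")
    if sa["dh"] in WEAK_DH:
        findings.append(f"DH group {sa['dh']} is weak; use group 14 or higher in the IKEv2 proposal")
    return findings
```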

When I have time I will look into the IKEv2 connection from the built-in Windows client.

Related links:

[Original] IOS-XE Remote Access Part 1: SSL VPN
[Original] IOS-XE Remote Access Part 2: AnyConnect-EAP
[Original] IOS-XE Remote Access Part 4: DMVPN with OpenWrt
Comments
wuhao0015
One important point that I am putting in the first reply:
1. With HTTP enabled, dialing in triggers a web auth request and the connection fails; the web auth option needs to be disabled in the profile, as already explained in the post.
2. After the device reboots, or before time synchronization, the clock shows a leading * mark, which stops the CA server from starting after a reload and the VPN connection fails. The clock calendar-valid command needs to be added.