[Original] IOS-XE remote access, part 2: AnyConnect-EAP

Posted 2018-12-28 14:24:21
The latest AnyConnect releases no longer support IKEv1 remote-access client authentication, so I looked into connecting the AnyConnect client over IKEv2.
Requirements:
1. At least a self-signed certificate on the router (the router authenticates to the client with RSA signatures; the client authenticates with a username and password over AnyConnect-EAP)
2. The Windows AnyConnect client
3. The Windows AnyConnect profile editor (optional; the XML profile can be edited by hand)

Topology:
csr <-- 202.100.1.0 --> vyos <-- 192.168.100.0 --> win7 (client)

Key configuration (keywords that extraction had run together are separated again, and the inline "#" remarks are translated into "!" comments so the text can be pasted as-is):

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname csr1kv
!
aaa new-model
!
aaa authentication suppress null-username
! The "anyconnect" method lists check the EAP username/password against the local user database
aaa authentication login anyconnect local
aaa authorization network anyconnect local
!
clock timezone Beijing 8 0
!
ip name-server 114.114.114.114
!
! Self-signed trustpoint; revocation checking has to be off because no CRL/OCSP exists for it
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 subject-name cn=csr1kv.local
 revocation-check none
 rsakeypair csr1kv.local
!
crypto pki certificate chain csr1kv.local
 certificate self-signed 01
  A548459E 1997CDA2 98E8E049 F08967C4 101435B9 96A88F0E 69AF3D7C 9DD713C9
  DBCBBCC0 6B63CDAC B4517973 194D8E89 C10AFF3F 9108C84A 6A4427CA AB8234F0
  0A39553D 51046D7C E5030792 2E7E
        quit
! remainder of the self-signed certificate omitted
!
! "secret 5" is a salted MD5 hash; newer IOS-XE also offers "secret 8"/"secret 9" (PBKDF2/scrypt)
username admin privilege 15 secret 5 $1$bVLV$u0lFX9bJ3IFSF7M6R7UFe.
! This is the EAP user the client logs in as ("Remote EAP id: cisco" in the session output).
! "password 7" is a reversible encoding produced by service password-encryption, not a hash,
! so treat this line as cleartext when sharing the config.
username cisco password 7 02050D480809
!
!
! Attributes pushed to the client after authorization: address pool, DNS server, default domain,
! and the routes from access-list anyconnect-tunnel (split tunnel: only 10.1.1.0/24 goes over the VPN)
crypto ikev2 authorization policy anyconnect-auth-policy
 pool anyconnect
 dns 10.1.1.1
 def-domain iteachs.com
 route set access-list anyconnect-tunnel
!
! DH group 2 is 1024-bit MODP; the session output below confirms "DH Grp:2" was negotiated
crypto ikev2 proposal anyconnect-prop
 encryption aes-cbc-256
 integrity sha256
 group 2
!
crypto ikev2 policy anyconnect-policy
 proposal anyconnect-prop
!
crypto ikev2 profile anyconnect-profile
 ! AnyConnect's default IKEv2 identity (key-id)
 match identity remote key-id *$AnyConnectClient$*
 ! Router side: certificate (RSA signature); client side: AnyConnect-EAP username/password
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint csr1kv.local
 ! EAP credentials are verified through the "anyconnect" login method list (local database)
 aaa authentication anyconnect-eap anyconnect
 aaa authorization group anyconnect-eap list anyconnect anyconnect-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 1
!
! Disable IKEv2 hash-and-URL certificate exchange; the certificate is sent inline
no crypto ikev2 http-url cert
!
! "mode transport" without "require" still accepts tunnel mode if the peer asks for it;
! the child SA in the session output below shows "mode tunnel"
crypto ipsec transform-set anyconnect esp-aes 256 esp-sha256-hmac
 mode transport
!
! The profile name is misspelled ("anyconncet") but used consistently, so it works as written
crypto ipsec profile anyconncet-profile
 set transform-set anyconnect
 set ikev2-profile anyconnect-profile
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 202.100.1.100 255.255.255.0
 negotiation auto
!
! A virtual-access interface is cloned from this template for each connected client
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile anyconncet-profile
!
ip local pool anyconnect 20.1.1.1 20.1.1.20
! Unlike SSL VPN, the IKEv2 service does not need the HTTP server, so it stays disabled
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 202.100.1.1
!
ip access-list standard anyconnect-tunnel
 permit 10.1.1.0 0.0.0.255
!
ntp server ntp3.aliyun.com
ntp server ntp2.aliyun.com
ntp server ntp1.aliyun.com
!
end

Client-side configuration (the profile file and screenshots were attached to the post and are not reproduced in this text):
Save the profile XML file under "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\".
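The post does not show the profile itself, so the following is an added example of the kind of AnyConnect client profile this setup needs; it is not the author's file. The host name, gateway address and authentication method are taken from the router configuration above; the element names and the EAP-AnyConnect value follow Cisco's FlexVPN AnyConnect-EAP documentation as I recall it, and the file name csr1kv.xml is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example profile (added here, not the post's attachment). Assumed file name: csr1kv.xml,
     saved under %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- HostName is the label shown in the client drop-down; HostAddress is the router's
           outside address (GigabitEthernet1 in the configuration above) -->
      <HostName>csr1kv.local</HostName>
      <HostAddress>202.100.1.100</HostAddress>
      <!-- Without PrimaryProtocol=IPsec the client tries SSL first, which this router does not
           serve (ip http secure-server is disabled) -->
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <!-- Pairs with "authentication remote anyconnect-eap aggregate" in the IKEv2 profile -->
          <AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
      <!-- Optional: only needed if the router's "match identity remote key-id" is changed away
           from the AnyConnect default *$AnyConnectClient$*; the value here is illustrative -->
      <!-- <IKEIdentity>anyconnect-lab</IKEIdentity> -->
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

One practical caveat with the self-signed setup: the router's certificate has subject cn=csr1kv.local and no subject alternative name for 202.100.1.100, so expect AnyConnect to warn that the server certificate is untrusted and does not match the address it connected to. In a lab the usual fix is to export the router's certificate and import it into the Windows machine's Trusted Root store; for real deployments, use a certificate whose subject/SAN matches the HostAddress.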

Client connected successfully (screenshot not reproduced here):

Device status information:
csr1kv#show version
Cisco IOS XE Software, Version 03.16.06.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 24-Jul-17 20:01 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

csr1kv uptime is 3 hours, 25 minutes
Uptime for this control processor is 3 hours, 26 minutes
System returned to ROM by reload at 11:27:53 Beijing Tue Dec 11 2018
System restarted at 11:30:10 Beijing Tue Dec 11 2018
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 1090317K/6147K bytes of memory.
Processor board ID 9ZMT9E7R1HJ
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3022272K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

Session information. What to read off this output: "Auth sign: RSA, Auth verify: AnyConnect-EAP" confirms that the router authenticated with its certificate and the client with AnyConnect-EAP; "Remote id: *$AnyConnectClient$*" is the key-id matched by the IKEv2 profile, and "Remote EAP id: cisco" is the local user the client logged in as; "Assigned host addr: 20.1.1.1" is the first address of the "anyconnect" pool; "NAT-T is detected outside" shows that a NAT was detected on the path and IKE moved to UDP/4500; "DPD configured for 0 seconds, retry 0" means no dead-peer detection is configured on the router, so a client that silently disappears is only reclaimed when the SA lifetime (86400 s) runs out; and the child SA came up in tunnel mode ("mode tunnel") even though the transform set says "mode transport", because that keyword without "require" allows fallback to tunnel mode.

csr1kv#show crypto ikev2 session detailed
IPv4 Crypto IKEv2 Session

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         202.100.1.100/4500    192.168.100.100/51963 none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: RSA, Auth verify: AnyConnect-EAP
      Life/Active Time: 86400/433 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: C8AA5ECDB65D5892       Remote spi: 66370CA60D7FB98F
      Local id: 202.100.1.100
      Remote id: *$AnyConnectClient$*
      Remote EAP id: cisco
      Local req msg id:  0              Remote req msg id:  20
      Local next msg id: 0              Remote next msg id: 20
      Local req queued:  0              Remote req queued:  20
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is detected outside
      Cisco Trust Security SGT is disabled
      Assigned host addr: 20.1.1.1
      Initiator of SA : No
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 20.1.1.1/0 - 20.1.1.1/65535
          ESP spi in/out: 0xBF1BF059/0x34851FB4
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

IPv6 Crypto IKEv2 Session

csr1kv#
IKEv2 SA information:
csr1kv#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         202.100.1.100/4500    192.168.100.100/51963 none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: RSA, Auth verify: AnyConnect-EAP
      Life/Active Time: 86400/473 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: C8AA5ECDB65D5892       Remote spi: 66370CA60D7FB98F
      Local id: 202.100.1.100
      Remote id: *$AnyConnectClient$*
      Remote EAP id: cisco
      Local req msg id:  0              Remote req msg id:  21
      Local next msg id: 0              Remote next msg id: 21
      Local req queued:  0              Remote req queued:  21
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is detected outside
      Cisco Trust Security SGT is disabled
      Assigned host addr: 20.1.1.1
      Initiator of SA : No

IPv6 Crypto IKEv2 SA

csr1kv#



Related posts:
[Original] IOS-XE remote access, part 1: SSL VPN
[Original] IOS-XE remote access, part 3: AnyConnect certificate authentication
[Original] IOS-XE remote access, part 4: DMVPN with OpenWrt
