wuhao0015
The latest releases no longer support IKEv1 authentication for the remote-access VPN client, so I looked into connecting the AnyConnect client over IKEv2.
Requirements:
1. At least a self-signed certificate
2. The AnyConnect client for Windows
3. The AnyConnect profile editor for Windows (optional; the XML file can be edited by hand)
Topology:
csr <--202.100.1.0--> vyos <---192.168.100.0---> win7 (client)
The key configuration is as follows:
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname csr1kv
!
aaa new-model
!
!
aaa authentication suppress null-username
aaa authentication login anyconnect local
aaa authorization network anyconnect local
!
clock timezone Beijing 8 0
!
ip name-server 114.114.114.114
!
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 subject-name cn=csr1kv.local
 revocation-check none
 rsakeypair csr1kv.local
!
crypto pki certificate chain csr1kv.local
 certificate self-signed 01
  A548459E 1997CDA2 98E8E049 F08967C4 101435B9 96A88F0E 69AF3D7C 9DD713C9
  DBCBBCC0 6B63CDAC B4517973 194D8E89 C10AFF3F 9108C84A 6A4427CA AB8234F0
  0A39553D 51046D7C E5030792 2E7E
  quit
! the rest of the self-signed certificate body is omitted
!
username admin privilege 15 secret 5 $1$bVLV$u0lFX9bJ3IFSF7M6R7UFe.
username cisco password 7 02050D480809
!
!
crypto ikev2 authorization policy anyconnect-auth-policy
 pool anyconnect
 dns 10.1.1.1
 def-domain iteachs.com
 route set access-list anyconnect-tunnel
!
crypto ikev2 proposal anyconnect-prop
 encryption aes-cbc-256
 integrity sha256
 group 2
!
crypto ikev2 policy anyconnect-policy
 proposal anyconnect-prop
!
crypto ikev2 profile anyconnect-profile
 ! match on the AnyConnect client's default key-id
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint csr1kv.local
 ! authenticate the user with anyconnect-eap against the "anyconnect" login list
 aaa authentication anyconnect-eap anyconnect
 aaa authorization group anyconnect-eap list anyconnect anyconnect-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 1
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set anyconnect esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile anyconncet-profile
 set transform-set anyconnect
 set ikev2-profile anyconnect-profile
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 202.100.1.100 255.255.255.0
 negotiation auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile anyconncet-profile
!
ip local pool anyconnect 20.1.1.1 20.1.1.20
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 202.100.1.1
!
ip access-list standard anyconnect-tunnel
 permit 10.1.1.0 0.0.0.255
!
ntp server ntp3.aliyun.com
ntp server ntp2.aliyun.com
ntp server ntp1.aliyun.com
!
end
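As an added example (not part of the original post), a small Python audit that reads an IOS-style configuration like the one above and flags the settings a reviewer would question: the type 7 password on the `cisco` user, DH group 2 in the IKEv2 proposal, and disabled revocation checking (expected for a self-signed trustpoint, but worth revisiting once a CA issues the certificate). The embedded excerpt is constructed from the configuration on this page.

```python
import re

# Constructed excerpt of the CSR1000v config from this post (not the full running-config).
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$bVLV$u0lFX9bJ3IFSF7M6R7UFe.
username cisco password 7 02050D480809
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 revocation-check none
crypto ikev2 proposal anyconnect-prop
 encryption aes-cbc-256
 integrity sha256
 group 2
crypto ipsec transform-set anyconnect esp-aes 256 esp-sha256-hmac
"""

# MODP-768/1024/1536: too small for new deployments; prefer group 14 or the ECP groups 19/20.
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_sections(text):
    """Group indented sub-commands under their top-level command, IOS style."""
    sections, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            sections.append(current)
    return sections


def audit(text):
    """Return (severity, message) findings for the given config text."""
    findings = []
    for head, subs in parse_sections(text):
        if head.startswith("username ") and " password 7 " in head:
            findings.append(("high", f"{head.split()[1]}: type 7 password is reversible; use 'secret'"))
        if head.startswith("crypto pki trustpoint") and "revocation-check none" in subs:
            findings.append(("low", f"{head}: revocation checking disabled (fine for self-signed only)"))
        if head.startswith("crypto ikev2 proposal"):
            for sub in subs:
                m = re.match(r"group\s+(.+)", sub)
                if m:
                    weak = sorted(set(m.group(1).split()) & WEAK_DH_GROUPS)
                    if weak:
                        findings.append(("medium", f"{head}: weak DH group(s) {weak}; prefer 14 or 19/20"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(severity.upper(), message)
```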

The client-side configuration follows:
(screenshots of the AnyConnect profile settings, not reproduced)
Save the file to "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\".

The client connects successfully:
(screenshots of the connected client, not reproduced)

Device status information follows:
csr1kv#show version
Cisco IOS XE Software, Version 03.16.06.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 24-Jul-17 20:01 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

csr1kv uptime is 3 hours, 25 minutes
Uptime for this control processor is 3 hours, 26 minutes
System returned to ROM by reload at 11:27:53 Beijing Tue Dec 11 2018
System restarted at 11:30:10 Beijing Tue Dec 11 2018
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 1090317K/6147K bytes of memory.
Processor board ID 9ZMT9E7R1HJ
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3022272K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

Session information:

csr1kv#show crypto ikev2 session detailed
 IPv4 Crypto IKEv2 Session

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                   fvrf/ivrf   Status
1         202.100.1.100/4500    192.168.100.100/51963    none/none   READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: RSA, Auth verify: AnyConnect-EAP
      Life/Active Time: 86400/433 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: C8AA5ECDB65D5892       Remote spi: 66370CA60D7FB98F
      Local id: 202.100.1.100
      Remote id: *$AnyConnectClient$*
      Remote EAP id: cisco
      Local req msg id:  0              Remote req msg id:  20
      Local next msg id: 0              Remote next msg id: 20
      Local req queued:  0              Remote req queued:  20
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is detected outside
      Cisco Trust Security SGT is disabled
      Assigned host addr: 20.1.1.1
      Initiator of SA : No
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 20.1.1.1/0 - 20.1.1.1/65535
          ESP spi in/out: 0xBF1BF059/0x34851FB4
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

IPv6 Crypto IKEv2 Session

csr1kv#
IKEv2 SA information:
csr1kv#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                   fvrf/ivrf   Status
1         202.100.1.100/4500    192.168.100.100/51963    none/none   READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: RSA, Auth verify: AnyConnect-EAP
Life/Active Time: 86400/473 sec
CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: C8AA5ECDB65D5892 Remote spi: 66370CA60D7FB98F
Local id: 202.100.1.100
Remote id: *$AnyConnectClient$*
Remote EAP id: cisco
Local req msg id: 0 Remote req msg id: 21
Local next msg id: 0 Remote next msg id: 21
Local req queued: 0 Remote req queued: 21
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is detected outside
Cisco Trust Security SGT is disabled
Assigned host addr: 20.1.1.1
Initiator of SA : No

IPv6 Crypto IKEv2 SA

csr1kv#

Related links:

[Original] IOS-XE remote access, part 1: SSL VPN
[Original] IOS-XE remote access, part 3: AnyConnect certificate authentication
[Original] IOS-XE remote access, part 4: DMVPN with OpenWrt