I need to implement two types of AnyConnect. The first must be IPsec-based, with AAA user authentication and certificate-based authentication in the tunnel (IKEv2). The second must be SSL (tunnel mode), with certificate-based user authentication (user and machine certificates) and certificate-based authentication in the tunnel (IKEv2). The certificates can be self-signed. Can anyone paste a CLI configuration for me, or point me to some manual that covers my requirements?
AnyConnect sample configuration
Network Engineering
cisco-anyconnect
2022-02-24 01:35:40
1 answer
Please find in the configuration below both cases of AnyConnect over IKEv2 to the ASA with AAA and certificate authentication:
Configuration on the ASA
This section describes the ASA configuration that is required before the connection occurs.
Note: The Cisco Adaptive Security Device Manager (ASDM) lets you create a basic configuration with only a few clicks. Cisco recommends that you use it in order to avoid errors.
Crypto Map Configuration
This is a crypto map example configuration:
crypto dynamic-map DYN 1 set pfs group1
crypto dynamic-map DYN 1 set ikev2 ipsec-proposal secure
crypto dynamic-map DYN 1 set reverse-route
crypto map STATIC 65535 ipsec-isakmp dynamic DYN
crypto map STATIC interface outside
IPsec Proposal
This is an IPsec proposal example configuration:
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption aes 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
IKEv2 Policy
This is an IKEv2 policy example configuration:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
Client Services and Certificate
You must enable client services and a certificate on the correct interface, which in this case is the outside interface. This is an example configuration:
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint OUTSIDE
ssl trust-point OUTSIDE outside
Note: The same trustpoint is also assigned to Secure Sockets Layer (SSL), which is expected and required.
Enable the AnyConnect Profile
You must enable the AnyConnect profile on the ASA. This is an example configuration:
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1 regex "Windows NT"
 anyconnect profiles Anyconnect disk0:/anyconnect.xml
 anyconnect enable
 tunnel-group-list enable
Username, Group-Policy, and Tunnel-Group
Here is an example configuration for a basic username, group-policy, and tunnel-group on the ASA:
group-policy GroupPolicy_AC internal
group-policy GroupPolicy_AC attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value cisco.com
 webvpn
  anyconnect profiles value Anyconnect type user
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group AC type remote-access
tunnel-group AC general-attributes
 address-pool VPN-POOL
 default-group-policy GroupPolicy_AC
tunnel-group AC webvpn-attributes
 authentication aaa certificate
 group-alias AC enable
 group-url https://bsns-asa5520-1.cisco.com/AC enable
 without-csd
AnyConnect Profile
This is an example profile, with the relevant parts shown in bold:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="true">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>bsns-asa5520-1</HostName>
      <HostAddress>bsns-asa5520-1.cisco.com</HostAddress>
      <UserGroup>AC</UserGroup>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
Here are some important notes about this configuration example:
- When you create the profile, the HostAddress must match the certificate name (CN) on the certificate that is used for IKEv2. Enter the crypto ikev2 remote-access trustpoint command in order to define it.
- The UserGroup must match the name of the tunnel-group to which the IKEv2 connection belongs. If they do not match, the connection often fails, and the debugs indicate a Diffie-Hellman (DH) group mismatch or a similar false negative.
Verification on the ASA
Enter this command on the ASA in order to verify that the connection uses IKEv2 as well as AAA and certificate authentication:
bsns-asa5520-1# show vpn-sessiondb detail anyconnect filter name cisco

Session Type: AnyConnect Detailed

Username     : cisco                  Index        : 6
Assigned IP  : 172.16.99.5            Public IP    : 1.2.3.4
Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
License      : AnyConnect Premium
Encryption   : AES256 AES128          Hashing      : none SHA1 SHA1
Bytes Tx     : 0                      Bytes Rx     : 960
Pkts Tx      : 0                      Pkts Rx      : 10
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : GroupPolicy_AC         Tunnel Group : AC
Login Time   : 15:45:41 UTC Tue Aug 28 2012
Duration     : 0h:02m:41s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKEv2 Tunnels: 1
IPsecOverNatT Tunnels: 1
AnyConnect-Parent Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 6.1
  Public IP    : 1.2.3.4
  Encryption   : none                   Auth Mode    : Certificate and userPassword
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes
  Client Type  : AnyConnect
  Client Ver   : 3.0.08057

IKEv2:
  Tunnel ID    : 6.2
  UDP Src Port : 60468                  UDP Dst Port : 4500
  Rem Auth Mode: Certificate and userPassword
  Loc Auth Mode: rsaCertificate
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86238 Seconds
  PRF          : SHA1                   D/H Group    : 5
  Filter Name  :
  Client OS    : Windows

IPsecOverNatT:
  Tunnel ID    : 6.3
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 172.16.99.5/255.255.255.255/0/0
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28638 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 960
  Pkts Tx      : 0                      Pkts Rx      : 10
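As an added example (not part of the answer above or of Cisco's documentation), the Python script below cross-checks the profile's ServerList against the ASA lines from the answer: it applies the two consistency rules from the notes (UserGroup must be an existing tunnel-group; for an IPsec entry, HostAddress must equal the IKEv2 trustpoint certificate CN) and also lists the DES/3DES ciphers and DH groups 1, 2 and 5 that the sample IKEv2 policies still accept. Because no certificate appears on the page, the expected CN is passed in as a parameter, and both sample inputs are constructed subsets of the answer's configuration.

```python
import re
import xml.etree.ElementTree as ET
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
WEAK_ENC, WEAK_DH = {"des", "3des"}, {"1", "2", "5"}  # legacy ciphers, MODP < 2048 bits
# Constructed sample: the relevant ASA lines, re-typed from the answer above.
ASA_CONFIG = """
crypto ikev2 policy 1
 encryption aes-256
 group 5 2
crypto ikev2 policy 40
 encryption des
 group 5 2
tunnel-group AC type remote-access
"""
# Constructed sample: just the ServerList part of the profile from the answer.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
 <ServerList><HostEntry>
  <HostAddress>bsns-asa5520-1.cisco.com</HostAddress>
  <UserGroup>AC</UserGroup><PrimaryProtocol>IPsec</PrimaryProtocol>
 </HostEntry></ServerList></AnyConnectProfile>"""

def parse_asa(config):
    """Return (tunnel-group names, {policy number: {keyword: set(values)}})."""
    groups, policies, cur = set(), {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"tunnel-group (\S+) type", line):
            groups.add(m.group(1))
        elif m := re.match(r"crypto ikev2 policy (\d+)", line):
            cur = policies.setdefault(m.group(1), {})
        elif cur is not None and (m := re.match(r"(encryption|group) (.+)", line)):
            cur[m.group(1)] = set(m.group(2).split())
    return groups, policies

def audit(profile_xml, config, cert_cn):
    """Return findings; an empty list means profile, ASA and certificate agree."""
    groups, policies = parse_asa(config)
    findings = []
    for e in ET.fromstring(profile_xml).findall(".//ac:HostEntry", NS):
        addr = e.findtext("ac:HostAddress", "", NS)
        grp = e.findtext("ac:UserGroup", "", NS)
        if grp not in groups:  # the "DH group mismatch" false negative from the notes
            findings.append(f"UserGroup {grp} has no tunnel-group on the ASA")
        if e.findtext("ac:PrimaryProtocol", "", NS) == "IPsec" and addr != cert_cn:
            findings.append(f"HostAddress {addr} differs from IKEv2 trustpoint CN {cert_cn}")
    for num, pol in policies.items():
        for kw, weak in (("encryption", WEAK_ENC), ("group", WEAK_DH)):
            for v in sorted(pol.get(kw, set()) & weak):
                findings.append(f"ikev2 policy {num} allows legacy {kw} {v}")
    return findings
```

Running `audit(PROFILE_XML, ASA_CONFIG, "bsns-asa5520-1.cisco.com")` against the sample yields no profile mismatch but five legacy-algorithm findings, since even policy 1 still offers DH group 2 and policy 40 offers DES.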