Configuring SSL VPN on a Cisco 7200

SSL VPN is the simplest and most secure technology for giving remote users access to sensitive company data. Compared with the complex IPSec VPN, SSL achieves remote connectivity with a simple, easy-to-use method. Any machine with a browser can use SSL VPN, because SSL is built into the browser; unlike a traditional IPSec VPN, there is no need to install client software on every client machine.
I. Network Topology
Routers ×2 (7200)
PC ×1 (Windows XP)
II. SSL VPN Server Configuration
1. Format disk0
(ITCHENYI)R1#format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:".  Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
...............................................................................................................
Monlib write complete 
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 8003
Format: Total bytes in formatted partition: 4097536
Format: Operation completed successfully.
Format of disk0 complete
2. Upload the software
(ITCHENYI)R1#copy tftp disk0:
Address or name of remote host []? 192.168.1.100
Source filename []? sslclient-win-1.1.3.173.pkg
Destination filename [sslclient-win-1.1.3.173.pkg]? 
Accessing tftp://192.168.1.100/sslclient-win-1.1.3.173.pkg...
Loading sslclient-win-1.1.3.173.pkg from 192.168.1.100 (via FastEthernet1/0): !!
[OK - 416354 bytes]
416354 bytes copied in 12.288 secs (33883 bytes/sec)
3. Install the client software
(ITCHENYI)R1(config)#WEB*** install svc disk0:/sslclient-win-1.1.3.173.pkg
SSL*** Package SSL-***-Client : installed successfully
4. Configure SSL VPN
(ITCHENYI)R1(config)#aaa new-model
(ITCHENYI)R1(config)#aaa authentication login default local   # prevents being unable to reach Exec after a console timeout
(ITCHENYI)R1(config)#aaa authentication login WEB*** local
(ITCHENYI)R1(config)#ip local pool ssl-add 11.1.1.10 11.1.1.20
(ITCHENYI)R1(config)#username itchenyi password 123     # define the WebVPN local authentication username and password
(ITCHENYI)R1(config)#web*** gateway ***gateway     # define the interface on which WebVPN listens; at this point IOS automatically generates a self-signed certificate
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
 
(ITCHENYI)R1(config-web***-gateway)#ip address 192.168.1.1 port 443
(ITCHENYI)R1(config-web***-gateway)#inservice       # enable the webvpn gateway
(ITCHENYI)R1(config-web***-gateway)#web*** context webcontext                 # define the WebVPN context, the equivalent of an ASA tunnel-group; here you can define
(ITCHENYI)R1(config-web***-context)#gateway ***gateway      # associate the context with the gateway
(ITCHENYI)R1(config-web***-context)#aaa authentication list web***
(ITCHENYI)R1(config-web***-context)#inservice            # enable the webvpn context
(ITCHENYI)R1(config-web***-context)#policy group ssl***-policy         # enter the SSL VPN policy group
(ITCHENYI)R1(config-web***-group)#functions svc-enabled
(ITCHENYI)R1(config-web***-group)#svc address-pool ssl-add              # assign the address pool used by SVC clients
(ITCHENYI)R1(config-web***-group)#svc split include 192.168.10.0 255.255.255.0    # define the split-tunnel destination network; if not configured, the default is 0.0.0.0 (all traffic)
(ITCHENYI)R1(config-web***-group)#exit
(ITCHENYI)R1(config-web***-context)#default-group-policy ssl***-policy    # the policy group used by default when several policy groups are configured
Note: in IOS, if the address pool is not in the same subnet as the internal network, you must create a loopback interface in the same subnet as the address pool to act as the VPN clients' gateway; otherwise a gateway-indication error is reported. You can also specify a virtual-host in the context, similar to a host header in IIS, which allows several hostnames to map to the same IP address. The context can also set the appearance of the web login page, such as the logo and title.
5. Complete running configuration of R1 (show running-config)
(ITCHENYI)R1(config)#do sh running-config
Building configuration...
Current configuration : 3081 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (ITCHENYI)R1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login WEB*** local
!
!
aaa session-id common
ip cef
!         
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4294967295
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4294967295
 revocation-check none
 rsakeypair TP-self-signed-4294967295
!
!
crypto pki certificate chain TP-self-signed-4294967295
 certificate self-signed 01
  30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34323934 39363732 3935301E 170D3133 30323035 31363133 
  33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32393439 
  36373239 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100BB9A 57431585 6D67AD94 FA6358DE 4606BC8F B7C67AB2 340703CF DA2F49E7 
  F54EDD5C CCC0EC0F 51493327 60C729E6 E17B273A E3925F83 764206BD 4B9AB34D 
  FC6BA0FF 5BD230A9 E3360762 825CBB45 20B3D5A1 F8BD0EB9 BCC0BBCD D0DE12D3 
  6250153F F329BFE2 1B08A503 92AF03AE EDD0E053 29167A6B 8B317A66 A8DEC310 
  1A010203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603 
  551D1104 10300E82 0C284954 4348454E 59492952 31301F06 03551D23 04183016 
  8014CB86 7372F704 9AC3C428 9A1AAB40 68E4C215 D350301D 0603551D 0E041604 
  14CB8673 72F7049A C3C4289A 1AAB4068 E4C215D3 50300D06 092A8648 86F70D01 
  01040500 03818100 88363A3C EB6C6E32 FFE99E22 3F34FCB5 99699649 A5075A8D 
  ABE0BABE 6562B9E4 ACFE180D A6108344 7003F056 26366C81 B616EA6B DB388E54 
  56DF4E84 F99E03F9 F527774F 88AB9998 A11DE569 80383DD3 62919DED 29757760 
  BB3129F4 BC6E54D2 40393BB3 28570654 C0A46360 B6F6373B 032AF538 D9A9CC4C 
  45FD6879 1F35E6CA
  quit
username itchenyi password 0 123
!
! 
!
!
!
!
!
interface Loopback0
 ip address 11.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 202.103.24.68 255.255.255.0
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 duplex half
!
ip local pool ssl-add 11.1.1.10 11.1.1.20
ip route 192.168.2.0 255.255.255.0 202.103.24.69
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
web*** gateway ***gateway
 ip address 192.168.1.1 port 443
 ssl trustpoint TP-self-signed-4294967295
 inservice
 !
web*** install svc disk0:/web***/svc.pkg
 !
web*** context webcontext
 ssl authenticate verify all
 !
 !
 policy group ssl***-policy
   functions svc-enabled
   svc address-pool "ssl-add"
   svc split include 192.168.10.0 255.255.255.0
 default-group-policy ssl***-policy
 gateway ***gateway
 inservice
!
!
end
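The note under step 4 gives a rule that is easy to get wrong when the pool is changed later: the SVC address pool must sit inside the subnet of a loopback interface, and must not overlap a real interface subnet. The running-config above also shows `no service password-encryption` together with a type-0 password (`username itchenyi password 0 123`), so the credential is stored in clear text. The following is an added example, not part of the original post or of IOS: a small audit over an excerpt of R1's config (the sample text is constructed from the lines shown above; the function names and regular expressions are my own) that checks both conditions.

```python
import ipaddress
import re

# Sample input constructed from the relevant lines of R1's running-config above.
R1_CONFIG = """\
no service password-encryption
aaa authentication login default local
aaa authentication login WEB*** local
username itchenyi password 0 123
interface Loopback0
 ip address 11.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 202.103.24.68 255.255.255.0
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
ip local pool ssl-add 11.1.1.10 11.1.1.20
web*** gateway ***gateway
 ip address 192.168.1.1 port 443
 inservice
web*** context webcontext
 policy group ssl***-policy
   svc address-pool "ssl-add"
   svc split include 192.168.10.0 255.255.255.0
 default-group-policy ssl***-policy
 inservice
"""

def interface_networks(config):
    """Map interface name -> IPv4Network from 'interface X' blocks and their ' ip address A MASK' lines."""
    nets, current = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():                  # any top-level command ends the interface block
            m = re.match(r"interface (\S+)$", line)
            current = m.group(1) if m else None
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)    # exactly two tokens: skips 'ip address X port 443'
        if m and current:
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def local_pools(config):
    """Map pool name -> (first, last) address from 'ip local pool NAME FIRST LAST'."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}

def audit_sslvpn_config(config):
    """Return findings for the loopback/pool rule from step 4 and for clear-text credential storage."""
    findings, nets = [], interface_networks(config)
    loopbacks = {n: net for n, net in nets.items() if n.startswith("Loopback")}
    for name, (first, last) in local_pools(config).items():
        # Rule from the note: the whole pool range must lie inside a loopback's subnet.
        if not any(first in net and last in net for net in loopbacks.values()):
            findings.append(f"pool {name} ({first}-{last}) has no Loopback in its subnet (gateway error)")
        # A pool inside a physical interface's subnet would hand out addresses that collide with real hosts.
        for iface, net in nets.items():
            if iface not in loopbacks and (first in net or last in net):
                findings.append(f"pool {name} overlaps {iface} ({net}): clients would collide with real hosts")
    if re.search(r"^no service password-encryption$", config, re.M):
        findings.append("service password-encryption is off: type-0 passwords are shown in clear in show run")
    for m in re.finditer(r"^username (\S+) password 0 ", config, re.M):
        findings.append(f"user {m.group(1)} uses a type-0 (clear-text) password; prefer 'username ... secret'")
    return findings

if __name__ == "__main__":
    for finding in audit_sslvpn_config(R1_CONFIG):
        print(finding)
```

Run against the excerpt, the pool check passes (11.1.1.10-11.1.1.20 lies inside Loopback0's 11.1.1.0/24 and touches no physical interface), and the two credential findings fire. Moving the pool to a subnet with no loopback, or into the 192.168.1.0/24 LAN, reproduces the gateway error the note warns about.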
6. Complete running configuration of R2 (show running-config)
(ITCHENYI)R2(config)#do sh running-config
Building configuration...
Current configuration : 773 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname (ITCHENYI)R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!         
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
!
!
!
!
interface FastEthernet0/0
 ip address 202.103.24.69 255.255.255.0
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.0
 duplex half
!
ip route 192.168.1.0 255.255.255.0 202.103.24.68
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
control-plane
!
!
!
!
!         
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end
 
III. Client Configuration
In the browser, open https://192.168.1.1/ to reach WebVPN. A prompt appears; click "OK".
A certificate needs to be installed; click "Yes". The first exclamation mark is because this certificate is self-issued by the router and has not been verified; the second is because, when configuring WebVPN, you should pay attention to the validity period of the issued certificate: the start of the validity period on the issued certificate is often one or two days later than the current time.

A web page then appears; enter the username and password and click Login.
The SSL VPN Client software is now installed automatically (depending on your IE security-level settings).

Part way through, a prompt says that an error was found in the VPN server certificate;
click "Yes" and the certificate is installed and imported.

Once the certificate is installed, the VPN connection is established and a small yellow key icon appears in the lower right of the screen.

You can view the split-tunnel subnets of the VPN tunnel.

Use the ipconfig command to see the IP address that was obtained.

In the routing table you can see a route entry pointing to 192.168.10.0.
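The two browser warnings described above (self-signed issuer, and a validity start later than the client's clock) are both visible in the certificate itself, and R1's running-config prints that certificate as a hex dump. As an added example that is not part of the original post and not IOS code, here is a minimal DER walker that parses that very blob (copied verbatim from the `crypto pki certificate chain` section above) and reports, for a given client time, which of those conditions hold. It also decodes the signature algorithm OID, which in this blob is 1.2.840.113549.1.1.4 (md5WithRSAEncryption), and the subjectAltName, which holds only the router hostname. The function names are my own; the `now_iso` parameter is an assumed input standing in for the client's clock.

```python
import binascii
import datetime

# The self-signed certificate as it appears in R1's running-config above (584 DER bytes).
IOS_CERT_HEX = """
30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323934 39363732 3935301E 170D3133 30323035 31363133
33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32393439
36373239 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BB9A 57431585 6D67AD94 FA6358DE 4606BC8F B7C67AB2 340703CF DA2F49E7
F54EDD5C CCC0EC0F 51493327 60C729E6 E17B273A E3925F83 764206BD 4B9AB34D
FC6BA0FF 5BD230A9 E3360762 825CBB45 20B3D5A1 F8BD0EB9 BCC0BBCD D0DE12D3
6250153F F329BFE2 1B08A503 92AF03AE EDD0E053 29167A6B 8B317A66 A8DEC310
1A010203 010001A3 6C306A30 0F060355 1D130101 FF040530 030101FF 30170603
551D1104 10300E82 0C284954 4348454E 59492952 31301F06 03551D23 04183016
8014CB86 7372F704 9AC3C428 9A1AAB40 68E4C215 D350301D 0603551D 0E041604
14CB8673 72F7049A C3C4289A 1AAB4068 E4C215D3 50300D06 092A8648 86F70D01
01040500 03818100 88363A3C EB6C6E32 FFE99E22 3F34FCB5 99699649 A5075A8D
ABE0BABE 6562B9E4 ACFE180D A6108344 7003F056 26366C81 B616EA6B DB388E54
56DF4E84 F99E03F9 F527774F 88AB9998 A11DE569 80383DD3 62919DED 29757760
BB3129F4 BC6E54D2 40393BB3 28570654 C0A46360 B6F6373B 032AF538 D9A9CC4C
45FD6879 1F35E6CA
"""
UTC = datetime.timezone.utc

def read_tlv(buf, pos):
    """One DER TLV at pos -> (tag, value, next_pos); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed node's contents into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_time(tag, raw):
    """UTCTime (0x17, two-digit year) or GeneralizedTime (0x18); DER always uses Zulu."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=UTC)

def common_name(name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; return the CN (OID 2.5.4.3)."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            if decode_oid(oid) == "2.5.4.3":
                return val.decode("ascii")
    return None

def parse_cert(der):
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = children(cert)          # tbsCertificate, signatureAlgorithm, signature
    fields = children(tbs)
    if fields[0][0] == 0xA0:                            # optional EXPLICIT [0] version
        fields = fields[1:]
    _, _, (_, issuer), (_, validity), (_, subject) = fields[:5]
    (nb_tag, nb), (na_tag, na) = children(validity)
    dns_names = []
    if fields[-1][0] == 0xA3:                           # [3] extensions (v3 certificates)
        for _, ext in children(children(fields[-1][1])[0][1]):
            parts = children(ext)                       # extnID, [critical], extnValue
            if decode_oid(parts[0][1]) == "2.5.29.17":  # subjectAltName
                for gn_tag, gn in children(children(parts[-1][1])[0][1]):
                    if gn_tag == 0x82:                  # dNSName
                        dns_names.append(gn.decode("ascii"))
    return {"signature_oid": decode_oid(children(sig_alg)[0][1]),
            "issuer_cn": common_name(issuer), "subject_cn": common_name(subject),
            "not_before": decode_time(nb_tag, nb), "not_after": decode_time(na_tag, na),
            "dns_names": dns_names}

def audit_cert(hex_blob, now_iso):
    """Parse an IOS certificate hex dump and list the conditions that make a browser prompt."""
    now = datetime.datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    info = parse_cert(binascii.unhexlify("".join(hex_blob.split())))
    checks = [
        (info["issuer_cn"] == info["subject_cn"], "self-signed: no trusted CA chain (first warning)"),
        (now < info["not_before"], "notBefore is later than the client clock (second warning)"),
        (now > info["not_after"], "certificate has expired"),
        (info["signature_oid"] == "1.2.840.113549.1.1.4", "signed with md5WithRSAEncryption"),
    ]
    info["findings"] = [msg for hit, msg in checks if hit]
    info["not_before"], info["not_after"] = info["not_before"].isoformat(), info["not_after"].isoformat()
    return info
```

For this blob the validity window decodes to 2013-02-05T16:13:32Z through 2020-01-01T00:00:00Z, so a client whose clock reads 2013-02-04 gets the second warning and one a few days later does not. The only subjectAltName entry is the dNSName "(ITCHENYI)R1", so connecting by the address 192.168.1.1, as the walkthrough does, is an additional name mismatch from the browser's point of view; the same parser can be pointed at a live gateway by feeding it the DER returned by `ssl.SSLSocket.getpeercert(binary_form=True)`.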
