Date: 2023-06-06 10:16
Author: admin
This lab is carried out on a Cisco CSR1000V virtual router.
Lab topology
Lab configuration
hostname csr1kv
!
aaa new-model
!
aaa authentication suppress null-username
aaa authentication login sslvpn local
aaa authorization network sslvpn local
!
no ip domain lookup
!
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
 subject-name cn=csr1kv.local
 revocation-check none
 rsakeypair csr1kv.local
!
!
! This is the self-signed certificate; the generation process is omitted.
crypto pki certificate chain csr1kv.local
 certificate self-signed 01
  B84230DF77267A70ADBEF7753791C3CFEF45FF13637343C99589D487E0F4D050
  3E1A1CEECEFCC9F8168F91A2D62EE440A1674943D20F8EDBDB465130109147BE
  99C342C5921D3DBD910CBECB5638
  quit
!
username admin privilege 15 secret 5 $1$bVLV$u0lFX9bJ3IFSF7M6R7UFe.
username cisco password 7 060506324F41
!
!
! SSL encryption policy
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!
! SSL authorization policy
crypto ssl authorization policy sslvpn-auth-policy
 pool sslvpn
 dns 10.1.1.100
 def-domain iteachs.com
 route set access-list sslvpn-tunnel
!
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint csr1kv.local sign
 ip address local 202.100.1.100 port 443
!
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy
 authentication remote user-pass
 max-users 100
!
!
crypto vpn anyconnect bootflash:/anyconnect-win-4.6.03049-webdeploy-k9.pkg sequence 1
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 202.100.1.100 255.255.255.0
 negotiation auto
!
ip local pool sslvpn 172.16.1.1 172.16.1.100
ip route 192.168.100.0 255.255.255.0 202.100.1.1
ip access-list standard sslvpn-tunnel
 permit 10.1.1.0 0.0.0.255
!
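An added example, not part of the original article: a small Python audit over the security-relevant lines of the lab configuration above. It flags the legacy suites in the SSL proposal, the type 7 and type 5 credentials and the self-signed trustpoint, and rewrites the protection line so that only the AES suites remain. The sample text, rule names and function names are constructed for illustration, and the credential strings are placeholders.

```python
import re

# Constructed sample based on this page's lab config; credentials are placeholders.
SAMPLE_CONFIG = """\
crypto pki trustpoint csr1kv.local
 enrollment selfsigned
username admin privilege 15 secret 5 HASH-PLACEHOLDER
username cisco password 7 OBFUSCATED-PLACEHOLDER
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
"""

# Substrings that mark a cipher-suite keyword as weak, with the reason.
WEAK_PARTS = {
    "rc4": "RC4 is prohibited for TLS (RFC 7465)",
    "md5": "MD5-based MAC",
    "3des": "64-bit block cipher (Sweet32)",
}

def weak_reasons(suite):
    """Reasons a suite keyword such as rsa-rc4128-md5 is considered weak."""
    return [why for part, why in WEAK_PARTS.items() if part in suite]

def audit(config):
    """Return (line_number, rule_id, detail) tuples for risky settings."""
    findings = []
    for number, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("protection "):
            for suite in line.split()[1:]:
                why = "; ".join(weak_reasons(suite))
                if why:
                    findings.append((number, "weak-suite", f"{suite}: {why}"))
        user = re.match(r"username (\S+) .*\b(password|secret) (\d) ", line)
        if user and user.group(2, 3) == ("password", "7"):
            findings.append((number, "type7-password", f"{user[1]}: reversible encoding"))
        elif user and user.group(3) == "5":
            findings.append((number, "type5-secret", f"{user[1]}: salted MD5 hash"))
        if line == "enrollment selfsigned":
            findings.append((number, "self-signed", "not issued by a CA"))
    return findings

def harden_protection(line):
    """Rewrite a 'protection' line, keeping only suites with no weak part."""
    keep = [s for s in line.split()[1:] if not weak_reasons(s)]
    return " protection " + " ".join(keep)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Applied to the proposal in this lab, `harden_protection` leaves `protection rsa-aes128-sha1 rsa-aes256-sha1`.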
Verification
csr1kv#show version
Cisco IOS XE Software, Version 03.16.06.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 24-Jul-17 20:01 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
csr1kv uptime is 39 minutes
Uptime for this control processor is 40 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax
cisco CSR1000V (VXE) processor (revision VXE) with 1090313K/6147K bytes of memory.
Processor board ID 9ZMT9E7R1HJ
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3022272K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
Configuration register is 0x2102
csr1kv#
csr1kv#show crypto ssl session
SSL profile name: sslvpn-profile
Client_Login_Name  Client_IP_Address  No_of_Connections  Created  Last_Used
cisco              192.168.100.100    1                  0049     0029
csr1kv#show crypto ssl session user cisco
Interface         : SSLVPN-VIF0
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 4.6.03049
Username          : cisco            Num Connection : 1
Public IP         : 192.168.100.100
Profile           : sslvpn-profile
Policy            : sslvpn-policy
Last-Used         : 0036             Created        : *0852.328 UTC Thu Dec 6 2018
Tunnel IP         : 172.16.1.1       Netmask        : 0.0.0.0
Rx IP Packets     : 2                Tx IP Packets  : 28
csr1kv#
csr1kv#show crypto ssl session user cisco detail
Interface         : SSLVPN-VIF0
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 4.6.03049
Username          : cisco            Num Connection : 1
Public IP         : 192.168.100.100
Profile           : sslvpn-profile
Policy            : sslvpn-policy
Last-Used         : 0000             Created        : *0852.328 UTC Thu Dec 6 2018
Session Timeout   : 43200            Idle Timeout   : 1800
DNS primary       : 10.1.1.100       WINS primary   : None
DNS secondary     : None             WINS secondary : None
IP6 DNS primary   : None
IP6 DNS secondary : None
DPD GW Timeout    : 300              DPD CL Timeout : 300
Address Pool      : sslvpn
MTU Size          : 1406
Disconnect Time   : 0
Rekey Time        : 3600
Lease Duration    : 43200            Keepalive      : 30
Tunnel IP         : 172.16.1.1       Netmask        : 0.0.0.0
Rx IP Packets     : 2                Tx IP Packets  : 34
CSTP Started      : 0032             Last-Received  : 0000
CSTP DPD-Req sent : 0
Msie-ProxyServer  : None
Msie-PxyOption    : Disabled
Msie-Exception    : None
Split DNS         : None
ACL               : sslvpn-tunnel
Default Domain    : iteachs.com
Client Ports      : 49190
Detail Session Statistics for User:: cisco
----------------------------------
CSTP Statistics::
Rx CSTP Frames    : 36               Tx CSTP Frames   : 0
Rx CSTP Bytes     : 2537             Tx CSTP Bytes    : 120
Rx CSTP Data Fr   : 34               Tx CSTP Data Fr  : 2
Rx CSTP CNTL Fr   : 2                Tx CSTP CNTL Fr  : 0
Rx CSTP DPD Req   : 0                Tx CSTP DPD Req  : 0
Rx CSTP DPD Res   : 0                Tx CSTP DPD Res  : 0
Rx Addr Renew Req : 0                Tx Address Renew : 0
Rx Dropped Frames : 0                Tx Dropped Frame : 0
Rx IP Packets     : 2                Tx IP Packets    : 34
Rx IP Bytes       : 120              Tx IP Bytes      : 2249
Rx IP6 Packets    : 0                Tx IP6 Packets   : 0
Rx IP6 Bytes      : 0                Tx IP6 Bytes     : 0
CEF Statistics::
Rx CSTP Data Fr   : 0                Tx CSTP Data Fr  : 0
Rx CSTP Bytes     : 0                Tx CSTP Bytes    : 0
csr1kv#
End of lab.
Reviewing editor: 刘清