一壁晒、目標
- 本篇基于前兩篇:阿里云部署H3C vSR1000路由器和本地Cisco與云端H3C建立GRE over IPsec;
- 阿里云部署Cisco CSR1000v路由器墅拭,并配置Anyconnect SSL VPN實現(xiàn)與企業(yè)內網互通淤齐;
- 為提升安全性(避免終端撥VPN時提示安全警告)股囊,本例中為Anyconnect SSL VPN使用公網證書;
- 為了測試更啄,本例拓撲相對復雜稚疹,實際應用中云端部署一臺路由器即可。
二祭务、拓撲
- 云端部署H3C vSR1000和Cisco CSR1000v路由器内狗,其中vSR1000用于與企業(yè)內網旁掛的Cisco VPN路由器建立GRE over IPsec隧道;
- vSR1000和CSR1000v建立普通GRE隧道义锥;
- Cisco VPN路由器柳沙、vSR1000和CSR1000v運行OSPF動態(tài)路由協(xié)議;
- Cisco VPN路由器與核心交換機已運行EIGRP動態(tài)路由協(xié)議拌倍;
- CSR1000v配置Anyconnect SSL VPN赂鲤,實現(xiàn)終端通過互聯(lián)網遠程撥入SSL VPN噪径,最終達到訪問企業(yè)內網的目的。
-
注意:
1蛤袒、本例部署的Cisco CSR1000v版本為:16.12.04a熄云,此版本為當前官方推薦使用的版本;
2妙真、阿里云部署Cisco CSR1000v與前兩篇的部署H3C vSR1000同理缴允,但是需注意阿里云部署時CSR1000v可能會存在CSR1000v無接口現(xiàn)象,此處建議選不同實例多部署幾次嘗試珍德,或者部署到騰訊云(騰訊云無此問題)练般;
3、Cisco CSR1000v默認為全功能激活锈候,但是轉發(fā)性能限制為1000kbps薄料。CSR1000v為Smart License許可模型,如果有Cisco Smart Account泵琳,可以為CSR1000v申請Demo License摄职。
sv#show platform hardware throughput level
The current throughput level is 1000 kb/s
三、配置
- 在上篇本地Cisco與云端H3C建立GRE over IPsec中获列,已完成GRE over IPsec配置谷市,此處不再贅述。
3.1 Cisco CSR1000v配置
3.1.1 為CSR1000v申請公網證書
- 本例使用https://freessl.cn提供的免費公網證書击孩。
hostname sv
ip domain name yuezq.com
創(chuàng)建私鑰:
crypto key generate rsa general-keys label svprivatekey exportable modulus 2048
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)
配置PKI信任點:
crypto pki trustpoint sv
enrollment terminal
serial-number none
ip-address none
subject-name cn=sv.yuezq.com,o=yue,ou=yuetech,l=Haidian,st=Beijng,c=CN
subject-alt-name sv.yuezq.com
revocation-check none
rsakeypair svprivatekey
exit
- 生成CSR(證書注冊請求)文件:
csr(config)#crypto pki enroll sv
% Start certificate enrollment ..
% The subject name in the certificate will include: cn=sv.yuezq.com,o=yue,ou=yuetech,l=Haidian,st=Beijng,c=CN
% The subject name in the certificate will include: csr.yuezq.com
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
MIIB5zCCAVACAQAwgYUxCzAJBgNVBAYTAkNOMQ8wDQYDVQQIEwZCZWlqbmcxEDAO
BgNVBAcTB0hhaWRpYW4xEDAOBgNVBAsTB3l1ZXRlY2gxDDAKBgNVBAoTA3l1ZTEV
MBMGA1UEAxMMc3YueXVlenEuY29tMRwwGgYJKoZIhvcNAQkCFg1jc3IueXVlenEu
Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzh5WAt6M1gWdhbDQL+ZK8
PE0P4kmMJrgWfFQ4YfKyXxKiml+Hbb0RX9UKSq7ygpiPtAByXcjt/cnXo5Fd4rFx
arVxqpPhP9RfvMBrKbSrcQGWavhULfgS1PiIDeYEyPs3/EyeaH+aLPvWXVXbNqIv
yMKF/gavk5DDu+SlejEHswIDAsdsdsdEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8B
Af8EBAMCBaAwDQYJKoZIhvcNAQEFBQADgYEAWriZBxwl+V9qltXNkDdhjlC36okI
Zce2Q8t9Zz6NkbtPhE2T5krDiHyUjYOFr6GFq+7Q7RsM6jaLBUqT22V2SoBQlVxC
uL0Hf+MSwvrERvgYs+jIRP2nM9NcyCTTpx9672j59WjZPSJhwT06wNXYU7Y3a8cA
rmfti1KzLVYgNd4=
---End - This line not part of the certificate request---
- 添加"Begin"和"End"標識之后的CSR為:
-----BEGIN CERTIFICATE REQUEST-----
MIIB5zCCAVACAQAwgYUxCzAJBgNVBAYTAkNOMQ8wDQYDVQQIEwZCZWlqbmcxEDAO
BgNVBAcTB0hhaWRpYW4xEDAOBgNVBAsTB3l1ZXRlY2gxDDAKBgNVBAoTA3l1ZTEV
MBMGA1UEAxMMc3YueXVlenEuY29tMRwwGgYJKoZIhvcNAQkCFg1jc3IueXVlenEu
Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzh5WAt6M1gWdhbDQL+ZK8
PE0P4kmMJrgWfFQ4YfKyXxKiml+Hbb0RX9UKSq7ygpiPtAByXcjt/cnXo5Fd4rFx
arVxqpPhP9RfvMBrKbSrcQGWavhULfgS1PiIDeYEyPs3/EyeaH+aLPvWXVXbNqIv
yMKF/gavk5DDu+SlejEHswIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8B
Af8EBAMCBaAwDQYJKoZIhvcNAQEFBQADgYEAWriZBxwl+V9qltXNkDdhjlC36okI
Zce2Q8t9Zz6NkbtPhE2T5krDiHyUjYOFr6GFq+7Q7RsM6jaLBUqT22V2SoBQlVxC
uL0Hf+MSwvrERvgYs+jIRP2nM9NcyCTTpx9672j59WjZPSJhwT06wNXYU7Y3a8cA
rmfti1KzLVYgNd4=
-----END CERTIFICATE REQUEST-----
-
CSR解析驗證迫悠,用于驗證CSR的有效性(可利用搜索引擎搜索"CSR解析"查找CSR驗證網站):
-
在"freessl.cn"申請證書:
-
"txt"解析添加完畢后,即可進行驗證
驗證通過后即可查看頒發(fā)的證書巩梢。
為CSR1000v導入CA根證書:
命令:crypto pki authenticate sv
復制"freessl.cn"顯示的CA證書创泄,直接粘貼到CSR1000v即可,根據(jù)提示輸入"quit"并敲回車實現(xiàn)CA根證書導入括蝠。為CSR1000v導入用戶證書:
命令:crypto pki import sv certificate
復制"freessl.cn"顯示的用戶證書鞠抑,直接粘貼到CSR1000v即可,根據(jù)提示輸入"quit"并敲回車實現(xiàn)用戶證書導入忌警。查看已導入的公網證書:
sv#show crypto pki certificates sv
Certificate
Status: Available
Certificate Serial Number (hex): 0387892EB10CF59091F3D871DDBB7F1F7E4D
Certificate Usage: General Purpose
Issuer:
cn=R3
o=Let's Encrypt
c=US
Subject:
Name: sv.yuezq.com
cn=sv.yuezq.com
Validity Date:
start date: 09:36:54 CST Jan 22 2021
end date: 09:36:54 CST Apr 22 2021
Associated Trustpoints: sv
Storage: nvram:R3#7E4D.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 400175048314A4C8218C84A90C16CDDF
Certificate Usage: Signature
Issuer:
cn=DST Root CA X3
o=Digital Signature Trust Co.
Subject:
cn=R3
o=Let's Encrypt
c=US
CRL Distribution Points:
http://crl.identrust.com/DSTROOTCAX3CRL.crl
Validity Date:
start date: 03:21:40 CST Oct 8 2020
end date: 03:21:40 CST Sep 30 2021
Associated Trustpoints: sv
Storage: nvram:DSTRootCAX3#CDDFCA.cer
- 以上即完成了公網證書的申請和導入碍拆。
3.1.2 配置Anyconnect SSL VPN
配置AAA,用于終端撥SSL VPN時的登錄認證和授權:
aaa new-model
aaa authentication suppress null-username
aaa authentication login sslvpn local
aaa authorization network sslvpn local
關閉路由器的HTTPS服務(或修改HTTPS的服務端口)慨蓝,以避免與SSL VPN端口沖突:
no ip http secure-server
配置終端撥入后獲取的IP地址段:
ip local pool sslpool 10.1.2.10 10.1.2.100
配置終端撥入后獲取的加密訪問路由(隧道分離路由),注意不要使用擴展ACL端幼,否則隧道分離路由無法正常下發(fā):
ip access-list standard split_acl
10 permit 172.16.100.0 0.0.1.255
配置SSL提議:
crypto ssl proposal sslvpn_proposal
protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
配置SSL授權策略(指定終端撥入后獲取的IP段礼烈、掩碼、隧道分離路由等信息):
crypto ssl authorization policy sslvpn_author_policy
netmask 255.255.255.0
include-local-lan
pool sslpool
def-domain yuezq.com
route set access-list split_acl
配置SSL策略(關聯(lián)SSL提議婆跑、關聯(lián)公網證書此熬,另由于443端口未開放,此處使用4433端口):
crypto ssl policy sslvpn_policy
ssl proposal sslvpn_proposal
pki trustpoint sv sign
ip address local 172.25.25.104 port 4433
配置SSL Profile(關聯(lián)SSL策略、關聯(lián)認證SSL VPN用戶認證&授權方案):
crypto ssl profile sslvpn_profile
match policy sslvpn_policy
aaa authentication user-pass list sslvpn
aaa authorization group user-pass list sslvpn sslvpn_author_policy
authentication remote user-pass
max-users 500
調用Anyconnect VPN鏡像(需先把鏡像復制到bootflash內):
crypto vpn anyconnect bootflash:/anyconnect-win-4.8.01090-webdeploy-k9.pkg sequence 1
crypto vpn anyconnect bootflash:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg sequence 2
創(chuàng)建SSL VPN用戶:
username sv1 secret xxxxx
3.1.3 配置GRE和路由
配置到H3C vSR1000的GRE隧道:
interface Tunnel20
ip address 10.101.101.2 255.255.255.252
ip ospf network point-to-point
tunnel source 172.25.25.104
tunnel destination 172.25.25.88
router ospf 10
router-id 172.25.25.104
network 10.101.101.0 0.0.0.3 area 0
3.2 H3C vSR1000配置
3.2.1 配置GRE和路由
interface Tunnel10
ospf network-type p2p
配置到Cisco CSR1000v的GRE隧道:
interface Tunnel20 mode gre
ip address 10.101.101.1 255.255.255.252
ospf network-type p2p
source 172.25.25.88
destination 172.25.25.104
ospf 10 router-id 10.195.195.1
area 0.0.0.0
network 10.100.100.0 0.0.0.3
network 10.101.101.0 0.0.0.3
ip route-static 10.1.2.0 24 10.101.101.2
3.3 Cisco VPN路由器配置
3.3.1 配置路由
interface Tunnel10
ip ospf network point-to-point
ip prefix-list e2o seq 5 permit 172.16.100.0/24
ip prefix-list e2o seq 10 permit 172.16.101.0/24
route-map e2o permit 10
match ip address prefix-list e2o
172.16.100.0/23已被宣告在EIGRP中犀忱,所以此處將EIGRP引入到OSPF中
router ospf 10
router-id 10.195.195.2
redistribute eigrp 100 metric 80 metric-type 1 subnets route-map e2o
network 10.100.100.0 0.0.0.3 area 0
ip route 10.1.2.0 255.255.255.0 10.100.100.1
3.4 核心交換機配置
3.4.1 配置路由
ip route 10.1.2.0 255.255.255.0 172.16.101.101
四募谎、驗證
- 查看vSR1000上OSPF鄰居:
[VSR1K]dis ospf peer
OSPF Process 10 with Router ID 10.195.195.1
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
10.195.195.2 10.100.100.2 1 38 Full/ - Tun10
172.25.25.104 10.101.101.2 1 34 Full/ - Tun20
- 查看vSR1000上路由表:
[VSR1K]dis ip routing-table
Destinations : 25 Routes : 25
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 172.25.25.1 GE1/0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.1.2.0/24 Static 60 0 10.101.101.2 Tun20
10.100.100.0/30 Direct 0 0 10.100.100.1 Tun10
10.100.100.0/32 Direct 0 0 10.100.100.1 Tun10
10.100.100.1/32 Direct 0 0 127.0.0.1 InLoop0
10.100.100.3/32 Direct 0 0 10.100.100.1 Tun10
10.101.101.0/30 Direct 0 0 10.101.101.1 Tun20
10.101.101.0/32 Direct 0 0 10.101.101.1 Tun20
10.101.101.1/32 Direct 0 0 127.0.0.1 InLoop0
10.101.101.3/32 Direct 0 0 10.101.101.1 Tun20
10.195.195.1/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
172.16.100.0/24 O_ASE1 150 1642 10.100.100.2 Tun10
172.16.101.0/24 O_ASE1 150 1642 10.100.100.2 Tun10
172.25.25.0/25 Direct 0 0 172.25.25.88 GE1/0
172.25.25.0/32 Direct 0 0 172.25.25.88 GE1/0
172.25.25.88/32 Direct 0 0 127.0.0.1 InLoop0
172.25.25.127/32 Direct 0 0 172.25.25.88 GE1/0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
-
遠程終端撥Anyconnect SSL VPN:
-
查看隧道分離路由:
查看終端獲取的IP:
c:\>ipconfig /all
以太網適配器 以太網 2:
連接特定的 DNS 后綴 . . . . . . . : yuezq.com
描述. . . . . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
物理地址. . . . . . . . . . . . . : 00-05-9A-3C-7A-00
DHCP 已啟用 . . . . . . . . . . . : 否
自動配置已啟用. . . . . . . . . . : 是
本地鏈接 IPv6 地址. . . . . . . . : fe80::474:6ab6:3ea1:1365%26(首選)
本地鏈接 IPv6 地址. . . . . . . . : fe80::5b93:51c4:d999:35a5%26(首選)
IPv4 地址 . . . . . . . . . . . . : 10.1.2.21(首選)
子網掩碼 . . . . . . . . . . . . : 255.255.255.0
默認網關. . . . . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 452986266
DHCPv6 客戶端 DUID . . . . . . . : 00-01-00-01-27-57-F5-A7-E8-6A-64-CC-95-AF
DNS 服務器 . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
TCPIP 上的 NetBIOS . . . . . . . : 已啟用
- 查看終端路由表(已刪減):
c:\>route print
IPv4 路由表
===========================================================================
活動路由:
網絡目標 網絡掩碼 網關 接口 躍點數(shù)
0.0.0.0 0.0.0.0 10.87.0.1 10.87.15.117 35
172.16.100.0 255.255.254.0 10.1.2.1 10.1.2.21 2
- 訪問企業(yè)內網:
c:\>ping 172.16.100.254
正在 Ping 172.16.100.254 具有 32 字節(jié)的數(shù)據(jù):
來自 172.16.100.254 的回復: 字節(jié)=32 時間=20ms TTL=251
來自 172.16.100.254 的回復: 字節(jié)=32 時間=21ms TTL=251
來自 172.16.100.254 的回復: 字節(jié)=32 時間=19ms TTL=251
來自 172.16.100.254 的回復: 字節(jié)=32 時間=19ms TTL=251
172.16.100.254 的 Ping 統(tǒng)計信息:
數(shù)據(jù)包: 已發(fā)送 = 4,已接收 = 4阴汇,丟失 = 0 (0% 丟失)数冬,
往返行程的估計時間(以毫秒為單位):
最短 = 19ms,最長 = 21ms搀庶,平均 = 19ms
c:\>ping 172.16.101.254
正在 Ping 172.16.101.254 具有 32 字節(jié)的數(shù)據(jù):
來自 172.16.101.254 的回復: 字節(jié)=32 時間=19ms TTL=251
來自 172.16.101.254 的回復: 字節(jié)=32 時間=22ms TTL=251
來自 172.16.101.254 的回復: 字節(jié)=32 時間=24ms TTL=251
來自 172.16.101.254 的回復: 字節(jié)=32 時間=21ms TTL=251
172.16.101.254 的 Ping 統(tǒng)計信息:
數(shù)據(jù)包: 已發(fā)送 = 4拐纱,已接收 = 4,丟失 = 0 (0% 丟失)哥倔,
往返行程的估計時間(以毫秒為單位):
最短 = 19ms秸架,最長 = 24ms,平均 = 21ms