本举例是在M9000-AI-E8的R9071版本上进行配置和验证的。
如下图所示,Device为SSL VPN网关设备,连接公网用户和企业私有网络。用户通过Device可以通过IP接入方式安全地访问私有网络内的Server。Device通过LDAP server采用远程认证和授权方式对用户进行认证和授权。
图-1 IP接入LDAP认证、授权配置组网图
· 本文以Microsoft Windows Server 2008 R2的Active Directory为例,说明该例中LDAP服务器的基本配置。
· 在LDAP服务器上设置管理员admin的密码为admin!123456。
· 在LDAP服务器上添加用户名为sslvpn的用户,密码为ldap!123456,所属组织单位为sslvpn_usergroup,隶属于用户组users。
· Device已获取到CA证书ca.cer和服务器证书server.pfx,若SSL VPN网关不引用SSL 服务端策略,则使用设备缺省证书。
新建组织单位sslvpn_usergroup
在LDAP服务器上,选择[开始/管理工具]中的[Active Directory用户和计算机],打开Active Directory用户和计算机界面;
在Active Directory用户和计算机界面的左侧导航树中,右键单击ldap.com,选择[新建/组织单位],打开[新建对象-组织单位]对话框;
在对话框中输入组织单位名称sslvpn_usergroup,并单击<确定>按钮。
图-2 新建组织单位sslvpn_usergroup
新建用户sslvpn所属组织单位为sslvpn_usergroup
在Active Directory用户和计算机界面的左侧导航树中,右键单击sslvpn_usergroup,选择[新建/用户],打开[新建对象-用户]对话框;
在对话框中输入姓名和用户登录名为sslvpn,并单击<下一步>按钮。
图-3 新建用户sslvpn
在弹出的对话框的“密码”区域框内输入用户密码ldap!123456,并单击<下一步>按钮。用户账户的其它属性(密码的更改方式、密码的生存方式、是否禁用账户)请根据实际情况选择配置,图中仅为示例。
图-4 设置用户密码
单击<完成>按钮,创建新用户sslvpn。
将用户sslvpn加入Users组。
在Active Directory用户和计算机界面的左侧导航树中,单击sslvpn_usergroup,在右侧信息框中右键单击用户sslvpn,选择“属性”项;
在弹出的[sslvpn属性]对话框中选择“隶属于”页签,并单击<添加(D)...>按钮。
图-5 修改用户属性
在弹出的[选择组]对话框中的可编辑区域框中输入对象名称“Users”,单击<确定>,完成用户sslvpn添加到Users组。
图-6 添加用户sslvpn到用户组Users
在开始下面的配置之前,假设已完成如下配置:
· Device已获取到CA证书ca.cer和服务器证书server.pfx,若SSL VPN网关不引用SSL 服务端策略,则使用设备缺省证书。
· Server上存在到达网段10.1.1.0/24的路由。
· LDAP server已经部署完成,能够对用户进行认证和授权。
配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址,具体配置步骤如下。
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 1.1.1.2 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
创建SSL VPN AC接口,用于转发IP接入流量
# 创建SSL VPN AC接口1,配置该接口的IP地址为10.1.1.100/24。
[Device] interface sslvpn-ac 1
[Device-SSLVPN-AC1] ip address 10.1.1.100 24
[Device-SSLVPN-AC1] quit
配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达Server的下一跳IP地址为2.2.2.3,到达User的下一跳IP地址为1.1.1.3实际使用中请以具体组网情况为准,具体配置步骤如下。
[Device] ip route-static 20.2.2.2 24 2.2.2.3
[Device] ip route-static 40.1.1.1 24 1.1.1.3
配置接口加入安全域。
# 请根据组网图中规划的信息,将接口加入对应的安全域,具体配置步骤如下。
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Device-security-zone-Untrust] import interface sslvpn-ac 1
[Device-security-zone-Untrust] quit
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/2
[Device-security-zone-Trust] import interface gigabitethernet 1/0/3
[Device-security-zone-Trust] quit
配置安全策略放行Untrust与Local安全域之间的流量,用于用户访问SSL VPN网关设备。
# 配置名称为sslvpnlocalout1的安全策规则,使Device可以向用户发送报文,具体配置步骤如下。
[Device] security-policy ip
[Device-security-policy-ip] rule name sslvpnlocalout1
[Device-security-policy-ip-1-sslvpnlocalout1] source-zone local
[Device-security-policy-ip-1-sslvpnlocalout1] destination-zone untrust
[Device-security-policy-ip-1-sslvpnlocalout1] source-ip-host 1.1.1.2
[Device-security-policy-ip-1-sslvpnlocalout1] source-ip-host 10.1.1.100
[Device-security-policy-ip-1-sslvpnlocalout1] destination-ip-host 40.1.1.1
[Device-security-policy-ip-1-sslvpnlocalout1] destination-ip-subnet 10.1.1.0 24
[Device-security-policy-ip-1-sslvpnlocalout1] action pass
[Device-security-policy-ip-1-sslvpnlocalout1] quit
# 配置名称为sslvpnlocalin1的安全策略规则,使用户可以向Device发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name sslvpnlocalin1
[Device-security-policy-ip-2-sslvpnlocalin1] source-zone untrust
[Device-security-policy-ip-2-sslvpnlocalin1] destination-zone local
[Device-security-policy-ip-2-sslvpnlocalin1] source-ip-host 40.1.1.1
[Device-security-policy-ip-2-sslvpnlocalin1] source-ip-subnet 10.1.1.0 24
[Device-security-policy-ip-2-sslvpnlocalin1] destination-ip-host 1.1.1.2
[Device-security-policy-ip-2-sslvpnlocalin1] destination-ip-host 10.1.1.100
[Device-security-policy-ip-2-sslvpnlocalin1] action pass
[Device-security-policy-ip-2-sslvpnlocalin1] quit
# 配置名称为sslvpnlocalout2的安全策规则,使Device可以向Server发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name sslvpnlocalout2
[Device-security-policy-ip-3-sslvpnlocalout2] source-zone local
[Device-security-policy-ip-3-sslvpnlocalout2] destination-zone trust
[Device-security-policy-ip-3-sslvpnlocalout2] source-ip-host 2.2.2.2
[Device-security-policy-ip-3-sslvpnlocalout2] source-ip-host 3.3.3.1
[Device-security-policy-ip-3-sslvpnlocalout2] destination-ip-host 20.2.2.2
[Device-security-policy-ip-3-sslvpnlocalout2] destination-ip-host 3.3.3.2
[Device-security-policy-ip-3-sslvpnlocalout2] action pass
[Device-security-policy-ip-3-sslvpnlocalout2] quit
# 配置名称为sslvpnlocalin2的安全策略规则,使Server可以向Device发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name sslvpnlocalin2
[Device-security-policy-ip-4-sslvpnlocalin2] source-zone trust
[Device-security-policy-ip-4-sslvpnlocalin2] destination-zone local
[Device-security-policy-ip-4-sslvpnlocalin2] source-ip-host 20.2.2.2
[Device-security-policy-ip-4-sslvpnlocalin2] source-ip-host 3.3.3.2
[Device-security-policy-ip-4-sslvpnlocalin2] destination-ip-host 2.2.2.2
[Device-security-policy-ip-4-sslvpnlocalin2] destination-ip-host 3.3.3.1
[Device-security-policy-ip-4-sslvpnlocalin2] action pass
[Device-security-policy-ip-4-sslvpnlocalin2] quit
# 配置名称为untrust-trust的安全策规则,使用户可以通过SSL VPN AC接口访问Server,具体配置步骤如下。
[Device-security-policy-ip] rule name untrust-trust
[Device-security-policy-ip-5-untrust-trust] source-zone untrust
[Device-security-policy-ip-5-untrust-trust] destination-zone trust
[Device-security-policy-ip-5-untrust-trust] source-ip-subnet 10.1.1.0 24
[Device-security-policy-ip-5-untrust-trust] destination-ip-host 20.2.2.2
[Device-security-policy-ip-5-untrust-trust] action pass
[Device-security-policy-ip-5-untrust-trust] quit
# 配置名称为trust-untrust的安全策略规则,使Server可以通过SSL VPN AC接口向用户发送报文,具体配置步骤如下。
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-6-trust-untrust] source-zone trust
[Device-security-policy-ip-6-trust-untrust] destination-zone untrust
[Device-security-policy-ip-6-trust-untrust] source-ip-host 20.2.2.2
[Device-security-policy-ip-6-trust-untrust] destination-ip-subnet 10.1.1.0 24
[Device-security-policy-ip-6-trust-untrust] action pass
[Device-security-policy-ip-6-trust-untrust] quit
[Device-security-policy-ip] quit
配置PKI域,设置证书申请所需的相关参数
[Device] pki domain sslvpn
[Device-pki-domain-sslvpn] public-key rsa general name sslvpn
[Device-pki-domain-sslvpn] undo crl check enable
[Device-pki-domain-sslvpn] quit
[Device] pki import domain sslvpn der ca filename ca.cer
[Device] pki import domain sslvpn p12 local filename server.pfx
配置SSL服务器端策略,引用PKI域
[Device] ssl server-policy ssl
[Device-ssl-server-policy-ssl] pki-domain sslvpn
[Device-ssl-server-policy-ssl] quit
配置SSL VPN网关,为用户提供访问SSL VPN网关的入口
# 配置SSL VPN网关gw的IP地址为1.1.1.2,端口号为2000,并引用SSL服务器端策略ssl。
[Device] sslvpn gateway gw
[Device-sslvpn-gateway-gw] ip address 1.1.1.2 port 2000
[Device-sslvpn-gateway-gw] ssl server-policy ssl
[Device-sslvpn-gateway-gw] service enable
[Device-sslvpn-gateway-gw] quit
创建SSL VPN客户端地址池,用于为IP接入客户端分配IP地址
# 创建地址池ippool,指定IP地址范围为10.1.1.1~10.1.1.10。
[Device] sslvpn ip address-pool ippool 10.1.1.1 10.1.1.10
配置LDAP,用于认证SSL VPN用户
[Device] ldap server ldap1
[Device-ldap-server-ldap1] ip 3.3.3.2
[Device-ldap-server-ldap1] login-dn cn=admin,cn=users,dc=ldap,dc=com
[Device-ldap-server-ldap1] login-password simple admin!123456
[Device-ldap-server-ldap1] search-base-dn dc=ldap,dc=com
[Device-ldap-server-ldap1] quit
[Device] ldap attribute-map test
[Device-ldap-attr-map-test] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
[Device-ldap-attr-map-test] quit
[Device] ldap scheme shml
[Device-ldap-shml] authentication-server ldap1
[Device-ldap-shml] authorization-server ldap1
[Device-ldap-shml] attribute-map test
[Device-ldap-shml] quit
配置ISP域,通过ISP域对SSL VPN用户进行认证
# 创建ISP域bbb,为SSL VPN用户配置AAA认证方法为LDAP认证、LDAP授权、不计费。
[Device] domain bbb
[Device-isp-bbb] authentication sslvpn ldap-scheme shml
[Device-isp-bbb] authorization sslvpn ldap-scheme shml
[Device-isp-bbb] accounting sslvpn none
[Device-isp-bbb] quit
配置SSL VPN访问实例,为用户提供不同的SSL VPN服务
# 配置SSL VPN访问实例ctx引用SSL VPN网关gw。
[Device] sslvpn context ctx
[Device-sslvpn-context-ctx] gateway gw
[Device-sslvpn-context-ctx] aaa domain bbb
[Device-sslvpn-context-ctx] ip-route-list rtlist
[Device-sslvpn-context-ctx-route-list-rtlist] include 20.2.2.0 255.255.255.0
[Device-sslvpn-context-ctx-route-list-rtlist] quit
[Device-sslvpn-context-ctx] uri-acl uriacl
[Device-sslvpn-context-ctx-uri-acl-uriacl] rule 1 permit uri icmp://20.2.2.0
[Device-sslvpn-context-ctx-uri-acl-uriacl] quit
[Device-sslvpn-context-ctx] ip-tunnel interface sslvpn-ac 1
[Device-sslvpn-context-ctx] ip-tunnel address-pool ippool mask 255.255.255.0
[Device-sslvpn-context-ctx] policy-group pgroup
[Device-sslvpn-context-ctx-policy-group-pgroup] ip-tunnel access-route ip-route-list rtlist
[Device-sslvpn-context-ctx-policy-group-pgroup] filter ip-tunnel uri-acl uriacl
[Device-sslvpn-context-ctx-policy-group-pgroup] quit
[Device-sslvpn-context-ctx] service enable
[Device-sslvpn-context-ctx] quit
配置本地用户组,基于用户组对用户进行授权
# 创建本地用户组users,指定授权SSL VPN策略组为pgroup。
[Device] user-group users
[Device-ugroup-users] authorization-attribute sslvpn-policy-group pgroup
[Device-ugroup-users] quit
# 在Device上查看SSL VPN网关状态,可见SSL VPN网关gw处于Up状态。
[Device] display sslvpn gateway
Gateway name: gw
Operation state: Up
IP: 1.1.1.2 Port: 2000
SSL server policy configured: ssl
SSL server policy in use: ssl
Front VPN instance: Not configured
# 在Device上查看SSL VPN访问实例状态,可见SSL VPN访问实例ctx处于Up状态。
[Device] display sslvpn context
Context name: ctx
Operation state: Up
AAA domain: domain1
Certificate authentication: Disabled
Password authentication:Enabled
Authentication use: All
SMS auth type: Not configured
Urlmasking: Disabled
Code verification: Disabled
Default policy group: Not configured
Associated SSL VPN gateway: gw
SSL client policy configured: ssl
SSL client policy in use: ssl
Maximum users allowed: 1048575
VPN instance: Not configured
Idle timeout: 30 min
Authentication server-type: aaa
Password changing: Enabled
# 用户在PC上启动IP接入客户端软件,输入访问地址1.1.1.2、端口号2000、用户名sslvpn、密码123456,登录成功。
# 在Device上可以看到用户会话信息。
[Device] display sslvpn session context ctx
SSL VPN context: ctx
Users: 1
Username Connections Idle time Created User IP
sslvpn 6 0/00:02:05 0/00:03:14 40.1.1.1
# 在PC上查看IPv4路由表,其中40.1.1.1/24为本地网卡地址,10.1.1.1/24为SSL VPN网关设备分配给用户的地址,20.2.2.0/24为到达内部服务器Server的路由。
>route -4 print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
10.1.1.0 255.255.255.0 On-link 10.1.1.1 276
10.1.1.1 255.255.255.255 On-link 10.1.1.1 276
10.1.1.255 255.255.255.255 On-link 10.1.1.1 276
20.2.2.0 255.255.255.0 On-link 10.1.1.1 276
20.2.2.255 255.255.255.255 On-link 10.1.1.1 276
40.1.1.0 255.255.255.0 On-link 40.1.1.1 276
40.1.1.1 255.255.255.255 On-link 40.1.1.1 276
40.1.1.255 255.255.255.255 On-link 40.1.1.1 276
===========================================================================
# 在PC上可以Ping通服务器地址20.2.2.2。
C:\>ping 20.2.2.2
Pinging 20.2.2.2 with 32 bytes of data:
Reply from 20.2.2.2: bytes=32 time=197ms TTL=254
Reply from 20.2.2.2: bytes=32 time=1ms TTL=254
Reply from 20.2.2.2: bytes=32 time=1ms TTL=254
Reply from 20.2.2.2: bytes=32 time=186ms TTL=254
Ping statistics for 20.2.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 197ms, Average = 96ms
#
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 2.2.2.2 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 3.3.3.1 255.255.255.0
#
interface SSLVPN-AC1
ip address 10.1.1.100 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/3
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface SSLVPN-AC1
#
ip route-static 20.2.2.0 24 2.2.2.3
ip route-static 40.1.1.0 24 1.1.1.3
#
ldap server ldap1
login-dn cn=admin,cn=users,dc=ldap,dc=com
search-base-dn dc=ldap,dc=com
ip 3.3.3.2
login-password simple admin!123456
#
ldap scheme shml
authentication-server ldap1
authorization-server ldap1
attribute-map test
#
ldap attribute-map test
map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
#
domain bbb
authentication sslvpn ldap-scheme shml
authorization sslvpn ldap-scheme shml
accounting sslvpn none
#
user-group users
authorization-attribute sslvpn-policy-group pgroup
#
pki domain sslvpn
public-key rsa general name sslvpn
undo crl check enable
#
pki import domain sslvpn der ca filename ca.cer
pki import domain sslvpn p12 local filename server.pfx
#
ssl server-policy ssl
pki-domain sslvpn
#
sslvpn ip address-pool ippool 10.1.1.1 10.1.1.10
#
sslvpn gateway gw
ip address 1.1.1.2 port 2000
ssl server-policy ssl
service enable
#
sslvpn context ctx
gateway gw
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool ippool mask 255.255.255.0
uri-acl uriacl
rule 1 permit uri icmp://20.2.2.0
ip-route-list rtlist
include 20.2.2.0 255.255.255.0
policy-group pgroup
filter ip-tunnel uri-acl uriacl
ip-tunnel access-route ip-route-list rtlist
aaa domain bbb
service enable
#
security-policy ip
rule 0 name sslvpnlocalout1
action pass
source-zone local
destination-zone untrust
source-ip-host 1.1.1.2
source-ip-host 10.1.1.100
destination-ip-host 40.1.1.1
destination-ip-subnet 10.1.1.0 255.255.255.0
rule 1 name sslvpnlocalin1
action pass
source-zone untrust
destination-zone local
source-ip-host 40.1.1.1
source-ip-subnet 10.1.1.0 255.255.255.0
destination-ip-host 1.1.1.2
destination-ip-host 10.1.1.100
rule 2 name sslvpnlocalout2
action pass
source-zone local
destination-zone trust
source-ip-host 2.2.2.2
source-ip-host 3.3.3.1
destination-ip-host 3.3.3.2
destination-ip-host 20.2.2.2
rule 3 name sslvpnlocalin2
action pass
source-zone trust
destination-zone local
source-ip-host 3.3.3.2
source-ip-host 20.2.2.2
destination-ip-host 2.2.2.2
destination-ip-host 3.3.3.1
rule 4 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 255.255.255.0
destination-ip-host 20.2.2.2
rule 5 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-host 20.2.2.2
destination-ip-subnet 10.1.1.0 255.255.255.0