本举例是在M9000-AI-E8的R9071版本上进行配置和验证的。
如下图所示,Device为SSL VPN网关设备,连接公网用户和企业私有网络。用户通过Device可以通过IP接入方式安全地访问私有网络内的Server。用户使用USB Key登录SSL VPN网关,Device采用证书认证方式对用户进行身份认证,认证通过后对用户进行授权。
图-1 IP接入USB Key证书认证配置组网图
设备支持使用缺省证书和非缺省证书作为其服务器证书,使用方法如下:
缺省证书:设备出厂自带的服务器证书即为缺省证书,使用缺省证书时无需引用SSL服务器端策略。
非缺省证书:用户自己申请的证书即为非缺省证书,使用非缺省证书时需要引用SSL服务器端策略。
由于缺省证书存在较多的安全隐患,故仅作为功能测试使用。实际组网环境中,请使用非缺省证书作为设备的服务器证书。
在开始下面的配置之前,假设已完成如下配置:
Device已获取到CA证书ca.cer和服务器证书server.pfx,USB Key中已安装证书,Device和USB Key安装的证书为同一CA机构颁发。
USB Key客户端证书中的指定字段(默认为CN字段)必须和该SSL VPN用户的用户名一致。
某些品牌的USB Key可能需要安装驱动才能使用,请做好准备。
配置接口IP地址
# 根据组网图中规划的信息,配置各接口的IP地址。
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 1.1.1.2 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# 创建SSL VPN AC接口,用于转发IP接入流量。
[Device] interface sslvpn-ac 1
[Device-SSLVPN-AC1] ip address 10.1.1.100 24
[Device-SSLVPN-AC1] quit
请参考以上步骤配置其他接口的IP地址,具体配置步骤略。
# 请根据组网图中规划的信息,将接口加入对应的安全域。
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Device-security-zone-Untrust] import interface sslvpn-ac 1
[Device-security-zone-Untrust] quit
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/2
[Device-security-zone-Trust] quit
配置静态路由
本举例仅以静态路由方式配置路由信息。实际组网中,请根据具体情况选择相应的路由配置方式。
# 请根据组网图中规划的信息,配置静态路由,本举例假设到达Server的下一跳IP地址为2.2.2.3,到达Host的下一跳IP地址为1.1.1.3,实际使用中请以具体组网情况为准。
[Device] ip route-static 20.2.2.2 24 2.2.2.3
[Device] ip route-static 40.1.1.1 24 1.1.1.3
配置安全策略放行Untrust与Local安全域之间的流量,用于用户访问SSL VPN网关设备
# 配置名称为sslvpnlocalout1的安全策略规则,使SSL VPN网关可以向用户发送报文。
[Device] security-policy ip
[Device-security-policy-ip] rule name sslvpnlocalout1
[Device-security-policy-ip-1-sslvpnlocalout1] source-zone local
[Device-security-policy-ip-1-sslvpnlocalout1] destination-zone untrust
[Device-security-policy-ip-1-sslvpnlocalout1] source-ip-host 1.1.1.2
[Device-security-policy-ip-1-sslvpnlocalout1] destination-ip-host 40.1.1.1
[Device-security-policy-ip-1-sslvpnlocalout1] action pass
[Device-security-policy-ip-1-sslvpnlocalout1] quit
# 配置名称为sslvpnlocalin1的安全策略规则,使用户可以向SSL VPN网关发送报文。
[Device-security-policy-ip] rule name sslvpnlocalin1
[Device-security-policy-ip-2-sslvpnlocalin1] source-zone untrust
[Device-security-policy-ip-2-sslvpnlocalin1] destination-zone local
[Device-security-policy-ip-2-sslvpnlocalin1] source-ip-host 40.1.1.1
[Device-security-policy-ip-2-sslvpnlocalin1] destination-ip-host 1.1.1.2
[Device-security-policy-ip-2-sslvpnlocalin1] action pass
[Device-security-policy-ip-2-sslvpnlocalin1] quit
# 配置名称为sslvpnlocalout2的安全策略规则,使SSL VPN网关可以向Server发送报文。
[Device-security-policy-ip] rule name sslvpnlocalout2
[Device-security-policy-ip-3-sslvpnlocalout2] source-zone local
[Device-security-policy-ip-3-sslvpnlocalout2] destination-zone trust
[Device-security-policy-ip-3-sslvpnlocalout2] source-ip-host 2.2.2.2
[Device-security-policy-ip-3-sslvpnlocalout2] destination-ip-host 20.2.2.2
[Device-security-policy-ip-3-sslvpnlocalout2] action pass
[Device-security-policy-ip-3-sslvpnlocalout2] quit
# 配置名称为sslvpnlocalin2的安全策略规则,使Server可以向SSL VPN网关发送报文。
[Device-security-policy-ip] rule name sslvpnlocalin2
[Device-security-policy-ip-4-sslvpnlocalin2] source-zone trust
[Device-security-policy-ip-4-sslvpnlocalin2] destination-zone local
[Device-security-policy-ip-4-sslvpnlocalin2] source-ip-host 20.2.2.2
[Device-security-policy-ip-4-sslvpnlocalin2] destination-ip-host 2.2.2.2
[Device-security-policy-ip-4-sslvpnlocalin2] action pass
[Device-security-policy-ip-4-sslvpnlocalin2] quit
# 配置名称为untrust-trust的安全策略规则,使用户可以通过SSL VPN AC接口访问Server。
[Device-security-policy-ip] rule name untrust-trust
[Device-security-policy-ip-5-untrust-trust] source-zone untrust
[Device-security-policy-ip-5-untrust-trust] destination-zone trust
[Device-security-policy-ip-5-untrust-trust] source-ip-subnet 10.1.1.0 24
[Device-security-policy-ip-5-untrust-trust] destination-ip-host 20.2.2.2
[Device-security-policy-ip-5-untrust-trust] action pass
[Device-security-policy-ip-5-untrust-trust] quit
# 配置名称为trust-untrust的安全策略规则,使Server可以通过SSL VPN AC接口向用户发送报文。
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-6-trust-untrust] source-zone trust
[Device-security-policy-ip-6-trust-untrust] destination-zone untrust
[Device-security-policy-ip-6-trust-untrust] source-ip-host 20.2.2.2
[Device-security-policy-ip-6-trust-untrust] destination-ip-subnet 10.1.1.0 24
[Device-security-policy-ip-6-trust-untrust] action pass
[Device-security-policy-ip-6-trust-untrust] quit
[Device-security-policy-ip] quit
为设备配置证书,用于SSL VPN客户端验证SSL VPN网关的身份
# 配置PKI域,设置证书申请所需的相关参数。
[Device] pki domain sslvpn
[Device-pki-domain-sslvpn] public-key rsa general name sslvpn
[Device-pki-domain-sslvpn] undo crl check enable
[Device-pki-domain-sslvpn] quit
[Device] pki import domain sslvpn der ca filename ca.cer
[Device] pki import domain sslvpn p12 local filename server.pfx
# 配置SSL服务器端策略,引用PKI域,并开启验证客户端功能。
[Device] ssl server-policy ssl
[Device-ssl-server-policy-ssl] pki-domain sslvpn
[Device-ssl-server-policy-ssl] client-verify enable
[Device-ssl-server-policy-ssl] quit
配置SSL VPN业务,为用户提供SSL VPN接入服务
# 配置SSL VPN网关,为用户提供登录SSL VPN网关的入口。
[Device] sslvpn gateway gw
[Device-sslvpn-gateway-gw] ip address 1.1.1.2 port 4430
[Device-sslvpn-gateway-gw] ssl server-policy ssl
[Device-sslvpn-gateway-gw] service enable
[Device-sslvpn-gateway-gw] quit
# 创建SSL VPN客户端地址池,用于为IP接入客户端分配IP地址。
[Device] sslvpn ip address-pool sslvpnpool 10.1.1.1 10.1.1.10
# 创建ACL,用于对IP接入流量进行过滤。
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule permit ip source 10.1.1.0 0.0.0.255 destination 20.2.2.0 0.0.0.255
[Device-acl-ipv4-adv-3000] quit
# 配置SSL VPN访问实例,使用证书认证方式验证用户身份,并为用户提供SSL VPN IP接入服务。
[Device] sslvpn context ctxip
[Device-sslvpn-context-ctxip] gateway gw
[Device-sslvpn-context-ctxip] certificate-authentication enable
[Device-sslvpn-context-ctxip] ip-tunnel interface sslvpn-ac 1
[Device-sslvpn-context-ctxip] ip-route-list rtlist
[Device-sslvpn-context-ctxip-route-list-rtlist] include 20.2.2.0 24
[Device-sslvpn-context-ctxip-route-list-rtlist] quit
[Device-sslvpn-context-ctxip] ip-tunnel address-pool sslvpnpool mask 24
[Device-sslvpn-context-ctxip] policy-group resourcegrp
[Device-sslvpn-context-ctxip-policy-group-resourcegrp] ip-tunnel access-route ip-route-list rtlist
[Device-sslvpn-context-ctxip-policy-group-resourcegrp] filter ip-tunnel acl 3000
[Device-sslvpn-context-ctxip-policy-group-resourcegrp] quit
[Device-sslvpn-context-ctxip] service enable
[Device-sslvpn-context-ctxip] quit
配置SSL VPN用户,用于访问SSL VPN网关
# 创建本地SSL VPN用户sslvpnuser,密码为123456TESTplat&!,用户角色为network-operator,授权用户的SSL VPN策略组为resourcegrp。
[Device] local-user sslvpnuser class network
[Device-luser-network-sslvpnuser] password simple 123456
[Device-luser-network-sslvpnuser] service-type sslvpn
[Device-luser-network-sslvpnuser] authorization-attribute sslvpn-policy-group resourcegrp
[Device-luser-network-sslvpnuser] authorization-attribute user-role network-operator
[Device-luser-network-sslvpnuser] quit
Server上需要配置到达网段10.1.1.0/24的路由。
在Device上查看SSL VPN的相关信息
# 在Device上查看SSL VPN网关状态,可见SSL VPN网关gw处于Up状态。
[Device] display sslvpn gateway
Gateway name: gw
Operation state: Up
IP: 1.1.1.2 Port: 4430
Front VPN instance: Not configured
# 在Device上查看SSL VPN访问实例状态,可见SSL VPN访问实例ctxip处于Up状态。
[Device] display sslvpn context
Context name: ctxip
Operation state: Up
AAA domain: Not specified
Certificate authentication: Enabled
Password authentication: Enabled
Authentication use: All
SMS auth type: Not configured
Urlmasking: Disabled
Code verification: Disabled
Default policy group: Not configured
Associated SSL VPN gateway: gw
Maximum users allowed: 1048575
VPN instance: Not configured
Idle timeout: 30 min
Authentication server-type: aaa
Password changing: Enabled
# 用户登录成功之后,可以在Device上看到SSL VPN用户sslvpnuser的会话信息。
[Device] display sslvpn session user sslvpnuser
User : sslvpnuser
Context : ctxip
Policy group : resourcegrp
Idle timeout : 30 min
Created at : 16:38:48 UTC Wed 07/26/2017
Lastest : 16:47:41 UTC Wed 07/26/2017
User IPv4 address : 172.16.1.16
Allocated IP : 10.1.1.1
Session ID : 14
Web browser/OS : Windows
在Host上安装USB Key
从管理员处获取制作好的USB Key安装到Host,USB Key的制作方法请参见本文附录。
在Host上登录SSL VPN网关
# 在Host的浏览器地址栏输入https://1.1.1.2:4430/,回车确认之后会弹出证书选择界面,如下图所示。
图-2 证书选择界面
# 选择证书,单击<确定>按钮,跳转到登录页面,输入用户sslvpnuser和密码123456TESTplat&!,如下图所示。
图-3 登录页面
# 单击<登录>按钮,可以成功登录SSL VPN网关。在网页的应用程序栏中选择“启动IP客户端应用程序”。
# 单击<启动>按钮,下载IP接入客户端软件Svpnclient并安装,安装完成后,启动iNode客户端,输入如下图所示的参数。
图-4 iNode客户端
# 单击密码输入框右侧的<选择客户端证书>按钮,选择USBKey中的客户端证书,单击<确定>按钮,如下图所示。
图-5 选择证书
# 单击图1-23的<连接>按钮,成功登录SSL VPN客户端,如下图所示。
图-6 成功登录SSL VPN网关
# SSL VPN用户sslvpnuser登录成功后,SSL VPN用户可以在Host上Ping通服务器地址20.2.2.2。
C:\>ping 20.2.2.2
Pinging 20.2.2.2 with 32 bytes of data:
Reply from 20.2.2.2: bytes=32 time=31ms TTL=254
Reply from 20.2.2.2: bytes=32 time=18ms TTL=254
Reply from 20.2.2.2: bytes=32 time=15ms TTL=254
Reply from 20.2.2.2: bytes=32 time=16ms TTL=254
Ping statistics for 20.2.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 31ms, Average = 20ms
在管理员PC上制作USB Key的流程如下:
配置管理员PC的IP地址、网关,保证PC到达CA服务器的路由可达。本文以Windows 2008 server作为CA服务器举例,组网图如下图所示。
图-7 制作USB Key组网图
申请USBKey客户端证书。
# 在浏览器地址栏输入https://192.168.100.247/certsrv,进入证书申请页面,如下图所示。
图-8 证书申请页面
# 单击<申请证书>按钮,跳转页面如下图所示。
图-9 证书申请页面
# 单击<高级证书申请>按钮,在跳转的页面选择<创建并向此CA提交一个申请>,申请客户端证书,参数配置如下图所示。
图-10 申请客户端证书
# 其余选用默认配置,单击页面最下方的<提交>按钮,提交客户端证书申请。
# 提交成功之后,页面会弹出输入框,请按提示输入USB Key的用户密码,并单击<登录>按钮,如下图所示。
图-11 安装客户端证书到USB Key
# 单击<安装此证书>,潜在的脚本冲突单击<是>,客户端证书会直接安装到USBKey中,如下图所示。
图-12 USB Key客户端证书
至此,USB Key制作完毕。
#
interface GigabitEthernet1/0/1
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 2.2.2.2 255.255.255.0
#
interface SSLVPN-AC1
ip address 10.1.1.100 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface SSLVPN-AC1
#
ip route-static 20.2.2.0 24 2.2.2.3
ip route-static 40.1.1.0 24 1.1.1.3
#
acl advanced 3000
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 20.2.2.0 0.0.0.255
#
local-user sslvpnuser class network
password simple 123456
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group resourcegrp
#
pki domain sslvpn
public-key rsa general name sslvpn
undo crl check enable
#
pki import domain sslvpn der ca filename ca.cer
pki import domain sslvpn p12 local filename server.pfx
#
ssl server-policy ssl
pki-domain sslvpn
client-verify enable
#
sslvpn ip address-pool sslvpnpool 10.1.1.1 10.1.1.10
#
sslvpn gateway gw
ip address 1.1.1.2 port 4430
ssl server-policy ssl
service enable
#
sslvpn context ctxip
gateway gw
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool sslvpnpool mask 255.255.255.0
ip-route-list rtlist
include 20.2.2.0 255.255.255.0
policy-group resourcegrp
filter ip-tunnel acl 3000
ip-tunnel access-route ip-route-list rtlist
certificate-authentication enable
service enable
#
security-policy ip
rule 0 name sslvpnlocalout1
action pass
source-zone local
destination-zone untrust
source-ip-host 1.1.1.2
destination-ip-host 40.1.1.1
rule 1 name sslvpnlocalin1
action pass
source-zone untrust
destination-zone local
source-ip-host 40.1.1.1
destination-ip-host 1.1.1.2
rule 2 name sslvpnlocalout2
action pass
source-zone local
destination-zone trust
source-ip-host 2.2.2.2
destination-ip-host 20.2.2.2
rule 3 name sslvpnlocalin2
action pass
source-zone trust
destination-zone local
source-ip-host 20.2.2.2
destination-ip-host 2.2.2.2
rule 4 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 10.1.1.0 255.255.255.0
destination-ip-host 20.2.2.2
rule 5 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-host 20.2.2.2
destination-ip-subnet 10.1.1.0 255.255.255.0