09-Configuration Examples


SSL VPN IP access configuration examples

 

·     Introduction

·     Prerequisites

·     Example: Configuring IP access with RADIUS authentication

·     Example: Configuring IP access with LDAP authentication

·     Example: Configuring IP access with local authentication and a self-signed certificate

·     Example: Configuring IP access with USB key certificate authentication

 

The following information provides SSL VPN IP access configuration examples.

Prerequisites

 

This document is not restricted to specific software or hardware versions. Procedure and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of SSL VPN.

Example: Configuring IP access with RADIUS authentication

Network configuration

As shown in Figure 1, the device acts as an SSL VPN gateway that connects the public network and the private network. On the private network, a Windows Server 2008 R2 CA server and a RADIUS server that runs IMC PLAT 7.3 (E0504) are deployed. Users need secure access to the internal server (20.2.2.2/24) in IP access mode.

Perform the following tasks:

·     Request an SSL server certificate for the device from the CA server.

·     Configure the device to require that users pass certificate authentication for IP access.

·     Configure the device to use the RADIUS server to perform remote authentication and authorization for IP access users.

·     Configure the SSL VPN IP access service on the device to allow users to access the internal server in IP access mode.

Figure 1 Network diagram (RADIUS authentication)

 

Software versions used

This configuration example was created and verified on R8860 of the F1000-AI-55 device.

Restrictions and guidelines

·     The IP address pool configured for client address allocation must meet the following requirements:

¡     The address range of the address pool cannot be on the same subnet as the IP address used on the client host.

¡     The IP addresses in the address pool do not conflict with the IP addresses used on the device.

¡     The address range of the address pool cannot be on the same subnet as the IP address of the internal server.

·     The SSL VPN AC interface must be added to the correct security zone (Untrust, in this example).

Procedure

Configuring the device

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click the Network tab.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Untrust security zone.

b.     On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 1.1.1.2/24.

c.     Use the default settings for other parameters.

d.     Click OK.

# Add GE 1/0/2 to the Trust security zone and set its IP address to 2.2.2.2/24 in the same way you configure GE 1/0/1.

# Add GE 1/0/3 to the Trust security zone and set its IP address to 3.3.3.1/24 in the same way you configure GE 1/0/1.

# Add GE 1/0/4 to the Trust security zone and set its IP address to 192.168.100.3/24 in the same way you configure GE 1/0/1.

2.     Configure settings for routing:

This example configures static routes.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure a static IPv4 route to reach 40.1.1.1:

a.     Enter destination IP address 40.1.1.1.

b.     Enter mask length 24.

c.     Enter next hop address 1.1.1.3.

d.     Use the default settings for other parameters.

e.     Click OK.

# Configure a static IPv4 route to reach 20.2.2.2:

a.     Enter destination IP address 20.2.2.2.

b.     Enter mask length 24.

c.     Enter next hop address 2.2.2.3.

d.     Use the default settings for other parameters.

e.     Click OK.

3.     Create security policies:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy named untrust-local to permit the specified traffic from the Untrust to Local security zones:

¡     Enter policy name untrust-local.

¡     Select source zone Untrust.

¡     Select destination zone Local.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.1.

¡     Select destination IPv4 address 1.1.1.2.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy local-trust to permit the specified traffic from the Local to Trust security zones:

¡     Enter policy name local-trust.

¡     Select source zone Local.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 addresses 2.2.2.2, 3.3.3.1, and 192.168.100.3.

¡     Select destination IPv4 addresses 20.2.2.2, 3.3.3.2, and 192.168.100.247.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy untrust-trust to permit the specified traffic from the Untrust to Trust security zones:

¡     Enter policy name untrust-trust.

¡     Select source zone Untrust.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.0/24.

¡     Select destination IPv4 address 20.2.2.2/24.

¡     Use the default settings for other parameters.

# Click OK.

4.     Request a server certificate for the device:

a.     Create a certificate subject:

# On the top navigation bar, click Objects.

# From the navigation pane, select PKI > Certificate Subject.

# Click Create.

# Create a certificate subject as shown in Figure 2, and then click OK.

Figure 2 Creating a certificate subject

 

b.     Create a PKI domain:

# On the Certificate page, click Create PKI domain.

# Create a PKI domain as shown in Figure 3, and then click OK.

Figure 3 Creating a PKI domain

 

c.     Create a certificate request:

# On the Certificate page, click Submit Cert Request.

# Configure the certificate request settings as shown in Figure 4.

Figure 4 Creating a certificate request

 

# Click OK.

The certificate request content will be displayed, as shown in Figure 5.

Figure 5 Certificate request content

 

# Copy the certificate request content and click OK.

d.     Request a server certificate from the CA:

# Enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 6, click Request a certificate.

Figure 6 Certificate service home page

 

# On the Request a Certificate page shown in Figure 7, click advanced certificate request.

Figure 7 Request a Certificate page

 

# Paste the previously copied certificate request content in the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) field, as shown in Figure 8.

Figure 8 Pasting the certificate request content

 

# Click Submit.

After the certificate request is approved by the CA administrator, enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 9, click View the status of a pending certificate request.

Figure 9 Certificate service home page

 

# Select the certificate request you want to view.

Figure 10 View the Status of a Pending Certificate Request page

 

The Certificate Issued page opens, indicating that the requested server certificate has been issued, as shown in Figure 11.

Figure 11 Certificate Issued page

 

# Click Download certificate to download the server certificate and save it locally.

5.     Download the CA certificate:

# Enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 12, click Download a CA certificate, certificate chain, or CRL.

Figure 12 Certificate service home page

 

# On the Download a CA certificate, certificate chain, or CRL page shown in Figure 13, click Download CA certificate.

Figure 13 Download a CA certificate, certificate chain, or CRL page

 

# Save the downloaded CA certificate locally.

6.     Import the CA certificate and server certificate to the PKI domain:

a.     Import the CA certificate:

# On the top navigation bar, click Objects.

# From the navigation pane, select PKI > Certificate.

# Click Import certificate.

# Import the locally saved CA certificate, as shown in Figure 14, and then click OK.

Figure 14 Importing the CA certificate

 

b.     Import the server certificate:

# On the Certificate page, click Import certificate.

# Import the locally saved server certificate, as shown in Figure 15, and then click OK.

Figure 15 Importing the server certificate

 

7.     Configure an SSL server policy:

# On the top navigation bar, click Objects.

# From the navigation pane, select SSL > SSL Server Policies.

# Click Create.

# Configure an SSL server policy as shown in Figure 16, and then click OK.

Figure 16 Creating an SSL server policy

 

8.     Configure an SSL client policy:

# On the top navigation bar, click Objects.

# From the navigation pane, select SSL > SSL Client Policies.

# Click Create.

# Configure an SSL client policy as shown in Figure 17, and then click OK.

Figure 17 Creating an SSL client policy

 

9.     Configure a RADIUS scheme:

# On the top navigation bar, click Objects.

# From the navigation pane, select User > Authentication > RADIUS.

# Click Create.

# Configure a RADIUS scheme named radius:

¡     Set the authentication server as shown in Figure 18.

¡     Set the global shared key for authentication to 123456.

Figure 18 Configuring a RADIUS scheme

 

# Configure the advanced settings for the RADIUS scheme in the Advanced settings area, as shown in Figure 19.

Figure 19 Configuring the advanced settings for the RADIUS scheme

 

# Click OK.

10.     At the CLI, create ISP domain sslvpn, specify RADIUS scheme radius for the authentication and authorization methods, and set the accounting method to none.

<Device> system-view

[Device] domain sslvpn

[Device-isp-sslvpn] authentication sslvpn radius-scheme radius

[Device-isp-sslvpn] authorization sslvpn radius-scheme radius

[Device-isp-sslvpn] accounting sslvpn none

[Device-isp-sslvpn] quit

11.     Create a user group:

# On the top navigation bar, click Objects.

# From the navigation pane, select User > User Management > Local Users.

# Click the User Group tab.

# Click Create.

# Create a user group named sslvpn_usergroup and specify SSL VPN resource group resourcegrp for the user group, as shown in Figure 20.

# Click OK.

Figure 20 Creating a user group

 

12.     Configure the SSL VPN gateway:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Gateways.

# Click Create.

# Create an SSL VPN gateway as shown in Figure 21, and then click OK.

Figure 21 Creating an SSL VPN gateway

 

13.     Create an SSL VPN AC interface:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN AC Interfaces.

# Click Create.

# In the Create Interfaces dialog box that opens, enter 1 in the Interface number field and click OK.

# In the Modify Interface Settings dialog box, configure the basic settings for the SSL VPN AC interface as shown in Figure 22.

Figure 22 Configuring basic settings for the SSL VPN AC interface

 

# Click the IPv4 Address tab and configure the IPv4 address settings for the SSL VPN AC interface as shown in Figure 23.

# Click OK.

Figure 23 Configuring IPv4 address settings for the SSL VPN AC interface

 

14.     Create an address pool for IP access users:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > IP Access Address Pools.

# Click Create.

# Create an IP access address pool as shown in Figure 24, and then click OK.

Figure 24 Creating an IP access address pool

 

15.     Configure an SSL VPN context:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Contexts.

# Click Create.

# Configure the basic settings for the SSL VPN context as shown in Figure 25.

Figure 25 Configuring basic settings for an SSL VPN context

 

# Click Next to configure authentication settings, as shown in Figure 26.

Figure 26 Configuring authentication settings

 

# Click Next to open the URI ACL page. On the URI ACL page, click Next.

# On the Access services page, select IP access and click Next.

# On the IP access page, configure the IP access service as follows:

a.     Configure the IP access parameters as shown in Figure 27 and click Next.

Figure 27 Configuring IP access parameters for the IP access service

 

b.     In the IP access resources area, configure route list rtlist with an included route entry for 20.2.2.0/24, as shown in Figure 28.

c.     Click Next.

Figure 28 Configuring IP access resources for the IP access service

 

# Click Next on the Shortcuts page.

# On the Resource groups page, click Create.

# Create a resource group named resourcegrp, as shown in Figure 29. In this example, select route list rtlist as the accessible IP resources and use IPv4 ACL 3999 (which permits all traffic) for IP access request filtering.

Figure 29 Creating an SSL VPN resource group

 

# Click OK.

The newly created resource group is displayed on the Resource groups page, as shown in Figure 30.

Figure 30 Resource groups configuration page

 

# Click Finish.

# Select the Enable check box to enable the SSL VPN context, as shown in Figure 31.

Figure 31 Enabling the SSL VPN context

 

Configuring the RADIUS server

1.     Configure an access policy named resourcegrp:

# Log in to IMC.

# On the top navigation bar, click User.

# From the navigation pane, select User Access Policy > Access Policy.

# Click Add.

# Add an access policy as shown in Figure 32.

# Click OK.

Figure 32 Creating an access policy

 

2.     Configure an access service named sslvpnservice:

# On the top navigation bar, click User.

# From the navigation pane, select User Access Policy > Access Service.

# Click Add.

# Add an access service as shown in Figure 33. In this example, specify access policy resourcegrp as the default access policy.

# Click OK.

Figure 33 Creating an access service

 

3.     Configure an access device:

# On the top navigation bar, click User.

# From the navigation pane, select User Access Policy > Access Device Management > Access Device.

# Click Add.

# Add an access device as shown in Figure 34. In this example, set the shared key to 123456.

# Click OK.

Figure 34 Configuring an access device

 

4.     Configure an access user:

# Access the User > Add User page.

# Add a platform user as shown in Figure 35.

# Click OK.

Figure 35 Adding a platform user

 

# From the navigation pane, select Access User > All Access Users.

# Click Add.

# Add an access user and assign access service sslvpnservice to the user, as shown in Figure 36.

# Click OK.

Figure 36 Adding an access user

 

Configuring the host

1.     Configure the IP address and gateway address settings for the host and make sure it can reach the SSL VPN gateway and the CA server.

2.     Submit a client certificate request to the CA server:

a.     Enter http://192.168.100.247/certsrv in the browser address bar.

b.     On the certificate service home page shown in Figure 37, click Request a certificate.

Figure 37 Certificate service home page

 

c.     On the Request a Certificate page shown in Figure 38, click advanced certificate request.

Figure 38 Request a Certificate page

 

d.     Create a client certificate request, as shown in Figure 39.

Figure 39 Creating a client certificate request

 

e.     Click Submit.

3.     Install the client certificate on the host:

a.     After the certificate request is approved by the CA administrator, enter http://192.168.100.247/certsrv in the browser address bar.

b.     On the certificate service home page shown in Figure 40, click View the status of a pending certificate request.

Figure 40 Certificate service home page

 

The View the Status of a Pending Certificate Request page opens, as shown in Figure 41.

Figure 41 View the Status of a Pending Certificate Request page

 

c.     Click the client certificate whose status you want to view.

d.     On the Certificate Issued page shown in Figure 42, click Install this certificate to install the client certificate.

Figure 42 Installing the client certificate

 

If the host does not have a CA certificate, the page shown in Figure 43 opens. You must install the CA certificate first.

e.     Click install this CA certificate to install the CA certificate. Then, click Install this certificate to install the client certificate.

Figure 43 Installing the CA certificate and then the client certificate

 

After the client certificate is installed, the Certificate Installed page shown in Figure 44 opens.

Figure 44 Certificate Installed page

 

Verifying the configuration

1.     In the browser address bar of the host, enter https://1.1.1.2 and press Enter.

2.     On the Select a certificate page, select the client certificate for authentication, as shown in Figure 45.

Figure 45 Select a certificate page

 

3.     Click OK.

4.     On the Domain List page shown in Figure 46, select domainip to access the login page.

Figure 46 Domain list page

 

5.     On the login page, enter username user1 and password 123456, and then click Login.

Figure 47 Login page

 

6.     Click START to start the IP client application.

If the host does not have an iNode client installed, the system installs the iNode client, and then starts and connects the iNode client to the SSL VPN gateway.

If the host already has an iNode client installed, the system starts the iNode client and connects it to the SSL VPN gateway directly.

Figure 48 shows that the iNode client is successfully connected to the SSL VPN gateway.

Figure 48 Connecting the iNode client to the SSL VPN gateway

 

Example: Configuring IP access with LDAP authentication

Network configuration

As shown in Figure 49, the device acts as an SSL VPN gateway that connects the public network and the private network. On the private network, a CA server and an LDAP server are deployed and both servers run the Windows Server 2008 R2 operating system. Users need secure access to the internal server (20.2.2.2/24) in IP access mode.

Perform the following tasks:

·     Request an SSL server certificate for the device from the CA server.

·     Configure the device to require that users pass both password and certificate authentication for IP access.

·     Configure the device to use the LDAP server to perform remote authentication and authorization for IP access users.

·     Configure the SSL VPN IP access service on the device to allow users to access the internal server in IP access mode.

Figure 49 Network diagram (LDAP authentication)

 

Software versions used

This configuration example was created and verified on R8860 of the F1000-AI-55 device.

Restrictions and guidelines

·     The IP address pool configured for client address allocation must meet the following requirements:

¡     The address range of the address pool cannot be on the same subnet as the IP address used on the client host.

¡     The IP addresses in the address pool do not conflict with the IP addresses used on the device.

¡     The address range of the address pool cannot be on the same subnet as the IP address of the internal server.

·     The SSL VPN AC interface must be added to the correct security zone (Untrust, in this example).
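The three address pool restrictions listed above (and the identical list in the RADIUS example earlier on this page) can be checked mechanically before the pool is committed on the device. The following Python script is an added example and is not part of the H3C guide: it takes the interface addresses and the internal server address from this example, treats 40.1.1.1 as the client host (taken from the source address of the untrust-local policy), and checks constructed candidate pools, since the pool actually created in Figure 70 is only shown as an image.

```python
import ipaddress

# Addresses from this configuration example (steps 1 and 2 of "Configuring the device").
DEVICE_ADDRESSES = ["1.1.1.2/24", "2.2.2.2/24", "3.3.3.1/24", "192.168.100.3/24"]
INTERNAL_SERVER = "20.2.2.2/24"
# Assumption: the remote client host is 40.1.1.1 (source address of policy untrust-local).
CLIENT_HOST = "40.1.1.1/24"


def check_address_pool(pool_cidr, device_addrs=DEVICE_ADDRESSES,
                       internal_server=INTERNAL_SERVER, client_host=CLIENT_HOST):
    """Return a list of guideline violations for a candidate IP access address pool.

    An empty list means the pool satisfies all three restrictions from the guide:
    no overlap with the client host's subnet, no collision with a device address,
    and no overlap with the internal server's subnet.
    """
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    problems = []

    # 1. The pool must not be on the same subnet as the client host's own address.
    client_net = ipaddress.ip_interface(client_host).network
    if pool.overlaps(client_net):
        problems.append(f"pool {pool} overlaps client subnet {client_net}")

    # 2. No pool address may collide with an address configured on the device.
    for addr in device_addrs:
        ip = ipaddress.ip_interface(addr).ip
        if ip in pool:
            problems.append(f"device address {ip} falls inside pool {pool}")

    # 3. The pool must not be on the same subnet as the internal server.
    server_net = ipaddress.ip_interface(internal_server).network
    if pool.overlaps(server_net):
        problems.append(f"pool {pool} overlaps internal server subnet {server_net}")

    return problems


if __name__ == "__main__":
    # Constructed candidate pools: one acceptable, three that each break one rule.
    for candidate in ("10.1.1.0/24", "40.1.1.0/24", "1.1.1.0/24", "20.2.2.0/24"):
        result = check_address_pool(candidate)
        print(candidate, "OK" if not result else "; ".join(result))
```

Run the script as-is to see which constructed pool passes; call `check_address_pool()` with the pool you intend to create to verify it against your own addressing before clicking OK in the IP Access Address Pools dialog.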

Procedure

Configuring the device

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click the Network tab.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Untrust security zone.

b.     On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 1.1.1.2/24.

c.     Use the default settings for other parameters.

d.     Click OK.

# Add GE 1/0/2 to the Trust security zone and set its IP address to 2.2.2.2/24 in the same way you configure GE 1/0/1.

# Add GE 1/0/3 to the Trust security zone and set its IP address to 3.3.3.1/24 in the same way you configure GE 1/0/1.

# Add GE 1/0/4 to the Trust security zone and set its IP address to 192.168.100.3/24 in the same way you configure GE 1/0/1.

2.     Configure settings for routing:

This example configures static routes.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure a static IPv4 route to reach 40.1.1.1:

a.     Enter destination IP address 40.1.1.1.

b.     Enter mask length 24.

c.     Enter next hop address 1.1.1.3.

d.     Use the default settings for other parameters.

e.     Click OK.

# Configure a static IPv4 route to reach 20.2.2.2:

a.     Enter destination IP address 20.2.2.2.

b.     Enter mask length 24.

c.     Enter next hop address 2.2.2.3.

d.     Use the default settings for other parameters.

e.     Click OK.

3.     Create security policies:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy named untrust-local to permit the specified traffic from the Untrust to Local security zones:

¡     Enter policy name untrust-local.

¡     Select source zone Untrust.

¡     Select destination zone Local.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.1.

¡     Select destination IPv4 address 1.1.1.2.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy local-trust to permit the specified traffic from the Local to Trust security zones:

¡     Enter policy name local-trust.

¡     Select source zone Local.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 addresses 2.2.2.2, 3.3.3.1, and 192.168.100.3.

¡     Select destination IPv4 addresses 20.2.2.2, 3.3.3.2, and 192.168.100.247.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy untrust-trust to permit the specified traffic from the Untrust to Trust security zones:

¡     Enter policy name untrust-trust.

¡     Select source zone Untrust.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.0/24.

¡     Select destination IPv4 address 20.2.2.2/24.

¡     Use the default settings for other parameters.

# Click OK.
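The three security policies in step 3 (the same three are created in the RADIUS example earlier on this page) only permit the flows the SSL VPN service needs; anything that matches no policy is dropped by the implicit default. The Python model below is an added example, not H3C code or output: it reproduces the policies exactly as written on the page and lets you ask which zone pair and policy a given first packet of a session would hit. Zone membership of the non-interface subnets is an assumption derived from the static routes in step 2 (40.1.1.0/24 is reached through GE1/0/1 in Untrust, 20.2.2.0/24 through GE1/0/2 in Trust).

```python
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    """Parse addresses the way the page writes them (a host address with an optional mask length)."""
    return tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    src: tuple
    dst: tuple
    action: str = "permit"

    def matches(self, src_zone, dst_zone, src_ip, dst_ip):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and any(src_ip in n for n in self.src)
                and any(dst_ip in n for n in self.dst))


# The three policies from step 3, in configuration order.
POLICIES = [
    Policy("untrust-local", "Untrust", "Local", nets("40.1.1.1"), nets("1.1.1.2")),
    Policy("local-trust", "Local", "Trust",
           nets("2.2.2.2", "3.3.3.1", "192.168.100.3"),
           nets("20.2.2.2", "3.3.3.2", "192.168.100.247")),
    Policy("untrust-trust", "Untrust", "Trust", nets("40.1.1.0/24"), nets("20.2.2.2/24")),
]

# Addresses owned by the device itself (step 1); traffic to or from them belongs to zone Local.
LOCAL_ADDRESSES = {ipaddress.ip_address(a) for a in ("1.1.1.2", "2.2.2.2", "3.3.3.1", "192.168.100.3")}

# Assumed zone membership: an interface's subnet and the subnets routed through it
# (step 2) belong to that interface's zone.
ZONES = {
    "Untrust": nets("1.1.1.0/24", "40.1.1.0/24"),
    "Trust": nets("2.2.2.0/24", "3.3.3.0/24", "192.168.100.0/24", "20.2.2.0/24"),
}


def zone_of(ip):
    """Return the security zone an address is looked up in, or None if it is unreachable."""
    ip = ipaddress.ip_address(ip)
    if ip in LOCAL_ADDRESSES:
        return "Local"
    for zone, networks in ZONES.items():
        if any(ip in n for n in networks):
            return zone
    return None


def evaluate(src_ip, dst_ip, policies=POLICIES):
    """Return (policy name, action) for the first matching policy, else ('default', 'deny').

    Comware security policies are applied to the first packet of a session; replies
    within an established session are not matched again, so only evaluate the
    initiating direction of each flow here.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for policy in policies:
        if policy.matches(src_zone, dst_zone, src, dst):
            return policy.name, policy.action
    return "default", "deny"


if __name__ == "__main__":
    # Flows this example relies on, plus two that no policy covers.
    for flow in (("40.1.1.1", "1.1.1.2"),            # client to SSL VPN gateway
                 ("3.3.3.1", "3.3.3.2"),             # device to the AAA server
                 ("40.1.1.7", "20.2.2.2"),           # Untrust client to the internal server
                 ("40.1.1.1", "192.168.100.247"),    # client straight to the CA: not permitted
                 ("20.2.2.2", "40.1.1.1")):          # server-initiated traffic: not permitted
        print(flow, "->", evaluate(*flow))
```

The last two flows illustrate the implicit deny: the CA server is reachable only through the Local zone, and nothing on the Trust side may initiate sessions toward Untrust, which is the least-privilege shape this ruleset is meant to have.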

4.     Request a server certificate for the device:

a.     Create a certificate subject:

# On the top navigation bar, click Objects.

# From the navigation pane, select PKI > Certificate Subject.

# Click Create.

# Create a certificate subject as shown in Figure 50, and then click OK.

Figure 50 Creating a certificate subject

 

b.     Create a PKI domain:

# On the Certificate page, click Create PKI domain.

# Create a PKI domain as shown in Figure 51, and then click OK.

Figure 51 Creating a PKI domain

 

c.     Create a certificate request:

# On the Certificate page, click Submit Cert Request.

# Configure the certificate request settings as shown in Figure 52.

Figure 52 Creating a certificate request

 

# Click OK.

The certificate request content will be displayed, as shown in Figure 53.

Figure 53 Certificate request content

 

# Copy the certificate request content and click OK.

d.     Request a server certificate from the CA:

# Enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 54, click Request a certificate.

Figure 54 Certificate service home page

 

# On the Request a Certificate page shown in Figure 55, click advanced certificate request.

Figure 55 Request a Certificate page

 

# Paste the previously copied certificate request content in the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) field, as shown in Figure 56.

Figure 56 Pasting the certificate request content

 

# Click Submit.

After the certificate request is approved by the CA administrator, enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 57, click View the status of a pending certificate request.

Figure 57 Certificate service home page

 

# Select the certificate request you want to view.

Figure 58 View the Status of a Pending Certificate Request page

 

The Certificate Issued page opens, indicating that the requested server certificate has been issued, as shown in Figure 59.

Figure 59 Certificate Issued page

 

# Click Download certificate to download the server certificate and save it locally.

5.     Download the CA certificate:

# Enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 60, click Download a CA certificate, certificate chain, or CRL.

Figure 60 Certificate service home page

 

# On the Download a CA certificate, certificate chain, or CRL page shown in Figure 61, click Download CA certificate.

Figure 61 Download a CA certificate, certificate chain, or CRL page

 

# Save the downloaded CA certificate locally.

6.     Import the CA certificate and server certificate to the PKI domain:

a.     Import the CA certificate:

# On the top navigation bar, click Objects.

# From the navigation pane, select PKI > Certificate.

# Click Import certificate.

# Import the locally saved CA certificate, as shown in Figure 62, and then click OK.

Figure 62 Importing the CA certificate

 

b.     Import the server certificate:

# On the Certificate page, click Import certificate.

# Import the locally saved server certificate, as shown in Figure 63, and then click OK.

Figure 63 Importing the server certificate

 

7.     Configure an SSL server policy:

# On the top navigation bar, click Objects.

# From the navigation pane, select SSL > SSL Server Policies.

# Click Create.

# Configure an SSL server policy as shown in Figure 64, and then click OK.

Figure 64 Creating an SSL server policy

 

8.     Configure an SSL client policy:

# On the top navigation bar, click Objects.

# From the navigation pane, select SSL > SSL Client Policies.

# Click Create.

# Configure an SSL client policy as shown in Figure 65, and then click OK.

Figure 65 Creating an SSL client policy

 

9.     Configure LDAP settings at the CLI:

# Configure LDAP server ldap1.

<Device> system-view

[Device] ldap server ldap1

[Device-ldap-server-ldap1] login-dn cn=administrator,cn=users,dc=ldap,dc=com

[Device-ldap-server-ldap1] search-base-dn ou=sslvpn_usergroup,dc=ldap,dc=com

[Device-ldap-server-ldap1] ip 3.3.3.3

[Device-ldap-server-ldap1] login-password simple 123456

[Device-ldap-server-ldap1] quit

# Configure LDAP attribute map test.

[Device] ldap attribute-map test

[Device-ldap-attr-map-test] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group

[Device-ldap-attr-map-test] quit

# Configure LDAP scheme shm1.

[Device] ldap scheme shm1

[Device-ldap-shm1] authentication-server ldap1

[Device-ldap-shm1] authorization-server ldap1

[Device-ldap-shm1] attribute-map test

[Device-ldap-shm1] quit

# Configure ISP domain sslvpn.

[Device] domain sslvpn

[Device-isp-sslvpn] state active

[Device-isp-sslvpn] authentication sslvpn ldap-scheme shm1

[Device-isp-sslvpn] authorization sslvpn ldap-scheme shm1

[Device-isp-sslvpn] accounting sslvpn none

[Device-isp-sslvpn] quit
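The attribute map in this step is what ties LDAP authorization to the SSL VPN resources: for each value of the user's memberof attribute, the device takes the text after the cn= prefix and before the , delimiter and uses it as the AAA user-group name, and the local user group created in the next step binds that name (sslvpn_usergroup) to resource group resourcegrp. The Python functions below are an added illustration of that mapping and are not H3C code; the memberOf values are constructed, and case-insensitive matching of the prefix is an assumption about the device's behaviour (Active Directory writes the attribute as CN=).

```python
# Binding created in step 10 of this example: local user group -> SSL VPN resource group.
LOCAL_USER_GROUPS = {"sslvpn_usergroup": "resourcegrp"}


def map_ldap_attribute(values, prefix="cn=", delimiter=","):
    """Emulate 'map ldap-attribute ... prefix <p> delimiter <d>' for one LDAP attribute.

    For every attribute value, the text between the first occurrence of `prefix`
    and the next `delimiter` is extracted. Values without the prefix are skipped.
    Prefix matching is case-insensitive here (assumption, see lead-in).
    """
    extracted = []
    lowered_prefix = prefix.lower()
    for value in values:
        start = value.lower().find(lowered_prefix)
        if start < 0:
            continue
        start += len(prefix)
        end = value.find(delimiter, start)
        extracted.append(value[start:] if end < 0 else value[start:end])
    return extracted


def resolve_resource_group(member_of, user_groups=LOCAL_USER_GROUPS):
    """Return the SSL VPN resource group the user is authorized for, or None.

    None means none of the user's LDAP groups is bound to a resource group on the
    device, so the user would pass authentication but receive no IP access resources.
    """
    for group in map_ldap_attribute(member_of):
        if group in user_groups:
            return user_groups[group]
    return None


# Constructed memberOf values, shaped like those an Active Directory server returns.
USER1_MEMBER_OF = [
    "CN=Finance,CN=Users,DC=ldap,DC=com",
    "CN=sslvpn_usergroup,CN=Users,DC=ldap,DC=com",
]
USER2_MEMBER_OF = ["CN=Finance,CN=Users,DC=ldap,DC=com"]

if __name__ == "__main__":
    print("user1 ->", resolve_resource_group(USER1_MEMBER_OF))   # resourcegrp
    print("user2 ->", resolve_resource_group(USER2_MEMBER_OF))   # None
```

Two practical consequences follow from the mapping: the group name extracted from LDAP must match the local user group name character for character, and a user who is only a member of groups the device knows nothing about gets no resources, which is the expected fail-closed outcome rather than an error in the LDAP configuration.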

10.     Create a user group:

# On the top navigation bar, click Objects.

# From the navigation pane, select User > User Management > Local Users.

# Click the User Group tab.

# Click Create.

# Create a user group named sslvpn_usergroup and specify SSL VPN resource group resourcegrp for the user group, as shown in Figure 66.

# Click OK.

Figure 66 Creating a user group

 

11.     Configure the SSL VPN gateway:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Gateways.

# Click Create.

# Create an SSL VPN gateway as shown in Figure 67, and then click OK.

Figure 67 Creating an SSL VPN gateway

 

12.     Create an SSL VPN AC interface:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN AC Interfaces.

# Click Create.

# In the Create Interfaces dialog box that opens, enter 1 in the Interface number field and click OK.

# In the Modify Interface Settings dialog box, configure the basic settings for the SSL VPN AC interface as shown in Figure 68.

Figure 68 Configuring basic settings for the SSL VPN AC interface

 

# Click the IPv4 Address tab and configure the IPv4 address settings for the SSL VPN AC interface as shown in Figure 69.

# Click OK.

Figure 69 Configuring IPv4 address settings for the SSL VPN AC interface

 

13.     Create an address pool for IP access users:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > IP Access Address Pools.

# Click Create.

# Create an IP access address pool as shown in Figure 70, and then click OK.

Figure 70 Creating an IP access address pool

 

14.     Configure an SSL VPN context:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Contexts.

# Click Create.

# Configure the basic settings for the SSL VPN context as shown in Figure 71.

Figure 71 Configuring basic settings for an SSL VPN context

 

# Click Next to configure authentication settings for the SSL VPN context as shown in Figure 72.

Figure 72 Configuring authentication settings

 

# Click Next. On the URI ACL page that opens, click Next.

# On the Access services page, select IP access and click Next.

# On the IP access page, configure the IP access service as follows:

a.     Configure the IP access parameters as shown in Figure 73 and click Next.

Figure 73 Configuring IP access parameters for the IP access service

 

b.     In the IP access resources area, configure route list rtlist with an included route entry for 20.2.2.0/24, as shown in Figure 74.

c.     Click Next.

Figure 74 Configuring IP access resources for the IP access service

 

# Click Next on the Shortcuts page.

# On the Resource groups page, click Create.

# Create a resource group named resourcegrp, as shown in Figure 75. In this example, select route list rtlist as the accessible IP resources and use IPv4 ACL 3999 (which permits all traffic) for IP access request filtering.

Figure 75 Creating an SSL VPN resource group

 

# Click OK.

The newly created resource group is displayed on the Resource groups page, as shown in Figure 76.

Figure 76 Resource groups configuration page

 

# Click Finish.

# Select the Enable check box to enable the SSL VPN context, as shown in Figure 77.

Figure 77 Enabling the SSL VPN context

 

Configuring the LDAP server

1.     Create user group sslvpn_usergroup:

# On the LDAP server, start the Server Manager by selecting Start > Administrative Tools > Server Manager.

# From the navigation pane, select Roles > Active Directory Domain Services > Active Directory Users and Computers.

# Right-click Users under the en.cert-dns.com node, and then select New > Group from the shortcut menus.

# Create user group sslvpn_usergroup as shown in Figure 78.

# Click OK.

Figure 78 Creating a user group

 

2.     Create user user1 and add the user to user group sslvpn_usergroup:

# On the LDAP server, start the Server Manager by selecting Start > Administrative Tools > Server Manager.

# From the navigation pane, select Roles > Active Directory Domain Services > Active Directory Users and Computers.

# Right-click the en.cert-dns.com node, and then select New > Organizational Unit from the shortcut menus.

# Create organizational unit sslvpn_usergroup, as shown in Figure 79.

# Click OK.

Figure 79 Creating an organizational unit

 

# Right-click sslvpn_usergroup, and then select New > User from the shortcut menus.

# Add user user1 as shown in Figure 80.

# Click Next.

Figure 80 Adding LDAP user user1

# On the page shown in Figure 81, enter password 123456, select options as needed, and click Next.

Figure 81 Setting the user's password

# Right-click user user1 and select Properties.

# In the dialog box that opens, click the Member Of tab and add user1 to user group sslvpn_usergroup, as shown in Figure 82.

Figure 82 Modifying user properties

 

# Click OK.

Configuring the host

1.     Configure the IP address and gateway address settings for the host and make sure it can reach the SSL VPN gateway and the CA server.

2.     Submit a client certificate request to the CA server:

a.     Enter http://192.168.100.247/certsrv in the browser address bar.

b.     On the certificate service home page shown in Figure 83, click Request a certificate.

Figure 83 Certificate service home page

c.     On the Request a Certificate page shown in Figure 84, click advanced certificate request.

Figure 84 Request a Certificate page

d.     Create a client certificate request, as shown in Figure 85.

Figure 85 Creating a client certificate request

 

e.     Click Submit.

3.     Install the client certificate on the host:

a.     After the certificate request is approved by the CA administrator, enter http://192.168.100.247/certsrv in the browser address bar.

b.     On the certificate service home page shown in Figure 86, click View the status of a pending certificate request.

Figure 86 Certificate service home page

The View the Status of a Pending Certificate Request page opens, as shown in Figure 87.

Figure 87 View the Status of a Pending Certificate Request page

c.     Click the client certificate whose status you want to view.

d.     On the Certificate Issued page shown in Figure 88, click Install this certificate to install the client certificate.

Figure 88 Installing the client certificate

If the host does not have a CA certificate, the page shown in Figure 89 opens. You must install the CA certificate first.

e.     Click install this CA certificate to install the CA certificate. Then, click Install this certificate to install the client certificate.

Figure 89 Installing the CA certificate and then the client certificate

After the client certificate is installed, the Certificate Installed page shown in Figure 90 opens.

Figure 90 Certificate Installed page

 

Verifying the configuration

1.     In the browser address bar of the host, enter https://1.1.1.2 and press Enter.

2.     On the Select a certificate page, select the client certificate for authentication, as shown in Figure 91.

Figure 91 Select a certificate page

 

3.     Click OK.

4.     On the Domain List page shown in Figure 92, select domainip to access the login page.

Figure 92 Domain list page

5.     On the login page, enter username user1 and password 123456, and then click Login.

Figure 93 Login page

6.     Click START to start the IP client application.

If the host does not have an iNode client installed, the system installs the iNode client, and then starts and connects the iNode client to the SSL VPN gateway.

If the host already has an iNode client installed, the system starts the iNode client and connects it to the SSL VPN gateway directly.

Figure 94 shows that the iNode client is successfully connected to the SSL VPN gateway.

Figure 94 Connecting the iNode client to the SSL VPN gateway

 

Example: Configuring IP access with local authentication and a self-signed certificate

Network configuration

As shown in Figure 95, the device acts as an SSL VPN gateway that connects the public network and the private network. Users need secure access to the internal server in IP access mode.

The device uses a self-signed server certificate.

Perform the following tasks:

·     Configure the SSL VPN IP access service on the device to allow users to access the internal server in IP access mode.

·     Configure the device to perform local authentication and authorization for IP access users.

Figure 95 Network diagram (local authentication)

 

Software versions used

This configuration example was created and verified on R8860 of the F1000-AI-55 device.

Restrictions and guidelines

·     The IP address pool configured for client address allocation must meet the following requirements:

¡     The address range of the address pool cannot be on the same subnet as the IP address used on the client host.

¡     The IP addresses in the address pool must not conflict with the IP addresses used on the device.

¡     The address range of the address pool cannot be on the same subnet as the IP address of the internal server.

·     The SSL VPN AC interface must be added to the correct security zone (Untrust, in this example).

Procedure

Configuring the device

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click the Network tab.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Untrust security zone.

b.     On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 1.1.1.2/24.

c.     Use the default settings for other parameters.

d.     Click OK.

# Add GE 1/0/2 to the Trust security zone and set its IP address to 2.2.2.2/24 in the same way you configured GE 1/0/1.

# Add GE 1/0/3 to the Trust security zone and set its IP address to 3.3.3.1/24 in the same way you configured GE 1/0/1.

2.     Configure settings for routing:

This example configures static routes.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure a static IPv4 route to reach 40.1.1.1:

a.     Enter destination IP address 40.1.1.1.

b.     Enter mask length 24.

c.     Enter next hop address 1.1.1.3.

d.     Use the default settings for other parameters.

e.     Click OK.

# Configure a static IPv4 route to reach 20.2.2.2:

a.     Enter destination IP address 20.2.2.2.

b.     Enter mask length 24.

c.     Enter next hop address 2.2.2.3.

d.     Use the default settings for other parameters.

e.     Click OK.

3.     Create security policies:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy named untrust-local to permit the specified traffic from the Untrust to Local security zones:

¡     Enter policy name untrust-local.

¡     Select source zone Untrust.

¡     Select destination zone Local.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.1.

¡     Select destination IPv4 address 1.1.1.2.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy local-trust to permit the specified traffic from the Local to Trust security zones:

¡     Enter policy name local-trust.

¡     Select source zone Local.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 2.2.2.2.

¡     Select destination IPv4 address 20.2.2.2.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy untrust-trust to permit the specified traffic from the Untrust to Trust security zones:

¡     Enter policy name untrust-trust.

¡     Select source zone Untrust.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.0/24.

¡     Select destination IPv4 address 20.2.2.0/24.

¡     Use the default settings for other parameters.

# Click OK.

4.     Configure the SSL VPN gateway:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Gateways.

# Click Create.

# Create an SSL VPN gateway as shown in Figure 96, and then click OK.

Figure 96 Creating an SSL VPN gateway

 

5.     Create an SSL VPN AC interface:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN AC Interfaces.

# Click Create.

# In the Create Interfaces dialog box that opens, enter 1 in the Interface number field and click OK.

# In the Modify Interface Settings dialog box, configure the basic settings for the SSL VPN AC interface as shown in Figure 97.

Figure 97 Configuring basic settings for the SSL VPN AC interface

# Click the IPv4 Address tab and configure the IPv4 address settings for the SSL VPN AC interface as shown in Figure 98.

# Click OK.

Figure 98 Configuring IPv4 address settings for the SSL VPN AC interface

 

6.     Create an address pool for IP access users:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > IP Access Address Pools.

# Click Create.

# Create an IP access address pool as shown in Figure 99, and then click OK.

Figure 99 Creating an IP access address pool

 

7.     Configure an SSL VPN context:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Contexts.

# Click Create.

# Configure the basic settings for the SSL VPN context as shown in Figure 100, and then click Next.

Figure 100 Configuring basic settings for an SSL VPN context

# Click Next to configure authentication settings for the SSL VPN context as shown in Figure 101.

Figure 101 Configuring authentication settings

 

# Click Next. On the URI ACL page that opens, click Next.

# On the Access services page, select IP access and click Next.

# On the IP access page, configure the IP access service as follows:

a.     Configure the IP access parameters as shown in Figure 102 and click Next.

Figure 102 Configuring IP access parameters for the IP access service

b.     In the IP access resources area, configure route list rtlist with an included route entry for 20.2.2.0/24, as shown in Figure 103.

c.     Click Next.

Figure 103 Configuring IP access resources for the IP access service

 

# Click Next on the Shortcuts page.

# On the Resource groups page, click Create.

# Create a resource group named resourcegrp, as shown in Figure 104. In this example, select route list rtlist as the accessible IP resources and use IPv4 ACL 3999 (which permits all traffic) for IP access request filtering.

Figure 104 Creating an SSL VPN resource group

# Click OK.

The newly created resource group is displayed on the Resource groups page, as shown in Figure 105.

Figure 105 Resource groups configuration page

# Click Finish.

# Select the Enable check box to enable the SSL VPN context, as shown in Figure 106.

Figure 106 Enabling the SSL VPN context

 

8.     Create an SSL VPN user:

# On the top navigation bar, click Objects.

# From the navigation pane, select User > User Management > Local Users.

# Click Create.

# Create an SSL VPN user:

a.     Set the username to user1 and password to 123456, and select SSL VPN as the available service, as shown in Figure 107.

Figure 107 Creating an SSL VPN user

b.     In the Authorization Attributes area, authorize the user to use SSL VPN resource group resourcegrp, as shown in Figure 108.

Figure 108 Setting the authorization attributes for the SSL VPN user

 

c.     Click OK.

Configuring the host

# Configure the IP address and gateway address settings for the host and make sure it can reach the SSL VPN gateway.

Verifying the configuration

1.     In the browser address bar of the host, enter https://1.1.1.2 and press Enter to open the domain list page.

Figure 109 Domain list page

 

2.     Select domainip to access the login page.

3.     On the login page, enter username user1 and password 123456, and then click Login.

Figure 110 Login page

 

4.     Click START to start the IP client application.

If the host does not have an iNode client installed, the system installs the iNode client and connects the iNode client to the SSL VPN gateway.

If the host already has an iNode client installed, the system starts the iNode client and connects it to the SSL VPN gateway directly.

Figure 111 shows that the iNode client is successfully connected to the SSL VPN gateway.

Figure 111 Connecting the iNode client to the SSL VPN gateway

Example: Configuring IP access with USB key certificate authentication

Network configuration

As shown in Figure 112, the device acts as an SSL VPN gateway that connects the public network and the private network. Users need secure access to the internal server in IP access mode.

The device uses a RADIUS server to perform remote authentication and authorization for IP access users.

To enhance security, configure the device to authenticate the client certificate. The client certificate is provided by a USB key.

To enhance security, the device uses a CA-signed server certificate instead of a self-signed server certificate.

Figure 112 Network diagram (USB key authentication)

 

Software versions used

This configuration example was created and verified on R8860 of the F1000-AI-55 device.

Restrictions and guidelines

·     The IP address pool configured for client address allocation must meet the following requirements:

¡     The address range of the address pool cannot be on the same subnet as the IP address used on the client host.

¡     The IP addresses in the address pool must not conflict with the IP addresses used on the device.

¡     The address range of the address pool cannot be on the same subnet as the IP address of the internal server.

·     The SSL VPN AC interface must be added to the correct security zone (Untrust, in this example).

·     Install the driver for the USB key to ensure availability of the USB key.

·     The specified attribute (CN attribute by default) in the client certificate of the USB key is the same as the username of the SSL VPN user.
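The three address-pool rules above (the same list appears in the self-signed certificate example) can be checked mechanically before the pool is created in the web interface. The following Python script is an added example written for this guide, not H3C code: it takes the interface addresses assigned in step 1 of the procedure below, the internal server address 20.2.2.2, and the client host address 40.1.1.1 from the untrust-local security policy, while the candidate pools it is called with are constructed values (the guide shows the actual pool only in a screenshot). A pool may be given either as a CIDR block or as a start-end range.

```python
import ipaddress
from typing import Iterable, List

# Addresses taken from this example: the interface addresses assigned in step 1,
# the internal server, and the client host address used in the untrust-local
# policy. Candidate pools passed to check_address_pool() are constructed.
DEVICE_ADDRESSES = ["1.1.1.2/24", "2.2.2.2/24", "3.3.3.1/24", "192.168.100.3/24"]
INTERNAL_SERVER = "20.2.2.2/24"
CLIENT_HOST = "40.1.1.1/24"


def pool_networks(pool: str) -> list:
    """Accept a CIDR block ("10.1.1.0/24") or a start-end range
    ("10.1.1.1-10.1.1.100") and return the networks that cover it."""
    if "-" in pool:
        start, end = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(pool, strict=False)]


def check_address_pool(pool: str, client_host: str, device_addresses: Iterable[str],
                       internal_server: str) -> List[str]:
    """Apply the three address-pool rules from 'Restrictions and guidelines'.
    Returns one message per violated rule; an empty list means the pool is acceptable."""
    nets = pool_networks(pool)
    client_net = ipaddress.ip_interface(client_host).network
    server_net = ipaddress.ip_interface(internal_server).network
    problems: List[str] = []
    # Rule 1: the pool must not share a subnet with the client host.
    if any(n.overlaps(client_net) for n in nets):
        problems.append(f"pool {pool} is on the client host subnet {client_net}")
    # Rule 2: the pool must not contain any address configured on the device.
    for addr in device_addresses:
        ip = ipaddress.ip_interface(addr).ip
        if any(ip in n for n in nets):
            problems.append(f"pool {pool} contains device address {ip}")
    # Rule 3: the pool must not share a subnet with the internal server.
    if any(n.overlaps(server_net) for n in nets):
        problems.append(f"pool {pool} is on the internal server subnet {server_net}")
    return problems


if __name__ == "__main__":
    for candidate in ("10.1.1.1-10.1.1.100", "20.2.2.10-20.2.2.20", "1.1.1.0/24"):
        issues = check_address_pool(candidate, CLIENT_HOST, DEVICE_ADDRESSES, INTERNAL_SERVER)
        print(candidate, "->", "OK" if not issues else "; ".join(issues))
```

The first candidate passes all three rules; the second is rejected because it lies on the internal server's subnet, and the third because it contains the device's own 1.1.1.2 address. Run the check again whenever an interface address, the server subnet, or the client side of the network changes, since a pool that was valid at deployment time can become invalid later.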

Procedure

Configuring the device

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click the Network tab.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Untrust security zone.

b.     On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 1.1.1.2/24.

c.     Use the default settings for other parameters.

d.     Click OK.

# Add GE 1/0/2 to the Trust security zone and set its IP address to 2.2.2.2/24 in the same way you configured GE 1/0/1.

# Add GE 1/0/3 to the Trust security zone and set its IP address to 3.3.3.1/24 in the same way you configured GE 1/0/1.

# Add GE 1/0/4 to the Trust security zone and set its IP address to 192.168.100.3/24 in the same way you configured GE 1/0/1.

2.     Configure settings for routing:

This example configures static routes.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure a static IPv4 route to reach 40.1.1.1:

a.     Enter destination IP address 40.1.1.1.

b.     Enter mask length 24.

c.     Enter next hop address 1.1.1.3.

d.     Use the default settings for other parameters.

e.     Click OK.

# Configure a static IPv4 route to reach 20.2.2.2:

a.     Enter destination IP address 20.2.2.2.

b.     Enter mask length 24.

c.     Enter next hop address 2.2.2.3.

d.     Use the default settings for other parameters.

e.     Click OK.

3.     Create security policies:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy named untrust-local to permit the specified traffic from the Untrust to Local security zones:

¡     Enter policy name untrust-local.

¡     Select source zone Untrust.

¡     Select destination zone Local.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.1.

¡     Select destination IPv4 address 1.1.1.2.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy local-trust to permit the specified traffic from the Local to Trust security zones:

¡     Enter policy name local-trust.

¡     Select source zone Local.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 addresses 2.2.2.2, 3.3.3.1, and 192.168.100.3.

¡     Select destination IPv4 addresses 20.2.2.2, 3.3.3.2, and 192.168.100.247.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy untrust-trust to permit the specified traffic from the Untrust to Trust security zones:

¡     Enter policy name untrust-trust.

¡     Select source zone Untrust.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.0/24.

¡     Select destination IPv4 address 20.2.2.0/24.

¡     Use the default settings for other parameters.

# Click OK.
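Security policies are matched in configuration order and the first match decides the action, so it is worth confirming which of the listed policies each flow in this example actually hits. The evaluator below is an added example written for this guide, not firewall code. It models the three policies of this step exactly as listed (the self-signed certificate example uses the same three policies with shorter local-trust address lists and is covered by editing those lists), and it assumes that traffic matching no policy takes a default deny action, exposed as a parameter. The 10.1.1.5 source in the last flow is a constructed address from the 10.1.1.0/24 subnet that the server is told to route to later in this example; the evaluator reports that no listed policy matches it, so check how the Untrust-to-Trust policy covers the IP access address pool in your own deployment.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                   # "permit" or "deny"
    src: List[str] = field(default_factory=list)  # addresses or prefixes; empty = any
    dst: List[str] = field(default_factory=list)


# The three policies exactly as listed in step 3 of the USB key example.
POLICIES = [
    Policy("untrust-local", "Untrust", "Local", "permit", ["40.1.1.1"], ["1.1.1.2"]),
    Policy("local-trust", "Local", "Trust", "permit",
           ["2.2.2.2", "3.3.3.1", "192.168.100.3"],
           ["20.2.2.2", "3.3.3.2", "192.168.100.247"]),
    Policy("untrust-trust", "Untrust", "Trust", "permit", ["40.1.1.0/24"], ["20.2.2.0/24"]),
]


def _address_matches(addr: str, entries: List[str]) -> bool:
    if not entries:          # no address filter configured: matches anything
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def evaluate(policies: List[Policy], src_zone: str, dst_zone: str,
             src_ip: str, dst_ip: str, default_action: str = "deny") -> Tuple[Optional[str], str]:
    """Look up a flow in configuration order; the first match wins.
    Returns (matching policy name or None, resulting action). Treating
    unmatched traffic as 'deny' is an assumption made here, not taken from the guide."""
    for p in policies:
        if (p.src_zone == src_zone and p.dst_zone == dst_zone
                and _address_matches(src_ip, p.src) and _address_matches(dst_ip, p.dst)):
            return p.name, p.action
    return None, default_action


if __name__ == "__main__":
    flows = [
        ("Untrust", "Local", "40.1.1.1", "1.1.1.2"),             # client host to the SSL VPN gateway
        ("Local", "Trust", "192.168.100.3", "192.168.100.247"),  # device to the CA server
        ("Untrust", "Trust", "40.1.1.7", "20.2.2.2"),            # another 40.1.1.0/24 host to the server
        ("Untrust", "Local", "40.1.1.9", "1.1.1.2"),             # a second client host: no policy covers it
        ("Untrust", "Trust", "10.1.1.5", "20.2.2.2"),            # constructed pool address (pool assumed 10.1.1.0/24)
    ]
    for f in flows:
        print(f, "->", evaluate(POLICIES, *f))
```

Two results deserve attention when adapting the example: untrust-local names the single host 40.1.1.1, so a second client host is not permitted to reach the gateway until the source list is widened, and a flow sourced from the address pool matches none of the three policies as written.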

4.     Request a server certificate for the device:

a.     Create a certificate subject:

# On the top navigation bar, click Objects.

# From the navigation pane, select PKI > Certificate Subject.

# Click Create.

# Create a certificate subject as shown in Figure 113, and then click OK.

Figure 113 Creating a certificate subject

 

b.     Create a PKI domain:

# On the Certificate page, click Create PKI domain.

# Create a PKI domain as shown in Figure 114, and then click OK.

Figure 114 Creating a PKI domain

 

c.     Create a certificate request:

# On the Certificate page, click Submit Cert Request.

# Configure the certificate request settings as shown in Figure 115.

Figure 115 Creating a certificate request

# Click OK.

The certificate request content will be displayed, as shown in Figure 116.

Figure 116 Certificate request content

 

# Copy the certificate request content and click OK.

d.     Request a server certificate from the CA (Windows Server 2008 R2 in this example):

# Enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 117, click Request a certificate.

Figure 117 Certificate service home page

# On the Request a Certificate page shown in Figure 118, click advanced certificate request.

Figure 118 Request a Certificate page

# Paste the previously copied certificate request content in the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) field, as shown in Figure 119.

Figure 119 Pasting the certificate request content

 

# Click Submit.

# After the certificate request is approved by the CA administrator, enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 120, click View the status of a pending certificate request.

Figure 120 Certificate service home page

# Select the certificate request you want to view, as shown in Figure 121.

Figure 121 View the Status of a Pending Certificate Request

The Certificate Issued page opens, indicating that the requested server certificate has been issued, as shown in Figure 122.

Figure 122 Certificate Issued page

 

# Click Download certificate to download the server certificate and save it locally.

5.     Download the CA certificate:

# Enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 123, click Download a CA certificate, certificate chain, or CRL.

Figure 123 Certificate service home page

# On the Download a CA certificate, certificate chain, or CRL page shown in Figure 124, click Download CA certificate.

Figure 124 Download a CA certificate, certificate chain, or CRL page

 

# Save the downloaded CA certificate locally.

6.     Import the CA certificate and server certificate to the PKI domain:

a.     Import the CA certificate:

# On the top navigation bar, click Objects.

# From the navigation pane, select PKI > Certificate.

# Click Import certificate.

# Import the locally saved CA certificate, as shown in Figure 125, and then click OK.

Figure 125 Importing the CA certificate

 

b.     Import the server certificate:

# On the Certificate page, click Import certificate.

# Import the locally saved server certificate, as shown in Figure 126, and then click OK.

Figure 126 Importing the server certificate

 

7.     Configure an SSL server policy:

# On the top navigation bar, click Objects.

# From the navigation pane, select SSL > SSL Server Policies.

# Click Create.

# Configure an SSL server policy as shown in Figure 127, and then click OK.

Figure 127 Creating an SSL server policy

 

8.     Configure an SSL client policy:

# On the top navigation bar, click Objects.

# From the navigation pane, select SSL > SSL Client Policies.

# Click Create.

# Configure an SSL client policy as shown in Figure 128, and then click OK.

Figure 128 Creating an SSL client policy

 

9.     Configure a RADIUS scheme:

# On the top navigation bar, click Objects.

# From the navigation pane, select User > Authentication > RADIUS.

# Click Create.

# Configure a RADIUS scheme named radius:

¡     Set the authentication server as shown in Figure 129.

¡     Set the global shared key for authentication to 123456.

Figure 129 Configuring a RADIUS scheme

# Configure the advanced settings for the RADIUS scheme in the Advanced settings area, as shown in Figure 130.

Figure 130 Configuring the advanced settings for the RADIUS scheme

 

# Click OK.

10.     Configure an ISP domain:

# On the top navigation bar, click Objects.

# From the navigation pane, select User > Authentication > ISP Domains.

# Click Create.

# Configure an ISP domain for SSL VPN:

¡     Specify the domain name as sslvpn.

¡     Select the access type SSL VPN.

¡     Select RADIUS for the authentication and authorization methods, and select the RADIUS scheme radius created in step 9.

¡     Select None for the accounting method.

Figure 131 Configuring an ISP domain

 

Figure 132 Configuring an ISP domain

 

11.     Create a user group:

# On the top navigation bar, click Objects.

# From the navigation pane, select User > User Management > Local Users.

# Click the User Group tab.

# Click Create.

# Create a user group named sslvpn_usergroup and specify SSL VPN resource group resourcegrp for the user group, as shown in Figure 133.

# Click OK.

Figure 133 Creating a user group

 

12.     Configure the SSL VPN gateway:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Gateways.

# Click Create.

# Create an SSL VPN gateway as shown in Figure 134, and then click OK.

Figure 134 Creating an SSL VPN gateway

 

13.     Create an SSL VPN AC interface:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN AC Interfaces.

# Click Create.

# In the Create Interfaces dialog box that opens, enter 1 in the Interface number field and click OK.

# In the Modify Interface Settings dialog box, configure the basic settings for the SSL VPN AC interface as shown in Figure 135.

Figure 135 Configuring basic settings for the SSL VPN AC interface

# Click the IPv4 Address tab and configure the IPv4 address settings for the SSL VPN AC interface as shown in Figure 136.

# Click OK.

Figure 136 Configuring IPv4 address settings for the SSL VPN AC interface

 

14.     Create an address pool for IP access users:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > IP Access Address Pools.

# Click Create.

# Create an IP access address pool as shown in Figure 137, and then click OK.

Figure 137 Creating an IP access address pool

 

15.     Configure an SSL VPN context:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Contexts.

# Click Create.

# Configure the basic settings for the SSL VPN context as shown in Figure 138.

Figure 138 Configuring basic settings for an SSL VPN context

# Click Next to configure authentication settings for the SSL VPN context as shown in Figure 139.

Figure 139 Configuring authentication settings

 

# Click Next. On the URI ACL page that opens, click Next.

# On the Access services page, select IP access and click Next.

# On the IP access page, configure the IP access service as follows:

a.     Configure the IP access parameters as shown in Figure 140 and click Next.

Figure 140 Configuring IP access parameters for the IP access service

b.     In the IP access resources area, configure route list rtlist with an included route entry for 20.2.2.0/24, as shown in Figure 141.

c.     Click Next.

Figure 141 Configuring IP access resources for the IP access service

 

# Click Next on the Shortcuts page.

# On the Resource groups page, click Create.

# Create a resource group named resourcegrp, as shown in Figure 142. In this example, select route list rtlist as the accessible IP resources and use IPv4 ACL 3999 (which permits all traffic) for IP access request filtering.

Figure 142 Creating an SSL VPN resource group

# Click OK.

The newly created resource group is displayed on the Resource groups page, as shown in Figure 143.

Figure 143 Resource groups configuration page

# Click Finish.

# Select the Enable check box to enable the SSL VPN context, as shown in Figure 144.

Figure 144 Enabling the SSL VPN context

 

Configuring the RADIUS server

In this example, the IMC version is iMC PLAT 7.3 (E0504).

1.     Configure an access policy named resourcegrp:

# Log in to IMC.

# On the top navigation bar, click User.

# From the navigation pane, select User Access Policy > Access Policy.

# Click Add.

# Add an access policy as shown in Figure 145.

# Click OK.

Figure 145 Creating an access policy

 

2.     Configure an access service named sslvpnservice:

# On the top navigation bar, click User.

# From the navigation pane, select User Access Policy > Access Service.

# Click Add.

# Add an access service as shown in Figure 146. In this example, specify access policy resourcegrp as the default access policy.

# Click OK.

Figure 146 Creating an access service

 

3.     Configure an access device:

# On the top navigation bar, click User.

# From the navigation pane, select User Access Policy > Access Device Management > Access Device.

# Click Add.

# Add an access device as shown in Figure 147. In this example, set the shared key to 123456.

# Click OK.

Figure 147 Configuring an access device

 

4.     Configure an access user:

# Access the User > Add User page.

# Add a platform user as shown in Figure 148.

# Click OK.

Figure 148 Adding a platform user

 

# From the navigation pane, select Access User > All Access Users.

# Click Add.

# Add an access user and assign access service sslvpnservice to the user, as shown in Figure 149.

# Click OK.

Figure 149 Adding an access user

 

Configuring the server

Make sure the server has a route to subnet 10.1.1.0/24.

Verifying the configuration

1.     Install the USB key on the host.

Obtain the USB key from the administrator, and install the USB key on the host. For information about how to make a USB key, see the appendix "Making a USB key" at the end of this document.

2.     Log in to the SSL VPN gateway from the host:

# In the browser address bar of the host, enter https://1.1.1.2:4430/ and press Enter.

# On the Select a certificate page, select the client certificate for authentication, as shown in Figure 150.

Figure 150 Select a certificate page

 

3.     Click OK.

4.     On the page that opens, enter username sslvpnuser and password 123456TESTplat&!, and then click Login as shown in Figure 151.

Figure 151 SSL VPN login page

 

5.     On the login page, enter username user1 and password 123456, and then click Login.

Figure 152 Login page

 

6.     Click START to start the IP client application.

# Launch the installed IP client and configure it as follows:

Figure 153 Connecting the iNode client to the SSL VPN gateway

 

# Click the icon next to the Password box. In the dialog box that opens, select the client certificate in the USB key, and then click OK.

Figure 154 Selecting the client certificate

 

# Click Connect on the iNode client. You log in to the SSL VPN gateway successfully.

Figure 155 Logging into the SSL VPN gateway successfully

 

# After the SSL VPN user logs in, the user can ping the server IP address 20.2.2.2 from the host.

C:\>ping 20.2.2.2

Pinging 20.2.2.2 with 32 bytes of data:

Reply from 20.2.2.2: bytes=32 time=31ms TTL=254

Reply from 20.2.2.2: bytes=32 time=18ms TTL=254

Reply from 20.2.2.2: bytes=32 time=15ms TTL=254

Reply from 20.2.2.2: bytes=32 time=16ms TTL=254

 

Ping statistics for 20.2.2.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 15ms, Maximum = 31ms, Average = 20ms

Appendix—Making a USB key

Make a USB key in the following procedure:

1.     Configure an IP address and gateway on the administrator's PC to ensure the PC can reach the CA server. This example uses Windows 2008 server as the CA server.

Figure 156 Network diagram

 

2.     Request the USB key client certificate:

# Enter http://192.168.100.247/certsrv in the address bar of a browser to open the certificate service page.

Figure 157 Certificate services

 

# Click Request a certificate. The certificate request page opens.

Figure 158 Requesting a certificate

 

# Click advanced certificate request. On the page that opens, select Create and submit a request to this CA to request a client certificate.

# Configure the client certificate request parameters, and then click Submit at the bottom of the page.

# In the dialog box that opens, enter the USB key password, and then log in.

# Click Install this certificate to install the client certificate to the USB key.

Figure 159 Installing the client certificate to the USB key


 

# If a warning about a possible certificate conflict appears, click Yes to install the client certificate into the USB key.

The USB key is made successfully.

 
