Reposted from: http://bbs.csc-china.com.cn/forum.php?mod=viewthread&tid=991966&extra=page%3D2
*******************************************
1. Clear all existing key pairs and PKI trustpoints
(config)#crypto key zeroize rsa
(config)#no crypto pki trustpoint XXX
*******************************************
2. External connectivity
Register a domain on the Oray (花生壳) site, with a TXT record, and enable the DDNS service for that domain.
Device configuration:
!
ip ddns update method oray
HTTP
add http://xxx:xxx@ddns.oray.com/ph/update?hostname=www.kagamigawa.tech&&myip=
interval maximum 0 0 1 0
interval minimum 0 0 1 0
!
interface GigabitEthernet1
description WAN
no ip address
pppoe enable group global
cdp enable
pppoe-client dial-pool-number 1
!
interface Dialer1
description WAN
ip ddns update hostname www.kagamigawa.tech
ip ddns update oray host ddns.oray.com
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp pap sent-username xxx password 7 xxx
ppp ipcp dns request
ppp ipcp route default
!
Test connectivity:
C:\Users\Lenovo>ping www.kagamigawa.tech
正在 Ping www.kagamigawa.tech [49.118.72.197] 具有 32 字节的数据:
来自 49.118.72.197 的回复: 字节=32 时间=89ms TTL=242
No problems, so continue.
3. Request an SSL certificate for the domain
Request a free certificate from Tencent Cloud.
The process requires DNS validation: go back to Oray and add a TXT record.
Download the issued certificate.
Extract the xxx.pfx file and keystorePass.txt from the IIS folder to the desktop, then upload them to the device's bootflash:
4. Install and verify the certificate
(config)#crypto pki import VPN pkcs12 bootflash:www.kagamigawa.tech.pfx password xxx
Check the PKI trustpoints:
show crypto pki trustpoints
Trustpoint VPN:
Subject Name:
cn=TrustAsia TLS RSA CA
ou=Domain Validated SSL
o=TrustAsia Technologies
Inc.
c=CN
Serial Number (hex): 0580267F06F29553348E1C185A5EEE2E
Certificate configured.
Check the root certificate:
show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 0580267F06F29553348E1C185A5EEE2E
Certificate Usage: Signature
Issuer:
cn=DigiCert Global Root CA
ou=www.digicert.com
o=DigiCert Inc
c=US
Subject:
cn=TrustAsia TLS RSA CA
ou=Domain Validated SSL
o=TrustAsia Technologies
Inc.
c=CN
CRL Distribution Points:
http://crl3.digicert.com/DigiCertGlobalRootCA.crl
Validity Date:
start date: 20:28:26 CST Dec 8 2017
end date: 20:28:26 CST Dec 8 2027
Associated Trustpoints: VPN
Storage: nvram:DigiCertGlob#EE2ECA.cer
Check the personal (identity) certificate:
show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex):
Certificate Usage: General Purpose
Issuer:
cn=TrustAsia TLS RSA CA
ou=Domain Validated SSL
o=TrustAsia Technologies
Inc.
c=CN
Subject:
Name: www.kagamigawa.tech
cn=www.kagamigawa.tech
Validity Date:
start date:
end date:
Associated Trustpoints: VPN
Storage: nvram:TrustAsiaTLS#2B90.cer
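Reading the validity window and trustpoint association out of this output by eye is easy to get wrong, and the same check is wanted again before the certificate is renewed. The following Python script is an added example, not part of the original post: it parses the `show crypto pki certificates` text format shown above and reports certificates that are unavailable, not tied to the expected trustpoint, expired, or expiring within a configurable number of days. The sample embedded in the script is the CA certificate block from this post, re-indented as IOS prints it; the identity certificate block is left out because its serial and dates are redacted on the page. The function and field names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the CA certificate block from this post's
# "show crypto pki certificates" output, re-indented the way IOS prints it.
SAMPLE_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 0580267F06F29553348E1C185A5EEE2E
  Certificate Usage: Signature
  Issuer:
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Subject:
    cn=TrustAsia TLS RSA CA
    ou=Domain Validated SSL
    o=TrustAsia Technologies
    Inc.
    c=CN
  CRL Distribution Points:
    http://crl3.digicert.com/DigiCertGlobalRootCA.crl
  Validity Date:
    start date: 20:28:26 CST Dec 8 2017
    end   date: 20:28:26 CST Dec 8 2027
  Associated Trustpoints: VPN
  Storage: nvram:DigiCertGlob#EE2ECA.cer
"""

# Lines that open a new certificate record in the show output.
RECORD_HEADERS = ("Certificate", "CA Certificate", "Router Self-Signed Certificate")

# IOS prints e.g. "20:28:26 CST Dec 8 2017"; the zone token is dropped because
# strptime only recognises a handful of zone names.
IOS_DATE_RE = re.compile(r"(\d\d:\d\d:\d\d)\s+\S+\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})")


def parse_ios_date(text):
    """Return a naive datetime for an IOS timestamp, or None if the field is blank."""
    m = IOS_DATE_RE.search(text)
    return datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y") if m else None


def parse_show_pki_certificates(output):
    """Parse `show crypto pki certificates` text into a list of dicts."""
    certs, cur, section, last_attr = [], None, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in RECORD_HEADERS:
            cur = {"type": line, "issuer": {}, "subject": {}, "crl": [],
                   "trustpoints": [], "not_before": None, "not_after": None}
            certs.append(cur)
            section = last_attr = None
            continue
        if cur is None:
            continue
        m = re.match(r"^(start|end)\s+date:\s*(.*)$", line)   # blank dates give None
        if m:
            cur["not_before" if m.group(1) == "start" else "not_after"] = parse_ios_date(m.group(2))
            continue
        if line.endswith(":"):                      # "Issuer:", "Validity Date:", ...
            section, last_attr = line[:-1].lower(), None
            continue
        if section in ("issuer", "subject"):
            if "=" in line:                          # "cn=...", "o=..."
                key, val = line.split("=", 1)
                last_attr = key.strip().lower()
                cur[section][last_attr] = val.strip()
                continue
            if line.lower().startswith("name:"):     # "Name: www.kagamigawa.tech"
                cur[section]["name"] = line.split(":", 1)[1].strip()
                continue
            if last_attr and ":" not in line:        # wrapped value, e.g. "Inc."
                cur[section][last_attr] += " " + line
                continue
        if section == "crl distribution points":
            cur["crl"].append(line)
            continue
        m = re.match(r"^([^:]+):\s*(.*)$", line)    # generic "Key: value"
        if m:
            key, val = m.group(1).strip().lower(), m.group(2).strip()
            if key == "associated trustpoints":
                cur["trustpoints"] = val.split()
            elif key == "certificate serial number (hex)":
                cur["serial"] = val
            else:
                cur[key] = val
            section = last_attr = None
    return certs


def check_certificates(certs, now, warn_days=30, expected_trustpoint="VPN"):
    """Return human-readable findings; an empty list means nothing needs attention."""
    findings = []
    for c in certs:
        label = f'{c["type"]} "{c["subject"].get("cn", "?")}"'
        if c.get("status") != "Available":
            findings.append(f"{label}: status is {c.get('status')}")
        if expected_trustpoint not in c["trustpoints"]:
            findings.append(f"{label}: not associated with trustpoint {expected_trustpoint}")
        nb, na = c["not_before"], c["not_after"]
        if nb is None or na is None:
            findings.append(f"{label}: validity dates missing")
        elif now < nb:
            findings.append(f"{label}: not valid until {nb:%Y-%m-%d}")
        elif now >= na:
            findings.append(f"{label}: expired on {na:%Y-%m-%d}")
        elif na - now < timedelta(days=warn_days):
            findings.append(f"{label}: expires in {(na - now).days} days")
    return findings


if __name__ == "__main__":
    certs = parse_show_pki_certificates(SAMPLE_OUTPUT)
    for finding in check_certificates(certs, datetime.now(), warn_days=90) or ["no findings"]:
        print(finding)
```

Paste the full output of both `show crypto pki certificates` blocks into `SAMPLE_OUTPUT` (or read it from a file) and run the script on a schedule; a blank date field, as in the redacted identity certificate above, is reported as "validity dates missing" rather than silently treated as valid.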
5. AnyConnect configuration
aaa new-model
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authentication enable default none
aaa authorization network sslvpn local
!
ip domain name uq
!
username xxx privilege 15 password 7 xxx
!
crypto ssl proposal sslvpn-proposal
protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl authorization policy sslvpn-auth-policy
msie-proxy server 192.168.1.100:8118
pool sslvpn
dns 192.168.0.1
def-domain uq
!
crypto ssl policy sslvpn-policy
ssl proposal sslvpn-proposal
pki trustpoint VPN sign
ip interface Dialer1 port 4443
!
crypto ssl profile sslvpn-profile
match policy sslvpn-policy
aaa authentication user-pass list sslvpn
aaa authorization group user-pass list sslvpn sslvpn-auth-policy
authentication remote user-pass
max-users 100
!
ip local pool sslvpn 192.168.32.100 192.168.32.254
6. Bind the certificate to the web management page
ip http secure-trustpoint VPN
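As an added example for steps 5 and 6 (not from the post, and not a Cisco tool), the following Python script audits an IOS-XE SSL VPN configuration of the shape shown above: it checks that the proposal named by the policy, the trustpoint used for signing (and the one given to `ip http secure-trustpoint`), the address pool and the AAA login list all exist, and it flags cipher suites in the `crypto ssl proposal` that are no longer acceptable (the RC4, 3DES and MD5 suites that the proposal above still offers alongside the AES ones). The embedded configuration is the post's own, re-indented as `show running-config` prints it; `KNOWN_TRUSTPOINTS` comes from the `show crypto pki trustpoints` output in step 4. Function names are the example's own.

```python
# Constructed sample: the AnyConnect/HTTPS configuration from this post (steps 5
# and 6), re-indented as `show running-config` prints it.
SSLVPN_CONFIG = """\
aaa new-model
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authentication enable default none
aaa authorization network sslvpn local
!
ip domain name uq
!
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl authorization policy sslvpn-auth-policy
 msie-proxy server 192.168.1.100:8118
 pool sslvpn
 dns 192.168.0.1
 def-domain uq
!
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint VPN sign
 ip interface Dialer1 port 4443
!
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy
 authentication remote user-pass
 max-users 100
!
ip local pool sslvpn 192.168.32.100 192.168.32.254
ip http secure-trustpoint VPN
"""

# Trustpoints present on the router, from `show crypto pki trustpoints` in step 4.
KNOWN_TRUSTPOINTS = {"VPN"}

# Substrings identifying cipher suites that should no longer be offered.
WEAK_SUITE_MARKERS = ("rc4", "3des", "md5")


def parse_blocks(config):
    """Group IOS config into {top-level line: [indented child lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def _named(blocks, prefix):
    """Yield (name, child lines) for every block whose header starts with prefix."""
    for header, body in blocks.items():
        if header.startswith(prefix):
            yield header[len(prefix):].split()[0], body


def audit_sslvpn(config, trustpoints=KNOWN_TRUSTPOINTS):
    """Return a list of findings; an empty list means every reference resolves."""
    blocks = parse_blocks(config)
    findings = []

    proposals = {}
    for name, body in _named(blocks, "crypto ssl proposal "):
        suites = [s for line in body if line.startswith("protection ") for s in line.split()[1:]]
        proposals[name] = suites
        weak = [s for s in suites if any(m in s for m in WEAK_SUITE_MARKERS)]
        if weak:
            findings.append(f"proposal {name}: remove legacy suites {' '.join(weak)}")

    for name, body in _named(blocks, "crypto ssl policy "):
        for line in body:
            t = line.split()
            if t[:2] == ["ssl", "proposal"] and t[2] not in proposals:
                findings.append(f"policy {name}: proposal {t[2]} is not defined")
            if t[:2] == ["pki", "trustpoint"] and t[2] not in trustpoints:
                findings.append(f"policy {name}: trustpoint {t[2]} does not exist")

    pools = {name for name, _ in _named(blocks, "ip local pool ")}
    for name, body in _named(blocks, "crypto ssl authorization policy "):
        for line in body:
            t = line.split()
            if t[0] == "pool" and t[1] not in pools:
                findings.append(f"authorization policy {name}: pool {t[1]} is not defined")

    login_lists = {name for name, _ in _named(blocks, "aaa authentication login ")}
    for name, body in _named(blocks, "crypto ssl profile "):
        for line in body:
            t = line.split()
            if t[:4] == ["aaa", "authentication", "user-pass", "list"] and t[4] not in login_lists:
                findings.append(f"profile {name}: login list {t[4]} is not defined")

    for name, _ in _named(blocks, "ip http secure-trustpoint "):
        if name not in trustpoints:
            findings.append(f"HTTPS server: trustpoint {name} does not exist")
    return findings


if __name__ == "__main__":
    for finding in audit_sslvpn(SSLVPN_CONFIG) or ["no findings"]:
        print(finding)
```

On the post's configuration the audit returns a single finding, the two legacy suites in `sslvpn-proposal`; keeping only the AES suites the proposal already lists (`protection rsa-aes128-sha1 rsa-aes256-sha1`) clears it. The trustpoint checks catch a stale reference, for example a policy or `ip http secure-trustpoint` line still naming a trustpoint that was removed in step 1.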