VPN with certificate-based authentication

Finally!
I finally did it!
I'll write it up later; for now, here's the config


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c2811
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNUSERS local
aaa authorization exec default local
aaa authorization network VPNGROUP local
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
ip cef
!
!
ip domain name local
ip name-server 192.168.0.1
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki server CA_cisco
issuer-name CN=powerc OU=enginers C=RU
grant auto
lifetime certificate 1
!
crypto pki trustpoint CA_cisco
revocation-check crl
rsakeypair CA_cisco
!
crypto pki trustpoint CALOCAL
enrollment url http://192.168.0.101:80
serial-number
subject-name ou=enginers
revocation-check crl
rsakeypair VPN_remote
!
!
!
crypto pki certificate map CERTMAP1 10
subject-name co ou = enginers
!
crypto pki certificate chain CA_cisco
certificate ca 01
3082021D 30820186 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
22312030 1E060355 04031317 706F7765 7263204F 553D656E 67696E65 72732043
3D525530 1E170D31 30303531 31313330 3030305A 170D3133 30353130 31333030
30305A30 22312030 1E060355 04031317 706F7765 7263204F 553D656E 67696E65
72732043 3D525530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
02818100 C2DBEC98 BD4F8363 844778B8 E132FE34 FCEA5202 C3CD4441 F73B5885
D2F4E023 6B552280 66DCDEDA F4D49AD4 1BA3102B 5E47352C E7FD3A6A AE383C88
40DD8C05 640D0745 FF8ADDB9 D7BBE320 7C9B3D34 C3882758 13E7AF0A BD16FAF6
1EDE1F06 F6FCA819 4C691AA6 F7DC8723 B1F1FF72 45C52AEC A69A5E00 2C6CB91D
7DB5BFCF 02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E
0603551D 0F0101FF 04040302 0186301F 0603551D 23041830 16801447 32D8BAD1
28F195AD A765A780 656323D9 E6F3BE30 1D060355 1D0E0416 04144732 D8BAD128
F195ADA7 65A78065 6323D9E6 F3BE300D 06092A86 4886F70D 01010405 00038181
001E945B 3364FB2D F51E8EBB E113B23C A2BCEBAF 79075ACA BB349888 126802E2
A3B3D88E 8AEF2B99 5CE5F7A6 C7CDF2A9 B3EC59E1 C8FD9842 1ECCC94C D593F7B3
C742831B ED6115F9 6F4B220D 70A743BB 6BF6DB8E 9C7CFA3C 9FA9FCA7 7F452CFA
E78593FD 74709D2C 0E923432 15E22BCD 7B496F60 81C1FD46 62ED558A D6D28D0B 56
quit
crypto pki certificate chain CALOCAL
certificate 03
308201CF 30820138 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
22312030 1E060355 04031317 706F7765 7263204F 553D656E 67696E65 72732043
3D525530 1E170D31 30303531 31313332 3731335A 170D3130 30353132 31333237
31335A30 2C312A30 0E060355 04051307 35443142 30413730 1806092A 864886F7
0D010902 160B6332 3831312E 6C6F6361 6C305C30 0D06092A 864886F7 0D010101
0500034B 00304802 4100E549 60E494AC F81665C0 36C82324 BA9D2225 B160B42F
70F7624D 9D189F7A 5E96B187 3E309D92 6AEDC7D0 46E2D4AA 88377B71 B64A5753
0FBEE7B8 CFEA42B8 53290203 010001A3 4F304D30 0B060355 1D0F0404 030205A0
301F0603 551D2304 18301680 144732D8 BAD128F1 95ADA765 A7806563 23D9E6F3
BE301D06 03551D0E 04160414 9384B204 2A1E326E 70CB99A2 F4C05575 4309381F
300D0609 2A864886 F70D0101 04050003 818100A8 3276045A 3447ECCE 3E955246
A82D3344 EA0885DA 893581E1 5453CB2E 28BF5CF8 B0EE8896 577BBF49 662BE43F
76972054 FDE6C692 F6AB4990 9BC16C6E F0793B65 0FA91C5B 248CEEB0 2BCCC61C
0B439529 F970E03B AEF5DFB5 0B609B4B 281DFD99 E2A07ACB 78D6547D 185CEE7B
669B9078 E8B4BA67 AD1A293B 79A43272 B88333
quit
certificate ca 01
3082021D 30820186 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
22312030 1E060355 04031317 706F7765 7263204F 553D656E 67696E65 72732043
3D525530 1E170D31 30303531 31313330 3030305A 170D3133 30353130 31333030
30305A30 22312030 1E060355 04031317 706F7765 7263204F 553D656E 67696E65
72732043 3D525530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
02818100 C2DBEC98 BD4F8363 844778B8 E132FE34 FCEA5202 C3CD4441 F73B5885
D2F4E023 6B552280 66DCDEDA F4D49AD4 1BA3102B 5E47352C E7FD3A6A AE383C88
40DD8C05 640D0745 FF8ADDB9 D7BBE320 7C9B3D34 C3882758 13E7AF0A BD16FAF6
1EDE1F06 F6FCA819 4C691AA6 F7DC8723 B1F1FF72 45C52AEC A69A5E00 2C6CB91D
7DB5BFCF 02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E
0603551D 0F0101FF 04040302 0186301F 0603551D 23041830 16801447 32D8BAD1
28F195AD A765A780 656323D9 E6F3BE30 1D060355 1D0E0416 04144732 D8BAD128
F195ADA7 65A78065 6323D9E6 F3BE300D 06092A86 4886F70D 01010405 00038181
001E945B 3364FB2D F51E8EBB E113B23C A2BCEBAF 79075ACA BB349888 126802E2
A3B3D88E 8AEF2B99 5CE5F7A6 C7CDF2A9 B3EC59E1 C8FD9842 1ECCC94C D593F7B3
C742831B ED6115F9 6F4B220D 70A743BB 6BF6DB8E 9C7CFA3C 9FA9FCA7 7F452CFA
E78593FD 74709D2C 0E923432 15E22BCD 7B496F60 81C1FD46 62ED558A D6D28D0B 56
quit
username VPN password 0 vpn
!
!
!
crypto isakmp policy 10
encr 3des
group 2
crypto isakmp identity dn
!
crypto isakmp client configuration group enginers_group
pool VPNPOOL
acl 100
save-password
netmask 255.255.255.0
crypto isakmp profile IPROF1
ca trust-point CALOCAL
match certificate CERTMAP1
client configuration group enginers_group
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set TSET
reverse-route
!
!
crypto map SMAP client authentication list VPNUSERS
crypto map SMAP isakmp authorization list VPNGROUP
crypto map SMAP isakmp-profile IPROF1
crypto map SMAP client configuration address respond
crypto map SMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.101 255.255.255.0
duplex auto
speed auto
crypto map SMAP
!
interface FastEthernet0/1
ip address 20.20.20.1 255.255.255.0
duplex auto
speed auto
!
ip local pool VPNPOOL 10.10.10.0 10.10.10.100
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
ntp clock-period 17179958
ntp server 193.233.1.69
!
end



In the Cisco VPN Client, set it up like this:
Enroll certificate
URL - http://<our router's IP address>:80/cgi-bin/pkiclient.exe
CN, in our case powerc
OU, in our case enginers
C - RU
Click Enroll
Then create a connection, tick the certificate checkbox and select the one we just obtained!
I'll describe it in detail soon
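The certificate blobs in the config above are plain DER-encoded X.509 in hex, so everything that matters for certificate-authenticated IKE (who issued the certificate, what subject it carries, how long it is valid, how strong the key and signature are) can be read straight out of the running-config. The following is an added example (my own code, not from the post and not a Cisco tool); it uses only the Python standard library and embeds the router's own certificate, the `certificate 03` blob under trustpoint CALOCAL, copied verbatim from the config. Decoding it shows the issuer as `CN=powerc OU=enginers C=RU` (the `issuer-name` line has no commas, so IOS put the whole string into one CN and there is no separate OU attribute), the subject `serialNumber=5D1B0A7, unstructuredName=c2811.local` (serial-number plus hostname, no OU), a one-day validity matching `lifetime certificate 1`, a 512-bit RSA key and an MD5-with-RSA signature.

```python
"""Decode the X.509 certificates that IOS embeds under `crypto pki certificate chain`.
Added example (standard library only), not from the original post; the hex blob below
is copied verbatim from the config above (`certificate 03`, trustpoint CALOCAL)."""
from datetime import datetime, timezone

ROUTER_CERT_HEX = """
308201CF 30820138 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
22312030 1E060355 04031317 706F7765 7263204F 553D656E 67696E65 72732043
3D525530 1E170D31 30303531 31313332 3731335A 170D3130 30353132 31333237
31335A30 2C312A30 0E060355 04051307 35443142 30413730 1806092A 864886F7
0D010902 160B6332 3831312E 6C6F6361 6C305C30 0D06092A 864886F7 0D010101
0500034B 00304802 4100E549 60E494AC F81665C0 36C82324 BA9D2225 B160B42F
70F7624D 9D189F7A 5E96B187 3E309D92 6AEDC7D0 46E2D4AA 88377B71 B64A5753
0FBEE7B8 CFEA42B8 53290203 010001A3 4F304D30 0B060355 1D0F0404 030205A0
301F0603 551D2304 18301680 144732D8 BAD128F1 95ADA765 A7806563 23D9E6F3
BE301D06 03551D0E 04160414 9384B204 2A1E326E 70CB99A2 F4C05575 4309381F
300D0609 2A864886 F70D0101 04050003 818100A8 3276045A 3447ECCE 3E955246
A82D3344 EA0885DA 893581E1 5453CB2E 28BF5CF8 B0EE8896 577BBF49 662BE43F
76972054 FDE6C692 F6AB4990 9BC16C6E F0793B65 0FA91C5B 248CEEB0 2BCCC61C
0B439529 F970E03B AEF5DFB5 0B609B4B 281DFD99 E2A07ACB 78D6547D 185CEE7B
669B9078 E8B4BA67 AD1A293B 79A43272 B88333
"""

# OIDs that occur in this certificate, plus the SHA-1 RSA signature variant.
OIDS = {"2.5.4.3": "CN", "2.5.4.5": "serialNumber", "2.5.4.11": "OU",
        "1.2.840.113549.1.9.2": "unstructuredName",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a SEQUENCE/SET into a list of (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        items.append((tag, val))
    return items

def _oid(raw):
    """Decode an OBJECT IDENTIFIER payload to dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _name(value):
    """Render a Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'attr=value, ...'."""
    parts = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            oid = _oid(oid)
            parts.append(f"{OIDS.get(oid, oid)}={val.decode('latin-1')}")
    return ", ".join(parts)

def _time(raw):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if len(raw) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def _rsa_bits(spki):
    """Modulus size in bits from an rsaEncryption SubjectPublicKeyInfo."""
    _, bit_string = _children(spki)[1]                 # [0] is the algorithm identifier
    (_, modulus), _ = _children(_children(bit_string[1:])[0][1])  # skip unused-bits byte
    return len(modulus.lstrip(b"\x00")) * 8

def describe_cert(cert_hex):
    """Summarise one certificate from the hex dump that `show running-config` prints."""
    der = bytes.fromhex("".join(cert_hex.split()))
    _, cert, _ = _tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = _children(cert)       # tbsCertificate, algorithm, signature
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                          # explicit [0] version tag (absent in v1)
        fields = fields[1:]
    serial, _, issuer, validity, subject, spki = (v for _, v in fields[:6])
    not_before, not_after = (_time(v) for _, v in _children(validity))
    sig_oid = _oid(_children(sig_alg)[0][1])
    return {"serial": int.from_bytes(serial, "big"),
            "issuer": _name(issuer), "subject": _name(subject),
            "not_before": not_before, "not_after": not_after,
            "lifetime_days": (not_after - not_before).days,
            "signature_algorithm": OIDS.get(sig_oid, sig_oid),
            "rsa_bits": _rsa_bits(spki)}

if __name__ == "__main__":
    print(describe_cert(ROUTER_CERT_HEX))
```

The same function accepts the `certificate ca 01` blob from the config, and any other certificate pasted from `show crypto pki certificates`. Comparing the decoded subject with the predicate an ISAKMP profile relies on (here `match certificate CERTMAP1`, i.e. `subject-name co ou = enginers`) is a quick way to confirm a peer certificate will actually select the profile before debugging a failed IKE negotiation.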
