SSL VPN is the simplest and safest solution for remote users who need to access sensitive company data. Compared with the more complex IPsec VPN, SSL VPN provides remote access through a simple, easy-to-use method. SSL VPN can be used from any machine that has a browser, because SSL is built into the browser, so there is no need to install client software on every client as with a traditional IPsec VPN.
I. Network structure
Router x2 (7200)
PC x1 (Windows XP)
II. SSL VPN server configuration
1. Format disk0
(Itchenyi) R1#format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:". Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
...............................................................................................................
Monlib write complete
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 8003
Format: Total bytes in formatted partition: 4097536
Format: Operation completed successfully.
Format of disk0 complete
2. Upload the client software
(Itchenyi) R1#copy tftp disk0:
Address or name of remote host []? 192.168.1.100
Source filename []? sslclient-win-1.1.3.173.pkg
Destination filename [sslclient-win-1.1.3.173.pkg]?
Accessing tftp://192.168.1.100/sslclient-win-1.1.3.173.pkg...
Loading sslclient-win-1.1.3.173.pkg from 192.168.1.100 (via FastEthernet1/0): !!
[OK - 416354 bytes]
416354 bytes copied in 12.288 secs (33883 bytes/sec)
3. Install the client software
(Itchenyi) R1(config)#webvpn install svc disk0:/sslclient-win-1.1.3.173.pkg
SSLVPN Package SSL-VPN-Client : installed successfully
4. Configure SSL VPN
(Itchenyi) R1(config)#aaa new-model
(Itchenyi) R1(config)#aaa authentication login default local   # prevents being locked out of exec mode after a console timeout
(Itchenyi) R1(config)#aaa authentication login webvpn local
(Itchenyi) R1(config)#ip local pool ssl-add 11.1.1.10 11.1.1.20
(Itchenyi) R1(config)#username Itchenyi password 123   # define the local username and password used for WebVPN authentication
(Itchenyi) R1(config)#webvpn gateway vpngateway   # define which interface WebVPN listens on; at this point IOS automatically generates a self-signed certificate
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
(Itchenyi) R1(config-webvpn-gateway)#ip address 192.168.1.1 port 443
(Itchenyi) R1(config-webvpn-gateway)#inservice   # enable the WebVPN gateway
(Itchenyi) R1(config-webvpn-gateway)#webvpn context webcontext   # define the WebVPN context, the equivalent of an ASA tunnel-group, where you can define
(Itchenyi) R1(config-webvpn-context)#gateway vpngateway   # associate the context with the gateway
(Itchenyi) R1(config-webvpn-context)#aaa authentication list webvpn
(Itchenyi) R1(config-webvpn-context)#inservice   # enable the WebVPN context
(Itchenyi) R1(config-webvpn-context)#policy group sslvpn-policy   # enter the SSL VPN policy group
(Itchenyi) R1(config-webvpn-group)#functions svc-enabled
(Itchenyi) R1(config-webvpn-group)#svc address-pool ssl-add   # assign the address pool used by the SVC client
(Itchenyi) R1(config-webvpn-group)#svc split include 192.168.10.0 255.255.255.0   # define the split-tunnel destination network; if not configured, the default is 0.0.0.0
(Itchenyi) R1(config-webvpn-group)#exit
(Itchenyi) R1(config-webvpn-context)#default-group-policy sslvpn-policy   # when several policy groups are configured, this is the one used by default
Note: In IOS, if the address pool is not in an existing segment, you need to create a loopback interface in the same network segment as the address pool to serve as the VPN client gateway; otherwise the gateway reports an error. You can also specify a virtual-host in the context, similar to host headers in IIS, allowing multiple host names to map to the same IP address; the context can also set the style of the web login page, such as the logo and title.
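The configuration above only works when every reference resolves: the context must name a defined gateway and AAA list, the policy group must name a defined address pool, and both gateway and context must be inservice. This is an added example, not code from the original post: a small Python check that parses a saved configuration in this shape (the sample is constructed from the tutorial, with the names lower-cased) and reports dangling references, including the kind of mixed-case mismatch (Ssl-add versus ssl-add) that IOS treats as two different names.

```python
import re
# Constructed sample mirroring the tutorial's WebVPN configuration (names lower-cased).
SAMPLE_CONFIG = """\
aaa authentication login webvpn local
ip local pool ssl-add 11.1.1.10 11.1.1.20
webvpn gateway vpngateway
 ip address 192.168.1.1 port 443
 inservice
webvpn context webcontext
 gateway vpngateway
 aaa authentication list webvpn
 inservice
 policy group sslvpn-policy
  functions svc-enabled
  svc address-pool ssl-add
 default-group-policy sslvpn-policy
"""

def check_webvpn(config):
    """Return a list of findings; an empty list means every reference resolves."""
    pools = set(re.findall(r"^ip local pool (\S+)", config, re.M))
    aaa_lists = set(re.findall(r"^aaa authentication login (\S+)", config, re.M))
    gateways, contexts, cur, grp = {}, {}, None, None
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["webvpn", "gateway"]:
            cur, grp = gateways.setdefault(t[2], {"inservice": False}), None
        elif t[:2] == ["webvpn", "context"]:
            cur, grp = contexts.setdefault(t[2], {"inservice": False, "groups": {}}), None
        elif not t or cur is None:
            continue  # blank line or global config we do not track
        elif t[:2] == ["policy", "group"]:
            grp = cur["groups"].setdefault(t[2], {"pool": None})
        elif t[:2] == ["svc", "address-pool"] and grp is not None:
            grp["pool"] = t[2]
        elif t[0] == "inservice":
            cur["inservice"] = True
        elif t[0] in ("gateway", "default-group-policy", "aaa"):
            cur[t[0]] = t[-1]  # 'gateway X', 'default-group-policy X', 'aaa authentication list X'
    findings = [f"gateway {g} is not inservice" for g, gw in gateways.items() if not gw["inservice"]]
    for c, ctx in contexts.items():
        checks = [
            (ctx.get("gateway") in gateways, f"context {c}: gateway {ctx.get('gateway')} is not defined"),
            (ctx.get("aaa") in aaa_lists, f"context {c}: aaa list {ctx.get('aaa')} is not defined"),
            (ctx["inservice"], f"context {c} is not inservice"),
            (ctx.get("default-group-policy") in ctx["groups"], f"context {c}: default-group-policy is not a defined policy group"),
        ]
        for name, g in ctx["groups"].items():  # IOS names are case-sensitive: 'Ssl-add' != 'ssl-add'
            checks.append((g["pool"] in pools, f"policy group {name}: address pool {g['pool']} is not defined"))
        findings += [msg for ok, msg in checks if not ok]
    return findings
```

Run it against the output of `show running-config` saved to a file; an empty list means the gateway, context, AAA list, policy group and address pool all line up.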