CENT-SRV
※ Copy the distributed anyconnect.xml file into /var/www/html as a file named acvpn.xml
CENT-R
conf t
crypto key generate rsa general-keys label VPN-KEY mod 2048
crypto pki trustpoint VPN-TP
enrollment url http://203.230.10.1
usage ike
usage ssl-server
fqdn vpn.skills2021.kr
subject-name CN=vpn.skills2021.kr
rsakeypair VPN-KEY
revocation-check none
auto-enroll
eku request server-auth client-auth ipsec-end-system ipsec-tunnel ipsec-user
hash sha256
exit
crypto pki authenticate VPN-TP
[yes/no]: yes
crypto pki enroll VPN-TP
※ Challenge password: korea2021##
[yes/no]: yes
[no]: no
[yes/no]: yes
do copy tftp://2001:10:202:2::1/acvpn.xml flash:
※ The file must be copied as acvpn.xml
crypto vpn anyconnect profile ANYCONNECT flash:acvpn.xml
no crypto ikev2 http-url cert
no ip http server
no ip http secure-server
aaa new-model
ldap server LDAP
ipv4 172.16.0.1
base-dn ou=vpn,dc=skills2021,dc=kr
bind authenticate root-dn "cn=admin,dc=skills2021,dc=kr" password korea2021##
authentication bind-first
exit
aaa authentication login EAP group ldap local
aaa authorization network EAP local
ip local pool POOL 10.2.0.100 10.2.0.200
crypto ikev2 authorization policy AUTH
dns 172.16.0.1
pool POOL
netmask 255.255.255.0
exit
crypto ikev2 proposal VPN-PROPOSAL
encryption aes-cbc-256
integrity sha256
group 14
exit
crypto ikev2 policy VPN-POLICY
proposal VPN-PROPOSAL
exit
crypto ikev2 profile VPN-PROFILE
match identity remote key-id *$AnyConnectClient$*
pki trustpoint VPN-TP
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
aaa authentication anyconnect-eap EAP
aaa authorization group anyconnect-eap list EAP AUTH
aaa authorization user anyconnect-eap cached
anyconnect profile ANYCONNECT
virtual-template 10
dpd 60 2 on-demand
exit
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile IPSEC-PROFILE
set transform-set VPN-TS
set ikev2-profile VPN-PROFILE
exit
int lo 100
ip add 10.2.0.254 255.255.255.0
exit
interface virtual-template 10 type tunnel
ip unnumbered lo 100
tunnel source gig0/0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE
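As an added example (not part of the original post or of Cisco's own tooling), the following Python script audits a show-run style excerpt modelled on the CENT-R configuration above. It groups sub-commands under their parent command and reports the settings a defender would review before putting the headend into service: revocation checking disabled on the trustpoint, the LDAP bind password present in the configuration, weak IKEv2 proposal algorithms, the SHA-1 HMAC selected by esp-sha-hmac in the transform set, and the management web server if it were still enabled. The sample configuration, the finding codes and the weak-algorithm lists are constructed for this example; the check goes beyond the page's single proposal and also handles proposals that list several algorithms.

```python
"""Audit an IOS-style IKEv2/AnyConnect configuration for security-relevant settings.

Added example, not from the original page: parses a show-run style excerpt into
sections and reports settings a defender would review before deployment.
"""
from typing import Dict, List, Tuple

# Constructed sample modelled on the CENT-R configuration (show-run style,
# sub-commands indented by one space). The bind password is the page's example value.
SAMPLE_CONFIG = """\
crypto pki trustpoint VPN-TP
 enrollment url http://203.230.10.1
 revocation-check none
 hash sha256
ldap server LDAP
 ipv4 172.16.0.1
 bind authenticate root-dn "cn=admin,dc=skills2021,dc=kr" password korea2021##
crypto ikev2 proposal VPN-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 profile VPN-PROFILE
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 dpd 60 2 on-demand
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
no ip http server
no ip http secure-server
"""

# Algorithm names as they appear in IKEv2 proposal sub-commands (constructed lists).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}

Finding = Tuple[str, str, str]  # (finding code, section header, explanation)


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under the top-level command that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment/separator lines
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> List[Finding]:
    """Return one finding per reviewable setting found in the configuration text."""
    findings: List[Finding] = []
    for header, body in parse_sections(config).items():
        header_words = header.split()
        if header.startswith("crypto pki trustpoint"):
            if "revocation-check none" in body:
                findings.append(("PKI_NO_REVOCATION", header,
                                 "revoked certificates are still accepted; use crl or ocsp"))
        elif header.startswith("ldap server"):
            for line in body:
                if line.startswith("bind authenticate") and " password " in line:
                    findings.append(("LDAP_CLEARTEXT_BIND", header,
                                     "bind credential is present in the running config; "
                                     "restrict who can view it and use a least-privilege bind account"))
        elif header.startswith("crypto ikev2 proposal"):
            for line in body:
                keyword, _, rest = line.partition(" ")
                algs = set(rest.split())  # a sub-command may list several algorithms
                if keyword == "encryption" and algs & WEAK_ENCRYPTION:
                    findings.append(("IKEV2_WEAK_ENCRYPTION", header,
                                     f"weak cipher(s) offered: {sorted(algs & WEAK_ENCRYPTION)}"))
                elif keyword == "integrity" and algs & WEAK_INTEGRITY:
                    findings.append(("IKEV2_WEAK_INTEGRITY", header,
                                     f"weak integrity algorithm(s): {sorted(algs & WEAK_INTEGRITY)}"))
                elif keyword == "group" and algs & WEAK_DH_GROUPS:
                    findings.append(("IKEV2_WEAK_DH_GROUP", header,
                                     f"weak DH group(s): {sorted(algs & WEAK_DH_GROUPS)}"))
        elif header.startswith("crypto ipsec transform-set"):
            if "esp-sha-hmac" in header_words:
                findings.append(("IPSEC_SHA1_HMAC", header,
                                 "esp-sha-hmac is HMAC-SHA1; prefer esp-sha256-hmac"))
        elif header in ("ip http server", "ip http secure-server"):
            # "no ip http server" produces a different header and is therefore not flagged
            findings.append(("HTTP_SERVER_ENABLED", header,
                             "management web server is enabled on the VPN headend"))
    return findings


if __name__ == "__main__":
    for code, section, explanation in audit(SAMPLE_CONFIG):
        print(f"{code:22} [{section}] {explanation}")
```

Run against the sample, the script reports the disabled revocation check, the LDAP bind credential and the SHA-1 HMAC; the page's IKEv2 proposal (AES-256-CBC, SHA-256, group 14) and the disabled HTTP servers produce no findings.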
EX-FW
access-list OUT-TO-IN extended permit ip 10.2.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-group OUT-TO-IN in interface OUTSIDE
Configure the VPN client on REMOTE
REMOTE
※ Copy the distributed anyconnect.xml file onto REMOTE.
※ Extract the distributed .anyconnect-win-4.8.03052-core-vpn-webdeploy-k9.zip and install the AnyConnect VPN client program
※ Rename anyconnect.xml to acvpn.xml and copy it into the C:\programdata\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
directory. (C:\programdata is a hidden folder)
※ Restart the AnyConnect client program
EX-FW
conf t
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
CENT-FW
conf t
access-list OUT-TO-IN extended permit ip 10.2.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-group OUT-TO-IN in interface outside