Physical server

[21 National] Task 3: AnyConnect VPN

_눙이_ 2021. 11. 11. 16:05

CENT-SRV

※ Copy the distributed file anyconnect.xml into /var/www/html as a file named acvpn.xml.

 

CENT-R

conf t
crypto key generate rsa general-keys label VPN-KEY mod 2048

crypto pki trustpoint VPN-TP
enrollment url http://203.230.10.1
usage ike
usage ssl-server
fqdn vpn.skills2021.kr
subject-name CN=vpn.skills2021.kr
rsakeypair VPN-KEY
revocation-check none
auto-enroll
eku request server-auth client-auth ipsec-end-system ipsec-tunnel ipsec-user
hash sha256
exit

crypto pki authenticate VPN-TP
[yes/no]: yes

crypto pki enroll VPN-TP
※ Password: korea2021##
[yes/no]: yes
[no]: no
[yes/no]: yes

do copy tftp://2001:10:202:2::1/acvpn.xml flash:
※ The file must be copied with the name acvpn.xml.

crypto vpn anyconnect profile ANYCONNECT flash:acvpn.xml

no crypto ikev2 http-url cert
no ip http server
no ip http secure-server

aaa new-model

ldap server LDAP
ipv4 172.16.0.1
base-dn ou=vpn,dc=skills2021,dc=kr
bind authenticate root-dn "cn=admin,dc=skills2021,dc=kr" password korea2021##
authentication bind-first
exit

aaa authentication login EAP group ldap local
aaa authorization network EAP local

ip local pool POOL 10.2.0.100 10.2.0.200

crypto ikev2 authorization policy AUTH
dns 172.16.0.1
pool POOL
netmask 255.255.255.0
exit

crypto ikev2 proposal VPN-PROPOSAL
encryption aes-cbc-256
integrity sha256
group 14
exit

crypto ikev2 policy VPN-POLICY
proposal VPN-PROPOSAL
exit

crypto ikev2 profile VPN-PROFILE
match identity remote key-id *$AnyConnectClient$*
pki trustpoint VPN-TP
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
aaa authentication anyconnect-eap EAP
aaa authorization group anyconnect-eap list EAP AUTH
aaa authorization user anyconnect-eap cached
anyconnect profile ANYCONNECT
virtual-template 10
dpd 60 2 on-demand
exit

crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
mode tunnel
exit

crypto ipsec profile IPSEC-PROFILE
set transform-set VPN-TS
set ikev2-profile VPN-PROFILE
exit

int lo 100
ip add 10.2.0.254 255.255.255.0
exit

interface virtual-template 10 type tunnel
ip unnumbered lo 100
tunnel source gig0/0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE
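As an added example (not part of the original post or of any Cisco tooling), the following Python script parses a router configuration in `show running-config` layout and flags the settings a reviewer would question in the CENT-R configuration above: `revocation-check none` on the trustpoint, an LDAP bind with no TLS (the bind credential and each user's EAP password then cross the network in cleartext), the SHA-1 HMAC in the IPsec transform set, and the `local` fallback in the login method list. The sample config is a constructed copy of the post's commands; the severities, the check list and the keywords used for the hardened variant (`revocation-check crl`, `mode secure no-negotiation`, `esp-sha256-hmac`) are the example's own assumptions, not competition requirements.

```python
"""Audit a Cisco IOS IKEv2 / AnyConnect configuration for risky settings.

Added example, not part of the original post. SAMPLE_CONFIG is a constructed
copy of the CENT-R configuration above in `show running-config` layout
(submode commands indented one space). Checks, severities and the keywords in
HARDENED_CONFIG are this example's own assumptions, not competition requirements.
"""

# Constructed sample: the router configuration from the post.
SAMPLE_CONFIG = """\
crypto pki trustpoint VPN-TP
 enrollment url http://203.230.10.1
 subject-name CN=vpn.skills2021.kr
 revocation-check none
 hash sha256
ldap server LDAP
 ipv4 172.16.0.1
 base-dn ou=vpn,dc=skills2021,dc=kr
 bind authenticate root-dn "cn=admin,dc=skills2021,dc=kr" password korea2021##
 authentication bind-first
aaa authentication login EAP group ldap local
crypto ikev2 proposal VPN-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 profile VPN-PROFILE
 match identity remote key-id *$AnyConnectClient$*
 authentication remote anyconnect-eap aggregate
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
"""

# Hardened variant. Assumed IOS keywords: "revocation-check crl",
# "mode secure no-negotiation" (LDAP over TLS) and "esp-sha256-hmac".
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace("revocation-check none", "revocation-check crl")
    .replace(" ipv4 172.16.0.1\n", " ipv4 172.16.0.1\n mode secure no-negotiation\n")
    .replace("esp-sha-hmac", "esp-sha256-hmac")
)

# IKEv2 proposal keyword -> (values considered weak, severity)
IKEV2_WEAK = {
    "encryption": ({"des", "3des"}, "high"),
    "integrity": ({"md5", "sha1"}, "medium"),
    "group": ({"1", "2", "5"}, "high"),
}


def parse_sections(config_text):
    """Split config text into (top-level command, [submode commands]) pairs.
    A line at column 0 opens a section; indented lines join the last one.
    Blank lines and '!' separators are skipped."""
    sections = []
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(stripped)
        else:
            sections.append((stripped, []))
    return sections


def audit(config_text):
    """Return findings as dicts with keys severity, section, message."""
    findings = []

    def add(severity, section, message):
        findings.append({"severity": severity, "section": section, "message": message})

    for header, body in parse_sections(config_text):
        words = header.split()
        if header.startswith("crypto pki trustpoint"):
            if "revocation-check none" in body:
                add("medium", header, "revocation checking disabled: a revoked "
                    "client certificate is still accepted")
        elif header.startswith("ldap server"):
            if not any(line.startswith(("mode secure", "secure cipher")) for line in body):
                add("high", header, "LDAP bind without TLS: the bind credential and "
                    "every user's EAP password cross the network in cleartext")
            if any(line.startswith("bind authenticate") and " password " in line for line in body):
                add("low", header, "bind credential embedded in the configuration; "
                    "restrict who can view the running config")
        elif header.startswith("crypto ikev2 proposal"):
            for line in body:
                parts = line.split()
                weak, severity = IKEV2_WEAK.get(parts[0], (set(), None))
                if weak & set(parts[1:]):
                    add(severity, header, "weak IKEv2 parameter: " + line)
        elif header.startswith("crypto ipsec transform-set") and "esp-sha-hmac" in words:
            add("low", header, "ESP integrity is SHA-1 HMAC; prefer esp-sha256-hmac")
        elif header.startswith("aaa authentication login") and words[-1] == "local":
            add("info", header, "falls back to local accounts when the LDAP server is "
                "unreachable; make sure those accounts are intentional")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg):
            print(f"[{f['severity']}] {f['section']}: {f['message']}")
```

Running the script prints five findings for the post's configuration and two for the hardened variant (the embedded bind credential and the `local` fallback remain, since neither is a keyword change). The parser deliberately keys on column-0 versus indented lines rather than on a command grammar, which is enough for the submode structure IOS prints and keeps the checks easy to extend with further `elif` branches.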

 

EX-FW
access-list OUT-TO-IN extended permit ip 10.2.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-group OUT-TO-IN in interface OUTSIDE

 

REMOTE VPN client configuration

REMOTE
※ Copy the distributed anyconnect.xml file onto REMOTE.

※ Extract the distributed .anyconnect-win-4.8.03052-core-vpn-webdeploy-k9.zip and install the AnyConnect VPN client program.

Rename anyconnect.xml to acvpn.xml and copy it into the folder C:\programdata\Cisco\Cisco AnyConnect Secure Mobility Client\Profile (C:\programdata is a hidden folder).

Restart the AnyConnect client program.

 

EX-FW

conf t
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru

 

CENT-FW

conf t
access-list OUT-TO-IN extended permit ip 10.2.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-group OUT-TO-IN in interface outside
