使用ACS 授權 Anyconnect3.0 DTLS和IK

發布時間：2020-02-26 17:08:56 來源：網絡閱讀：1653 作者：wenlf136 欄目：安全技術

實驗目的：

1 使用Anyconnect3.0 撥號DTLS

2 使用Anyconnect3.0 撥號IPSec ×××

3 使用ACS 給用戶下放group-policy

拓撲：

使用ACS 授權 Anyconnect3.0 DTLS和IK

ASA配置：

interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 192.168.20.254 255.255.255.0

----------------------ASDM------------------------

asdm p_w_picpath disk0:/asdm-645-206.bin

http server enable 444
http 0.0.0.0 0.0.0.0 outside

-----------------------自簽發證書--------------------

crypto ca trustpoint ssl***ca
enrollment self
fqdn asa.ssl***.net
subject-name CN=asa.ssl***.net

crypto ca enroll ssl***ca noconfirm

----------------------SSL ×××----------------

web***
enable outside
anyconnect p_w_picpath disk0:/anyconnect-win-3.0.0629-k9.pkg 1
anyconnect profiles ikev2group1 disk0:/ikev2group1.xml //此命令ASDM 自動產生，后面會給出ASDM 的配置。
anyconnect enable
tunnel-group-list enable

group-policy ssl***policy internal
group-policy ssl***policy attributes
***-tunnel-protocol ikev2 ssl-client
web***
anyconnect profiles value ikev2group1 type user//此命令同上
username root password N7HlIItY8AVJppkQ encrypted privilege 15
tunnel-group ssl***tunnel type remote-access
tunnel-group ssl***tunnel general-attributes
authentication-server-group aaa
tunnel-group ssl***tunnel web***-attributes
group-alias hr enable

------------------IPSEC ×××----------------------

crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha

crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ssl***ca

crypto ipsec ikev2 ipsec-proposal ikev2ipsec
protocol esp encryption 3des
protocol esp integrity sha-1
crypto dynamic-map dymap 100 set ikev2 ipsec-proposal ikev2ipsec
crypto map ssl***map 1000 ipsec-isakmp dynamic dymap
crypto map ssl***map interface outside

---------------ACS 下放地址池-----------------------

使用ACS 授權 Anyconnect3.0 DTLS和IK