SSL VPN

Latest reply: Jun 22, 2014 20:29:26

Hi guys, do you have any configuration example of an SSL VPN using eNSP?

I am reading the Documentation Center, but the examples there mention a CA server to use PKI.

I am looking for an example that I can use with eNSP.


Thanks.


MauroLatam
Created Jun 22, 2014 20:29:26

Well, actually I am trying to use a router as an SSL gateway.

All in eNSP.


Thanks.




Sophoni
Created Jun 9, 2014 02:47:51

eNSP's support for Eudemon is not good.


Example for Configuring the CA Certificate

This section describes a typical example of configuring a CA certificate. It shows the typical networking and the configuration method for a CA certificate.

Networking Requirements

The service requirements are as follows:

  • Create a virtual gateway named test. Users access intranet resources through the virtual gateway. The IP address of the virtual gateway is 172.16.250.2/24.

  • The intranet resources reside in the address range 172.16.10.0/24.

  • The intranet DNS servers are 172.16.10.10/24 (primary) and 172.16.100.10/24 (secondary), and the domain name is internal.com.

  • The virtual gateway uses the certificate-challenge authentication mode; both the assistant authentication mode and the authorization mode are VPNDB.

  • CRL checking is performed against the CA certificate so that a user cannot log in to the virtual gateway with a revoked certificate.

  • The CRL is updated through HTTP. The address of the primary CDP is http://abc.com:839/ca_1.crl, and that of the secondary CDP is http://abc.com:839/ca_2.crl.

  • Assume that the cn sub-field of the subject field of the client certificate is certuser.

Networking Diagram

Figure 1 Networking diagram of the example for configuring the certificate

Item                                           Data                                          Description
(1)                                            Interface number: GigabitEthernet 0/0/1       -
                                               IP address: 172.16.10.1/24
(2)                                            Interface number: GigabitEthernet 0/0/2       -
                                               IP address: 172.16.250.2/24
IP address of virtual gateway                  172.16.250.2/24                               -
IP address and domain name of the DNS server   Primary DNS server: 172.16.10.10/24           -
                                               Secondary DNS server: 172.16.100.10/24
                                               Domain name of the DNS server: internal.com
Method of checking the validity of the CA      CRL detection                                 -
certificate
Obtaining method of the CDP                    Manually configured CDP                       -
URL addresses of the primary and secondary     Primary CDP: http://abc.com:839/ca_1.crl      -
CDP                                            Secondary CDP: http://abc.com:839/ca_2.crl
Authentication mode adopted by the virtual     Authentication mode: certificate challenge    -
gateway                                        Assistant authentication mode: VPNDB
                                               Authorization mode: VPNDB
User name and password for accessing the       User name: certuser                           -
virtual gateway                                Password: 123456

Procedure

  1. Add the interfaces to the corresponding security zones and configure interzone packet filtering so that the network communicates normally. Details are omitted.

    Configure outbound interzone packet filtering between the zone that GigabitEthernet 0/0/1 belongs to and the Local zone, and inbound interzone packet filtering between the zone that GigabitEthernet 0/0/2 belongs to and the Local zone.


  2. Set the IP address of GigabitEthernet 0/0/1.

    <Eudemon> system-view
    [Eudemon] interface GigabitEthernet 0/0/1
    [Eudemon-GigabitEthernet0/0/1] ip address 172.16.10.1 255.255.255.0
    [Eudemon-GigabitEthernet0/0/1] quit


  3. Set the IP address of GigabitEthernet 0/0/2.

    [Eudemon] interface GigabitEthernet 0/0/2
    [Eudemon-GigabitEthernet0/0/2] ip address 172.16.250.2 255.255.255.0
    [Eudemon-GigabitEthernet0/0/2] quit


  4. Add a virtual gateway named test.

    [Eudemon] v-gateway test 172.16.250.2 private www.test.com


  5. Configure the DNS server.

    [Eudemon-test] basic
    [Eudemon-test-basic] dns-server 172.16.10.10 172.16.100.10
    [Eudemon-test-basic] dns-domain internal.com
    [Eudemon-test-basic] quit
    [Eudemon-test] quit
    [Eudemon] quit


  6. Configure the CA certificate information.

    NOTE:

    Assume that the IP address of the PC from which the user logs in to the virtual gateway is 172.16.250.1/24, and that the FTP service is enabled on the PC.

    <Eudemon> ftp 172.16.250.1
    [ftp] get cert1.crt cert1.crt
    [ftp] quit
    <Eudemon> system-view
    [Eudemon] v-gateway test
    [Eudemon-test] basic
    [Eudemon-test-basic] certificate-ca certificate-file cert1.crt enable


  7. Configure the certificate, so that the CRL detection is implemented to check the validity of the certificate.

    [Eudemon-test-basic] certificate-ca cert1 check crl


  8. Configure the obtaining mode of the CDP as the manual mode.

    [Eudemon-test-basic] certificate-ca cert1 cdp manual url http://abc.com:839/ca_1.crl
    [Eudemon-test-basic] certificate-ca cert1 cdp manual url http://abc.com:839/ca_2.crl secondary


  9. Enable CDP.

    [Eudemon-test-basic] certificate-ca cert1 cdp enable 


  10. Update the CRL information manually.

    [Eudemon-test-basic] certificate-ca cert1 update-crl
    [Eudemon-test-basic] quit
    [Eudemon-test] quit


  11. Configure the certificate-challenge authentication.

    [Eudemon] aaa
    [Eudemon-aaa] authentication-scheme test.scm
    [Eudemon-aaa-authen-test.scm] authentication-mode cert-challenge vpndb
    [Eudemon-aaa-authen-test.scm] quit
    [Eudemon-aaa] authorization-scheme test.scm
    [Eudemon-aaa-author-test.scm] authorization-mode vpndb
    [Eudemon-aaa-author-test.scm] quit
    [Eudemon-aaa] quit
    [Eudemon] v-gateway test
    [Eudemon-test] security
    [Eudemon-test-security] client-cert-require enable
    [Eudemon-test-security] certification cert-challenge cert-field user-filter subject cn
    [Eudemon-test-security] quit


  12. Configure the user.

    [Eudemon-test] vpndb [Eudemon-test-vpndb] user certuser 123456 123456


  13. Save configurations.

    [Eudemon-test-vpndb] quit
    [Eudemon-test] quit
    [Eudemon] quit
    <Eudemon> save


Verifying the configuration

NOTE:

Before verifying the configuration, install the client certificate issued by the CA on the PC; otherwise the user cannot log in to the virtual gateway.

  1. Enter https://172.16.250.2 in the browser. The login page of the Web client is displayed.
  2. Enter the user name certuser and its password. After the client certificate authentication succeeds, you can log in to the Web client homepage.
  3. Select the installed client certificate in the displayed window, and click OK.
  4. The user passes the certificate authentication and logs in to the Web client homepage successfully.
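
The example above assumes an existing CA that issued cert1.crt, the client certificate and the CRLs published at the CDP URLs, which is exactly what is missing in an eNSP lab. The following OpenSSL script is an added example, not part of the original post or of Huawei's documentation: it builds a throwaway CA on a workstation and produces cert1.crt (the CA certificate the gateway fetches over FTP in step 6), a client certificate whose subject CN is certuser (the field that "cert-field user-filter subject cn" maps to the VPNDB user name in step 11), and ca_1.crl (the file to serve at the primary CDP URL from step 8). It then shows the two checks the gateway makes at login, chain verification against the CA certificate and the CRL check, before and after the client certificate is revoked. The directory layout, the CA name "Lab Root CA", the 2048-bit RSA keys and the 365-day/30-day validity periods are assumptions.

```shell
#!/bin/sh
# Throwaway lab CA for the SSL VPN certificate-challenge example.
# Added example, not from the original post or Huawei's documentation.
# Assumptions: directory layout, "Lab Root CA" name, 2048-bit RSA keys,
# 365-day certificates and 30-day CRLs.
set -eu

# Build the CA and issue the client certificate and the first CRL into $1.
make_lab_pki() {
  mkdir -p "$1/newcerts"
  dir=$(cd "$1" && pwd)            # absolute path for openssl.cnf
  : > "$dir/index.txt"             # empty certificate database
  echo 1000 > "$dir/serial"
  echo 1000 > "$dir/crlnumber"

  # Minimal openssl.cnf: enough for `openssl ca` to sign, revoke and issue CRLs.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = lab_ca
[ lab_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cert1.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = lab_policy
x509_extensions  = v3_client
[ lab_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

  # CA certificate: this is the cert1.crt the gateway fetches in step 6.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Lab Root CA" -keyout "$dir/ca.key" -out "$dir/cert1.crt"

  # Client certificate with subject CN=certuser, the value that the gateway's
  # "cert-field user-filter subject cn" maps to the VPNDB user name.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=certuser" -keyout "$dir/client.key" -out "$dir/client.csr"
  openssl ca -batch -notext -config "$dir/openssl.cnf" \
    -in "$dir/client.csr" -out "$dir/client.crt"

  # First CRL (no revocations yet): this is the ca_1.crl to publish at the CDP.
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/ca_1.crl"
}

# Revoke the client certificate and reissue the CRL, as the CA operator
# would do before the gateway's next update-crl.
revoke_client() {
  openssl ca -config "$1/openssl.cnf" -revoke "$1/client.crt"
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca_1.crl"
}

# The two checks the gateway makes at login: chain to cert1.crt and
# CRL check against ca_1.crl. Exit status 0 means the certificate is accepted.
verify_client() {
  openssl verify -crl_check -CAfile "$1/cert1.crt" -CRLfile "$1/ca_1.crl" \
    "$1/client.crt"
}

# Subject CN of the client certificate; this must match a VPNDB user name.
client_cn() {
  openssl x509 -in "$1/client.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Stand-alone demo: sh lab_pki.sh demo
if [ "${1:-}" = "demo" ]; then
  make_lab_pki ./labpki
  echo "client CN: $(client_cn ./labpki)"
  verify_client ./labpki
  revoke_client ./labpki
  verify_client ./labpki || echo "revoked certificate rejected, as expected"
fi
```

Copy labpki/cert1.crt to the FTP server on the PC for step 6, serve labpki/ca_1.crl over HTTP at the primary CDP URL for step 8 (and run update-crl from step 10 after every revocation), and import the client key pair into the browser as a PKCS#12 file made with `openssl pkcs12 -export -inkey labpki/client.key -in labpki/client.crt -out client.p12`. Note that the CRL check as configured here only works while the gateway can reach the CDP; if the CRL is unreachable or expired, test what the gateway does in that case before relying on revocation.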

 


Sophoni
Created Jun 9, 2014 02:48:16
