Latest reply: Jun 22, 2014 20:29:26

Hi guys, do you have any configuration example of an SSL VPN using eNSP?

I am reading the Documentation Center, but the examples there mention a CA server for PKI.

I am looking for an example that I can use with eNSP.



Created Jun 22, 2014 20:29:26

Well, actually I am trying to use a router as an SSL gateway.

All in eNSP.



Created Jun 9, 2014 02:47:51

eNSP's support for Eudemon is not good.


Example for Configuring the CA Certificate

This section describes a typical example of configuring a CA certificate. From the example you can learn the typical networking and the configuration method for a CA certificate.

Networking Requirements

The service requirements are as follows:

  • Create a virtual gateway named test. Users access intranet resources through this virtual gateway. The IP address of the virtual gateway is

  • The address range where the intranet resources reside is

  • The IP addresses of the intranet DNS servers are and, and the domain name is

  • The virtual gateway uses the certificate-challenge authentication mode. Both the assistant authentication mode and the authorization mode are VPNDB.

  • CRL checking is performed against the CA certificate so that a user cannot log in to the virtual gateway with a revoked certificate.

  • The CRL is updated through HTTP. The address of the primary CDP is, and that of the secondary CDP is

  • Suppose that the cn sub-field of the subject field of the client certificate is certuser.

Networking Diagram

Figure 1 Networking diagram of the example for configuring the certificate
Data for the example:

  • Interface GigabitEthernet 0/0/1
    IP address:

  • Interface GigabitEthernet 0/0/2
    IP address:

  • IP address of the virtual gateway:

  • IP addresses and domain name of the DNS servers
    Primary DNS server:
    Secondary DNS server:
    Domain name of the DNS server:

  • Method of checking the validity of the CA certificate: CRL checking

  • Method of obtaining the CDP: manually configured CDP

  • URLs of the primary and secondary CDP
    Primary CDP:
    Secondary CDP:

  • Authentication mode of the virtual gateway
    Authentication mode: certificate challenge
    Assistant authentication mode: VPNDB
    Authorization mode: VPNDB

  • User name and password for accessing the virtual gateway
    User name: certuser
    Password: 123456



  1. Add the interfaces to the corresponding security zones and configure interzone packet filtering so that the network can communicate normally. Details are omitted.

    Configure interzone packet filtering in the outbound direction between the zone that GigabitEthernet 0/0/1 belongs to and the Local zone, and in the inbound direction between the zone that GigabitEthernet 0/0/2 belongs to and the Local zone.

  2. Set the IP address of GigabitEthernet 0/0/1.

    <Eudemon> system-view
    [Eudemon] interface GigabitEthernet 0/0/1
    [Eudemon-GigabitEthernet0/0/1] ip address
    [Eudemon-GigabitEthernet0/0/1] quit

  3. Set the IP address of GigabitEthernet 0/0/2.

    [Eudemon] interface GigabitEthernet 0/0/2
    [Eudemon-GigabitEthernet0/0/2] ip address
    [Eudemon-GigabitEthernet0/0/2] quit

  4. Add a virtual gateway named test.

    [Eudemon] v-gateway test private

  5. Configure the DNS servers and the domain name.

    [Eudemon-test] basic
    [Eudemon-test-basic] dns-server
    [Eudemon-test-basic] dns-domain
    [Eudemon-test-basic] quit
    [Eudemon-test] quit
    [Eudemon] quit

  6. Import the CA certificate.

    NOTE: Suppose that the IP address of the user PC that logs in to the virtual gateway is, and that the FTP service is enabled on the PC so that the CA certificate file cert1.crt can be fetched from it.

    <Eudemon> ftp
    [ftp] get cert1.crt cert1.crt
    [ftp] quit
    <Eudemon> system-view
    [Eudemon] v-gateway test
    [Eudemon-test] basic
    [Eudemon-test-basic] certificate-ca certificate-file cert1.crt enable

  7. Enable CRL checking for the CA certificate cert1 so that the validity of the client certificate is checked against the CRL.

    [Eudemon-test-basic] certificate-ca cert1 check crl

  8. Configure the CDP to be obtained manually, with a primary and a secondary URL.

    [Eudemon-test-basic] certificate-ca cert1 cdp manual url
    [Eudemon-test-basic] certificate-ca cert1 cdp manual url secondary

  9. Enable the CDP.

    [Eudemon-test-basic] certificate-ca cert1 cdp enable

  10. Update the CRL manually.

    [Eudemon-test-basic] certificate-ca cert1 update-crl
    [Eudemon-test-basic] quit
    [Eudemon-test] quit

  11. Configure certificate-challenge authentication with VPNDB as the assistant authentication and authorization mode, require a client certificate, and take the user name from the cn sub-field of the certificate subject.

    [Eudemon] aaa
    [Eudemon-aaa] authentication-scheme test.scm
    [Eudemon-aaa-authen-test.scm] authentication-mode cert-challenge vpndb
    [Eudemon-aaa-authen-test.scm] quit
    [Eudemon-aaa] authorization-scheme test.scm
    [Eudemon-aaa-author-test.scm] authorization-mode vpndb
    [Eudemon-aaa-author-test.scm] quit
    [Eudemon-aaa] quit
    [Eudemon] v-gateway test
    [Eudemon-test] security
    [Eudemon-test-security] client-cert-require enable
    [Eudemon-test-security] certification cert-challenge cert-field user-filter subject cn
    [Eudemon-test-security] quit

  12. Configure the user in VPNDB. The user name must match the cn sub-field of the client certificate subject (certuser).

    [Eudemon-test] vpndb
    [Eudemon-test-vpndb] user certuser 123456 123456

  13. Save the configuration.

    [Eudemon-test-vpndb] quit
    [Eudemon-test] quit
    [Eudemon] quit
    <Eudemon> save

Verifying the configuration

NOTE: Before verifying the configuration, install the client certificate issued by the CA on the PC; otherwise the user cannot log in to the virtual gateway.

  1. Enter in the browser. The login page of the Web client is displayed.
  2. Enter the user name certuser and its password.
  3. Select the installed client certificate in the displayed window, and click OK.
  4. After the certificate authentication succeeds, the user logs in to the Web client homepage.


Created Jun 9, 2014 02:48:16
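The documentation steps above only show the gateway side; they never show what "check crl" is actually supposed to reject. As an added example (my own script, not Huawei's code and not part of the documentation or the post above), the following POSIX shell script uses the OpenSSL command line to reproduce that offline: it builds a throw-away CA standing in for cert1.crt, issues a client certificate with subject CN=certuser as in the example, publishes a CRL, and verifies the client certificate before and after revocation. The CA name, file names and the lab directory are assumptions of this demo.

```shell
#!/bin/sh
# Added example (not from the Huawei documentation or the forum post).
# It uses the OpenSSL command line to build a throw-away CA, issue a client
# certificate with subject CN=certuser as in the example, publish a CRL and
# check the outcome the gateway must produce with "check crl": the
# certificate is accepted while valid and rejected once it is on the CRL.
# The CA name, file names and the lab directory are assumptions of this demo.
set -eu

LAB="${LAB:-$(mktemp -d)}"

# Run a command with OpenSSL's chatter suppressed; exit status is preserved.
quiet() { "$@" >/dev/null 2>&1; }

# Root CA playing the role of cert1.crt, the file uploaded with
# "certificate-ca certificate-file cert1.crt enable".
make_ca() {
    quiet openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example SSL VPN CA" \
        -keyout "$LAB/ca.key" -out "$LAB/cert1.crt"
    # Minimal "openssl ca" database, needed only to revoke and to issue CRLs.
    : > "$LAB/index.txt"
    echo 1000 > "$LAB/crlnumber"
    cat > "$LAB/ca.cnf" <<EOF
[ ca ]
default_ca = vpnca
[ vpnca ]
database         = $LAB/index.txt
crlnumber        = $LAB/crlnumber
default_md       = sha256
default_crl_days = 7
EOF
}

# Client certificate whose subject CN is the name the gateway maps to the
# vpndb user ("certification cert-challenge cert-field user-filter subject cn").
issue_client() {    # $1 = CN, $2 = output path prefix
    quiet openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.csr"
    quiet openssl x509 -req -in "$2.csr" -CA "$LAB/cert1.crt" \
        -CAkey "$LAB/ca.key" -CAcreateserial -days 30 -out "$2.crt"
}

# Issue the current CRL and bundle it with the CA certificate. On the
# gateway this corresponds to fetching the CRL from the CDP ("update-crl").
publish_crl() {
    quiet openssl ca -config "$LAB/ca.cnf" -cert "$LAB/cert1.crt" \
        -keyfile "$LAB/ca.key" -gencrl -out "$LAB/crl.pem"
    cat "$LAB/cert1.crt" "$LAB/crl.pem" > "$LAB/bundle.pem"
}

# Revoke a client certificate at the CA. The gateway notices only after the
# next CRL update, which is why the CDP URLs and the CRL refresh matter.
revoke_client() {   # $1 = certificate file
    quiet openssl ca -config "$LAB/ca.cnf" -cert "$LAB/cert1.crt" \
        -keyfile "$LAB/ca.key" -revoke "$1"
}

# The check the gateway performs before certificate-challenge login:
# chain to the CA, validity period, and revocation status from the CRL.
check_login() {     # $1 = certificate file; prints ALLOW or DENY
    if quiet openssl verify -crl_check -CAfile "$LAB/bundle.pem" "$1"; then
        echo ALLOW
    else
        echo DENY
    fi
}

# Subject CN of a certificate, the field the example matches against vpndb.
cert_cn() {         # $1 = certificate file
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

make_ca
issue_client certuser "$LAB/client"
publish_crl
echo "$(cert_cn "$LAB/client.crt") before revocation: $(check_login "$LAB/client.crt")"
revoke_client "$LAB/client.crt"
publish_crl
echo "$(cert_cn "$LAB/client.crt") after revocation:  $(check_login "$LAB/client.crt")"
```

The second publish_crl is the part that matters in practice: until the gateway has fetched a CRL that lists the certificate, the revoked client still chains cleanly to cert1.crt and would be let in, which is why the example configures two CDP URLs and runs update-crl rather than relying on the CA certificate alone.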
