[计算机]MSRSSLVPN配置案例.doc

命令行配置:H3Cdis cu# version 5.20, ESS 1713L04, Standard# sysname H3C# ftp server enable# ipsec cpu-backup enable# domain default enable system#vlan 1#domain system access-limit disable state active idle-cut disable self-service-url disable#pki entity ssl common-name ssl organization-unit h3c-800 organization h3c locality beijing state beijing country cn#pki domain ssl ca identifier ssl certificate request from ra certificate request entity ssl crl check disable#user-group system#local-user admin password cipher .USE=B,53Q=QMAF41! authorization-attribute level 3 service-type telnet service-type ftp#ssl server-policy sslvpn pki-domain ssl#interface Aux0 async mode flow link-protocol ppp#interface GigabitEthernet0/0 port link-mode route description 69/23 ip address dhcp-alloc#interface GigabitEthernet0/1 port link-mode route ip address #interface GigabitEthernet7/0 port link-mode bridge#interface Encrypt11/0# ssl-vpn server-policy sslvpn ssl-vpn enable#user-interface con 0user-interface aux 0user-interface vty 0 4#returnH3C将sslvpn_ca.crt和sslvpn_local.pfx上传到路由器Flash中H3Cpki import-certificate ca domain ssl der filename sslvpn_ca.crt The trusted CAs finger print is: MD5 fingerprint:FB52 90D5 822C 2BAC DB50 2499 7B88 4B59 SHA1 fingerprint:6FFB E756 DC46 0739 A2F5 48CB 0D8A B186 0258 2888 Is the finger print correct?(Y/N):y%Jan 14 11:33:07:637 2009 H3C PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain ssl is trusted.Import CA certificate successfully.%Jan 14 11:33:07:649 2009 H3C PKI/4/Update_CA_Cert:Update CA certificates of the Domain ssl successfully.%Jan 14 11:33:07:649 2009 H3C PKI/4/Import_CA_Cert:Import CA certificates of the domain ssl successfully.H3Cpki import-certificate local domain ssl p12 filename sslvpn_local.pfx Please input challenge password:(在此输入导入时保护密码123456)The trusted CAs finger print is: MD5 fingerprint:FB52 90D5 822C 2BAC DB50 2499 7B88 4B59 SHA1 fingerprint:6FFB E756 DC46 0739 A2F5 48CB 0D8A B186 0258 2888 Is the finger print correct?(Y/N):y%Jan 14 11:33:40:951 2009 H3C PKI/4/Verify_CA_Root_Cert:CA root certificate of the domain ssl is trusted.Import CA certificate successfully.%Jan 14 11:33:40:970 2009 H3C PKI/4/Update_CA_Cert:Update CA certificates of the Domain ssl successfully.%Jan 14 11:33:40:971 2009 H3C PKI/4/Import_CA_Cert:Import CA certificates of the domain ssl successfully.%Jan 14 11:33:40:971 2009 H3C PKI/4/Verify_Cert:Verify certificate CN=sslvpn,OU=secpath,O=h3c,C=cn,emailAddress= of the domain ssl successfully.Import local certificate successfully.Import key pair successfully.%Jan 14 11:33:40:983 2009 H3C PKI/4/Import_Local_Cert:Import local certificate of the domain ssl successfully.%Jan 14 11:33:41:83 2009 H3C PKI/4/Import_Local_Key:Import local private key of the domain ssl successfully.display pki certificate ca domain ssl Certificate: Data: Version: 1 (0x0) Serial Number: C0EA4AD6 1850674D 6C010253 B45D6480 Signature Algorithm: sha1WithRSAEncryption Issuer: emailAddress= C=cn O=qw OU=qw CN=qw Validity Not Before: May 24 08:45:43 2007 GMT Not After : May 24 09:22:55 2010 GMT Subject: emailAddress= C=cn O=qw OU=qw CN=qw Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00E5AAF9 BCD312A0 EC86AF46 474567B3 49FF686A 8B012744 33D6BE0B 1F74C4CE 3411EA58 F4D6451C F98395A1 87AC4D05 47A92D5F EECECFE8 000CEC66 47A12A53 0613920C EFDE8150 A599A65C CA2E47C3 FAEC8E3D 68CAD2FD 2C43A70A 445992BB BD9A4D76 87A042AD A087866E 9331DCE7 3D361C2B 6EBE15CC 9183624A CD8B1502 C1 Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 947CDCB4 6C331375 94F0F43C 2A1E6892 48646990 4D8FDE98 C624C754 1F2F39EC 40D9AF8D 85AF7E4E B796A335 5A86BA01 91D4D9F6 A1537F8C 45D285D5 8D97A397 0FB1A7A2 9602E88F A7627F73 358FAE8F 856D735D 345A7DD6 10D72B39 166ACB3E 4C2A5A6C C997E193 6AB1AAA3 4696C0D3 B4055257 C646CB4B 615770C4 039D8BC2 display pki certificate local domain ssl Certificate: Data: Version: 3 (0x2) Serial Number: ACC6F7FD D04467E0 CCDD89BE C631FD8B Signature Algorithm: sha1WithRSAEncryption Issuer: emailAddress= C=cn O=qw OU=qw CN=qw Validity Not Before: Sep 7 04:05:07 2007 GMT Not After : May 21 09:29:07 2010 GMT Subject: emailAddress= C=cn O=h3c OU=secpath CN=sslvpn Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00E1D684 18602E24 93830EDC 75758325 E8F64FD4 FCD08B6D 317372EA DFC72389 C6E71D83 BCC9C682 EEE889E8 B085520A 887A6484 8C8B7872 92C04E83 C584A2A3 B7D6AB28 D00E5DC9 2F17F082 7A85085D B091D1AB 79D8A3F8 0D9AB36C A4DF40BE FF9655FF 5B141729 F1273760 1B8ED3CD 160B21BD 8A46DBD1 113067A7 1F0F7F2F 9D Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:39553C9D 9A1A1BB4 8B1356BE 5176FE0D 0FEEAA72 X509v3 Key Usage: critical Digital Signature X509v3 Subject Alternative Name: email: X509v3 Subject Key Identifier: CBB30C6A 7B309719 E228A17F 14DBB1CF 8578A8DA X509v3 CRL Distribution Points: DirName:CN=qw,OU=qw,O=qw,C=cn,emailAddress= Signature Algorithm: sha1WithRSAEncryption 15E1F535 AA393891 58FD4E41 DBD9E918 3E8DD368 52AADDB5 FCC4418A 0B1DAAD4 106FA851 F598BF2A B98E5A37 460FB194 BC34210B AC5303AF F3448F15 BEED65C0 D1C41F63 FC918A03 73142882 E4A2C92C 8E4871FE E27C841D 26627790 B6C898E6 7A5C725F 15C0E3B2 DD7DBB8A 46F9FFB3 BE42C5EB DB10CC6A A64C6F05 A69CDBD6 访问SSL VPN服务器,登录地址:https:/X.X.X.X/svpn/cn/index.htm缺省超级管理员帐号/密码:administratorlocal.root/administrator在该界面下创建域和域管理员.使用域管理员登录后创建资源和用户.以上配置流程和防火墙SSL VPN配置相同不再赘述.dirDirectory of cfa0:/ 0 -rw- 17357716 Jan 13 2009 15:13:52 msr50-cmw520-e1713l04-si.bin 1 drw- - Jan 13 2009 15:14:48 logfile 2 -rw- 553 Jan 14 2009 10:49:06 sslvpn_ca.crt 3 -rw- 2668 Jan 14 2009 10:49:12 sslvpn_local.pfx 4 -rw- 200 Jan 14 2009 11:55:54 svpn.cfg 5 -rw- 806 Jan 14 2009 11:33:40 ssl_ca.cer 6 -rw- 13366 Jan 14 2009