Home automation continued: SSL VPN on a Cisco IOS router

Hello

Because I have a nice library of books and music on my PC, I thought I could set up secure remote access to it using my Cisco router. How does it work? SSL creates an encrypted tunnel between your PC (the VPN client) and the remote router.

What we need:

  • the AnyConnect .pkg file (you need access to the Cisco download center to get it)
  • an ISR G2 router
  • a PC
  • some patience

  1. Generate the RSA key pair with the label SSLVPN (crypto key generate rsa label SSLVPN).
  2. Copy the AnyConnect .pkg file to flash and install it using the webvpn install command; the rest of the configuration is below. Obviously, replace XXXX or x.x.x.x with your own values wherever needed (e.g. in the webvpn gateway ip address or the username/password lines).

!!! this enables the AAA command set and creates two login authentication lists, one default, one named sslvpn
aaa new-model
aaa authentication login default local
aaa authentication login sslvpn local
!
!!! you need a trustpoint to be able to issue a certificate to yourself !!!
crypto pki trustpoint my-trustpoint
 enrollment selfsigned
 serial-number
 subject-name CN=myrouter-cert
 revocation-check crl
 rsakeypair SSLVPN
!
ip domain name HOMELAN
username xxx privilege 15 secret 4 xxxxx
username xxx privilege 15 secret 4 xxxxx
!
!!! I get a public address from my Dovado router in bridge mode !!!
interface GigabitEthernet0
 ip address dhcp
 duplex auto
 speed auto
! this is my first home subnet
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
! this is my second home subnet
interface Vlan20
 ip address 192.168.2.2 255.255.255.0
!!! the local pool is for the sslvpn users who connect !!!
ip local pool webvpn-pool 192.168.1.70 192.168.1.80
!
no ip http server
no ip http secure-server
!
!!! gateway settings !!!
webvpn gateway Cisco-Webvpn-Gateway
 ip address x.x.x.x port 443
 http-redirect port 80
 ssl encryption 3des-sha1
 ssl trustpoint my-trustpoint
 inservice
! this installs the AnyConnect .pkg file !!
webvpn install svc flash:/webvpn/anyconnect-win-3.1.14018-k9.pkg sequence 1
! this creates a context for the sslvpn users and refers to the gateway we created before !
webvpn context SSLVPN_Context
 ssl authenticate verify all
 !
 login-message "welcome"
 !
 policy group SSLVPN_DefaultPolicy
   functions svc-enabled
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc dns-server primary 8.8.8.8
 default-group-policy SSLVPN_DefaultPolicy
 aaa authentication list sslvpn
 gateway Cisco-Webvpn-Gateway
 inservice
!
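The webvpn configuration only works when its cross-references line up: the context must point at an existing gateway, AAA list and address pool, and the gateway at an existing trustpoint. As an added example (my own code, not part of the original post or of Cisco IOS), here is a small offline linter that parses the indented config above, resolves those references and flags the self-signed trustpoint and the 3DES cipher suite; the sample input is a constructed, re-indented excerpt of the post's config.

```python
# Constructed sample: the post's relevant lines, re-indented the way IOS displays them.
SAMPLE = """\
aaa authentication login sslvpn local
crypto pki trustpoint my-trustpoint
 enrollment selfsigned
ip local pool webvpn-pool 192.168.1.70 192.168.1.80
webvpn gateway Cisco-Webvpn-Gateway
 ssl encryption 3des-sha1
 ssl trustpoint my-trustpoint
webvpn context SSLVPN_Context
 policy group SSLVPN_DefaultPolicy
  svc address-pool "webvpn-pool" netmask 255.255.255.0
 aaa authentication list sslvpn
 gateway Cisco-Webvpn-Gateway
"""
def parse_blocks(text):
    """Map each top-level IOS command to its indented subcommands (nesting flattened)."""
    blocks, head = {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith("!"):  # skip blanks and '!' comments
            if line[0] != " ":
                blocks[(head := line.rstrip())] = []
            elif head:
                blocks[head].append(line.strip())
    return blocks

def _arg(body, prefix):  # first argument after `prefix` in a block body, quotes stripped
    hits = [c[len(prefix):].split()[0].strip('"') for c in body if c.startswith(prefix + " ")]
    return hits[0] if hits else None

def lint_webvpn(text):
    """Return findings: dangling references and weak crypto in a webvpn config."""
    blocks, out = parse_blocks(text), []
    for head, body in blocks.items():
        if head.startswith("webvpn gateway "):
            tp, suite = _arg(body, "ssl trustpoint"), _arg(body, "ssl encryption") or ""
            tp_body = blocks.get(f"crypto pki trustpoint {tp}")
            if tp_body is None:
                out.append(f"{head}: trustpoint {tp!r} is not defined")
            elif "enrollment selfsigned" in tp_body:
                out.append(f"{head}: self-signed trustpoint {tp}; clients cannot validate it via a CA")
            if "3des" in suite or "rc4" in suite:
                out.append(f"{head}: weak cipher suite {suite!r}")
        elif head.startswith("webvpn context "):
            for prefix, ref in (("webvpn gateway", _arg(body, "gateway")),
                                ("aaa authentication login", _arg(body, "aaa authentication list")),
                                ("ip local pool", _arg(body, "svc address-pool"))):
                if not any((h + " ").startswith(f"{prefix} {ref} ") for h in blocks):
                    out.append(f"{head}: {prefix} {ref!r} is not defined")
    return out
```

Run lint_webvpn on the output of show running-config (pasted into a file) to catch a renamed pool or list before testing the client.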

You can connect either with the Cisco AnyConnect client (tunnel mode) or with your browser (thin client). Next time I will describe both methods.
