L'icône rouge permet de télécharger chaque page du wiki visitée au format PDF et la grise au format ODT →

Différences

Ci-dessous, les différences entre deux révisions de la page.

--- atelier:chantier:vpn-ikev2-anyconnect-with-freeradius [25/05/2018 10:48]
bapt6 créée
+++ atelier:chantier:vpn-ikev2-anyconnect-with-freeradius [25/05/2018 11:44] (Version actuelle)
bapt6 [Crypto Configuration]
@@ Ligne 1: / Ligne 1: @@
-====== Titre de Votre Tuto ======
+====== vpn ikev2 anyconnect with freeradius  ======
 ===== Introduction =====
-===== Installation =====
+===== Configuring and deploying Cisco IOS certificate server =====
-===== Utilisation =====
+<code user>conf t</code>
+First define the new CA.
+<code root>
+ip http server
+crypto pki server ca-server
+ database level names
+ no database archive
+ hash sha512
+ lifetime certificate 3650
+ lifetime ca-certificate 7305 23 59
+ eku server-auth client-auth
+ auto-rollover 365
+ database url flash:ca
+ exit
+</code>
+Now we have a CA operating, we need to generate a certificate for our router to identify itself to clients.
+<code root>
+crypto key generate rsa general modulus 2048 exportable label ca-server
+do crypto pki server ca-server start
+crypto key generate rsa general modulus 2048 exportable label router
+crypto pki trustpoint router
+ enrollment url http://<ip address>:80
+ ip-address <ip address>
+ fqdn <DNS entry pointing to router>
+ subject-name CN=<site name>,OU=user-vpn,O=<company name>
+ revocation-check crl
+ rsakeypair router
+ auto-enroll regenerate
+ hash sha512
+ exit
+crypto pki authenticate router
+crypto pki enroll router
+</code>
+The certificate server should now have a pending request.
+<code root>
+do show crypto pki server ca-server requests
+do crypto pki server ca-server grant <request number>
+</code>
+The request number is often 1
+===== Client Related Configuration =====
+<code root>
+crypto key generate rsa general modulus 2048 exportable label anyconnect
+crypto pki trustpoint anyconnect
+ enrollment url http://<ip address>:80
+ serial-number none
+ fqdn none
+ ip-address none
+ subject-name CN=<site name>,OU=user-vpn,O=<company name>
+ revocation-check none
+ rsakeypair anyconnect
+crypto pki authenticate anyconnect
+crypto pki enroll anyconnect
+</code>
+The certificate server should now have a pending request.
+<code root>
+do show crypto pki server ca-server requests
+do crypto pki server ca-server grant <request number>
+</code>
+The request number is often 1
+===== Export And Install Certificates For Client =====
+<code root>crypto pki export anyconnect pem terminal</code>
+===== Crypto Configuration =====
+<code root>
+aaa new-model
+aaa group server radius freeradius
+server-private <freeradius ip> auth-port 1812 acct-port 1813 key cisco12
+aaa authentication login win7 group freeradius
+aaa accounting network default start-stop group freeradius
+</code>
+<code root>
+crypto ikev2 profile default
+ match identity remote key-id anyconnect_remote_access
+ match identity remote key-id cisco.com
+ identity local dn
+ authentication remote eap query-identity
+ authentication local rsa-sig
+ pki trustpoint anyconnect
+ dpd 60 2 on-demand
+ aaa authentication eap win7
+ aaa authorization user eap cached
+ aaa accounting eap default
+ virtual-template 1
+</code>
+<code root>
+crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
+ mode tunnel
+crypto ipsec profile default
+ set ikev2-profile default
+</code>
+<code root>
+interface Virtual-Template1 type tunnel
+ ip unnumbered Loopback0
+ tunnel mode ipsec ipv4
+ tunnel protection ipsec profile default
+</code>
+<code root>ip local pool mypool 192.168.1.3</code>
+<code root>access-list 99 permit any</code>
+<code root>a</code>
+ggggg
+<code root>a</code>
+ggggg
+<code root>a</code>
+gggggg
+<code root>a</code>
+===== Introduction =====
+===== Introduction =====

atelier/chantier/vpn-ikev2-anyconnect-with-freeradius.1527238099.txt.gz · Dernière modification: 25/05/2018 10:48 par bapt6

Debian-facile

Différences

Pied de page des forums