This configuration details how to set up an SSL VPN in ‘tunnel mode’ on a router running IOS 15.
Such a configuration could be implemented at a small to mid-size remote site utilising an ISR router.
Firstly install the AnyConnect package onto the router:
!
webvpn install svc flash:/anyconnect-linux-64-4.2.01035-k9.pkg sequence 1
!
Confirm the package installation:
#sh webvpn install status svc
SSLVPN Package SSL-VPN-Client version installed:
CISCO STC Linux_64
4.2.01035
Wed Dec 23 08:03:10 EST 2015
Next, enable AAA new-model, create an AAA authentication method list ‘WEBVPN_AUTHC’ which consults the local user database, and then create a local user account with minimal privileges:
!
aaa new-model
!
aaa authentication login WEBVPN_AUTHC local
!
username seb privilege 0 secret 5 $1$/0rc$uHbejVQpJUmYXyVZewmM0.
!
Define an IP pool from which the webVPN client tunnel endpoints will be allocated. This can share a subnet that is already used by the router (make sure there is no overlap with existing interfaces or DHCP scopes), or an entirely new private IP pool can be used. If you choose the latter, ensure that it is redistributed into any dynamic routing processes you may be running, so that return traffic is sent to the router; this assumes it is not already the default gateway for the network.
!
ip local pool WEBVPN_POOL 10.83.98.1 10.83.98.63
!
Split tunnelling is configured to ensure that only traffic destined for subnets routed at the remote network is sent down the tunnel. I am including the WEBVPN_POOL and one ‘inside’ subnet that is routed by the router as the permit statements in the WEBVPN_ACL_SPLIT access list.
!
ip access-list standard WEBVPN_ACL_SPLIT
 permit 10.83.30.0 0.0.0.255
 permit 10.83.98.0 0.0.0.255
!
Now enable the webVPN gateway. Various elements can be configured under this section, most importantly which interface and port will listen for incoming connections.
!
webvpn gateway WEBVPN_GATEWAY
 ip interface FastEthernet0/1 port 443
 ssl encryption aes-sha1
 ssl trustpoint TP-self-signed-4044395249
 inservice
!
The ‘webvpn context’ section brings together what we have configured already and adds further features.
!
webvpn context WEBVPN_CONTEXT
 title "Sebs WEBVPN gateway"
 aaa authentication list WEBVPN_AUTHC
 gateway WEBVPN_GATEWAY
 max-users 5
 inservice
!
Within the context a group policy must also be configured. Note that ‘filter tunnel WEBVPN_ACL’ references an ACL defined under the context itself (see the full configuration below):
!
webvpn context WEBVPN_CONTEXT
 !
 policy group WEBVPN_POLICY
   functions svc-enabled
   functions svc-required
   filter tunnel WEBVPN_ACL
   svc address-pool "WEBVPN_POOL" netmask 255.255.255.192
   svc rekey method new-tunnel
   svc split include acl WEBVPN_ACL_SPLIT
 default-group-policy WEBVPN_POLICY
!
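Because the pool, the svc netmask and the split-include ACL are configured in three separate places, they can easily drift apart. The following Python is an added example, not code from the original post: it parses a constructed excerpt of the configuration above (plus a hypothetical FastEthernet0/0 LAN address, assumed only so the overlap check has something to test) and flags a pool that spills outside the svc netmask, a split-include ACL that does not cover the pool subnet, or a pool that overlaps an interface subnet.

```python
import ipaddress
import re

# Constructed excerpt of the router configuration above; FastEthernet0/0 is hypothetical.
CONFIG = """\
interface FastEthernet0/0
 ip address 10.83.30.1 255.255.255.0
ip local pool WEBVPN_POOL 10.83.98.1 10.83.98.63
ip access-list standard WEBVPN_ACL_SPLIT
 permit 10.83.30.0 0.0.0.255
 permit 10.83.98.0 0.0.0.255
webvpn context WEBVPN_CONTEXT
 policy group WEBVPN_POLICY
  svc address-pool "WEBVPN_POOL" netmask 255.255.255.192
  svc split include acl WEBVPN_ACL_SPLIT
"""

def wildcard_to_network(addr, wildcard):
    # IOS standard ACLs use wildcard (inverse) masks; flip the bits to get a prefix
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def split_acl_networks(config, name):
    # Collect the permit entries of the named standard ACL (indented lines that follow it)
    block = re.search(rf"^ip access-list standard {name}\n((?: .*\n)+)", config, re.M)
    entries = [line.split() for line in block.group(1).splitlines()]
    return [wildcard_to_network(e[1], e[2]) for e in entries if e[0] == "permit"]

def interface_networks(config):
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^ ip address (\S+) (\S+)", config, re.M)]

def check_split_tunnel(config):
    """Return a list of problems with the svc pool / netmask / split-include pairing."""
    pool_name, netmask = re.search(r'svc address-pool "?(\w+)"? netmask (\S+)', config).groups()
    acl_name = re.search(r"svc split include acl (\S+)", config).group(1)
    first, last = re.search(rf"^ip local pool {pool_name} (\S+) (\S+)", config, re.M).groups()
    # The netmask handed to the client defines the subnet of its tunnel adapter
    tunnel_net = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    problems = []
    if ipaddress.IPv4Address(last) not in tunnel_net:
        problems.append(f"pool {pool_name} ends outside netmask {netmask}")
    if not any(tunnel_net.subnet_of(n) for n in split_acl_networks(config, acl_name)):
        problems.append(f"split-include ACL {acl_name} does not cover {tunnel_net}")
    for net in interface_networks(config):
        if tunnel_net.overlaps(net):
            problems.append(f"pool overlaps interface subnet {net}")
    return problems
```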
Full configuration below:
!
aaa new-model
!
aaa authentication login WEBVPN_AUTHC local
!
username seb privilege 0 secret 5 $1$/0rc$uHbejVQpJUmYXyVZewmM0.
!
ip local pool WEBVPN_POOL 10.83.98.1 10.83.98.63
!
!
ip access-list standard WEBVPN_ACL_SPLIT
 permit 10.83.30.0 0.0.0.255
 permit 10.83.98.0 0.0.0.255
!
!
webvpn gateway WEBVPN_GATEWAY
 ip interface FastEthernet0/1 port 443
 ssl encryption aes-sha1
 ssl trustpoint TP-self-signed-4044395249
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-linux-64-4.2.01035-k9.pkg sequence 1
!
webvpn context WEBVPN_CONTEXT
 title "Sebs WEBVPN gateway"
 ssl encryption aes-sha1
 ssl authenticate verify all
 !
 acl "WEBVPN_ACL"
   permit ip 10.83.98.0 255.255.255.0 any
 !
 !
 policy group WEBVPN_POLICY
   functions svc-enabled
   functions svc-required
   filter tunnel WEBVPN_ACL
   svc address-pool "WEBVPN_POOL" netmask 255.255.255.192
   svc rekey method new-tunnel
   svc split include acl WEBVPN_ACL_SPLIT
 default-group-policy WEBVPN_POLICY
 aaa authentication list WEBVPN_AUTHC
 gateway WEBVPN_GATEWAY
 max-users 5
 inservice
!