华三防火墙VPN配置

1.29.5  LDAP认证、授权配置举例

1. 组网需求

Device为SSL VPN网关设备，连接公网用户和企业私有网络VPN 1。用户通过Device可以通过IP接入方式安全地访问VPN 1内的Server。Device通过LDAP server采用远程认证和授权方式对用户进行认证和授权。

2. 组网图

图1-28 LDAP认证、授权配置组网图

‌

3. 配置LDAP服务器

(1)     新建组织单位sslvpn_usergroup

a.     在LDAP服务器上，选择[开始/管理工具]中的[Active Directory用户和计算机]，打开Active Directory用户和计算机界面；

b.     在Active Directory用户和计算机界面的左侧导航树中，右键单击***.***，选择[新建/组织单位]，打开[新建对象-组织单位]对话框；

c.     在对话框中输入组织单位名称sslvpn_usergroup，并单击<确定>按钮。

图1-29 新建组织单位sslvpn_usergroup

(2)     新建用户sslvpn所属组织单位为sslvpn_usergroup

a.     在Active Directory用户和计算机界面的左侧导航树中，右键单击sslvpn_usergroup，选择[新建/用户]，打开[新建对象-用户]对话框；

b.     在对话框中输入姓名和用户登录名为sslvpn，并单击<下一步>按钮。

图1-30 新建用户sslvpn

c.     在弹出的对话框的“密码”区域框内输入用户密码ldap!123456，并单击<下一步>按钮。用户账户的其它属性（密码的更改方式、密码的生存方式、是否禁用账户）请根据实际情况选择配置，图中仅为示例。

图1-31 设置用户密码

d.     单击<完成>按钮，创建新用户sslvpn。

(3)     将用户sslvpn加入Users组。

在Active Directory用户和计算机界面的左侧导航树中，单击sslvpn_usergroup，在右侧信息框中右键单击用户sslvpn，选择“属性”项；

在弹出的[sslvpn属性]对话框中选择“隶属于”页签，并单击<添加(D)...>按钮。

图1-32 修改用户属性

在弹出的[选择组]对话框中的可编辑区域框中输入对象名称“Users”，单击<确定>，完成用户sslvpn添加到Users组。

图1-33 添加用户sslvpn到用户组Users

4. 配置步骤

(1)     配置接口IP地址

# 根据组网图中规划的信息，配置各接口的IP地址，具体配置步骤如下。

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 1.1.1.2 255.255.255.0

[Device-GigabitEthernet1/0/1] quit

请参考以上步骤配置其他接口的IP地址，具体配置步骤略。

(2)     创建SSL VPN AC接口，用于转发IP接入流量

# 创建SSL VPN AC接口1，配置该接口绑定VPN实例VPN1，并配置接口的IP地址为10.1.1.100/24。

[Device] interface sslvpn-ac 1

[Device-SSLVPN-AC1] ip binding vpn-instance VPN1

[Device-SSLVPN-AC1] ip address 10.1.1.100 24

[Device-SSLVPN-AC1] quit

(3)     配置静态路由

本举例仅以静态路由方式配置路由信息。实际组网中，请根据具体情况选择相应的路由配置方式。

# 请根据组网图中规划的信息，配置静态路由，本举例假设到达Server的下一跳IP地址为2.2.2.3，到达User的下一跳IP地址为1.1.1.3实际使用中请以具体组网情况为准，具体配置步骤如下。

[Device] ip route-static 20.2.2.2 24 2.2.2.3

[Device] ip route-static 40.1.1.1 24 1.1.1.3

(4)     配置接口加入安全域。

# 请根据组网图中规划的信息，将接口加入对应的安全域，具体配置步骤如下。

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/0/1

[Device-security-zone-Untrust] import interface sslvpn-ac 1

[Device-security-zone-Untrust] quit

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/0/2

[Device-security-zone-Trust] import interface gigabitethernet 1/0/3

[Device-security-zone-Trust] quit

(5)     配置安全策略放行Untrust与Local安全域之间的流量，用于用户访问SSL VPN网关设备。

# 配置名称为sslvpnlocalout1的安全策规则，使Device可以向用户发送报文，具体配置步骤如下。

[Device] security-policy ip

[Device-security-policy-ip] rule name sslvpnlocalout1

[Device-security-policy-ip-1-sslvpnlocalout1] source-zone local

[Device-security-policy-ip-1-sslvpnlocalout1] destination-zone untrust

[Device-security-policy-ip-1-sslvpnlocalout1] source-ip-host 1.1.1.2

[Device-security-policy-ip-1-sslvpnlocalout1] source-ip-host 10.1.1.100

[Device-security-policy-ip-1-sslvpnlocalout1] destination-ip-host 40.1.1.1

[Device-security-policy-ip-1-sslvpnlocalout1] destination-ip-subnet 10.1.1.0 24

[Device-security-policy-ip-1-sslvpnlocalout1] action pass

[Device-security-policy-ip-1-sslvpnlocalout1] quit

# 配置名称为sslvpnlocalin1的安全策略规则，使用户可以向Device发送报文，具体配置步骤如下。

[Device-security-policy-ip] rule name sslvpnlocalin1

[Device-security-policy-ip-2-sslvpnlocalin1] source-zone untrust

[Device-security-policy-ip-2-sslvpnlocalin1] destination-zone local

[Device-security-policy-ip-2-sslvpnlocalin1] source-ip-host 40.1.1.1

[Device-security-policy-ip-2-sslvpnlocalin1] source-ip-host subnet 10.1.1.0 24

[Device-security-policy-ip-2-sslvpnlocalin1] destination-ip-host 1.1.1.2

[Device-security-policy-ip-2-sslvpnlocalin1] destination-ip-host 10.1.1.100

[Device-security-policy-ip-2-sslvpnlocalin1] action pass

[Device-security-policy-ip-2-sslvpnlocalin1] quit

# 配置名称为sslvpnlocalout2的安全策规则，使Device可以向Server发送报文，具体配置步骤如下。

[Device-security-policy-ip] rule name sslvpnlocalout2

[Device-security-policy-ip-3-sslvpnlocalout2] source-zone local

[Device-security-policy-ip-3-sslvpnlocalout2] destination-zone trust

[Device-security-policy-ip-3-sslvpnlocalout2] source-ip-host 2.2.2.2

[Device-security-policy-ip-3-sslvpnlocalout2] source-ip-host 3.3.3.1

[Device-security-policy-ip-3-sslvpnlocalout2] destination-ip-host 20.2.2.2

[Device-security-policy-ip-3-sslvpnlocalout2] destination-ip-host 3.3.3.2

[Device-security-policy-ip-3-sslvpnlocalout2] action pass

[Device-security-policy-ip-3-sslvpnlocalout2] quit

# 配置名称为sslvpnlocalin2的安全策略规则，使Server可以向Device发送报文，具体配置步骤如下。

[Device-security-policy-ip] rule name sslvpnlocalin2

[Device-security-policy-ip-4-sslvpnlocalin2] source-zone trust

[Device-security-policy-ip-4-sslvpnlocalin2] destination-zone local

[Device-security-policy-ip-4-sslvpnlocalin2] source-ip-host 20.2.2.2

[Device-security-policy-ip-4-sslvpnlocalin2] source-ip-host 3.3.3.2

[Device-security-policy-ip-4-sslvpnlocalin2] destination-ip-host 2.2.2.2

[Device-security-policy-ip-4-sslvpnlocalin2] destination-ip-host 3.3.3.1

[Device-security-policy-ip-4-sslvpnlocalin2] action pass

[Device-security-policy-ip-4-sslvpnlocalin2] quit

# 配置名称为untrust-trust的安全策规则，使用户可以通过SSL VPN AC接口访问Server，具体配置步骤如下。

[Device-security-policy-ip] rule name untrust-trust

[Device-security-policy-ip-5-untrust-trust] source-zone untrust

[Device-security-policy-ip-5-untrust-trust] destination-zone trust

[Device-security-policy-ip-5-untrust-trust] source-ip-subnet 10.1.1.0 24

[Device-security-policy-ip-5-untrust-trust] destination-ip-host 20.2.2.2

[Device-security-policy-ip-5-untrust-trust] action pass

[Device-security-policy-ip-5-untrust-trust] quit

# 配置名称为trust-untrust的安全策略规则，使Server可以通过SSL VPN AC接口向用户发送报文，具体配置步骤如下。

[Device-security-policy-ip] rule name trust-untrust

[Device-security-policy-ip-6-trust-untrust] source-zone trust

[Device-security-policy-ip-6-trust-untrust] destination-zone untrust

[Device-security-policy-ip-6-trust-untrust] source-ip-host 20.2.2.2

[Device-security-policy-ip-6-trust-untrust] destination-ip-subnet 10.1.1.0 24

[Device-security-policy-ip-6-trust-untrust] action pass

[Device-security-policy-ip-6-trust-untrust] quit

[Device-security-policy-ip] quit

(6)     配置PKI域，设置证书申请所需的相关参数

[Device] pki domain sslvpn

[Device-pki-domain-sslvpn] public-key rsa general name sslvpn

[Device-pki-domain-sslvpn] undo crl check  enable

[Device-pki-domain-sslvpn] quit

[Device] pki import domain sslvpn der ca filename ca.cer

[Device] pki import domain sslvpn p12 local filename server.pfx

(7)     配置SSL服务器端策略，引用PKI域

[Device] ssl server-policy ssl

[Device-ssl-server-policy-ssl] pki-domain sslvpn

[Device-ssl-server-policy-ssl] quit

(8)     配置SSL VPN网关，为用户提供访问SSL VPN网关的入口

# 配置SSL VPN网关gw的IP地址为1.1.1.2，端口号为2000，并引用SSL服务器端策略ssl。

[Device] sslvpn gateway gw

[Device-sslvpn-gateway-gw] ip address 1.1.1.2 port 2000

[Device-sslvpn-gateway-gw] ssl server-policy ssl

[Device-sslvpn-gateway-gw] service enable

[Device-sslvpn-gateway-gw] quit

(9)     创建SSL VPN客户端地址池，用于为IP接入客户端分配IP地址

# 创建地址池ippool，指定IP地址范围为10.1.1.1～10.1.1.10。

[Device] sslvpn ip address-pool ippool 10.1.1.1 10.1.1.10

(10)     配置LDAP，用于认证SSL VPN用户

[Device] ldap server ldap1

[Device-ldap-server-ldap1] ip 3.3.3.2

[Device-ldap-server-ldap1] login-dn cn=admin,cn=users,dc=ldap,dc=com

[Device-ldap-server-ldap1] login-password simple admin!123456

[Device-ldap-server-ldap1] search-base-dn dc=ldap,dc=com

[Device-ldap-server-ldap1] quit

[Device] ldap attribute-map test

[Device-ldap-attr-map-test] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group

[Device-ldap-attr-map-test] quit

[Device] ldap scheme shml

[Device-ldap-shml] authentication-server ldap1

[Device-ldap-shml] authorization-server ldap1

[Device-ldap-shml] attribute-map test

[Device-ldap-shml] quit

(11)     配置ISP域，通过ISP域对SSL VPN用户进行认证

# 创建ISP域bbb，为SSL VPN用户配置AAA认证方法为LDAP认证、LDAP授权、不计费。

[Device] domain bbb

[Device-isp-bbb] authentication sslvpn ldap-scheme shml

[Device-isp-bbb] authorization sslvpn ldap-scheme shml

[Device-isp-bbb] accounting sslvpn none

[Device-isp-bbb] quit

(12)     配置SSL VPN访问实例，为用户提供不同的SSL VPN服务

# 配置SSL VPN访问实例ctx引用SSL VPN网关gw，并配置SSL VPN访问实例关联的VPN实例为VPN1。

[Device] sslvpn context ctx

[Device-sslvpn-context-ctx] gateway gw

[Device-sslvpn-context-ctx] vpn-instance VPN1

[Device-sslvpn-context-ctx] aaa domain bbb

[Device-sslvpn-context-ctx] ip-route-list rtlist

[Device-sslvpn-context-ctx-route-list-rtlist] include 20.2.2.0 255.255.255.0

[Device-sslvpn-context-ctx-route-list-rtlist] quit

[Device-sslvpn-context-ctx] uri-acl uriacl

[Device-sslvpn-context-ctx-uri-acl-uriacl] rule 1 permit uri icmp://20.2.2.0

[Device-sslvpn-context-ctx-uri-acl-uriacl] quit

[Device-sslvpn-context-ctx] ip-tunnel interface sslvpn-ac 1

[Device-sslvpn-context-ctx] ip-tunnel address-pool ippool mask 255.255.255.0

[Device-sslvpn-context-ctx] policy-group pgroup

[Device-sslvpn-context-ctx-policy-group-pgroup] ip-tunnel access-route ip-route-list rtlist

[Device-sslvpn-context-ctx-policy-group-pgroup] filter ip-tunnel uri-acl uriacl

[Device-sslvpn-context-ctx-policy-group-pgroup] quit

[Device-sslvpn-context-ctx] service enable

[Device-sslvpn-context-ctx] quit

(13)     配置本地用户组，基于用户组对用户进行授权

# 创建本地用户组users，指定授权SSL VPN策略组为pgroup。

[Device] user-group users

[Device-ugroup-users] authorization-attribute sslvpn-policy-group pgroup

[Device-ugroup-users] quit

5. 验证配置

# 在Device上查看SSL VPN网关状态，可见SSL VPN网关gw处于Up状态。

[Device] display sslvpn gateway

Gateway name: gw

  Operation state: Up

  IP: 1.1.1.2  Port: 2000

  SSL server policy configured: ssl

  SSL server policy in use: ssl

  Front VPN instance: Not configured

# 在Device上查看SSL VPN访问实例状态，可见SSL VPN访问实例ctx处于Up状态。

[Device] display sslvpn context

Context name: ctx

  Operation state: Up

  AAA domain: domain1

  Certificate authentication: Disabled

  Password authentication：Enabled

  Authentication use: All

  SMS auth type: Not configured

  Urlmasking: Disabled

  Code verification: Disabled

  Default policy group: Not configured

  Associated SSL VPN gateway: gw

  SSL client policy configured: ssl

  SSL client policy in use: ssl

  Maximum users allowed: 1048575

  VPN instance: VPN1

  Idle timeout: 30 min

  Authentication server-type: aaa

  Password changing: Enabled

# 用户在PC上启动IP接入客户端软件，输入访问地址1.1.1.2、端口号2000、用户名sslvpn、密码123456，登录成功。

# 在Device上可以看到用户会话信息。

[Device] display sslvpn session context ctx

SSL VPN context: ctx

Users: 1

Username        Connections  Idle time   Created       User IP

sslvpn          6            0/00:02:05 0/00:03:14    40.1.1.1

# 在PC上查看IPv4路由表，其中40.1.1.1/24为本地网卡地址，10.1.1.1/24为SSL VPN网关设备分配给用户的地址，20.2.2.0/24为到达内部服务器Server的路由。

>route -4 print

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

         10.1.1.0    255.255.255.0         On-link      10.1.1.1        276

         10.1.1.1  255.255.255.255         On-link      10.1.1.1        276

       10.1.1.255  255.255.255.255         On-link      10.1.1.1        276

         20.2.2.0    255.255.255.0         On-link      10.1.1.1        276

       20.2.2.255  255.255.255.255         On-link      10.1.1.1        276

         40.1.1.0    255.255.255.0         On-link      40.1.1.1        276

         40.1.1.1  255.255.255.255         On-link      40.1.1.1        276

       40.1.1.255  255.255.255.255         On-link      40.1.1.1        276

===========================================================================

# 在PC上可以Ping通服务器地址20.2.2.2。

C:\>ping 20.2.2.2

Pinging 20.2.2.2 with 32 bytes of data:

Reply from 20.2.2.2: bytes=32 time=197ms TTL=254

Reply from 20.2.2.2: bytes=32 time=1ms TTL=254

Reply from 20.2.2.2: bytes=32 time=1ms TTL=254

Reply from 20.2.2.2: bytes=32 time=186ms TTL=254

Ping statistics for 20.2.2.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 197ms, Average = 96ms