How do I configure SSL VPN on the MSR26-00? Is there an operation guide you can provide?
(0)
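Best answer
You can refer to the following.
R1, R2 and R3 have routes to each other on the internal network. The PC simulates the external network, and R1 is configured as the SSL VPN gateway so that the PC can use SSL VPN to access internal IP, TCP and web resources.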
<R1>dis ver
H3C Comware Platform Software
Comware Software, Version 5.20, Release 2207, Standard
Copyright (c) 2004-2011 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C MSR20-40 uptime is 0 week, 0 day, 11 hours, 8 minutes
Last reboot 2011/11/10 05:26:26
System returned to ROM By <Reboot> Command.
CPU type: FREESCALE PowerPC 8248 400MHz
256M bytes SDRAM Memory
4M bytes Flash Memory
Pcb Version: 2.0
Logic Version: 5.0
Basic BootROM Version: 3.09
Extended BootROM Version: 3.13
[SLOT 0]CON (Hardware)2.0, (Driver)1.0, (Cpld)5.0
[SLOT 0]AUX (Hardware)2.0, (Driver)1.0, (Cpld)5.0
[SLOT 0]ETH0/0 (Hardware)2.0, (Driver)1.0, (Cpld)5.0
[SLOT 0]ETH0/1 (Hardware)2.0, (Driver)1.0, (Cpld)5.0
[SLOT 0]CELLULAR0/0 (Hardware)2.0, (Driver)1.0, (Cpld)5.0
[SLOT 4]DSIC-9FSW (Hardware)3.0, (Driver)1.0, (Cpld)2.0
<R2>did s ver
H3C Comware Platform Software
Comware Software, Version 5.20, Release 2207P23, Standard
Copyright (c) 2004-2011 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C MSR30-20 uptime is 0 week, 0 day, 2 hours, 4 minutes
Last reboot 2009/05/26 22:41:35
System returned to ROM By <Reboot> Command.
CPU type: FREESCALE MPC8349 533MHz
512M bytes DDR SDRAM Memory
4M bytes Flash Memory
Pcb Version: 3.0
Logic Version: 2.0
Basic BootROM Version: 3.12
Extended BootROM Version: 3.14
[SLOT 0]CON (Hardware)3.0 (Driver)1.0, (Cpld)2.0
[SLOT 0]AUX (Hardware)3.0 (Driver)1.0, (Cpld)2.0
[SLOT 0]GE0/0 (Hardware)3.0 (Driver)1.0, (Cpld)2.0
[SLOT 0]GE0/1 (Hardware)3.0 (Driver)1.0, (Cpld)2.0
[SLOT 0]CELLULAR0/0 (Hardware)3.0 (Driver)1.0, (Cpld)2.0
<R3>dis c ver
H3C Comware Platform Software
Comware Software, Version 5.20, Release 2207P14, Standard
Copyright (c) 2004-2011 Hangzhou H3C Tech. Co., Ltd. All rights reserved.
H3C MSR30-16 uptime is 0 week, 0 day, 2 hours, 7 minutes
Last reboot 2011/12/01 18:44:13
System returned to ROM By <Reboot> Command.
CPU type: FREESCALE MPC8360 400MHz
256M bytes DDR SDRAM Memory
4M bytes Flash Memory
Pcb Version: 3.0
Logic Version: 2.0
Basic BootROM Version: 2.08
Extended BootROM Version: 2.12
[SLOT 0]CON (Hardware)3.0 (Driver)1.0, (Cpld)2.0
[SLOT 0]AUX (Hardware)3.0 (Driver)1.0, (Cpld)2.0
[SLOT 0]ETH0/0 (Hardware)3.0 (Driver)1.0, (Cpld)2.0
[SLOT 0]ETH0/1 (Hardware)3.0 (Driver)1.0, (Cpld)2.0
[SLOT 0]CELLULAR0/0 (Hardware)3.0 (Driver)1.0, (Cpld)2.0
The specific configuration is as follows:
[R1]pki domain svpn
[R1-pki-domain-svpn]crl check disable
[R1-pki-domain-svpn]quit
[R1]ssl server-policy svpn
[R1-ssl-server-policy-svpn]pki-domain svpn
[R1-ssl-server-policy-svpn]quit
[R1]ssl-vpn server-policy svpn
[R1]ssl-vpn enable
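[R1]pki import-certificate ca domain svpn pem file 2003_server.cer // Import the certificate; make sure the device time is within the certificate's validity period. You can check the time with dis clock and set it with <H3C>clock datetime 21:00:00 2013/12/12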
The trusted CA's finger print is:
MD5 fingerprint:7EFC 890E 3E04 543F 940A E5FF C79A EAD9
SHA1 fingerprint:AD8F 99DC CBBE 768E 69CE C10B 8C90 1A27 51BC FBA5
Is the finger print correct?(Y/N):y
%Nov 10 14:58:54:830 2011 R1 PKI/6/PKI_CA_CERT_TRUSTED: Root CA certificate of the domain svpn is trusted.
Import CA certificate successfully.
[R1]
%Nov 10 14:58:54:847 2011 R1 PKI/6/PKI_IMPORT_CA_CERT_SUCC: Imported CA certificates of the domain svpn successfully.
[R1]pki import-certificate local domain svpn p12 filename 2003_local.pfx
Please input challenge password: // Enter the certificate password
Both local device and import file has a key, please choose one of them.
[R1]public-key local destroy rsa // If a certificate was imported before, the existing key pair must be destroyed first
Warning: Confirm to destroy these keys? [Y/N]:y
[R1] pki import-certificate local domain svpn p12 filename 2003_local.pfx // Import again
Please input challenge password:
%Nov 10 14:59:50:872 2011 R1 PKI/6/PKI_VERIFY_CERT_SUCC: Verified the certificate CN=SSL VPN,OU=R&D,O=H3C,L=Beijing,ST=Beijing,C=CN of domain svpn successfully.
Import local certificate successfully.
Import key pair successfully.
[R1]
%Nov 10 14:59:50:907 2011 R1 PKI/6/PKI_IMPORT_LOCAL_CERT_SUCC: Imported local certificate of the domain svpn successfully.
(0)
The images can't be seen.
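Added example, not part of the original answer or of H3C's documentation: the CA import above stops at "Is the finger print correct?(Y/N)", and with `crl check disable` set in the PKI domain that prompt is the main check on which CA the gateway will trust. This sketch computes the fingerprints of the CA file on an admin workstation and compares them with the text the router printed. It assumes the prompt shows standard MD5/SHA-1 digests of the DER-encoded certificate; the function names and sample data are hypothetical.

```python
import base64
import hashlib
import re

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der, algo):
    """Digest of the DER bytes in the 4-hex-digit groups the prompt prints."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def parse_prompt(prompt_text):
    """Extract {'md5': ..., 'sha1': ...} from the router's confirmation prompt."""
    found = {}
    for algo, value in re.findall(r"(MD5|SHA1) fingerprint:\s*([0-9A-Fa-f ]+)",
                                  prompt_text):
        found[algo.lower()] = re.sub(r"\s+", "", value).upper()
    return found

def prompt_matches_file(prompt_text, pem_text):
    """True only if every fingerprint shown by the router matches the file."""
    shown = parse_prompt(prompt_text)
    if not shown:
        return False  # nothing to compare: do not answer Y
    der = pem_to_der(pem_text)
    return all(hashlib.new(a, der).hexdigest().upper() == v
               for a, v in shown.items())

# Constructed sample: stand-in bytes, not a real certificate and not the
# 2003_server.cer file used in the answer.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_PROMPT = ("The trusted CA's finger print is:\n"
                 "MD5 fingerprint:" + fingerprint(SAMPLE_DER, "md5") + "\n"
                 "SHA1 fingerprint:" + fingerprint(SAMPLE_DER, "sha1") + "\n")

if __name__ == "__main__":
    print("SHA1 fingerprint:" + fingerprint(pem_to_der(SAMPLE_PEM), "sha1"))
    ok = prompt_matches_file(SAMPLE_PROMPT, SAMPLE_PEM)
    print("answer Y" if ok else "answer N and re-check the CA file")
```

For a real import, read the CA file obtained from the CA administrator into `pem_text` and paste the router's prompt lines into `prompt_text`.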