R3102-R3103-HP 6600/HSR6600 Routers Security Configuration Guide
358
Figure 124 Network diagram
Configuration procedure
In this example, a Windows Server is used as the CA, with the SCEP plugin installed on it.
Before performing the following configurations, make sure the intended SSL VPN gateway, the CA, and the host used
by the remote user can reach each other, and that the CA service is enabled on the CA so that it can issue
certificates to both the device (the SSL VPN gateway) and the host.
1. Apply for a certificate for the SSL VPN gateway:
# Configure a PKI entity named en and specify the common name of the entity as http-server.
<Router> system-view
[Router] pki entity en
[Router-pki-entity-en] common-name http-server
[Router-pki-entity-en] quit
# Configure a PKI domain named sslvpn. Specify ca server as the trusted CA identifier,
http://10.2.1.1/certsrv/mscep/mscep.dll as the certificate request URL (the RA server), the RA as the
authority that receives certificate requests, and en as the PKI entity.
[Router] pki domain sslvpn
[Router-pki-domain-sslvpn] ca identifier ca server
[Router-pki-domain-sslvpn] certificate request url http://10.2.1.1/certsrv/mscep/mscep.dll
[Router-pki-domain-sslvpn] certificate request from ra
[Router-pki-domain-sslvpn] certificate request entity en
[Router-pki-domain-sslvpn] quit
# Generate the local RSA key pair.
[Router] public-key local create rsa
# Retrieve the CA certificate.
[Router] pki retrieval-certificate ca domain sslvpn
# Apply for a certificate for the device.
[Router] pki request-certificate domain sslvpn
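The certificate request URL in step 1 is a plain-HTTP SCEP endpoint, and SCEP falls back to MD5 and single DES unless the server advertises better algorithms. The following added Python script (not part of this guide, and not HP code) queries that endpoint's GetCACaps operation from an administrator's workstation and reports which algorithms the router's enrollment will negotiate; the sample response body is constructed, and REQUEST_URL and CA_IDENTIFIER are taken from the configuration above.

```python
# Check the SCEP capabilities advertised by the CA/RA the router enrolls with
# (RFC 8894, section 3.5.2). Standard library only; fetch_ca_caps needs
# network reachability to the CA, the other functions work offline.
from urllib.parse import urlencode
from urllib.request import urlopen

# Values from the router configuration in step 1 of this example.
REQUEST_URL = "http://10.2.1.1/certsrv/mscep/mscep.dll"
CA_IDENTIFIER = "ca server"

# Capability keywords defined by RFC 8894, strongest first.
HASH_PREFERENCE = ["SHA-512", "SHA-256", "SHA-1"]
CIPHER_PREFERENCE = ["AES", "DES3"]


def scep_url(base_url, operation, message=None):
    """Build the GET URL for a SCEP operation such as GetCACaps or GetCACert."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message          # the CA identifier, URL-encoded
    return f"{base_url}?{urlencode(params)}"


def parse_ca_caps(body):
    """Parse a GetCACaps response body: one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def assess_ca_caps(caps):
    """Derive what a SCEP client will negotiate. When nothing is advertised,
    the RFC 8894 defaults (MD5 digest, single DES) apply."""
    digest = next((h for h in HASH_PREFERENCE if h in caps), "MD5")
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), "DES")
    return {
        "digest": digest,
        "cipher": cipher,
        "post_pki_operation": "POSTPKIOperation" in caps,
        "renewal": "Renewal" in caps,
        # Flag legacy algorithms so the administrator can fix the CA side.
        "weak": digest in ("MD5", "SHA-1") or cipher == "DES",
    }


def fetch_ca_caps(base_url=REQUEST_URL, ca_identifier=CA_IDENTIFIER, timeout=5):
    """Query the live SCEP server and return its capability set."""
    with urlopen(scep_url(base_url, "GetCACaps", ca_identifier), timeout=timeout) as resp:
        return parse_ca_caps(resp.read().decode("ascii", "replace"))


# Constructed sample GetCACaps body used for the offline check below.
SAMPLE_CAPS_BODY = "AES\r\nPOSTPKIOperation\r\nRenewal\r\nSHA-256\r\nSHA-1\r\n"
print(assess_ca_caps(parse_ca_caps(SAMPLE_CAPS_BODY)))
```

Run `fetch_ca_caps()` instead of the sample body to test the real server; a result with `"weak": True` means the CA should be reconfigured before the router's `pki request-certificate` is relied on.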
2. Configure an SSL server policy for the SSL VPN service:
# Configure an SSL server policy named myssl, and specify the policy to use PKI domain sslvpn.
[Router] ssl server-policy myssl
[Router-ssl-server-policy-myssl] pki-domain sslvpn
[Router-ssl-server-policy-myssl] quit
3. Configure SSL VPN:
(Figure 124 network diagram labels: Router acting as SSL VPN gateway, Host of the remote user, Internal servers, CA, Internet; addresses shown: 10.2.1.1/24 and 10.1.1.1/24.)