CISCO AnyConnect 5.0 Secure Client Guide
CISCO AnyConnect 5.0 Secure Client

Document Introduction

Prepared by:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134

This document provides guidance to IT personnel for the TOE, Cisco Secure Client - AnyConnect 5.0 for iOS 16. This guidance document includes instructions to install the TOE successfully in the Operational Environment, instructions to manage the security of the TSF, and instructions to provide a protected administrative capability.

Revision History

Version  Date  Change
0.1  May 1, 2023  Initial version
0.2  July 27, 2023  Update

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademark. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2023 Cisco Systems, Inc. All rights reserved.

Introduction

This Operational User Guidance and Preparative Procedures document describes the administration of the Cisco Secure Client - AnyConnect v5.0 for Apple iOS 16 TOE, as certified under Common Criteria. Cisco Secure Client - AnyConnect v5.0 for Apple iOS 16 may be referred to below by a corresponding shorthand, e.g. VPN Client, or simply as the TOE.

Audience
This document is written for administrators installing and configuring the TOE. It assumes that you are familiar with the basic concepts and terminology used in internetworking, that you understand your network topology and the protocols the devices in your network can use, that you are a trusted individual, and that you are trained to use the operating systems on which you run your network.

Purpose
This document is the Operational User Guidance and Preparative Procedures for the Common Criteria evaluation. It was written to highlight the specific TOE configuration and the administrator functions and interfaces necessary to configure and maintain the TOE in the evaluated configuration. It is not meant to detail the specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining AnyConnect Secure Mobility Client operations. All security-relevant instructions for managing TSF data are provided within this document, within each functional section.

Document References
This section lists the Cisco Systems documentation that is also part of the Common Criteria Configuration Item (CI) List. The documents used are shown below in Table 1. Throughout this document, the guides are referred to by their "#", such as [1].

Table 1 Cisco Documentation

#  Title  Link
1  Cisco Secure Client (including AnyConnect) Administrator Guide, Release 5  https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/admin/guide/b-cisco-secure-client-admin-guide-5-0.html
2  Cisco AnyConnect Mobile Platforms Administrator Guide, Release 4.1  https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/Cisco_AnyConnect_Mobile_Administrator_Guide_4-1.html
3  Apple iOS User Guide for Cisco AnyConnect Secure Mobility Client, Release 4.6.x  https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/user/guide/Apple_iOS_AnyConnect_User_Guide_4-6-x.html
4  Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.9  https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/release/notes/release-notes-anyconnect-4-9.html
5  Release Notes for Cisco Secure Client (including AnyConnect), Release 5 for Apple iOS  https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/release/notes/release-notes-apple-ios-cisco-secure-client-release-5-0.html

TOE Overview
The TOE is the Cisco AnyConnect Secure Mobility Client (hereafter referred to as the VPN client, or the TOE). The Cisco AnyConnect Secure Mobility Client provides remote users with secure IPsec (IKEv2) VPN connections to a Cisco 5500 Series Adaptive Security Appliance (ASA) VPN Gateway, allowing installed applications to communicate as if they were connected directly to the enterprise network.

Operational Environment
The TOE requires the following IT Environment Components when configured in its evaluated configuration:

Table 2. Operational Environment Components

Component  Usage/Purpose Description
Certificate Authority  The certificate authority is used to provide valid digital certificates.
Mobile Platform  The TOE relies on any of the following CC-certified Apple mobile device platforms:
  • Apple iPhone 11/XR running iOS 16
ASA 5500-X series VPN Gateway  Cisco ASA 5500-X with software version 9.2.2 or later operating as the head-end VPN Gateway.
ASDM Management Platform  ASDM 7.7 running on any of the following operating systems:
  • Windows 7, 8, 10
  • Windows Server 2008, 2012, 2012 R2, 2016 and Server 2019
  • Apple OS X 10.4 or later
Note that the ASDM software is installed on the ASA device; the management platform is used to connect to the ASA and run ASDM. The only software installed on the management platform is the Cisco ASDM Launcher.

The underlying mobile platform provides the security functionality required by [MOD_VPNC_V2.4] and is referred to by the phrase "TOE Platform" in this document.

The Cisco AnyConnect TOE uses the network hardware resources of the mobile OS platform to send and receive encrypted packets. The TOE does not access any sensitive data repositories.

References in this document to "ASA" refer to the VPN Gateway.

Excluded Functionality

The functionality listed below is not included in the evaluated configuration.

Table 3. Excluded Functionality and Rationale

Excluded Functionality  Rationale
Non-FIPS 140-2 mode of operation  The TOE includes a FIPS mode of operation. FIPS mode restricts the TOE to approved cryptography only. FIPS mode must be enabled for the TOE to operate in its evaluated configuration.
SSL tunnel with DTLS fallback modes  [MOD_VPNC_V2.4] only allows IPsec VPN tunnels.

These services are disabled by configuration. Excluding this functionality does not affect compliance with the claimed Protection Profiles.

Preparative Procedures and Operational Guidance for the IT Environment

To operate in its evaluated configuration, the TOE requires a minimum of one (1) Certificate Authority (CA), one (1) VPN Gateway, and one (1) Apple iPhone mobile device.

To mirror a customer PKI domain, a two-tier CA solution using an Offline Root CA and an Enterprise Subordinate CA built on Microsoft 2012 R2 Certificate Authority (CA) is referenced in this section. Other CA products may be used in place of Microsoft.

The Root CA is configured as a standalone (workgroup) server, while the Subordinate CA is built as part of a Microsoft domain with Active Directory services enabled. The following diagram provides a visual depiction of the TOE and the IT Environment. The TOE is the software running on iOS 16. The TOE boundary is depicted by the red hashed line. See Figure 1 below.

Figure 1. The TOE and Environment

The Subordinate CA issues X.509 digital certificates and provides the Certificate Revocation List (CRL) to the TOE Platform and the VPN Gateway.
Alternatively, a single (1) Enterprise Root CA may be deployed.

  • Install and Configure the Certificate Authority

If using the Microsoft two-tier CA solution, install and configure the Root (GRAYCA) and Subordinate Enterprise Certificate Authority (GRAYSUBCA1) in accordance with the vendor's guidance. The following is a step-by-step guide for configuring Microsoft Active Directory Certificate Services:

http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
It is assumed that both the Offline Root CA (GRAYCA) certificate and the Subordinate CA (GRAYSUBCA1) certificates shown in Figure 1 are installed and trusted, so that a trusted certificate chain is established. If using a CA from a vendor other than Microsoft, follow that vendor's CA installation guidance.

Regardless of the CA product used, the RSA certificate on the ASA MUST have the following Key Usage and Extended Key Usage attributes:

  • Key Usage: Digital Signature, Key Agreement
  • EKU: IP security IKE intermediate, IP security end system

The Subject Alternative Name (SAN) fields within the ECDSA and RSA certificates on the ASA MUST match the connection information specified in the AnyConnect profile on the client.

  • Install and Configure the VPN Gateway

Install Cisco ASA 9.1 (or later), optionally with ASDM, in accordance with the installation guides and release notes applicable to the versions being installed. ASDM allows the ASA to be managed from a graphical user interface. Alternatively, if the administrator prefers, the equivalent command line interface (CLI) configuration steps may be used.

Gateway Configuration: As there are parameters controlled by the ASA, the Gateway Administrator must follow the steps in this section to ensure the TOE is in its evaluated configuration.

  • Enable AnyConnect and IKEv2 on the ASA. In ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, select the Enable Cisco AnyConnect checkbox and Allow access under IKEv2.
  • On the AnyConnect Connection Profiles page referenced above, select Device Certificate. Ensure that "Use the same device certificate…" is UNCHECKED and select the EC ID certificate under the ECDSA device certificate. Then select OK.
  • Create an IKEv2 crypto policy using the algorithms allowed in the Common Criteria evaluated configuration. In ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > IKE Policies and add an IKEv2 policy.

Select Add and enter 1 as the priority. The range is 1 to 65535, with 1 the highest priority.

Encryption:
AES: Specifies AES-CBC with a 128-bit key.
AES-256: Specifies AES-CBC with a 256-bit key.
AES-GCM-128: Specifies AES Galois Counter Mode with a 128-bit key.
AES-GCM-256: Specifies AES Galois Counter Mode with a 256-bit key.

DH Group: Select the Diffie-Hellman group identifier. Each IPsec peer uses it to derive a shared secret without transmitting the secret to the other peer. Valid choices are: 19 and 20.

PRF Hash: Specify the PRF used to construct the keying material for all cryptographic algorithms used in the SA. Valid choices are: sha256 and sha384.

For this example configuration select:

Priority: 1

Encryption: AES Galois Counter Mode (AES-GCM) 256-bit encryption. When GCM is selected, no integrity algorithm needs to be selected, because authentication is built into GCM, unlike CBC (Cipher-Block Chaining).

Diffie-Hellman Group: 20
Integrity Hash: Null
PRF Hash: sha384
Lifetime: 86400

Select OK.

Administrator Note: Use of any other Encryption, DH Group, Integrity or PRF Hash not listed above was not evaluated.

Administrator Note: The tab above shows the IKE parameter strength enforcement setting. Ensure that the Security Association Strength Enforcement parameter is checked. This ensures that the strength of the IKEv2 encryption cipher is higher than that of its child IPsec SAs' encryption ciphers. Higher-strength child SA algorithms will be downgraded.

The CLI equivalent is: crypto ipsec ikev2 sa-strength-enforcement

  • Create an IPsec proposal. In ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > IPsec Proposals (Transform Sets), add an IKEv2 IPsec Proposal and select OK.
    In the example below the name used is NGE-AES-GCM-256, with AES-GCM-256 encryption and a Null Integrity Hash:
  • Create a dynamic crypto map, select the IPsec proposal and apply it to the outside interface. In ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps. Select Add, then select the outside interface and the IKEv2 proposal.
    Click the Advanced tab. Ensure the following:
    Enable NAT-T: enables NAT Traversal (NAT-T) for this policy
    Security Association Lifetime Settings: set to 8 hours (28800 seconds)
  • Create an address pool VPNUSERS to be assigned to VPN users. Address pools contain the following fields:
    Name: specifies the name assigned to the IP address pool.
    Starting IP Address: specifies the first IP address in the pool.
    Ending IP Address: specifies the last IP address in the pool.
    Subnet Mask: selects the subnet mask applied to the addresses in the pool.

In ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools, add an IP pool specifying the fields above and select OK.

Add a group policy that applies the required settings to VPN users. Group policies let you manage AnyConnect VPN group policies. A VPN group policy is a collection of user-oriented attribute/value pairs stored either internally on the ASA device or externally. Configuring a VPN group policy lets users inherit attributes that you have not configured at the individual group or user level. By default, VPN users have no group policy association. The group policy information is used by VPN tunnel groups and user accounts. In ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies and Add an internal group policy. Ensure that the VPN tunnel protocol is set to IKEv2 and that the IP pool created above is referenced in the policy by unchecking the Inherit checkbox and selecting the appropriate setting. Appropriate DNS, WINS and domain names may also be added to the policy in the Servers section.

See the example group policy NGE-VPN-GP below:

  • Create a tunnel group name. A tunnel group contains the tunnel connection policies for an IPsec connection. A connection policy can specify authentication, authorization and accounting servers, a default group policy, and IKE attributes.

In ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. At the bottom of the page, under Connection Profiles, select Add.

In the example below the tunnel group name NGE-VPN-RAS is used.

The configuration references Certificate Authentication, the associated group policy NGE-VPN-GP and Enable IPsec (IKEv2). DNS and the domain name may also be added here. Also ensure that only IPsec is used by unchecking SSL VPN Client Protocol.

  • Create a certificate map that maps the NGE VPN users to the VPN tunnel group created earlier. The certificate map is used for AC users. In this case the Subordinate CA's common name is matched, so that an incoming TOE platform request presenting an EC certificate issued by the Subordinate CA is mapped to the correct tunnel group created earlier. VPN users who have not been issued a certificate from the EC CA fall back to the default tunnel groups, fail authentication and are denied access.
    In ASDM, navigate to Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps. Under Certificate to Connection Profile Maps select Add. Select the existing DefaultCertificateMap with priority 10 and reference the tunnel group NGE-VPN-RAS.
    On the same page, under Mapping Criteria select Add. Select Issuer, the Common Name (CN) field and the Contains operator, then select OK.
    Ensure you select APPLY on the main page and SAVE the configuration.
  • Configure the ASA to accept VPN connections from the AnyConnect VPN client using the AnyConnect VPN Wizard. This wizard configures the IPsec (IKEv2) VPN protocol for remote network access. See the instructions here:
    https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/asdm710/vpn/asdm-710-vpnconfig/vpn-wizard.html#ID-2217-0000005b
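The ASDM steps above, written out as the equivalent ASA CLI so the resulting configuration can be reviewed line by line. This is an added example, not configuration taken from this guide or from Cisco. The object names NGE-AES-GCM-256, VPNUSERS, NGE-VPN-GP, NGE-VPN-RAS, DefaultCertificateMap and the issuer GRAYSUBCA1 are the ones the guide uses; the interface name outside, the trustpoint and keypair names ASA-ECDSA-ID and ASA-EC-KEY, the gateway name vpn.example.com, the pool range 10.10.10.10-10.10.10.250, the DNS server 10.10.1.53, the domain example.com and the crypto map names NGE-MAP and NGE-DYN-MAP are assumptions.

```cisco
! ASA CLI equivalent of the evaluated-configuration steps above (added example).
! Names marked "assumed" are not taken from the guide.

! --- ECDSA identity certificate: keypair and trustpoint (names assumed).
! 'fqdn' places the gateway name in the CSR's SAN so it matches the client's
! connection entry; the issuing CA must add the KU/EKU values listed earlier.
! 'crypto ca enroll ASA-ECDSA-ID' (exec mode) produces the CSR for GRAYSUBCA1.
crypto key generate ecdsa label ASA-EC-KEY elliptic-curve 384
crypto ca trustpoint ASA-ECDSA-ID
 enrollment terminal
 keypair ASA-EC-KEY
 subject-name CN=vpn.example.com
 fqdn vpn.example.com
 revocation-check crl

! --- IKEv2 policy: AES-GCM-256 (so integrity is null), PRF SHA-384,
! DH group 20, 24-hour lifetime, priority 1 (highest)
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 20
 prf sha384
 lifetime seconds 86400

! --- Security Association Strength Enforcement (the checkbox noted above)
crypto ipsec ikev2 sa-strength-enforcement

! --- IKEv2 remote access on the outside interface, presenting the ECDSA cert
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASA-ECDSA-ID

! --- IPsec (child SA) proposal: AES-GCM-256 with Null integrity hash
crypto ipsec ikev2 ipsec-proposal NGE-AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

! --- Dynamic crypto map bound to outside; 8-hour SA lifetime; NAT-T enabled
crypto dynamic-map NGE-DYN-MAP 10 set ikev2 ipsec-proposal NGE-AES-GCM-256
crypto dynamic-map NGE-DYN-MAP 10 set security-association lifetime seconds 28800
crypto map NGE-MAP 65535 ipsec-isakmp dynamic NGE-DYN-MAP
crypto map NGE-MAP interface outside
crypto isakmp nat-traversal 20

! --- Address pool handed to VPN users (range assumed)
ip local pool VPNUSERS 10.10.10.10-10.10.10.250 mask 255.255.255.0

! --- Group policy: IKEv2 only (no SSL/DTLS client protocol), pool,
! DNS/domain (assumed), and tunnel-all so every flow is PROTECTed
group-policy NGE-VPN-GP internal
group-policy NGE-VPN-GP attributes
 vpn-tunnel-protocol ikev2
 address-pools value VPNUSERS
 dns-server value 10.10.1.53
 default-domain value example.com
 split-tunnel-policy tunnelall

! --- Connection profile (tunnel group): certificate authentication both ways
tunnel-group NGE-VPN-RAS type remote-access
tunnel-group NGE-VPN-RAS general-attributes
 default-group-policy NGE-VPN-GP
tunnel-group NGE-VPN-RAS webvpn-attributes
 authentication certificate
tunnel-group NGE-VPN-RAS ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASA-ECDSA-ID

! --- Certificate map: a client certificate whose issuer CN contains
! GRAYSUBCA1 is mapped to NGE-VPN-RAS; any other client lands in the default
! group and fails authentication. Both the IKE rule form (tunnel-group-map)
! and the AnyConnect/webvpn rule form (certificate-group-map) are shown.
crypto ca certificate map DefaultCertificateMap 10
 issuer-name attr cn co GRAYSUBCA1
tunnel-group-map enable rules
tunnel-group-map DefaultCertificateMap 10 NGE-VPN-RAS
webvpn
 certificate-group-map DefaultCertificateMap 10 NGE-VPN-RAS
```

After a client connects, `show crypto ikev2 sa` should report the IKEv2 SA with AES-GCM-256, PRF SHA384 and DH group 20, and `show crypto ipsec sa` should show the child SA using the NGE-AES-GCM-256 proposal; any other algorithm appearing there means a policy or proposal outside the evaluated set is still configured on the ASA.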

Preparative Procedures and Operational Guidance for the TOE

To install the Cisco Secure Client-AnyConnect TOE, follow the steps below:

  1. Open the App Store.
  2. Select Search
  3. In the search box, enter Cisco Secure Client-AnyConnect
  4. Tap GET
  5. Select Install

Start Cisco Secure Client-AnyConnect

Tap the Cisco Secure Client-AnyConnect icon to start the application. If this is the first time you are starting Cisco Secure Client-AnyConnect after an install or upgrade, select OK to allow the TOE to extend the Virtual Private Network (VPN) capabilities of your device.

Integrity Verification

Integrity verification is performed every time the app is loaded, and the app waits for the verification to complete. The cryptographic services provided by the iOS platform are invoked to verify the digital signature of the TOE executable files. If integrity verification does not complete successfully, the GUI will not load, rendering the application unusable. If integrity verification succeeds, the application GUI loads and operates normally.

Configure the Reference Identifier

This section specifies the configuration of the VPN Gateway peer reference identifier. During IKE phase 1 authentication, the TOE compares the reference identifier to the identifier presented by the VPN Gateway. If the TOE determines that they do not match, authentication fails.

Select Connections on the home screen to view the entries already configured on your device. Multiple connection entries may be listed, some under the App VPN heading. Connection entries can have the following states:

  • Enabled: the connection entry is enabled by the mobile device manager and can be used to connect.
  • Active: the marked or highlighted connection entry is currently active.
  • Connected: the connection entry is the active one and is currently connected and in use.
  • Disconnected: the connection entry is the active one but is not currently connected and not in use.

For instructions see the "Add or Modify Connection Entries Manually" section of [3].

Configure Certificate Usage

AnyConnect requires an X.509 certificate. See the "Configure Certificates" section of [3].

Block Untrusted Servers

This application setting determines whether AnyConnect blocks connections when it cannot identify the secure gateway.
This protection is ENABLED by default and must not be disabled.

AnyConnect uses the certificate received from the server to verify the server's identity. If there is a certificate error due to an expired or invalid date, wrong key usage, or a name mismatch, the connection is blocked.

Configure FIPS Mode for VPN
FIPS mode for VPN uses Federal Information Processing Standards (FIPS) cryptographic algorithms for all VPN connections.

  1. In the Cisco Secure Client-AnyConnect app, tap Settings.
  2. Tap FIPS Mode to enable this setting.

To meet the cryptographic requirements of the ST, FIPS mode must be enabled. After the FIPS mode change is confirmed, the application exits and must be restarted manually. Upon restart, your FIPS mode setting is in effect.

Strict Certificate Trust Mode

This setting configures the Cisco Secure Client-AnyConnect TOE to reject any VPN Gateway end-entity certificate that it cannot verify automatically.

  1. From the home window, tap Menu > Settings.
  2. Enable Strict Certificate Trust Mode.

On the next connection attempt, Strict Certificate Trust is in effect.

Configure Certificate Revocation

This setting controls whether the Cisco Secure Client-AnyConnect TOE determines the revocation status of the certificate received from the head-end VPN Gateway. This setting must be ENABLED and must not be disabled.

  1. From the AnyConnect home window, tap Menu > Settings.
  2. Enable Check Certificate Revocation to enable this setting.

TOE Operational Guidance

Establish a VPN Connection

See the "Establish a VPN Connection" section of [3].

The Administrator must be aware of the following PROTECT, BYPASS and DISCARD policies regarding the use of IPsec on AnyConnect:

  • PROTECT
    PROTECT entries are configured by the remote access group policy on the ASA using ASDM. For a PROTECT entry, traffic traverses the IPsec VPN tunnel provided by the TOE. No configuration is required for the TOE to tunnel all traffic. The administrator may optionally configure this behavior explicitly with the following command in the Group Policy: split-tunnel-policy tunnelall.
  • BYPASS
    The TOE supports BYPASS operations (when split tunneling has been explicitly allowed by the Remote Access policy). When split tunneling is enabled, the ASA VPN Gateway pushes to the TOE the list of network segments to PROTECT. All other traffic flows unprotected without involving the TOE, thereby bypassing IPsec protection.
    Split tunneling is configured in the Network (Client) Access group policy. The administrator has the following options:
    Exclude specified: exclude only the networks specified by the split-tunnel-network-list
    Tunnel specified: tunnel only the networks specified by the split-tunnel-network-list
    See "About Configuring Split Tunneling for AnyConnect Traffic" in the VPN section of the ASDM configuration guide and the steps given in the section "Configure Split-Tunneling for AnyConnect Traffic". After making changes to the group policy in ASDM, be sure the group policy is associated with the Connection Profile in Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Group Policy. BYPASS SPD entries are provided by the host platform through its implicit network route permit rules. No configuration is required on the TOE platform to allow it to bypass this traffic.
  • DISCARD
    DISCARD rules are implemented solely by the TOE platform. There is no administrative interface to specify a DISCARD rule.
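The three split-tunnel settings from the PROTECT and BYPASS bullets above, side by side as ASA CLI so the difference between "everything PROTECTed" and "some traffic BYPASSes IPsec" is visible in the configuration. This is an added example, not configuration from the guide; NGE-VPN-GP is the guide's group policy name, while the ACL name SPLIT-NETS and the 10.0.0.0/8 and 172.16.0.0/12 prefixes are assumptions. A group policy holds only one split-tunnel-policy at a time; the last one entered replaces the previous one.

```cisco
! Networks referenced by the two split-tunnel variants (standard ACL; assumed ranges)
access-list SPLIT-NETS standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-NETS standard permit 172.16.0.0 255.240.0.0

! PROTECT everything: no BYPASS entries are pushed to the TOE (the evaluated default)
group-policy NGE-VPN-GP attributes
 split-tunnel-policy tunnelall

! Tunnel specified: only SPLIT-NETS is PROTECTed; all other traffic BYPASSes IPsec
group-policy NGE-VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-NETS

! Exclude specified: SPLIT-NETS BYPASSes IPsec; everything else is PROTECTed
group-policy NGE-VPN-GP attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-NETS
```

`show running-config group-policy NGE-VPN-GP` shows which of the three is currently in force; if the evaluated deployment is meant to PROTECT all traffic, only the tunnelall line should appear there.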

Monitoring and Troubleshooting

See the Monitoring and Troubleshooting section of [3].

Exit Cisco Secure Client-AnyConnect
Exiting the app terminates the current VPN connection and stops all TOE processes. Use this step with caution. Other apps or processes on your device may be using the current VPN connection, and exiting the Cisco Secure Client-AnyConnect app may adversely affect their operation.

From the home window, tap Menu > Exit.

Cryptographic Support
The TOE provides cryptography in support of IPsec, with ESP symmetric cryptography for bulk AES encryption/decryption and the SHA-2 algorithm for hashing. In addition, the TOE provides cryptography to support the Diffie-Hellman key exchange and the key derivation function used in the IKEv2 and ESP protocols. Instructions for configuring cryptographic functions are given in the "Preparative Procedures and Operational Guidance for the IT Environment" section of this document.

Trusted Update

This section provides instructions for securely accepting the TOE and any subsequent TOE updates. An "update" is a new version of the TOE.

The TOE version can be queried by the user. From the home screen tap "About". The version can also be queried from the mobile platform:

  • iPhone: Open Settings and go to General > Usage. Under Storage, find Cisco Secure Client-AnyConnect and tap it. The version information is displayed.

Updates to the Cisco Secure Client-AnyConnect TOE are managed through the Apple App Store using the process below.

Note: Before upgrading your device you must disconnect the VPN session if one is established, and close the application if it is open. If you fail to do so, a restart of your device is required before you can use the new version of the Cisco Secure Client-AnyConnect TOE.

  1. Tap the App Store icon on the iOS home page.
  2. Tap the Cisco Secure Client-AnyConnect upgrade notification.
  3. Read about the new features.
  4. Tap Update.
  5. Enter your Apple ID password.
  6. Tap OK.

The update proceeds.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly on your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.

Contacting Cisco

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
