Not sure if anyone is interested, but I've set up an SSL VPN in a lab environment and the config was fairly easy, so I thought I'd share. Useful if you ever need to remote into work/home. There are several configuration and design options, and for more information on the IOS-based side of the SSL VPN (as opposed to ASAs) see this website.
You'll need an ISR series (800/1800/2800/3800) router or an ASA. This config is based on a 2811. I've found that the latest version of the IOS (c2800nm-adventerprisek9-mz.124-24.T1) works the best for both the web access and tunnel access, but you'll obviously need a SMARTnet contract, CCIE or PICA access to download it. Licences are your own responsibility, but several (I think 2?) licences are available for free.
Some screenies of the web portal:
This is the login screen the user is presented with.
The home page of the user. The bookmarks are for internal websites, and users can bookmark internal pages to access through the portal, in this case the configuration page for FreeNAS. On the right is web-based access to Windows (CIFS/Samba) shares, as shown in the last screenshot. Below that is the full tunnel button. This will use Java to download the VPN client to the remote machine, then install, configure and connect automatically, making the machine appear as if it's on the LAN of the remote site.
On to the config!
aaa new-model
!
! Use local usernames for SSL VPN logins
aaa authentication login SSLVPN local
!
! Local username
username jimmeh password XXXXXX
!
! Trustpoint details for the certificate used for SSL
crypto pki trustpoint local
 enrollment selfsigned
 serial-number
 fqdn external.domainnamehere.com
 subject-name CN=external.domainnamehere.com
 revocation-check none
 rsakeypair SSLVPN
!
! Create the self-signed certificate associated with trustpoint "local"
crypto pki enroll local
!
! Used to redirect from the dynamic IP on the ADSL dialer interface
interface Loopback0
 ip address 192.168.4.1 255.255.255.255
!
! Used as a default gateway by machines on the VPN LAN segment
interface Loopback1
 ip address 192.168.3.1 255.255.255.0
!
! IP addresses used by machines in full tunnel mode
ip local pool SSLVPNPOOL 192.168.3.11 192.168.3.20
!
! Map the HTTPS port on Loopback0 to the dynamic dialer interface
ip nat inside source static tcp 192.168.4.1 443 interface Dialer1 443
!
! Activate the webvpn gateway service
webvpn gateway SSLVPN
 ! Define the IP/port to listen on
 ip address 192.168.4.1 port 443
 ! Encryption used on the link
 ssl encryption aes-sha1
 ! Certificate/trustpoint to use on the link
 ssl trustpoint local
 ! Turn on the gateway
 inservice
!
! Installed on flash so users can download the VPN client through the web portal
webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1
!
! Defines the user experience/access
webvpn context SSLVPNCONTEXT
 ! Title on the web page
 title "Dopeycat"
 ! The greatest cat in the world
 login-photo file flash:/Cat.gif
 ! Another logo for the web portal
 logo file flash:/milo-paw-print.png
 ! Colours on the web portal
 color #003366
 secondary-color #003366
 title-color black
 ! Added automatically when a context is created, can't be removed
 ssl authenticate verify all
 ! Bind the SSLVPN login list defined above to this context (this line was not in the
 ! original post; without it the context falls back to the default AAA login list)
 aaa authentication list SSLVPN
 !
 ! Define a list of NetBIOS name servers
 nbns-list "SSLNBNS"
  ! IP address of the WINS server
  nbns-server 192.168.2.12
 ! Message on the login portal
 login-message "Welcome to Dopeycat"
 !
 ! Define a list of CIFS shares
 cifs-url-list "SSLCIFS"
  ! Heading
  heading "NAS"
  ! Link to the CIFS share
  url-text "Phat" url-value "//nas/Phat"
 !
 ! User policies
 policy group SSLVPNPOLICY
  ! Attach the list of CIFS shares
  cifs-url-list "SSLCIFS"
  ! Attach the list of WINS servers
  nbns-list "SSLNBNS"
  ! File access and browsing on the CIFS shares
  functions file-access
  functions file-browse
  ! Enables full tunnel access; the other option is svc-required, which is ONLY tunnel access
  functions svc-enabled
  ! Self explanatory - don't want dead sessions hanging around
  timeout idle 600
  ! Attach an IP address pool to hand out to clients
  svc address-pool "SSLVPNPOOL"
  ! Domain suffix given to the VPN adapter on clients
  svc default-domain "dopeycat.local"
  ! Allow the AnyConnect client to remain installed on clients even after disconnecting
  svc keep-client-installed
  ! Split tunnel lets the client use its local internet connection and only encrypt
  ! traffic bound for the secure site; split DNS does the same for name resolution.
  ! This defines the suffix for the split.
  svc split dns "dopeycat.local"
  ! IP range to include for encryption over the tunnel
  svc split include 192.168.0.0 255.255.0.0
  ! DNS server IP for the tunnel
  svc dns-server primary 192.168.2.10
 ! Attach the policy to apply to SSLVPNCONTEXT
 default-group-policy SSLVPNPOLICY
 ! Attach this context to the gateway configuration above
 gateway SSLVPN
 max-users 5
 ! Turn on
 inservice
!
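As an added example (my own script, not part of the original post or any Cisco tool), here is a small Python checker for the webvpn config above: it confirms the tunnel DNS server falls inside the split-include range, that the address pool sits in the Loopback1 subnet, and it flags the self-signed trustpoint with revocation checking off, a missing idle timeout, and a context that binds no AAA method list. The embedded SAMPLE is constructed in the shape of the posted config, not a real device dump.

```python
import ipaddress
import re

# Constructed sample in the shape of the post's config (not a real device dump).
SAMPLE = """\
aaa authentication login SSLVPN local
crypto pki trustpoint local
 enrollment selfsigned
 revocation-check none
interface Loopback1
 ip address 192.168.3.1 255.255.255.0
ip local pool SSLVPNPOOL 192.168.3.11 192.168.3.20
webvpn context SSLVPNCONTEXT
 policy group SSLVPNPOLICY
  timeout idle 600
  svc split include 192.168.0.0 255.255.0.0
  svc dns-server primary 192.168.2.10
"""

def _flat(cfg):
    """Strip IOS submode indentation; names in this post are unique, so nesting is not needed."""
    return "\n".join(line.strip() for line in cfg.splitlines())

def split_includes(cfg):
    """Networks the client will send into the tunnel (svc split include ADDR MASK)."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^svc split include (\S+) (\S+)$", _flat(cfg), re.M)]

def audit(cfg):
    """Return findings a defender would review before exposing the portal."""
    flat, findings = _flat(cfg), []
    def grep(pattern):
        return re.search(pattern, flat, re.M)
    dns = grep(r"^svc dns-server primary (\S+)$")
    if dns and not any(ipaddress.ip_address(dns.group(1)) in n for n in split_includes(cfg)):
        findings.append("tunnel DNS server lies outside the split-include networks")
    pool = grep(r"^ip local pool \S+ (\S+) (\S+)$")
    lo1 = grep(r"^interface Loopback1\nip address (\S+) (\S+)$")
    if pool and lo1:
        lan = ipaddress.ip_network(f"{lo1.group(1)}/{lo1.group(2)}", strict=False)
        if not all(ipaddress.ip_address(p) in lan for p in pool.groups()):
            findings.append("address pool is not inside the Loopback1 subnet")
    if grep(r"^enrollment selfsigned$") and grep(r"^revocation-check none$"):
        findings.append("self-signed certificate with no revocation check: clients cannot validate the gateway")
    if not grep(r"^timeout idle \d+$"):
        findings.append("policy group sets no idle timeout")
    if not grep(r"^aaa authentication list \S+$"):
        findings.append("webvpn context binds no AAA method list")
    return findings
```

Run `audit(SAMPLE)` against a `show running-config` dump to get the same findings for a real router; the self-signed finding is expected in a lab but is what lets a rogue gateway impersonate yours in production.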