SSL VPN on IOS router

sheldonscott
Level 1

I have created an SSL VPN on an 1841 router. When I enter the IP address of the router in the browser I get prompted to enter a username and password. I get logged in; however, the SSL VPN client does not download to the client. Does anyone know what could be missing? I really appreciate your help.

13 Replies

deyassccna
Level 1

Dear Sheldonscott,

I did the implementation of an ISR1841 with AnyConnect last week. I almost cried...

First of all, please check the IOS and other requirements.

You have to choose the T train, IOS 12.4(6)T or higher.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/prod_qas0900aecd80323cba.pdf

If these are satisfied, then you have to put the AnyConnect pkg file to be downloaded on the router in advance.

Also check the number of max-users, "max-users 10" for the 1841.

If you can post the configuration, or describe the situation in detail, I think I could help you (or other experts who know more).

Thanks for the doc. I am going to upgrade the code. I have an older version than 12.4T.

Herbert Baerten
Cisco Employee

Do you have this:

webvpn context
 policy group
   functions svc-required
 default-group-policy

b.schlegel
Level 1

This doc works flawlessly; however, you have to use the GUI.

http://www9.cisco.com/application/pdf/paws/110608/ssl-ios-00.pdf

The link that you provided was the first doc that I used. However, I had to change the version of Java that I had for CCP to work. Then CCP would stop working in the middle of the process. So I then changed back to using my SDM. What version of Java do you have?

Version 6 Update 17. The only issue I really ran into was getting the SSL VPN package onto the router, since I did it over the internet. What I did was simply TFTP it to the router and then do the install with CCP. I find CCP a lot cleaner and easier to use than the SDM, but I do wish it could be done from the command line more easily. Unfortunately, Cisco's documentation seems to use the GUI a lot these days. Also make sure you have 12.4(24)T; it's very important to have one of the new IOS versions, as the standalone won't even run on the older IOS.

Here is the final config on the 1841:

! Local login list referenced by the webvpn context below
aaa authentication login ciscocp_vpn_xauth_ml_1 local
!
! Self-signed trustpoint presented by the SSL VPN gateway
crypto pki trustpoint TP-self-signed-2208354296
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2208354296
 revocation-check none
 rsakeypair TP-self-signed-2208354296
!
crypto pki certificate chain TP-self-signed-2208354296
 certificate self-signed 01
  3082025F 308201C8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323038 33353432 3936301E 170D3039 30383139 31393039
  34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32303833
  35343239 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B5E1 244856DB B1AEA753 47F69F40 78E3390D 856E3869 6DE50226 BBC0ED6D
  B98C0C25 D7780AF2 815B904B E07B581E 880662E3 D2C5CAC5 5599BC01 2D368F1A
  2054CC70 5DACD33D 785E224F E7ECDADA 5F478DCA 2C15F5B5 E2A2E7C0 4263D227
  5AF6D83F B376C691 2A8760BB 9FBCA2E0 0C774709 61C2FE6B 8F651237 D0348743
  F19B0203 010001A3 81863081 83300F06 03551D13 0101FF04 05300301 01FF3030
  0603551D 11042930 2782254C 616E6361 73746572 4D756C74 694C696E 6B2E6375
  73746F6D 6572646F 6D61696E 2E636F6D 301F0603 551D2304 18301680 14229D6B
  8C7D1334 51CA8058 0BF6F8A1 41A43A70 75301D06 03551D0E 04160414 229D6B8C
  7D133451 CA80580B F6F8A141 A43A7075 300D0609 2A864886 F70D0101 04050003
  8181006C 597E1D87 78E72E6B E2371699 DC65BCF6 65693CD6 1BA37D95 7BA5C270
  6D701C96 8EA4D868 63DB7286 81A99D08 0AC30662 A1346F26 D7782A07 0CAB190A
  437A2244 BCFB145F 7CDEA9FF 2FC148D9 FCA2ADC7 F25759DF 65832716 1CCA5865
  BD8D3874 AFBC0F79 DBE316AC E9564AEF 3CF25212 A71AD6E4 6B57FFE3 6F64205E 28B874
        quit
!
! Addresses handed out to AnyConnect clients
ip local pool SSLVPNPOOL 172.16.3.1 172.16.3.254
!
ip http server
ip http authentication local
!
! Gateway: listens on 443, redirects plain HTTP, presents the self-signed trustpoint
webvpn gateway gateway_1
 ip address x.x.x.x port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-2208354296
 inservice
!
! AnyConnect package the portal pushes to the browser (must be installed in advance)
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
!
webvpn context lansslvpn
 secondary-color white
 title-color #669999
 text-color black
 ssl authenticate verify all
 !
 ! svc-enabled offers the tunnel client; svc-required would force it
 policy group policy_1
   functions svc-enabled
   svc address-pool "SSLVPNPOOL"
   svc keep-client-installed
   svc split include x.x.x.x 255.255.255.0
   svc dns-server primary x.x.x.x
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!
end
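The checks this thread keeps coming back to (AnyConnect package installed on the router, gateway and context in service, a policy group with svc functions, default-group-policy, address pool and AAA list all resolving to something that is defined, plus the port-443 overlap with ip http secure-server that comes up further down) can be run mechanically against a running-config dump. The script below is an added example, not from the thread or from Cisco; the sample config inside it is a constructed, reduced copy of the config posted above with the same names, and the "broken" variant is constructed to show failing checks.

```python
# Added example: lint the webvpn parts of an IOS running-config for the
# gaps discussed in this thread.  Pure stdlib; no router access needed.

# Constructed sample: the posted 1841 config reduced to its webvpn-relevant lines.
SAMPLE_CONFIG = """\
aaa authentication login ciscocp_vpn_xauth_ml_1 local
!
ip local pool SSLVPNPOOL 172.16.3.1 172.16.3.254
!
ip http server
ip http authentication local
!
webvpn gateway gateway_1
 ip address x.x.x.x port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-2208354296
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
!
webvpn context lansslvpn
 ssl authenticate verify all
 policy group policy_1
   functions svc-enabled
   svc address-pool "SSLVPNPOOL"
   svc keep-client-installed
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
end
"""

# Constructed failing variant: package never installed, default policy points nowhere.
BROKEN_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines() if not line.startswith("webvpn install")
).replace("default-group-policy policy_1", "default-group-policy policy_2")


def parse_ios(text):
    """Turn IOS indentation into nested (command, children) lists; '!' lines are comments."""
    root, stack = [], [(-1, None)]
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:          # close blocks that are not deeper than this line
            stack.pop()
        node = (raw.strip(), [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def _first(cmds, prefix, field=-1, default=None):
    """Chosen word of the first command starting with prefix (default: last word)."""
    return next((c.split()[field] for c in cmds if c.startswith(prefix)), default)


def check_sslvpn(text):
    """Return a list of findings; an empty list means every thread check passed."""
    cfg = parse_ios(text)
    top = [cmd for cmd, _ in cfg]
    findings = []
    if not any(c.startswith("webvpn install svc") for c in top):
        findings.append("no 'webvpn install svc <pkg>': the AnyConnect package must be on the router before the portal can push it")
    gateways = {c.split()[2]: [k for k, _ in kids] for c, kids in cfg if c.startswith("webvpn gateway ")}
    pools = {c.split()[3] for c in top if c.startswith("ip local pool ")}
    login_lists = {c.split()[3] for c in top if c.startswith("aaa authentication login ")}
    for name, cmds in gateways.items():
        if "inservice" not in cmds:
            findings.append(f"gateway {name} is not 'inservice'")
        if _first(cmds, "ssl trustpoint ") is None:
            findings.append(f"gateway {name} has no 'ssl trustpoint'")
        port = _first(cmds, "ip address ", default="443")
        port = port if port.isdigit() else "443"   # 'ip address x.x.x.x' without 'port' means 443
        if "ip http secure-server" in top and port == "443":
            findings.append(f"gateway {name} and 'ip http secure-server' both use port 443; the thread suggests 'no ip http secure-server' while testing")
    for cmd, kids in cfg:
        if not cmd.startswith("webvpn context "):
            continue
        ctx, cmds = cmd.split()[2], [k for k, _ in kids]
        groups = {c.split()[2]: [k for k, _ in g] for c, g in kids if c.startswith("policy group ")}
        if "inservice" not in cmds:
            findings.append(f"context {ctx} is not 'inservice'")
        gw = _first(cmds, "gateway ")
        if gw not in gateways:
            findings.append(f"context {ctx}: gateway {gw!r} is not a defined 'webvpn gateway'")
        default = _first(cmds, "default-group-policy ")
        if default not in groups:
            findings.append(f"context {ctx}: default-group-policy {default!r} matches no 'policy group'")
            continue
        pg = groups[default]
        if not any(c in ("functions svc-enabled", "functions svc-required") for c in pg):
            findings.append(f"policy group {default}: no 'functions svc-enabled/svc-required', so the tunnel client is never offered")
        pool = _first(pg, "svc address-pool ", default="").strip('"')
        if pool not in pools:
            findings.append(f"policy group {default}: svc address-pool {pool!r} is not an 'ip local pool'")
        lst = _first(cmds, "aaa authentication list ")
        if lst is not None and lst not in login_lists:
            findings.append(f"context {ctx}: aaa authentication list {lst!r} has no 'aaa authentication login' definition")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("posted config", SAMPLE_CONFIG), ("broken variant", BROKEN_CONFIG)):
        print(label, "->", check_sslvpn(cfg_text) or "OK")
```

Paste the output of `show running-config` into `check_sslvpn` as-is; the parser only relies on IOS's one-space-per-level indentation, so the mixed indentation in the post above is handled once the config is taken from the router rather than retyped.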

Thanks a great deal for the info. I do not have 12.4T on the router. I am going to upload it now; hopefully it will work.

sheldonscott
Level 1

Okay guys, I made some changes. I actually had a recent IOS version, 12.4(24)T. Now when I log on I get the following error: "The installer was not able to start the Cisco SSL VPN Client. Please contact your IT administrator for more information." I have attached the configs. Thanks again for your assistance.

Sheldon.

Try adding "no ip http secure-server" via the command line and test; maybe the router is trying to respond to the CP on the outside instead of pushing it to AnyConnect.

I tried that, but it did not work. However, in my browser I get a red X saying "Certificate Error". Is there a way I can regenerate the cert?

You could try rebuilding it: remove the key manually, then enable HTTPS and it should automatically rebuild the cert, I think. Then "no" out HTTPS again. I might try downloading the standalone version of the VPN client from Cisco's site with a valid CCO account and see if you get the same error, or even try it on another PC to rule out browser errors.
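Before rebuilding the certificate it is worth seeing exactly what the browser is objecting to. The posted config carries the full self-signed certificate as a hex dump, so it can be decoded offline. The script below is an added example, not from the thread or from Cisco: a minimal DER walker (stdlib only) that pulls the subject, validity, signature algorithm, key size and subjectAltName out of that blob and lists the reasons a browser shows a red X. The hex is copied verbatim from the config above; the hostname passed in at the end is an assumption (203.0.113.1 is a placeholder for "users browse to the gateway by IP", as in the original question).

```python
# Added example: decode the self-signed certificate from the config posted
# above and list why a browser flags it.  Stdlib only, runs offline.
from datetime import datetime, timezone

# Copied verbatim from the "crypto pki certificate chain" block in the posted config.
IOS_CERT_HEX = """
3082025F 308201C8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D
53656C66 2D536967 6E65642D 43657274 69666963 6174652D 32323038 33353432 3936301E 170D3039 30383139 31393039
34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43
65727469 66696361 74652D32 32303833 35343239 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B5E1 244856DB B1AEA753 47F69F40 78E3390D 856E3869 6DE50226 BBC0ED6D B98C0C25 D7780AF2 815B904B E07B581E
880662E3 D2C5CAC5 5599BC01 2D368F1A 2054CC70 5DACD33D 785E224F E7ECDADA 5F478DCA 2C15F5B5 E2A2E7C0 4263D227
5AF6D83F B376C691 2A8760BB 9FBCA2E0 0C774709 61C2FE6B 8F651237 D0348743 F19B0203 010001A3 81863081 83300F06
03551D13 0101FF04 05300301 01FF3030 0603551D 11042930 2782254C 616E6361 73746572 4D756C74 694C696E 6B2E6375
73746F6D 6572646F 6D61696E 2E636F6D 301F0603 551D2304 18301680 14229D6B 8C7D1334 51CA8058 0BF6F8A1 41A43A70
75301D06 03551D0E 04160414 229D6B8C 7D133451 CA80580B F6F8A141 A43A7075 300D0609 2A864886 F70D0101 04050003
8181006C 597E1D87 78E72E6B E2371699 DC65BCF6 65693CD6 1BA37D95 7BA5C270 6D701C96 8EA4D868 63DB7286 81A99D08
0AC30662 A1346F26 D7782A07 0CAB190A 437A2244 BCFB145F 7CDEA9FF 2FC148D9 FCA2ADC7 F25759DF 65832716 1CCA5865
BD8D3874 AFBC0F79 DBE316AC E9564AEF 3CF25212 A71AD6E4 6B57FFE3 6F64205E 28B874
"""

SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
OID_CN, OID_SAN, OID_BASIC = "2.5.4.3", "2.5.29.17", "2.5.29.19"

def read_tlv(buf, pos):
    """(tag, value, next_pos) for the DER element at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """All (tag, value) elements directly inside a SEQUENCE or SET body."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def common_name(name):
    """Name = SEQUENCE OF SET OF (type OID, value); return the CN string."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            if decode_oid(oid) == OID_CN:
                return val.decode("ascii")

def utc_time(raw):  # UTCTime "YYMMDDHHMMSSZ"
    return datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def decode_certificate(hex_text):
    der = bytes.fromhex("".join(hex_text.split()))
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = children(cert)          # tbsCertificate, signatureAlgorithm, signature
    fields = children(tbs)
    if fields[0][0] == 0xA0:                             # explicit [0] version, present for v3
        fields = fields[1:]
    _, _, issuer, validity, subject, spki = [v for _, v in fields[:6]]
    not_before, not_after = [utc_time(v) for _, v in children(validity)]
    bit_string = children(spki)[1][1]                    # BIT STRING: unused-bits byte, then RSAPublicKey
    (_, modulus), _ = children(children(bit_string[1:])[0][1])
    info = {"subject_cn": common_name(subject), "self_signed": issuer == subject,
            "signature_algorithm": SIG_ALGS.get(decode_oid(children(sig_alg)[0][1]), "other"),
            "rsa_bits": int.from_bytes(modulus, "big").bit_length(),
            "not_before": not_before, "not_after": not_after, "san_dns": [], "is_ca": False}
    for ext_wrapper in (v for t, v in fields[6:] if t == 0xA3):   # [3] extensions
        for _, ext in children(children(ext_wrapper)[0][1]):
            parts = children(ext)                        # extnID, [critical], extnValue OCTET STRING
            oid, body = decode_oid(parts[0][1]), children(parts[-1][1])[0][1]
            if oid == OID_SAN:                           # GeneralName tag 0x82 = dNSName
                info["san_dns"] = [v.decode("ascii") for t, v in children(body) if t == 0x82]
            elif oid == OID_BASIC:                       # SEQUENCE { cA BOOLEAN DEFAULT FALSE }
                info["is_ca"] = any(t == 0x01 and v == b"\xff" for t, v in children(body))
    return info

def certificate_warnings(info, hostname, now):
    """The reasons a browser will show a certificate error for this gateway."""
    out = []
    if info["self_signed"]:
        out.append("self-signed: no trusted issuer, so the browser warns until the cert is imported or replaced")
    if info["signature_algorithm"] == "md5WithRSAEncryption":
        out.append("signed with MD5, which browsers no longer accept")
    if info["rsa_bits"] < 2048:
        out.append(f"{info['rsa_bits']}-bit RSA key is below the 2048-bit minimum of the CA/Browser Forum baseline")
    if hostname != info["subject_cn"] and hostname not in info["san_dns"]:
        out.append(f"name mismatch: {hostname!r} is neither the CN nor a subjectAltName")
    if not info["not_before"] <= now <= info["not_after"]:
        out.append(f"outside validity period {info['not_before']:%Y-%m-%d} to {info['not_after']:%Y-%m-%d}")
    return out

if __name__ == "__main__":
    cert = decode_certificate(IOS_CERT_HEX)
    print(cert)
    # Assumed: users reach the gateway by IP, as in the original question (placeholder address).
    for w in certificate_warnings(cert, "203.0.113.1", datetime.now(timezone.utc)):
        print("WARNING:", w)
```

For this particular certificate the decoder reports a self-signed, MD5-signed, 1024-bit RSA certificate whose only subjectAltName is a DNS name, so anyone who browses to the gateway by IP address gets four separate reasons for the red X. Regenerating the self-signed cert on the router fixes none of the first three; a certificate from a CA the clients already trust (or at least a SHA-256, 2048-bit self-signed one imported into the clients' trust store), with the gateway's real name in it, does.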

F.Y.I.

I used SDM to configure it because CCP did not work correctly.

With SDM, you can delete and rebuild the SSL self-signed certificate in the VPN menu.

Then please reload!

And this might sound like a "cheat" or a "bug", but in my case, modifying and creating an additional remote access group profile, name, DHCP pool and so on changed a situation like yours, and it finally worked fine.

(I could not choose the latest IOS as flash does not have enough space.)

deyass

Deyassccna,

I will try your suggestion. The install actually goes all the way through, but of course we get a few messages about the cert. So this weekend I will recreate the profile etc. and also try another IOS version remotely. I should be able to get this working by Monday. I am really close; I can actually taste it. The SSL VPN is an alternative solution for my remote users. They all currently use IPsec through the VPN concentrator. Thanks everyone for all your help. I really do appreciate this.

Sheldon.
