Trying to set up a VPN

Answered Question

I thought an SSL VPN would be good, but every time I go to connect to it I have to click through security warnings and install a security certificate. Other than that the VPN works; however, there will be less tech-savvy (and patient) users using this VPN, and they will not want to have to click through a bunch of security warnings to get to the VPN. So is there a way I can have the user connect to a web portal once and have that download the AnyConnect VPN software onto their computer, so that after that all they have to do is open the AnyConnect software and type in a username and password, and preferably have the VPN software remember the IP address for them? Also, if this could be done via CCP that would be great; I'm new to Cisco routers and don't know the command line yet. If it can't be done via CCP then I guess I'll have to bite the bullet and do it via the command line. Thanks.

Correct Answer by Yudong Wu about 6 years 2 months ago

The problem is that you configured to use keypair "test" in the trustpoint but you did not generate the key with label "test".

Please follow exactly the steps below.

1. generate a key with name "test"

crypto key generate rsa modulus 1024 label test

2. remove "ip domain name" if it is configured

no ip domain name xxxx.xxx

3. configure your trustpoint like the following

crypto pki trustpoint self-signed
enrollment selfsigned
fqdn
subject-name CN=
rsakeypair test

4. change your host name to IP address.

hostname

5. crypto pki enroll self-signed

6. change your hostname back to its previous name.

7. add "ip domain name" back

8. change webvpn config to point to the new trustpoint

webvpn gateway gateway_1

ssl trustpoint self-signed

Then try the webvpn by using your public IP.

Overall Rating: 5 (2 ratings)
Yudong Wu Thu, 09/02/2010 - 21:20

On the SSL VPN client, you need to install the certificate of the root CA which issued the certificate to your SSL VPN Router/ASA. The root CA should be in the trusted list on your client's computer as well.

What do you mean by on the SSL client I have to install a certificate? When I access the VPN web portal through the IP address I get to a page where I type in a username and password, then from there I go to a Cisco SSL VPN Service page. I click on the Start button by Tunnel Connection, then I get a whole bunch of certificate warnings, then I get a screen that asks me to install the certificate. I do that and then I am able to connect to the VPN. But this happens every time I need to connect to the VPN. I've seen Cisco VPNs where I just open up the AnyConnect client on my computer and choose the IP from a drop-down list, then it asks me for a user name and password; once I enter those I am connected to the VPN with no hassle.

Building configuration...

Current configuration : 13425 bytes

!

! Last configuration change at 08:32:26 PCTime Fri Sep 3 2010 by administrator

! NVRAM config last updated at 16:47:39 PCTime Thu Sep 2 2010 by administrator

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname *name*

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 *password*

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

clock timezone PCTime -7

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-4112746227

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4112746227

revocation-check none

rsakeypair TP-self-signed-4112746227

!

!

crypto pki certificate chain TP-self-signed-4112746227

certificate self-signed 01

  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34313132 37343632 3237301E 170D3130 30383234 31373234

  33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313237

  34363232 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100E019 5ECA9061 1B264BA9 00CB9644 F55859F7 E8B62916 11FF750C C1F84F99

  BB531024 D90BDF1A C4FE5841 7FC2F512 4B62F7B9 455C58D8 DFF4EE80 42EB09AE

  50BF3B90 275BF68D 01D18313 CE3BC743 E0BA0AED F1DC5214 2F2DB892 B3877BCC

  0668D120 499FE43A C54B0E79 39459CAD 8C5ADB85 29F24C6B 1C2C06E3 47DC26DC

  42450203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603

  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D

  301F0603 551D2304 18301680 149F4E46 8DB29BD6 9657D5DD D700A6F8 DC4D7E28

  9D301D06 03551D0E 04160414 9F4E468D B29BD696 57D5DDD7 00A6F8DC 4D7E289D

  300D0609 2A864886 F70D0101 04050003 8181000A 7A1FC97B 3261F4DC 226ECC63

  890E13D2 29DD0398 2C335CAA A8D4ABFF 4D9E4927 70813327 0A940859 9D87F4EA

  F9F016E1 258ACBC2 F68EA255 045D0976 9F01B97C 8FBCC4B6 84835922 3F069EE8

  14353DF2 9CF5AF42 A905777A 9220089E E4FD59B9 40ADD114 0878EBA1 A0997B04

  3288FD2F 1710878A 4A20C8EC 549A0BE1 EB164B

      quit

dot11 syslog

no ip source-route

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.11.100.1 10.11.100.99

!

ip dhcp pool ccp-pool1

   import all

   network 10.11.100.0 255.255.255.0

   default-router 10.11.100.1

!

!

no ip bootp server

no ip domain lookup

ip domain name yourdomain.com

!

multilink bundle-name authenticated

!

!

username *name* privilege 15 secret 5 *password*

username *name* privilege 7 secret 5 *password*

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key *password* address *ip address*

crypto isakmp key *password* address *ip address 2*

!

crypto isakmp client configuration group *group name*

key *Password*

pool *name*

crypto isakmp profile ciscocp-ike-profile-1

   match identity group *group name*

   client authentication list ciscocp_vpn_xauth_ml_2

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA2

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to*ip address*

set peer *ip address*

set transform-set ESP-3DES-SHA

match address 102

!

crypto map SDM_CMAP_2 1 ipsec-isakmp

description Tunnel to*ip address 2*

set peer *ip address 2*

set transform-set ESP-3DES-SHA1

match address 106

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 104

class-map type inspect match-all sdm-cls-VPNOutsideToInside-2

match access-group 107

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any SDM_WEBVPN

match access-group name SDM_WEBVPN

class-map type inspect match-all SDM_WEBVPN_TRAFFIC

match class-map SDM_WEBVPN

match access-group 101

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 103

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-pol-VPNOutsideToInside-1

class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

class type inspect sdm-cls-VPNOutsideToInside-2

  inspect

class class-default

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect SDM_VPN_PT

  pass

class type inspect SDM_WEBVPN_TRAFFIC

  inspect

class class-default

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-VPNOutsideToInside-1

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

!

!

!

interface FastEthernet0

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip address dhcp client-id FastEthernet0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

zone-member security out-zone

ip route-cache flow

duplex auto

speed auto

crypto map SDM_CMAP_2

!

interface FastEthernet1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

shutdown

duplex auto

speed auto

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet0

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$

ip address 10.11.100.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip route-cache flow

ip tcp adjust-mss 1452

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

ip local pool *name* 10.11.100.50 10.11.100.99

ip forward-protocol nd

!

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

ip access-list extended SDM_WEBVPN

remark CCP_ACL Category=1

permit tcp any any eq 443

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.11.100.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip any host *ip address*

access-list 102 remark CCP_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255

access-list 103 remark CCP_ACL Category=128

access-list 103 permit ip host *ip address* any

access-list 103 permit ip host *ip address 2* any

access-list 104 remark CCP_ACL Category=0

access-list 104 remark IPSec Rule

access-list 104 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255

access-list 105 remark CCP_ACL Category=2

access-list 105 remark IPSec Rule

access-list 105 deny   ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255

access-list 105 remark IPSec Rule

access-list 105 deny   ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255

access-list 105 permit ip 10.11.100.0 0.0.0.255 any

access-list 106 remark CCP_ACL Category=4

access-list 106 remark IPSec Rule

access-list 106 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255

access-list 107 remark CCP_ACL Category=0

access-list 107 remark IPSec Rule

access-list 107 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255

no cdp run

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 105

!

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to

use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

transport output telnet

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

transport output telnet

line vty 0 4

transport input telnet ssh

line vty 5 15

transport input telnet ssh

!

scheduler allocate 4000 1000

scheduler interval 500

!

webvpn gateway gateway_1

ip address *ip address* port 443

http-redirect port 80

ssl trustpoint TP-self-signed-4112746227

inservice

!

webvpn install svc flash:/webvpn/svc.pkg

!

webvpn context *name*

secondary-color white

title-color #CCCC66

text-color black

ssl authenticate verify all

!

!

policy group policy_1

   functions svc-enabled

   svc address-pool "*name*"

   svc keep-client-installed

default-group-policy policy_1

aaa authentication list ciscocp_vpn_xauth_ml_1

gateway gateway_1

inservice

!

end

OK, I must be missing something here, because here are the steps I followed:


Step 1 Go to Tools | Internet Options | Trusted Sites.

The Internet Options window opens.

Step 2 Click the Security tab.

Step 3 Click the Trusted Sites icon.

Step 4 Click Sites.

The Trusted Sites window opens.

Step 5 Type the host name or IP address of the security appliance. Use a wildcard such as https://*.yourcompany.com to allow all ASA 5500s within the yourcompany.com domain to be used to support multiple sites.

Step 6 Click Add.

Step 7 Click OK.

The Trusted Sites window closes.

Step 8 Click OK in the Internet Options window.

And

Step 1 Click View Certificate in the Security Alert window.

The Certificate window opens.

Step 2 Click Install Certificate.

The Certificate Import Wizard Welcome opens.

Step 3 Click Next.

The Certificate Import Wizard - Certificate Store window opens.

Step 4 Select "Automatically select the certificate store based on the type of certificate."

Step 5 Click Next.

The Certificate Import Wizard - Completing window opens.

Step 6 Click Finish.

Step 7 Another Security Warning window prompts "Do you want to install this certificate?" Click Yes.

The Certificate Import Wizard window indicates the import is successful.

Step 8 Click OK to close this window.

Step 9 Click OK to close the Certificate window.

Step 10 Click Yes to close the Security Alert window.

The security appliance window opens, signifying the certificate is trusted.

But the next time I open the web portal I have to install the certificate again.

And when I try to connect via AnyConnect (without going through the web portal) I get the Security Alert box, go through the steps to install a certificate, but then I get the error "unable to process response from *host ip address*".

Yudong Wu Sat, 09/04/2010 - 08:01

I think the issue might be related to self-signed certificate here.

I will run a lab testing on this when I get chance.

Yudong Wu Wed, 09/08/2010 - 11:31

Ok, I did not forget your question and ran a quick lab testing on this.

So basically the issue is related to your self-signed certificate.

Here is what I did.

1. Generate the self-signed certificate like the following

crypto pki trustpoint self-signed
enrollment selfsigned
fqdn hostname.test.com
subject-name CN=hostname.test.com
rsakeypair test

Then, crypto pki enroll self-signed

2. When you access WebVPN, you must use "hostname.test.com" instead of the IP address. In this way, after you install the certificate, it won't pop up any alert message anymore.

3. You can add "svc keep-client-installed" in your policy. Then the user can launch the client from Start -> All Programs -> Cisco -> Cisco AnyConnect VPN Client.

Yudong Wu Wed, 09/08/2010 - 11:44

It's not necessary.

I think the client will check the "subject name" in your certificate against the hostname in your URL or "connect to" box. If they don't match, you will see those pop-up alert messages.

So, if you add an entry in the hosts file of your client's PC/laptop, it should work. That's how I did the testing.

You can probably play with the trustpoint configuration to see if you can put the IP address in the subject-name. Let me try this to see how it works.
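The name check described in this post, and the reason the accepted answer puts the IP address into both "fqdn" and "subject-name CN=", can be seen directly on the certificate the router originally had. The following Python script is an added example, not code from the thread or from Cisco: it decodes the hex blob pasted under "crypto pki certificate chain TP-self-signed-4112746227" in the running-config above, pulls out the subject CN and the subjectAltName entries with a minimal DER walker, and applies the hostname-matching rule a browser or the AnyConnect client uses (subjectAltName first, CN only as the legacy fallback when no subjectAltName exists). All function names are the example's own, and the address 203.0.113.10 is a constructed stand-in for the router's public IP.

```python
import ipaddress
from typing import List, Tuple

# Hex dump copied from the pasted running-config: "crypto pki certificate chain TP-self-signed-4112746227".
IOS_SELF_SIGNED_CERT_HEX = """
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313132 37343632 3237301E 170D3130 30383234 31373234
33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313237
34363232 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E019 5ECA9061 1B264BA9 00CB9644 F55859F7 E8B62916 11FF750C C1F84F99
BB531024 D90BDF1A C4FE5841 7FC2F512 4B62F7B9 455C58D8 DFF4EE80 42EB09AE
50BF3B90 275BF68D 01D18313 CE3BC743 E0BA0AED F1DC5214 2F2DB892 B3877BCC
0668D120 499FE43A C54B0E79 39459CAD 8C5ADB85 29F24C6B 1C2C06E3 47DC26DC
42450203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 149F4E46 8DB29BD6 9657D5DD D700A6F8 DC4D7E28
9D301D06 03551D0E 04160414 9F4E468D B29BD696 57D5DDD7 00A6F8DC 4D7E289D
300D0609 2A864886 F70D0101 04050003 8181000A 7A1FC97B 3261F4DC 226ECC63
890E13D2 29DD0398 2C335CAA A8D4ABFF 4D9E4927 70813327 0A940859 9D87F4EA
F9F016E1 258ACBC2 F68EA255 045D0976 9F01B97C 8FBCC4B6 84835922 3F069EE8
14353DF2 9CF5AF42 A905777A 9220089E E4FD59B9 40ADD114 0878EBA1 A0997B04
3288FD2F 1710878A 4A20C8EC 549A0BE1 EB164B
"""
OID_CN = bytes.fromhex("550403")    # id-at-commonName 2.5.4.3
OID_SAN = bytes.fromhex("551D11")   # id-ce-subjectAltName 2.5.29.17

def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(value: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0                       # all TLVs directly inside a SEQUENCE / SET / [n]
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def certificate_names(der: bytes) -> Tuple[str, List[str]]:
    """Return (subject CN, subjectAltName entries) of a DER-encoded X.509 certificate."""
    fields = children(children(read_tlv(der, 0)[1])[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                                   # optional explicit [0] version
        fields = fields[1:]
    cn, alt_names = "", []                 # fields: serial, sigAlg, issuer, validity, subject, spki, ...
    for _, rdn in children(fields[4][1]):  # subject Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == OID_CN:
                cn = value[1].decode("ascii")
    for tag, exts in fields[5:]:
        if tag != 0xA3:                                        # extensions sit in explicit [3]
            continue
        for _, ext in children(children(exts)[0][1]):
            parts = children(ext)                              # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] != OID_SAN:
                continue
            for gn_tag, gn in children(children(parts[-1][1])[0][1]):
                if gn_tag == 0x82:                             # GeneralName dNSName
                    alt_names.append(gn.decode("ascii"))
                elif gn_tag == 0x87:                           # GeneralName iPAddress, 4 or 16 raw octets
                    alt_names.append(str(ipaddress.ip_address(gn)))
    return cn, alt_names

def as_ip(text: str):
    try:
        return ipaddress.ip_address(text)   # IPv4Address/IPv6Address for an IP literal
    except ValueError:
        return None                         # anything else (a DNS name, a CN string)

def host_matches(host: str, cn: str, alt_names: List[str]) -> bool:
    """Hostname check as RFC 6125 / browsers do it: SAN wins; CN counts only when no SAN exists."""
    host = host.lower().rstrip(".")
    ip = as_ip(host)
    for name in (alt_names or [cn]):
        name = name.lower()
        if ip is not None:
            # An IP literal needs an iPAddress entry; a dNSName/CN spelling the same address
            # also passes here, the lenient behaviour the thread's IP-in-subject workaround relies on.
            if as_ip(name) == ip:
                return True
        elif name.startswith("*."):                    # wildcard covers exactly one label
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def check_connection_name(host: str, cert_hex: str = IOS_SELF_SIGNED_CERT_HEX) -> dict:
    cn, alt_names = certificate_names(bytes.fromhex("".join(cert_hex.split())))
    return {"cn": cn, "alt_names": alt_names, "matches": host_matches(host, cn, alt_names)}

if __name__ == "__main__":
    for host in ("yourname.yourdomain.com", "203.0.113.10"):  # 203.0.113.10: constructed stand-in for the public IP
        print(host, check_connection_name(host))
```

Running it shows that the original certificate carries CN "IOS-Self-Signed-Certificate-4112746227" and a single dNSName "yourname.yourdomain.com", so a connection to the public IP address can never match, and the client warns on every visit. Importing the certificate into the trusted store removes only the "unknown issuer" warning, not the name mismatch; re-enrolling the trustpoint with the address in "fqdn" and "subject-name", as the accepted answer's steps do, is what makes the same check pass for the IP.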

Yudong Wu Wed, 09/08/2010 - 12:42

OK, here are the steps if you would like to use the IP address instead of a DNS name.

1. remove "ip domain name "

2. configure your trustpoint like the following

crypto pki trustpoint self-signed
enrollment selfsigned
fqdn 172.16.182.87
subject-name CN=172.16.182.87
rsakeypair test

3. change your host name to IP address. "hostname 172.16.182.87"

4. crypto pki enroll self-signed

5. change your hostname back to its previous name.

6. add "ip domain name"

After the above steps, you can use the IP to connect to WebVPN without those cert pop-up windows after you install the cert.

How would I edit the certificate? In CCP I go to Security -> VPN -> VPN Components -> Public Key Infrastructure -> Certificate Authority Server, then click on Router Certificates; then I see test_trustpoint_conf and tp-self-signed-411, neither of which I can edit. I can delete them, but I don't think I want to do that, as I've done it before and the router wouldn't function anymore; I had to completely restore the factory settings before the router would work again.

Yudong Wu Thu, 09/09/2010 - 10:41

Sorry, I don't use CCP and am not sure how to use it to configure the self-signed cert.

You can use the command line per your previous post.

You can try to add a new trustpoint by using CCP to see if you can specify the related parameters as I mentioned in the previous post.

Yudong Wu Thu, 09/09/2010 - 22:53

Well, you might need to read the config guide and command ref if you would like to learn how to use command line.

Yudong Wu Fri, 09/10/2010 - 08:38

Ok, this is the only link which I found on CCO about using CCP to configure Anyconnect on the router.

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml

But it does not include info on generating the certificate. If you would like to get rid of those certificate pop-up windows, you have to generate the self-signed certificate as I mentioned before. Sorry, I never played with CCP before. But it should be doable in CCP as well.

Yudong Wu Fri, 09/10/2010 - 13:17

Yes, that's the public IP address which you got from your ISP.

The AnyConnect client will use it to connect to your router.

Do you have a static public IP? I saw your router is configured as DHCP client.

Yudong Wu Fri, 09/10/2010 - 22:27

What trustpoint name did you configure in step 2?

You need to use the same trustpoint name in "crypto pki enroll ".

You need to check the following configuration as well to use the same trustpoint name which you configured in step 2.

webvpn gateway gateway_1

ssl trustpoint TP-self-signed-4112746227  <<<<< Replace "TP-self-signed-4112746227" with new trustpoint name.

Here are the exact steps I followed:

I changed the host name from yourdomain.com to *external IP address*

crypto pki trustpoint TP-self-signed-4112746227

(TP-self-signed-4112746277 was already there, I guess that is the one that CCP created, so I just wanted to edit that one)

enrollment selfsigned

fqdn *external IP Address*

subject-name CN=*external IP address*

rsakeypair test

crypto pki enroll self-signed

crypto pki enroll TP-self-signed-4112746227

That's when I get the error. Also, now I don't seem to have any VPN access; when I go to https://*external ip address* I get a "page cannot be displayed" error.

Yudong Wu Mon, 09/13/2010 - 08:31

Can you send me the following output?

show crypto ca cert

show crypto key mypub rsa

show run

Show Crypto ca cert:

Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 0x2
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-4112746227
  Subject:
    Name: IOS-Self-Signed-Certificate-4112746227
    cn=IOS-Self-Signed-Certificate-4112746227
  Validity Date:
    start date: 14:15:27 PCTime Sep 10 2010
    end   date: 17:00:00 PCTime Dec 31 2019
  Associated Trustpoints: TP-self-signed-4112746227
  Storage: nvram:IOS-Self-Sig#8.cer

Show crypto key mypub rsa:

% Key pair was generated at: 15:33:19 PCTime Jun 9 2010
Key name: TP-self-signed-4112746227
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E0195E
  CA90611B 264BA900 CB9644F5 5859F7E8 B6291611 FF750CC1 F84F99BB 531024D9
  0BDF1AC4 FE58417F C2F5124B 62F7B945 5C58D8DF F4EE8042 EB09AE50 BF3B9027
  5BF68D01 D18313CE 3BC743E0 BA0AEDF1 DC52142F 2DB892B3 877BCC06 68D12049
  9FE43AC5 4B0E7939 459CAD8C 5ADB8529 F24C6B1C 2C06E347 DC26DC42 45020301 0001
% Key pair was generated at: 14:44:41 PCTime Sep 10 2010
Key name: HTTPS_SS_CERT_KEYPAIR
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 0096B970 35F7601D
  5274FE99 104D332A C184E1B8 7B6E80DB F021329A 4060E954 73BD204D E7D1BC8A
  F7B970D7 C8641C3F 0FB1C343 3FBB92AD AFC8077A 74DAE087 65365BE2 C9EAD501
  6D4B606D 16F4F69A 95E3E11C A75DE920 CA733FAC E6024DE1 51020301 0001
% Key pair was generated at: 11:00:11 PCTime Sep 13 2010
Key name: TP-self-signed-4112746227.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00E0F3E5 188FF4A3
  43B34598 BF62BBFA 839B6511 529DB9C2 7B71EAD3 EAF6D5FA 595C3601 360CD573
  4AA3B205 025FA0E7 633BC1A6 C3C34CE9 92D37B8E F2DD3C0D 4DD4FD3A 9CB18FAF
  1EF79244 03490CB8 C148A736 37879D87 D1C57580 FE8B3136 49020301 0001

show run:

Building configuration...

Current configuration : 15678 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname *host name*

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret *password*

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

clock timezone PCTime -7

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint test_trustpoint_config_created_for_sdm

subject-name [email protected]

revocation-check crl

!

crypto pki trustpoint TP-self-signed-4112746227

enrollment selfsigned

fqdn *external ip address*

subject-name CN=*external ip address*

revocation-check none

rsakeypair test

!

crypto pki trustpoint tp-self-signed-4112746277

enrollment selfsigned

fqdn *external ip address*

subject-name CN=*external ip address*

revocation-check crl

rsakeypair test

!

!

crypto pki certificate chain test_trustpoint_config_created_for_sdm

crypto pki certificate chain TP-self-signed-4112746227

certificate self-signed 02

  30820257 308201C0 A0030201 02020102 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34313132 37343632 3237301E 170D3130 30393130 32313135

  32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313237

  34363232 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100E019 5ECA9061 1B264BA9 00CB9644 F55859F7 E8B62916 11FF750C C1F84F99

  BB531024 D90BDF1A C4FE5841 7FC2F512 4B62F7B9 455C58D8 DFF4EE80 42EB09AE

  50BF3B90 275BF68D 01D18313 CE3BC743 E0BA0AED F1DC5214 2F2DB892 B3877BCC

  0668D120 499FE43A C54B0E79 39459CAD 8C5ADB85 29F24C6B 1C2C06E3 47DC26DC

  42450203 010001A3 7F307D30 0F060355 1D130101 FF040530 030101FF 302A0603

  551D1104 23302182 1F4C6574 68627269 6467655F 53434144 412E796F 7572646F

  6D61696E 2E636F6D 301F0603 551D2304 18301680 149F4E46 8DB29BD6 9657D5DD

  D700A6F8 DC4D7E28 9D301D06 03551D0E 04160414 9F4E468D B29BD696 57D5DDD7

  00A6F8DC 4D7E289D 300D0609 2A864886 F70D0101 04050003 81810050 8CA99031

  63FDE47E 1211CABE F928262D 0B5A0F98 5E0AC93D 3E66CDCF 1E0C376F 3ED388E8

  A1278120 46022932 DB449A54 7EA9138F 47478F6A AFDCA706 F3E9206E 718F668C

  1605681B B77BA23B 1B9DD266 FCC57E97 EE835F5B 60546C0C 12E0BB4B D72600E0

  ED01F4DB B6880EA6 246C4502 73CCAB49 7787CB05 BC38D2CC 78FD41

                quit

crypto pki certificate chain tp-self-signed-4112746277

dot11 syslog

no ip source-route

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.11.100.1 10.11.100.99

!

ip dhcp pool ccp-pool1

   import all

   network 10.11.100.0 255.255.255.0

   default-router 10.11.100.1

!

!

no ip bootp server

ip domain name *external ip address*

!

multilink bundle-name authenticated

!

!

username administrator privilege 15 secret *password*

username VPNuser privilege 7 secret 5 *password*

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key Cisco1811VPN address *external ip address 2*

crypto isakmp key Cisco1811VPN address *external ip address 3*

!

crypto isakmp client configuration group VPN_users

key *shared key*

pool VPN_Pool

crypto isakmp profile ciscocp-ike-profile-1

   match identity group VPN_users

   client authentication list ciscocp_vpn_xauth_ml_2

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA2

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to*external ip address 2*

set peer *external ip address 2*

set transform-set ESP-3DES-SHA

match address 102

!

crypto map SDM_CMAP_2 1 ipsec-isakmp

description Tunnel to*external ip address 3*

set peer *external ip address 3*

set transform-set ESP-3DES-SHA1

match address 106

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 104

class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 110
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 101
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all SDM_VPN_PT0
 match access-group 108
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-cls-sdm-permit-ip-1
 match access-group name VNC
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT0
  pass
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.11.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip local pool VPN_Pool 10.11.100.50 10.11.100.99
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended SDM_WEBVPN
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended VNC
 remark CCP_ACL Category=128
 permit ip any host 10.11.100.101
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.11.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host *external ip address*
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host *external ip address 2* any
access-list 103 permit ip host *external ip address 3* any
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 105 permit ip 10.11.100.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 107 remark CCP_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 108 remark CCP_ACL Category=128
access-list 108 permit ip host *external ip address 3* any
access-list 109 remark CCP_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 110 remark CCP_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway gateway_1
 ip address *external ip address* port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-4112746227
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context VPN_Pool
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "VPN_Pool"
   svc keep-client-installed
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!
end

Correct Answer
Yudong Wu Mon, 09/13/2010 - 10:54

The problem is that you configured to use keypair "test" in the trustpoint but you did not generate the key with label "test".

Please follow the exact steps below.

1. generate a key with name "test"

crypto key generate rsa modulus 1024 label test

2. remove "ip domain name" If it is configured

no ip domain name xxxx.xxx

3. configure your trustpoint like following

crypto pki trustpoint self-signed
 enrollment selfsigned
 fqdn <IP address>
 subject-name CN=<IP address>
 rsakeypair test

4. change your host name to the IP address.

hostname <IP address>

5. crypto pki enroll self-signed

6. change your hostname back to its previous name.

7. add "ip domain name" back

8. change webvpn config to point to the new trustpoint

webvpn gateway gateway_1

ssl trustpoint self-signed

Then try the webvpn by using your public IP.
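As an added example (not part of this thread or of any Cisco code), the following Python checker separates the two causes of the warnings discussed above: the certificate's name not matching what the user typed into the browser, which the re-enrolment with CN set to the public IP fixes, and a self-signed issuer the client has not yet installed as trusted. The two sample certificates and the address 192.0.2.10 are constructed for illustration; the dictionaries follow the shape returned by ssl.SSLSocket.getpeercert().

```python
import ssl
import time

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
# BEFORE_FIX mimics the cert an IOS auto-generated TP-self-signed-<serial>
# trustpoint presents: the CN is an opaque label, so no address the user
# types can ever match it.
BEFORE_FIX = {
    "subject": ((("commonName", "IOS-Self-Signed-Certificate-4112746227"),),),
    "issuer": ((("commonName", "IOS-Self-Signed-Certificate-4112746227"),),),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}
# AFTER_FIX mimics the re-enrolled cert whose CN is the public IP
# (192.0.2.10 is a documentation address standing in for the real one).
AFTER_FIX = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "issuer": ((("commonName", "192.0.2.10"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

def common_name(name):
    """Pull commonName out of getpeercert()'s nested RDN tuples."""
    return dict(rdn for rdns in name for rdn in rdns).get("commonName")

def cert_names(cert):
    """Names a client will accept: SAN entries if present, else the CN."""
    sans = cert.get("subjectAltName", ())
    names = {v.lower() for k, v in sans if k in ("DNS", "IP Address")}
    cn = common_name(cert["subject"])
    return names or ({cn.lower()} if cn else set())

def diagnose(cert, target, trusted_roots=(), now=None):
    """Reasons a browser or AnyConnect client warns; [] means a silent connect.
    target is what the user typed; trusted_roots holds CNs of self-signed
    certs the client has already installed as trusted."""
    now = time.time() if now is None else now
    reasons = []
    if target.lower() not in cert_names(cert):  # no wildcard matching here
        reasons.append(f"name mismatch: {target!r} not in {sorted(cert_names(cert))}")
    issuer = common_name(cert["issuer"])
    if cert["issuer"] == cert["subject"] and issuer not in trusted_roots:
        reasons.append(f"self-signed by {issuer!r} and not installed as trusted")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        reasons.append(f"expired on {cert['notAfter']}")
    return reasons

if __name__ == "__main__":
    for label, cert, roots in (("before fix", BEFORE_FIX, ()),
                               ("after fix", AFTER_FIX, {"192.0.2.10"})):
        print(label, diagnose(cert, "192.0.2.10", roots) or "no warnings")
```

Note that even after the fix, the name check only passes for the exact address in the CN: users who type a DNS name instead of the public IP get the mismatch warning again.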

I'm following your steps exactly but when I get to

4. change your host name to IP address.

hostname <IP address>

I get an error that says the hostname contains illegal characters. There doesn't seem to be any other errors, so I continue on. I'm still not getting the web page when I type in the IP address; I'm still getting a "page cannot be displayed" error. Also, the hostname and domain name are mixed up. The hostname is the external IP address and the domain name is Cisco_Router. Should it be this way?

Yudong Wu Mon, 09/13/2010 - 14:27

Can you paste the following again?

show crypto ca cert

show crypto key mypub rsa

show run

Finally I got it! I deleted all the certificates and the gateway and started from scratch. The only problem now is that the users still have to go through the web portal to connect; the VPN client stays on their computer, but they can't use it to connect. But I think that is a problem for another day. It's now set up so that it will only ask them to install the certificate once, which is fine. Thank you so much for all your help and patience.

Yudong Wu Mon, 09/13/2010 - 14:46

Great!!!!

I am glad that you finally made it work.

After the first connection with the web, did you try to launch the client from Start -> All Programs -> Cisco -> Cisco AnyConnect VPN Client directly, without using the web?

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 20:59 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YH13, RELEASE SOFTWARE (fc1)

*host name* uptime is 19 hours, 46 minutes
System returned to ROM by power-on
System image file is "flash:c181x-advipservicesk9-mz.124-15.T10.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1811 (MPC8500) processor (revision 0x400) with 236544K/25600K bytes of memory.
Processor board ID FHK134975HW, with hardware revision 0000

10 FastEthernet interfaces
1 Serial interface
1 terminal line
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Yudong Wu Tue, 09/14/2010 - 10:22

I tested on "anyconnect-win-2.5.1025-k9.pkg" and "12.4(22)T3" and did not see the issue.

You can try upgrading the code to see if it can be fixed.

Antonio Knox Fri, 09/10/2010 - 06:03

If I understand you correctly, this seems to be your main question:

"So is there a way I can have the user connect to a web portal once and that will download the VPN AnyConnect software on their computer, then after that all they have to do is open the AnyConnect software and type in a username and password, and preferably have the VPN software remember the IP address for them?"

The answer is yes. There are two ways to go about this.

Command Line:

group-policy AnyConnect attributes
 webvpn
  svc keep-installer installed

ASDM (I'm running Version 6.3):

Go to Configuration --> Remote Access VPN --> Group Policies --> Highlight Your-Group-Policy-Name --> Edit --> Expand 'Advanced' on the left --> Click SSL VPN Client --> In the 'Keep Installer on Client System' uncheck 'Inherit' and click the 'Yes' radio button  --> Click OK --> Click apply

From that point on, when a user connects to AnyConnect, the VPN client will remain on the user's machine. It will also remember the VPN gateway address when it's run. All they should have to do is locate the installer on their machine, run it, click connect, and enter their creds. Hope that helps.

Please rate my post if it's helpful.
