3977 Views | 5 Helpful | 37 Replies

Trying to set up a VPN

jsandau (Level 1)

I thought an SSL VPN would be good, but every time I go to connect to it I have to click through security warnings and install a security certificate. Other than that the VPN works; however, there will be less tech-savvy (and patient) users using this VPN, and they will not want to have to click through a bunch of security warnings to get to the VPN. So is there a way I can have the user connect to a web portal once and have that download the AnyConnect VPN software onto their computer, so that after that all they have to do is open the AnyConnect software and type in a username and password, and preferably have the VPN software remember the IP address for them? Also, if this could be done via CCP that would be great; I'm new to Cisco routers and don't know the command line yet. If it can't be done via CCP then I guess I'll have to bite the bullet and do it via the command line. Thanks.

Accepted Solution

The problem is that you configured to use keypair "test" in the trustpoint but you did not generate the key with label "test".

Please follow exactly the steps below.

1. generate a key with name "test"

crypto key generate rsa modulus 1024 label test

2. remove "ip domain name" If it is configured

no ip domain name xxxx.xxx

3. configure your trustpoint like following

crypto pki trustpoint self-signed
enrollment selfsigned
fqdn
subject-name CN=
rsakeypair test

4. change your host name to IP address.

hostname

5. crypto pki enroll self-signed

6. change your hostname back to its previous name.

7. add "ip domain name" back

8. change webvpn config to point to the new trustpoint

webvpn gateway gateway_1
 ssl trustpoint self-signed

Then try the webvpn by using your public IP.

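The first sentence of the accepted solution is the actual diagnosis: the trustpoint says "rsakeypair test", but no RSA key with the label "test" exists on the router, so enrollment against that trustpoint cannot succeed. A pre-enrollment check that catches exactly this mismatch, written here as an added example in Go (it is not code from the thread or from Cisco): it parses the "crypto pki trustpoint" blocks out of a running-config, reads the key labels that "show crypto key mypubkey rsa" reports, and lists every trustpoint that references a key the router does not have. Both inputs are constructed for the example in the shape of the thread's config and of IOS show output; the "Key name:" line is the one the real command prints.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Trustpoint is the part of a "crypto pki trustpoint" block that matters for
// enrollment: the trustpoint name and the label named by "rsakeypair".
type Trustpoint struct {
	Name       string
	RSAKeypair string // "" when the block names no keypair
}

// trustpointSubcommands lets the parser recognise block lines even when the
// one-space IOS indentation was lost in a copy/paste, as in the thread.
var trustpointSubcommands = map[string]bool{
	"enrollment": true, "fqdn": true, "subject-name": true, "rsakeypair": true,
	"revocation-check": true, "ip-address": true, "serial-number": true,
}

// ParseTrustpoints collects every "crypto pki trustpoint" block in an IOS
// running-config. A block ends at "!" or at the next top-level command.
func ParseTrustpoints(config string) []Trustpoint {
	var tps []Trustpoint
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := sc.Text()
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if strings.HasPrefix(line, "crypto pki trustpoint ") && len(fields) == 4 {
			tps = append(tps, Trustpoint{Name: fields[3]})
			inBlock = true
			continue
		}
		if !inBlock {
			continue
		}
		if fields[0] == "!" || !trustpointSubcommands[fields[0]] {
			inBlock = false // left the block
			continue
		}
		if fields[0] == "rsakeypair" && len(fields) >= 2 {
			tps[len(tps)-1].RSAKeypair = fields[1]
		}
	}
	return tps
}

// KeyLabels extracts the labels from "show crypto key mypubkey rsa" output,
// which prints one "Key name: <label>" line per RSA keypair on the box.
func KeyLabels(showOutput string) map[string]bool {
	labels := map[string]bool{}
	for _, line := range strings.Split(showOutput, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "Key name:") {
			continue
		}
		if label := strings.TrimSpace(strings.TrimPrefix(line, "Key name:")); label != "" {
			labels[label] = true
		}
	}
	return labels
}

// MissingKeypairs returns the trustpoints whose "rsakeypair" label does not
// exist on the router: enrolling one of them is the failure the accepted
// solution diagnoses ("rsakeypair test" with no key labelled "test").
func MissingKeypairs(config, showOutput string) []string {
	have := KeyLabels(showOutput)
	var missing []string
	for _, tp := range ParseTrustpoints(config) {
		if tp.RSAKeypair != "" && !have[tp.RSAKeypair] {
			missing = append(missing, tp.Name)
		}
	}
	return missing
}

// SampleConfig is a constructed excerpt: the original TP-self-signed trustpoint
// from the thread plus the new "self-signed" trustpoint, unindented as pasted.
const SampleConfig = `!
crypto pki trustpoint TP-self-signed-4112746227
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4112746227
revocation-check none
rsakeypair TP-self-signed-4112746227
!
crypto pki trustpoint self-signed
enrollment selfsigned
fqdn 172.16.182.87
subject-name CN=172.16.182.87
rsakeypair test
!
webvpn gateway gateway_1
 ssl trustpoint self-signed
!`

// SampleShowBefore is constructed "show crypto key mypubkey rsa" output taken
// before any key labelled "test" has been generated.
const SampleShowBefore = `% Key pair was generated at: 17:24:32 PCTime Aug 24 2010
Key name: TP-self-signed-4112746227
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.`

// SampleShowAfter is the same output after "crypto key generate rsa modulus 2048 label test".
const SampleShowAfter = SampleShowBefore + `
% Key pair was generated at: 08:32:26 PCTime Sep 3 2010
Key name: test
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.`

func main() {
	for _, tp := range ParseTrustpoints(SampleConfig) {
		fmt.Printf("trustpoint %-28s rsakeypair %s\n", tp.Name, tp.RSAKeypair)
	}
	fmt.Println("missing before key generation:", MissingKeypairs(SampleConfig, SampleShowBefore))
	fmt.Println("missing after key generation: ", MissingKeypairs(SampleConfig, SampleShowAfter))
}
```

Before the key is generated the check reports "self-signed" as missing; after it, nothing. The constructed "after" output uses a 2048-bit modulus on purpose: the 1024-bit key in the accepted solution is below current minimums (NIST has recommended at least 2048-bit RSA since 2013), so use "modulus 2048" or larger when you generate the labelled key.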

37 Replies

Yudong Wu (Level 7)

On the SSL VPN client, you need to install the certificate of the root CA which issued the certificate to your SSL VPN router/ASA. The root CA should be in the trusted list as well on your client's computer.

What do you mean by "on the SSL client I have to install a certificate"? When I access the VPN web portal through the IP address I get to a page where I type in a username and password; from there I go to a Cisco SSL VPN Service page, I click on the Start button by Tunnel Connection, then I get a whole bunch of certificate warnings, then I get a screen that asks me to install the certificate. I do that and then I am able to connect to the VPN. But this happens every time I need to connect to the VPN. I've seen Cisco VPNs where I just open up the AnyConnect client on my computer and choose the IP from a drop-down list, then it asks me for a username and password, and once I enter those I am connected to the VPN with no hassle.

Could you please post your configuration file here?

Building configuration...

Current configuration : 13425 bytes
!
! Last configuration change at 08:32:26 PCTime Fri Sep 3 2010 by administrator
! NVRAM config last updated at 16:47:39 PCTime Thu Sep 2 2010 by administrator
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *name*
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 *password*
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-4112746227
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4112746227
 revocation-check none
 rsakeypair TP-self-signed-4112746227
!
!
crypto pki certificate chain TP-self-signed-4112746227
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313132 37343632 3237301E 170D3130 30383234 31373234
  33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313237
  34363232 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E019 5ECA9061 1B264BA9 00CB9644 F55859F7 E8B62916 11FF750C C1F84F99
  BB531024 D90BDF1A C4FE5841 7FC2F512 4B62F7B9 455C58D8 DFF4EE80 42EB09AE
  50BF3B90 275BF68D 01D18313 CE3BC743 E0BA0AED F1DC5214 2F2DB892 B3877BCC
  0668D120 499FE43A C54B0E79 39459CAD 8C5ADB85 29F24C6B 1C2C06E3 47DC26DC
  42450203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 149F4E46 8DB29BD6 9657D5DD D700A6F8 DC4D7E28
  9D301D06 03551D0E 04160414 9F4E468D B29BD696 57D5DDD7 00A6F8DC 4D7E289D
  300D0609 2A864886 F70D0101 04050003 8181000A 7A1FC97B 3261F4DC 226ECC63
  890E13D2 29DD0398 2C335CAA A8D4ABFF 4D9E4927 70813327 0A940859 9D87F4EA
  F9F016E1 258ACBC2 F68EA255 045D0976 9F01B97C 8FBCC4B6 84835922 3F069EE8
  14353DF2 9CF5AF42 A905777A 9220089E E4FD59B9 40ADD114 0878EBA1 A0997B04
  3288FD2F 1710878A 4A20C8EC 549A0BE1 EB164B
      quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.11.100.1 10.11.100.99
!
ip dhcp pool ccp-pool1
   import all
   network 10.11.100.0 255.255.255.0
   default-router 10.11.100.1
!
!
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
username *name* privilege 15 secret 5 *password*
username *name* privilege 7 secret 5 *password*
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *password* address *ip address*
crypto isakmp key *password* address *ip address 2*
!
crypto isakmp client configuration group *group name*
 key *Password*
 pool *name*
crypto isakmp profile ciscocp-ike-profile-1
   match identity group *group name*
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA2
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to*ip address*
 set peer *ip address*
 set transform-set ESP-3DES-SHA
 match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to*ip address 2*
 set peer *ip address 2*
 set transform-set ESP-3DES-SHA1
 match address 106
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 104
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 107
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 101
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class class-default
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_VPN_PT
  pass
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.11.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip local pool *name* 10.11.100.50 10.11.100.99
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended SDM_WEBVPN
 remark CCP_ACL Category=1
 permit tcp any any eq 443
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.11.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host *ip address*
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host *ip address* any
access-list 103 permit ip host *ip address 2* any
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 105 permit ip 10.11.100.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 107 remark CCP_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway gateway_1
 ip address *ip address* port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-4112746227
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context *name*
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "*name*"
   svc keep-client-installed
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!
end

Since you are using a self-signed cert, please follow the link below to add it to the trusted root certificates.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/administration/23admin2.html#wp1026122

You should be able to use your SSL Anyconnect client from Start->All Programs-->Cisco->Cisco Anyconnect VPN Client.

Ok I must be missing something here. Because here are the steps I followed:


Step 1 Go to Tools | Internet Options | Trusted Sites.

The Internet Options window opens.

Step 2 Click the Security tab.

Step 3 Click the Trusted Sites icon.

Step 4 Click Sites.

The Trusted Sites window opens.

Step 5 Type the host name or IP address of the security appliance. Use a wildcard such as https://*.yourcompany.com to allow all ASA 5500s within the yourcompany.com domain to be used to support multiple sites.

Step 6 Click Add.

Step 7 Click OK.

The Trusted Sites window closes.

Step 8 Click OK in the Internet Options window.

And

Step 1 Click View Certificate in the Security Alert window.

The Certificate window opens.

Step 2 Click Install Certificate.

The Certificate Import Wizard Welcome opens.

Step 3 Click Next.

The Certificate Import Wizard - Certificate Store window opens.

Step 4 Select "Automatically select the certificate store based on the type of certificate."

Step 5 Click Next.

The Certificate Import Wizard - Completing window opens.

Step 6 Click Finish.

Step 7 Another Security Warning window prompts "Do you want to install this certificate?" Click Yes.

The Certificate Import Wizard window indicates the import is successful.

Step 8 Click OK to close this window.

Step 9 Click OK to close the Certificate window.

Step 10 Click Yes to close the Security Alert window.

The security appliance window opens, signifying the certificate is trusted.

But the next time I open the web portal I have to install the certificate again

And when I try to connect via AnyConnect (without going through the web portal) I get the Security Alert box, go through the steps to install a certificate, but then I get the error "unable to process response from *host ip address*".

I think the issue might be related to self-signed certificate here.

I will run a lab test on this when I get a chance.

Ok, I did not forget your question and ran a quick lab test on this.

So basically the issue is related to your self-signed certificate.

Here is what I did.

1. Generate the self-signed certificate like the following

crypto pki trustpoint self-signed
enrollment selfsigned
fqdn hostname.test.com
subject-name CN=hostname.test.com
rsakeypair test

Then, crypto pki enroll self-signed

2. When you access WebVPN, you must use "hostname.test.com" instead of the IP address. In this way, after you install the certificate, it won't pop up any alert messages anymore.

3. You can add "svc keep-client-installed" in your policy. Then the user can launch the client from Start -> All Programs -> Cisco -> Cisco AnyConnect VPN Client.

Would the network need to have a public domain name for that to work? They don't have a public domain that's why I was setting it up using the ip address.

It's not necessary.

I think the client will check the "subject name" in your certificate against the hostname in your URL or "connect to" box. If they don't match, you will see those pop-up alert messages.

So, if you add an entry in host file of your client's PC/laptop, it should work. That's how I did the testing.

You can probably play with the trustpoint configuration to see if you can put ip address in the subject-name.  Let me try this to see how it works.

Ok, here are the steps if you would like to use the IP address instead of a DNS name.

1. remove "ip domain name"

2. configure your trustpoint like following

crypto pki trustpoint self-signed
enrollment selfsigned
fqdn 172.16.182.87
subject-name CN=172.16.182.87
rsakeypair test

3. change your host name to IP address. "hostname 172.16.182.87"

4. crypto pki enroll self-signed

5. change your hostname back to its previous name.

6. add "ip domain name"

After above steps, you can use IP to connect to webvpn without those cert popup windows after you install the cert.
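What the two posts above describe is the client's certificate name check: the name the user types (hostname or IP) must appear in the certificate's identity, and a self-signed certificate must additionally be installed as trusted; either failure produces the warnings from the opening post. The following Go program, added here as an illustration and not code from the thread or from Cisco, mints self-signed certificates in the four shapes relevant to this thread and runs the Go standard library's own name check against the thread's values (hostname.test.com and 172.16.182.87). Two assumptions are built in: that the router encodes the "fqdn" value as a dNSName subjectAltName (the SAN in the posted certificate dump decodes to yourname.yourdomain.com, which suggests so), and that the client checks names the way Go and current browsers do, matching a typed hostname only against dNSName entries, a typed IP only against iPAddress entries, and ignoring the subject CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Values from the thread's lab test; the address is only a placeholder.
const (
	RouterFQDN = "hostname.test.com"
	RouterIP   = "172.16.182.87"
)

// selfSigned mints a self-signed server certificate with the given subject CN
// and subjectAltName entries, standing in for what "enrollment selfsigned"
// plus "crypto pki enroll" produce on the router (assumption, see lead-in).
func selfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertCNOnly: the identity lives only in the subject CN, with no SAN at all.
func CertCNOnly(cn string) (*x509.Certificate, error) { return selfSigned(cn, nil, nil) }

// CertForFQDN mirrors "fqdn hostname.test.com / subject-name CN=hostname.test.com".
func CertForFQDN() (*x509.Certificate, error) {
	return selfSigned(RouterFQDN, []string{RouterFQDN}, nil)
}

// CertIPAsDNSName mirrors "fqdn 172.16.182.87" if the router stores the
// address as a dNSName string, which is what the fqdn field normally carries.
func CertIPAsDNSName() (*x509.Certificate, error) {
	return selfSigned(RouterIP, []string{RouterIP}, nil)
}

// CertForIP carries the address as a proper iPAddress SAN entry, the form a
// strict verifier matches an IP target against.
func CertForIP() (*x509.Certificate, error) {
	return selfSigned(RouterIP, nil, []net.IP{net.ParseIP(RouterIP)})
}

// NameMatches reports whether a client that typed target into the "connect to"
// box would accept cert's identity, using Go's standard verifier.
func NameMatches(cert *x509.Certificate, target string) bool {
	return cert.VerifyHostname(target) == nil
}

func main() {
	type row struct {
		label string
		mk    func() (*x509.Certificate, error)
	}
	rows := []row{
		{"CN=IP only, no SAN      ", func() (*x509.Certificate, error) { return CertCNOnly(RouterIP) }},
		{"dNSName SAN = FQDN      ", CertForFQDN},
		{"dNSName SAN = IP string ", CertIPAsDNSName},
		{"iPAddress SAN = IP      ", CertForIP},
	}
	for _, r := range rows {
		cert, err := r.mk()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s typed FQDN: %-5v typed IP: %v\n", r.label,
			NameMatches(cert, RouterFQDN), NameMatches(cert, RouterIP))
	}
}
```

The table the program prints is the point: only the certificate with a dNSName entry matches a typed hostname, and only the certificate with an iPAddress entry matches a typed IP; "CN=172.16.182.87" on its own satisfies neither check under a strict verifier, and an IP written into the DNS-name field does not match an IP target either. The 2010-era AnyConnect client in the thread evidently accepted the CN, which is why the posted steps worked; to know which case a router is in, export the issued certificate and read its subjectAltName with "openssl x509 -text".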

How would I edit the certificate? In CCP I go to Security -> VPN -> VPN Components -> Public Key Infrastructure -> Certificate Authority Server, then click on Router Certificates, and I see test_trustpoint_conf and tp-self-signed-411, neither of which I can edit. I can delete them, but I don't think I want to do that, as I've done it before and the router wouldn't function anymore; I had to completely restore the factory settings before the router would work again.

Sorry, I don't use CCP and am not sure how to use it to configure the self-signed cert.

You can use the command line per your previous post.


You can try to add a new trustpoint by using CCP to see if you can specify the related parameter as what I mentioned in the previous post.

Ok, how would I do that via the command line then? I don't really know the command line, and I want this to be done right, so I can't really go messing around with the command line, as this isn't a test router; it's being used in a production environment right now.
