09-02-2010 04:05 PM
I thought an SSL VPN would be good, but every time I go to connect to it I have to click through security warnings and install a security certificate. Other than that the VPN works; however, there will be less tech-savvy (and patient) users using this VPN, and they will not want to have to click through a bunch of security warnings to get to the VPN. So is there a way I can have the user connect to a web portal once, and that will download the VPN AnyConnect software on their computer, then after that all they have to do is open the AnyConnect software and type in a username and password, and preferably have the VPN software remember the IP address for them? Also, if this could be done via CCP that would be great; I'm new to Cisco routers and don't know the command line yet. If it can't be done via CCP then I guess I'll have to bite the bullet and do it via the command line. Thanks.
09-13-2010 10:54 AM
The problem is that you configured the trustpoint to use keypair "test", but you did not generate the key with label "test".
Please follow exactly the steps below.
1. generate a key with name "test"
crypto key generate rsa modulus 1024 label test
2. remove "ip domain name" if it is configured
no ip domain name xxxx.xxx
3. configure your trustpoint like the following
crypto pki trustpoint self-signed
enrollment selfsigned
fqdn
subject-name CN=
rsakeypair test
4. change your host name to IP address.
hostname
5. crypto pki enroll self-signed
6. change your hostname back to its previous name.
7. add "ip domain name" back
8. change webvpn config to point to the new trustpoint
webvpn gateway gateway_1
ssl trustpoint self-signed
Then try the webvpn by using your public IP.
09-02-2010 09:20 PM
On the SSL VPN client, you need to install the certificate of the root CA which issued the certificate to your SSL VPN Router/ASA. The root CA should be in the trusted list as well on your client's computer.
09-03-2010 07:40 AM
What do you mean by on the SSL client I have to install a certificate? When I access the VPN web portal through the IP address I get to a page where I type in a username and password, then from there I go to a Cisco SSL VPN service page. I click on the start button by tunnel connection, then I get a whole bunch of certificate warnings, then I get a screen that asks me to install the certificate. I do that and then I am able to connect to the VPN. But this happens every time I need to connect to the VPN. I've seen Cisco VPNs where I just open up the AnyConnect client on my computer and choose the IP from a drop-down list, then it asks me for a username and password; once I enter those I am connected to the VPN with no hassle.
09-03-2010 08:03 AM
Could you please post your configuration file here?
09-03-2010 08:43 AM
Building configuration...
Current configuration : 13425 bytes
!
! Last configuration change at 08:32:26 PCTime Fri Sep 3 2010 by administrator
! NVRAM config last updated at 16:47:39 PCTime Thu Sep 2 2010 by administrator
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *name*
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 *password*
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-4112746227
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4112746227
revocation-check none
rsakeypair TP-self-signed-4112746227
!
!
crypto pki certificate chain TP-self-signed-4112746227
certificate self-signed 01
quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.11.100.1 10.11.100.99
!
ip dhcp pool ccp-pool1
import all
network 10.11.100.0 255.255.255.0
default-router 10.11.100.1
!
!
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
username *name* privilege 15 secret 5 *password*
username *name* privilege 7 secret 5 *password*
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *password* address *ip address*
crypto isakmp key *password* address *ip address 2*
!
crypto isakmp client configuration group *group name*
key *Password*
pool *name*
crypto isakmp profile ciscocp-ike-profile-1
match identity group *group name*
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA2
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to*ip address*
set peer *ip address*
set transform-set ESP-3DES-SHA
match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to*ip address 2*
set peer *ip address 2*
set transform-set ESP-3DES-SHA1
match address 106
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 104
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 107
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 101
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 103
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class class-default
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_VPN_PT
pass
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id FastEthernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_2
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.11.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip local pool *name* 10.11.100.50 10.11.100.99
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.11.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host *ip address*
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host *ip address* any
access-list 103 permit ip host *ip address 2* any
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 105 permit ip 10.11.100.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 107 remark CCP_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway gateway_1
ip address *ip address* port 443
http-redirect port 80
ssl trustpoint TP-self-signed-4112746227
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context *name*
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "*name*"
svc keep-client-installed
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
inservice
!
end
09-03-2010 10:11 AM
Since you are using a self-signed cert, please follow the following link to add it to the trusted root certs.
You should be able to use your SSL Anyconnect client from Start->All Programs-->Cisco->Cisco Anyconnect VPN Client.
09-03-2010 10:49 AM
Ok I must be missing something here. Because here are the steps I followed:
Step 1 Go to Tools | Internet Options | Trusted Sites.
The Internet Options window opens.
Step 2 Click the Security tab.
Step 3 Click the Trusted Sites icon.
Step 4 Click Sites.
The Trusted Sites window opens.
Step 5 Type the host name or IP address of the security appliance. Use a wildcard such as https://*.yourcompany.com to allow all ASA 5500s within the yourcompany.com domain to be used to support multiple sites.
Step 6 Click Add.
Step 7 Click OK.
The Trusted Sites window closes.
Step 8 Click OK in the Internet Options window.
And
Step 1 Click View Certificate in the Security Alert window.
The Certificate window opens.
Step 2 Click Install Certificate.
The Certificate Import Wizard Welcome opens.
Step 3 Click Next.
The Certificate Import Wizard - Certificate Store window opens.
Step 4 Select "Automatically select the certificate store based on the type of certificate."
Step 5 Click Next.
The Certificate Import Wizard - Completing window opens.
Step 6 Click Finish.
Step 7 Another Security Warning window prompts "Do you want to install this certificate?" Click Yes.
The Certificate Import Wizard window indicates the import is successful.
Step 8 Click OK to close this window.
Step 9 Click OK to close the Certificate window.
Step 10 Click Yes to close the Security Alert window.
The security appliance window opens, signifying the certificate is trusted.
But the next time I open the web portal I have to install the certificate again.
And when I try to connect via AnyConnect (without going through the web portal) I get the Security Alert box, go through the steps to install a certificate, but then I get the error "unable to process response from *host ip address*".
09-04-2010 08:01 AM
I think the issue might be related to self-signed certificate here.
I will run a lab testing on this when I get chance.
09-08-2010 11:31 AM
Ok, I did not forget your question and ran a quick lab testing on this.
So basically the issue is related to your self-signed certificate.
Here is what I did.
1. Generate the self-signed certificate like the following
crypto pki trustpoint self-signed
enrollment selfsigned
fqdn hostname.test.com
subject-name CN=hostname.test.com
rsakeypair test
Then, crypto pki enroll self-signed
2. When you access WebVPN, you must use "hostname.test.com" instead of the IP address. In this way, after you install the certificate, it won't pop up any alert message anymore.
3. You can add "svc keep-client-installed" in your policy. Then the user can launch the client from start->all programs->Cisco->Cisco AnyConnect VPN client.
09-08-2010 11:36 AM
Would the network need to have a public domain name for that to work? They don't have a public domain that's why I was setting it up using the ip address.
09-08-2010 11:44 AM
It's not necessary.
I think the client will check the "subject name" in your certificate against the hostname in your URL or "connect to" box. If they don't match, you will see those popup alert messages.
So, if you add an entry in the hosts file of your client's PC/laptop, it should work. That's how I did the testing.
You can probably play with the trustpoint configuration to see if you can put ip address in the subject-name. Let me try this to see how it works.
09-08-2010 12:42 PM
Ok, here are the steps if you would like to use the IP address instead of a DNS name.
1. remove "ip domain name "
2. configure your trustpoint like the following
crypto pki trustpoint self-signed
enrollment selfsigned
fqdn 172.16.182.87
subject-name CN=172.16.182.87
rsakeypair test
3. change your host name to IP address. "hostname 172.16.182.87"
4. crypto pki enroll self-signed
5. change your hostname back to its previous name.
6. add "ip domain name"
After the above steps, you can use the IP to connect to WebVPN without those cert popup windows after you install the cert.
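The reason the procedure above (and the accepted solution at the top of the thread) works is the name check the client performs: the hostname or IP typed into the browser or the AnyConnect "connect to" box must match the certificate's subject name. The following is an added example, not code from this thread or from Cisco, that reproduces that check over certificates in the dict layout Python's ssl.getpeercert() returns, so you can verify a new trustpoint before rolling it out to users. The three sample certificates are constructed to mirror the thread (the CCP default, the CN=IP trick, and an iPAddress SAN); that IOS's "fqdn" lands in a dNSName SAN is an assumption.

```python
import ipaddress

def _san(cert, kind):
    """subjectAltName values of one kind: 'DNS' or 'IP Address' (ssl.getpeercert() layout)."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]

def _common_name(cert):
    return next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)

def _dns_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; '*' only as the entire left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".", 1)
    return len(labels) == 2 and labels[1] == pattern[2:]

def cert_matches_target(cert, target, strict=True):
    """Does the name or IP the user typed match the certificate?  Returns (ok, reason).
    strict=True  checks subjectAltName only, as current browsers and clients do.
    strict=False also accepts the legacy CN fallback that the thread's 2010-era
    clients relied on (CN set to the IP address or to the hostname)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    cn = _common_name(cert)
    if ip is not None:
        for entry in _san(cert, "IP Address"):
            if ipaddress.ip_address(entry) == ip:
                return True, f"iPAddress SAN {entry} matches"
        if not strict and cn == target:
            return True, f"CN={cn} matches via legacy CN fallback"
        return False, f"no iPAddress SAN for {target}; CN={cn}"
    dns_names = _san(cert, "DNS")
    for entry in dns_names:
        if _dns_match(entry, target):
            return True, f"dNSName SAN {entry} matches"
    if not strict and not dns_names and cn and _dns_match(cn, target):
        return True, f"CN={cn} matches via legacy CN fallback"
    return False, f"{target} not in dNSName SANs {dns_names}; CN={cn}"

# Constructed sample certs in ssl.getpeercert() dict form (not real router output).
CCP_DEFAULT_CERT = {  # modelled on the CCP-generated TP-self-signed trustpoint in the posted config
    "subject": ((("commonName", "IOS-Self-Signed-Certificate-4112746227"),),),
    "subjectAltName": (("DNS", "yourname.yourdomain.com"),),
}
IP_CN_CERT = {  # the accepted answer's trick: CN set to the IP; fqdn assumed to become a dNSName SAN
    "subject": ((("commonName", "172.16.182.87"),),),
    "subjectAltName": (("DNS", "172.16.182.87"),),
}
IP_SAN_CERT = {  # what a current client needs: the IP carried in an iPAddress SAN
    "subject": ((("commonName", "172.16.182.87"),),),
    "subjectAltName": (("IP Address", "172.16.182.87"),),
}
```

With strict=False the CN=IP certificate passes for 172.16.182.87, which is why the thread's clients stopped prompting; with strict=True it fails, because current clients ignore the CN and expect the address in an iPAddress SAN.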
09-08-2010 02:57 PM
How would I edit the certificate? In CCP I go to security->vpn->vpn components->public key infrastructure->certificate authority server, then click on router certificates, then I see test_trustpoint_conf and tp-self-signed-411, neither of which I can edit. I can delete them, but I don't think I want to do that, as I've done it before and the router wouldn't function anymore; I had to completely restore the factory settings before the router would work again.
09-09-2010 10:41 AM
Sorry, I don't use CCP and am not sure how to use it to configure the self-signed cert.
You can use the command line per your previous post.
You can try to add a new trustpoint by using CCP to see if you can specify the related parameters as I mentioned in the previous post.
09-09-2010 03:19 PM
Ok, how would I do that via the command line then? I don't really know the command line, and I want this to be done right, so I can't really go messing around with the command line, as this isn't a test router; it's being used in a production environment right now.