IP Phone VPN basic configuration example

Document

Dec 16, 2011 1:25 PM
Dec 16th, 2011

Software used on this example:

> CUCM version: 8.6.2.20000-2

>ASA 5505: 8.4(2) with correct license:

    ciscoasa# show version | i AnyConnect for Cisco VPN Phone

    AnyConnect for Cisco VPN Phone    : Enabled        perpetual

    ciscoasa#

> CP-7945G with firmware SCCP45.9-2-1S

Topology:

IPPhoneVPN-overview-Whole-Network.png

Setup the ASA for basic connectivity:

ASA starting with no configuration at all.

Assign IP address to outside interface:

interface Vlan1

nameif outside

security-level 100

ip address 172.16.1.1 255.255.255.0

Assign IP address to inside interface:

interface Vlan210

nameif inside

security-level 100

ip address 192.168.210.28 255.255.255.0

Configure same-security-traffic permit inter-interface to allowed the ASA to transmit traffic between interfaces with the same security-level (This depends on what the customer has already configured for connectivity):

ciscoasa(config)# same-security-traffic permit inter-interface

Configure static route (lab purpose only):

ciscoasa(config)# route inside 0.0.0.0 0.0.0.0 192.168.210.1 1

Assign vlan to inside interface (This depends on what the customer has already configured):

interface Ethernet0/0

switchport access vlan 210

ciscoasa#ping 192.168.210.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.210.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa#

This is for lab only purposes, the ASA should not provide IP addresses for outside devices, the local device at user’s home should do so (DSL modem, etc).

DHCP server commands:

dhcpd address 172.16.1.10-172.16.1.20 outside

dhcpd enable outside

Generate self-signed certificate:

ciscoasa# configure terminal

ciscoasa(config)#crypto key generate rsa label 172.16.1.1 modulus 1024

WARNING: You have a RSA keypair already defined named 172.16.1.1.

Do you really want to replace them? [yes/no]: yes

Keypair generation process begin. Please wait...

ciscoasa(config)#

Create trustpoint and associate keypair to generated self-signed certificate:

ciscoasa(config)# crypto ca trustpoint 172.16.1.1

ciscoasa(config-ca-trustpoint)# enrollment self

ciscoasa(config-ca-trustpoint)# fqdn none

ciscoasa(config-ca-trustpoint)# subject-name CN=172.16.1.1

ciscoasa(config-ca-trustpoint)#  keypair 172.16.1.1

ciscoasa(config)# crypto ca enroll 172.16.1.1

% The fully-qualified domain name will not be included in the certificate

% Include the device serial number in the subject name? [yes/no]: no

Generate Self-Signed Certificate? [yes/no]: yes

ciscoasa(config)#

Export self-signed certificate:

ciscoasa(config)# crypto ca export 172.16.1.1 identity-certificate

The PEM encoded identity certificate follows:

-----BEGIN CERTIFICATE-----

MIIBoTCCAQqgAwIBAgIERWHqTjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwox

NzIuMTYuMS4xMB4XDTExMTIxNTIxNTI1NloXDTIxMTIxMjIxNTI1NlowFTETMBEG

A1UEAxMKMTcyLjE2LjEuMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAucQR

mun/QT1U1BVSTXIjAaim/vFndn7XcTQVmKNHMD2TcRPiymlW6dxkDmsKSdRxWF6x

FmExUsfqEQd2Flja/5Klyu1gWGlBvfrYnnYgEbxx/UG4UXAWNV1miKKf1gA49YsO

LLaHdMMmYJ553UD/RfevoTpefCkSFfr68Si6gsECAwEAATANBgkqhkiG9w0BAQUF

AAOBgQA/YwIxDLSS51a1o94sqGv3nRJAHu/YttugX89rfyO7tSZIBP1rRuAgEsGy

9lQ7LIWBWzUeV6uBmcnSBntlSjAWnHHZzG2xwZo3ef7hES09SRXcYj3RJ4zTlqa+

8nA+FB03DS2iJAZnToDj7zmtYT8QLwjoCa2oHN2dNqVfQgu3yg==

-----END CERTIFICATE-----

ciscoasa(config)#

Copy the text from the terminal and save it as a .pem file and upload it to the Certificate Management part of the CUCM. Copy also the  “BEGIN CERTIFICATE” and “END CERTIFICATE” lines.

ASA Certificate Upload :

Upload ASA self-signed certificate to CUCM:

Go to Cisco Unified Operating System Administration > Security > Certificate Management > Upload Certificate/Certificate Chain

CertificateManagement.png

Download CUCM Certificates:

Download CUCM certificates and save them:

The certificates will be the CallManager.pem, the CAPF.pem and the Cisco_Manufaturing_CA.pem.

Upload CUCM Certificates to the ASA:

Create trustpoints for the CUCM certificates (do the same for the CAPF.pem and the Cisco_Manufaturing_CA.pem):

ciscoasa(config)# crypto ca trustpoint CallManager.pem

ciscoasa(config-ca-trustpoint)# enrollment terminal

ciscoasa(config)# crypto ca authenticate CallManager.pem

Enter the base 64 encoded CA certificate.

End with the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

MIICpjCCAg+gAwIBAgIQYyQY70T0dDs3IQh7VRYTxDANBgkqhkiG9w0BAQUFADBl

MQswCQYDVQQGEwJDUjEOMAwGA1UEChMFQ2lzY28xDDAKBgNVBAsTA1RBQzESMBAG

A1UEAxMJQ1VDTVB1Yjg2MRAwDgYDVQQIEwdIZXJlZGlhMRIwEAYDVQQHEwlMYSBB

dXJvcmEwHhcNMTExMjAxMTgwOTA2WhcNMTYxMTI5MTgwOTA1WjBlMQswCQYDVQQG

EwJDUjEOMAwGA1UEChMFQ2lzY28xDDAKBgNVBAsTA1RBQzESMBAGA1UEAxMJQ1VD

TVB1Yjg2MRAwDgYDVQQIEwdIZXJlZGlhMRIwEAYDVQQHEwlMYSBBdXJvcmEwgZ8w

DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALKlH5iExWLCmsQOPnuMQK7qmCXIWMnh

3JVY2QSb75z9xGj1gxwJAxWxHt9tQOEku4hHrx7NuVZdRP9bWU+9w3bhADW0HT4W

4rboSNYLY0qscIQvgQiIV5tNfg1GMQFaKVZkL3zFpa8P9COUlTgyR5/pwh/Ha4iF

Bmwa9TrZvBPdAgMBAAGjVzBVMAsGA1UdDwQEAwICvDAnBgNVHSUEIDAeBggrBgEF

BQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMFMB0GA1UdDgQWBBQ9Mkdnt3GDvmY6YcM1

z1dMHnEOzjANBgkqhkiG9w0BAQUFAAOBgQCUME1u3sRgEQLbRQUL4EgSwHUGxj6b

9lJUINzeBd6C0XIJQu/wjXD0HUjumGB2rzpinSWfkUtiUh7P8eKOszFZLNmy4qGo

iIty/dhUyh478C4DLHKZPPzfSR/f5YHYhHcZnwEdelwHL8q90tNevy0/6oOJfyPy

aFhHw/mLDT1HCQ==

-----END CERTIFICATE-----

quit

INFO: Certificate has the following attributes:

Fingerprint:     568123ea 9723a59d aa6e1857 32cd4950

Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

ciscoasa(config)#

ASA WebVPN configuration:

Create DHCP pool for devices launching VPN connections:

ip local pool Webvpn_POOL 192.168.210.10-192.168.210.20 mask 255.255.255.0

Associate trust-point to outside interface:

ssl trust-point 172.16.1.1 outside

Enable WebVPN feature:


webvpn

enable outside

enable inside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

anyconnect enable

Create Group-Policy:


group-policy GroupPhoneWebvpn internal

group-policy GroupPhoneWebvpn attributes

banner none

vpn-simultaneous-logins 10

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol ikev1 ssl-client ssl-clientless

default-domain value asa.cisco.com

address-pools value Webvpn_POOL

webvpn

anyconnect ssl dtls enable

anyconnect keep-installer installed

anyconnect ssl keepalive 120

anyconnect ssl rekey time 4

anyconnect ssl rekey method new-tunnel

anyconnect dpd-interval client none

anyconnect dpd-interval gateway 300

anyconnect ssl compression deflate

anyconnect ask none default webvpn

Create user name and password for authentication aaa local:

username cisco password 12345

username cisco attributes

vpn-group-policy GroupPhoneWebvpn

service-type remote-access

Create user name and password for authentication certificate plus password:

username CP-7945G-SEP00235E1868AF password 12345

username CP-7945G-SEP00235E1868AF attributes

vpn-group-policy GroupPhoneWebvpn

service-type remote-access

Create Tunnel-Group for authentication aaa local:

tunnel-group VPNphone type remote-access

tunnel-group VPNphone general-attributes

address-pool Webvpn_POOL

default-group-policy GroupPhoneWebvpn

tunnel-group VPNphone webvpn-attributes

group-url https://172.16.1.1/VPNphone enable

Create Tunnel-Group for authentication certificate plus password:

tunnel-group CertPassTunnelGroup type remote-access

tunnel-group CertPassTunnelGroup general-attributes

authorization-server-group LOCAL

default-group-policy GroupPhoneWebvpn

username-from-certificate CN

tunnel-group CertPassTunnelGroup webvpn-attributes

authentication aaa certificate

pre-fill-username ssl-client

group-url https://172.16.1.1/CertPass enable

Create Tunnel-Group for certificate only authentication:

tunnel-group CertOnlyTunnelGroup type remote-access

tunnel-group CertOnlyTunnelGroup general-attributes

default-group-policy GroupPhoneWebvpn

tunnel-group CertOnlyTunnelGroup webvpn-attributes

authentication certificate

group-url https://172.16.1.1/CertOnly enable

Configure the VPN Gateways:

Add VPN Gateway for Username and Password authentication:

Go to Advanced Features> VPN > VPN Gateway

VPNGateway.png

Create a VPN Group using the VPN Gateways:

Add VPN Group and associate the previously created VPN gateway to it:

Go to Advanced Features > VPN > VPN Group

VPNGroup.png

Create a VPN Profile:

Go to Advanced Features > VPN > VPN Profile

Auto detection:

If enabled, the VPN client will only be able to run if it detects that it is out of the corporate network.

Enable Host ID Check:

If enabled, the VPN gateway's certificate's subjectAltName or CN must match the URL that the VPN Client has connected to.

Enable Password Persistence:

If enabled, a user's password will be saved in the phone until a failed login or a user clears it.

VPNProfile.png

Assign a VPN Group and Profile in the Phone Common Profile:

Associate VPN Group and Profile to the Phone Common Profile:

Go to Device > Device Settings > Common Phone Profile

CommonPhoneProfile.png

Assign Phone Common Profile to IP Phone:

Associate Phone Common Profile to IP Phone:

Go to Device > Phone

Related information:

Useful links:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_5_1/secugd/secuvpn.html

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

https://supportforums.cisco.com/docs/DOC-9124

Average Rating: 0 (0 ratings)
masalern Tue, 09/18/2012 - 14:49

Good document meneses, but I think we should specify that when selecting "certificate" as client authentication method, 3 certificates from the callmanager shoulld be uploaded into the ASA.

CallManager - Authenticating the Cisco UCM during TLS handshake (Only required for mixed-mode clusters)

Cisco_Manufacturing_CA - Authenticating IP phones with a Manufacturer Installed Certificate (MIC).

CAPF - Authenticating IP phones with an LSC.

if not, users will get "authetiction failed", when selecting phone VPN feature.

Actions

Login or Register to take actions

This Document

Posted December 16, 2011 at 1:25 PM
Stats:
Comments:1 Avg. Rating:0
Views:26084 Contributors:1
Shares:0
Tags: No tags.
 

Documents Leaderboard

Rank Username Points
1 85
2 71
3 65
4 30
5 24
Rank Username Points
5
5