VPN/SSL (WebVPN) with IOS router

ovieira
Level 1

Hi!

I'm testing webvpn to a CS2801 IOS router with version 12.3(16)T. I'm not able to access my router via https or http. Here's what I get:

*Jan 18 12:52:55.163: SSLVPN: SSL Handshake Not done yet.. :
*Jan 18 12:52:55.163: SSLVPN: SSL Handshake Failed : No Certificate
*Jan 18 12:52:55.163: SSLVPN: Deleting Context : 0x63AF94C8,
*Jan 18 12:52:55.171: SSLVPN: SSL Handshake Not done yet.. :
*Jan 18 12:52:55.171: SSLVPN: SSL Handshake Failed : -6996
*Jan 18 12:52:55.171: SSLVPN: Deleting Context : 0x63AF94C8,

Since I've installed the certificate, I don't see where the problem is.

Regards.

9 Replies

a-vazquez
Level 6

SSL VPNs require configuration of a public key infrastructure (PKI) trustpoint.

One of the first things checked within a certificate is the expiration. A valid date is required, and the router has to have the correct time. To configure the router as an NTP client, use the following configuration:

Certificate Expiration and Auto-Enroll (Automatic Re-Enrollment) Feature FAQ:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_q_and_a_item09186a00802149a8.shtml

Configuring Cisco IOS Certificate Enrollment Using Enhanced Enrollment Commands :

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801405ac.shtml
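The NTP client configuration the reply above mentions but does not show, together with the checks that go with it, as an added example; it is not part of the original reply. The server addresses 192.0.2.10 and 192.0.2.11, the key id and the key string NTPKEY are placeholders, and the show commands are written as ! comments so the fragment can be pasted into configure terminal as it stands.

```cisco
! Added example, not from the original reply. 192.0.2.10/11 and the
! key string NTPKEY are placeholders (assumptions).
!
! Certificate validity is judged against the router clock, so the clock
! has to be right before any TLS handshake can succeed.
clock timezone UTC 0
!
! Authenticate the time source: an unauthenticated NTP peer can move
! the clock outside every certificate's validity window.
ntp authentication-key 1 md5 NTPKEY
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1 prefer
ntp server 192.0.2.11 key 1
!
! Platforms with a hardware calendar: keep it in step, so a reboot
! without NTP reachability does not come up with a stale date.
ntp update-calendar
!
! Checks, from privileged EXEC:
!   show ntp status
!     expect "Clock is synchronized"; while it says "unsynchronized"
!     the validity window is being compared against the wrong time
!   show clock detail
!     expect "Time source is NTP"
!   show crypto pki certificates
!     compare the certificate's "Validity Date" start and end with
!     "show clock"; a clock earlier than the start date fails the
!     handshake even though the certificate is installed
!   show running-config | include trustpoint
!     the name given to "ssl trustpoint" under webvpn must be a
!     trustpoint that has a certificate in its certificate chain
```

The key string is stored in the configuration, so protect the running and startup config as you would any other credential; service password-encryption only obscures it.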

Hi! I have the same problem. Must the router and the CA server (for example MS W2K3) have exactly the same time, including seconds?

Thanks,

JP

I think the original poster wants to know what I want to know. Can I use a self-generated/self-signed certificate to enable WebVPN? And if so, what is the procedure to do this and enable the cert on the router?

Hi,

I tested it a long time ago and it worked with a Cisco self-generated certificate.

Below is the transcript of a webvpn setup that I did before:

aaa new-model
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa session-id common
ip domain name xyzadb.com
ip name-server A.B.C.D
!
! WebVPN portal (webvpn submode of this release)
webvpn enable gateway-addr X.Y.Z.42
!
webvpn
 title "Secure Corporate Access: Unauthorized users prohibited"
 title-color blue
 secondary-color white
 text-color black
 idle-timeout 300
 ssl encryption xxxx
 ssl trustpoint xxxxx
 url-list "weblist"
  heading "WEB ACCESS"
  url-text "web" url-value "http://www.xyzadb.com"
  url-text "web2" url-value "https://as.xyzadb.com/"
!
! Self-signed trustpoint and its certificate (lines redacted by the poster)
crypto pki trustpoint TP-self-signed-3344843329
 enrollment selfsigned xxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto pki certificate chain TP-self-signed-3344843329
 certificate self-signed 01 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxx
!
! IPsec remote-access (Easy VPN server) part; separate from WebVPN
crypto isakmp client configuration group web
 key web
 dns A.B.C.D A.B.H.22
 domain xyzadb.com
 pool SDM_POOL_1
 acl 100
 include-local-lan
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 client configuration address respond
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
ip local pool SDM_POOL_1 p.q.r.s
ip http server
ip http secure-server

HTH. Please rate posts that help.

I am confused about how to set the router to use its self-signed cert for WebVPN. How do I set the trustpoint? Do I use my own IP address?

Can you post your current router config, changing the passwords and global IP address?

The trustpoint is auto-generated by the router when you enable "ip http secure-server".

After setting up the webvpn on your router, you can access the site from a PC on the Internet side with https:///

Then it will ask for authentication; enter the user ID/password that you have set on the router.

HTH. Rate the posts which helped you.

Ok, I have it working now but I have a new issue. I am unable to run "webvpn enable" by itself without specifying the "gateway-addr". See this message:

goremote(config)#webvpn enable

Use gateway-addr to specify IP address for WebVPN if "ip http secure-server" is configured

I need it to run without requiring the "gateway-addr" option because my sites get their IPs via DHCP. I use Cisco's new DDNS capability to get to the box, and since I do not know the IP I use the DDNS hostname.

Anyone have success getting the IOS to work with "webvpn enable" alone?

Thanks

Disable the ip http secure-server with the command "no ip http secure-server".

Make sure that the "crypto pki trustpoint" is not deleted.

You can also generate the key manually. Please refer to the link.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cac.html

Webvpn link:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044b201.html

Enable the webvpn without any gateway address.

Then try to access the webvpn.

HTH. Please rate posts that help.

Here is my config. It will never go into "router(config-webvpn)" mode unless I have assigned a "gateway-addr". I show the output at the very bottom of this config showing what I get if I do not define the gateway in the webvpn enable command vs. when I do define the gateway-addr option. Notice that "no ip http secure-server" is defined in my config.

hostname goremote
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 xxxxx
!
aaa new-model
!
aaa authentication login ssh local enable
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.99.1
!
ip dhcp pool 192.168.99.0/24
   network 192.168.99.0 255.255.255.0
   default-router 192.168.99.1
   lease 0 1
!
ip domain name tzo.com
ip ips sdf location flash://128MB.sdf
ip ips notify SDEE
ip ddns update method tzo
 HTTP
  add http://cgi.tzo.com/webclient/tzoperl.html?TZOName=goremote.tzo.com&Email=jexxxxx@tzo.com&TZOKey=1234567&B1=Sign+On
 interval maximum 0 0 10 0
!
crypto pki trustpoint TP-self-signed-3493937278
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3493937278
 revocation-check none
 rsakeypair TP-self-signed-3493937278
!
crypto pki certificate chain TP-self-signed-3493937278
 certificate self-signed 01
  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343933 39333732 3738301E 170D3036 30323038 32303535
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34393339
  33373237 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CB08 76092FFF 9FE63CEF 9BA269C3 5F08D35A B8D7F8F4 4BC70BE4 12587524
  0DD11201 E605EB05 9692308F C6C17A18 1CA3912A 0DF18A98 49E07A8C 1C872526
  4C5FB259 D3DEF100 6635F001 8992FD29 74E99CD6 661DA726 794C93B8 C2F652FE
  CF89F672 0F8E3E95 EF8DA4D6 687010BD C8CB2F02 06A5C0FB E12D0969 102343E7
  BBC70203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
  551D1104 14301282 10676F72 656D6F74 652E747A 6F2E636F 6D301F06 03551D23
  04183016 8014D80C 46ED8D3C 71DF98A2 801157E1 D2D7D213 6397301D 0603551D
  0E041604 14D80C46 ED8D3C71 DF98A280 1157E1D2 D7D21363 97300D06 092A8648
  86F70D01 01040500 03818100 6EE82101 BACA4B48 E98DBC41 17F43B09 22438D4F
  quit
file prompt quiet
username xxx password 0 xxx
!
interface FastEthernet0
 ip ddns update xxx
 ip address dhcp
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.99.1 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip classless
ip route 0.0.0.0 0.0.0.0 65.165.xxx.xxx
!
ip http server
no ip http secure-server
!

goremote(config)#webvpn enable
Use gateway-addr to specify IP address for WebVPN if "ip http secure-server" is configured
goremote(config)#webvpn
(Prompt should have changed here but never does)

(Now with the gateway-addr option added below)
goremote(config)#webvpn enable gateway-addr 65.165.xxx.xxx
goremote(config)#webvpn
goremote(config-webvpn)#
goremote(config-webvpn)#
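A trustpoint created by hand rather than by "ip http secure-server", with the HTTPS server left off and the trustpoint bound under webvpn, as an added example that is not part of the thread. The names WEBVPN-KEYS and WEBVPN-TP, the placeholder gateway address 192.0.2.1 and the 2048-bit modulus are assumptions; the gateway-addr form is kept because it is the only form the transcript above shows entering config-webvpn mode, so the DHCP-assigned-address case the thread raises stays open. For comparison, decoding the certificate hex posted above: it is self-signed for CN IOS-Self-Signed-Certificate-3493937278, valid from 2006-02-08 20:55:52Z to 2020-01-01 00:00:00Z, carries a subjectAltName of goremote.tzo.com and a critical basicConstraints CA:TRUE, and is signed with md5WithRSAEncryption (OID 1.2.840.113549.1.1.4) over a 1024-bit RSA key, which is what self-signed enrollment produced on releases of that era.

```cisco
! Added example, not from the thread. WEBVPN-KEYS, WEBVPN-TP and
! 192.0.2.1 are placeholders (assumptions); 2048 bits is a choice, the
! posted certificate carries a 1024-bit key.
hostname goremote
ip domain name tzo.com
!
! 1. Key pair with its own label, so it is not tied to the
!    TP-self-signed-<serial> trustpoint the HTTPS server would create.
crypto key generate rsa general-keys label WEBVPN-KEYS modulus 2048
!
! 2. Self-signed trustpoint using that key pair. The CN is the name
!    users will type (here the DDNS host name), not the router serial.
crypto pki trustpoint WEBVPN-TP
 enrollment selfsigned
 subject-name cn=goremote.tzo.com
 rsakeypair WEBVPN-KEYS
 revocation-check none
!
! 3. Generate the certificate. On a selfsigned trustpoint this prompts
!    once and then writes a "crypto pki certificate chain WEBVPN-TP"
!    block into the running config.
crypto pki enroll WEBVPN-TP
!
! 4. Leave the HTTPS server off so port 443 belongs to WebVPN, then bind
!    the trustpoint. Plain HTTP is off too unless SDM needs it.
no ip http server
no ip http secure-server
webvpn enable gateway-addr 192.0.2.1
webvpn
 ssl trustpoint WEBVPN-TP
 ssl encryption 3des-sha1
 idle-timeout 300
 title "Secure Corporate Access: Unauthorized users prohibited"
!
! 5. Checks: "show crypto pki certificates WEBVPN-TP" must show a
!    certificate whose Validity Date spans "show clock", and
!    "debug webvpn" must stop reporting "SSL Handshake Failed : No
!    Certificate" on the next https://goremote.tzo.com/ attempt.
```

Because the certificate is self-signed, clients will still see a trust warning until its public half is imported into their trust store; pinning that one certificate on the clients is what makes the self-signed approach safe against an impostor on the same DDNS name.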