
New Member

AnyConnect configuration using IPSec

I have configured our ASA running 8.4(7) for the AnyConnect client (using IPSec). It prompted me to create an identity certificate when running the VPN wizard, which I did. We use AAA to authenticate so I didn't create a CA certificate. Is this required anyway for AnyConnect? When I try to connect from a pre-deployed AnyConnect client, I get an error: "Untrusted VPN Server Certificate". If I ignore it and choose to connect anyway, the login fails. What am I missing?
 

Thanks

Accepted Solutions
Hall of Fame Super Silver

In addition to the IPsec

In addition to the IPsec IKEv2 VPN, there is a client services bit that runs when you first connect. That is used to verify the AnyConnect package version and distribute any changes to the client profile (and a few more obscure things). It is done via SSL and as such uses the ASA's certificate to validate the server. If your client doesn't trust the certificate you will get the error.

You can disable client services by changing the default command:

crypto ikev2 enable outside client-services port 443

to simply read

crypto ikev2 enable outside

The best path though is to enable it and set up the ASA with a proper trusted certificate.

10 REPLIES
New Member

Hi Marvin, If we disable

Hi Marvin,

If we disable client services on 443, then will we not get the "untrusted VPN server" error?


Regards

Mahesh

New Member

Can it not use the identity

Can it not use the identity certificate that was generated during the VPN wizard setup? Or do I need to generate a CA certificate?

How do I get the client to trust the ASA certificate? Where do I install it on the client pc?

Thanks

Hall of Fame Super Silver

The identity certificate

The identity certificate generated during setup is OK as long as you want to manually install it as follows.

To establish trust, install it on the client PC in the trusted root CA store. You need to browse to the ASA and use your browser tools to download the certificate to your computer (i.e. click on the lock icon in your browser bar, select certificate information, copy to file). Then import it - in Windows this is the default action for a .cer file. You should override the default store to make sure it is installed in the trusted root store.

Avoiding that complexity is why Cisco recommends getting a certificate issued by a trusted 3rd party CA. Most organizations don't want to have to explain all the above to their users as it doesn't scale very well support-wise.

New Member

Thanks for the help! Sorry

Thanks for the help! Sorry for the delay in responding. I have exported the self-signed cert from the ASA and imported it into the Trusted Root Certificates store on my Windows 7 PC using certmgr.msc, but I still get an error that the server is untrusted. Any thoughts?

Hall of Fame Super Silver

Check that same certificate

Check that same certificate is both specified for use with client services as well as bound to your outside interface on the ASA.

New Member

I checked, as far as I can

I checked, as far as I can tell it is set up this way. I did notice that AnyConnect seems to be trying port 80 on the ASA...see the attached log. Also, getting a Key Exchange error.

Hall of Fame Super Silver

I don't know why AnyConnect

I don't know why AnyConnect would be trying to use port 80.

On the certificate - have you compared what shows up in the details pane when you open the imported certificate in certmgr.msc against the one that is presented when you browse to the ASA outside interface via https? (You can inspect an SSL certificate pretty easily using the Chrome browser by clicking on the lock icon in the URL bar.)
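The comparison Marvin describes (imported certificate versus the one the ASA presents) can be done from PowerShell on the client PC. This is an added example, not code from the thread or from Cisco; it assumes the ASA outside interface is reachable at the placeholder $AsaHost on port 443 (the client-services port from the accepted answer). It captures the certificate the ASA actually serves, reports which Windows stores hold a certificate with the same thumbprint (a copy sitting in Personal instead of Trusted Root is the usual reason the manual import "does nothing"), and asks Windows to build the chain the way the SSL client-services check relies on.

```powershell
# Added example (not from the thread): compare the certificate the ASA presents on the
# client-services port with what is installed in the local Windows certificate stores.
param(
    [string]$AsaHost = "vpn.example.com",   # placeholder: your ASA outside interface FQDN/IP
    [int]$Port = 443                        # client-services port (default per the accepted answer)
)

function Get-PresentedCertificate {
    param([string]$TargetHost, [int]$TargetPort)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    try {
        # Accept whatever the server sends here: we only want to capture the certificate.
        # Trust is evaluated separately against the local stores below.
        $acceptAll = { param($sender, $cert, $chain, $errors) return $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$presented = Get-PresentedCertificate -TargetHost $AsaHost -TargetPort $Port
"Presented by ASA: Subject={0} Thumbprint={1} NotAfter={2}" -f $presented.Subject, $presented.Thumbprint, $presented.NotAfter

# Look for the same thumbprint in each store the certificate might have been imported into.
# Only the two Root stores make a self-signed certificate trusted; a hit in My (Personal) alone
# is the "wrong default store" case from the earlier reply.
$stores = "Cert:\CurrentUser\Root", "Cert:\LocalMachine\Root", "Cert:\CurrentUser\My", "Cert:\LocalMachine\My"
foreach ($store in $stores) {
    $match = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $presented.Thumbprint }
    if ($match) { "Found a certificate with the same thumbprint in $store" }
}

# Let Windows build the chain itself; this is the trust decision the client-services check depends on.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($presented)) {
    "Chain builds: this machine trusts the certificate the ASA presents"
} else {
    "Chain does NOT build. Status:"
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}
```

If the thumbprint printed here differs from the one shown on the imported certificate in certmgr.msc, the ASA is presenting a different certificate than the one you exported, which is exactly the mismatch to chase on the ASA side.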

New Member

Thanks that helped me fix my

Thanks that helped me fix my self-signed cert so that I was able to connect successfully.

Hall of Fame Super Silver

You're welcome - good to hear

You're welcome - good to hear it's working now.

Thanks for marking as correct.
