I'm trying to configure a remote access VPN policy which allows a user to connect, and stay connected (Always-On VPN). I'm looking at using this on some internet kiosks we manage and rather than providing a hardware site-to-site IPsec solution, thought I'd try this route.
I have a standard SSL AnyConnect profile working nicely. Under the AnyConnect Client Profile Editor I have created a new profile which has the 'Automatic VPN policy' enabled as well as 'Connect' for both a trusted and untrusted network. I have entered the domain name of our corporate environment. When I go to connect I get the following error:
"AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."
Doing a bit of reading, this seems to often be a certificate error. The question is why does ticking the automatic VPN policy cause this error, why is the SSL cert suddenly an issue? I'm using a self-signed cert FYI.
Hi Marcus, thanks for your follow-up. The thing is, we're looking at rolling out a lot of these kiosks (1200 in fact). Each of these sites will be on building-provided internet access, so the DNS and domain names are not consistent. My understanding of that section of the configuration was that you specify what you consider to be trusted DNS/domain names, i.e. if you can reach mycompany.com or my DNS servers x.x.x.x you are on our LAN (no need to VPN), or if you can't reach those you are on an untrusted network and must dial up the VPN. Due to the above reasons regarding varying access methods, I can't make a new profile for every site.
I am using a self-signed certificate but that works fine for the regular SSL VPN AnyConnect. When I connect, a certificate comes up, I can choose to accept it or decline it and away we go. As soon as the automatic VPN option is selected this doesn't happen, I just get the "AnyConnect cannot confirm it is connected to your secure gateway" error straight away.
But that's the point. AnyConnect has to validate your gateway certificate, and if you connect with the automatic VPN option it seems that there is no way to do it by confirming through the certificate pop-up. So the only way is that your CA certificate can validate it. Try copying your CA certificate to your client PC and dropping it in the corresponding certificate store.
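As an added example (not posted in this thread), the check below does on a Windows kiosk what the reply describes: it installs the CA (or the ASA's exported self-signed certificate) into the machine Trusted Root store and then confirms the gateway certificate chains to it silently, since Always-On gives the user no accept/decline prompt. The file path and gateway FQDN are assumptions; run it elevated.

```powershell
# Added example, not from the thread. Install the CA on a kiosk and verify the
# AnyConnect gateway's certificate validates with no user override, as Always-On requires.
# Assumed values: the certificate export path and the gateway FQDN from the profile.
param(
    [string]$CaFile  = 'C:\Deploy\corp-root-ca.cer',   # assumption: exported CA / ASA cert
    [string]$Gateway = 'vpn.example.com',             # assumption: FQDN used in the profile
    [int]$Port       = 443
)

# 1. Machine-wide Trusted Root store, so every kiosk user inherits the trust.
Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Capture the certificate the gateway actually presents. The callback accepts
#    anything here purely to obtain the cert; the real validation is step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($Gateway, $Port)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($Gateway)
$gwCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# 3. Build the chain against the OS store, exactly as the client would with no prompt.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed ASA cert carries no CRL/OCSP
$chainOk = $chain.Build($gwCert)

# 4. Chain building does not check the hostname; the client does, so check it too.
$certName = $gwCert.GetNameInfo('DnsName', $false)
$nameOk   = ($certName -eq $Gateway)

if ($chainOk -and $nameOk) {
    "OK: $Gateway presents '$($gwCert.Subject)' issued by '$($gwCert.Issuer)'; chain trusted."
} else {
    "FAIL for $Gateway (name in cert: '$certName', name match: $nameOk)"
    $chain.ChainStatus | ForEach-Object { " - $($_.Status): $($_.StatusInformation.Trim())" }
}
```

A wildcard certificate needs a pattern match in step 4 rather than the exact comparison shown; the name in the certificate must match the FQDN entered in the AnyConnect profile, not just chain to a trusted root.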