Cisco 1841 SSL VPN and Anyconnect Help

skapple
Level 1

I am pretty new to Cisco programming and am trying to get an SSL VPN set up for remote access using a web browser and using Anyconnect version 3.1.04509. If I try to connect via a web browser I get an error telling me the security certificate is not secure. If I try to connect via Anyconnect I get an error saying "Untrusted VPN Server Blocked." If I change the Anyconnect settings to allow connections to untrusted servers, I get two errors that say "Certificate does not match the server name" and "Certificate is malformed." Below is the running config in the router at this time. There is another Site-to-Site VPN tunnel that is up and working properly on this device. Any help would be greatly appreciated. Thanks

Current configuration : 7741 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname buchanan1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 XXXXXXX
enable password XXXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
crypto pki trustpoint buchanan_Certificate
enrollment selfsigned
revocation-check crl
rsakeypair buchanan_rsakey_pairname
!
crypto pki certificate chain buchanan_Certificate
certificate self-signed 01
  30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
  170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
  311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
  0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
  AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
  79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
  0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
  68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
  97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
  DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
  4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
  3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
        quit
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username buchanan privilege 15 password 0 XXXXX
username cybera password 0 cybera
username skapple privilege 15 secret 5 XXXXXXXXXX
username buckys secret 5 XXXXXXXXXXX
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key p2uprEswaspus address XXXXXX
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set cybera esp-3des esp-md5-hmac
!
crypto ipsec profile cybera
set transform-set cybera
!
archive
log config
  hidekeys
!
ip ssh version 1
!
!
!
interface Tunnel0
description Cybera WAN - IPSEC Tunnel
ip address x.x.x.x 255.255.255.252
ip virtual-reassembly
tunnel source x.x.x.x
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile cybera
!
interface FastEthernet0/0
description LAN Connection
ip address 192.168.1.254 255.255.255.0
ip helper-address 192.168.1.2
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description WAN Connection
ip address x.x.x.x 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
atm restart timer 300
no atm ilmi-keepalive
!
interface Virtual-Template2
ip unnumbered FastEthernet0/0
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip local pool LAN_POOL 192.168.1.50 192.168.1.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 4.71.21.0 255.255.255.224 x.x.x.x
ip route 10.4.0.0 255.255.0.0 x.x.x.x
ip route 10.5.0.0 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.240.0 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
control-plane
!
line con 0
line aux 0
line vty 0 4
password xxxxx
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address x.x.x.x port 443
http-redirect port 80
ssl trustpoint buchanan_Certificate
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1
!
webvpn context employees
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
   functions svc-enabled
   svc address-pool "LAN_POOL"
   svc default-domain "buchanan.local"
   svc keep-client-installed
   svc dns-server primary 192.168.1.2
   svc wins-server primary 192.168.1.2
virtual-template 2
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
max-users 10
inservice
!
end

buchanan1841#
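The certificate the gateway presents is sitting in the post itself: the hex under `crypto pki certificate chain buchanan_Certificate` is the DER-encoded self-signed certificate. Decoding it shows exactly what AnyConnect and the browser are complaining about. The script below is an added example, not part of the original thread or any Cisco tool: a dependency-free DER walker that pulls out the subject, subjectAltName, validity, RSA key size and signature algorithm from that blob. The IP address 198.51.100.10 and the date 2013-08-01 in the usage are placeholders for the masked `x.x.x.x` gateway address and the time of the post.

```python
# Added example, not from the thread: decode the self-signed certificate pasted in the
# running config above with a stand-alone DER walker, so the fields a VPN client checks
# (names, validity, key size, signature hash) are visible without any Cisco tooling.
import re
from datetime import datetime

# Hex copied verbatim from the 'crypto pki certificate chain' block of the post.
CERT_HEX = """
30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
"""
OID_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.9.2": "unstructuredName", "2.5.4.3": "commonName"}

def tlv(buf, pos=0):
    """One DER tag-length-value starting at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element of a SEQUENCE or SET body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = tlv(value, pos)
        yield tag, inner

def decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                    # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def decode_name(value):
    """X.501 Name -> [(attribute, text)]: SEQUENCE of SET of (OID, value) SEQUENCE."""
    out = []
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            out.append((OID_NAMES.get(decode_oid(oid), decode_oid(oid)), text.decode("ascii")))
    return out

def inspect_certificate(hex_text):
    _, body, _ = tlv(bytes.fromhex(re.sub(r"\s", "", hex_text)))      # Certificate SEQUENCE
    (_, tbs), (_, sig_alg), _ = children(body)                         # tbs, AlgorithmIdentifier, sig
    fields = [f for f in children(tbs) if f[0] != 0xA0]               # drop optional [0] version
    (_, validity), (_, subject), (_, spki) = fields[3:6]               # after serial, algorithm, issuer
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}               # UTCTime / GeneralizedTime
    not_before, not_after = (datetime.strptime(v.decode(), fmt[t]) for t, v in children(validity))
    pubkey = [v for _, v in children(spki)][1]                         # BIT STRING after AlgorithmIdentifier
    (_, modulus), _ = children(tlv(pubkey[1:])[1])                     # skip unused-bits byte; RSAPublicKey
    info = {"subject": decode_name(subject), "san_dns": [],
            "key_bits": int.from_bytes(modulus, "big").bit_length(),
            "signature_algorithm": OID_NAMES.get(decode_oid(next(children(sig_alg))[1]), "other"),
            "not_before": not_before, "not_after": not_after}
    for _, exts in [f for f in fields[6:] if f[0] == 0xA3]:            # [3] wraps SEQUENCE OF Extension
        for _, ext in children(next(children(exts))[1]):
            parts = list(children(ext))                                # OID, [critical BOOLEAN], OCTET STRING
            if decode_oid(parts[0][1]) == "2.5.29.17":                 # subjectAltName
                for gtag, name in children(tlv(parts[-1][1])[1]):
                    if gtag == 0x82:                                   # GeneralName [2] dNSName
                        info["san_dns"].append(name.decode("ascii"))
    return info

def names_match(info, host):
    """Exact (no wildcard) match of the host the client dialled against SAN dNSNames and subject CN."""
    names = info["san_dns"] + [v for k, v in info["subject"] if k == "commonName"]
    return host.lower() in [n.lower() for n in names]

def findings(info, host, now_iso):
    """What a strict client objects to when it reaches `host` on the ISO date `now_iso`."""
    now, out = datetime.fromisoformat(now_iso), []
    if not names_match(info, host):
        out.append(f"no SAN or CN matches {host!r}; certificate names {info['san_dns']}")
    if info["key_bits"] < 2048:
        out.append(f"RSA key is only {info['key_bits']} bits")
    if info["signature_algorithm"] == "md5WithRSAEncryption":
        out.append("signed with MD5")
    if not info["not_before"] <= now <= info["not_after"]:
        out.append(f"outside validity {info['not_before']:%Y-%m-%d} to {info['not_after']:%Y-%m-%d}")
    return out

if __name__ == "__main__":
    # 198.51.100.10 stands in for the masked x.x.x.x gateway address; the date is near the post.
    for line in findings(inspect_certificate(CERT_HEX), "198.51.100.10", "2013-08-01"):
        print("-", line)
```

Run against the posted blob, the decode shows that the only name in the certificate is the router hostname `buchanan1841` (as the subject's unstructuredName and as a SAN dNSName; there is no commonName), yet the gateway is configured and reached by IP address (`ip address x.x.x.x port 443`), which by itself explains "Certificate does not match the server name". It also shows a 512-bit RSA key, an md5WithRSAEncryption signature and a validity window of 2013-07-08 to 2020-01-01. Whatever the client means by "malformed", that is the certificate it is being handed, so when regenerating it (as the reply suggests) the things to change are the key size and the name the clients actually connect to.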

Michael Muenz
Level 5

Perhaps you have changed the hostname/domain name after the certificate was created?

I'd generate a new one ...

Michael

Please rate all helpful posts