Cisco VPN Client and Thin-Client SSL VPN (WebVPN) in the same 877 router

ignaciobajo
Level 1
Level 1

I want to know if it is possible to configure two VPNs in one Cisco 877 router:

1- Client access by software Cisco VPN Client

2- Client access through Thin Client SSL VPN

I tried this and number 1 runs, but for number 2, when I try to access the WebVPN in Internet Explorer at https://[IP WAN], the WebVPN page doesn't load. This is the configuration for the SSL VPN:


ip address [IP WAN] port 443
http-redirect port 80
ssl trustpoint ausnml-3825-01_Certificate
inservice

webvpn context webvpn
title-color #CCCC66
secondary-color white
text-color black
ssl authenticate verify all

port-forward "portforward_list_1"
   local-port 3000 remote-server "192.168.0.151" remote-port 3389 description "Terminal Server"
 

policy group policy_1
   port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_2
gateway gateway_1 domain webvpn
max-users 2
inservice

10 Replies

Nicolas Fournier
Cisco Employee
Cisco Employee

Hi Ignacio,

You should be able to run both types of VPN on the same router.

The config looks good except that I guess it is missing the first line "webvpn gateway gateway_1".

Can you verify that a certificate is indeed configured under the ausnml-3825-01_Certificate trustpoint? Can you try with a self signed one to see if it helps?

If it doesn't help, can you check if you are able to telnet to your WAN IP on port 443? Since we are on a router, we have to explicitly allow the traffic to the WAN IP if an access-group is applied to it (unlike on a firewall).

If both are ok, can you let me know exactly which version you are running?

Regards,

Nicolas

Yes, I forgot to write the line "webvpn gateway gateway_1", but it is configured in the router.

I don't know how to verify if the certificate is indeed configured.

If I try telnet to port 443 and 4443, the router responds.

I attach the running_config in a file.

I think that the problem is that the flash: doesn't show any html page

Show flash:

#- --length-- -----date/time------ path
         3559 Sep 21 2009 09:04:56 cpconfig-180x.cfg
      2324992 Sep 21 2009 09:05:10 cpexpress.tar
         1038 Sep 21 2009 09:05:16 home.shtml
       115712 Sep 21 2009 09:05:24 home.tar
       527849 Sep 21 2009 09:05:36 128MB.sdf
     23687708 Nov 20 2009 12:16:26 c180x-advipservicesk9-mz.124-24.T2.bin

Regards

Ignacio

Hi Ignacio,

There is no need to have any html file on the flash; the html files used by the WebVPN portal are built into the IOS image.

One interesting thing I noticed:

webvpn context AZVASE_SSL

...
gateway gateway_1 domain domain.com

...
inservice

!

As you can see you have defined a domain there. I believe this feature is used if you want to have multiple gateways on the same IP, so in your case, you should access the portal through https:///domain.com

Since it seems you only want to use a single one, could you try without it and by just putting gateway gateway_1 there?

Regards,

Nicolas

Hi Nicolas

Ok, I applied the changes.

The new config for WebVPN is

webvpn gateway gateway_1
ip address [PWAN] port 443
http-redirect port 80
ssl trustpoint TP-self-signed-3941405438
inservice
!
webvpn context AZVASE_SSL
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_2
gateway gateway_1
inservice

When I try to access https://IPWAN in the web browser it shows me this error

Error 107 (net::ERR_SSL_PROTOCOL_ERROR): Error de protocolo SSL

Regards

Ignacio

Hi Ignacio,

That's already better.

Which browser are you using to get to the portal?

Do you have the same error if you connect from another browser?

Could you try to assign another trustpoint to the gateway:

conf t
cry key gen rsa general-keys label SSL_VPN mod 1024
crypto pki trustpoint SSL
enrollment selfsigned
fqdn none
subject-name CN=domain.com
revocation-check crl
rsakeypair SSL_VPN
cry pki enr SSL


Respond to Prompts:...no serial #, no ip addr in subject-name, yes generate self-signed cert

webvpn gateway gateway_1
ssl trustpoint SSL


Let me know if it doesn't help and I'll see what else we could do.

Regards,
Nicolas

Hi Nicolas

The result is the same.

I tried with IE6, IE8 and Google Chrome

Regards

Hi Ignacio.

Can you get me the output of the following on your router:

show crypto pki trustp
show cryp pki cert
show cry key my rsa

Can you also take a wireshark capture on a host that tries to connect to your portal?

Regards,

Nicolas

Hi Nicolas

ROviedo#show crypto pki trustp
Trustpoint TP-self-signed-3941405438:
    Subject Name:
    cn=IOS-Self-Signed-Certificate-3941405438
          Serial Number (hex): 01
    Persistent self-signed certificate trust point


Trustpoint SSL:

ROviedo#show cryp pki cert
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-3941405438
  Subject:
    Name: IOS-Self-Signed-Certificate-3941405438
    cn=IOS-Self-Signed-Certificate-3941405438
  Validity Date:
    start date: 22:01:10 Paris Apr 8 2008
    end   date: 01:00:00 Paris Jan 1 2020
  Associated Trustpoints: TP-self-signed-3941405438
  Storage: nvram:IOS-Self-Sig#1.cer


ROviedo#show cry key my rsa
% Key pair was generated at: 13:01:34 Paris Oct 27 2010
Key name: SSL_VPN
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DFB82C
  9903FE21 9F489264 0A636D4A 12FD75F4 0B021D35 D8588F8B BED61D54 20585762
  C84ADF80 052AE99B 7768F516 34C17CB1 D19339F7 A02AA860 882D117A A7048F47
  785EB2FE 361B510E 31EAC4A0 4D9D87CD 7F72ED1C 92414F6D E0FD5A14 5909C171
  64EFC1A8 BD859ABA ED7859F4 1C08EA84 43A77C76 1234AFA1 06AE8C87 7F020301 0001
% Key pair was generated at: 20:01:45 Paris Oct 27 2010
Key name: SSL_VPN.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D811D9 304648D6
  AC7F5635 462AB22A 55D0D585 8ED2C308 BE95FF76 A9A7A8C4 73BEC9B0 25E978D3
  812DC909 D95880A8 55AC5E24 3AE9594C 48BD1AAF E08491C7 B55A3335 499EF3E2
  28261D36 C1805EA4 5C28D065 1E177E2F 85C4BC4B 60ED34E9 DD020301 0001

Regards

Ignacio

Hi Ignacio,

Here is what I believe is occurring:

It was not working with our original trustpoint since I don't see the key named TP-self-signed-3941405438 when you do show cry key my rsa.

It is not working with the new "SSL" trustpoint we've created since the certificate is not configured for it (if it was, we would see it in show crypto pki trustpoint and show crypto pki cert).

The command to generate the certificate for the trustpoint was in my previous reply but it must be executed from exec mode and not from config mode:

  • crypto pki enroll SSL


Once you've entered it, you'll get a couple of prompts; put the following: no serial number, no ip address in subject-name, yes generate self-signed cert.

Verify that the certificate is now properly configured for the SSL trustpoint and you should then be able to connect to the SSLVPN portal.

Regards,
Nicolas
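The diagnosis above boils down to cross-checking three "show" outputs: every trustpoint the gateway can use needs both its RSA key pair present and an available certificate associated with it. The script below is an added example (not part of the thread and not a Cisco tool) that automates that cross-check over pasted CLI output. The sample outputs are copied from Ignacio's post above; the trustpoint-to-keypair mapping is constructed from the config in the thread (SSL uses rsakeypair SSL_VPN) and from Nicolas's remark that a persistent self-signed trustpoint uses a key of the same name.

```python
import re

# Sample "show crypto pki trustpoints" output, copied from the thread above.
SHOW_TRUSTPOINTS = """\
Trustpoint TP-self-signed-3941405438:
    Subject Name:
    cn=IOS-Self-Signed-Certificate-3941405438
          Serial Number (hex): 01
    Persistent self-signed certificate trust point


Trustpoint SSL:
"""

# Sample "show crypto pki certificates" output, copied from the thread above.
SHOW_CERTS = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-3941405438
  Subject:
    Name: IOS-Self-Signed-Certificate-3941405438
    cn=IOS-Self-Signed-Certificate-3941405438
  Validity Date:
    start date: 22:01:10 Paris Apr 8 2008
    end   date: 01:00:00 Paris Jan 1 2020
  Associated Trustpoints: TP-self-signed-3941405438
  Storage: nvram:IOS-Self-Sig#1.cer
"""

# Sample "show crypto key mypubkey rsa" output (key data omitted), from the thread.
SHOW_KEYS = """\
% Key pair was generated at: 13:01:34 Paris Oct 27 2010
Key name: SSL_VPN
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
% Key pair was generated at: 20:01:45 Paris Oct 27 2010
Key name: SSL_VPN.server
Temporary key
Usage: Encryption Key
Key is not exportable.
"""

# Constructed mapping: trustpoint -> RSA key pair it is expected to use
# (from "rsakeypair" in the config; a persistent self-signed trustpoint
# is assumed to use a key pair of the same name).
EXPECTED_KEYPAIR = {
    "TP-self-signed-3941405438": "TP-self-signed-3941405438",
    "SSL": "SSL_VPN",
}


def parse_trustpoints(text):
    """Names of all trustpoints listed by 'show crypto pki trustpoints'."""
    return re.findall(r"^Trustpoint (\S+):", text, re.MULTILINE)


def parse_cert_trustpoints(text):
    """Trustpoints that have a certificate with Status: Available."""
    have = set()
    status_ok = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Status:"):
            status_ok = line.endswith("Available")
        m = re.match(r"Associated Trustpoints:\s*(.+)", line)
        if m and status_ok:
            have.update(m.group(1).split())
    return have


def parse_key_names(text):
    """Enrollable RSA key pair names; the temporary '.server' key is skipped."""
    names = set()
    for m in re.finditer(r"^Key name: (\S+)$", text, re.MULTILINE):
        if not m.group(1).endswith(".server"):
            names.add(m.group(1))
    return names


def audit(trustpoints_out, certs_out, keys_out, expected_keypair):
    """Map each trustpoint to the list of problems that would break SSL VPN."""
    with_cert = parse_cert_trustpoints(certs_out)
    keys = parse_key_names(keys_out)
    report = {}
    for tp in parse_trustpoints(trustpoints_out):
        issues = []
        key = expected_keypair.get(tp)
        if key is None:
            issues.append("no rsakeypair known for this trustpoint")
        elif key not in keys:
            issues.append(f"RSA key pair '{key}' not present")
        if tp not in with_cert:
            issues.append(f"no certificate; enroll with 'crypto pki enroll {tp}'")
        report[tp] = issues
    return report


if __name__ == "__main__":
    for tp, issues in audit(SHOW_TRUSTPOINTS, SHOW_CERTS, SHOW_KEYS, EXPECTED_KEYPAIR).items():
        print(f"{tp}: {'OK' if not issues else '; '.join(issues)}")
```

Run against the thread's outputs it reports exactly the two problems Nicolas found: the original trustpoint has a certificate but no matching key pair, and the new SSL trustpoint has its key pair but no certificate until "crypto pki enroll SSL" is run from exec mode. A trustpoint with neither issue is the one the webvpn gateway should reference.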

Hi Nicolas,

All ok.

You are a crack,

Thanks for your help

Best regards

Ignacio
