10-20-2010 09:39 AM
I want, if it is possible, to configure two VPNs in one Cisco 877 router:
1- Client access via the Cisco VPN Client software
2- Client access through Thin Client SSL VPN
I tried this and 1 works, but for 2, when I try to access the WebVPN in Internet Explorer at https://[IP WAN], the WebVPN page doesn't load. This is the configuration for the SSL VPN:
 ip address [IP WAN] port 443
 http-redirect port 80
 ssl trustpoint ausnml-3825-01_Certificate
 inservice
webvpn context webvpn
 title-color #CCCC66
 secondary-color white
 text-color black
 ssl authenticate verify all
 port-forward "portforward_list_1"
   local-port 3000 remote-server "192.168.0.151" remote-port 3389 description "Terminal Server"
 policy group policy_1
   port-forward "portforward_list_1"
 default-group-policy policy_1
 aaa authentication list sdm_vpn_xauth_ml_2
 gateway gateway_1 domain webvpn
 max-users 2
 inservice
10-26-2010 07:48 AM
Hi Ignacio,
You should be able to run both types of VPN on the same router.
The config looks good except that I guess it is missing the first line "webvpn gateway gateway_1".
Can you verify that a certificate is indeed configured under the ausnml-3825-01_Certificate trustpoint? Can you try with a self signed one to see if it helps?
If it doesn't help, can you check if you are able to telnet to your WAN IP on port 443? Since we are on a router, we have to explicitly allow the traffic to the WAN IP if an access-group is applied to it (unlike on a firewall).
If both are ok, can you let me know exactly which version you are running?
Regards,
Nicolas
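The telnet check Nicolas describes only proves that something accepts a TCP connection on the WAN IP; it says nothing about whether a TLS handshake can complete on top of it. The following added example (not from the thread or from Cisco) separates the two observations. It starts a constructed loopback listener that accepts TCP and then answers in plain text, standing in for a gateway whose trustpoint has no usable certificate, and probes it the way a browser would; the hostname, port and the listener itself are assumptions for the demonstration.

```python
"""Distinguish "TCP port open" (what telnet shows) from "TLS handshake completes".

Added example, not from the thread. A WebVPN gateway that has no certificate
bound to its trustpoint accepts the TCP connection but never answers the
ClientHello, which is exactly the telnet-works / browser-fails pattern above.
"""
import socket
import ssl
import threading


def probe_tls(host, port, timeout=3.0):
    """Return how far a connection to host:port gets.

    tcp_open: a TCP connection was established
    tls_ok:   a TLS handshake completed on top of it
    version:  negotiated protocol version when tls_ok is True
    error:    short description of the first failure, if any
    """
    result = {"tcp_open": False, "tls_ok": False, "version": None, "error": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = "tcp connect failed: %s" % exc
        return result
    result["tcp_open"] = True
    # Verification is disabled on purpose: the portal in the thread uses a
    # self-signed certificate, and we want to learn whether the gateway speaks
    # TLS at all before worrying about trust. check_hostname must be cleared
    # before verify_mode can be set to CERT_NONE.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls_ok"] = True
            result["version"] = tls.version()
    except (ssl.SSLError, OSError) as exc:
        # "wrong version number", EOF or reset: the peer is not speaking TLS.
        result["error"] = "tls handshake failed: %s" % exc
    finally:
        raw.close()
    return result


def start_plain_listener():
    """Constructed stand-in for a gateway that accepts TCP but cannot do TLS.

    Binds an ephemeral loopback port, serves one connection by swallowing the
    ClientHello and replying with plain text, and returns (port, close_fn).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve_once():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            conn.settimeout(5.0)
            try:
                conn.recv(1024)  # the client's ClientHello
                conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")  # not a ServerHello
            except OSError:
                pass

    threading.Thread(target=serve_once, daemon=True).start()
    return port, srv.close


def demo():
    """Probe the constructed listener and a closed port; return both results."""
    port, close_listener = start_plain_listener()
    open_but_no_tls = probe_tls("127.0.0.1", port)
    close_listener()
    # Grab a free port and release it so the second probe hits a closed port.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    closed = probe_tls("127.0.0.1", closed_port, timeout=1.0)
    return open_but_no_tls, closed


if __name__ == "__main__":
    for label, r in zip(("plain listener", "closed port"), demo()):
        print(label, r)
```

Against the router in the thread the first result is the one to expect: tcp_open True, tls_ok False. If tcp_open is False instead, the access-group on the WAN interface is the first thing to look at, as Nicolas notes.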
10-26-2010 10:04 AM
Yes, I forgot to write the line "webvpn gateway gateway_1", but it is configured in the router.
I don't know how to verify if the certificate is indeed configured.
If I try telnet to ports 443 and 4443, the router responds.
I attach the running config in a file.
I think that the problem is that flash: doesn't show any html page
Show flash:
#- --length-- -----date/time------ path
3559 Sep 21 2009 09:04:56 cpconfig-180x.cfg
2324992 Sep 21 2009 09:05:10 cpexpress.tar
1038 Sep 21 2009 09:05:16 home.shtml
115712 Sep 21 2009 09:05:24 home.tar
527849 Sep 21 2009 09:05:36 128MB.sdf
23687708 Nov 20 2009 12:16:26 c180x-advipservicesk9-mz.124-24.T2.bin
Regards
Ignacio
10-26-2010 03:45 PM
Hi Ignacio,
There is no need to have any html file on the flash, the html files used by the WebVPN portal are built into the IOS image.
One interesting thing I noticed:
webvpn context AZVASE_SSL
...
gateway gateway_1 domain domain.com
...
inservice
!
As you can see you have defined a domain there. I believe this feature is used if you want to have multiple gateways to the same IP so in your case, you should access the portal through https://
Since it seems you only want to use a single one, could you try without it and by just putting gateway gateway_1 there?
Regards,
Nicolas
10-27-2010 03:15 AM
Hi Nicolas
Ok, I applied the changes.
The new config for WEBVPN is
webvpn gateway gateway_1
 ip address [PWAN] port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3941405438
 inservice
!
webvpn context AZVASE_SSL
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
 default-group-policy policy_1
 aaa authentication list sdm_vpn_xauth_ml_2
 gateway gateway_1
 inservice
When I try to access https://IPWAN in the web browser it shows me this error:
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): Error de protocolo SSL
Regards
Ignacio
10-27-2010 03:34 AM
Hi Ignacio,
That's already better.
Which browser are you using to get to the portal?
Do you have the same error if you connect from another browser?
Could you try to assign another trustpoint to the gateway:
conf t
 cry key gen rsa general-keys label SSL_VPN mod 1024
 crypto pki trustpoint SSL
  enrollment selfsigned
  fqdn none
  subject-name CN=domain.com
  revocation-check crl
  rsakeypair SSL_VPN
cry pki enr SSL
Respond to prompts: ...no serial #, no ip addr in subject-name, yes generate self-signed cert
webvpn gateway gateway_1
 ssl trustpoint SSL
Let me know if it doesn't help and I'll see what else we could do.
Regards,
Nicolas
10-27-2010 04:11 AM
Hi Nicolas
The result is the same.
I tried with IE6, IE8 and Google Chrome.
Regards
10-27-2010 04:26 AM
Hi Ignacio.
Can you get me the output of the following on your router:
show crypto pki trustp
show cryp pki cert
show cry key my rsa
Can you also take a wireshark capture on a host that tries to connect to your portal?
Regards,
Nicolas
10-27-2010 11:10 AM
Hi Nicolas
ROviedo#show crypto pki trustp
Trustpoint TP-self-signed-3941405438:
Subject Name:
cn=IOS-Self-Signed-Certificate-3941405438
Serial Number (hex): 01
Persistent self-signed certificate trust point
Trustpoint SSL:
ROviedo#show cryp pki cert
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-3941405438
Subject:
Name: IOS-Self-Signed-Certificate-3941405438
cn=IOS-Self-Signed-Certificate-3941405438
Validity Date:
start date: 22:01:10 Paris Apr 8 2008
end date: 01:00:00 Paris Jan 1 2020
Associated Trustpoints: TP-self-signed-3941405438
Storage: nvram:IOS-Self-Sig#1.cer
ROviedo#show cry key my rsa
% Key pair was generated at: 13:01:34 Paris Oct 27 2010
Key name: SSL_VPN
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DFB82C
9903FE21 9F489264 0A636D4A 12FD75F4 0B021D35 D8588F8B BED61D54 20585762
C84ADF80 052AE99B 7768F516 34C17CB1 D19339F7 A02AA860 882D117A A7048F47
785EB2FE 361B510E 31EAC4A0 4D9D87CD 7F72ED1C 92414F6D E0FD5A14 5909C171
64EFC1A8 BD859ABA ED7859F4 1C08EA84 43A77C76 1234AFA1 06AE8C87 7F020301 0001
% Key pair was generated at: 20:01:45 Paris Oct 27 2010
Key name: SSL_VPN.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D811D9 304648D6
AC7F5635 462AB22A 55D0D585 8ED2C308 BE95FF76 A9A7A8C4 73BEC9B0 25E978D3
812DC909 D95880A8 55AC5E24 3AE9594C 48BD1AAF E08491C7 B55A3335 499EF3E2
28261D36 C1805EA4 5C28D065 1E177E2F 85C4BC4B 60ED34E9 DD020301 0001
Regards
Ignacio
10-27-2010 03:49 PM
Hi Ignacio,
Here is what I believe is occurring:
It was not working with our original trustpoint since I don't see the key named TP-self-signed-3941405438 when you do show cry key my rsa.
It is not working with the new "SSL" trustpoint we've created since the certificate is not configured for it (if it was, we would see it in show crypto pki trustpoint and show crypto pki cert).
The command to generate the certificate for the trustpoint was in my previous reply but it must be executed from exec mode and not from config mode:
Once you've entered it, you'll get a couple of prompts, put the following: no serial number, no ip address in subject-name, yes generate self-signed cert.
Verify that the certificate is now properly configured for the SSL trustpoint and you should then be able to connect to the SSLVPN portal.
Regards,
Nicolas
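Nicolas reaches his diagnosis by reading three show outputs side by side: a trustpoint is only usable by the WebVPN gateway if an RSA key pair with the expected name exists and an available certificate is associated with it. The script below is an added example (not from the thread or from Cisco) that automates that cross-check. The sample outputs are copied from Ignacio's post above, with the key data shortened and the indentation lost in the forum paste, so the parsers do not rely on it; TRUSTPOINT_KEYPAIRS mirrors the "rsakeypair SSL_VPN" line from the suggested trustpoint config, and the assumption that a trustpoint without an rsakeypair line uses a key named after itself is the one Nicolas makes above.

```python
"""Cross-check IOS PKI show output: which trustpoints can actually serve TLS?

Added example, not from the thread. It automates Nicolas's by-eye check:
for every trustpoint, is the RSA key pair present and is an available
certificate associated with it?
"""
import re

# Constructed samples, copied from the thread's show output (key data shortened).
SHOW_TRUSTPOINTS = """\
Trustpoint TP-self-signed-3941405438:
Subject Name:
cn=IOS-Self-Signed-Certificate-3941405438
Serial Number (hex): 01
Persistent self-signed certificate trust point
Trustpoint SSL:
"""

SHOW_CERTIFICATES = """\
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-3941405438
Subject:
Name: IOS-Self-Signed-Certificate-3941405438
cn=IOS-Self-Signed-Certificate-3941405438
Validity Date:
start date: 22:01:10 Paris Apr 8 2008
end date: 01:00:00 Paris Jan 1 2020
Associated Trustpoints: TP-self-signed-3941405438
Storage: nvram:IOS-Self-Sig#1.cer
"""

SHOW_RSA_KEYS = """\
% Key pair was generated at: 13:01:34 Paris Oct 27 2010
Key name: SSL_VPN
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DFB82C
% Key pair was generated at: 20:01:45 Paris Oct 27 2010
Key name: SSL_VPN.server
Temporary key
Usage: Encryption Key
Key is not exportable.
"""

# "rsakeypair" lines from the running config: trustpoint -> key label.
# A trustpoint with no such line is assumed to use a key named after itself.
TRUSTPOINT_KEYPAIRS = {"SSL": "SSL_VPN"}


def parse_trustpoints(text):
    """Return {trustpoint name: set of flags} from 'show crypto pki trustpoints'."""
    tps, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Trustpoint (\S+):\s*$", line)
        if m:
            current = m.group(1)
            tps[current] = set()
        elif current and "self-signed certificate trust point" in line.lower():
            tps[current].add("persistent-self-signed")
    return tps


def parse_certificates(text):
    """Return one {status, trustpoints} dict per block of 'show crypto pki certificates'."""
    certs = []
    for line in text.splitlines():
        s = line.strip()
        if re.fullmatch(r"(?:Router Self-Signed |CA )?Certificate", s):
            certs.append({"status": None, "trustpoints": set()})
        elif certs and s.startswith("Status:"):
            certs[-1]["status"] = s.split(":", 1)[1].strip()
        elif certs and s.startswith("Associated Trustpoints:"):
            certs[-1]["trustpoints"].update(s.split(":", 1)[1].split())
    return certs


def parse_rsa_keys(text):
    """Return the persistent key pair names from 'show crypto key mypubkey rsa'."""
    keys, current = set(), None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Key name:"):
            current = s.split(":", 1)[1].strip()
            keys.add(current)
        elif s == "Temporary key" and current:
            keys.discard(current)  # *.server keys are transient, not cert keys
    return keys


def audit(trustpoint_out, cert_out, key_out, keypairs):
    """Return {trustpoint: [problems]}; an empty list means usable for TLS."""
    certs = parse_certificates(cert_out)
    keys = parse_rsa_keys(key_out)
    report = {}
    for tp in parse_trustpoints(trustpoint_out):
        problems = []
        expected_key = keypairs.get(tp, tp)
        if expected_key not in keys:
            problems.append("missing RSA key pair '%s'" % expected_key)
        if not any(tp in c["trustpoints"] and c["status"] == "Available" for c in certs):
            problems.append("no available certificate associated with trustpoint")
        report[tp] = problems
    return report


if __name__ == "__main__":
    for tp, problems in audit(SHOW_TRUSTPOINTS, SHOW_CERTIFICATES,
                              SHOW_RSA_KEYS, TRUSTPOINT_KEYPAIRS).items():
        print(tp, "OK" if not problems else "; ".join(problems))
```

Run against the thread's output it reports both of Nicolas's findings: the original self-signed trustpoint has a certificate but no key pair of its own name, and the new SSL trustpoint has a key pair but no certificate yet. Once the self-signed enrollment is completed from exec mode, rerunning the three show commands and the audit should leave SSL with an empty problem list.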
10-28-2010 09:16 AM
Hi Nicolas,
All ok.
You are a crack,
Thanks for your help
Best regards
Ignacio