Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Problems enabling WEBVPN on 871W

Hello All,

I am experiencing issues configuring WebVPN on a cisco 871W.  Would someone be able to point out the problems in my configuration?

Thanks

aaa new-model

!

!

aaa authentication login sslvpn local

ip domain name LAKEVIEW

!

!

crypto pki trustpoint my-trustpoint

enrollment selfsigned

serial-number

subject-name CN=firewallcx-certificate

revocation-check crl

rsakeypair my-rsa-keys

webvpn gateway MY-CISCO-WEBVPN-GATEWAY

ip address 192.168.0.1 port 443

ssl encryption aes-sha1

ssl trustpoint my-trustpoint

inservice

!

webvpn install svc usbflash0:/webvpn/svc.pkg

!

webvpn context Cisco-WebVPN

title "Tyson's home VPN"

ssl authenticate verify all

!

login-message "Cisco Secure Login WebVPN"

!       

policy group WEBVPNPOLICY

   functions svc-enabled

   svc address-pool "webvpn-pool"

   svc rekey method new-tunnel

   svc split include 192.168.0.0 255.255.255.0

default-group-policy WEBVPNPOLICY

aaa authentication list sslvpn

gateway MY-CISCO-WEBVPN-GATEWAY domain webvpn

inservice webvpn gateway MY-CISCO-WEBVPN-GATEWAY
ip address 50.174.58.233 port 443
ssl encryption aes-sha1
ssl trustpoint my-trustpoint
inservice
!

9 REPLIES
Community Member

Re: Problems enabling WEBVPN on 871W

Hi,

1. You have to enable SSL on this router.

Check it.

ip http secure-server

2. I have verified your configuration. You have entered the two defined webvpn gateways with the same name?

In my opinion, correct configuration should look like this:

crypto pki trustpoint my-trustpoint

enrollment selfsigned

serial-number

subject-name CN=firewallcx-certificate

revocation-check crl

rsakeypair my-rsa-keys

webvpn gateway MY-CISCO-WEBVPN-GATEWAY

ip address 50.174.58.233 port 443

ssl encryption aes-sha1

ssl trustpoint my-trustpoint

inservice

!

webvpn install svc usbflash0:/webvpn/svc.pkg

!

webvpn context Cisco-WebVPN

title "Tyson's home VPN"

ssl authenticate verify all

!

login-message "Cisco Secure Login WebVPN"

!      

policy group WEBVPNPOLICY

   functions svc-enabled

   svc address-pool "webvpn-pool"

   svc rekey method new-tunnel

   svc split include 192.168.0.0 255.255.255.0

default-group-policy WEBVPNPOLICY

aaa authentication list sslvpn

gateway MY-CISCO-WEBVPN-GATEWAY

domain webvpn

inservice

Try it out.

3. Put the results of the commands:

show webvpn gateway

show webvpn install status svc

show webvpn context

________________

Best regards,
MB

________________ Best regards, MB
Community Member

Problems enabling WEBVPN on 871W

Hey MB thanks for the reply!

When I get home I will try this in about 8 hours.

I was also wondering if you know where I can find documentation to implement this feature. I have actually just been scrouging through various internet sites to find information, but I really don't have a solid idea what all the commands are actually doing.

For example, I am really blurry about what the following commands are accomplishing:

crypto pki trustpoint my-trustpoint

enrollment selfsigned

serial-number

subject-name CN=firewallcx-certificate  = = = > What is this line doing?

revocation-check crl

rsakeypair my-rsa-keys

Community Member

Re: Problems enabling WEBVPN on 871W

Hello

Interesting article (you have read it already  )

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/904-cisco-router-anyconnect-webvpn.html

D'Juan Tyson napisano:

For example, I am really blurry about what the following commands are accomplishing:

crypto pki trustpoint my-trustpoint

enrollment selfsigned

serial-number

subject-name CN=firewallcx-certificate  = = = > What is this line doing?

revocation-check crl

rsakeypair my-rsa-keys

The subject-name subcommand allows you to specify other options in the certificate.

For example, you can sets the fields:

C=  (Country)

CA= (Certificate authority)

CN= (Common Name)

O=  (Organization)

OU= (Organizational Unit)

ST= (State)

If the subject-name subcommand is not used, by default, the router Fully Qualified Domain Name (FQDN) is used.

For example:

ip hostname webvpn

ip domain-name company.com

the FQDN in the certificate will be: webvpn.company.com

P.S.

If https is already running on the router - it means that the self-signed certificate is created, because the router generates it automatically.

Or you can generate it now (enter the command: ip http secure-server)

You can use this certificate, read below article:

http://tekcert.com/blog/2011/08/05/configuring-clientless-ssl-vpn-webvpn-cisco-ios-routers

At section: "A key point to make here is that enabling http secure-server (https) forces the router to create a self-signed certificate if it hasn't already done so."

________________

Best regards,
MB

________________ Best regards, MB
Community Member

Problems enabling WEBVPN on 871W

Hey MB,

The output you request is below:

My871W#show webvpn context

Codes: AS - Admin Status, OS - Operation Status
       VHost - Virtual Host

Context Name        Gateway  Domain/VHost      VRF      AS    OS
------------        -------  ------------      -------  ----  --------
Cisco-WebVPN        MY-CISCO webvpn            -        up    up 

My871W#show webvpn install status svc

SSLVPN Package SSL-VPN-Client version installed:

CISCO STC win2k+

3,1,03103

Hostscan Version 3.1.03103

Tue 03/26/2013  8:55:10.17 J

 

My871W#show webvpn gateway

Gateway Name                       Admin  Operation
------------                       -----  ---------
MY-CISCO-WEBVPN-GATEWAY            up     up 

Community Member

Re: Problems enabling WEBVPN on 871W

Hi,

The results - here everything looks fine. 

To verify if the certificate is correctly installed on the router, paste the output:

sh crypto pki certificates

So what is the issue?

Please explain it or provide more information.

________________ Best regards, MB
Community Member

Problems enabling WEBVPN on 871W

Hey MB,

My certifcate output is below.  I really appreciate you helping me with this becuase I have no idea where to luck.  It seems that I followed all the commands correctly but when I try to connect to the firewall using my iphone app "anyconnect" , I cannot form a VPN connection.  Maybe you have some more troubleshooting steps I can perform.  Were you able to get this working on your 871W?

My871W#sh crypto pki certificates

Router Self-Signed Certificate

  Status: Available

  Certificate Serial Number: 02

  Certificate Usage: General Purpose

  Issuer:

    serialNumber=FHK100850LZ+hostname=My871W.LAKEVIEW

    cn=firewallcx-certificate

  Subject:

    Name: My871W.LAKEVIEW

    Serial Number: FHK100850LZ

    serialNumber=FHK100850LZ+hostname=My871W.LAKEVIEW

    cn=firewallcx-certificate

  Validity Date:

    start date: 04:34:42 UTC Nov 5 2002

    end   date: 00:00:00 UTC Jan 1 2020

  Associated Trustpoints: my-trustpoint

  Storage: nvram:FHK100850LZh#5702.cer

Community Member

Re: Problems enabling WEBVPN on 871W

Hi,           

Specify your IOS version.

Cisco IOS recommendation: "An advanced image of Cisco IOS Software Release 12.4(6)T or later"

Troubleshooting:

1. Check the SSL VPN clientless mode

Open the web portal: "https://IP_of_your_WebVPN_gateway" and verify that you can log.

2. SSL VPN Debug Commands

Here is available one command with many options.

We'll use it without options:

- enable debugging

debug webvpn

- do try connect from AnyConnect and collect the logs

- turn off debugging

no debug all

Do analize the logs or paste here

________________

Best regards,

MB

Please rate all helpful posts

________________ Best regards, MB
Community Member

Problems enabling WEBVPN on 871W

MB,

When I try to connect to the VPN the anyconnect app says that it cannot verify the certificate?

DT

Community Member

Re: Problems enabling WEBVPN on 871W

Hey DT,

I'm not sure if this is the problem.

Not enough information. Maybe this?

"Untrusted VPN Server Certificate!,  AnyConnect cannot verify the VPN server: ........"

Server Certificates


A valid, trusted server certificate configured on the secure gateway provides an easy and safe VPN connection for the user.


AnyConnect on mobile devices provides improved security protection when  accessing a secure gateway by blocking the VPN connection if the  certificate presented by the secure gateway is invalid or untrusted, or  both.


A new Block Untrusted Servers application setting determines how AnyConnect blocks connections if it  cannot identify the secure gateway. This protection is ON by default; it  can be turned OFF by the user, but this is not recommended.


AnyConnect uses the digital certificate received from the server to  verify its identify. If the certificate is invalid (there is a  certificate error due to an expired or invalid date, wrong key usage, or  a name mismatch), or if it is untrusted (the certificate cannot be  verified by a Certificate Authority), or both, the connection is  blocked. A blocking message displays, and the user must choose how to  proceed.


When Block Untrusted Servers is ON, a blocking Untrusted VPN Server notification alerts the user to this security threat. The user can choose:

Keep Me Safe to terminate this connection and remain safe.
Change Settings to turn the Block Untrusted Servers  application preference OFF, but this is not recommended. After the user  disables this security protection, they must reinitiate the VPN  connection.

When Block Untrusted Servers is OFF, a nonblocking Untrusted VPN Server notification alerts the user to this security threat. The user can choose to:

Cancel the connection and remain safe.
Continue the connection, but this is not recommended.

View Details of the certificate.

If the certificate that the user is viewing is valid but untrusted, the user can:

Import the server certificate into the AnyConnect certificate store for future use and continue the connection by selecting Import and Continue.  Once this certificate is imported into the AnyConnect store, subsequent  connections made to the server using this digital certificate are  automatically accepted.

Go back to the previous screen and choose Cancel or Continue.

If the certificate is invalid, for any reason, the user can only return to the previous screen and choose Cancel or Continue.

Leaving the Block Untrusted Servers  setting ON, having a valid, trusted server certificate configured on  your secure gateway, and instructing your mobile users to always choose Keep Me Safe is the safest configuration for VPN connectivity to your network.


Try it, and reply.

Please, enter the full error message or attach example (screen) from the Internet.

________________

Best regards,

MB

Please rate all helpful posts

________________ Best regards, MB
856
Views
0
Helpful
9
Replies
CreatePlease to create content