Trying to set up a VPN

jsandau
Level 1

I thought an SSL VPN would be good, but every time I go to connect to it I have to click through security warnings and install a security certificate. Other than that the VPN works; however, there will be less tech-savvy (and patient) users using this VPN, and they will not want to have to click through a bunch of security warnings to get to the VPN. So is there a way I can have the user connect to a web portal once, have that download the AnyConnect VPN software onto their computer, and after that all they have to do is open the AnyConnect software and type in a username and password, and preferably have the VPN software remember the IP address for them? Also, if this could be done via CCP that would be great; I'm new to Cisco routers and don't know the command line yet. If it can't be done via CCP then I guess I'll have to bite the bullet and do it via command line. Thanks.

37 Replies

Well, you might need to read the config guide and command ref if you would like to learn how to use command line.

Ok, this is the only link which I found on CCO about using CCP to configure Anyconnect on the router.

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml

But it does not include info on generating the certificate. If you would like to get rid of those certificate popup windows, you have to generate the self-signed certificate like what I mentioned before. Sorry, I never played with CCP before. But it should be doable on CCP as well.

I think I follow what I need to do here except for one detail. When you are saying stuff like fqdn 172.16.182.87 and subject-name CN=172.16.182.87, what is the 172.16.182.87 address? Is that where I would put the IP address my ISP assigned to me?

Yes, that's the public IP address which you got from your ISP.

Anyconnect client will use it to connect to your router.

Do you have a static public IP? I saw your router is configured as a DHCP client.

Yes, it is a static IP assigned by the ISP.

Ok, that's good. Otherwise, you have to use DNS name.

I'm making progress here. I get to this step, "4. crypto pki enroll self-signed". I enter crypto pki enroll TP-self-signed-41228344 and the message that comes back is:

CA server trustpoint 'TP-self-signed-41228344' is not known.

What am I doing wrong?

What trustpoint name did you configure in step 2?

You need to use the same trustpoint name in "crypto pki enroll".

You need to check the following configuration as well to use the same trustpoint name which you configured in step 2.

webvpn gateway gateway_1

ssl trustpoint TP-self-signed-4112746227  <<<<< Replace "TP-self-signed-4112746227" with new trustpoint name.

here are the exact steps I followed:

I changed the host name from yourdomain.com to *external IP address*

crypto pki trustpoint TP-self-signed-4112746227

(TP-self-signed-4112746277 was already there, I guess that is the one that CCP created, so I just wanted to edit that one)

enrollment selfsigned

fqdn *external IP Address*

subject-name CN=*external IP address*

rsakeypair test

crypto pki enroll self-signed
crypto pki enroll TP-self-signed-4112746227

That's when I get the error. Also, now I don't seem to have any VPN access. When I go to https://*external ip address* I get a "page cannot be displayed" error.

Can you send me the following output?

show crypto ca cert

show crypto key mypub rsa

show run

Show Crypto ca cert:

Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 0x2
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-4112746227
  Subject:
    Name: IOS-Self-Signed-Certificate-4112746227
    cn=IOS-Self-Signed-Certificate-4112746227
  Validity Date:
    start date: 14:15:27 PCTime Sep 10 2010
    end   date: 17:00:00 PCTime Dec 31 2019
  Associated Trustpoints: TP-self-signed-4112746227
  Storage: nvram:IOS-Self-Sig#8.cer

Show crypto key mypub rsa:

% Key pair was generated at: 15:33:19 PCTime Jun 9 2010
Key name: TP-self-signed-4112746227
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
% Key pair was generated at: 14:44:41 PCTime Sep 10 2010
Key name: HTTPS_SS_CERT_KEYPAIR
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
% Key pair was generated at: 11:00:11 PCTime Sep 13 2010
Key name: TP-self-signed-4112746227.server
Temporary key
Usage: Encryption Key
Key is not exportable.

show run:

Building configuration...

Current configuration : 15678 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *host name*
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret *password*
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-4112746227
 enrollment selfsigned
 fqdn *external ip address*
 subject-name CN=*external ip address*
 revocation-check none
 rsakeypair test
!
crypto pki trustpoint tp-self-signed-4112746277
 enrollment selfsigned
 fqdn *external ip address*
 subject-name CN=*external ip address*
 revocation-check crl
 rsakeypair test
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-4112746227
 certificate self-signed 02


  quit
crypto pki certificate chain tp-self-signed-4112746277
dot11 syslog
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.11.100.1 10.11.100.99
!
ip dhcp pool ccp-pool1
   import all
   network 10.11.100.0 255.255.255.0
   default-router 10.11.100.1
!
!
no ip bootp server
ip domain name *external ip address*
!
multilink bundle-name authenticated
!
!
username administrator privilege 15 secret *password*
username VPNuser privilege 7 secret 5 *password*
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco1811VPN address *external ip address 2*
crypto isakmp key Cisco1811VPN address *external ip address 3*
!
crypto isakmp client configuration group VPN_users
 key *shared key*
 pool VPN_Pool
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_users
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA2
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to *external ip address 2*
 set peer *external ip address 2*
 set transform-set ESP-3DES-SHA
 match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to *external ip address 3*
 set peer *external ip address 3*
 set transform-set ESP-3DES-SHA1
 match address 106
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 104
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 110
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 101
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all SDM_VPN_PT0
 match access-group 108
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-cls-sdm-permit-ip-1
 match access-group name VNC
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT0
  pass
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.11.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip local pool VPN_Pool 10.11.100.50 10.11.100.99
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended SDM_WEBVPN
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended VNC
 remark CCP_ACL Category=128
 permit ip any host 10.11.100.101
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.11.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host *external ip address*
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host *external ip address 2* any
access-list 103 permit ip host *external ip address 3* any
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 105 permit ip 10.11.100.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 107 remark CCP_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 108 remark CCP_ACL Category=128
access-list 108 permit ip host *external ip address 3* any
access-list 109 remark CCP_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 110 remark CCP_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.11.100.0 0.0.0.255 10.11.100.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway gateway_1
 ip address *external ip address* port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-4112746227
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context VPN_Pool
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "VPN_Pool"
   svc keep-client-installed
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 inservice
!
end

The problem is that you configured the trustpoint to use keypair "test", but you did not generate a key with label "test".

Please follow exactly the steps below.

1. generate a key with name "test"

crypto key generate rsa modulus 1024 label test

2. remove "ip domain name" if it is configured

no ip domain name xxxx.xxx

3. configure your trustpoint like the following

crypto pki trustpoint self-signed
enrollment selfsigned
fqdn
subject-name CN=
rsakeypair test

4. change your host name to IP address.

hostname

5. crypto pki enroll self-signed

6. change your hostname back to its previous name.

7. add "ip domain name" back

8. change webvpn config to point to the new trustpoint

webvpn gateway gateway_1

ssl trustpoint self-signed

Then try the webvpn by using your public IP.
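An added example (not code from this thread or from Cisco) that applies the diagnosis above to pasted router output: it cross-references each trustpoint's rsakeypair label against the labels listed by "show crypto key mypub rsa", confirms the webvpn gateway's ssl trustpoint exists, and compares the certificate CN with the gateway address that clients will type in. The SHOW_RUN and SHOW_KEYS samples are constructed to mirror the posted outputs, with 192.0.2.10 as a placeholder public address.

```python
import re

# Constructed sample modelled on the outputs posted in this thread (192.0.2.10 is a
# documentation address): the trustpoint names keypair "test", which was never generated.
SHOW_RUN = """\
crypto pki trustpoint TP-self-signed-4112746227
 enrollment selfsigned
 fqdn 192.0.2.10
 subject-name CN=192.0.2.10
 rsakeypair test
!
webvpn gateway gateway_1
 ip address 192.0.2.10 port 443
 ssl trustpoint TP-self-signed-4112746227
 inservice
"""
SHOW_KEYS = """\
% Key pair was generated at: 15:33:19 PCTime Jun 9 2010
Key name: TP-self-signed-4112746227
Usage: General Purpose Key
% Key pair was generated at: 11:00:11 PCTime Sep 13 2010
Key name: TP-self-signed-4112746227.server
Temporary key
"""

def parse_blocks(show_run, header_re):
    """{name: {first word: rest}} for each block whose header matches header_re.
    'show run' indents subcommands by one space; '!' or an unindented line ends a block."""
    blocks, current = {}, None
    for line in show_run.splitlines():
        m = re.match(header_re, line)
        if m:
            current = m.group(1)
            blocks[current] = {}
        elif current and line.startswith(" ") and line.strip():
            key, _, rest = line.strip().partition(" ")
            blocks[current][key] = rest
        else:
            current = None
    return blocks

def parse_key_labels(show_keys):
    """Key labels from 'show crypto key mypub rsa', ignoring temporary .server keys."""
    labels = re.findall(r"^Key name: (\S+)$", show_keys, re.M)
    return {k for k in labels if not k.endswith(".server")}

def check_ssl_vpn_pki(show_run, show_keys):
    """Findings that explain a failed 'crypto pki enroll' (missing key pair), an
    undefined gateway trustpoint, or a browser name-mismatch warning (CN != gateway IP)."""
    findings = []
    trustpoints = parse_blocks(show_run, r"^crypto pki trustpoint (\S+)")
    labels = parse_key_labels(show_keys)
    for name, sub in trustpoints.items():
        label = sub.get("rsakeypair")
        if label and label not in labels:
            findings.append(f"trustpoint {name}: rsakeypair '{label}' does not exist; "
                            f"run 'crypto key generate rsa label {label}' first")
    for gw, sub in parse_blocks(show_run, r"^webvpn gateway (\S+)").items():
        tp = sub.get("ssl", "").partition(" ")[2]       # 'ssl trustpoint <name>'
        if tp not in trustpoints:
            findings.append(f"gateway {gw}: ssl trustpoint '{tp}' is not defined")
            continue
        words = sub.get("ip", "").split()               # 'ip address <addr> port <n>'
        cn = trustpoints[tp].get("subject-name", "")
        if len(words) > 1 and cn.upper().startswith("CN=") and cn[3:] != words[1]:
            findings.append(f"gateway {gw}: certificate CN '{cn[3:]}' != gateway address "
                            f"{words[1]}; browsers will still warn about a name mismatch")
    return findings
```

Call check_ssl_vpn_pki(SHOW_RUN, SHOW_KEYS) on the sample and the only finding is the missing "test" key pair; paste your own two outputs in place of the samples to re-run the check after each step.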

I'm following your steps exactly, but when I get to

4. change your host name to IP address.

hostname

I get an error that says the hostname contains illegal characters. There doesn't seem to be any other errors, so I continue on. I'm still not getting the web page when I type in the IP address; I'm still getting a "page cannot be displayed" error. Also, the hostname and domain name are mixed up. The hostname is the external IP address and the domain name is Cisco_Router. Should it be this way?

Never mind the part about the hostname and domain name being mixed up, I got that fixed, but the SSL VPN still isn't working.

Can you paste the following again?

show crypto ca cert

show crypto key mypub rsa

show run