topic Problems enabling WEBVPN on 871W in VPN

Problems enabling WEBVPN on 871W

Illini79 — Mon, 09 Sep 2013 06:08:42 GMT

Hello All,

I am experiencing issues configuring WebVPN on a cisco 871W. Would someone be able to point out the problems in my configuration?

Thanks

aaa new-model

aaa authentication login sslvpn local

ip domain name LAKEVIEW

crypto pki trustpoint my-trustpoint

enrollment selfsigned

serial-number

subject-name CN=firewallcx-certificate

revocation-check crl

rsakeypair my-rsa-keys

webvpn gateway MY-CISCO-WEBVPN-GATEWAY

ip address 192.168.0.1 port 443

ssl encryption aes-sha1

ssl trustpoint my-trustpoint

inservice

webvpn install svc usbflash0:/webvpn/svc.pkg

webvpn context Cisco-WebVPN

title "Tyson's home VPN"

ssl authenticate verify all

policy group WEBVPNPOLICY

functions svc-enabled

svc address-pool "webvpn-pool"

svc rekey method new-tunnel

svc split include 192.168.0.0 255.255.255.0

default-group-policy WEBVPNPOLICY

aaa authentication list sslvpn

gateway MY-CISCO-WEBVPN-GATEWAY domain webvpn

inservice webvpn gateway MY-CISCO-WEBVPN-GATEWAY
ip address 50.174.58.233 port 443
ssl encryption aes-sha1
ssl trustpoint my-trustpoint
inservice
!

Re: Problems enabling WEBVPN on 871W

czaja0000 — Tue, 10 Sep 2013 13:27:17 GMT

Hi,

1. You have to enable SSL on this router.

Check it.

ip http secure-server

2. I have verified your configuration. You have entered the two defined webvpn gateways with the same name?

In my opinion, correct configuration should look like this:

crypto pki trustpoint my-trustpoint

enrollment selfsigned

serial-number

subject-name CN=firewallcx-certificate

revocation-check crl

rsakeypair my-rsa-keys

webvpn gateway MY-CISCO-WEBVPN-GATEWAY

ip address 50.174.58.233 port 443

ssl encryption aes-sha1

ssl trustpoint my-trustpoint

inservice

webvpn install svc usbflash0:/webvpn/svc.pkg

webvpn context Cisco-WebVPN

title "Tyson's home VPN"

ssl authenticate verify all

policy group WEBVPNPOLICY

functions svc-enabled

svc address-pool "webvpn-pool"

svc rekey method new-tunnel

svc split include 192.168.0.0 255.255.255.0

default-group-policy WEBVPNPOLICY

aaa authentication list sslvpn

gateway MY-CISCO-WEBVPN-GATEWAY

domain webvpn

inservice

Try it out.

3. Put the results of the commands:

show webvpn gateway

show webvpn install status svc

show webvpn context

________________

Best regards,
MB

Problems enabling WEBVPN on 871W

Illini79 — Tue, 10 Sep 2013 21:06:48 GMT

Hey MB thanks for the reply!

When I get home I will try this in about 8 hours.

I was also wondering if you know where I can find documentation to implement this feature. I have actually just been scrouging through various internet sites to find information, but I really don't have a solid idea what all the commands are actually doing.

For example, I am really blurry about what the following commands are accomplishing:

crypto pki trustpoint my-trustpoint

enrollment selfsigned

serial-number

subject-name CN=firewallcx-certificate = = = > What is this line doing?

revocation-check crl

rsakeypair my-rsa-keys

Re: Problems enabling WEBVPN on 871W

czaja0000 — Wed, 11 Sep 2013 10:38:23 GMT

Hello

Interesting article (you have read it already )

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/904-cisco-router-anyconnect-webvpn.html

D'Juan Tyson napisano:

For example, I am really blurry about what the following commands are accomplishing:

crypto pki trustpoint my-trustpoint

enrollment selfsigned

serial-number

subject-name CN=firewallcx-certificate = = = > What is this line doing?

revocation-check crl

rsakeypair my-rsa-keys

The subject-name subcommand allows you to specify other options in the certificate.

For example, you can sets the fields:

C= (Country)

CA= (Certificate authority)

CN= (Common Name)

O= (Organization)

OU= (Organizational Unit)

ST= (State)

If the subject-name subcommand is not used, by default, the router Fully Qualified Domain Name (FQDN) is used.

For example:

ip hostname webvpn

ip domain-name company.com

the FQDN in the certificate will be: webvpn.company.com

P.S.

If https is already running on the router - it means that the self-signed certificate is created, because the router generates it automatically.

Or you can generate it now (enter the command: ip http secure-server)

You can use this certificate, read below article:

http://tekcert.com/blog/2011/08/05/configuring-clientless-ssl-vpn-webvpn-cisco-ios-routers

At section: "A key point to make here is that enabling http secure-server (https) forces the router to create a self-signed certificate if it hasn't already done so."

________________

Best regards,
MB

Problems enabling WEBVPN on 871W

Illini79 — Thu, 12 Sep 2013 06:47:42 GMT

Hey MB,

The output you request is below:

My871W#show webvpn context

Codes: AS - Admin Status, OS - Operation Status
VHost - Virtual Host

Context Name        Gateway Domain/VHost      VRF      AS    OS
------------        ------- ------------      ------- ---- --------
Cisco-WebVPN        MY-CISCO webvpn            -        up    up

My871W#show webvpn install status svc

SSLVPN Package SSL-VPN-Client version installed:

CISCO STC win2k+

3,1,03103

Hostscan Version 3.1.03103

Tue 03/26/2013 8:55:10.17 J

My871W#show webvpn gateway

Gateway Name                       Admin Operation
------------                       ----- ---------
MY-CISCO-WEBVPN-GATEWAY            up     up

Re: Problems enabling WEBVPN on 871W

czaja0000 — Thu, 12 Sep 2013 09:11:47 GMT

Hi,

The results - here everything looks fine.

To verify if the certificate is correctly installed on the router, paste the output:

sh crypto pki certificates

So what is the issue?

Please explain it or provide more information.

Problems enabling WEBVPN on 871W

Illini79 — Fri, 13 Sep 2013 03:47:44 GMT

Hey MB,

My certifcate output is below. I really appreciate you helping me with this becuase I have no idea where to luck. It seems that I followed all the commands correctly but when I try to connect to the firewall using my iphone app "anyconnect" , I cannot form a VPN connection. Maybe you have some more troubleshooting steps I can perform. Were you able to get this working on your 871W?

My871W#sh crypto pki certificates

Router Self-Signed Certificate

Status: Available

Certificate Serial Number: 02

Certificate Usage: General Purpose

Issuer:

serialNumber=FHK100850LZ+hostname=My871W.LAKEVIEW

cn=firewallcx-certificate

Subject:

Name: My871W.LAKEVIEW

Serial Number: FHK100850LZ

serialNumber=FHK100850LZ+hostname=My871W.LAKEVIEW

cn=firewallcx-certificate

Validity Date:

start date: 04:34:42 UTC Nov 5 2002

end date: 00:00:00 UTC Jan 1 2020

Associated Trustpoints: my-trustpoint

Storage: nvram:FHK100850LZh#5702.cer

Problems enabling WEBVPN on 871W

Illini79 — Fri, 13 Sep 2013 03:53:35 GMT

MB,

When I try to connect to the VPN the anyconnect app says that it cannot verify the certificate?

Re: Problems enabling WEBVPN on 871W

czaja0000 — Fri, 13 Sep 2013 09:00:04 GMT

Hey DT,

I'm not sure if this is the problem.

Not enough information. Maybe this?

"Untrusted VPN Server Certificate!, AnyConnect cannot verify the VPN server: ........"

Server Certificates

A valid, trusted server certificate configured on the secure gateway provides an easy and safe VPN connection for the user.

AnyConnect on mobile devices provides improved security protection when accessing a secure gateway by blocking the VPN connection if the certificate presented by the secure gateway is invalid or untrusted, or both.

A new Block Untrusted Servers application setting determines how AnyConnect blocks connections if it cannot identify the secure gateway. This protection is ON by default; it can be turned OFF by the user, but this is not recommended.

AnyConnect uses the digital certificate received from the server to verify its identify. If the certificate is invalid (there is a certificate error due to an expired or invalid date, wrong key usage, or a name mismatch), or if it is untrusted (the certificate cannot be verified by a Certificate Authority), or both, the connection is blocked. A blocking message displays, and the user must choose how to proceed.

When Block Untrusted Servers is ON, a blocking Untrusted VPN Server notification alerts the user to this security threat. The user can choose:

•Keep Me Safe to terminate this connection and remain safe.
•Change Settings to turn the Block Untrusted Servers application preference OFF, but this is not recommended. After the user disables this security protection, they must reinitiate the VPN connection.

When Block Untrusted Servers is OFF, a nonblocking Untrusted VPN Server notification alerts the user to this security threat. The user can choose to:

•Cancel the connection and remain safe.
•Continue the connection, but this is not recommended.

•View Details of the certificate.

If the certificate that the user is viewing is valid but untrusted, the user can:

–Import the server certificate into the AnyConnect certificate store for future use and continue the connection by selecting Import and Continue. Once this certificate is imported into the AnyConnect store, subsequent connections made to the server using this digital certificate are automatically accepted.

–Go back to the previous screen and choose Cancel or Continue.

If the certificate is invalid, for any reason, the user can only return to the previous screen and choose Cancel or Continue.

Leaving the Block Untrusted Servers setting ON, having a valid, trusted server certificate configured on your secure gateway, and instructing your mobile users to always choose Keep Me Safe is the safest configuration for VPN connectivity to your network.

Try it, and reply.

Please, enter the full error message or attach example (screen) from the Internet.

________________

Best regards,

Please rate all helpful posts

Re: Problems enabling WEBVPN on 871W

czaja0000 — Fri, 13 Sep 2013 10:49:50 GMT

Hi,

Specify your IOS version.

Cisco IOS recommendation: "An advanced image of Cisco IOS Software Release 12.4(6)T or later"

Troubleshooting:

1. Check the SSL VPN clientless mode

Open the web portal: "https://IP_of_your_WebVPN_gateway" and verify that you can log.

2. SSL VPN Debug Commands

Here is available one command with many options.

We'll use it without options:

- enable debugging

debug webvpn

- do try connect from AnyConnect and collect the logs

- turn off debugging

no debug all

Do analize the logs or paste here

________________

Best regards,

Please rate all helpful posts