
Register IPPhone with advanced feature VPN

Hello,

I need some clues to configure the VPN feature on CUCM 8.0.2 with ASA 8.0.5.

I got the guidelines, but I need more info about the config on the ASA.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_0_2/secugd/secvpfet.html

How can I get this ?

Uploading VPN Concentrator Certificates
Cisco recommends that you generate a certificate on the ASA when you set it up to support the VPN
feature. Download the generated certificate to your PC or workstation and then upload it to Cisco Unified
Communications Manager using the procedure in this section. Cisco Unified Communications Manager
saves the certificate in the Phone-VPN-trust list.

Please Help

thanks from now!

Alex

8 Replies

jomcgaug
Level 4

Hi Alex,

Here's some useful links.

https://supportforums.cisco.com/docs/DOC-9124

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

Here's a step-by-step guide.  Let me know if this helps.


Download the Cisco_Manufacturing_CA and CAPF certs from CUCM.  This is only needed for device level certificate authentication.  If the cluster is in Mixed Mode, you’ll need to add the CallManager cert as well.

Download certificates from CUCM

1. Go to the Cisco UCM Operating System Administration web page.

2. Choose Security > Certificate Management. (This location may change based on the UCM version.)

3. Find the certificates CallManager, Cisco_Manufacturing_CA, and CAPF. Download each .pem file and save it as a .txt file.

Import certificates into the ASA

1. Create the CallManager trustpoint.

hostname(config)# crypto ca trustpoint CallManager
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config-ca-trustpoint)# exit
hostname(config)# crypto ca authenticate CallManager

When prompted for base 64 encoded CA Certificate, copy-paste the text in the downloaded CallManager.pem file along with the BEGIN and END lines.

2. Create the Cisco_Manufacturing_CA trustpoint.

hostname(config)# crypto ca trustpoint Cisco_Manufacturing_CA
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config-ca-trustpoint)# exit
hostname(config)# crypto ca authenticate Cisco_Manufacturing_CA

When prompted for base 64 encoded CA Certificate, copy-paste the text in the downloaded Cisco_Manufacturing_CA.pem file along with the BEGIN and END lines.

3. Create the CAPF trustpoint.

hostname(config)# crypto ca trustpoint CAPF
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config-ca-trustpoint)# exit
hostname(config)# crypto ca authenticate CAPF

When prompted for base 64 encoded CA Certificate, copy-paste the text in the downloaded CAPF.pem file along with the BEGIN and END lines.

Create the VPN trustpoint and generate self-signed certificate

1. Create the SSL keypair.

hostname(config)# crypto key generate rsa label sslvpnkeypair modulus 1024

2. Create the VPN trustpoint.

hostname(config)# crypto ca trustpoint ASA_VPN
hostname(config-ca-trustpoint)# enrollment self
hostname(config-ca-trustpoint)# keypair sslvpnkeypair
!---For the CallManager certificate to work with host-id check enabled on the VPN profile in CUCM, the following should be added.
hostname(config-ca-trustpoint)# fqdn
hostname(config-ca-trustpoint)# subject-name CN=, CN=
hostname(config-ca-trustpoint)# exit
hostname(config)# crypto ca enroll ASA_VPN

3. Assign the trustpoint to the outside interface.

hostname(config)# ssl trust-point ASA_VPN outside

Export the VPN certificate and upload to CUCM.

1. Export the VPN certificate.

hostname(config)# crypto ca export ASA_VPN identity-certificate

2. Upload the certificate to CUCM.

Go to the Cisco UCM Operating System Administration web page.

Choose Security > Certificate Management. (this location may change based on the UCM version)

Click Upload Certificate and select the Phone-VPN-Trust store.

Browse to the exported VPN certificate file and click Upload File.

That covers the cert part.  Here are snippets from the VPN parts of the config.

crypto ca trustpoint CallManager
 enrollment terminal
 crl configure
crypto ca trustpoint CiscoMfgCert
 enrollment terminal
 crl configure
crypto ca trustpoint UCM_CAPF_Cert
 enrollment terminal
 crl configure
crypto ca trustpoint ASA_VPN
 enrollment self
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain CallManager
 certificate ca 459b7a30cc05688e
crypto ca certificate chain CiscoMfgCert
 certificate ca 6a6967b3000000000003
crypto ca certificate chain UCM_CAPF_Cert
 certificate ca 5b0656231631591d
crypto ca certificate chain ASA_VPN
 certificate 2509c62b000000000021
ssl trust-point ASA_VPN outside

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.1025-k9.pkg 1
 svc enable
 tunnel-group-list enable

group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
 dns-server value 10.1.1.1
 vpn-tunnel-protocol IPSec svc webvpn
 default-domain value cisco.com
 address-pools value SSLClientPool
 webvpn
  svc dtls enable
  svc keep-installer installed
  svc keepalive 120
  svc rekey time 4
  svc rekey method new-tunnel
  svc dpd-interval client none
  svc dpd-interval gateway 300
  svc compression deflate
  svc ask none default webvpn

!---Username+password authentication example
username vpnuser password i5k2dTp7PNxLQwDy encrypted
username vpnuser attributes
 vpn-group-policy SSLCLientPolicy
 service-type remote-access

!---Device+password authentication example
username CP-7975G-SEP001AE2BC16CB password k1kLGQIoxyCO4ti9 encrypted
username CP-7975G-SEP001AE2BC16CB attributes
 vpn-group-policy SSLCLientPolicy
 service-type remote-access

username cisco123 password ffIRPGpDSOJh9YLq encrypted privilege 15

tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool SSLClientPool
 default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
 group-url https://172.16.1.1/SSLClientProfile enable

John
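Two things a practitioner will want to verify before trusting the exchange above, and a script to do it (an added example written for this thread, not John's code and not a Cisco tool). First, the `certificate ca 459b7a30cc05688e` style lines in the ASA config are certificate serial numbers, so comparing the serial in each downloaded CUCM .pem with what the ASA shows after `crypto ca authenticate` confirms the right certificate landed in the right trustpoint. Second, the CUCM VPN profile's host-ID check compares the gateway hostname in the VPN URL with the ASA certificate's CN or SAN dNSName, which is why the `fqdn` / `subject-name` lines matter; `host_id_matches()` below mirrors that comparison. The script is stdlib-only, walks just enough DER to pull serial, CN and SAN (it does not validate signatures or chains), and builds its own unsigned sample certificate so it runs offline; the serial 2509c62b000000000021 comes from the ASA_VPN chain line in the post, while `asa-vpn.example.com` and the issuer name are hypothetical. One caveat on the step-by-step itself: `modulus 1024` reflects the era of the post; 1024-bit RSA is below current minimum key-size recommendations, and a 2048-bit key is the sensible choice today.

```python
"""Pull serial, CN and SAN dNSNames from a certificate PEM (minimal DER walker).

Added example for this thread, not John's code and not a Cisco tool.  Stdlib only.
Not a validator: no signature or chain checks.  The sample certificate is constructed
in code; asa-vpn.example.com is a hypothetical gateway FQDN.
"""
import base64

OID_CN = bytes.fromhex("550403")    # id-at-commonName 2.5.4.3
OID_SAN = bytes.fromhex("551d11")   # id-ce-subjectAltName 2.5.29.17


# ---- DER decoding ---------------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the content of a constructed value into (tag, value) items."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items


def pem_to_der(pem_text):
    lines = [l.strip() for l in pem_text.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def _name_cn(name_body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN."""
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if oid == OID_CN:
                return value.decode()
    return None


def inspect_cert(der):
    (_, cert), = _children(der)                        # Certificate ::= SEQUENCE
    (_, tbs), _sig_alg, _sig_value = _children(cert)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                           # explicit [0] version (v3)
        fields = fields[1:]
    serial, _alg, issuer, _validity, subject, _spki = fields[:6]
    dns_names = []
    for tag, body in fields[6:]:
        if tag != 0xA3:                                # [3] extensions
            continue
        (_, ext_list), = _children(body)
        for _, ext in _children(ext_list):
            parts = _children(ext)                     # oid, [critical], OCTET STRING
            if parts[0][1] == OID_SAN:
                (_, general_names), = _children(parts[-1][1])
                dns_names += [v.decode() for t, v in _children(general_names) if t == 0x82]
    return {
        "serial": serial[1].lstrip(b"\x00").hex(),     # drop DER sign padding to match ASA output
        "issuer_cn": _name_cn(issuer[1]),
        "subject_cn": _name_cn(subject[1]),
        "dns_names": dns_names,
    }


def host_id_matches(info, gateway_host):
    """Mirror of the CUCM VPN-profile host-ID check: the URL host must equal the
    subject CN or one of the SAN dNSNames of the gateway certificate."""
    names = [n.lower() for n in [info["subject_cn"], *info["dns_names"]] if n]
    return gateway_host.lower() in names


# ---- constructed sample (DER encoder just big enough for a test cert) ------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body


def _seq(*parts):
    return _tlv(0x30, b"".join(parts))


def _cn_name(cn):
    return _seq(_tlv(0x31, _seq(_tlv(0x06, OID_CN), _tlv(0x0C, cn.encode()))))


def sample_cert_der(serial_hex, subject_cn, dns_names):
    """Constructed, unsigned v3 certificate skeleton (placeholder key and signature)."""
    serial = bytes.fromhex(serial_hex)
    serial = b"\x00" + serial if serial[0] & 0x80 else serial   # DER INTEGER sign padding
    alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))  # sha256WithRSA
    san = _seq(_tlv(0x06, OID_SAN), _tlv(0x04, _seq(*[_tlv(0x82, d.encode()) for d in dns_names])))
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, serial), alg, _cn_name("ASA-self-signed"),
               _seq(_tlv(0x17, b"250101000000Z"), _tlv(0x17, b"260101000000Z")),
               _cn_name(subject_cn), _seq(alg, _tlv(0x03, b"\x00")), _tlv(0xA3, _seq(san)))
    return _seq(tbs, alg, _tlv(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # serial from the ASA_VPN chain line in the post; the FQDN is hypothetical
    pem = to_pem(sample_cert_der("2509c62b000000000021", "asa-vpn.example.com", ["asa-vpn.example.com"]))
    info = inspect_cert(pem_to_der(pem))
    print(info, host_id_matches(info, "asa-vpn.example.com"))
```

To use it against real files, feed `inspect_cert(pem_to_der(open("CallManager.pem").read()))` and compare `serial` with the `certificate ca ...` line under the matching `crypto ca certificate chain` on the ASA; for the exported ASA_VPN certificate, check `host_id_matches(info, host)` with the exact host from the VPN gateway URL you put in the CUCM VPN gateway configuration.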

Hi John,


I have ip phones in remote sites

Cisco said you should register your IP phones locally before sending them to remote sites,

but I'm trying to configure them remotely.

I have an external TFTP server and can successfully send the configuration file to the IP phones at remote sites; I'm also able to upgrade and downgrade the phone.

The problem is that i can't send the needed certificate to the ip phone, so the phone can't connect.

Is there any way to send the certificate to the phone without connecting it to the Call Manager?


Regards
Haitham

Hi Haitham,

Unfortunately the only way to get the VPN cert on the phone is to register the phone to the CallManager first.

The only time I've seen someone configure the phone for VPN while it was remote was by first registering the phone via ASA Phone Proxy.  This particular customer was migrating from Phone Proxy to the VPN client.  Because the phone was registered via Phone Proxy, they could enable VPN and this would push the cert to the phone.  Not sure if that's an option for you.

John

No,

the remote phones are new and will need a new firmware upgrade as well as their config and the certificate.

I'm thinking for something

If I NAT the Call Manager IP address to a public one,

then set this IP as the TFTP server IP address on the remote phone,

could the phone download the certificate at that point, or, as I thought, is the certificate not given to the phone via TFTP either?

Thanks & Best Regards

Haitham

The phone needs to register to CallManager in order for it to get the VPN cert.  That's the key.  If you can do so using NAT, then it should work.

John

jomcgaug,

the step by step you listed is the exact opposite of what cisco recommends. Cisco recommends that you create a cert on the ASA and import that into CUCM.

How do I do what Cisco recommends?

"Cisco recommends that you generate a certificate on the ASA when you set it up to support the VPN

feature. Download the generated certificate to your PC or workstation and then upload it to Cisco Unified

Communications Manager using the procedure in this section. Cisco Unified Communications Manager

saves the certificate in the Phone-VPN-trust list."

The step by step procedure covers that part.  Look for the "Create the VPN trustpoint and generate self-signed certificate" and "Export the VPN certificate and upload to CUCM" sections.

Is that what you are looking for?

John

Ok Thanks John!

I'll pick it up from that point in the step by step.

PB