The Cisco IP Phone now has a built in VPN client based on SSL TLS/DTLS, the phone can directly establish a VPN connection (using anyconnect) to a ASA or IOS headend. This requires that the phone establish the initial connection inside of the corporate network to retrieve the phone configuration, then subsequent connections can be made using VPN as the configuration is retrieved on the phone. On IOS Cisco Ip phone client is supported starting 15.(1)2T.
Only the following phones are currently supported 7942 / 7962 / 7945 / 7965 / 7975
You can use Cisco Unified Reporting to determine which Cisco Unified IP Phones support the VPN client. From Cisco Unified Reporting, click Unified CM Phone Feature List. For the Feature, choose Virtual Private Network Client from the pull-down menu. The system displays a list of products that support the feature. For more information about using Cisco Unified Reporting, see the Cisco Unified Reporting Administration Guide.
The phone should be running load 9.0(2)SR1S - SCCP or later version.
CUCM should be running 22.214.171.124000-4 or greater.
IOS should be running 15.1(2)Tor later
The following document provides a complete set of configuration tasks required to configure CUCM for this feature:
Note: Please make sure the URL for the VPN Gateway contains the full URI including the path to reach the right context on the router. Example https://172.18.124.236/phonevpn
1. Use a supported phone model per the CUCM release notes
2. Configure the IP Phone with a TFTP server manually.
3. Import the root certificate or identity certificate used by the router into to phone via CUCM
Use this as a baseline for router configuration:
Use this as a baseline for router configuration:
This is a snippet of the configuration that pertains to webvpn/anyconnect on the router.
aaa authentication login default local
webvpn gateway mygateway
! The ip address should match that of your router public interface
ip address 172.18.124.236 port 443
! The trustpoint will vary depending on your router- use show cry ca cert to find out
ssl trustpoint TP-self-signed-743301245
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.0217-k9.pkg sequence 1
webvpn context mycontext
ssl authenticate verify all
policy group default
svc address-pool "mypool"
svc split include 192.168.88.0 255.255.255.0
! Dtls is required
aaa authentication list default
1) The gateway ip address should be changed to your router public interface ip address
2) The trustpoint will be different for each router. Use "show crypto ca cert" to see whats the router cert
3) SVC DTLS is a required command to enable DTLS, which is required for vpn phone due to the delay sensitivity for VOIP traffic.
This is enabled by default in the ISR G2 platforms:
C3900, C2951, C2900, C1900, CGR2010, C1906C, C890, C880
Other platforms, it will use software crypto. Use caution when enabling svc dtls when using software crypto
and high number of sessions as it may result in a high CPU condition affecting overall performance.
The phone will not connect to any headend (ASA or IOS), unless the id cert of the router or the issuer cert (CA ) is imported into the call manager and configured on the vpn gateway on CM.
The first step is to get the router identity certificate or the issuing CA certificate as a file in base64 format so that it can be imported into CUCM. One way to get the certificate is to use a browser and browse to the IOS router URL configured for anyconnect in the previous step as show below using Internet Explorer:
1) Open IE and browse to the URL of the router configured for webvpn/anyconnect.
2) On the upper right corner you will see a "Certificate Error" with a cross icon or a pad-lock icon (if the certificate is trusted by your browser). Click on the red cross icon or the pad-lock icon and you will see a popup window like below.
3) Click on View Certificates
4) Go to the details page.
Here, you can also see the CN (common name) and subject alternative name of router identity certificate. This can be used for verification that the router webvpn URL matches with the CN or SAN.
5) Click on "Copy to File" to copy the certificate to a file.
6) Select Base-64 as this is the format that CUCM will accept when importing.
7) Click Next and then select a file name for the certificate.
Once the certificate file is saved in base 64 format, the next step is to import it into CUCM.
1) Log on to the CUCM administration page. Select "Cisco Unified OS Administration" from the Navigation drop down list.
2)Select Security--->Certificate Management
3)Click on Upload certificate
4)For Certificate Name, Select Phone-VPN-trust and then select the base 64 file name for router that you get in earlier steps above. Then click on "upload file"
5) Now go back to the certificate list and click "find" to verify the id certificate of router exists on the CUCM.
Use this a reference, when configuring CUCM: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/8_0_1/secugd/secuvpn.html
1. Login to CUCM Administration page
2.Configuring the VPN Gateway
Go to Advanced Features > VPN > VPN Gateway
Click Add to add a new VPN Gateway.
Enter a vpn gateway name and description. Enter VPN gateway URL https://172.18.124.236/ , this should match with the group-url created on the router. Now, select the rutercertificate that was imported earlier and move it to the "VPN Certificates in this Location" container, so that the ceritificate is put in the phone trusted list.
Note: Here we are using the default URL without a path, for this it work , hence the gateway URL configured on CUCM should have a slash "/" at the end: https://172.18.124.236/. This is a specific requirement for the phone when using the default URL.
3. Adding the VPN Group
In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Group. Click add to add a new vpn group.
Select and move the VPN Gateway vpngateway_ios that was created in step2 to the "Selected VPN Gateways in this VPN Group" container.
4.Configuring the VPN Profile
In Cisco Unified Communications Manager Administration, choose Advanced Features > VPN > VPN Profile.
Click "Add New" to create a new profile.
Select the default values .
Note: if the CN/SAN of the router certificate does not match the FQDN or ip address configured on the gateway under CUCM, then the "Enable Host ID Check" should be unchecked
If the gateway url configured on CUCM does not match with the gateway URL configured on IOS router, then the phone VPN will fail to connect.
The phone when using username/password, will just attempt to connect and then fail and prompt again for username/password.
The phone will not connect to any headend (ASA or IOS), unless the id cert of the router or the issuer cert (CA ) is imported into the call manager and configured on the vpn gateway on CM. The message on the phone is VPN Authentication failed Required Action: Please follow the steps in the Sample configuration above to import the certificates.
By default in the VPN profile "Enable Host Id Check" is enabled, where the gateway certificate subjectAltName or CN must match the URL to which the VPN client is connected.If they dont, match you will get a "Authentication Failed" message
Suggested Action :
1) Modify the URL configured on CM to match the CN / SAN of the ceritificate. You can also create a new certificate that matches the URL configured
2) Unselect "Enabled Host ID check" from the VPN profile configuration.
Make sure there is routing / network connectivity between the two phones