12-13-2012 08:38 AM - edited 03-21-2019 06:44 AM
I have configured SSL VPN on a UC560, and when I connect with AnyConnect VPN on the iPhone it asks for the username and password. After I give the correct username and password it says "error processing data received from secure gateway". What is wrong with the configuration?
webvpn gateway GWa
ip address 203.169.115.179 port 443
ssl trustpoint TP-self-signed-1454133144
inservice
!
webvpn context WAterlier
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "new" netmask 255.255.255.0
default-group-policy policy_1
gateway GWa
max-users 100
inservice
!
thanks
kavi
12-13-2012 07:08 PM
The following is the certificate created on the router. Is there anything wrong with this?
crypto pki trustpoint TP-self-signed-1454133144
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1454133144
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-1454133144
certificate self-signed 01
quit
12-13-2012 07:15 PM
The following is the certificate created on another UC560, and here the AnyConnect VPN is working. I can see there is a difference between these two certificates: one command is missing on the UC560 which is not working for AnyConnect VPN ("rsakeypair TP-self-signed-560388261"). I couldn't add this command manually.
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-560388261
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-560388261
revocation-check none
rsakeypair TP-self-signed-560388261
!
!
crypto pki certificate chain TP-self-signed-560388261
certificate self-signed 01
quit
12-15-2012 01:40 AM
Hi Kavithas,
You need to zeroize the RSA keypair and recreate it - use length 1024. Then recreate the certificate and add
rsakeypair with the new RSA key with length 1024.
HTH,
Alex
*Please rate helpful posts
12-16-2012 08:28 PM
Hi Alexander,
I haven't created the certificate manually. When I enter the command "ip http secure-server", the certificate and trustpoint are created automatically. When I enter the command "no ip http secure-server", the certificate and trustpoint are not removed, so I manually removed them and then entered the commands
1. crypto key zeroize rsa
2. crypto key generate rsa (key length 1024)
then entered the command "ip http secure-server",
but rsakeypair is not added to the crypto pki trustpoint.
Could you explain how to create this?
thanks
kavi
12-17-2012 01:20 PM
Hi Kavi,
You may follow the procedure from the "Delete and Rebuild Trustpoint" part of:
https://supportforums.cisco.com/docs/DOC-18980
On step 5 add the length 1024 at the end of the "rsakeypair" command.
Remember to change the RSA key name and the certificate name to the ones you have in your system.
Thank you for the rating!
Please ask if you have further questions.
HTH,
Alex
12-17-2012 10:50 PM
I have solved the issue with the key, but I still cannot connect. Now when I use the command "debug ssl openssl errors",
the following error occurs.
193705: Dec 18 06:46:39.214: 0:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:1062:SSL alert number 46
193706: Dec 18 06:46:39.214: 0:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:847:
The following is the SSL VPN configuration:
webvpn gateway GWa
ip address 203.169.115.179 port 443
http-redirect port 80
ssl trustpoint TP-Self-Signed-9999999999
inservice
!
webvpn context WAterlier
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "new1" netmask 255.255.255.0
default-group-policy policy_1
gateway GWa
max-users 10
inservice
12-17-2012 11:16 PM
I am able to connect using the browser, but cannot connect using AnyConnect on the iPhone, and also couldn't start
the Tunnel connection (AnyConnect) from the browser.
12-19-2012 12:54 PM
Hi Kavi,
Are you able to connect with the AnyConnect client (or Tunnel connection) on a Windows PC? The reason I ask is I don't see the AnyConnect package installed in your webvpn configuration. You should see something like this:
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3046-k9.pkg sequence 1
Can you confirm you have that in your configuration?
Also, AnyConnect on iPhone is not currently supported on IOS. It is currently on the roadmap, but is not there yet. Please see the following:
CSCtx24822 - ENH: IOS SSL support for Anyconnet on mobile platforms
Thanks,
Brandon
12-19-2012 08:29 PM
Hi Brandon,
I don't have the following configuration:
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3046-k9.pkg sequence 1
I am able to connect using the browser, but not through the AnyConnect client. To connect through the AnyConnect client I need to configure the
"webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3046-k9.pkg sequence 1" command as you mentioned, but my purpose is AnyConnect on the iPhone.
For AnyConnect on the iPhone, without this configuration, I have configured some other UC560s (Version 15.1(4)M4b) and it's working fine.
Now I am using Version 15.1(2)T4. I am wondering whether this version isn't supported.
thanks
kavi
12-20-2012 08:40 AM
Hi Kavi,
Clientless webvpn will work without an AnyConnect package, but to have full client connectivity (AnyConnect client), a package needs to be installed.
That's interesting that you have been able to get AnyConnect on iphone to work, especially if you didn't have an AnyConnect package installed. I just wanted to point out that AnyConnect on iphone is currently not officially supported in IOS. My understanding is some people have been able to get it to work, but it's inconsistent and I'm not sure what package they used.
If you have been able to get it to work in 15.1(4)M4b, then you may want to upgrade the other box to that or 15.1(4)M5 and see if it works.
Thanks,
Brandon
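As an added example (not code from the thread or from Cisco), a small Python lint over pasted IOS config text that flags the three gaps this thread turns on: a self-signed trustpoint with no rsakeypair bound (Kavi's first trustpoint), a gateway whose ssl trustpoint is not defined in the config, and an svc-enabled context with no webvpn install svc package (Brandon's point). The sample config is constructed from the snippets above.

```python
# Added example, not from the thread: lint the IOS SSL VPN blocks the posts
# discuss. Flags a trustpoint with no "rsakeypair", a gateway whose
# "ssl trustpoint" is undefined, and an svc-enabled context with no package.

# Constructed sample, stitched from the config snippets posted in the thread.
SAMPLE_CONFIG = """\
crypto pki trustpoint TP-self-signed-1454133144
 enrollment selfsigned
 revocation-check none
!
webvpn gateway GWa
 ip address 203.169.115.179 port 443
 ssl trustpoint TP-Self-Signed-9999999999
 inservice
!
webvpn context WAterlier
 policy group policy_1
   functions svc-enabled
 gateway GWa
 inservice
"""

def parse_blocks(config):
    # Split IOS config into (top-level line, [stripped indented children]).
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def lint_sslvpn(config):
    blocks = parse_blocks(config)
    trustpoints = {h.split()[-1]: b for h, b in blocks if h.startswith("crypto pki trustpoint ")}
    has_pkg = any(h.startswith("webvpn install svc ") for h, _ in blocks)
    # A trustpoint with no rsakeypair line has no private key bound to it.
    findings = [f"trustpoint {n}: no rsakeypair bound" for n, b in trustpoints.items()
                if not any(l.startswith("rsakeypair ") for l in b)]
    for header, body in blocks:
        name = header.split()[-1]
        if header.startswith("webvpn gateway "):
            for tp in (l.split()[2] for l in body if l.startswith("ssl trustpoint ")):
                if tp not in trustpoints:
                    findings.append(f"gateway {name}: trustpoint {tp} not defined")
        elif header.startswith("webvpn context ") and "functions svc-enabled" in body and not has_pkg:
            findings.append(f"context {name}: svc-enabled but no webvpn install svc package")
    return findings
```

Running lint_sslvpn on a "show running-config" paste of the failing box reports all three findings; on a corrected config it returns an empty list.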
12-20-2012 06:28 PM
Thanks Brandon.
Let me try with the 15.1(4)M5 version.
kavi