03-05-2017 09:52 PM - edited 02-21-2020 09:10 PM
Hi all,
I read some articles that I could have IPSec IKE client VPN configured on an IOS router (2921), using AnyConnect for Windows/Mac as the client...
Did anyone have success doing it?
Client would prefer IPSec IKE over SSL WebVPN...
Any configuration examples you could recommend?
Thanks,
Alex
03-05-2017 11:45 PM
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html
03-06-2017 02:15 AM
Thanks Karsten,
good article.
Issue is, I'm not too experienced with managing certificates; also, I've got only one router on site...
Is there something more similar to having local user authentication on the router and pre-shared keys?
Thanks,
Alex
03-06-2017 04:13 AM
well,
I was doing some research and I came across this article, which describes how you can make Anyconnect work on a single router being CA and Headend:
http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html
...but I'm not able to progress too much further, as I hit the issue with
RTR(config)#crypto pki authenticate ROUTER
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
then
RTR(config)#crypto pki enroll ROUTER
% You must authenticate the Certificate Authority before
you can enroll with it.
RTR#show crypto pki server
Certificate Server CA-SERVER:
Status: disabled, Storage not accessible
State: check failed
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA-SERVER
CA cert fingerprint: A3232C42 D7C6252A 51ABBBD3 B81D2BBE
Granting mode is: manual
Last certificate issued serial number (hex): 0
CA certificate expiration timer: 10:00:00 AEST Jan 1 1970
CRL not present.
Current primary storage dir: flash:ca
Database Level: Names - subject name data written as <serialnum>.cnm
Auto-Rollover configured, overlap period 365 days
ntp is synchronized etc...
What do you suggest looking at next?
Thanks,
Alex
05-15-2017 12:21 AM
Hi Alex,
Did you manage to have a fully working config?
I have it running now in my lab, but the problem is that I cannot "kick out" users that connect with a cert; I can revoke the cert but the connection keeps working.
Regards,
08-15-2017 12:21 AM
Did you manage to get this working? I have the same requirement, to use Anyconnect client with an IPSec connection.
I found the same document on ifm.net referred to above, and managed to get a bit further than Alex; my CA server on the router was running:
R1#sh crypto pki server
Certificate Server CA_SERVER:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA_SERVER
But I fail at the next step, creating a trustpoint on the router:
crypto key generate rsa general modulus 2048 exportable label ROUTER_KEY
crypto pki trustpoint ROUTER
enrollment url http://<my ip addr>:80
ip-address <my ip addr>
subject-name CN=Hut,OU=user-vpn,O=UWRFA
revocation-check crl
rsakeypair ROUTER_KEY
auto-enroll regenerate
hash sha512
exit
sh crypto pki trustpoints
Trustpoint CA_SERVER:
Subject Name:
cn=CA_SERVER
Serial Number (hex): 01
Certificate configured.
Trustpoint ROUTER:
This section is empty, so I assume something is missing when I tried to configure the trustpoint!
And therefore the authenticate step fails:
crypto pki authenticate ROUTER
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
I'm still working on this, currently I cannot establish where I've gone wrong.
08-15-2017 01:45 AM
The error message seems to be generic, but a couple of things to check: it could be that the http server is not enabled (ip http server) on the PKI server, or that the client router enrolling for the certificate cannot establish connectivity to the PKI server.
Your trustpoint configuration looks good enough to enrol for a certificate. Can you provide the configuration for the PKI Server?
Is there any more output from the command sh crypto pki server?
Can you ping the PKI server?
Any ACLs?
Is http server enabled?
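A way to test the two conditions listed above (http server enabled on the CA router, and reachability from the enrolling side) is to request the CA certificate over SCEP the same way the trustpoint's enrollment url does. The script below is an added example, not code from this thread or from Cisco; it assumes the SCEP endpoint path /cgi-bin/pkiclient.exe behind the "SCEP URL: http://<ip>:80/cgi-bin" form that IOS prints, and uses the documentation address 192.0.2.1 as a placeholder for the CA router. The 16-byte DER prefix used as sample input is taken from the certificate dump shown later in the thread.

```python
"""Probe an IOS CA server's SCEP GetCACert operation and classify the reply.

Added example (not from the thread). Assumptions:
  - SCEP endpoint path is /cgi-bin/pkiclient.exe (the IOS default)
  - 192.0.2.1 is a placeholder for the CA router's address
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Tuple

SCEP_PATH = "/cgi-bin/pkiclient.exe"

# Constructed sample: the first 16 bytes of the DER certificate dump quoted in
# the thread ("30820506 308202EE A0030201 02020101"). 0x30 0x82 = SEQUENCE.
SAMPLE_DER_PREFIX = bytes.fromhex("30820506308202EEA003020102020101")


def build_getcacert_url(base_url: str, ca_ident: str = "") -> str:
    """Build the SCEP GetCACert URL that corresponds to a trustpoint's
    'enrollment url http://<host>:80'. ca_ident is the CA server name."""
    params = {"operation": "GetCACert"}
    if ca_ident:
        params["message"] = ca_ident
    return f"{base_url.rstrip('/')}{SCEP_PATH}?{urllib.parse.urlencode(params)}"


def classify_cacert_response(content_type: str, body: bytes) -> str:
    """Classify an HTTP 200 reply to GetCACert.

    'empty'        zero-length body: the condition behind
                   '% Error in receiving Certificate Authority certificate ...
                   cert length = 0' on the enrolling side
    'not-der'      a body that is not DER (e.g. an HTML error page)
    'ca-cert'      one DER X.509 certificate (application/x-x509-ca-cert)
    'ca-ra-cert'   a degenerate PKCS#7 chain (application/x-x509-ca-ra-cert)
    'der-unknown'  DER body but an unexpected Content-Type
    """
    if not body:
        return "empty"
    if body[0] != 0x30:  # every DER certificate / PKCS#7 blob is a SEQUENCE
        return "not-der"
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/x-x509-ca-ra-cert":
        return "ca-ra-cert"
    if ctype == "application/x-x509-ca-cert":
        return "ca-cert"
    return "der-unknown"


def probe_ca(base_url: str, ca_ident: str = "", timeout: float = 5.0) -> Tuple[str, str]:
    """Fetch GetCACert and return (classification, detail).

    A connection failure here points at the same things as the checklist above:
    'ip http server' missing on the CA router, an ACL or firewall zone in the
    path, or no route to the server. Network access is only attempted here.
    """
    url = build_getcacert_url(base_url, ca_ident)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
            ctype = resp.headers.get("Content-Type", "")
            return classify_cacert_response(ctype, body), f"{len(body)} bytes, {ctype}"
    except urllib.error.HTTPError as exc:
        return "http-error", f"HTTP {exc.code} from {url}"
    except (urllib.error.URLError, OSError) as exc:
        return "unreachable", f"{url}: {exc}"


if __name__ == "__main__":
    # Placeholder address; replace with the CA router's enrollment url host.
    print(probe_ca("http://192.0.2.1:80", "CA_SERVER"))
```

Run it from a host in the same zone or segment as the enrolling router (or on the router itself if it is also the CA, as in this thread) so the result reflects the same path the trustpoint uses. An "unreachable" result with a valid route is the signature of a blocked HTTP port; "empty" or "not-der" means the request reached the router but the SCEP handler is not serving a CA certificate.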
08-15-2017 06:46 AM
Hi Rob,
Following your reply I realised that the router has a zone based firewall configured, and that was preventing the router from communicating with the server on the same router.
Now I'm getting further.
I've run the crypto pki authenticate ROUTER command, which was successful as far as I can tell.
But when I get to the enrollment stage, crypto pki enroll ROUTER, I'm seeing
Error: There is an auto enrollment transaction in progress.
Please wait until the current auto enrollment to finish before
starting a new enrollment transaction.
A quick check on Google reveals:
CSCuo50815 IOS PKI: auto-renewal fails if the first renewal attempt is inturrupted
The workaround is a reboot, which I've tried; it made no difference and I got the same error message.
I'm not sure if I've hit this bug, as the reload made no difference.
My server config is:
crypto pki server CA_SERVER
database level names
no database archive
hash sha512
lifetime certificate 3650
lifetime ca-certificate 7305 23 59
auto-rollover 365
eku server-auth client-auth
database url flash:ca
Any more thoughts?
08-15-2017 10:00 AM
I think there might be a pending certificate request on the CA Server for that router.
On the PKI server if you run the command show crypto pki server CA_SERVER requests does it show any pending requests?
If yes, run crypto pki server CA_SERVER grant X - where X is the ID of the pending request.
It may take up to 30 seconds to send the certificate to the client router.
You can automatically grant certificates by adding the command grant auto under the CA_SERVER, which I noted you don't currently have.
08-15-2017 12:28 PM
I checked this earlier, and have just had another look:
sh crypto pki server CA_SERVER req
The Enrollment Request Database is empty.
R1#
Here is my complete crypto config:
crypto pki server CA_SERVER
database level names
no database archive
hash sha512
lifetime certificate 3650
lifetime ca-certificate 7305 23 59
auto-rollover 365
eku server-auth client-auth
database url flash:ca
!
crypto pki trustpoint CA_SERVER
revocation-check crl
rsakeypair CA_SERVER
!
crypto pki trustpoint ROUTER
enrollment url http://<my pub ip>:80
ip-address <my pub ip>
subject-name CN=Hut,OU=user-vpn,O=UWRFA
revocation-check crl
rsakeypair ROUTER_KEY
auto-enroll regenerate
hash sha512
crypto pki certificate chain CA_SERVER
certificate ca 01
30820506 308202EE A0030201 02020101.......
crypto pki certificate chain ROUTER
certificate ca 01
30820506 308202EE A0030201 02020101........
The trustpoints are:
sh crypto pki trustpoints
Trustpoint CA_SERVER:
Subject Name:
cn=CA_SERVER
Serial Number (hex): 01
Certificate configured.
Trustpoint ROUTER:
Subject Name:
cn=CA_SERVER
Serial Number (hex): 01
Certificate configured.
SCEP URL: http://<my pub ip>:80/cgi-bin
Trustpoint TP-self-signed-2069616539:
Subject Name:
cn=IOS-Self-Signed-Certificate-2069616539
Serial Number (hex): 01
Persistent self-signed certificate trust point
Using key label TP-self-signed-2069616539
08-15-2017 12:50 PM
What is the output from the command show crypto pki certificates? I assume just 1 certificate - the CA certificate?
I can see no obvious issues with your CA configuration, it's similar to what I have in the lab.
What IOS version are you using?
08-16-2017 10:33 PM
Hi Rob,
Here is the output of show crypto pki certificates; I'm not sure why there are 3, and/or if they are all relevant to my current setup, or hangovers from previous configuration attempts:
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-2069616539
Subject:
Name: IOS-Self-Signed-Certificate-2069616539
cn=IOS-Self-Signed-Certificate-2069616539
Validity Date:
start date: 14:30:27 BST Aug 15 2017
end date: 00:00:00 UTC Jan 1 2020
Associated Trustpoints: TP-self-signed-2069616539
Storage: nvram:IOS-Self-Sig#2.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=CA_SERVER
Subject:
cn=CA_SERVER
Validity Date:
start date: 07:08:13 BST Aug 15 2017
end date: 00:38:57 BST Jul 11 1901
Associated Trustpoints: ROUTER CA_SERVER
Storage: nvram:CA_SERVER#1CA.cer
Certificate
Subject:
Name: R1.uwfra.org.uk
IP Address: <my public IP>
Status: Pending
Key Usage: General Purpose
Certificate Request Fingerprint MD5: AA4A383C 2C6B21E3 19D6D1CF 589665C6
Certificate Request Fingerprint SHA1: E401C1C1 8B1C263A CCF976D2 A0B4D402 BA43E9FB
Associated Trustpoint: ROUTER
The image is:
System image file is "flash:c860vae-advsecurityk9-mz.155-3.M.bin"
The router is an old c860:
Cisco 867VAE-K9 (revision 0.3)
I'm thinking of going for an ASA instead for my RA termination, have you got Anyconnect working over IPSec to a router? I'm sure this should work!
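The three certificates in the output above can be checked mechanically: a certificate whose end date precedes its start date will never validate, and a request left in "Pending" on the router while the CA's request database is empty is exactly the inconsistency this thread is chasing. The script below is an added example, not code from the thread or from Cisco; it parses the plain-text layout of show crypto pki certificates as printed above (the sample is constructed from that output, with the poster's placeholders kept) and reports those conditions. Section headings, field names and the date format are taken from the output on this page; the note about self-signed certificates coming from ip http secure-server is an assumption about how that trustpoint usually appears.

```python
"""Parse IOS 'show crypto pki certificates' output and flag problem certificates.

Added example (not from the thread). The sample below is constructed from the
output posted above; '<my public IP>' is the poster's placeholder.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

HEADING_RE = re.compile(r"^((?:[A-Za-z-]+ )*Certificate)$")
DATE_RE = re.compile(r"(\d{2}:\d{2}:\d{2}) \S+ ([A-Za-z]{3} \d{1,2} \d{4})")

SAMPLE_OUTPUT = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-2069616539
  Subject:
    Name: IOS-Self-Signed-Certificate-2069616539
    cn=IOS-Self-Signed-Certificate-2069616539
  Validity Date:
    start date: 14:30:27 BST Aug 15 2017
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-2069616539
  Storage: nvram:IOS-Self-Sig#2.cer
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=CA_SERVER
  Subject:
    cn=CA_SERVER
  Validity Date:
    start date: 07:08:13 BST Aug 15 2017
    end   date: 00:38:57 BST Jul 11 1901
  Associated Trustpoints: ROUTER CA_SERVER
  Storage: nvram:CA_SERVER#1CA.cer
Certificate
  Subject:
    Name: R1.uwfra.org.uk
    IP Address: <my public IP>
  Status: Pending
  Key Usage: General Purpose
  Certificate Request Fingerprint MD5: AA4A383C 2C6B21E3 19D6D1CF 589665C6
  Associated Trustpoint: ROUTER
"""


def _parse_ios_date(text: str) -> Optional[datetime]:
    """'14:30:27 BST Aug 15 2017' -> naive datetime (zone name is dropped)."""
    m = DATE_RE.search(text)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y") if m else None


def parse_show_pki_certificates(output: str) -> List[Dict[str, object]]:
    """Split the output into one dict per certificate block."""
    certs: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    section = None  # 'issuer' / 'subject' while inside those sub-blocks
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading = HEADING_RE.match(line)
        if heading:  # 'Certificate', 'CA Certificate', 'Router Self-Signed Certificate'
            current = {"type": heading.group(1), "subject": [], "issuer": [],
                       "trustpoints": [], "status": None, "start": None, "end": None}
            certs.append(current)
            section = None
            continue
        if current is None:
            continue
        if line in ("Issuer:", "Subject:"):
            section = line[:-1].lower()
            continue
        key, sep, value = line.partition(":")
        key = re.sub(r"\s+", " ", key.strip().lower())
        if key == "status":
            current["status"] = value.strip()
        elif key == "start date":
            current["start"] = _parse_ios_date(value)
        elif key == "end date":
            current["end"] = _parse_ios_date(value)
        elif key.startswith("associated trustpoint"):
            current["trustpoints"] = value.split()
        elif section in ("issuer", "subject") and (not sep or key in ("name", "ip address")):
            current[section].append(line)  # DN components such as cn=..., or Name:/IP Address:
    return certs


def audit_certificates(certs: List[Dict[str, object]], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (kind, subject, message) findings; 'now' is injected for reproducibility."""
    findings = []
    for c in certs:
        subject = ", ".join(c["subject"]) or "<no subject>"
        if (c["status"] or "").lower() == "pending":
            findings.append(("pending", subject,
                             "request still pending on the router; compare with 'show crypto pki server <name> requests'"))
            continue
        start, end = c["start"], c["end"]
        if start and end and end < start:
            findings.append(("invalid-validity", subject,
                             f"end date {end:%Y-%m-%d} precedes start date {start:%Y-%m-%d}; this certificate cannot validate"))
        elif end and end < now:
            findings.append(("expired", subject, f"expired {end:%Y-%m-%d}"))
        if c["type"] == "Router Self-Signed Certificate":
            findings.append(("self-signed", subject,
                             "persistent self-signed cert (usually from ip http secure-server), not issued by the CA"))
    return findings


if __name__ == "__main__":
    for kind, subject, msg in audit_certificates(parse_show_pki_certificates(SAMPLE_OUTPUT), datetime.now()):
        print(f"[{kind}] {subject}: {msg}")
```

On the sample this flags the CA certificate (validity ends in 1901, before it starts) and the pending ROUTER request, and marks the self-signed certificate as unrelated to the CA. A CA certificate with an impossible validity window is worth fixing before re-enrolling: anything it issues inherits that failure at validation time.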
08-17-2017 12:26 PM
I notice the certificate status is pending, yet there is no pending request on the PKI server. How about you remove the certificates (crypto key zeroize rsa) and recreate from scratch? I assume nothing else uses the other certificate and there will not be an issue in removing it?
Once the certificates have been removed, run show crypto pki certificates and confirm no certificates are present, and then start again: generate an RSA keypair, authenticate and enrol.
I certainly don't have a self-signed certificate on my routers, as you do.
Yes, I use FlexVPN IKEv2 on a 1921 router with AnyConnect - although I am using a certificate issued by a Windows PKI server on the router and Windows laptop. I don't see any reason why this should not work.