05-06-2019 03:59 AM - edited 02-21-2020 09:38 PM
Hello, as part of my training for the CCNA Security cert, I'm trying to set up a client-to-site VPN, but I'm failing to connect remotely. My expurgated config follows:

version 15.7
aaa new-model
!
aaa authentication login local_access local
aaa authentication login SSLVPN local
!
aaa session-id common
clock timezone LAUSANN 1 0
!
crypto pki trustpoint mytrustpoint
 enrollment selfsigned
 serial-number
 subject-name CN=firewallcx-certificate
 revocation-check crl
 rsakeypair RSAVPN
!
crypto pki certificate chain mytrustpoint
 certificate self-signed 01
  3082038C 30820274 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  5F311F30 1D060355 04031316 66697265 77616C6C 63782D63 65727469 66696361
  quit
!
username bob privilege 15 secret 9 $9$m0khQs19TuR2Kk$oByHQdYyNNgXFJJLAwNGCIPwaCb/lE0ABpBVfFJcKoE
username bobvpn secret 9 $9$84m1uDxNJ5IS7n$vG8YPz3N1OC9aZdw//ftPJNyO6pnJ2dfJ8oBcGU7IoM
!
redundancy
!
controller VDSL 0
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 description PrimaryWANDesc_
 ip dhcp client class-id 100008,0001
 ip ddns update OVH
 ip address dhcp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly in
 ip igmp helper-address 1.1.1.1
!
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 no ip address
!
ip local pool VPNpool 10.0.10.1 10.0.10.254
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list MAIN interface Ethernet0 overload
ip ssh version 2
!
ip access-list standard MAIN
 permit 10.0.222.2
 permit 10.0.1.0 0.0.0.255
 permit 10.0.2.0 0.0.0.255
!
ipv6 ioam timestamp
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
control-plane
!
vstack
!
webvpn gateway Cisco-WebVPN-Gateway
 ip interface Ethernet0 port 443
 ssl encryption rc4-md5 rsa-dhe-aes256-sha1
 ssl trustpoint mytrustpoint
 inservice
!
webvpn context Cisco-WebVPN
 title "La Maison"
 !
 acl "SSLACL"
   permit ip 10.0.10.0 255.255.255.0 any
 login-message "Login VPN"
 aaa authentication list SSLVPN
 gateway Cisco-WebVPN-Gateway
 max-users 2
 !
 ssl authenticate verify all
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   functions svc-required
   filter tunnel SSLACL
   svc address-pool "VPNpool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include acl 1
   svc dns-server primary 8.8.8.8
 default-group-policy webvpnpolicy
!
end
Would you have an idea, knowing that I can log in but get this message:
AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
And a show webvpn gives this output:

Cisco#show webvpn session user bobvpn context Cisco-WebVPN detail
Session Type      : Clientless
Client User-Agent : AnyConnect Darwin_i386 4.6.02074
Username          : bobvpn
Num Connection    : 0
Public IP         : 46.14.227.54
VRF Name          : None
Context           : Cisco-WebVPN
Policy Group      : webvpnpolicy
Last-Used         : 00:00:41
Created           : 11:56:11.950 LAUSANN Mon May 6 2019
Session Timeout   : Disabled
Idle Timeout      : 2100
DNS primary serve : 8.8.8.8
Citrix            : Disabled
Citrix Filter     : None
Capabilites       : svc-required svc-enabled
It seems no IP has been assigned to the VPN user?
Thanks
05-06-2019 12:33 PM
Hi,
Looks like you are missing a VTI (virtual-template interface), reference here. The VTI would be then referenced under the policy group.
HTH
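As an added example (not the poster's config and not part of the answer above), this is one way to add the missing virtual-template interface to the running config shown in the question. The interface number (1) and the choice of Vlan1 as the unnumbered address source are assumptions; on IOS 15.x the virtual-template reference is accepted under the webvpn context, so check the placement on your own release with the `?` help. The Virtual-Access interface that IOS clones from this template is where tunnelled client traffic enters the router, so the existing `filter tunnel SSLACL` in the policy group still governs what a connected client can reach.

```cisco
! Added example: virtual-template for the IOS SSL VPN context.
! Interface number and ip unnumbered source are assumptions.
interface Virtual-Template1
 ip unnumbered Vlan1
 ip virtual-reassembly in
!
webvpn context Cisco-WebVPN
 ! Bind the context to the template so each full-tunnel (svc) session
 ! gets its own Virtual-Access interface and an address from VPNpool.
 virtual-template 1
!
! Verification after a client connects: the session should report
! "Session Type : Full Tunnel", a "Tunnel IP" from 10.0.10.0/24 and a
! "Virtual Access" number instead of "Clientless" / "Num Connection : 0".
! show webvpn session context Cisco-WebVPN
! show webvpn session user bobvpn context Cisco-WebVPN detail
! show interfaces virtual-access 1
```

The example leaves the gateway's `ssl encryption rc4-md5 rsa-dhe-aes256-sha1` line untouched; rc4-md5 is a legacy cipher and can be dropped from that list once all clients negotiate the AES suite.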
05-07-2019 01:23 AM
Thanks !
I can now connect through the iPhone AnyConnect client, but still not with my computer:

Session Type      : Full Tunnel
Client User-Agent : AnyConnect AppleSSLVPN_Darwin_ARM (iPhone) 4.7.02025
Username          : bob
Num Connection    : 1
Public IP         : 46.xxx.xxx.53
VRF Name          : None
Context           : Cisco-WebVPN
Policy Group      : webvpnpolicy
Last-Used         : 00:00:01
Created           : 09:10:00.264 LAUSANN Tue May 7 2019
Session Timeout   : Disabled
Idle Timeout      : 2100
DNS primary serve : 8.8.8.8
DPD GW Timeout    : 300
DPD CL Timeout    : 300
Address Pool      : VPNpool
MTU Size          : 1406
Rekey Time        : 3600
Rekey Method      : new-tunnel
Lease Duration    : 43200
Tunnel IP         : 10.0.10.1
Netmask           : 255.255.255.0
Tunnel-mode filte : SSLACL
Rx IP Packets     : 96
Tx IP Packets     : 177
CSTP Started      : 00:00:04
Last-Received     : 00:00:01
CSTP DPD-Req sent : 0
Virtual Access    : 1
Msie-ProxyServer  : None
Msie-PxyPolicy    : Disabled
Msie-Exception    :
Split Include     : ACL 1
Client Ports      : 53639

Session Type      : Clientless
Client User-Agent : AnyConnect Darwin_i386 4.6.02074
Username          : bob
Num Connection    : 1
Public IP         : 46.xxx.xxx.54
VRF Name          : None
Context           : Cisco-WebVPN
Policy Group      : webvpnpolicy
Last-Used         : 00:00:11
Created           : 09:15:35.697 LAUSANN Tue May 7 2019
Session Timeout   : Disabled
Idle Timeout      : 2100
DNS primary serve : 8.8.8.8
Citrix            : Disabled
Citrix Filter     : None
Url List          : rewrite
Capabilites       : svc-required svc-enabled
Client Ports      : 62296
Is there anything to set up on the computer itself? Maybe through an XML file?
05-07-2019 01:34 AM
05-07-2019 06:37 AM
Actually, as I had already installed the client on the computer, I switched this part; would that be the reason it doesn't work?
When I try to connect from a computer, the logs state "No valide certificates available for authentication".
Maybe something to change in the client's profile?
05-07-2019 07:16 AM