AnyConnect configuration using IPSec

zrunner626
Level 1

I have configured our ASA running 8.4(7) for the AnyConnect client (using IPSec). It prompted me to create an identity certificate when running the VPN wizard, which I did. We use AAA to authenticate, so I didn't create a CA certificate. Is this required anyway for AnyConnect? When I try to connect from a pre-deployed AnyConnect client, I get an error: "Untrusted VPN Server Certificate". If I ignore it and choose to connect anyway, the login fails. What am I missing?

Thanks

Accepted Solution

Marvin Rhoads
Hall of Fame

In addition to the IPsec IKEv2 VPN, there is a client services bit that runs when you first connect. That is used to verify the AnyConnect package version and distribute any changes to the client profile (and a few more obscure things). It is done via SSL and as such uses the ASA's certificate to validate the server. If your client doesn't trust the certificate you will get the error.

You can disable client services by changing the default command:

crypto ikev2 enable outside client-services port 443

to simply read

crypto ikev2 enable outside

The best path, though, is to enable it and set up the ASA with a proper trusted certificate.

10 Replies

Hi Marvin,

If we disable client services on 443, then will we not get the "untrusted VPN server" error?

Regards
Mahesh

Can it not use the identity certificate that was generated during the VPN wizard setup? Or do I need to generate a CA certificate?

How do I get the client to trust the ASA certificate? Where do I install it on the client pc?

Thanks

The identity certificate generated during setup is OK as long as you are willing to manually install it as follows.

To establish trust, install it on the client PC in the trusted root CA store. You need to browse to the ASA and use your browser tools to download the certificate to your computer (i.e. click on the lock icon in your browser bar, select certificate information, copy to file). Then import it; in Windows this is the default action for a .cer file. You should override the default store to make sure it is installed in the trusted root store.

Avoiding that complexity is why Cisco recommends getting a certificate issued by a trusted 3rd party CA. Most organizations don't want to have to explain all the above to their users as it doesn't scale very well support-wise.

Thanks for the help! Sorry for the delay in responding. I have exported the self-signed cert from the ASA. Imported it into my Windows 7 PC using Certmgr.msc into the Trusted Root Certificates but I still get an error that the server is untrusted. Any thoughts?

Check that the same certificate is both specified for use with client services and bound to your outside interface on the ASA.

I checked, as far as I can tell it is setup this way. I did notice that AnyConnect seems to be trying port 80 on the ASA...see the attached log. Also, getting a Key Exchange error.

I don't know why AnyConnect would be trying to use port 80.

On the certificate - have you compared what shows up in the details pane when you open the imported certificate in certmgr.msc against the one that is presented when you browse to the ASA outside interface via https? (You can inspect an SSL certificate pretty easily using the Chrome browser by clicking on the lock icon in the URL bar.)
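The two checks in this thread (the accepted solution's point that AnyConnect's client-services step validates the ASA's certificate over TLS on port 443, and the suggestion above to compare the certificate imported into certmgr.msc against the one the ASA actually presents on its outside interface) can be scripted from the client side. The following is an added example, not code from the thread or from Cisco. It assumes you have already exported the ASA certificate to a .cer file (DER or PEM) and that the ASA's outside address and port 443 are reachable; the hostname and file path are arguments you supply.

```python
"""Added example: does the ASA present the certificate I installed, and does
that certificate validate the way AnyConnect's client-services check needs?"""
import base64
import hashlib
import socket
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem_text):
    """Decode a single PEM-armored certificate to its DER bytes."""
    text = pem_text.strip()
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        raise ValueError("expected exactly one PEM certificate")
    body = text[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(body.split()))


def load_cert(path):
    """Read the exported .cer file; browsers export either DER or PEM."""
    with open(path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data.decode("ascii"))
    return data


def fingerprint_sha256(der):
    """Colon-separated uppercase SHA-256 thumbprint, as certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_cert(host, port=443):
    """Fetch the leaf certificate the server offers on the client-services port.
    No validation here: we are inspecting what is presented, not trusting it."""
    return pem_to_der(ssl.get_server_certificate((host, port)))


def compare_certs(presented_der, installed_der):
    """Report whether the installed certificate is the one the ASA presents."""
    presented = fingerprint_sha256(presented_der)
    installed = fingerprint_sha256(installed_der)
    return {"presented": presented, "installed": installed,
            "match": presented == installed}


def validates_with(host, port, trusted_der):
    """Full TLS handshake trusting only the exported certificate (cadata accepts
    DER bytes). This mirrors what the client does against its trusted root store,
    including the hostname check, so a CN/SAN mismatch shows up here too."""
    ctx = ssl.create_default_context(cadata=trusted_der)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "certificate and hostname verified"
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message or str(exc)
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # usage: python check_asa_cert.py <asa-outside-host> <exported-asa.cer>
    host, cer_path = sys.argv[1], sys.argv[2]
    installed = load_cert(cer_path)
    report = compare_certs(fetch_presented_cert(host), installed)
    print("presented :", report["presented"])
    print("installed :", report["installed"])
    print("same cert :", report["match"])
    ok, why = validates_with(host, 443, installed)
    print("validates :", ok, "-", why)
```

If "same cert" is False, the ASA is serving a different certificate on 443 than the one exported (for example a trustpoint bound to the interface that differs from the one configured for remote access); on the ASA, `show running-config ssl` shows the `ssl trust-point` binding for the interface and `show running-config crypto ikev2` shows the `crypto ikev2 remote-access trustpoint` line, which should name the same trustpoint. If the certificate matches but validation fails on the hostname, the self-signed certificate's subject does not cover the address the client connects to, which Windows will also reject even with the certificate in the trusted root store.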

Thanks that helped me fix my self-signed cert so that I was able to connect successfully.

You're welcome - good to hear it's working now.

Thanks for marking as correct.