Help with configuring - SSL VPN Configuration on ISR 4331.

Elito Haylett
Beginner

Cisco 4000 Series ISRs Software Configuration Guide, Cisco IOS XE 17.

According to this release of IOS-XE, SSL VPN is supported. See the following link:

https://www.cisco.com/c/en/us/td/docs/routers/access/isr4400/software/configuration/xe-17/isr4400-sw-config-xe-17/m_sec-conn-sslvpn-ssl-vpn-xe.html 

aaa new-model
!
aaa authentication login default local
aaa authentication login ech-list local
aaa authorization exec default local
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EST recurring
!
ip nbar http-services
!
ip name-server 68.237.161.12 71.250.0.12
ip domain name
ip ddns update method dyndns
HTTP
add http://echcomm:xxxxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 0 5 0
!
login on-success log
!
multilink bundle-name authenticated
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-356902xxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-356902xxxx
revocation-check none
rsakeypair TP-self-signed-356902xxxx
!
crypto pki certificate chain xxxxxxxxx
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7

quit
crypto pki certificate chain TP-self-signed-356902xxxx
certificate self-signed 02
30820330 30820218 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353639 30323230 3030301E 170D3232 31313133 30363335
31365A17 0D333231 31313230 36333531 365A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35363930
32323030 30308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100B08D F5D676CF 828ABB17 6987ADFC CB2C1B65 1056AC68 DE5795AB
54FB0862 4D395BC2 8E6BE253 A2430510 E6AD2805 AEACA241 1B814876 1D22F1A7
2F97915B 1B136377 B0D90F29 3172FB4C 4AAC177F 603F34FC 28DAFBF8 E7148C52
073F92DC 8DC39BA8 CBCE43BE FD8BED7E 3CA17808 2B2F1791 50A3B6F3 151E5615
4302049E AD28FBC2 2E82133A F2E2AEB4 EEA80219 64B5F291 380AE580 7F53E06D
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
enable secret 9 xxxxxxxxxxx
!
username admin privilege 15 password 7 xxxxxxxx
username xxxxxxx privilege 15 password 7 xxxxxxxxx
!
redundancy
mode none
!
crypto ikev2 keyring ECH-ISR4331-138
!
crypto ikev2 profile ECH-ISR4331-138
match certificate CERT_MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint ECH-SSLVPNSERVERCERT
aaa authorization group cert list ECH-IKEv2_AUTH ECH-ISR4331-138
virtual-template 3
!
no crypto ikev2 http-url cert
!
crypto ssl proposal test-proposal
protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl authorization policy auth-test-policy
rekey time 1110
client profile client-profile
mtu 1400
module gina
keepalive 500
dpd-interval client 1000
netmask 255.255.255.0
include-local-lan
pool ECH-ISR4331-138-SSL-VPN
dns 68.237.161.12 71.250.0.12
banner This is a SSL VPN Tunnel for ECH-ISR4331-138
route set access-list ECH-ISR4331-138-SSL-VPN
timeout disconnect 10000
!
crypto ssl policy test-policy
ssl proposal test-proposal
pki trustpoint TP-self-signed-356902xxxx sign
ip interface GigabitEthernet0/0/0 port 443
!
crypto ssl profile test-profile
match policy test-policy
aaa authentication user-pass list ech-list
aaa authorization user user-pass list ech-list
aaa accounting user-pass list ech-list
authentication remote user-pass
!Profile Incomplete (MUST have a policy matched and ssl authorization policy configured)
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.10.05095-webdeploy-k9.pkg sequence 1
!
interface Loopback0
no ip address
!
interface Loopback1
description Do Not Delete - WebVPN Interface
ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet0/0/0
description Verizon FIOS Outside
ip ddns update hostname xxxxxxxxx
ip ddns update dyndns
ip address dhcp
ip nbar protocol-discovery
ip nat outside
media-type rj45
negotiation auto
crypto map CMAP
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
!
interface Virtual-Template2 type vpn
ip unnumbered Loopback1
ip mtu 1400
ip tcp adjust-mss 1300
!
ip local pool ECH-ISR4331-138-SSL-VPN 172.168.100.230 172.168.100.240
no ip http server
ip http authentication local
no ip http secure-server
!
ip access-list standard ECH-ISR4331-138-SSL-VPN
10 remark ECH-ISR4331-138-SSL-VPN
10 permit 172.168.100.0
20 permit 172.168.101.0
30 permit 172.168.102.0
40 permit 172.168.103.0
50 permit 172.168.104.0
60 permit 172.168.105.0
70 permit 172.168.110.0
80 permit 172.168.138.0
90 permit 172.168.140.0
100 permit 172.168.150.0
!
ntp server ip time-a-wwv.nist.gov prefer source GigabitEthernet0/0/0
ntp server ip time-b-wwv.nist.gov source GigabitEthernet0/0/0
ntp server ip time-d-g.nist.gov source GigabitEthernet0/0/0
ntp server ip time-a-g.nist.gov source GigabitEthernet0/0/0
ntp server ip time-b-g.nist.gov source GigabitEthernet0/0/0
ntp server ip time-c-g.nist.gov source GigabitEthernet0/0/0

This configuration guide is so vague. I followed the documented steps and still had no luck trying to get the tunnel established. Here is my truncated configuration that matches the documentation. The Virtual-Template configuration wasn't provided in the script, yet it is shown in the example configuration. Which interface is the ip unnumbered mapped to, the Loopback or the WAN interface? According to the documentation the tunnel was established with their configuration, but how? Am I missing some steps in mine? The following are my show commands, and I noticed that in my "show crypto ssl profile test-profile" the Interface : SSLVPN-VIF0 is showing as DISABLE, while in the documentation it's ENABLE. Why? What am I missing in my configuration?

ECH-ISR4331-138#show crypto ssl proposal test-proposal

SSL Proposal: test-proposal
Protection: RSA-3DES-SHA1 RSA-RC4-MD5 RSA-AES128-SHA1 RSA-AES256-SHA1

ECH-ISR4331-138(config-if)#do show crypto ssl profile test-profile
SSL Profile: test-profile
Status: ACTIVE
Match Criteria:
URL: none
Policy: test-policy
AAA accounting List : ech-list
AAA Authentication List : ech-list
AAA Authorization User List : ech-list
User :
Cached : False
AAA Authorization Group List : none
Authentication Mode : user credentials
Interface : SSLVPN-VIF0
Status: DISABLE
Max Users : 10000

ECH-ISR4331-138#show crypto ssl policy test-policy

SSL Policy: test-policy
Status : ACTIVE
Proposal : test-proposal
IP Address : 162.84.130.90
Port : 443
fvrf :
Trust Point: TP-self-signed-3569022000
Redundancy : none
ECH-ISR4331-138#

ECH-ISR4331-138#show crypto ssl authorization policy auth-test-policy

SSL Auth Policy: auth-test-policy
V6 Parameter:
Address Pool: none
Prefix: none
Route ACL : none
DNS : none
V4 Parameter:
Address Pool: ECH-ISR4331-138-SSL-VPN
Netmask: 255.255.255.0
Route ACL : ECH-ISR4331-138-SSL-VPN
DNS :
68.237.161.12
71.250.0.12
WINS : none
Banner : This is a SSL VPN Tunnel for ECH-ISR4331-138
Home Page : none
Idle timeout : 1800
Disconnect Timeout : 10000
Session Timeout : 43200
Keepalive Interval : 500
Client DPD Interval : 1000
Gateway DPD Interval : 300
Rekey
Interval: 1110
Method : New Tunnel
Split DNS: none
Default domain : none
Proxy Settings
Server: none
Option: NULL
Exception(s): none
Anyconnect Profile Name : client-profile
Module : Gina
MAX MTU : 1400
Smart Card
Removal Disconnect : NO
Include Local LAN : YES
Disable Always On : NO

Thanks in advance for your answer.


4 Replies

Rob Ingram
VIP Expert

@Elito Haylett Unfortunately, yes, the documentation is extremely lacking for SSL-VPN on IOS; it's not a configuration that is encouraged, and there is very little community knowledge on it. The recommended Remote Access VPN solution on IOS-XE hardware is FlexVPN, which is an IKEv2/IPsec-based VPN, instead of SSL-VPN.

Examples of FlexVPN:

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

 

Elito Haylett
Beginner

Thank you for your quick response and the links for FlexVPN configuration, but they definitely should have waited until the solution was more baked to put out the documentation, because it causes more confusion than anything.

I looked at the second link for the configuration of FlexVPN with IOS-XE, and I was confused by this config statement. Where do I import the following file from? Or how do I create it to import it into my router?

crypto pki import IKEv2-TP pkcs12 bootflash:IKEv2-TP.p12 password cisco123

Thanks

 

@Elito Haylett Well, the guide doesn't cover the steps to create the certificate; it links to the Cisco guide to create certificates.

Here is a guide to configure a certificate on an IOS router. And another guide to configure it for use with FlexVPN.

Thank you very much for this information.
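The question above about where the IKEv2-TP.p12 file comes from is answered in the thread only by links. As an added example (not from this thread, from Cisco's guides, or from either poster), the script below builds that file on a workstation with nothing but the openssl command line (OpenSSL 1.1.1 or newer is assumed): a lab root CA, a router key and certificate signed by it, and a PKCS#12 bundle containing key, certificate and CA under the friendly name IKEv2-TP, matching the quoted import command. The names Lab Root CA and vpn.example.net are placeholders, and passing the password on the command line is for lab use only. The PBE algorithms are pinned to 3DES/SHA-1 because some IOS/IOS-XE releases cannot open bundles written with the AES-256/PBKDF2 defaults of OpenSSL 3; that setting only protects the file itself and has no effect on the IKEv2 crypto.

```shell
#!/bin/sh
# Added example: build a PKCS#12 bundle that
#   crypto pki import IKEv2-TP pkcs12 bootflash:IKEv2-TP.p12 password <pass>
# can consume. Requires only the openssl CLI (1.1.1+). "Lab Root CA" and the
# router FQDN are placeholders, not values from the thread.
#
# usage: make_ikev2_p12 <outdir> <p12-password> <router-fqdn>
make_ikev2_p12() {
    outdir=$1; pass=$2; fqdn=$3
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    mkdir -p "$outdir" || return 1

    # 1. Lab root CA (self-signed). In production this is the organisation's real PKI.
    #    basicConstraints CA:TRUE comes from openssl's default self-signed profile.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Lab/CN=Lab Root CA" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null || return 1

    # 2. Router identity: private key + CSR. CN and SAN must be the name the
    #    AnyConnect clients connect to, otherwise they reject the gateway cert.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Lab/CN=$fqdn" \
        -keyout "$outdir/router.key" -out "$outdir/router.csr" 2>/dev/null || return 1

    # 3. Sign the CSR with the CA, adding the extensions a VPN gateway cert needs.
    cat > "$outdir/router.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$fqdn
EOF
    openssl x509 -req -sha256 -days 825 \
        -in "$outdir/router.csr" -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" \
        -CAcreateserial -extfile "$outdir/router.ext" \
        -out "$outdir/router.crt" 2>/dev/null || return 1

    # 4. Check the chain before bundling: a bundle with a broken chain imports,
    #    but the IKEv2 rsa-sig authentication then fails on the router.
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/router.crt" >/dev/null || return 1

    # 5. Bundle key + cert + CA. 3DES/SHA-1 PBE is pinned on purpose: some
    #    IOS/IOS-XE releases cannot open the AES-256/PBKDF2 defaults of OpenSSL 3.
    openssl pkcs12 -export -name IKEv2-TP \
        -inkey "$outdir/router.key" -in "$outdir/router.crt" -certfile "$outdir/ca.crt" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pass" -out "$outdir/IKEv2-TP.p12" || return 1

    # 6. Prove the bundle opens with that password and carries the right identity.
    p12_subject "$outdir/IKEv2-TP.p12" "$pass" | grep -q "CN *= *$fqdn" || return 1
    echo "$outdir/IKEv2-TP.p12"
}

# p12_subject <p12> <password>: prints the subject of the end-entity cert inside.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

if [ "$#" -eq 3 ]; then
    make_ikev2_p12 "$@"
fi
```

Run it as `sh make_p12.sh ./out cisco123 vpn.example.net` and copy the resulting out/IKEv2-TP.p12 to the router (for example with `copy scp://user@host/IKEv2-TP.p12 bootflash:`), then run the import command from the thread with the same password. The AnyConnect clients must trust out/ca.crt, so install it in their certificate store or in the organisation's trust distribution; the ca.key file stays on the workstation and never goes to the router.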
