1838 Views, 0 Helpful, 5 Replies

Help with configuring - SSL VPN Configuration on ISR 4331.

Elito Haylett (Level 1)

Cisco 4000 Series ISRs Software Configuration Guide, Cisco IOS XE 17.

According to this release of IOS-XE, SSL VPN is supported. See the following link:

https://www.cisco.com/c/en/us/td/docs/routers/access/isr4400/software/configuration/xe-17/isr4400-sw-config-xe-17/m_sec-conn-sslvpn-ssl-vpn-xe.html 

aaa new-model
!
aaa authentication login default local
aaa authentication login ech-list local
aaa authorization exec default local
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EST recurring
!
ip nbar http-services
!
ip name-server 68.237.161.12 71.250.0.12
ip domain name
ip ddns update method dyndns
HTTP
add http://echcomm:xxxxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 0 5 0
!
login on-success log
!
multilink bundle-name authenticated
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-356902xxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-356902xxxx
revocation-check none
rsakeypair TP-self-signed-356902xxxx
!
crypto pki certificate chain xxxxxxxxx
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7

quit
crypto pki certificate chain TP-self-signed-356902xxxx
certificate self-signed 02
30820330 30820218 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353639 30323230 3030301E 170D3232 31313133 30363335
31365A17 0D333231 31313230 36333531 365A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35363930
32323030 30308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100B08D F5D676CF 828ABB17 6987ADFC CB2C1B65 1056AC68 DE5795AB
54FB0862 4D395BC2 8E6BE253 A2430510 E6AD2805 AEACA241 1B814876 1D22F1A7
2F97915B 1B136377 B0D90F29 3172FB4C 4AAC177F 603F34FC 28DAFBF8 E7148C52
073F92DC 8DC39BA8 CBCE43BE FD8BED7E 3CA17808 2B2F1791 50A3B6F3 151E5615
4302049E AD28FBC2 2E82133A F2E2AEB4 EEA80219 64B5F291 380AE580 7F53E06D
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
enable secret 9 xxxxxxxxxxx
!
username admin privilege 15 password 7 xxxxxxxx
username xxxxxxx privilege 15 password 7 xxxxxxxxx
!
redundancy
mode none
!
crypto ikev2 keyring ECH-ISR4331-138
!
crypto ikev2 profile ECH-ISR4331-138
match certificate CERT_MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint ECH-SSLVPNSERVERCERT
aaa authorization group cert list ECH-IKEv2_AUTH ECH-ISR4331-138
virtual-template 3
!
no crypto ikev2 http-url cert
!
crypto ssl proposal test-proposal
protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl authorization policy auth-test-policy
rekey time 1110
client profile client-profile
mtu 1400
module gina
keepalive 500
dpd-interval client 1000
netmask 255.255.255.0
include-local-lan
pool ECH-ISR4331-138-SSL-VPN
dns 68.237.161.12 71.250.0.12
banner This is a SSL VPN Tunnel for ECH-ISR4331-138
route set access-list ECH-ISR4331-138-SSL-VPN
timeout disconnect 10000
!
crypto ssl policy test-policy
ssl proposal test-proposal
pki trustpoint TP-self-signed-356902xxxx sign
ip interface GigabitEthernet0/0/0 port 443
!
crypto ssl profile test-profile
match policy test-policy
aaa authentication user-pass list ech-list
aaa authorization user user-pass list ech-list
aaa accounting user-pass list ech-list
authentication remote user-pass
!Profile Incomplete (MUST have a policy matched and ssl authorization policy configured)
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.10.05095-webdeploy-k9.pkg sequence 1
!
interface Loopback0
no ip address
!
interface Loopback1
description Do Not Delete - WebVPN Interface
ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet0/0/0
description Verizon FIOS Outside
ip ddns update hostname xxxxxxxxx
ip ddns update dyndns
ip address dhcp
ip nbar protocol-discovery
ip nat outside
media-type rj45
negotiation auto
crypto map CMAP
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
!
interface Virtual-Template2 type vpn
ip unnumbered Loopback1
ip mtu 1400
ip tcp adjust-mss 1300
!
ip local pool ECH-ISR4331-138-SSL-VPN 172.168.100.230 172.168.100.240
no ip http server
ip http authentication local
no ip http secure-server
!
ip access-list standard ECH-ISR4331-138-SSL-VPN
10 remark ECH-ISR4331-138-SSL-VPN
10 permit 172.168.100.0
20 permit 172.168.101.0
30 permit 172.168.102.0
40 permit 172.168.103.0
50 permit 172.168.104.0
60 permit 172.168.105.0
70 permit 172.168.110.0
80 permit 172.168.138.0
90 permit 172.168.140.0
100 permit 172.168.150.0
!
ntp server ip time-a-wwv.nist.gov prefer source GigabitEthernet0/0/0
ntp server ip time-b-wwv.nist.gov source GigabitEthernet0/0/0
ntp server ip time-d-g.nist.gov source GigabitEthernet0/0/0
ntp server ip time-a-g.nist.gov source GigabitEthernet0/0/0
ntp server ip time-b-g.nist.gov source GigabitEthernet0/0/0
ntp server ip time-c-g.nist.gov source GigabitEthernet0/0/0

This configuration guide is so vague. I followed the documented steps and still had no luck trying to get the tunnel established. Here is my truncated configuration, which matches the documentation. The Virtual-Template configuration wasn't provided in the script, yet it is shown in the example configuration. Which interface is ip unnumbered mapped to, the Loopback or the WAN interface? According to the documentation the tunnel was established with their configuration, but how? Am I missing some steps in mine? The following are my show commands, and I noticed that in my show crypto ssl profile test-profile output the Interface : SSLVPN-VIF0 is showing as DISABLE, while in the documentation it's Enable. Why? What am I missing in my configuration?

ECH-ISR4331-138#show crypto ssl proposal test-proposal

SSL Proposal: test-proposal
Protection: RSA-3DES-SHA1 RSA-RC4-MD5 RSA-AES128-SHA1 RSA-AES256-SHA1

ECH-ISR4331-138(config-if)#do show crypto ssl profile test-profile
SSL Profile: test-profile
Status: ACTIVE
Match Criteria:
URL: none
Policy: test-policy
AAA accounting List : ech-list
AAA Authentication List : ech-list
AAA Authorization User List : ech-list
User :
Cached : False
AAA Authorization Group List : none
Authentication Mode : user credentials
Interface : SSLVPN-VIF0
Status: DISABLE
Max Users : 10000

ECH-ISR4331-138#show crypto ssl policy test-policy

SSL Policy: test-policy
Status : ACTIVE
Proposal : test-proposal
IP Address : 162.84.130.90
Port : 443
fvrf :
Trust Point: TP-self-signed-3569022000
Redundancy : none
ECH-ISR4331-138#

ECH-ISR4331-138#show crypto ssl authorization policy auth-test-policy

SSL Auth Policy: auth-test-policy
V6 Parameter:
Address Pool: none
Prefix: none
Route ACL : none
DNS : none
V4 Parameter:
Address Pool: ECH-ISR4331-138-SSL-VPN
Netmask: 255.255.255.0
Route ACL : ECH-ISR4331-138-SSL-VPN
DNS :
68.237.161.12
71.250.0.12
WINS : none
Banner : This is a SSL VPN Tunnel for ECH-ISR4331-138
Home Page : none
Idle timeout : 1800
Disconnect Timeout : 10000
Session Timeout : 43200
Keepalive Interval : 500
Client DPD Interval : 1000
Gateway DPD Interval : 300
Rekey
Interval: 1110
Method : New Tunnel
Split DNS: none
Default domain : none
Proxy Settings
Server: none
Option: NULL
Exception(s): none
Anyconnect Profile Name : client-profile
Module : Gina
MAX MTU : 1400
Smart Card
Removal Disconnect : NO
Include Local LAN : YES
Disable Always On : NO

Thanks in advance for your answer.


5 Replies

@Elito Haylett unfortunately, yes, the documentation is extremely lacking for SSL-VPN on IOS; it's not a configuration that is encouraged and there is very little community knowledge on it. The recommended remote access VPN solution on IOS-XE hardware is FlexVPN, which is an IKEv2/IPsec-based VPN, instead of SSL-VPN.

Examples of FlexVPN:

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

 

Elito Haylett (Level 1) [Accepted Solution]

Thank you for your quick response and the links for the FlexVPN configuration, but they definitely should have waited until the solution was more baked before putting out the documentation, because it causes more confusion than anything.

I looked at the second link, for the configuration of FlexVPN with IOS-XE, and I was confused by this config statement. Where do I import the following file from? Or how do I create it to import it into my router?

crypto pki import IKEv2-TP pkcs12 bootflash:IKEv2-TP.p12 password cisco123

 thanks

 

@Elito Haylett well, the guide doesn't cover the steps to create the certificate; it links to the Cisco guide to create certificates.

Here is a guide to configure a certificate on an IOS router. And another guide to configure it for use with FlexVPN.

Thank you very much for this information.

Hello all,

I'm revisiting this again. I tried to follow the steps to configure the IKEv2 AnyConnect VPN according to the examples outlined in the following documentation provided by Rob Ingram, and I'm still not able to connect.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-deploy-rsa-pki.html#GUID-E2E6913B-5C24-4961-8FDD-353D9E27F17F

The following is the configuration that's specific to the RSA/certificate and VPN. If any other part of it is needed, please let me know and I'll include it.

aaa new-model
!
!
aaa authentication login default local
aaa authentication login a-eap-authen-local local
aaa authorization console
aaa authorization exec default local
aaa authorization network a-eap-author-grp local

ip name-server 68.237.161.12 71.250.0.12
ip domain name dyndns.org

crypto key generate rsa general-keys modulus 4096 exportable label IKEv2-CA

crypto pki trustpoint ECH-IKEv2-TP
enrollment selfsigned
subject-alt-name ECH-IKEv2-CA
revocation-check crl
rsakeypair ECH-IKEv2-CA 4096
hash sha512

ECH-ISR4431-138(config)#crypto pki enroll ECH-IKEv2-TP
Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

crypto pki certificate chain ECH-IKEv2-TP
certificate self-signed 01
3082053D 30820325 A0030201 02020101 300D0609 2A864886 F70D0101 0D050030
2B312930 2706092A 864886F7 0D010902 161A4543 482D4953 52343433 312D3133
382E6479 6E646E73 2E6F7267 301E170D 32333130 30343034 31303434 5A170D33
33313030 33303431 3034345A 302B3129 30270609 2A864886 F70D0109 02161A45
43482D49 53523434 33312D31 33382E64 796E646E 732E6F72 67308202 22300D06
092A8648 86F70D01 01010500 0382020F 00308202 0A028202 0100A9F5 BB86CAD5
DC8FB937 59496A88 91FE221F B6C0064D 09267A89 395D01CF 5E43A23B 0BB5F468
BDBD678C B30E4C48 320FB9CF 5874BC7E 8EDBCF1F 59E4FDFD 6B9E5DE6 DAE84587
A5CD7FFD 72FB9452 5DB19CD7 19913040 443C6FFB 3DCEFEFD 39321C5B DDAEBD0C
F1D4BEB9 D09E73EC 2929A78E C73993E6 7C1EE6E4 E7BB26C4 CA0C772A F54A0634
A06174E8 EDAB3D34 AFA1FF82 AA8C2715 56140526 00DC3718 881C7F79 A87B3777
4617D07F C6A8FE97 B0C2706E B8FA18D7 F82649EE 360FA744 14E7245B AF43712F
B24DF194 C5F5783D CD414DC1 A3F0B627 456234F4 C081BBCB C9873344 835B060F
5A1423AA 23421DBA D276E7D2 2CE207F9 1068F4CE 6C620829 EED20DEF 2766BA32
8686E5F5 2E02E7BF 359C96B0 021CA99A 61CC36E5 A7BF4E34 2F5088F4 86DFB5D7
2BFF16B9 95B103A1 55C67C17 5CF7CE02 D8485DAB AAF8F99B ED938127 5675DB5A
954DC5C5 52CAF488 02056EB8 41BA171F B40E57DC B0A0E751 E42152E1 09672E67
5DE5900B A2E84DE3 B2675E3C 3196CFB2 D135D252 450C6026 B3B1DB71 AC25F884
2E61AD24 745DB42E B61BFD59 1DE2C17B 6C65123D 17F69F0C 3A587BFB 5C5DDA02
228EC8BB 61F70832 AC531B82 09440E01 A7E93F7F 70727CBD 03BD3118 8BD9A687
3B1DC23D A1FE7AD7 645C8AFE C85C11E6 E2BFF2FD 495FD180 EDED9931 D63F1C13
D0F4C8B4 F3878EC4 F1AEB0CE 9BE882F4 48A66185 FC8B6109 38290203 010001A3
6C306A30 0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82
0C454348 2D494B45 76322D43 41301F06 03551D23 04183016 8014E42E CE9D1197
C4D327DB 1359B64A 7D3958E1 F648301D 0603551D 0E041604 14E42ECE 9D1197C4
D327DB13 59B64A7D 3958E1F6 48300D06 092A8648 86F70D01 010D0500 03820201
00A1F234 EB23FAC0 8315C2A5 80B3189B 3F76EE68 9CA705A8 15E19F14 A3409A5D
F2E63B8B 81436BF9 6FAF1223 D244C4CC C8991A79 2B3C35EC CCFFEA50 1CB29BAB
A6587D4E 326D1991 64780C37 8AC06C4E 7B77EC4A 67E6665E 84FC7160 725FB69B
76520D47 9B9B9202 69CB213C CD5A74AE 6C1EA75C 32BEFF1B B1F02897 1727F61A
572DF751 442C18D1 581AE29D 0CA50867 1051FA78 04D2784F 1C4736F2 2E4EA329
7AE524AC 057DCC86 BD8FA332 60A0F5D7 49A0C17A E9559193 C69FDEA9 EAAEAA78
4AFB0CF1 665CA034 031246F2 1BC0412C 7ACC13F4 858166EA 7897BC02 AFAA77D5
8496B0F3 CDB41C46 DCA98D89 CFEB504E 693FE9B5 0DB6F690 00ECDC5C 1FB1607F
05A0A7AE FA91664B 2A6AA482 7559312D 523A6183 E7D15C9C D7CB16B1 563E4374
37837F0B 3DEFEBA8 39879B6D 92B4D2C0 6A6503F1 DB31E4A5 B2E74661 4D63AC88
BB69E528 301FEB1C DFB0E560 3FB2E2F5 539FC8FC 4E7C7D4F 8C76D33B C254AA5E
1417A79C 23E9B43A EF433FBE 679E2DA5 0AB3C0E4 0C996DEA C28711F3 BC7E163A
28451276 78433E12 A7D0708E 01506896 299302C9 1EFC8AEC 51744238 C9687491
E72619D9 D8A51DD6 47EC73BE AEF28ACF A3A2A99C 44F9E85F F3C224DA 8410FD58
7D886405 265CB248 AE12E062 DEDDFEBD EF9F3050 646FFC69 D383DC56 005EC830
255B489D C026C6F6 79D99A05 F82C922A 75033D2C 3170EE2E 3D547681 C367988C 5F
quit

ECH-ISR4431-138(config)#crypto pki export ECH-IKEv2-TP pem url bootflash: 3des password "omitted"
% Exporting Self-signed CA certificate...
Destination filename [ECH-IKEv2-TP.ca]?
% File 'ECH-IKEv2-TP.ca' already exists.
% Do you really want to overwrite it? [yes/no]: y
Writing file to bootflash:ECH-IKEv2-TP.ca
% Key name: ECH-IKEv2-CA
Usage: Signature Key
% Exporting private key...
Destination filename [ECH-IKEv2-TP-sign.prv]?
% File 'ECH-IKEv2-TP-sign.prv' already exists.
% Do you really want to overwrite it? [yes/no]: y
Writing file to bootflash:ECH-IKEv2-TP-sign.prv
% Exporting router certificate...
Destination filename [ECH-IKEv2-TP-sign.crt]?
% File 'ECH-IKEv2-TP-sign.crt' already exists.
% Do you really want to overwrite it? [yes/no]: y
Writing file to bootflash:ECH-IKEv2-TP-sign.crt
% Key name: ECH-IKEv2-CA
Usage: Encryption Key
% Exporting private key...
Destination filename [ECH-IKEv2-TP-encr.prv]?
% File 'ECH-IKEv2-TP-encr.prv' already exists.
% Do you really want to overwrite it? [yes/no]: y
Writing file to bootflash:ECH-IKEv2-TP-encr.prv% Error: failed to find router certificate.
% PEM: CA, Router Cert and Key are exported successfully
ECH-ISR4431-138(config)#
Oct 3 04:56:17.573: private key parsing failed

crypto ikev2 authorization policy IKEv2-auth-policy
pool ECH-VPN-POOL
dns 68.237.161.12 71.250.0.12
!
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14 19
!
crypto ikev2 policy default
match fvrf any
proposal default

crypto ikev2 profile ECH-AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint ECH-IKEv2-TP
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 1
anyconnect profile acvpn

crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml

crypto ipsec transform-set ECH-TS esp-aes 256 esp-sha256-hmac
mode tunnel

crypto ipsec profile ECH-AnyConnect-EAP
set transform-set ECH-TS
set ikev2-profile ECH-AnyConnect-EAP

interface Loopback0
ip address 10.0.0.1 255.255.255.255

interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
tunnel protection ipsec profile ECH-AnyConnect-EAP

ip local pool ECH-VPN-POOL 172.168.100.240 172.168.100.250

ECH-ISR4431-138#show crypto key mypubkey rsa
Key name: IKEv2-CA
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
Key Data:
30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
00A5D3AC E2B4D275 947B1565 1F3EB313 9D46232F A59B6258 932E38C8 34D9DE03
1DE05577 1D54E41F 51C0848C 6A99286F 2752E4DC 5201ACCD 0D347F8E 817D88F8
BEE10F1E F2A3C40D 86977073 5E2E1AD9 019D8894 750A63A0 2C844C74 C37B9E39
768D7740 FDF0F3C7 E4AA5A63 D337EF84 5CB4DB8A 3E418CDA AFE51D61 AD013239
F5E236C0 1BDDFED0 028D9C27 232AB389 E6E71C89 19A1E9E2 E1B9BDD6 F4FFB4D5
CD4598AB A704FAA1 BEB6607A F944D687 EBFF9CFC 363E9895 F09517AB F1827149
5B82CAF6 CA899A96 908C833B 93B3AF5A 3F20CC95 9D88B949 8A492ADA 7C3045C8
2BE5FA88 4B8656D5 7AE8A9BC 5CF83D8F ED468BC6 8BA8C9C6 5BBF2CA0 A21A615A
1FE709F5 5F9C1115 BF23FB75 7D17FBC7 B04507D4 D703E0C6 955DFEFE FC77A94B
D426BBB9 7EC25EF3 ED6B2764 D40B23B3 F3FA529A F9FD91C5 60B44778 4FB47EF5
7D80B466 16A1D58F 8CEB7E60 234E5BDF 9BC046E2 C8FF8F3C C1D51572 61ABD3E6
750B7361 19C68238 2970539C 296B6EF9 DEF82C09 6C08943A 5E70B580 B7FB8B9E
7B96D889 3551E415 825DBA26 ACCAC1C5 46EE31D9 8DED3CE1 6E58EFAB C5F14451
C75C6B7C FBA245F8 71DE7D34 9C6E5697 FD67D2C1 3E14302F CB56E07D C68928FC
6549597A 577C8EEB 74D8AC0C F034653E F352BCDE 5A95558D 15733F71 10BFE4C0
7C3A2ED8 0AAE2071 A0F64C2E A05E6E7C 5BD3BEEA C6B918DD 290F997D B957B1B6
03020301 0001
% Key pair was generated at: 00:10:32 est Oct 4 2023
Key name: ECH-IKEv2-CA
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable. Redundancy enabled.
Key Data:
30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
00A9F5BB 86CAD5DC 8FB93759 496A8891 FE221FB6 C0064D09 267A8939 5D01CF5E
43A23B0B B5F468BD BD678CB3 0E4C4832 0FB9CF58 74BC7E8E DBCF1F59 E4FDFD6B
9E5DE6DA E84587A5 CD7FFD72 FB94525D B19CD719 91304044 3C6FFB3D CEFEFD39
321C5BDD AEBD0CF1 D4BEB9D0 9E73EC29 29A78EC7 3993E67C 1EE6E4E7 BB26C4CA
0C772AF5 4A0634A0 6174E8ED AB3D34AF A1FF82AA 8C271556 14052600 DC371888
1C7F79A8 7B377746 17D07FC6 A8FE97B0 C2706EB8 FA18D7F8 2649EE36 0FA74414
E7245BAF 43712FB2 4DF194C5 F5783DCD 414DC1A3 F0B62745 6234F4C0 81BBCBC9
87334483 5B060F5A 1423AA23 421DBAD2 76E7D22C E207F910 68F4CE6C 620829EE
D20DEF27 66BA3286 86E5F52E 02E7BF35 9C96B002 1CA99A61 CC36E5A7 BF4E342F
5088F486 DFB5D72B FF16B995 B103A155 C67C175C F7CE02D8 485DABAA F8F99BED
93812756 75DB5A95 4DC5C552 CAF48802 056EB841 BA171FB4 0E57DCB0 A0E751E4
2152E109 672E675D E5900BA2 E84DE3B2 675E3C31 96CFB2D1 35D25245 0C6026B3
B1DB71AC 25F8842E 61AD2474 5DB42EB6 1BFD591D E2C17B6C 65123D17 F69F0C3A
587BFB5C 5DDA0222 8EC8BB61 F70832AC 531B8209 440E01A7 E93F7F70 727CBD03
BD31188B D9A6873B 1DC23DA1 FE7AD764 5C8AFEC8 5C11E6E2 BFF2FD49 5FD180ED
ED9931D6 3F1C13D0 F4C8B4F3 878EC4F1 AEB0CE9B E882F448 A66185FC 8B610938
29020301 0001

ECH-ISR4431-138# show crypto pki certificate verbose ECH-IKEv2-TP
Router Self-Signed Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
hostname=ECH-ISR4431-138.dyndns.org
Subject:
Name: ECH-ISR4431-138.dyndns.org
hostname=ECH-ISR4431-138.dyndns.org
Validity Date:
start date: 00:10:44 est Oct 4 2023
end date: 00:10:44 est Oct 3 2033
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Signature Algorithm: SHA512 with RSA Encryption
Fingerprint MD5: 5C2EE3D7 6E7051CA 6F17C31C CD0499C8
Fingerprint SHA1: 5CC74FF9 5CD69A89 F21339AA 0C920EC3 5B4247A2
X509v3 extensions:
X509v3 Subject Key ID: E42ECE9D 1197C4D3 27DB1359 B64A7D39 58E1F648
X509v3 Basic Constraints:
CA: TRUE
X509v3 Subject Alternative Name:
ECH-IKEv2-CA
IP Address :
OtherNames :
X509v3 Authority Key ID: E42ECE9D 1197C4D3 27DB1359 B64A7D39 58E1F648
Authority Info Access:
Cert install time: 00:10:44 est Oct 4 2023
Associated Trustpoints: ECH-IKEv2-TP

These are the certificate files created in bootflash
312 4096 Oct 01 2023 22:38:02.0000000000 +00:00 /bootflash/ca
313 4096 Oct 01 2023 22:43:29.0000000000 +00:00 /bootflash/ECH-CA
314 1879 Oct 04 2023 00:20:43.0000000000 +00:00 /bootflash/ECH-IKEv2-TP.ca
315 68 Oct 01 2023 23:04:03.0000000000 +00:00 /bootflash/1.cnm
316 135 Oct 01 2023 23:27:38.0000000000 +00:00 /bootflash/2.cnm
317 111 Oct 02 2023 00:39:59.0000000000 +00:00 /bootflash/3.cnm
318 3021 Oct 04 2023 17:24:15.0000000000 +00:00 /bootflash/acvpn.xml
319 123 Oct 02 2023 18:22:54.0000000000 +00:00 /bootflash/4.cnm
320 3311 Oct 03 2023 00:55:31.0000000000 +00:00 /bootflash/ECH-IKEv2-TP-sign.prv
321 1846 Oct 03 2023 00:55:38.0000000000 +00:00 /bootflash/ECH-IKEv2-TP-sign.crt
322 3311 Oct 03 2023 00:55:44.0000000000 +00:00 /bootflash/ECH-IKEv2-TP-encr.prv

This is the error I received trying to export the trustpoint to PKCS12, which is the reason I exported to PEM.

ECH-ISR4431-138(config)#crypto pki export ECH-IKEv2-TP pkcs12 tftp://tftpserver password "omitted"
% Can not export a self-signed-trustpoint via pkcs#12.
% Please use 'pem'

Attached is the error from the client side and the output of ACVPN that was TFTP'd to the router.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">false</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>ECH-ISR4331-138</HostName>
<HostAddress>ECH-ISR4331-138.dyndns.org</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>

I just can't connect to the VPN gateway with that message, and I don't even know where to start troubleshooting, because I tried the following debug commands on the router and there's no output.

debug crypto ikev2
debug crypto ikev2 packet
debug crypto ikev2 error

Please help. I need to have this up and running before I leave my office next week to remotely manage it.

Thanks for any help or feedback provided.
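One check worth running on the material posted above is whether the name the client dials is covered by a name in the gateway certificate. The profile points AnyConnect at ECH-ISR4331-138.dyndns.org, while the self-signed certificate shown by show crypto pki certificate verbose carries a Subject Alternative Name of ECH-IKEv2-CA (the bare label configured under subject-alt-name) and a hostname= attribute rather than a cn. AnyConnect validates the gateway certificate against the address it connected to, so a certificate with no matching DNS name is reported as untrusted. The script below is an added example, not part of the original post: it extracts HostAddress values from an AnyConnect profile and the SAN (or, failing that, cn=) values from the IOS show output, both supplied as constructed excerpts modelled on what is posted, and prints any host that no certificate name covers; the "fixed" show output is a hypothetical illustration of what a matching certificate would print. Whether this name mismatch is what the attached client-side error refers to cannot be told from the thread.

```shell
#!/bin/sh
# Added check: is every <HostAddress> the client dials covered by a name in the
# gateway certificate? AnyConnect matches the server certificate against the
# name it connected to (DNS SANs first, otherwise the cn), so a gateway cert
# whose only SAN is a bare label is not trusted for an FQDN.
set -eu

# Constructed excerpt modelled on the acvpn.xml posted above (ClientInitialization omitted).
PROFILE_XML='<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry>
<HostName>ECH-ISR4331-138</HostName>
<HostAddress>ECH-ISR4331-138.dyndns.org</HostAddress>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>'

# Constructed excerpt of the posted `show crypto pki certificate verbose` output.
# The SAN is the bare label ECH-IKEv2-CA; "hostname=" is the unstructuredName
# attribute, not a cn, so no certificate name carries the dyndns FQDN.
SHOW_CERT_POSTED='Router Self-Signed Certificate
Subject:
Name: ECH-ISR4431-138.dyndns.org
hostname=ECH-ISR4431-138.dyndns.org
X509v3 extensions:
X509v3 Subject Alternative Name:
ECH-IKEv2-CA
IP Address :
OtherNames :'

# Hypothetical output for a certificate whose SAN is the FQDN clients dial.
SHOW_CERT_FIXED='Router Certificate
Subject:
cn=ECH-ISR4331-138.dyndns.org
X509v3 Subject Alternative Name:
ECH-ISR4331-138.dyndns.org
IP Address :
OtherNames :'

host_addresses() {  # $1 = profile XML; prints one HostAddress per line
  printf '%s\n' "$1" | grep -o '<HostAddress>[^<]*</HostAddress>' | sed 's/<[^>]*>//g'
}

cert_names() {      # $1 = show output; prints DNS SANs, or cn= values when there are no SANs
  san=$(printf '%s\n' "$1" | awk '
    /^X509v3 Subject Alternative Name:/ { grab = 1; next }
    grab && /^(IP Address|OtherNames) *:/ { grab = 0 }
    grab && NF { print }')
  if [ -n "$san" ]; then
    printf '%s\n' "$san"
  else
    printf '%s\n' "$1" | awk 'tolower($0) ~ /^cn=/ { sub(/^[cC][nN]=/, ""); print }'
  fi
}

name_matches() {    # $1 = certificate name (may start with "*."), $2 = host; case-insensitive
  p=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  h=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  case "$p" in
    \*.*) suffix=${p#\*}; first=${h%%.*}
          [ "$h" = "$first$suffix" ] ;;   # a wildcard covers exactly one left-most label
    *)    [ "$p" = "$h" ] ;;
  esac
}

unmatched_hosts() { # $1 = profile XML, $2 = show output; prints hosts no certificate name covers
  for host in $(host_addresses "$1"); do
    ok=0
    for name in $(cert_names "$2"); do
      if name_matches "$name" "$host"; then ok=1; break; fi
    done
    [ "$ok" = 1 ] || printf '%s\n' "$host"
  done
}

echo "posted certificate, hosts without a matching name:"
unmatched_hosts "$PROFILE_XML" "$SHOW_CERT_POSTED"      # ECH-ISR4331-138.dyndns.org
echo "fixed certificate, hosts without a matching name:"
unmatched_hosts "$PROFILE_XML" "$SHOW_CERT_FIXED"       # (none)
```

To run it against live data, paste the router's show crypto pki certificate verbose output and the deployed profile into the two variables; the only certificate names that count are DNS SANs, so a subject-alt-name set to an arbitrary label, or an IP-only SAN for a client that dials a hostname, will show up as unmatched.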
