IOS SSL VPN PKI portion

newtwork1
Level 1

I'm trying to set up an SSL VPN on a 2811. I believe I have the SSL VPN portion understood, but I can't tell because I keep getting stuck on the Certificate Server, CA trustpoint and identity trustpoint configuration.

Does anyone know of a guide that walks you through the CA cert, Cert Server, CA trustpoint and identity trustpoint to IOS SSL VPN? For some reason I'm having a problem grasping the certificate configuration.

Thanks for the help

Newt.


6 Replies

Farrukh Haroon
VIP Alumni

Hello

Which certificate vendor are you using? Almost every vendor will have an example for Cisco on their website; if you can let me know the name I can get a link for you.

For Cisco IOS CA, you may follow the steps given at the top of this link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00807be6bc.shtml

For IOS SSL configuration examples there are many examples on CCO:

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml

Refer to Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM in order to learn more about the thin-client SSL VPN.

Refer to SSL VPN Client (SVC) on IOS with SDM Configuration Example in order to learn more about the SSL VPN Client.

Please rate if you find the input helpful. Regards

Farrukh

Farrukh, thanks for the response.

I've worked on this for 5 hours today and I've made some headway.

Farrukh, the articles were insightful, but for some reason I had a hard time piecing it together for my use, until I found this article by Paul Stewart: http://packetu.com/content/view/48/

After that, the PKI configuration was easier. Until the end...

So here I am. I configured clientless at first and was able to connect even though I received certificate errors. I installed AnyConnect 2.5 into flash and have been trying to connect.


I receive an error stating:


AnyConnect was not able to establish a connection to the specified secure gateway. Please try connection again. OK
A certificate problem has been encountered. A VPN connection will not be established.

http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml

Q. When I attempt to connect with AnyConnect VPN Client version 2.4, I receive this error message: A certificate problem has been encountered. A VPN connection will not be established. How can I resolve this issue?

A. This error occurs due to an issue documented in Cisco bug ID CSCtb73337 (registered customers only) . AnyConnect Client version 2.4 does not work with Cisco IOS headend when a certificate is used that is not trusted or there is mismatch in the host name entered in the URL to that to the CN (common name) or SAN (subject alternative name) in the Cisco IOS router certificate.

AnyConnect 2.4 fails to connect with Cisco IOS headend due to certificate verify fail error.

This issue can be resolved through one of these workarounds:

Make sure that the router certificate is trusted (import into certificate store) and then match the CN/SAN on the certificate to that of the URL. If there is no DNS entry, then you can use a local DNS entry by updating the host file for the host name in certificate.

Downgrade AnyConnect to a previous version: 2.3.

MY QUESTIONS
When I configure SSL, how would I match my identity certificate and the CN associated with the trustpoint with the IP address of the headend SSL router? On an ASA I configure the issuer-name cn=IP for the Identity Certificate and I don't have any problems.
During the crypto ca enroll TRUSTPOINTNAME you can specify an IP address associated with the enrollment, and I specified the headend IP thinking this would be associated with the site.

After I got the problem I placed subject-name cn=172.16.40.2 in the ID trustpoint and still received the same errors.

Any thoughts on where I went wrong?


Certificates
SSLVPN#sh crypto pki certificates
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-3473297385
  Subject:
    Name: IOS-Self-Signed-Certificate-3473297385
    cn=IOS-Self-Signed-Certificate-3473297385
  Validity Date:
    start date: 15:46:34 UTC Mar 10 2011
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-3473297385
  Storage: nvram:IOS-Self-Sig#1.cer

Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=MyCA
    dc=mylab
    dc=com
  Subject:
    Name: SSLVPN.securemeinc.com
    IP Address: 172.16.40.2
    ipaddress=172.16.40.2+hostname=SSLVPN.securemeinc.com
  Validity Date:
    start date: 15:42:12 UTC Mar 10 2011
    end   date: 15:42:12 UTC Mar 9 2012
  Associated Trustpoints: SecureMeTrustpoint
  Storage: nvram:MyCA#2.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=MyCA
    dc=mylab
    dc=com
  Subject:
    cn=MyCA
    dc=mylab
    dc=com
  Validity Date:
    start date: 15:35:48 UTC Mar 10 2011
    end   date: 15:35:48 UTC Mar 9 2014
  Associated Trustpoints: SecureMeTrustpoint MyCA
  Storage: nvram:MyCA#1CA.cer


Trustpoints
SSLVPN#sh crypto pki trustpoints
Trustpoint MyCA:
    Subject Name:
    cn=MyCA
    dc=mylab
    dc=com
          Serial Number (hex): 01
    Certificate configured.


Trustpoint SecureMeTrustpoint:
    Subject Name:
    cn=MyCA
    dc=mylab
    dc=com
          Serial Number (hex): 01
    Certificate configured.


Trustpoint TP-self-signed-3473297385:
    Subject Name:
    cn=IOS-Self-Signed-Certificate-3473297385
          Serial Number (hex): 01
    Persistent self-signed certificate trust point

SH RUN

SSLVPN#sh run
Building configuration...

Current configuration : 7745 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SSLVPN
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login SSLUSERS local
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name securemeinc.com
!
multilink bundle-name authenticated
!
!
!
crypto pki server MyCA
database level complete
issuer-name cn=MyCA,dc=mylab,dc=com
hash sha1
lifetime crl 96
!
crypto pki trustpoint MyCA
revocation-check crl
rsakeypair MyCA
!
crypto pki trustpoint SecureMeTrustpoint
enrollment terminal
ip-address 172.16.40.2
subject-name cn=172.16.40.2
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3473297385
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3473297385
revocation-check none
rsakeypair TP-self-signed-3473297385
!
!
crypto pki certificate chain MyCA
certificate ca 01
        quit
crypto pki certificate chain SecureMeTrustpoint
certificate 02
        quit
certificate ca 01
        quit
crypto pki certificate chain TP-self-signed-3473297385
certificate self-signed 01
        quit
!
!
username ssluser privilege 15 password 0 ssluser
username admin privilege 15 secret 5 $1$h5hf$/VQmCwuupBfoeeRIF79GM/
archive
log config
  hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.16.40.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip local pool sslvpnpool 192.168.50.2 192.168.50.5
ip forward-protocol nd
ip http server
ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
webvpn gateway SecureMeGW
ip address 172.16.40.2 port 443
http-redirect port 80
ssl trustpoint SecureMeTrustpoint
inservice
!
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.2001-k9.pkg sequence 1
!
webvpn context SecureMeContext
ssl authenticate verify all
!
!
policy group SecureMeDP
   functions svc-required
   svc address-pool "sslvpnpool"
   svc keep-client-installed
   svc split exclude 4.2.2.2 255.255.255.255
default-group-policy SecureMeDP
aaa authentication list SSLUSERS
gateway SecureMeGW
max-users 10
inservice
!
end


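The name check behind the error quoted from the Cisco Q&A, written out as an added example (not code from the thread, from Cisco or from AnyConnect): the identity certificate's Subject in the output above carries an IP address and a hostname but no cn= line and no SAN, so a client has nothing to match the URL against, and a client connecting by IP needs a SAN iPAddress entry rather than an IP placed in cn=. The dict shape is the one Python's ssl.getpeercert() returns; HEADEND_CERT and FIXED_CERT are constructed stand-ins, and treating AnyConnect as following the RFC 6125 / RFC 2818 rules is an assumption.

```python
import ipaddress
# Certificate facts use the dict shape Python's ssl.SSLSocket.getpeercert()
# returns.  The rules follow RFC 6125 / RFC 2818; that AnyConnect applies the
# same rules is an assumption, as its exact implementation is not on the page.

def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _dns_match(pattern, host):
    # A wildcard is honoured only as the whole leftmost label (*.example.com).
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def matches(cert, target):
    """Return (ok, reason) for connecting to `target` with certificate `cert`."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if ip is not None:
        # An IP target must match a SAN iPAddress entry; the CN is never consulted.
        if any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in san):
            return True, "IP matches SAN iPAddress"
        return False, "no SAN iPAddress entry for %s" % target
    dns_names = [v for t, v in san if t == "DNS"]
    if dns_names:  # once dNSName entries exist, the CN is ignored
        if any(_dns_match(p, target) for p in dns_names):
            return True, "host matches SAN dNSName"
        return False, "SAN present but no dNSName matches %s" % target
    cn = _common_name(cert)
    if cn is None:
        return False, "certificate has neither a SAN nor a CN"
    if _dns_match(cn, target):
        return True, "host matches CN (no SAN present)"
    return False, "CN %r does not match %s" % (cn, target)

# Constructed stand-ins, not decoded from the hex in the thread.  HEADEND_CERT
# mirrors the Subject shown by 'sh crypto pki certificates': no cn=, no SAN.
HEADEND_CERT = {"subject": ((("unstructuredAddress", "172.16.40.2"),),
                            (("unstructuredName", "SSLVPN.securemeinc.com"),))}
FIXED_CERT = {"subject": ((("commonName", "SSLVPN.securemeinc.com"),),),
              "subjectAltName": (("DNS", "SSLVPN.securemeinc.com"),
                                 ("IP Address", "172.16.40.2"))}
```

Running matches(HEADEND_CERT, "172.16.40.2") and matches(HEADEND_CERT, "SSLVPN.securemeinc.com") both fail, while FIXED_CERT passes for either target; a certificate whose only name is cn=172.16.40.2 still fails for the IP target.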
Please do the following:

> Add SSLVPN.securemeinc.com to the user's (client's) host file

> When you open the SSL VPN page on the user's browser; right click ..select 'Properties' .... 'View Certificate' and then save/open the certificate on the local machine.

> Make sure the date/time is synced between the VPN server and client


Regards

Farrukh

Farrukh, thanks for the response.

I was thinking modifying the host file may work, but I would think Cisco would have a recommended configuration not requiring a modification to the host file. My only concern with the modification of the host file is when this is in production I will be accessing this from multiple computers and I will have to modify all their host files. Once again Farrukh thanks for the help.

Newt

Hello Newt

The host file solution was only suggested as a temporary work-around. Once we are sure that this issue is related to name resolution, the appropriate configuration can be done on the DNS server to rectify the problem.

I would suggest trying it on one box and taking it from there.

How are you opening the SSL VPN page on the client...using the IP address or hostname (as mentioned in the certificate)?

Regards

Farrukh

Farrukh,

I updated the HOSTS file on my Win7 machine and was still unable to connect using AnyConnect 2.5. I received the same errors and the connection was stopped.

With the HOSTS file still modified I connected with AnyConnect 2.3 using the IP 172.16.40.2. I still got the requests to install the certificate (I've installed 50 times (clicked Yes)), but I was able to fully connect to the SSL VPN. I disconnected and relaunched AnyConnect 2.3 and the HOSTS file had already resolved the IP to FQDN in the "Connect To" login box.

I then removed my change (172.16.40.2     SSLVPN.securemeinc.com) to the HOSTS file and was still able to connect to the SSL VPN using IP.

So that's where I'm at. Thanks for the help to get this far!

I would like to get this resolved to run with Anyconnect2.5, since that is the client we have installed on our laptops and the default for our ASAs.

Newt.
