Minimum setup for SSL VPN via command line, IOS 12.4.

RvdKraats
Level 1

Hi All,

I'd like to try and connect my Chromebook to my 1811 ISR via VPN; no IPSEC client exists, so I'm using the Anyconnect SSL client. On the ISR I've already successfully set up a 'classic' IPSEC VPN, but I'm new to the SSL variant.

I've already searched through this site, and read some PDFs about this, but none has really answered my two questions:

- Can SSL VPN and IPSEC VPN co-exist on my ISR?

- What is the minimum setup required to get SSL VPN running? The Chromebook (and my other machines) already has the Anyconnect client installed, so I don't need to deliver any client from the ISR. I'd like to use tunnel mode: all traffic has to go through the tunnel, no exceptions.

Hopefully someone can help me with this :)

Regards,

Rene.

8 Replies

Dinesh Moudgil
Cisco Employee


- Can SSL VPN and IPSEC VPN co-exist on my ISR?
Yes, it can coexist.

- What is the minimum setup required to get SSL VPN running?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hello Dinesh,

thanks for your reply. I already found those links, but I wasn't sure if these settings were the minimum necessary, or that they include unnecessary 'extras'. Still, the first link looks the most promising, might give it a try :)

Regards,

Rene.

Glad to address your query mate !

Let me know if you run into any issues.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

I'm not there yet apparently. Tried a basic setup, port 443 is open according to portscan, but I don't even see any webvpn debug info scrolling by.

This should be easier than 'classic' IPSEC, but for me it's more difficult it seems.

Mind you, I'm using the command line here...I don't like all the extra mess the GUI-based tools make ;)

Rene.

Whatever suits you, Rene, as long as we are able to accomplish the task :)

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

I was tinkering with the setup this evening, and it still didn't work.

I get the feeling I'm forgetting something.

The commands I added:

crypto pki trustpoint ssl_vpn_trustpoint
enrollment selfsigned
serial-number
revocation-check crl
rsakeypair TP-self-signed-3174529880

crypto pki certificate chain ssl_vpn_trustpoint
certificate self-signed 02
30820256 308201BF A0030201 02020102 300D0609 2A864886 F70D0101 04050030
37313530 12060355 0405130B 46484B31 34343037 30455230 1F06092A 864886F7
0D010902 16124369 73636F5F 31383131 2E686F6D 652E6E6C 301E170D 31363033
30393138 32353030 5A170D32 30303130 31303030 3030305A 30373135 30120603
55040513 0B46484B 31343430 37304552 301F0609 2A864886 F70D0109 02161243
6973636F 5F313831 312E686F 6D652E6E 6C30819F 300D0609 2A864886 F70D0101
01050003 818D0030 81890281 8100C46D 6C3D90DC A958BF5E D132E271 ACB64B20
430DDB8E E3165F67 34FEDCF8 502A2CF9 2C374CA4 4981D27D 3593CABB 6C9D3A1F
20E59F21 3625AE6D 12471D2A 1978D3CC 50F072B0 D4E99F7D DD41721A 67634450
C8C225F7 B094B12D BF7241A6 1C49E0FE C0C1D885 DEC6C97A 8A42BCEC FDCE89B6
C897D2F5 47A92900 06AE81D9 34550203 010001A3 72307030 0F060355 1D130101
FF040530 030101FF 301D0603 551D1104 16301482 12436973 636F5F31 3831312E
686F6D65 2E6E6C30 1F060355 1D230418 30168014 4459338A E95EFE89 F8319311
33681B48 7A3BCA01 301D0603 551D0E04 16041444 59338AE9 5EFE89F8 31931133
681B487A 3BCA0130 0D06092A 864886F7 0D010104 05000381 81003FF4 8BC9CC81
77BCFC97 EF9D09A1 7C9D3DDB 52BCE0CA 3F497FF0 DBA782ED F173921E F5C3E8C9
32781463 88B27FAB F0E70947 8A6A3516 5FABD6FE 155E97EE 0897E53D 01664C2F
C197EFBC 32D697A6 0C3B932A F045131B 4F776C91 DB0E1EFD 481F017D 8BC367F9
9B034B02 3E7D057F A8CF7B09 DA3B73E8 8B995D57 A113AEFB 71C4
quit

ip local pool vpn_address_pool x.x.x.x x.x.x.x

webvpn gateway ssl_vpn_gateway
ip interface Dialer0 port 443
ssl encryption aes-sha1
ssl trustpoint ssl_vpn_trustpoint
inservice
!
webvpn context ssl_vpn_context
ssl authenticate verify all
!
!
policy group ssl_vpn_policy
functions svc-required
svc address-pool "vpn_address_pool"
svc keep-client-installed
default-group-policy ssl_vpn_policy
gateway ssl_vpn_gateway
max-users 2
inservice

Now that I'm typing this, I noticed there was still a 'no ip http secure-server' command; I'll remove it and see if that changes anything.

Do you see if I'm missing something? Because of the already existing IPSEC setup, the aaa authentication/authorization commands are already there.

Regards,

Rene.

Bah, I officially hate AnyConnect! It should be called Noconnect!

It should be 'easy'; turns out I figured out IPSEC in a few evenings, and still no luck with Anyconnect after about half a month of fiddling :(

Client type doesn't matter; I've tried the Anyconnect client from Win7 (I know, troublesome), Win2000, Android, Chrome OS...nothing works.

For the love of God I hope Cisco will keep supporting IPSEC, that's up and running in no-time.

Closest I got was a user/password prompt, then nothing, and the next message on the Cisco's terminal:

*Apr 13 17:43:23.398: WV: Fragmented App data - buffered
*Apr 13 17:43:23.398: WV: server side not ready to send.

I think I'll stick with the Cisco VPN client as long as I can.

RvdKraats
Level 1

Well,

I've gotten a bit further, but we're not there yet.

The Chromebook's Anyconnect client at least responds now and lets me log in, but there's a network address failure. Windows 7 with the Anyconnect client does nothing, but I've already found out that Win7 + Anyconnect isn't really a nice combination.

Anyway, the stuff I've added so far:

============================================================

aaa session-id common
!
crypto pki trustpoint TP-self-signed-3174529880
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3174529880
revocation-check none
rsakeypair TP-self-signed-3174529880
!
!
crypto pki certificate chain TP-self-signed-3174529880
certificate self-signed 01

<crypto key here>

quit

webvpn gateway ssl_vpn_gateway
ip interface Dialer0 port 443
ssl encryption aes-sha1
ssl trustpoint TP-self-signed-3174529880
inservice
!
webvpn context ssl_vpn_context
ssl authenticate verify all
!
!
policy group ssl_vpn_policy
functions svc-enabled
svc address-pool "ssl_vpn_pool"
svc keep-client-installed
svc rekey method new-tunnel
default-group-policy ssl_vpn_policy
aaa authentication list vpn_authen_list
gateway ssl_vpn_gateway
max-users 5
inservice

========================================================================

Anyone have any idea what's wrong?

The 'ssl_vpn_pool' is the same pool that I'm also using for the 'classic' IPSEC VPN.