06-17-2010 06:51 AM
Hi, I'm trying to build an SSL VPN connection with my Cisco 878 router... however,
when I'm trying to make a VPN connection, I get the error message "Certificate received has a common name that does not match the server name."
Which name does it have to match with? And how can I solve this??
Thanks
06-17-2010 09:38 AM
The Common Name (CN) on the certificate needs to match what you type in the browser when connecting to the SSL router, or, if you use the
standalone AnyConnect client, it needs to match the CN name on the certificate.
For example:
If your certificate CN name is sslvpn.abc.com, that needs to resolve to the router IP address, and that is what you should enter in your browser:
If your certificate CN name is sslvpn.abc.com, and you enter https://
Hope that helps.
06-17-2010 12:26 PM
Ok.. I removed and created the certificate again with the global IP address from the outside interface..... no more certificate errors.
However.. I don't have any experience with WebVPN and stuff like this.. but now when I'm trying to make a WebVPN connection via the website
I get the error "the SSL VPN HTTP response code received from the gateway indicates an error".
What does this mean??? I already added a link that I want to use when I'm connected...
Thanks again
06-18-2010 05:57 AM
The website needs to resolve to the same IP address (global outside interface IP address) to be able to connect using the name. However, if you connect using the name then you would have a certificate error because you have changed it to CN=ip address.
Can you confirm that you can connect via IP address, that the SSL VPN is connected, and that you can access resources behind the router?
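As an added example (not code from this thread or from Cisco), here is a small Python check that models what the browser or AnyConnect does with the name you typed versus the certificate's CN/SAN, covering both the hostname CN described in the earlier reply and the CN=ip address case described just above. The certificates are hand-built dictionaries in the layout ssl.getpeercert() returns, and 203.0.113.10 is a placeholder standing in for the router's global IP address.

```python
import ipaddress

# Constructed sample certificates in ssl.getpeercert() dict layout; no live
# connection is made. CERT_CN_IP mirrors the thread's self-signed certificate
# with "subject-name CN=(global ip address)"; 203.0.113.10 is a placeholder.
CERT_CN_HOSTNAME = {
    "subject": ((("commonName", "sslvpn.abc.com"),),),
    "subjectAltName": (("DNS", "sslvpn.abc.com"),),
}
CERT_CN_IP = {
    "subject": ((("commonName", "203.0.113.10"),),),
}


def cert_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_names) that the certificate claims to identify."""
    dns, ips = [], []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                # A CN may hold a hostname or, as in the thread, a bare IP.
                try:
                    ips.append(str(ipaddress.ip_address(value)))
                except ValueError:
                    dns.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    return dns, ips


def name_matches(cert: dict, connected_as: str) -> bool:
    """True if what the user typed (hostname or IP) matches the certificate.

    An IP typed in the browser only matches an IP-form name, and a hostname
    only matches a DNS-form name; this is why a CN=ip address certificate
    fails as soon as the client connects by name.
    """
    dns, ips = cert_names(cert)
    try:
        return str(ipaddress.ip_address(connected_as)) in ips
    except ValueError:
        return connected_as.lower() in dns


if __name__ == "__main__":
    print("by name, CN=hostname:", name_matches(CERT_CN_HOSTNAME, "sslvpn.abc.com"))
    print("by name, CN=ip      :", name_matches(CERT_CN_IP, "sslvpn.abc.com"))
    print("by ip,   CN=ip      :", name_matches(CERT_CN_IP, "203.0.113.10"))
```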
06-18-2010 12:06 PM
I now use the global IP address and no name at this moment..
so no certificate problems anymore.. that part is solved now.. only I can't make a VPN connection
because of the error I'm getting.. so also no connection to my resource behind the VPN router..
06-18-2010 08:18 PM
If you can't even connect to the SSL VPN, you won't be able to access the resources behind the router.
On the webvpn gateway and context, please disable the service (no inservice) and re-enable it (inservice), and try to connect again.
If it still does not work, please share your router configuration.
06-19-2010 02:26 AM
After resetting the webvpn gateway (no inservice, inservice)... nothing changed...
Here is my config.. (I changed the global IP address of my router to (global ip address) for security reasons on this page,
but in the real config this is of course my global IP..)
Thanks again...
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 878
!
boot-start-marker
boot system tftp c870-advipservicesk9-mz.124-15.T5.bin 172.16.250.24
boot-end-marker
!
no logging buffered
enable secret 5 *******
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint entrust
enrollment terminal
revocation-check none
!
crypto pki trustpoint (global ip address)
enrollment selfsigned
serial-number none
ip-address none
subject-name CN=(global ip address)
revocation-check crl
rsakeypair (global ip address)_RSAKey 512
!
!
crypto pki certificate chain entrust
crypto pki certificate chain (global ip address)
certificate self-signed 03
308201AC 30820156 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
2C311630 14060355 0403130D 38372E32 31312E31 30382E36 36311230 1006092A
864886F7 0D010902 16033837 38301E17 0D313030 36313732 30323933 385A170D
32303031 30313030 30303030 5A302C31 16301406 03550403 130D3837 2E323131
2E313038 2E363631 12301006 092A8648 86F70D01 09021603 38373830 5C300D06
092A8648 86F70D01 01010500 034B0030 48024100 AD0FE269 E3CEC51B 5AC3C446
4F9B1AC7 C017B0AC 8774D197 76463086 52EAFA67 60B61C28 AF8CDC9B 9043F5F9
E998FFE5 57DC58C7 A6480965 69F13582 8E79D0AB 02030100 01A36330 61300F06
03551D13 0101FF04 05300301 01FF300E 0603551D 11040730 05820338 3738301F
0603551D 23041830 16801441 E406E4E8 C538DD9B F0D187EA 3478276C 37D6EB30
1D060355 1D0E0416 041441E4 06E4E8C5 38DD9BF0 D187EA34 78276C37 D6EB300D
06092A86 4886F70D 01010405 00034100 130209B4 EC8ABD9F 7F1B8705 3C7084D8
79B26C08 A975090B B0CB721D 740BC229 2E9C952D 1989268B 8951302D D37B45B7
74178A30 3F58D724 7208A90D BC3A48DD
quit
dot11 syslog
ip cef
!
!
!
!
ip name-server 62.58.50.5
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username blomk privilege 15 password 7 *******
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key *****
dns 62.58.50.5 62.58.50.6
pool SDM_POOL_1
include-local-lan
backup-gateway 172.16.250.253
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group vpn
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
hidekeys
!
!
controller DSL 0
line-term cpe
!
!
!
!
interface Loopback0
ip address 172.16.252.1 255.255.255.0
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description *** Port Outside ***
switchport access vlan 10
!
interface FastEthernet1
description *** Inside ***
switchport access vlan 11
!
interface FastEthernet2
description *** Inside ***
switchport access vlan 11
!
interface FastEthernet3
description *** Inside ***
switchport access vlan 11
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan11
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
no ip address
!
interface Vlan11
description *** Inside ***
ip address 172.16.250.253 255.255.255.0
ip directed-broadcast 101
ip nat inside
ip virtual-reassembly
!
interface Vlan10
description *** Outside ***
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 172.16.251.240
ip forward-protocol nd
ip forward-protocol udp echo
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 100 interface Vlan10 overload
ip nat inside source static udp 172.16.250.255 7 interface Vlan11 7
ip nat inside source static tcp 172.16.250.24 3389 interface Vlan10 3389
ip nat inside source static udp 172.16.250.24 7 interface Vlan10 7
ip nat inside source static tcp 172.16.252.1 443 interface Vlan10 443
!
access-list 100 permit ip any any
access-list 101 permit udp any any eq echo
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn gateway gateway_1
ip address 172.16.252.1 port 443
http-redirect port 80
ssl trustpoint (global ip address)
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context kennis
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
url-list "test"
heading "test"
url-text "kennis" url-value "http://172.16.250.24/c"
!
!
policy group policy_1
functions svc-enabled
svc address-pool "SDM_POOL_1"
svc keep-client-installed
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_5
gateway gateway_1
inservice
!
end
06-19-2010 02:45 AM
The following is incorrectly configured:
ip nat inside source static tcp 172.16.252.1 443 interface Vlan10 443
You don't need to configure NAT translation for the loopback address. Please kindly remove it and clear the NAT translation.
The following second line also needs to be changed:
webvpn gateway gateway_1
ip address 172.16.252.1 port 443
You are currently using the loopback address for the SSL VPN connection; not sure whether you are trying to connect using the loopback address or the outside global IP address. Guessing from the NAT translation configured, I assume that you are connecting to the VLAN 10 global IP address. Therefore, for the above ip address configuration on the webvpn gateway, you would need to configure the following:
webvpn gateway gateway_1
ip address
Then, please disable and re-enable the service --> "no inservice", then "inservice".
Hope that resolves the issue.
06-19-2010 07:52 AM
Correct, the reason why I made a NAT translation rule to the 172.16.252.1 IP address is that I also use SDM on my router,
and if I configure the webvpn gateway to the global IP address then the SDM is responding on this and not the SSL VPN.
That's why I made the loopback interface and the NAT translation..
So perhaps I can block the SDM from the outside global IP address.. so that the WebVPN responds again.
06-19-2010 08:07 AM
Ah, some new information....
I'm still getting an error now: "an error has been found in the VPN server certificate, certificate received has a common name that does not match the server name" press yes to view the certificate or no to terminate..
Does the router need to have the same name as the certificate then?? Because the hostname is now 878.
Can you find anything based upon the config I sent you earlier today..??
Thanks
06-19-2010 08:12 AM
Unfortunately that is not a supported configuration. You can't translate an IP address configured on the router itself.
If your SDM is using TCP port 443, you can use a different port for the SSL VPN:
webvpn gateway gateway_1
ip address
When you connect, you also need to connect on port 8443, e.g.: https://
OR alternatively, you can change the SDM port to a different port too.
06-19-2010 09:15 AM
Hmm ok... after I changed the IP address on the webvpn gateway to the IP address of VLAN 10 (192.168.1.2), no global IP because there is another
NAT device in front of the Cisco,
and I also removed the NAT translation..
The page doesn't respond anymore... so even no login screen anymore...