01-18-2006 04:58 AM - edited 02-21-2020 02:12 PM
Hi!
I'm testing WebVPN on a CS2801 IOS router with version 12.3(16)T. I'm not able to access my router via https or http. Here's what I get:
*Jan 18 12:52:55.163: SSLVPN: SSL Handshake Not done yet.. :
*Jan 18 12:52:55.163: SSLVPN: SSL Handshake Failed : No Certificate
*Jan 18 12:52:55.163: SSLVPN: Deleting Context : 0x63AF94C8,
*Jan 18 12:52:55.171: SSLVPN: SSL Handshake Not done yet.. :
*Jan 18 12:52:55.171: SSLVPN: SSL Handshake Failed : -6996
*Jan 18 12:52:55.171: SSLVPN: Deleting Context : 0x63AF94C8,
Since I've installed the certificate, I don't see where the problem is.
Regards.
01-24-2006 06:57 AM
SSL VPNs require configuration of a public key infrastructure (PKI) trustpoint.
One of the first things checked within a certificate is the expiration. A valid date is required, and the router has to have the correct time. To configure the router as an NTP client, use the following configuration:
Certificate Expiration and Auto-Enroll (Automatic Re-Enrollment) Feature FAQ :
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_q_and_a_item09186a00802149a8.shtml
Configuring Cisco IOS Certificate Enrollment Using Enhanced Enrollment Commands :
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801405ac.shtml
01-24-2006 09:24 AM
Hi! I have the same problem. Must the router and the CA server (for example: MS w2k3) have exactly the same time, including seconds?
Thanks,
JP
01-31-2006 04:27 PM
I think the original poster wants to know what I want to know. Can I use a self-generated/self-signed certificate to enable WebVPN? And if so, what is the procedure to do this process and enable the cert on the router?
01-31-2006 08:23 PM
Hi,
I tested it a long time back and it worked with a Cisco self-generated certificate.
Below is the transcript for the webvpn setup which I did before:
aaa new-model
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa session-id common
ip domain name xyzadb.com
ip name-server A.B.C.D
webvpn enable gateway-addr X.Y.Z.42
!
webvpn
 title "Secure Corporate Access: Unauthorized users prohibited"
 title-color blue
 secondary-color white
 text-color black
 idle-timeout 300
 ssl encryption xxxx
 ssl trustpoint xxxxx
 url-list "weblist"
   heading "WEB ACCESS"
   url-text "web" url-value "http://www.xyzadb.com"
   url-text "web2" url-value "https://as.xyzadb.com/"
!
crypto pki trustpoint TP-self-signed-3344843329
 enrollment selfsigned xxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto pki certificate chain TP-self-signed-3344843329
 certificate self-signed 01 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto isakmp client configuration group web
 key web
 dns A.B.C.D A.B.H.22
 domain xyzadb.com
 pool SDM_POOL_1
 acl 100
 include-local-lan
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 client configuration address respond
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
ip local pool SDM_POOL_1 p.q.r.s
ip http server
ip http secure-server
HTH. Please rate posts that help.
02-03-2006 03:52 PM
I am confused on how to set the router to use its self-signed cert for WebVPN. How do I set the trustpoint? Do I use my own IP address?
02-04-2006 03:32 AM
Can you post your current router config, after changing the passwords and global IP address?
The trustpoint is auto-generated by the router when you enable "ip http secure-server".
After setting up the webvpn on your router, you can access the site from a PC on the Internet side with https://.
Then it will ask for authentication; enter the userid/pass which you have set in the router.
HTH. Rate the posts which helped you.
02-07-2006 11:14 AM
Ok, I have it working now but I have a new issue. I am unable to run "webvpn enable" by itself without specifying the "gateway-addr". See this message:
goremote(config)#webvpn enable
Use gateway-addr to specify IP address for WebVPN if "ip http secure-server" is configured
I need it to run without requiring the "gateway-addr" option because my sites are DHCP and get their IPs via DHCP. I use Cisco's new DDNS capability to get to the box, and since I do not know the IP I use the DDNS hostname.
Anyone have success getting the IOS to work with "webvpn enable" alone?
Thanks
02-07-2006 11:40 PM
Disable the ip http secure-server with the command "no ip http secure-server".
Make sure that the "crypto pki trustpoint" is not deleted.
You can also generate the key manually. Please refer to the link.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cac.html
Webvpn link:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008044b201.html
Enable the webvpn without any gateway address.
Then try to access the webvpn.
HTH. Please rate posts that help.
02-08-2006 01:12 PM
Here is my config. It will never go into "router(config-webvpn)" mode unless I have assigned a "gateway-addr". I show the output at the very bottom of this config showing what I get if I do not define the gateway in the webvpn enable command vs. when I do define the gateway-addr option. Notice that "no ip http secure-server" is defined in my config.
hostname goremote
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication login ssh local enable
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.99.1
!
ip dhcp pool 192.168.99.0/24
 network 192.168.99.0 255.255.255.0
 default-router 192.168.99.1
 lease 0 1
!
!
ip domain name tzo.com
ip ips sdf location flash://128MB.sdf
ip ips notify SDEE
ip ddns update method tzo
 HTTP
  add http://cgi.tzo.com/webclient/tzoperl.html?TZOName=goremote.tzo.com&Email=jexxxxx@tzo.com&TZOKey=1234567&B1=Sign+On&TZOKey=1234567&B1=Sign+On
 interval maximum 0 0 10 0
!
!
!
crypto pki trustpoint TP-self-signed-3493937278
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3493937278
 revocation-check none
 rsakeypair TP-self-signed-3493937278
!
!
crypto pki certificate chain TP-self-signed-3493937278
 certificate self-signed 01
  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343933 39333732 3738301E 170D3036 30323038 32303535
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34393339
  33373237 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CB08 76092FFF 9FE63CEF 9BA269C3 5F08D35A B8D7F8F4 4BC70BE4 12587524
  0DD11201 E605EB05 9692308F C6C17A18 1CA3912A 0DF18A98 49E07A8C 1C872526
  4C5FB259 D3DEF100 6635F001 8992FD29 74E99CD6 661DA726 794C93B8 C2F652FE
  CF89F672 0F8E3E95 EF8DA4D6 687010BD C8CB2F02 06A5C0FB E12D0969 102343E7
  BBC70203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
  551D1104 14301282 10676F72 656D6F74 652E747A 6F2E636F 6D301F06 03551D23
  04183016 8014D80C 46ED8D3C 71DF98A2 801157E1 D2D7D213 6397301D 0603551D
  0E041604 14D80C46 ED8D3C71 DF98A280 1157E1D2 D7D21363 97300D06 092A8648
  86F70D01 01040500 03818100 6EE82101 BACA4B48 E98DBC41 17F43B09 22438D4F
  quit
file prompt quiet
username xxx password 0 xxx
!
!
!
!
!
!
interface FastEthernet0
 ip ddns update xxx
 ip address dhcp
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 192.168.99.1 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip classless
ip route 0.0.0.0 0.0.0.0 65.165.xxx.xxx
!
!
ip http server
no ip http secure-server
!
!
goremote(config)#webvpn enable
Use gateway-addr to specify IP address for WebVPN if "ip http secure-server" is configured
goremote(config)#webvpn
(Prompt should have changed here but never does)
(Now with the gateway-addr option added below)
goremote(config)#webvpn enable gateway-addr 65.165.xxx.xxx
goremote(config)#webvpn
goremote(config-webvpn)#
goremote(config-webvpn)#