SSL VPN second try!

Hi Folks,

I am quite new to crypto.
What is absolutely necessary for an IOS router to answer a TCP connect request from an AnyConnect client?
I had a running config, had a router crash and can't get it working again.
When it worked, I was able to authenticate with username and password.
My goal is an SSL VPN full tunnel.

Regards, Hannes

Hello Johann

The following documentation from Cisco details the creation of a basic SSL VPN for Cisco IOS routers using clients with AnyConnect. Take a look at this and if you have questions, please let us know!

I hope this has been helpful!

Laz

Which documentation do you mean?

Hello Johann

I’m so sorry I forgot to add the link! :open_mouth: Here it is:

I hope this has been helpful!

Laz

Thanks!

Unfortunately, these examples don't really help.
I did a lot of debugging and searched the net for the debug messages.
At the moment I have no idea.
After the router crash I can't get working again what worked before.

Cheers, Hannes

Hi @hannes.1967.hiller ,

WebVPN can be complex. There are many parameters you can configure.

Using the link @lagapidis sent, I created a config where the virtual-access interface comes up.

enable AAA:

aaa new-model
aaa authentication login SSLVPN local

Set hostname and domain:

hostname R1
ip domain-name NETWORKLESSONS.COM

Generate RSA keypair:

! the label must match the "rsakeypair" name in the trustpoint below;
! 2048 bits, since 1024-bit RSA is deprecated
crypto key generate rsa label MY_RSA_KEYPAIR modulus 2048

Set client username:

username VPN_USER secret MY_PASSWORD

Set anyconnect package for Windows clients:

crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.10.06079-k9.pkg sequence 1

Configure trustpoint and generate self signed certificate:

crypto pki trustpoint MY_TRUSTPOINT
 enrollment selfsigned
 subject-name CN=WEBVPN-NETWORKLESSONS
 rsakeypair MY_RSA_KEYPAIR
!
! generates the self-signed certificate (answer the prompts)
crypto pki enroll MY_TRUSTPOINT

Configure a webpool for clients:

ip local pool WEBVPN_POOL 192.168.10.10 192.168.10.100

Configure webvpn gateway (you can also specify interface instead of ip address):

webvpn gateway WEBVPN_GATEWAY
 ip address 1.2.3.4 port 443  
 ssl encryption aes128-sha1
 ssl trustpoint MY_TRUSTPOINT
 inservice

Configure WebVPN context:

webvpn context WEBVPN_CONTEXT
 title "WEBVPN NETWORKLESSONS FOR REMOTE USERS"
 login-message "ONLY FOR AUTHORIZED USERS"
 aaa authentication list SSLVPN
 gateway WEBVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
 !
 policy group WEBVPN_POLICY
   functions svc-enabled
   functions svc-required
   svc address-pool "WEBVPN_POOL" netmask 255.255.255.0
   svc rekey method new-tunnel
 ! hand this policy group to users who get none from AAA
 default-group-policy WEBVPN_POLICY

Once configured, I see this:

Line protocol on Interface Virtual-Access1, changed state to up

And I see the port is listening:

R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
 tcp                       *:443                         *:0             TCP Listener   LISTEN

You can use some show webvpn commands to check specifics about anyconnect.

I hope this helps.

For backups, I like to use oxidized for my Cisco devices:

Rene

Thank you very much!
I don't know what the difference is between router versions or router software.
I only have cry ssl commands, not webvpn commands.
I have already posted my configuration, I think.

Thanks for all the effort!
Cheers, Hannes

Which router do you use @hannes.1967.hiller ?

C1111#sh version
Cisco IOS XE Software, Version 17.06.04
Cisco IOS Software [Bengaluru], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Sun 14-Aug-22 08:10 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License (“GPL”) Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or “License Notice” file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: 17.5(1r)

It seems that my configured port 44443 is not listening.
How can I check this?

Now I am trying a minimum configuration to check whether the TCP port is answering:
62.178.173.16:55555

SSL Profile: spr
 Status: ACTIVE
 Match Criteria:
   URL: none
   Policy: spo
 AAA accounting List      : local
 AAA Authentication List  : none
 AAA Authorization User List   : none
 AAA Authorization Group List  : none
 Authentication Mode      : user credentials
 Interface                : SSLVPN-VIF1
   Status: DISABLE
 Max Users                : 10000

C1111#sh cry ssl pol spo

SSL Policy: spo
  Status     : ACTIVE
  Proposal   : default
  IP Address : 62.178.173.16
  Port       : 55555
  fvrf       : 
  Trust Point: C1111TP
  Redundancy : none

Hello Johann

As stated in this post below, the WebVPN feature is approaching its end of life and is not available on the C1111 platform. That's why you don't see the webvpn commands.

I hope this has been helpful!

Laz

Hello Hannes

You can check what ports a Cisco IOS router is listening on by using the following command:

show control-plane host open-ports

More about this can be found in this NetworkLessons note on the topic.

I hope this has been helpful!

Laz

Thanks!

I don't have these commands on my router, but I can check with telnet and the appropriate port number whether the router is answering.
I can't get an answer from the router interface.
No idea!

Update!!!

Now, I tested a Cisco sandbox csr Router with following config:

csr1000v-1#sh cry ssl pol

SSL Policy: spol
  Status     : ACTIVE
  Proposal   : default
  IP Address : 10.10.20.48
  Port       : 11111
  fvrf       : 
  Trust Point: TP-self-signed-807034967
  Redundancy : none

On this router it was possible to do a "telnet 10.10.20.48 11111".
On my router the connection always gets refused!

Regards, Hannes
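The telnet test above only says "connected" or "refused". The probe below, an added example for this thread and not code from any poster or from Cisco, separates the three outcomes that matter when chasing a listener that is not there: refused (the address replied with a TCP RST, so it is reachable but nothing is bound to that port), timeout (no reply at all, so something is dropping the traffic or the address is wrong) and open, in which case it goes one step further and completes a TLS handshake against the gateway, accepting a self-signed certificate on purpose so that it can report what the router presents. Host and port are command-line arguments (for instance the address and port shown by `show crypto ssl policy`); the `LocalListener` and `closed_local_port` helpers are constructed fixtures so the probe can be exercised offline, and the error strings are my own naming.

```python
"""
Client-side probe for an SSL VPN gateway port (added example, not from the thread).

  refused : TCP RST came back. Address reachable, nothing accepting on the port
            (policy not active, bound to another address/VRF, wrong port).
  timeout : no answer at all (ACL, zone-based firewall, upstream filter,
            or wrong address).
  open    : TCP completed; a TLS handshake is then attempted and the
            negotiated version, cipher and certificate size are reported.
"""
import socket
import ssl


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error:<errno>' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:          # must precede OSError
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:                  # e.g. no route to host
        return "error:%s" % exc.errno


def probe_tls(host, port, timeout=3.0):
    """TCP connect, then a TLS handshake with verification disabled so that a
    self-signed gateway certificate is reported rather than rejected.
    Returns a dict describing how far the connection got."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE         # we want to see the cert, not trust it
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"tcp": "refused", "tls": None}
    except socket.timeout:
        return {"tcp": "timeout", "tls": None}
    except OSError as exc:
        return {"tcp": "error:%s" % exc.errno, "tls": None}
    try:
        # wrap_socket takes over the fd and performs the handshake immediately
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)   # DER bytes of the server cert
            return {"tcp": "open", "tls": "ok",
                    "version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "cert_der_bytes": len(der) if der else 0}
    except ssl.SSLError as exc:
        # port is open but the listener is not speaking TLS to us
        return {"tcp": "open", "tls": "handshake-failed", "reason": exc.reason}
    except OSError as exc:                  # e.g. handshake timed out
        return {"tcp": "open", "tls": "error", "reason": str(exc)}


class LocalListener:
    """Constructed fixture: a plain TCP listener on 127.0.0.1 with an OS-chosen
    port, so probe_tcp() can be exercised without a router."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def close(self):
        self.sock.close()


def closed_local_port():
    """Constructed fixture: pick a loopback port that nothing is listening on
    (bind to port 0, read the number, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    # usage: python probe.py <gateway-ip> <port>
    print(probe_tls(sys.argv[1], int(sys.argv[2])))
```

A "refused" result from the gateway's own address is the useful one here: the packet reached the router and the router deliberately reset it, so ACLs and routing are not the problem and the question becomes why nothing is bound to that address and port. A "timeout" points the other way, at filtering or addressing. An "open" with "handshake-failed" means a listener exists but is not the SSL VPN service.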

Hello Johann

It seems that your specific router and platform are causing issues. If the IOS and router model you have should support these features, then you may want to open a TAC case with Cisco to see why it is behaving in this way.

I wish we could have been more help!

Laz