To give clientless remote-access users access to corporate applications, the security appliance (the ISR) acts as a proxy. It converts web and even some non-web applications so that they can be protected by SSL. The Cisco ISR offers the following techniques to provide resource and application access:
* URL and Common Internet File System (CIFS) file access: When the client browser establishes the SSL session and the user is authenticated, the gateway can present a page with resource bookmarks. These allow the user to access pre-configured web pages or file shares. The user can also enter the address of a resource and access it that way if the user's permissions allow it.
* Port forwarding: Provides access to TCP-based applications by mapping application-specific ports on the remote computer to application-specific ports on the internal servers. Port forwarding requires that a Java applet be downloaded to the client. This applet listens on ports on the client machine and forwards the connection to the gateway.
Deployment Tasks
The basic deployment tasks for creating a basic Cisco IOS Software SSL VPN with either a client-based or a clientless solution are as follows:
Task 1: Configure the ISR with basic SSL VPN gateway features to include provisioning a certificate to enable SSL/TLS server authentication.
Task 2: Configure basic user authentication by adding user accounts with passwords and creating an access policy for all remote users.
Task 3: (Optional) Configure full tunneling VPN access to internal resources if the connection requires access that is like being connected to the internal network directly.
Task 4: (Optional) Deploy the Cisco AnyConnect VPN client if full tunneling is required.
Task 5: (Optional) Configure clientless VPN access to internal resources if the connection only requires browser-based access.
In this scenario, I've used my 1841 router with Advanced Security IOS as the SSL VPN gateway since this device has enough space on its flash memory to load the Cisco AnyConnect file.
R1#show flash
-#- --length-- -----date/time------ path
1 1821 Nov 19 2007 23:57:00 +00:00 sdmconfig-18xx.cfg
2 861696 Nov 19 2007 23:57:20 +00:00 es.tar
3 1164288 Nov 19 2007 23:57:46 +00:00 common.tar
4 1038 Nov 19 2007 23:58:10 +00:00 home.shtml
5 113152 Nov 19 2007 23:58:30 +00:00 home.tar
6 21846564 Jan 26 2013 10:03:34 +00:00 c1841-advsecurityk9-mz.124-9.T.bin
R1#copy tftp://172.16.1.50/anyconnect-win-2.5.1025-k9.pkg flash
Destination filename [anyconnect-win-2.5.1025-k9.pkg]?
Accessing tftp://172.16.1.50/anyconnect-win-2.5.1025-k9.pkg...
Loading anyconnect-win-2.5.1025-k9.pkg from 172.16.1.50 (via FastEthernet0/1): !!!!!!!!!!!!!!!!!!
[OK - 4436544 bytes]
4436544 bytes copied in 19.988 secs (221960 bytes/sec)
R1#show flash
-#- --length-- -----date/time------ path
1 1821 Nov 19 2007 23:57:00 +00:00 sdmconfig-18xx.cfg
2 861696 Nov 19 2007 23:57:20 +00:00 es.tar
3 1164288 Nov 19 2007 23:57:46 +00:00 common.tar
4 1038 Nov 19 2007 23:58:10 +00:00 home.shtml
5 113152 Nov 19 2007 23:58:30 +00:00 home.tar
6 21846564 Jan 26 2013 10:03:34 +00:00 c1841-advsecurityk9-mz.124-9.T.bin
7 4436544 Jan 27 2013 02:00:54 +00:00 anyconnect-win-2.5.1025-k9.pkg
4718592 bytes available (27197440 bytes used)
R1#configure terminal
R1(config)#aaa ?
new-model Enable NEW access control commands and functions.(Disables OLD
commands.)
R1(config)#aaa new-model
R1(config)#aaa ?
accounting Accounting configurations parameters.
attribute AAA attribute definitions
authentication Authentication configurations parameters.
authorization Authorization configurations parameters.
cache AAA cache definitions
configuration Authorization configuration parameters.
dnis Associate certain AAA parameters to a specific DNIS number
group AAA group definitions
local AAA Local method options
max-sessions Adjust initial hash size for estimated max sessions
nas NAS specific configuration
new-model Enable NEW access control commands and functions.(Disables
OLD commands.)
pod POD processing
route Static route downloading
session-id AAA Session ID
session-mib AAA session MIB options
traceback Traceback recording
user AAA user definitions
R1(config)#aaa authentication ?
arap Set authentication lists for arap.
attempts Set the maximum number of authentication attempts
banner Message to use when starting login/authentication.
dot1x Set authentication lists for IEEE 802.1x.
enable Set authentication list for enable.
eou Set authentication lists for EAPoUDP
fail-message Message to use for failed login/authentication.
login Set authentication lists for logins.
password-prompt Text to use when prompting for a password
ppp Set authentication lists for ppp.
sgbp Set authentication lists for sgbp.
username-prompt Text to use when prompting for a username
R1(config)#aaa authentication login ?
WORD Named authentication list.
default The default authentication list.
R1(config)#aaa authentication login SSL_VPN_AUTHENTICATION ?
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V
Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support
R1(config)#aaa authentication login SSL_VPN_AUTHENTICATION local
R1(config)#username vpnuser password cisco123
R1(config)#ip http ?
access-class Restrict http server access by access-class
active-session-modules Set up active http server session modules
authentication Set http server authentication method
client Set http client parameters
help-path HTML help root URL
max-connections Set maximum number of concurrent http server
connections
path Set base path for HTML
port Set http port
secure-active-session-modules Set up active http secure server session
modules
secure-ciphersuite Set http secure server ciphersuite
secure-client-auth Set http secure server with client
authentication
secure-port Set http secure server port number for
listening
secure-server Enable HTTP secure server
secure-trustpoint Set http secure server certificate trustpoint
server Enable http server
session-module-list Set up a http(s) server session module list
timeout-policy Set http server time-out policy parameters
R1(config)#ip http server
R1(config)#ip http secure-server
Jan 27 02:52:22.947: %PKI-6-AUTOSAVE: Running configuration saved to NVRAM
R1(config)#ip local ?
policy Enable policy routing
pool IP Local address pool lists
R1(config)#ip local pool ?
WORD Create named local address pool
default Create default local address pool
R1(config)#ip local pool SSL_VPN_POOL ?
A.B.C.D First IP address of range
cache-size Number of free entries to search
group Create ip local pool group
<cr>
R1(config)#ip local pool SSL_VPN_POOL 192.168.1.10 ?
A.B.C.D Last IP address of range
cache-size Number of free entries to search
group Create ip local pool group
<cr>
R1(config)#ip local pool SSL_VPN_POOL 192.168.1.10 192.168.1.150
R1(config)#webvpn ?
context Specify webvpn context
gateway Virtual Gateway configuration
install Install package command
R1(config)#webvpn install ?
csd Install a Secure Desktop package
svc Install a SSLVPN Client package
<cr>
R1(config)#webvpn install svc ?
WORD Filename of installing package
R1(config)#webvpn install svc anyconnect-win-2.5.1025-k9.pkg
SSLVPN Package SSL-VPN-Client : installed successfully
SSL_VPN_GW(config)#webvpn gateway ?
WORD Name of virtual gateway
R1(config)#webvpn gateway SSL_VPN_GW
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config-webvpn-gateway)#
Jan 27 02:44:43.279: %SSH-5-ENABLED: SSH 1.99 has been enabled
Jan 27 02:44:44.827: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
R1(config-webvpn-gateway)#do write memory
Building configuration...
[OK]
R1(config-webvpn-gateway)#?
SSLVPN Gateway Submode commands:
exit Exit from gateway configuration mode
hostname Hostname used in URL & Cookie mangling
http-redirect enable HTTP redirect feature
inservice Enable webvpn gateway
ip Virtual Gateway IP config
no Negate or set default values of a command
ssl SSL configurations for front end client connections
R1(config-webvpn-gateway)#ip ?
address Virtual Gateway IPaddr
R1(config-webvpn-gateway)#ip address ?
A.B.C.D Gateway IP address
R1(config-webvpn-gateway)#ip address 172.16.1.254 ?
port port configuration
secondary configure gateway as secondary IP
<cr>
R1(config-webvpn-gateway)#ip address 172.16.1.254 port ?
443 Default secure port
<1025-65535> Port number
R1(config-webvpn-gateway)#ip address 172.16.1.254 port 443
R1(config-webvpn-gateway)#http-redirect ?
port port number to redirect
<cr>
R1(config-webvpn-gateway)#http-redirect port ?
80 Default redirect port
<1025-65535> Port number
R1(config-webvpn-gateway)#http-redirect port 80
R1(config-webvpn-gateway)#ssl ?
encryption SSL transforms
trustpoint SSL trustpoint
R1(config-webvpn-gateway)#ssl encryption ?
3des-sha1 3DES and SHA1
aes-sha1 AES and SHA1
rc4-md5 RC4 and MD5
R1(config-webvpn-gateway)#ssl encryption 3des-sha1 ?
aes-sha1 AES and SHA1
rc4-md5 RC4 and MD5
<cr>
R1(config-webvpn-gateway)#ssl encryption 3des-sha1 aes-sha1
R1(config-webvpn-gateway)#inservice
R1(config-webvpn-gateway)#exit
R1(config)#do show webvpn gateway
Gateway Name Admin Operation
------------ ----- ---------
SSL_VPN_GW up up
R1(config)#webvpn context ?
WORD Name of webvpn context
R1(config)#webvpn context SSL_VPN_CONTEXT
R1(config-webvpn-context)#?
SSLVPN Submode commands:
aaa AAA config for context
csd Cisco Secure Desktop config
default-group-policy Default group policy
exit Exit from SSLVPN mode
gateway Associate gateway to context
inservice Bring context to inservice
login-message Login messsage to be displayed
logo Logo file to be displayed
max-users Maximum users for this context
nbns-list NBNS list configuration submode
no Negate or set default values of a command
policy Policy configuration
port-forward Port-forward list config submode
secondary-color Secondary color for the browser
secondary-text-color Secondary text color for the browser
ssl SSL configurations for backend server connections
text-color Text color for the browser
title Title to be displayed on the browser
title-color Title color for the browser
url-list URL list configuration submode
vrf-name VRF associated to context
R1(config-webvpn-context)#gateway SSL_VPN_GW
R1(config-webvpn-context)#policy ?
group Group Policy configuration
R1(config-webvpn-context)#policy group ?
WORD Group Policy name
R1(config-webvpn-context)#policy group SSL_VPN_POLICY
R1(config-webvpn-group)#?
SSLVPN Group Policy Configuration Commands:
banner Specify the banner to be used
citrix Citrix configuration
exit Exit from group-policy configuration mode
filter Network ACL
functions Configuring VPN features
hide-url-bar Disable URL bar on portal page
nbns-list NBNS list
no Negate a command or set its defaults
port-forward Port-forward list
svc Tunnel specific configuration
timeout WebVPN timeout values
url-list URL list
R1(config-webvpn-group)#banner ?
WORD Banner string
R1(config-webvpn-group)#banner "Welcome to SSL VPN Lab"
R1(config-webvpn-group)#functions ?
file-access Enable File Access
file-browse Allow File Browsing
file-entry Allow File Entry
svc-enabled Enabled to run tunnel-mode
svc-required Required to run tunnel-mode
R1(config-webvpn-group)#functions svc-enabled
R1(config-webvpn-group)#svc ?
address-pool Assign addresses from the pool to remote users
default-domain Specify the default domain
dns-server DNS Server
dpd-interval WebVPN dpd interval
homepage Specify the homepage to be used
keep-client-installed Keep tunnel client installed after termination
msie-proxy Microsoft Internet Explorer browser proxy settings
rekey SSLVPN Client rekey command
split Split Tunnel configuration commands
wins-server WINS Server
R1(config-webvpn-group)#svc keep-client-installed
R1(config-webvpn-group)#svc address-pool ?
WORD Address pool name
R1(config-webvpn-group)#svc address-pool SSL_VPN_POOL
R1(config-webvpn-group)#exit
R1(config-webvpn-context)#default-group-policy ?
WORD default group policy name
R1(config-webvpn-context)#default-group-policy SSL_VPN_POLICY
R1(config-webvpn-context)#aaa ?
accounting accounting parameters
authentication authetication parameters
R1(config-webvpn-context)#aaa authentication ?
domain domain to be used for authentication
list authetication list
R1(config-webvpn-context)#aaa authentication list ?
WORD list name
R1(config-webvpn-context)#aaa authentication list SSL_VPN_AUTHENTICATION
R1(config-webvpn-context)#inservice
Jan 27 03:12:21.843: %SSLVPN-5-UPDOWN: sslvpn context : SSL_VPN_CONTEXT changed state to UP
R1(config-webvpn-context)#do show webvpn context
Codes: AS - Admin Status, OS - Operation Status
VHost - Virtual Host
Context Name Gateway Domain/VHost VRF AS OS
------------ ------- ------------ ------- ---- --------
SSL_VPN_CONTEXT SSL_VPN_ - - up up
For some reason the SSL VPN connection initially didn't work. So I ran some debugs on R1 and found the error. My Google search led me to believe that the error was due to an incompatible cipher algorithm. I changed it to another type and it loaded successfully afterwards.
R1#debug ssl openssl errors
<output truncated>
Jan 27 06:40:00.854: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:00.858: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.846: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.850: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.970: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.970: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.978: SSLVPN: sslvpn process rcvd context queue event
Jan 27 06:40:02.978: SSLVPN: Entering APPL with Context: 0x64703D58,
Data buffer(buffer: 0x649035D8, data: 0xE75BD078, len: 1,
offset: 0, domain: 0)
Jan 27 06:40:02.978: SSLVPN: Fragmented App data - buffered
Jan 27 06:40:02.978: SSLVPN: Entering APPL with Context: 0x64703D58,
Data buffer(buffer: 0x649035B8, data: 0xE7204718, len: 483,
offset: 0, domain: 0)
Jan 27 06:40:02.978: SSLVPN: Appl. processing Failed : 2
Jan 27 06:40:02.978: SSLVPN: server side not ready to send.
SSL_VPN_GW#show run | sec webvpn
webvpn gateway SSL_VPN_GW
ip address 172.16.1.254 port 443
http-redirect port 80
ssl encryption 3des-sha1 aes-sha1
ssl trustpoint TP-self-signed-514137430
inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context SSL_VPN_CONTEXT
ssl authenticate verify all
!
!
policy group SSL_VPN_POLICY
functions svc-enabled
banner "Welcom to SSL VPN Lab"
svc address-pool "SSL_VPN_POOL"
svc keep-client-installed
default-group-policy SSL_VPN_POLICY
aaa authentication list SSL_VPN_AUTHENTICATION
gateway SSL_VPN_GW
inservice
SSL_VPN_GW#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SSL_VPN_GW(config)#webvpn gateway SSL_VPN_GW
SSL_VPN_GW(config-webvpn-gateway)#no ssl encryption 3des-sha1 aes-sha1
SSL_VPN_GW(config-webvpn-gateway)#ssl encryption ?
3des-sha1 3DES and SHA1
aes-sha1 AES and SHA1
rc4-md5 RC4 and MD5
SSL_VPN_GW(config-webvpn-gateway)#ssl encryption rc4-md5
SSL_VPN_GW#show webvpn session context all
WebVPN context name: SSL_VPN_CONTEXT
Client_Login_Name Client_IP_Address No_of_Connections Created Last_Used
vpnuser 172.16.1.50 2 00:01:50 00:01:08
SSL_VPN_GW#show webvpn session user vpnuser context all
WebVPN user name = vpnuser ; IP address = 172.16.1.50 ; context = SSL_VPN_CONTEXT
No of connections: 1
Created 00:03:03, Last-used 00:02:21
Client Port: 20512
User Policy Parameters
Group name = SSL_VPN_POLICY
Group Policy Parameters
banner = "Welcom to SSL VPN Lab"
idle timeout = 2100 sec
session timeout = 43200 sec
functions = svc-enabled
citrix disabled
address pool name = "SSL_VPN_POOL"
default domain = "lab.com"
dpd client timeout = 300 sec
dpd gateway timeout = 300 sec
keep sslvpn client installed = enabled
rekey interval = 3600 sec
rekey method =
lease duration = 43200 sec
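The following Python script is an added example, not part of the original post or of Cisco's tooling. It parses a `show run | section webvpn` dump like the one above and checks it against the deployment tasks listed earlier (trustpoint for Task 1, AAA list for Task 2, address pool for Task 3, installed svc package for Task 4), and it also grades the `ssl encryption` list, so the suite the post settled on, rc4-md5, is reported as weak along with the self-signed trustpoint. The sample configurations are constructed from values shown on the page; `LAB_CA_TRUSTPOINT`, the severities and the weak/acceptable cipher split are my own assumptions, not anything IOS enforces.

```python
"""Audit Cisco IOS 'show run | section webvpn' output against the deployment
tasks on this page and flag weak SSL gateway settings.

Added example, not from the original post. The sample configs are constructed
from values the post shows; check names, severities and the weak/acceptable
cipher split are my own classification, not IOS behaviour."""
import re

# Keywords exactly as the IOS 'ssl encryption' command names them (see '?' help above).
WEAK_CIPHERS = {"rc4-md5", "3des-sha1"}   # RC4 and 3DES are legacy suites
ACCEPTABLE_CIPHERS = {"aes-sha1"}

# Constructed: the post's running config after the author switched to rc4-md5.
SAMPLE_CONFIG = """\
webvpn gateway SSL_VPN_GW
 ip address 172.16.1.254 port 443
 http-redirect port 80
 ssl encryption rc4-md5
 ssl trustpoint TP-self-signed-514137430
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context SSL_VPN_CONTEXT
 ssl authenticate verify all
 policy group SSL_VPN_POLICY
   functions svc-enabled
   banner "Welcom to SSL VPN Lab"
   svc address-pool "SSL_VPN_POOL"
   svc keep-client-installed
 default-group-policy SSL_VPN_POLICY
 aaa authentication list SSL_VPN_AUTHENTICATION
 gateway SSL_VPN_GW
 inservice
"""
# Constructed hardened variant: AES only, CA-issued trustpoint (LAB_CA_TRUSTPOINT is hypothetical).
HARDENED_CONFIG = (SAMPLE_CONFIG.replace("ssl encryption rc4-md5", "ssl encryption aes-sha1")
                   .replace("TP-self-signed-514137430", "LAB_CA_TRUSTPOINT"))

def parse_webvpn(text):
    """Split the dump into ({gateway: lines}, {context: lines}, [svc packages]).
    Leading whitespace is ignored, so pasted output without indentation also parses."""
    gateways, contexts, packages, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"webvpn (gateway|context) (\S+)$", line)
        if m:
            table = gateways if m.group(1) == "gateway" else contexts
            current = table.setdefault(m.group(2), [])
        elif line.startswith("webvpn install svc "):
            packages.append(line.split()[3])
            current = None
        elif current is not None:
            current.append(line)
    return gateways, contexts, packages

def audit_webvpn(text):
    """Return [(severity, message)]; an empty list means every check passed."""
    gateways, contexts, packages = parse_webvpn(text)
    findings = []
    for name, lines in gateways.items():
        tp = [l for l in lines if l.startswith("ssl trustpoint ")]
        if not tp:
            findings.append(("HIGH", f"gateway {name}: no ssl trustpoint, TLS server auth impossible (Task 1)"))
        elif tp[0].startswith("ssl trustpoint TP-self-signed-"):
            findings.append(("MEDIUM", f"gateway {name}: self-signed trustpoint, clients cannot validate it against a trusted CA"))
        ciphers = set()
        for l in lines:
            if l.startswith("ssl encryption "):
                ciphers.update(l.split()[2:])
        weak = ciphers & WEAK_CIPHERS
        if weak:
            findings.append(("HIGH", f"gateway {name}: weak cipher suite(s) enabled: {', '.join(sorted(weak))}"))
        if ciphers and not ciphers & ACCEPTABLE_CIPHERS:
            findings.append(("HIGH", f"gateway {name}: no AES suite offered, every session uses a weak suite"))
    for name, lines in contexts.items():
        gw = [l.split()[1] for l in lines if l.startswith("gateway ")]
        if not gw or gw[0] not in gateways:
            findings.append(("HIGH", f"context {name}: gateway missing or undefined"))
        if not any(l.startswith("aaa authentication list ") for l in lines):
            findings.append(("HIGH", f"context {name}: no aaa authentication list (Task 2)"))
        policies = {l.split()[2] for l in lines if l.startswith("policy group ")}
        default = [l.split()[1] for l in lines if l.startswith("default-group-policy ")]
        if not default or default[0] not in policies:
            findings.append(("HIGH", f"context {name}: default-group-policy missing or undefined"))
        svc_on = any(l.startswith("functions svc-") for l in lines)
        if svc_on and not packages:
            findings.append(("HIGH", f"context {name}: tunnel mode enabled but no svc package installed (Task 4)"))
        if svc_on and not any(l.startswith("svc address-pool ") for l in lines):
            findings.append(("HIGH", f"context {name}: tunnel mode enabled but no svc address-pool (Task 3)"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_webvpn(SAMPLE_CONFIG) or [("OK", "no findings")]:
        print(f"[{sev}] {msg}")
```

Run against the post's final configuration, the audit reports the self-signed trustpoint and the rc4-md5 suite (with no AES suite left to negotiate); the hardened variant passes clean. The parser strips indentation on purpose, because copy-pasted IOS output, like the listing above, often loses its leading spaces.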