Solved

Cannot get Tunnel Mode SSL VPN to work

Posted on 2008-06-13
Last Modified: 2012-06-21
Hi Experts.

I cannot get SSL VPN tunnel mode to work on a Cisco 1801 router. I can get the URL side working fine, but when I try to set up tunnel mode using SDM, I get the following error message when I try to connect.

An error has been found in the VPN server certificate.

Certificate received is signed by an untrusted authority.

I then have the option to install the certificate. This process seems to work, but I then get the following error.

The SSL VPN HTTP response code received from the gateway indicates an error, contact your network administrator.

Am I doing something wrong with regards to the certificate? Below is the config of the router.
User Access Verification

Username: sdm
Password:

Router#show run
Building configuration...

Current configuration : 4329 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret *
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-639909846
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-639909846
 revocation-check none
 rsakeypair TP-self-signed-639909846
!
!
crypto pki certificate chain TP-self-signed-639909846
 certificate self-signed 01
  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36333939 30393834 36301E17 0D303830 36313331 31313231
  365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3633 39393039
  38343630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  A0C544ED 00D2A36B 1FAED224 6AB933C1 0F4C6362 9A9D51F3 BF6B9147 1844A084
  3BA4A0C0 D1E476FF B59C784F D30563AD E5F46612 859135D0 1E5D573A 0B908789
  A639CA66 3D340C79 010DD0C4 A8D42F7D 7C5D9ED1 351E2A69 4CC94D77 71F837FC
  B171ED22 D5F13B5F 2F6EEC81 05894D89 6A6A837E 8C8E9C59 1823A685 33524B19
  02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
  11040A30 08820652 6F757465 72301F06 03551D23 04183016 80140938 6E3C3DB6
  D71DF967 FE3147BC C442266B 75A9301D 0603551D 0E041604 1409386E 3C3DB6D7
  1DF967FE 3147BCC4 42266B75 A9300D06 092A8648 86F70D01 01040500 03818100
  81BE8DE3 B0C52C83 6689ACC2 98B517C1 C201C27E D8A18178 AEE848C3 5770582E
  93FF120B 60168408 F4B54722 06253C22 4391C59F 8D280C36 6D6910DC 325A8719
  392F1F72 B9BB5515 9D7C99C9 2B211D26 AAF5D9B9 05DDAF6A C04EF15E 9C3ABA01
  1102FC4C B1BE2D2B C7C8240C FEC0A326 7F5297BF 20A86F03 25B27605 094C6994
        quit
!
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.10 10.10.10.20
!
ip dhcp pool home
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1
!
!
!
multilink bundle-name authenticated
!
!
username sdm privilege 15 password 0 *
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $FW_OUTSIDE$
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 load-interval 60
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Vlan1
 description $FW_INSIDE$$ES_LAN$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool Poll 10.10.20.1 10.10.20.5
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source static tcp 10.10.10.101 53225 interface FastEthernet0 53225
ip nat inside source static tcp 10.10.10.200 5900 interface FastEthernet0 5900
ip nat inside source route-map nat interface FastEthernet0 overload
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
route-map nat permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password *
 transport input telnet ssh
!
!
webvpn gateway gateway_1
 ip address *.*.*.* port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-639909846
 inservice
 
!
webvpn cef
 !
webvpn install svc flash:/webvpn/svc.pkg
 !
webvpn context SSLVPN
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 url-list "Test"
   heading "Test"
   url-text "Test" url-value "http://10.10.10.6"
 !
 !
 policy group policy_1
   url-list "Test"
   functions svc-enabled
   mask-urls
   svc address-pool "Poll"
   svc keep-client-installed
  default-group-policy policy_1
  aaa authentication list sdm_vpn_xauth_ml_1
  gateway gateway_1
  inservice
!
end
Question by:mitsyisfat
4 Comments
 
LVL 2

Expert Comment

by:artisticsoul
ID: 21784165
What does the log on the router say for the connection? Have you been able to run a debug on the router?
 

Author Comment

by:mitsyisfat
ID: 21791674
This is what I get on a debug webvpn. Thanks

Router#
*Jun 16 08:33:20.934: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:20.934: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:21.442: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:21.442: WV: Entering APPL with Context: 0x8526D7B8,
      Data buffer(buffer: 0x84E672C8, data: 0x07A73E18, len: 198,
      offset: 0, domain: 0)
*Jun 16 08:33:21.442: WV: http request: / with no cookie
*Jun 16 08:33:21.442: WV: Client side Chunk data written..
 buffer=0x84E67508 total_len=186 bytes=186 tcb=0x853EACCC
*Jun 16 08:33:21.446: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:22.490: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:22.494: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:23.590: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:23.590: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:24.146: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:24.146: WV: Entering APPL with Context: 0x8526E698,
      Data buffer(buffer: 0x84E672C8, data: 0x07A7E318, len: 234,
      offset: 0, domain: 0)
*Jun 16 08:33:24.146: WV: http request: /webvpn.html with domain cookie
*Jun 16 08:33:24.150: WV: [Q]Client side Chunk data written..
 buffer=0x84E67508 total_len=1009 bytes=1009 tcb=0x84845014
*Jun 16 08:33:24.150: WV: [Q]Client side Chunk data written..
 buffer=0x84E67528 total_len=1009 bytes=1009 tcb=0x84845014
*Jun 16 08:33:24.150: WV: [Q]Client side Chunk data written..
 buffer=0x84E67488 total_len=1009 bytes=1009 tcb=0x84845014
*Jun 16 08:33:24.150: WV: [Q]Client side Chunk data written..
 buffer=0x84E674A8 total_len=1009 bytes=1009 tcb=0x84845014
*Jun 16 08:33:24.150: WV: Client side Chunk data written..
 buffer=0x84E67128 total_len=633 bytes=633 tcb=0x84845014
*Jun 16 08:33:24.150: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:49.878: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:49.878: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:52.798: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:52.798: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:53.354: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:53.354: WV: Entering APPL with Context: 0x8526D378,
      Data buffer(buffer: 0x84E672C8, data: 0x07A555F8, len: 198,
      offset: 0, domain: 0)
*Jun 16 08:33:53.354: WV: http request: / with no cookie
*Jun 16 08:33:53.354: WV: Client side Chunk data written..
 buffer=0x84E67128 total_len=186 bytes=186 tcb=0x85012714
*Jun 16 08:33:53.354: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:54.050: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:54.050: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:55.290: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:55.290: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:55.782: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:55.782: WV: Entering APPL with Context: 0x8526D9D8,
      Data buffer(buffer: 0x84E672C8, data: 0x07A9DFD8, len: 234,
      offset: 0, domain: 0)
*Jun 16 08:33:55.782: WV: http request: /webvpn.html with domain cookie
*Jun 16 08:33:55.782: WV: [Q]Client side Chunk data written..
 buffer=0x84E67128 total_len=1009 bytes=1009 tcb=0x84F827EC
*Jun 16 08:33:55.782: WV: [Q]Client side Chunk data written..
 buffer=0x84E674A8 total_len=1009 bytes=1009 tcb=0x84F827EC
*Jun 16 08:33:55.782: WV: [Q]Client side Chunk data written..
 buffer=0x84E67488 total_len=1009 bytes=1009 tcb=0x84F827EC
*Jun 16 08:33:55.786: WV: [Q]Client side Chunk data written..
 buffer=0x84E67528 total_len=1009 bytes=1009 tcb=0x84F827EC
*Jun 16 08:33:55.786: WV: Client side Chunk data written..
 buffer=0x84E67508 total_len=633 bytes=633 tcb=0x84F827EC
*Jun 16 08:33:55.786: WV: sslvpn process rcvd context queue event
 
LVL 2

Accepted Solution

by:
artisticsoul earned 500 total points
ID: 21809895
OK, so nothing jumps out at me in the log. I also do not see anything out of the ordinary with the certificate. Something I do see is why are you using the pool 10.10.20.1 10.10.20.5? I do not see you using that anywhere else.
 

Author Closing Comment

by:mitsyisfat
ID: 31466898
It was the DHCP pool. You need to have the pool either within the inside interface range or add a loopback.
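As an added check (not part of the thread), a small Python script that applies the rule from the accepted answer to a constructed IOS config excerpt: every pool referenced by `svc address-pool` must lie inside a subnet that some router interface (the inside VLAN or a loopback) actually has an address in, otherwise the router has no connected route for the client addresses. The config strings are constructed and modelled on the question's configuration; the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt modelled on the poster's config: the SVC pool 10.10.20.x
# is not inside any interface subnet (Vlan1 is 10.10.10.0/24, Fa0 is DHCP).
IOS_CONFIG = """
interface FastEthernet0
 ip address dhcp
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
ip local pool Poll 10.10.20.1 10.10.20.5
webvpn context SSLVPN
 policy group policy_1
   svc address-pool "Poll"
"""

# Constructed "fixed" variant: a loopback gives the router an address in the pool's subnet.
FIXED_CONFIG = IOS_CONFIG + """
interface Loopback0
 ip address 10.10.20.254 255.255.255.0
"""

def connected_subnets(config):
    """IPv4 networks of every interface with a static 'ip address A.B.C.D MASK' line."""
    pat = r"^ ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(pat, config, re.M)]

def local_pools(config):
    """Map pool name -> (first address, last address) from 'ip local pool' lines."""
    pat = r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    return {name: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for name, lo, hi in re.findall(pat, config, re.M)}

def svc_pools(config):
    """Pool names referenced by 'svc address-pool' inside webvpn policy groups."""
    return re.findall(r'^\s*svc address-pool "?([^"\s]+)"?', config, re.M)

def check_svc_pools(config):
    """For each referenced pool: list of connected subnets that cover the whole
    range (empty list = unroutable, as in the question), or None if undefined."""
    nets, pools, result = connected_subnets(config), local_pools(config), {}
    for name in svc_pools(config):
        if name not in pools:
            result[name] = None
            continue
        lo, hi = pools[name]
        result[name] = [str(n) for n in nets if lo in n and hi in n]
    return result
```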