mitsyisfat
asked on
Cannot get Tunnel Mode SSL VPN to work
Hi Experts.
I cannot get SSL VPN tunnel mode to work on a Cisco 1801 router. I can get the URL side working fine, but when I try to set up tunnel mode using SDM, I get the following error message when I try to connect.
An error has been found in the VPN server certificate.
Certificate received is signed by an untrusted authority.
I then have the option to install the certificate. This process seems to work, but I then get the following error.
The SSL VPN HTTP response code received from the gateway indicates an error, contact your network administrator.
Am I doing something wrong with regards to the certificate? Below is the config of the router.
User Access Verification
Username: sdm
Password:
Router#show run
Building configuration...
Current configuration : 4329 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret *
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-639909846
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-639909846
revocation-check none
rsakeypair TP-self-signed-639909846
!
!
crypto pki certificate chain TP-self-signed-639909846
certificate self-signed 01
3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36333939 30393834 36301E17 0D303830 36313331 31313231
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3633 39393039
38343630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
A0C544ED 00D2A36B 1FAED224 6AB933C1 0F4C6362 9A9D51F3 BF6B9147 1844A084
3BA4A0C0 D1E476FF B59C784F D30563AD E5F46612 859135D0 1E5D573A 0B908789
A639CA66 3D340C79 010DD0C4 A8D42F7D 7C5D9ED1 351E2A69 4CC94D77 71F837FC
B171ED22 D5F13B5F 2F6EEC81 05894D89 6A6A837E 8C8E9C59 1823A685 33524B19
02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
11040A30 08820652 6F757465 72301F06 03551D23 04183016 80140938 6E3C3DB6
D71DF967 FE3147BC C442266B 75A9301D 0603551D 0E041604 1409386E 3C3DB6D7
1DF967FE 3147BCC4 42266B75 A9300D06 092A8648 86F70D01 01040500 03818100
81BE8DE3 B0C52C83 6689ACC2 98B517C1 C201C27E D8A18178 AEE848C3 5770582E
93FF120B 60168408 F4B54722 06253C22 4391C59F 8D280C36 6D6910DC 325A8719
392F1F72 B9BB5515 9D7C99C9 2B211D26 AAF5D9B9 05DDAF6A C04EF15E 9C3ABA01
1102FC4C B1BE2D2B C7C8240C FEC0A326 7F5297BF 20A86F03 25B27605 094C6994
quit
!
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.10 10.10.10.20
!
ip dhcp pool home
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
!
!
multilink bundle-name authenticated
!
!
username sdm privilege 15 password 0 *
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
load-interval 60
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
description $FW_INSIDE$$ES_LAN$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool Poll 10.10.20.1 10.10.20.5
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source static tcp 10.10.10.101 53225 interface FastEthernet0 53225
ip nat inside source static tcp 10.10.10.200 5900 interface FastEthernet0 5900
ip nat inside source route-map nat interface FastEthernet0 overload
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
route-map nat permit 1
match ip address 101
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password *
transport input telnet ssh
!
!
webvpn gateway gateway_1
ip address *.*.*.* port 443
http-redirect port 80
ssl trustpoint TP-self-signed-639909846
inservice
!
webvpn cef
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context SSLVPN
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
url-list "Test"
heading "Test"
url-text "Test" url-value "http://10.10.10.6"
!
!
policy group policy_1
url-list "Test"
functions svc-enabled
mask-urls
svc address-pool "Poll"
svc keep-client-installed
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway gateway_1
inservice
!
end
What does the log on the router say for the connection? Have you been able to run a debug on the router?
ASKER
This is what I get on a debug webvpn. Thanks.
Router#
*Jun 16 08:33:20.934: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:20.934: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:21.442: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:21.442: WV: Entering APPL with Context: 0x8526D7B8,
Data buffer(buffer: 0x84E672C8, data: 0x07A73E18, len: 198,
offset: 0, domain: 0)
*Jun 16 08:33:21.442: WV: http request: / with no cookie
*Jun 16 08:33:21.442: WV: Client side Chunk data written..
buffer=0x84E67508 total_len=186 bytes=186 tcb=0x853EACCC
*Jun 16 08:33:21.446: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:22.490: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:22.494: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:23.590: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:23.590: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:24.146: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:24.146: WV: Entering APPL with Context: 0x8526E698,
Data buffer(buffer: 0x84E672C8, data: 0x07A7E318, len: 234,
offset: 0, domain: 0)
*Jun 16 08:33:24.146: WV: http request: /webvpn.html with domain cookie
*Jun 16 08:33:24.150: WV: [Q]Client side Chunk data written..
buffer=0x84E67508 total_len=1009 bytes=1009 tcb=0x84845014
*Jun 16 08:33:24.150: WV: [Q]Client side Chunk data written..
buffer=0x84E67528 total_len=1009 bytes=1009 tcb=0x84845014
*Jun 16 08:33:24.150: WV: [Q]Client side Chunk data written..
buffer=0x84E67488 total_len=1009 bytes=1009 tcb=0x84845014
*Jun 16 08:33:24.150: WV: [Q]Client side Chunk data written..
buffer=0x84E674A8 total_len=1009 bytes=1009 tcb=0x84845014
*Jun 16 08:33:24.150: WV: Client side Chunk data written..
buffer=0x84E67128 total_len=633 bytes=633 tcb=0x84845014
*Jun 16 08:33:24.150: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:49.878: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:49.878: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:52.798: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:52.798: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:53.354: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:53.354: WV: Entering APPL with Context: 0x8526D378,
Data buffer(buffer: 0x84E672C8, data: 0x07A555F8, len: 198,
offset: 0, domain: 0)
*Jun 16 08:33:53.354: WV: http request: / with no cookie
*Jun 16 08:33:53.354: WV: Client side Chunk data written..
buffer=0x84E67128 total_len=186 bytes=186 tcb=0x85012714
*Jun 16 08:33:53.354: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:54.050: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:54.050: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:55.290: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:55.290: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:55.782: WV: sslvpn process rcvd context queue event
*Jun 16 08:33:55.782: WV: Entering APPL with Context: 0x8526D9D8,
Data buffer(buffer: 0x84E672C8, data: 0x07A9DFD8, len: 234,
offset: 0, domain: 0)
*Jun 16 08:33:55.782: WV: http request: /webvpn.html with domain cookie
*Jun 16 08:33:55.782: WV: [Q]Client side Chunk data written..
buffer=0x84E67128 total_len=1009 bytes=1009 tcb=0x84F827EC
*Jun 16 08:33:55.782: WV: [Q]Client side Chunk data written..
buffer=0x84E674A8 total_len=1009 bytes=1009 tcb=0x84F827EC
*Jun 16 08:33:55.782: WV: [Q]Client side Chunk data written..
buffer=0x84E67488 total_len=1009 bytes=1009 tcb=0x84F827EC
*Jun 16 08:33:55.786: WV: [Q]Client side Chunk data written..
buffer=0x84E67528 total_len=1009 bytes=1009 tcb=0x84F827EC
*Jun 16 08:33:55.786: WV: Client side Chunk data written..
buffer=0x84E67508 total_len=633 bytes=633 tcb=0x84F827EC
*Jun 16 08:33:55.786: WV: sslvpn process rcvd context queue event
ASKER CERTIFIED SOLUTION
ASKER
It was the DHCP pool. You need to have the pool either within the inside interface range or add a loopback.
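The closing note above is the whole fix: the SVC address pool "Poll" (10.10.20.1-10.10.20.5) sits on a subnet the router has no interface in, so the only addressed inside interface, Vlan1 on 10.10.10.0/24, cannot serve it. The following Python script is an added example, not code from the thread or from Cisco, that lints a show run excerpt for exactly this mistake: it collects the subnets of statically addressed interfaces, reads every ip local pool, and reports any svc address-pool that no connected subnet covers. The config excerpts inside it are constructed from the thread's config (the gateway address, masked in the post, is replaced by the documentation placeholder 192.0.2.1), and the two corrected variants (pool moved into the Vlan1 range with those addresses excluded from DHCP, or a Loopback0 at 10.10.20.254/24 added for the existing pool) are assumptions that illustrate the two options the asker names, not the asker's literal change.

```python
import ipaddress
import re

# Constructed excerpt of the thread's running config, reduced to the lines
# this check needs. The SVC pool is 10.10.20.1-10.10.20.5, but the only
# statically addressed interface is Vlan1 on 10.10.10.0/24. The gateway
# address 192.0.2.1 is a placeholder for the masked public IP in the post.
ORIGINAL_CONFIG = """\
interface FastEthernet0
 ip address dhcp
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
!
ip local pool Poll 10.10.20.1 10.10.20.5
!
webvpn gateway gateway_1
 ip address 192.0.2.1 port 443
!
webvpn context SSLVPN
 policy group policy_1
  svc address-pool "Poll"
"""

# Fix variant 1 (assumed, not the asker's literal change): move the pool
# inside the Vlan1 subnet and keep the DHCP server off those addresses.
FIXED_POOL_CONFIG = ORIGINAL_CONFIG.replace(
    "ip local pool Poll 10.10.20.1 10.10.20.5",
    "ip dhcp excluded-address 10.10.10.30 10.10.10.40\n"
    "ip local pool Poll 10.10.10.30 10.10.10.40",
)

# Fix variant 2 (assumed): keep the pool and give the router an interface
# in the pool's subnet, here a Loopback0 at 10.10.20.254/24.
FIXED_LOOPBACK_CONFIG = ORIGINAL_CONFIG.replace(
    "ip local pool Poll 10.10.20.1 10.10.20.5",
    "interface Loopback0\n"
    " ip address 10.10.20.254 255.255.255.0\n"
    "!\n"
    "ip local pool Poll 10.10.20.1 10.10.20.5",
)

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
# Only dotted-decimal address/mask pairs; "ip address dhcp" and the webvpn
# gateway's "ip address <ip> port 443" deliberately do not match.
ADDR_RE = re.compile(r"^\s*ip address\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s*$")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})")
SVC_POOL_RE = re.compile(r'^\s*svc address-pool\s+"?([^"\s]+)"?')


def connected_subnets(config):
    """Return {interface name: IPv4Network} for every statically addressed interface."""
    subnets = {}
    current = None
    for line in config.splitlines():
        if line.strip() == "!":        # IOS section terminator: leave the interface block
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            subnets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return subnets


def local_pools(config):
    """Return {pool name: (first IPv4Address, last IPv4Address)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def svc_pools(config):
    """Names of pools referenced by 'svc address-pool' inside webvpn policy groups."""
    names = []
    for line in config.splitlines():
        m = SVC_POOL_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def check_svc_pools(config):
    """Return a list of problem strings; an empty list means every SVC pool is covered."""
    subnets = connected_subnets(config)
    pools = local_pools(config)
    problems = []
    for name in svc_pools(config):
        if name not in pools:
            problems.append(f"pool {name!r} referenced but not defined")
            continue
        first, last = pools[name]
        covering = [iface for iface, net in subnets.items() if first in net and last in net]
        if not covering:
            problems.append(f"pool {name!r} ({first}-{last}) is not inside any connected subnet")
    return problems


if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL_CONFIG),
                       ("pool in LAN", FIXED_POOL_CONFIG),
                       ("loopback", FIXED_LOOPBACK_CONFIG)]:
        print(f"{label}: {check_svc_pools(cfg) or 'OK'}")
```

Run it against a saved show run and it reports the original config's pool as uncovered while both corrected variants pass. The check is deliberately conservative: it only trusts interfaces with a static dotted-decimal address, so a DHCP-addressed outside interface never counts as covering a pool, and if the pool is moved into the LAN range the excluded-address line matters because the router's own DHCP pool "home" spans the whole 10.10.10.0/24.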