
Cisco 1841 SSL VPN/Anyconnect Help

skapple asked on
I'm pretty new to Cisco programming and am trying to get an SSL VPN set up for remote access using Anyconnect version 3.1.04509. If I try to connect via a web browser I get an error telling me the security certificate is not secure. If I try to connect via Anyconnect I get an error saying "Untrusted VPN Server Blocked." If I change the Anyconnect settings to allow connections to untrusted servers, I get two errors that say "Certificate does not match the server name" and "Certificate is malformed." Below is the running config in the router at this time. There is another Site-to-Site VPN tunnel that is up and working properly on this device. Any help would be greatly appreciated. Thanks

Current configuration : 7741 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname buchanan1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 XXXXXXX
enable password XXXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
crypto pki trustpoint buchanan_Certificate
 enrollment selfsigned
 revocation-check crl
 rsakeypair buchanan_rsakey_pairname
!
crypto pki certificate chain buchanan_Certificate
 certificate self-signed 01
  30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
  170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
  311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
  0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
  AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
  79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
  0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
  68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
  97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
  DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
  4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
  3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
        quit
dot11 syslog
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username buchanan privilege 15 password 0 XXXXX
username cybera password 0 cybera
username skapple privilege 15 secret 5 XXXXXXXXXX
username buckys secret 5 XXXXXXXXXXX
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key p2uprEswaspus address XXXXXX
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set cybera esp-3des esp-md5-hmac
!
crypto ipsec profile cybera
 set transform-set cybera
!
archive
 log config
  hidekeys
!
ip ssh version 1
!
!
!
interface Tunnel0
 description Cybera WAN - IPSEC Tunnel
 ip address x.x.x.x 255.255.255.252
 ip virtual-reassembly
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile cybera
!
interface FastEthernet0/0
 description LAN Connection
 ip address 192.168.1.254 255.255.255.0
 ip helper-address 192.168.1.2
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description WAN Connection
 ip address x.x.x.x 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 shutdown
 atm restart timer 300
 no atm ilmi-keepalive
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/0
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip local pool LAN_POOL 192.168.1.50 192.168.1.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 4.71.21.0 255.255.255.224 x.x.x.x
ip route 10.4.0.0 255.255.0.0 x.x.x.x
ip route 10.5.0.0 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.240.0 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip route x.x.x.x 255.255.255.255 x.x.x.x
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.201 22 x.x.x.x 22 extendable
ip nat inside source static tcp 192.168.1.202 23 x.x.x.x 23 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255

control-plane
!
line con 0
line aux 0
line vty 0 4
 password xxxxx
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
 ip address x.x.x.x port 443
 http-redirect port 80
 ssl trustpoint buchanan_Certificate
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1
 !
webvpn context employees
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "LAN_POOL"
   svc default-domain "buchanan.local"
   svc keep-client-installed
   svc dns-server primary 192.168.1.2
   svc wins-server primary 192.168.1.2
 virtual-template 2
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_2
 gateway gateway_1
 max-users 10
 inservice
!
end

buchanan1841#
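The three client errors can be read straight out of the `crypto pki certificate chain` block above, because it is the DER of the self-signed certificate in hex. The script below is an added editorial example, not code from the poster or from any answer on this page: it walks that DER with a small hand-written ASN.1 reader (no third-party modules) and reports the properties a TLS client checks. The mapping of each finding onto an AnyConnect message is my interpretation; "x.x.x.x" stands in for the masked WAN address that users would type into the client, since the page does not show the real one.

```python
"""Added diagnostic (not from the original post): walk the DER of the router's
self-signed cert and list why a TLS client such as AnyConnect refuses it."""
import datetime

# Hex dump copied from the 'crypto pki certificate chain' block in the config.
CERT_HEX = """
30820197 30820141 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
1D311B30 1906092A 864886F7 0D010902 160C6275 6368616E 616E3138 3431301E
170D3133 30373038 32323330 33335A17 0D323030 31303130 30303030 305A301D
311B3019 06092A86 4886F70D 01090216 0C627563 68616E61 6E313834 31305C30
0D06092A 864886F7 0D010101 0500034B 00304802 4100C76B D94BABC2 6D7FB1F1
AF9AA76F E631B841 7CFEA806 1F52420B 9C83D754 D58393B1 EC02FCA8 BFBE82D6
79645A32 4ECEDB43 8AEB1590 9CCC309E 17E70061 86150203 010001A3 6C306A30
0F060355 1D130101 FF040530 030101FF 30170603 551D1104 10300E82 0C627563
68616E61 6E313834 31301F06 03551D23 04183016 8014AF2E 3FCF66AF C8A43F5F
97DFABA9 C74371FD 127A301D 0603551D 0E041604 14AF2E3F CF66AFC8 A43F5F97
DFABA9C7 4371FD12 7A300D06 092A8648 86F70D01 01040500 034100C1 47D2E8B0
4AC15F69 E8CBE141 E8EE96C5 7BF1EE51 102278B8 ED525185 9F112FA6 0D51F7A6
3382DB09 8692EEE7 200471B3 BF12FBD0 223EB549 4A352049 513F4B
"""
ROUTER_CERT = bytes.fromhex("".join(CERT_HEX.split()))
SIG_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSA", "1.2.840.113549.1.1.5": "sha1WithRSA"}

def tlv(buf, pos=0):                           # one TLV -> (tag, value bytes, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: 0x8n then n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def items(buf):                                # all (tag, value) pairs in a constructed value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(b):                             # base-128 arcs, high bit = continue
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_name(name):                          # Name -> [(oid, text)]
    attrs = []
    for _, rdn in items(name):                 # SET of RelativeDistinguishedName
        for _, atv in items(rdn):              # SEQUENCE {OID, value}
            (_, oid), (_, val) = items(atv)
            attrs.append((decode_oid(oid), val.decode("ascii")))
    return attrs

def utctime(b):                                # "YYMMDDhhmmssZ" -> naive UTC datetime
    return datetime.datetime.strptime(b.decode("ascii"), "%y%m%d%H%M%SZ")

def rsa_modulus_bits(spki):                    # SubjectPublicKeyInfo -> modulus bit length
    (_, _alg), (_, bits) = items(spki)         # BIT STRING: unused-bit count, then RSAPublicKey
    (_, rsa_key), = items(bits[1:])
    (_, n), _e = items(rsa_key)
    return int.from_bytes(n, "big").bit_length()

def san_names(exts):                           # [3] Extensions -> subjectAltName entries
    names = []
    (_, seq), = items(exts)
    for _, ext in items(seq):
        parts = items(ext)                     # OID, [critical BOOLEAN], OCTET STRING
        if decode_oid(parts[0][1]) != "2.5.29.17":
            continue
        (_, general_names), = items(parts[-1][1])
        for tag, val in items(general_names):
            if tag == 0x82:                    # dNSName
                names.append(("dns", val.decode("ascii")))
            elif tag == 0x87:                  # iPAddress (IPv4)
                names.append(("ip", ".".join(str(b) for b in val)))
    return names

def parse_cert(der):
    _, cert, _ = tlv(der)                      # Certificate ::= SEQUENCE {tbs, alg, sig}
    (_, tbs), (_, sig_alg), _sig = items(cert)
    fields = items(tbs)[1:]                    # drop [0] EXPLICIT version (this is a v3 cert)
    (_, _serial), _alg, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    exts = next((v for t, v in fields[6:] if t == 0xA3), None)
    (_, nb), (_, na) = items(validity)
    return {"sig_alg": decode_oid(items(sig_alg)[0][1]),
            "issuer": parse_name(issuer), "subject": parse_name(subject),
            "not_before": utctime(nb), "not_after": utctime(na),
            "key_bits": rsa_modulus_bits(spki),
            "san": san_names(exts) if exts else []}

def audit(der, connect_host, now=None):       # findings mapped to the client-side errors
    c = parse_cert(der)
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    names = {n for _, n in c["san"]} | {v for o, v in c["subject"] if o == "2.5.4.3"}
    findings = []
    if connect_host not in names:              # "Certificate does not match the server name"
        findings.append(f"name mismatch: client uses {connect_host!r}, cert names {sorted(names)}")
    if c["key_bits"] < 2048:                   # 512-bit RSA is refused outright by current TLS stacks
        findings.append(f"weak key: RSA {c['key_bits']}-bit")
    if c["sig_alg"] in SIG_NAMES:              # MD5/SHA-1 signatures are likewise rejected
        findings.append(f"weak signature: {SIG_NAMES[c['sig_alg']]}")
    if c["issuer"] == c["subject"]:            # "Untrusted VPN Server Blocked"
        findings.append("self-signed: no chain to a CA the client trusts")
    if not c["not_before"] <= now <= c["not_after"]:
        findings.append(f"outside validity {c['not_before']:%Y-%m-%d}..{c['not_after']:%Y-%m-%d}")
    return findings
```

Running `audit(ROUTER_CERT, "x.x.x.x")` on the posted certificate reports four problems as of its issue date (and a fifth, expiry, after 2020-01-01): the subject carries only `unstructuredName=buchanan1841` and the SAN lists the DNS name `buchanan1841`, neither of which is the address the client is pointed at; the key is 512-bit RSA; the signature is md5WithRSA; and it is self-signed. The first explains the name-mismatch error, the weak key and signature are what a client reports as a malformed or unacceptable certificate, and the missing trust chain is the "untrusted server" block. The durable fix is to re-enroll the trustpoint with an RSA key of at least 2048 bits and a SHA-256 signature, put the exact hostname or IP that users connect to in the SAN, and have the certificate issued by (or imported into) a CA the AnyConnect endpoints already trust.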