Cisco AnyConnect on 1841 Issues

Hi Experts,

I'm after some help in setting up AnyConnect SSL VPN on a Cisco 1841 router. I have been following some guides but do not have a great understanding of the setup. I have a dynamic public IP address, and I have DDNS set up to resolve a hostname to it.

When trying to connect using the Cisco AnyConnect Secure Mobility Client I am able to "hit" the server and am presented with a certificate. When I accept the certificate I receive the error "connection attempt has failed" and am presented with another certificate.

I have posted a copy of a clean version of my config and any help would be greatly appreciated.

Regards,

Fraser
wth-int-rt-confg
MrFunz asked:
anoopkmr commented:
Change the port to 443 and try, because you already have a static NAT on the router for 4400.

webvpn gateway Cisco-WebVPN-Gateway
 ip interface Dialer0 port 443
MrFunz (author) commented:
I put the static entry on because I thought it was required. Do you not need to allow 4400 in with NAT for it to work?
anoopkmr commented:
Sorry, only now I noticed that you are using a loopback IP for the SSL VPN.
I never tried it like this. Anyhow, let the static NAT entry be there.

Did you put the port number 4400 when trying the AnyConnect connection from the internet?

MrFunz (author) commented:
I am very new to setting these up, so I was unsure if a loopback would be required. I'm on a dynamic IP address, if that makes a difference. I've tried with and without the :4400 on the address in the AnyConnect client; both seem to retrieve the certificate but have the same result. I've also noticed that if I browse to it as a web page to log in that way I get no response and the page doesn't load.

Regards

Fraser
anoopkmr commented:
Just try:

ip nat inside on the loopback
anoopkmr commented:
Please ignore my last comment; it is not required on the loopback.

Please try the following:

no webvpn install svc flash:/webvpn/anyconnect-win-3.1.03103-k9.pkg sequence 1
crypto vpn anyconnect flash:anyconnect-win-3.1.03103-k9.pkg sequence 1
interface Virtual-Template1
 ip address 192.168.2.66 255.255.255.240
webvpn Cisco-WebVPN
 virtual-template 1

Then try. If it is still not working, please post the output of "debug webvpn verbose" while testing.
MrFunz (author) commented:
Thanks for the replies. I added the ip nat inside on the loopback and that seems to let me connect to the VPN. I am still getting a message saying that it is untrusted.

Regards,

Fraser
anoopkmr commented:
Oh, is it? Great.
The error in the certificate is OK. Otherwise you have to purchase the certificate from a CA.
MrFunz (author) commented:
Thanks for the help.

On mobile devices such as my phone and iPad it connects fine; however, on my laptop, if I try to connect using just the software I get the message:

"Security warning: untrusted VPN server certificate!

AnyConnect cannot verify the VPN server: homelocal.dyndns-ip.com

Certificate does not match the server name
Certificate is from an untrusted source"

I press Connect Anyway and receive the message "connection attempt failed, no valid certificates to authenticate".

However, if I log in to the web page and then connect by pressing Start Tunnel, it connects fine?

Is there something I'm still doing wrong?

Thanks a lot for all your help.

Regards,

Fraser
anoopkmr commented:
Go to the client preferences and untick "Block connections to untrusted servers".
MrFunz (author) commented:
I have that unticked.

Is this all because I am not using an "issued" cert from a provider?

Regards,

Fraser
anoopkmr commented:
Because you are not using the CA certificate. That's why.
MrFunz (author) commented:
And this is something I'd have to purchase from a provider like GoDaddy etc.?
anoopkmr commented:
You can purchase it from

VeriSign, Entrust, etc.
MrFunz (author) commented:
Thanks for your help.

I've signed up for a trial SSL cert from VeriSign. The only instructions they have are for installation on an ASA; however, I believe the majority would be the same for IOS. Correct me if I'm mistaken.

I have created a trustpoint with the following settings:

crypto pki trustpoint SSLVPN.trustpoint
 enrollment terminal
 fqdn ***My-DNS-Name****
 subject-name CN=***My-DNS-NAME***,OU=SSLVPN,O=*******,C=UK,St=*****,L=******
 revocation-check crl
 rsakeypair SSLVPN.key

I created a set of RSA keys called SSLVPN.key with a modulus size of 2048.

Then I added the cert:

crypto pki certificate chain SSLVPN.trustpoint
 certificate **************
****************************
*************************************
*************************************
*************************************
*************************************
*************************************
*************************************
        quit
 certificate ca
*************************************
*************************************
*************************************
*************************************
*************************************
*************************************
        quit

Then I pointed the gateway at the new trustpoint:

webvpn gateway Cisco-WebVPN-Gateway
 ip address 192.168.2.65 port 4400
 http-redirect port 80
 ssl encryption 3des-sha1 aes-sha1
 ssl trustpoint SSLVPN.trustpoint
 inservice

The guide provided by VeriSign is for an ASA and includes the line:

ssl trust-point <Trustpoint name>.Trustpoint outside

This is not recognised on the 1841, but is it the same as the "ssl trustpoint SSLVPN.trustpoint" in the gateway config?

When browsing to the AnyConnect page now it shows the cert has been issued by VeriSign,
and a message saying Windows does not have enough information to verify this cert.

I get the same message from the AnyConnect software, saying "warning: the following cert received from the server could not be verified". I press Accept and it resends the cert, I press Accept again, and it just goes round and round asking me to accept.

Regards,

Fraser
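The two warnings quoted earlier in the thread ("Certificate does not match the server name" and "Certificate is from an untrusted source") are the two independent checks any TLS client runs against the gateway's certificate: does the name the client dialled appear in the certificate, and can the certificate be chained, using only what the gateway actually sent, up to a root the client already trusts. The following is an added example, not code from this thread or from Cisco, that models both checks with Go's standard library. It constructs a root CA, an intermediate CA and a gateway certificate in memory, then plays a client that trusts only the root. The hostname homelocal.dyndns-ip.com is a hypothetical stand-in for the poster's DDNS name, and the CA names are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const vpnHost = "homelocal.dyndns-ip.com" // hypothetical DDNS name the client dials
type testPKI struct{ root, inter, leaf *x509.Certificate } // constructed chain: root -> intermediate -> gateway

// newCert generates a P-256 key and issues tmpl from parent; a nil parent means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// certTemplate builds either a CA template (able to sign) or a server template for cn.
func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !ca {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn} // SAN entry: modern clients match the name here, not in the CN
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// buildPKI issues the gateway certificate the way a public CA does: via an intermediate signed by the trusted root.
func buildPKI(host string) (*testPKI, error) {
	root, rootKey, err := newCert(certTemplate("Constructed Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := newCert(certTemplate("Constructed Intermediate CA", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert(certTemplate(host, 3, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{root: root, inter: inter, leaf: leaf}, nil
}

// checkGateway plays the VPN client: it trusts only the root, takes the gateway certificate plus
// whatever chain the gateway sent, and verifies it for the dialled name; the verdict maps Go's
// error types onto the client's two warnings.
func checkGateway(p *testPKI, dialledHost string, gatewaySendsIntermediate bool) string {
	roots, sent := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	if gatewaySendsIntermediate {
		sent.AddCert(p.inter)
	}
	_, err := p.leaf.Verify(x509.VerifyOptions{DNSName: dialledHost, Roots: roots, Intermediates: sent})
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &badName):
		return "hostname mismatch" // "Certificate does not match the server name"
	case errors.As(err, &unknownCA):
		return "untrusted chain" // "Certificate is from an untrusted source"
	}
	return "other: " + err.Error()
}

func main() {
	p, err := buildPKI(vpnHost)
	if err != nil {
		panic(err)
	}
	fmt.Println("full chain, dialled by certificate name:", checkGateway(p, vpnHost, true))
	fmt.Println("intermediate not sent by gateway:       ", checkGateway(p, vpnHost, false))
	fmt.Println("dialled by a different name:            ", checkGateway(p, "other.example.net", true))
}
```

The second scenario is the one to keep in mind with a purchased certificate: a client that has only the CA's root in its store cannot verify a gateway certificate whose issuer is an intermediate it was never sent, so every intermediate the CA signed through has to be part of the chain the gateway presents, not just the end certificate. The first and third scenarios show that the name check is separate from the chain check: a perfectly chained certificate still fails if the client dials a name that is not in it. Against a real gateway, the certificates to feed into the chain check are the ones it actually sends on the handshake, which `openssl s_client -showcerts` prints.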