[c-nsp] AnyConnect VPN client, IOS, and Vista

Andy Saykao andy.saykao at staff.netspace.net.au
Thu Sep 17 22:07:29 EDT 2009


Jay,

I've been doing some testing with WebVPN and AnyConnect client and have
had no problems with Vista honouring the certificate. I'm using a 7301
as the SSL/WebVPN Gateway running IOS 12.4(24)T1.

My config resembles your config somewhat.
Below I've shown the relevant parts of my config.

crypto pki trustpoint TP-self-signed-74999113
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-74999113
 revocation-check none
 rsakeypair TP-self-signed-74999113
!
!
crypto pki certificate chain TP-self-signed-74999113
 certificate self-signed 01
!
webvpn gateway WEBVPN
 ip address A.B.C.D port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-74999113
 inservice
 !
webvpn install svc disk0:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1
 !
webvpn install svc disk0:/webvpn/anyconnect-macosx-powerpc-2.3.2016-k9.pkg sequence 2
 !
webvpn install svc disk0:/webvpn/anyconnect-macosx-i386-2.3.2016-k9.pkg sequence 3
 !
webvpn install svc disk0:/webvpn/anyconnect-linux-2.3.2016-k9.pkg sequence 4
 !
webvpn context TUNNEL
 title "Tunnel Mode"
 ssl authenticate verify all
 !
 !
 policy group TUNNEL-GROUP
   functions svc-enabled
   svc address-pool "TUNNEL-POOL"
   svc keep-client-installed
   svc dpd-interval gateway 30
   svc homepage "http://192.168.2.2"
   svc rekey method new-tunnel
   svc split include 192.168.2.0 255.255.255.0
 vrf-name NSTEST
 default-group-policy TUNNEL-GROUP
 aaa authentication list NSTEST
 gateway WEBVPN domain tunnel
 inservice

I did have problems with the self-signed certificate at one time when I
was unable to open the WebVPN portal because the certificate wasn't
valid. This was showing up in the router logs with a line saying
something along the lines of "key is inactive". To fix this, I
re-generated the certificate by removing it from the webvpn gateway
section with a "no ssl trustpoint TP-self-signed-74999113", and as I did
that it automatically re-generated a new certificate. It has been working
OK since.

Cheers.

Andy
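The post's config wires a self-signed trustpoint into the WebVPN gateway and then attaches a context to that gateway; the "key is inactive" problem Andy describes is the kind of thing that only shows up after the fact in the router logs. The following is an added example, not code from the post or from Cisco: a small Python lint that walks an IOS config excerpt (indentation marks sub-commands) and checks that the gateway's `ssl trustpoint` names a trustpoint that exists and has a certificate chain, and that each context points at a defined, in-service gateway. The sample config is constructed from the post's excerpt with a placeholder address; the function names `parse_sections` and `lint_webvpn` are my own.

```python
"""Consistency checks for IOS WebVPN/AnyConnect trustpoint wiring.

Added example (not from the mailing-list post): parses an IOS
running-config excerpt and reports gateway/trustpoint/context
mismatches before they turn into a portal that will not load.
"""
from typing import Dict, List

# Constructed sample, modelled on the excerpt in the post (names kept,
# real address replaced by a documentation-range placeholder).
SAMPLE_CONFIG = """\
crypto pki trustpoint TP-self-signed-74999113
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-74999113
 revocation-check none
 rsakeypair TP-self-signed-74999113
!
crypto pki certificate chain TP-self-signed-74999113
 certificate self-signed 01
!
webvpn gateway WEBVPN
 ip address 192.0.2.1 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-74999113
 inservice
!
webvpn context TUNNEL
 title "Tunnel Mode"
 ssl authenticate verify all
 policy group TUNNEL-GROUP
   functions svc-enabled
   svc address-pool "TUNNEL-POOL"
 default-group-policy TUNNEL-GROUP
 gateway WEBVPN domain tunnel
 inservice
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each column-0 command to its indented sub-commands.

    Deeper nesting (e.g. lines under 'policy group') is flattened into
    the enclosing top-level section, which is enough for these checks.
    Bare '!' separators and blank lines are ignored.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if not raw.startswith(" "):
            current = stripped
            sections[current] = []
        elif current is not None:
            sections[current].append(stripped)
    return sections


def lint_webvpn(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the wiring is consistent."""
    sections = parse_sections(config)
    findings: List[str] = []

    # Names that exist on the box: trustpoints, and trustpoints holding a certificate.
    trustpoints = {k.split()[-1] for k in sections if k.startswith("crypto pki trustpoint ")}
    chains = {k.split()[-1] for k in sections if k.startswith("crypto pki certificate chain ")}

    gateways: Dict[str, List[str]] = {}
    for key, subs in sections.items():
        if not key.startswith("webvpn gateway "):
            continue
        name = key.split()[2]
        gateways[name] = subs
        tp = next((s.split()[2] for s in subs if s.startswith("ssl trustpoint ")), None)
        if tp is None:
            findings.append(f"gateway {name}: no 'ssl trustpoint' configured")
        elif tp not in trustpoints:
            findings.append(f"gateway {name}: ssl trustpoint {tp} is not defined")
        elif tp not in chains:
            findings.append(f"gateway {name}: trustpoint {tp} has no certificate chain")
        if "inservice" not in subs:
            findings.append(f"gateway {name}: not inservice")

    for key, subs in sections.items():
        if not key.startswith("webvpn context "):
            continue
        name = key.split()[2]
        gw = next((s.split()[1] for s in subs if s.startswith("gateway ")), None)
        if gw is None:
            findings.append(f"context {name}: not attached to any gateway")
        elif gw not in gateways:
            findings.append(f"context {name}: gateway {gw} is not defined")
        if "inservice" not in subs:
            findings.append(f"context {name}: not inservice")
    return findings


if __name__ == "__main__":
    for line in lint_webvpn(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Feed it `show running-config` output saved to a file and it flags the two states the post runs into: a gateway whose trustpoint has been removed (as in the "no ssl trustpoint" step) and a trustpoint that is defined but has no certificate chain yet.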

