[cisco-voip] Phone VPN
Erick Wellnitz
ewellnitzvoip at gmail.com
Thu Nov 7 15:37:55 EST 2013
Have you gone to settings -> administrator settings -> Security Setup ->
LSC and selected update? Also, check the ITL file under trust list to make
sure the CAPF Server is listed. The CAPF certificate also needs to be
installed on the ASA.
If the CAPF Server is not listed, restart the CAPF service and it should
appear.
On Thu, Nov 7, 2013 at 12:08 PM, Brian Meade (brmeade) <brmeade at cisco.com> wrote:
> Check the Group URL you are using on the VPN Gateway configuration. On
> the ASA, see which tunnel-group that URL is configured under and make sure
> it has “authentication certificate”.
>
>
>
> tunnel-group CertOnlyTunnelGroup webvpn-attributes
>
> authentication certificate
>
> group-url https://10.89.79.135/CertOnly enable
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk]
> *Sent:* Thursday, November 07, 2013 12:59 PM
> *To:* Brian Meade (brmeade); Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> Hi Brian,
>
>
>
> I have completely reset the phone and left it plugged into the lan to
> register for some time,
>
>
>
> Now when I plug the phone back into the external connection and connect
> the vpn setting I get a username and password box present itself.
>
>
>
> Where is this referencing?
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* Brian Meade (brmeade) [mailto:brmeade at cisco.com]
>
> *Sent:* 07 November 2013 16:53
> *To:* James Dust; Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> James,
>
>
>
> Try downloading the phone’s config file:
> http://x.x.x.x:6970/SEP3CCE73AD2EE2.cnf.xml and look for the CAPF entry
> to make sure it is there. Also download the ITL and make sure the CAPF
> entry is there and matches the CAPF.pem from the publisher.
>
>
>
> Brian
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk]
>
> *Sent:* Thursday, November 07, 2013 11:43 AM
> *To:* Brian Meade (brmeade); Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> Hi Brian,
>
>
>
> The phone is a 9951 and interestingly enough I am getting the following
> messages, so it appears we have a CAPF problem.
>
>
>
> The service is running, I have just checked.
>
>
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* Brian Meade (brmeade) [mailto:brmeade at cisco.com]
>
> *Sent:* 07 November 2013 16:34
> *To:* James Dust; Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> James,
>
>
>
> What model phone is it? Do you see anything in the console logs/status
> messages when you reset the phone after setting the Operation to
> Install/Upgrade? The Operation should switch back to No Pending Operation
> if the install was successful so it looks like it is not successful.
>
>
>
> Brian
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk]
>
> *Sent:* Thursday, November 07, 2013 11:06 AM
> *To:* Heim, Dennis; Brian Meade (brmeade); cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> This is the CAPF information from the test phone,
>
>
>
> When I go onto the test phone and add the authorisation string, it accepts
> the string when I submit it but does not install anything onto the phone.
>
>
>
>
>
>
>
>
>
> *From:* Heim, Dennis [mailto:Dennis.Heim at wwt.com]
> *Sent:* 07 November 2013 15:43
> *To:* James Dust; Brian Meade (brmeade); cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> You will need to go to each phone you want to have the lsc and have it
> install/generate if you are using LSC. If you hit security menu on the
> phone and look, it should say the lsc is installed.
>
>
>
> *Dennis Heim | Solution Architect (Collaboration)*
>
> World Wide Technology, Inc. | 314-212-1814
>
>
>
> *PS Engineering: ** Innovate & Ignite.*
>
>
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net]
> *On Behalf Of *James Dust
> *Sent:* Thursday, November 07, 2013 10:41 AM
> *To:* Brian Meade (brmeade); cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] Phone VPN
>
>
>
> Thank you Brian,
>
>
>
> We believe we have done all of that so I will work back through the config.
>
>
>
>
>
> Kind Regards
>
>
>
> James Dust
> Technical Infrastructure Engineer
> Charles Stanley & Co Ltd
> Tel: 020 7149 6314
> Mob: 07989 491136
> mailto: james.dust at charles-stanley.co.uk
>
>
>
> *From:* Brian Meade (brmeade) [mailto:brmeade at cisco.com]
>
> *Sent:* 07 November 2013 15:11
> *To:* James Dust; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> James,
>
>
>
> The ASA certificate needs to be added as a Phone-VPN-Trust under OS
> Administration->Security->Certificate Management. You then select that
> certificate under the VPN Gateway configuration in CUCM. You then
> associate the VPN Group and VPN Profile to the Common Phone Profile and
> associate the Common Phone Profile to the phone.
>
>
>
> If you’re doing username/password authentication, that’s all you have to
> do. The certificate for the ASA will be in the phone’s config file. Just
> need to reset the phone on-site so it can download it.
>
>
>
> If you want to do MIC-based authentication, you need to add the
> Manufacturing CA Trust certificate from OS Administration to the ASA as a
> trustpoint.
>
>
>
> If you want to do LSC-based authentication, you need to add the
> Publisher’s CAPF.pem certificate as a trustpoint on the ASA and Install the
> LSC on the phone.
>
>
>
> Good IP Phone Anyconnect documentation-
> https://supportforums.cisco.com/docs/DOC-9124
>
>
>
> Brian
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net]
> *On Behalf Of *James Dust
> *Sent:* Thursday, November 07, 2013 9:24 AM
> *To:* cisco-voip at puck.nether.net
> *Subject:* [cisco-voip] Phone VPN
>
>
>
> Afternoon all,
>
>
>
> We are trying a proof of concept here for Cisco IP phone VPN and are
> stuck, as we don’t seem to be able to update the 9951 SIP phone we are
> using with the certificate needed to build the VPN tunnel.
>
>
>
> The phone has been added with a ‘common phone profile’ but we cannot see
> where the certificate has been installed (if at all)
>
>
>
> Versions are as so:
>
>
>
> Cucm: 8.6.2
>
> Asa ver 9.1(2)
>
> 9951 phone load: sip9951.9-3-4-24
>
>
>
> Can anyone shed any light on what the correct process is to update the
> phone?
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
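
Added example, not part of the original thread: a small Python check for the step Brian describes, finding which tunnel-group owns the Group URL the phone uses and whether that group is certificate-only or will ask for a username and password. The sample config is constructed (only the CertOnlyTunnelGroup stanza and the 10.89.79.135 address come from the thread), and treating a group with no `authentication` line as AAA is an assumption about the ASA default.

```python
import re

# Constructed ASA running-config excerpt. Only the CertOnlyTunnelGroup stanza
# and the 10.89.79.135 address come from the thread; the other two groups and
# their URLs are made up. Sub-commands are indented as "show run" prints them.
SAMPLE_CONFIG = """\
tunnel-group PhoneAAAGroup webvpn-attributes
 group-url https://10.89.79.135/Phones enable
tunnel-group CertOnlyTunnelGroup webvpn-attributes
 authentication certificate
 group-url https://10.89.79.135/CertOnly enable
tunnel-group PhoneBothGroup webvpn-attributes
 authentication aaa certificate
 group-url https://10.89.79.135/Both enable
"""

HEADER = re.compile(r"^tunnel-group (\S+) webvpn-attributes\s*$")

def parse_tunnel_groups(config_text):
    """Return {tunnel-group: {"auth": str, "urls": [str]}} for webvpn stanzas."""
    groups, current = {}, None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            # Assumption: with no "authentication" line the group uses AAA.
            current = groups.setdefault(header.group(1), {"auth": "aaa", "urls": []})
        elif current is not None and line[:1].isspace():
            words = line.split()
            if words[:1] == ["authentication"]:
                current["auth"] = " ".join(words[1:])
            elif words[:1] == ["group-url"] and len(words) > 1:
                current["urls"].append(words[1])
        else:
            current = None  # any unindented line ends the stanza
    return groups

def will_prompt_for_password(config_text, phone_url):
    """Return (tunnel-group, prompts?) for the URL set on the CUCM VPN Gateway."""
    for name, group in parse_tunnel_groups(config_text).items():
        if phone_url in group["urls"]:
            return name, "aaa" in group["auth"].split()
    return None, None  # URL not bound to any tunnel-group

if __name__ == "__main__":
    for url in ("https://10.89.79.135/CertOnly", "https://10.89.79.135/Phones"):
        print(url, will_prompt_for_password(SAMPLE_CONFIG, url))
```
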