[cisco-voip] Phone VPN

Erick Wellnitz ewellnitzvoip at gmail.com
Fri Nov 8 10:34:00 EST 2013


Check your VPN Feature Configuration and VPN Profile.  Client
Authentication Mehtod should be Certificate if you aren't using manual
login.  I also disabled Host ID Check.

What I have noticed is that if settnigs between the profile and the Feature
configuration are not consistent you will see inconsistent results.


On Fri, Nov 8, 2013 at 4:15 AM, James Dust <james.dust at charles-stanley.co.uk
> wrote:

>  Morning Erick,
>
>
>
> Yes I have done what you suggested and it still hasn’t worked.
>
>
>
> Today I might strip all the config off and start again.
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* Erick Wellnitz [mailto:ewellnitzvoip at gmail.com]
> *Sent:* 07 November 2013 20:38
> *To:* Brian Meade (brmeade)
> *Cc:* James Dust; Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] Phone VPN
>
>
>
> Have you gone to settings -> administrator settings -> Security Setup ->
> LSC and selected update?  Also, check the ITL file under trust list to make
> sure the CAPF Server is listed.  The CAPF certificate also needs to be
> installed on the ASA.
>
>
>
> If the CAPF Server is not listed. restart the CAPF service and it should
> appear.
>
>
>
> On Thu, Nov 7, 2013 at 12:08 PM, Brian Meade (brmeade) <brmeade at cisco.com>
> wrote:
>
> Check the Group URL you are using on the VPN Gateway configuration.  On
> the ASA, see which tunnel-group that URL is configured under and make sure
> it has “authentication certificate”.
>
>
>
> tunnel-group CertOnlyTunnelGroup webvpn-attributes
>
> authentication certificate
>
> group-url https://10.89.79.135/CertOnly enable
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk]
> *Sent:* Thursday, November 07, 2013 12:59 PM
> *To:* Brian Meade (brmeade); Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> Hi Brian,
>
>
>
> I have completely reset the phone and left it plugged into the lan to
> register for some time,
>
>
>
> Now when I plug the phone back into the external connection and connect
> the vpn setting I get a username and password box present itself.
>
>
>
> Where is this referencing?
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* Brian Meade (brmeade) [mailto:brmeade at cisco.com<brmeade at cisco.com>]
>
> *Sent:* 07 November 2013 16:53
> *To:* James Dust; Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> James,
>
>
>
> Try downloading the phone’s config file:
> http://x.x.x.x:6970/SEP3CCE73AD2EE2.cnf.xml and look for the CAPF entry
> to make sure it is there.  Also download the ITL and make sure the CAPF
> entry is there and matches the CAPF.pem from the publisher.
>
>
>
> Brian
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk<james.dust at charles-stanley.co.uk>]
>
> *Sent:* Thursday, November 07, 2013 11:43 AM
> *To:* Brian Meade (brmeade); Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> Hi Brian,
>
>
>
> The phone is a 9951 and interestingly enough I am getting the following
> messages, so It appears we have a CAPF problem.
>
>
>
> The service is running, I have just checked.
>
>
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
> *From:* Brian Meade (brmeade) [mailto:brmeade at cisco.com<brmeade at cisco.com>]
>
> *Sent:* 07 November 2013 16:34
> *To:* James Dust; Heim, Dennis; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> James,
>
>
>
> Way model phone is it?  Do you see anything in the console logs/status
> messages when you reset the phone after setting the Operation to
> Install/Upgrade?  The Operation should switch back to No Pending Operation
> if the install was successful so it looks like it is not successful.
>
>
>
> Brian
>
>
>
> *From:* James Dust [mailto:james.dust at charles-stanley.co.uk<james.dust at charles-stanley.co.uk>]
>
> *Sent:* Thursday, November 07, 2013 11:06 AM
> *To:* Heim, Dennis; Brian Meade (brmeade); cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> This is the CAPF information from the test phone,
>
>
>
> When I go onto the test phone and add the authorisation string, it accepts
> the string when I submit it but does not install anything onto the phone.
>
>
>
>
>
>
>
>
>
> *From:* Heim, Dennis [mailto:Dennis.Heim at wwt.com <Dennis.Heim at wwt.com>]
> *Sent:* 07 November 2013 15:43
> *To:* James Dust; Brian Meade (brmeade); cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> You will need to go to each phone you want to have the lsc and have it
> install/generate if you are using LSC. If you hit security menu on the
> phone and look, it should say the lsc is installed.
>
>
>
> *Dennis Heim | Solution Architect (Collaboration)*
>
> World Wide Technology, Inc. | 314-212-1814
>
>
>
> *PS Engineering: ** Innovate & Ignite.*
>
>
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net<cisco-voip-bounces at puck.nether.net>]
> *On Behalf Of *James Dust
> *Sent:* Thursday, November 07, 2013 10:41 AM
> *To:* Brian Meade (brmeade); cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] Phone VPN
>
>
>
> Thank you Brian,
>
>
>
> We believe we have done all of that so I will work back through the config.
>
>
>
>
>
> Kind Regards
>
>
>
> James Dust
> Technical Infrastructure Engineer
> Charles Stanley & Co Ltd
> Tel: 020 7149 6314
> Mob: 07989 491136
> mailto: james.dust at charles-stanley.co.uk
>
>
>
> *From:* Brian Meade (brmeade) [mailto:brmeade at cisco.com<brmeade at cisco.com>]
>
> *Sent:* 07 November 2013 15:11
> *To:* James Dust; cisco-voip at puck.nether.net
> *Subject:* RE: Phone VPN
>
>
>
> James,
>
>
>
> The ASA certificate needs to be added as a Phone-VPN-Trust under OS
> Administration->Security->Certificate Management.  You then select that
> certificate under the VPN Gateway configuration in CUCM.  You then
> associate the VPN Group and VPN Profile to the Common Phone Profile and
> associate the Common Phone Profile to the phone.
>
>
>
> If you’re doing username/password authentication, that’s all you have to
> do.  The certificate for the ASA will be in the phone’s config file.  Just
> need to reset the phone on-site so it can download it.
>
>
>
> If you want to do MIC-based authentication, you need to add the
> Manufacturing CA Trust certificate from OS Administration to the ASA as a
> trustpoint.
>
>
>
> If you want to do LSC-based authentication, you need to add the
> Publisher’s CAPF.pem certificate as a trustpoint on the ASA and Install the
> LSC on the phone.
>
>
>
> Good IP Phone Anyconnect documentation-
> https://supportforums.cisco.com/docs/DOC-9124
>
>
>
> Brian
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net<cisco-voip-bounces at puck.nether.net>]
> *On Behalf Of *James Dust
> *Sent:* Thursday, November 07, 2013 9:24 AM
> *To:* cisco-voip at puck.nether.net
> *Subject:* [cisco-voip] Phone VPN
>
>
>
> Afternoon all,
>
>
>
> We are trying a proof of concept here for Cisco IP phone VPN and are
> stuck, as we don’t seem to be able to update the 9951 SIP phone we are
> using with the certificate needed to build the VPN tunnel.
>
>
>
> The phone has been added with a ‘common phone profile’ but we cannot see
> where the certificate has been installed (if at all)
>
>
>
> Versions are as so:
>
>
>
> Cucm: 8.6.2
>
> Asa ver 9.1(2)
>
> 9951 phone load: sip9951.9-3-4-24
>
>
>
> Can anyone shed any light on what the correct process is to update the
> phone?
>
>
>
> Kind Regards
>
>
>
> James
>
>
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
> *Consider the environment - Think before you print*
>
> The contents of this email are confidential to the intended recipient and
> may not be disclosed. Although it is believed that this email and any
> attachments are virus free, it is the responsibility of the recipient to
> confirm this.
>
> You are advised that urgent, time-sensitive communications should not be
> sent by email. We hereby give you notice that a delivery receipt does not
> constitute acknowledgement or receipt by the intended recipient(s).
>
> Details of Charles Stanley group companies and their regulators (where
> applicable), can be found at this URL
> http://www.charles-stanley.co.uk/contact-us/disclosure/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20131108/036893a6/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 23438 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20131108/036893a6/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 14426 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20131108/036893a6/attachment.png>


More information about the cisco-voip mailing list