This document provides a sample configuration of a WebVPN tunnel
between the Cisco SSL VPN Client (SVC) and a Cisco VPN 3000 Concentrator that
uses its internal database for authentication. The Cisco SSL VPN Client
supports applications and functions unavailable to a standard
WebVPN provides Secure Socket Layer (SSL) VPN remote-access
connectivity from almost any Internet-enabled location, using only a Web
browser and its native SSL encryption. This enables companies to extend their
secure enterprise networks to any authorized user by providing remote-access
connectivity to corporate resources from any Internet-enabled location.
Ensure that you meet these requirements before you attempt this
In order to use SSL VPN Client release 1.0.2, you must upgrade the
VPN Concentrator to release 4.7.2 or later. SSL VPN Client release 1.0.2 does
not operate with the VPN Concentrator that runs releases earlier than 4.7.2.
SSL VPN Client works only with Microsoft Windows XP or Windows
Command-Line Interface for Quick Configuration for a basic idea on how
to use the VPN Concentrator Command Line Interface
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the
Technical Tips Conventions for more information on document
In this section, you are presented with the information to configure
the features described in this document.
This document uses this network setup:
VPN Concentrators are not pre-programmed with IP addresses in their
factory settings. You have to use the console port, which presents a menu-based
CLI, for the initial configuration. Refer to
VPN Concentrators through the Console for information on how to
configure the device through the console.
After you configure the IP address on the Ethernet 1 (private)
interface, the rest can be configured either using the CLI or via the browser
interface. The browser interface supports both HTTP and HTTP over Secure Socket
Complete these steps:
Type the IP address of the private interface from the web browser
in order to enable the GUI interface.
The factory default username and password are both
admin, which is case sensitive.
Once you are logged in as an Administrator, begin to install the
SSL VPN Client software to the VPN Concentrator.
This step is required only when you upgrade a VPN Concentrator from
an older release to 4.7. Choose Configuration > Tunneling and
Security > WebVPN > Cisco SSL VPN Client in order to install the
SSL VPN Client.
Note: New VPN Concentrators that run release 4.7 or later come
pre-loaded with the SSL VPN Client. By default, the SSL VPN Client is disabled
and you need to enable it. This is explained in step 4.
Note: The SSL VPN Client and VPN Concentrator software can be obtained
from the Cisco
(registered customers only)
Click on the link provided in the confirmation window to continue
to enable the SSL VPN Client on the VPN
Select Enable the Cisco SSL VPN Client and click
This enables the SSL VPN Client on the VPN Concentrator. If your
VPN Concentrator was pre-loaded with the SSL VPN Client, go directly to
Configuration > Tunneling and Security > WebVPN > Cisco SSL
VPN Client and enable the SSL VPN Client.
Choose Configuration > User Management > Groups >
Add in order to configure a group for the SSL VPN
If you use external authentication, such as a Cisco ACS server,
select External in the Type field. Enter a group name and an
associated password in this window.
This example uses the name 'sslgroup' for the group. The internal
database (on the VPN Concentrator) is also used to authenticate the SSL VPN
Note: In order to configure the Cisco VPN 3000 Concentrator for RADIUS
authentication, refer to
the Cisco VPN 3000 Concentrator with MS RADIUS.
Select the WebVPN Tab in the same window in order to enable the SSL
VPN Client for group name sslgroup. Select the necessary
The Cisco SSL VPN Client Keepalive Frequency
option is needed only to ensure that an SSL VPN Client connection through a
proxy, firewall, or NAT device remains open, even if the device limits the time
that the connection can be idle.
The Keep Cisco SSL VPN Client option ensures that
the SSL VPN Client remains installed on the client PC. If this option is not
selected, the SSL VPN Client has to be installed again every time you want a
WebVPN tunnel from the client PC.
Choose Configuration > User Management > Users >
Add in order to configure an SSL VPN Client user
You can also assign a static IP address to the users through this
In this example, the user name is test. This user is added to the
group sslgroup. IP addresses are also assigned with the configuration of a pool
of IP addresses.
Choose Configuration > System > Address Management
> Assignment and check the necessary option as shown and click
Apply in order to configure the IP address assignment method.
Choose Configuration > System > Address Management
> Pools > Add in order to configure an associated IP address
In this example, you configure an IP address range that is part
of the same subnet as the corporate network.
Choose Configuration > System > IP Routing >
Default Gateway in order to ensure that you have all necessary routes
and default gateways configured properly.
The interface that terminates the SSL VPN Client needs to have an
SSL certificate associated with it.
Choose Administration > Certificate Management
in order to confirm that SSL certificates are generated for the
If the certificates have not been generated, you can generate them by
choosing Generate. This option is available under
Actions in the SSL Certificates box for the respective
Choose Configuration > Interfaces and select
the respective interface to specifically allow the HTTPS
session on the interface that terminates the SSL VPN
Go to the WebVPN tab and check Allow WebVPN HTTPS
In this example, you are terminating the SSL VPN Client on the
public Interface of the VPN Concentrator.
When you generate the SSL certificate on the VPN Concentrator, always
use the IP address or DNS name of the interface. If what you type in the browser
to open the SSL connection does not match what you entered when the certificate
was generated, you receive security warning messages such as hostname
mismatch errors. Type exactly what you used when
the certificate was generated.
You can choose Administration > Certificate
Management, and delete and generate the SSL certificate in order to
fix this issue.
When you choose Generate, the
Administration > Certificate Management > Generate SSL
Certificate window appears. In this window, you can generate the SSL
certificate for the interface to which you connect. In the Common Name
(CN) field, enter either the IP address or the DNS name of the
interface; it must be the same as what you type in the browser to make the SSL
client connection, otherwise you receive the mismatch error message.
But, even though you do this, a window appears to let you know these
These messages have the green mark, but the yellow mark indicates that
the certificate is not yet stored under the trusted certificates of the IE
Click the third button of the View Certificate box in
order to save the certificate and no longer receive this error message. Choose
Install Certificate at the wizard and click
Next. Then, choose Place all the certificates in the
following store and click Browse.
Finally, choose the Trusted Root Certification
Authorities folder and click Next. Choose
Finish and Yes at the final warning window.
You should receive another message that says that the import was
Note: You need to complete this process on every computer that uses
the SSL client connection, because each computer stores the
certificate in its own certificate store.
Complete these steps in order to confirm that your configuration works
Open the Web browser on the Client PC that is going to connect to
the VPN Concentrator and enter
At the login prompt, enter the user credentials that you created
earlier and select Login.
In this example, type https://172.16.5.100, enter
the username test, and its associated password that you
This starts the download of the SSL VPN Client on to the client
When you receive the certificate warning, you can either select
Yes or View Certificate.
Certificate on how to proceed with this option.
In this example, Yes is selected on the
Click Yes when you are prompted with an alert
which states that the certificate issuer is unknown or
Click Yes in order to display the certificate
Click OK on the certification authentication
window to install the certificate as a trusted certificate.
Click Yes when you are prompted with a certificate
warning in the next window.
Once you click Yes, the SSL VPN Client is installed on the client
PC. The WebVPN connection is automated as well. Once the tunnel is established,
you can see the Key icon on the Windows taskbar.
Right-click the Key icon and select
Status in order to view the WebVPN connection properties in
the SSL VPN Client.
In this example the SSL VPN Client is assigned an IP address of
10.10.1.2 which is part of the IP address pool you
Complete these steps in order to troubleshoot your configuration. On
the VPN Concentrator you can enable Event Classes to log
events. This helps you to troubleshoot if your SSL VPN tunnel does not come
Choose Configuration > System > Events > Classes
> Add in order to enable all relevant Event Classes.
In this example you need to enable the classes Auth, SSL,
STC, and WebVPN.
Note: When you enable Event Classes and set Severity levels, this
impacts the performance of the VPN Concentrator. Make it a point to disable
them once you have finished troubleshooting your problem.
Similarly enable all the other Event
Choose Monitoring > Filterable Event Log in
order to monitor the enabled alarms and click Get Log to view
the event logs.
The log is displayed in a text file format. You can save the log
with the Save Log option.
Log of SSL VPN Client when connecting
1 10/18/2005 13:27:32.270 SEV=4 AUTH/22 RPT=3 172.16.1.1
User [test] Group [sslgroup] connected, Session Type: WebVPN
2 10/18/2005 13:27:32.270 SEV=5 WEBVPN/1 RPT=13 172.16.1.1
Group [sslgroup] User [test]
WebVPN session started.
Log of an SSL VPN Client issuing a disconnect
3 10/18/2005 13:28:26.240 SEV=4 AUTH/28 RPT=3 172.16.1.1
User [test] Group [sslgroup] disconnected:
Session Type: SSL VPN Client
Bytes xmt: 244
Bytes rcv: 7083
Reason: User Requested
4 10/18/2005 13:28:26.240 SEV=5 WEBVPN/2 RPT=13 172.16.1.1
Group [sslgroup] User [test]
WebVPN session terminated; User Requested.
If you encounter a Reason: bad handshake
error, it could be due to an expired SSL
certificate on one or more interfaces of the VPN Concentrator. The workaround
is to delete the expired certificate and regenerate a new one for the
particular interface. Choose Administration > Certificate
Management and click Generate in order to renew the
certificate. Refer to
SSL Certificates for more information on how to generate a new
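The Filterable Event Log lines shown above have a fixed header format (sequence, timestamp, SEV, CLASS/id, RPT, peer IP) followed by detail lines. The following added example, which is not part of the original document or any Cisco tool, parses that format and picks out disconnects whose Reason is "bad handshake", the expired-certificate symptom described above; the sample log is constructed, and its last event is invented to illustrate the failure case.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the format of the Filterable Event Log shown above;
# the last event is an invented "bad handshake" disconnect, not from the page.
SAMPLE_LOG = """\
1 10/18/2005 13:27:32.270 SEV=4 AUTH/22 RPT=3 172.16.1.1
User [test] Group [sslgroup] connected, Session Type: WebVPN
3 10/18/2005 13:28:26.240 SEV=4 AUTH/28 RPT=3 172.16.1.1
User [test] Group [sslgroup] disconnected:
Session Type: SSL VPN Client
Reason: User Requested
5 10/18/2005 13:30:01.000 SEV=4 AUTH/28 RPT=4 172.16.1.7
User [test] Group [sslgroup] disconnected:
Session Type: SSL VPN Client
Reason: bad handshake
"""
# Header line: <seq> <date> <time> SEV=<n> <CLASS>/<id> RPT=<n> <peer IP>
HEADER = re.compile(r"^(\d+) (\S+ \S+) SEV=(\d+) ([A-Z]+)/(\d+) RPT=\d+ (\S+)$")
@dataclass
class Event:
    seq: int
    timestamp: str
    severity: int
    cls: str        # event class, e.g. AUTH, WEBVPN
    msg_id: int     # number after the slash, e.g. 28 in AUTH/28
    peer: str       # client IP address
    body: list = field(default_factory=list)  # detail lines under the header

    def attr(self, name):
        # Value of a 'Name: value' detail line (e.g. Reason), or None.
        for line in self.body:
            if line.startswith(name + ":"):
                return line.split(":", 1)[1].strip()
        return None

def parse_events(text):
    """Attach each header line to the detail lines that follow it."""
    events = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            seq, ts, sev, cls, mid, peer = m.groups()
            events.append(Event(int(seq), ts, int(sev), cls, int(mid), peer))
        elif events and raw.strip():
            events[-1].body.append(raw.strip())
    return events

def handshake_failures(events):
    """Disconnects reporting 'bad handshake', the symptom of an expired SSL cert."""
    return [e for e in events if e.attr("Reason") == "bad handshake"]
```

Run `handshake_failures(parse_events(text))` over a log saved with the Save Log option; each returned event's peer and timestamp tell you which client hit the expired certificate.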
With the introduction of SSL VPN functionality, HTTP/HTTPS access to
the Public interface became a necessity. The default configuration, however, is
to allow SSL VPN access while disallowing management access to the same Public
Use this procedure in order to configure the VPN Concentrator so that
you can manage it from the public network for releases 4.1 and
Select Configuration >
Interfaces > Ethernet 2 (Public), then
choose the WebVPN tab.
Check the Allow Management HTTPS sessions check
Check the Redirect HTTP to HTTPS checkbox for
Click the Apply button and save the configuration.
Note: This checkbox setting overrides the rules that the Public filter
defines (or whatever filter is applied to the Public interface). You do not
need to add rules to filters in WebVPN-supported code.
In order to access the management screen from the Public interface,
the URL now becomes http[s]://<concentrator public IP
Problem: The WebVPN users are not able to
authenticate against the RADIUS server, but can authenticate successfully with
the local database of the VPN Concentrator. Errors such as Login
failed and the message in this example screen shot are
Cause: These kinds of problems happen very often
when you use any database other than the internal database of the VPN
Concentrator. WebVPN users hit the Base Group when they first connect to the
VPN Concentrator and therefore must use the default authentication method.
Often this method is set to the internal database of the VPN Concentrator and
not a configured RADIUS or other server.
Solution: When a WebVPN user authenticates, the VPN
Concentrator checks the list of servers defined at Configuration
> System > Servers > Authentication and uses the top one. Make
sure to move the server that you want WebVPN users to authenticate with to the
top of this list. For example, if RADIUS should be the authentication method,
you need to move the RADIUS server to the top of the list to push the
authentication to it.
Note: Just because WebVPN users initially hit the Base Group does not
mean that they are confined to the Base Group. Additional WebVPN groups can be
configured on the VPN Concentrator and users can be assigned to them by the
RADIUS server by populating attribute 25 with
. Refer to
Users into a VPN 3000 Concentrator Group Using a RADIUS Server for a
more detailed explanation.