This document provides a sample configuration that shows how to configure a WebVPN tunnel between the Cisco SSL VPN Client (SVC) and a Cisco VPN 3000 Concentrator that uses its internal database for authentication. The Cisco SSL VPN Client supports applications and functions that are unavailable to a standard WebVPN connection.
WebVPN provides Secure Socket Layer (SSL) VPN remote-access connectivity from almost any Internet-enabled location that uses only a Web browser and its native SSL encryption. This enables companies to extend their secure enterprise networks to any authorized user by providing remote access connectivity to corporate resources from any Internet-enabled location.
Ensure that you meet these requirements before you attempt this configuration:
In order to use SSL VPN Client release 1.0.2, you must upgrade the VPN Concentrator to release 4.7.2 or later. SSL VPN Client release 1.0.2 does not operate with the VPN Concentrator that runs releases earlier than 4.7.2.
SSL VPN Client works only with Microsoft Windows XP or Windows 2000.
Refer to Using the Command-Line Interface for Quick Configuration for a basic idea on how to use the VPN Concentrator Command Line Interface (CLI).
The information in this document is based on these software and hardware versions:
VPN 3015 release 4.7.2.B, and SVC release 18.104.22.168
Windows 2000 PC using Internet Explorer 6.0 SP1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses this network setup:
VPN Concentrators are not pre-programmed with IP addresses in their factory settings. You must use the console port for the initial configuration, which is done through a menu-based CLI. Refer to Configuring VPN Concentrators through the Console for information on how to configure through the console.
After you configure the IP address on the Ethernet 1 (private) interface, the rest can be configured either using the CLI or via the browser interface. The browser interface supports both HTTP and HTTP over Secure Socket Layer (SSL).
Complete these steps:
Type the IP address of the private interface from the web browser in order to enable the GUI interface.
The factory default username and password are both admin (case sensitive).
Once you are logged in as an Administrator, begin to install the SSL VPN Client software to the VPN Concentrator.
This step is required only when you upgrade a VPN Concentrator from an older release to 4.7. Choose Configuration > Tunneling and Security > WebVPN > Cisco SSL VPN Client in order to install the SSL VPN Client.
Note: New VPN Concentrators that run release 4.7 or later come pre-loaded with the SSL VPN Client. By default, the SSL VPN Client is disabled and you need to enable it. This is explained in step 4.
Click on the link provided in the confirmation window to continue to enable the SSL VPN Client on the VPN Concentrator.
Select Enable the Cisco SSL VPN Client and click Apply.
This enables the SSL VPN Client on the VPN Concentrator. If your VPN Concentrator was pre-loaded with the SSL VPN Client, go directly to Configuration > Tunneling and Security > WebVPN > Cisco SSL VPN Client and enable the SSL VPN Client.
Choose Configuration > User Management > Groups > Add in order to configure a group for the SSL VPN Client.
If you use an external authentication such as the Cisco ACS server, select External in the Type field. Enter a group name and an associated password in this window.
This example uses the name 'sslgroup' for the group. The internal database (on the VPN Concentrator) is also used to authenticate the SSL VPN Client users.
Note: In order to configure the Cisco VPN 3000 Concentrator for RADIUS authentication, refer to Configuring the Cisco VPN 3000 Concentrator with MS RADIUS.
Select the WebVPN Tab in the same window in order to enable the SSL VPN Client for group name sslgroup. Select the necessary options.
The Cisco SSL VPN Client Keepalive Frequency option is needed only to ensure that an SSL VPN Client connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle.
The Keep Cisco SSL VPN Client option ensures that the SSL VPN Client remains installed on the client PC. If this option is not selected, the SSL VPN Client has to be installed again every time you want a WebVPN tunnel from the client PC.
Choose Configuration > User Management > Users > Add in order to configure the credentials of an SSL VPN Client user.
You can also assign a static IP address to the users through this window.
In this example, the user name is test. This user is added to the group sslgroup. IP addresses are also assigned with the configuration of a pool of IP addresses.
Choose Configuration > System > Address Management > Assignment and check the necessary option as shown and click Apply in order to configure the IP address assignment method.
Choose Configuration > System > Address Management > Pools > Add in order to configure an associated IP address pool.
In this example, you configure an IP address range that is a part of the same subnet of the corporate network.
Choose Configuration > System > IP Routing > Default Gateway in order to ensure that you have all necessary routes and default gateways configured properly.
The interface that terminates the SSL VPN Client needs to have an SSL certificate associated with it.
Choose Administration > Certificate Management in order to confirm that SSL certificates are generated for the interfaces.
If the certificates have not been generated, choose Generate in order to generate them. This option is available under Actions in the SSL Certificates box for the respective interface.
Choose Configuration > Interfaces and select the respective interface to specifically allow the HTTPS session on the interface that terminates the SSL VPN Client.
Go to the WebVPN tab and check Allow WebVPN HTTPS sessions.
In this example, you are terminating the SSL VPN Client on the public Interface of the VPN Concentrator.
When you generate the SSL certificate on the VPN Concentrator, always use the IP address or DNS name of the interface. If what you type in the browser when you open the SSL connection does not match the name in the certificate, you receive security warnings such as hostname mismatch errors. Type exactly what you used when the certificate was generated.
You can choose Administration > Certificate Management, and delete and generate the SSL certificate in order to fix this issue.
When you choose Generate, the Administration > Certificate Management > Generate SSL Certificate window appears. In this window you generate the SSL certificate for the interface that you connect to. In the Common Name (CN) field, enter either the IP address or the DNS name of the interface; it must match what you type in the browser when you make the SSL client connection, otherwise you receive the mismatch error message.
Even after you do this, a window appears with these messages:
The security certificate date is valid.
The security certificate has a valid name that matches the name of the page you attempt to view.
These messages are shown with a green mark, but a yellow mark indicates that the certificate is not yet stored among the trusted certificates of the IE certificate store.
Click the third button of the View Certificate box in order to save the certificate and no longer receive this error message. Choose Install Certificate at the wizard and click Next. Then, choose Place all the certificates in the following store and click Browse.
Finally, choose the Trusted Root Certification Authorities folder and click Next. Choose Finish and Yes at the final warning window. You should receive another message that says that the import was successful.
Note: You need to complete this process on every computer that uses the SSL client connection, because each computer stores the certificate in its own certificate store.
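The three checks the browser performs on the Concentrator's interface certificate (name match against what was typed, validity period, and whether the issuer is in the trusted root store) can be worked through with a small model. This is an added example, not part of the original document or Cisco's software; the certificate is a constructed dictionary whose CN is the example public IP address, and the `trusted_roots` set stands in for the Trusted Root Certification Authorities store. It also handles DNS names and wildcard CNs, which the text only mentions in passing.

```python
import ipaddress
from datetime import datetime, timezone

def _as_ip(value):
    """Parse an IP address literal, or return None for anything that is not one."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive DNS-name match; one leading '*.' label is allowed in the pattern."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p, h = pattern.split(".")[1:], host.split(".")
        return len(h) == len(p) + 1 and h[1:] == p
    return pattern == host

def name_matches(cert, typed_host):
    """True when what was typed in the browser matches the certificate CN or a SAN entry."""
    sans = cert.get("san", [])            # list of (kind, value), kind is "DNS" or "IP"
    ip = _as_ip(typed_host)
    if ip is not None:
        # An IP in the address bar must match an iPAddress SAN or, as the Concentrator's
        # self-signed certificate relies on, the CN taken literally as an address.
        return any(_as_ip(v) == ip for k, v in sans if k == "IP") or _as_ip(cert["cn"]) == ip
    dns_names = [v for k, v in sans if k == "DNS"] + [cert["cn"]]
    return any(_dns_match(v, typed_host) for v in dns_names)

def check_cert(cert, typed_host, now, trusted_roots):
    """Return the warnings a browser would raise: name mismatch, validity period, issuer trust."""
    warnings = []
    if not name_matches(cert, typed_host):
        warnings.append("hostname mismatch")
    if now < cert["not_before"]:
        warnings.append("certificate not yet valid")
    if now > cert["not_after"]:
        warnings.append("certificate expired")
    if cert["issuer"] not in trusted_roots:
        warnings.append("issuer not trusted")
    return warnings

# Constructed self-signed interface certificate; CN is the public IP used in this example.
CONC_CERT = {
    "cn": "172.16.5.100",
    "san": [],
    "issuer": "172.16.5.100",             # self-signed, so issuer equals subject
    "not_before": datetime(2005, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2006, 1, 1, tzinfo=timezone.utc),
}
```

Importing the certificate into the trusted root store, as the procedure above describes, corresponds to adding its issuer name to `trusted_roots`; only then does `check_cert` return an empty list.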
Complete these steps in order to confirm that your configuration works properly.
Open the Web browser on the Client PC that is going to connect to the VPN Concentrator and enter https://concentrator_ip_address.
At the login prompt, enter the user credentials that you created earlier and select Login.
In this example, type https://172.16.5.100, enter the username test, and its associated password that you created earlier.
This starts the download of the SSL VPN Client on to the client PC.
When you receive the certificate warning, you can either select Yes or View Certificate.
Refer to View Certificate on how to proceed with this option.
In this example, Yes is selected on the certificate warnings.
Click Yes when you are prompted with an alert which states that the certificate issuer is unknown or untrusted.
Click Yes in order to display the certificate information.
Click OK on the certification authentication window to install the certificate as a trusted certificate.
Click Yes when you are prompted with a certificate warning in the next window.
Once you click Yes, the SSL VPN Client is installed on the client PC and the WebVPN connection is established automatically as well. Once the tunnel is established, you can see the Key icon on the Windows taskbar.
Right-click the Key icon and select Status in order to view the WebVPN connection properties in the SSL VPN Client.
In this example the SSL VPN Client is assigned an IP address of 10.10.1.2 which is part of the IP address pool you defined.
Complete these steps in order to troubleshoot your configuration. On the VPN Concentrator you can enable Event Classes to log events. This helps you to troubleshoot if your SSL VPN tunnel does not come up.
Choose Configuration > System > Events > Classes > Add in order to enable all relevant Event Classes.
In this example you need to enable the classes Auth, SSL, STC, and WebVPN.
Note: When you enable Event Classes and set Severity levels, this impacts the performance of the VPN Concentrator. Be sure to disable them once you have finished troubleshooting your problem.
Similarly enable all the other Event Classes.
Choose Monitoring > Filterable Event Log in order to monitor the enabled alarms and click Get Log to view the event logs.
The log is displayed in a text file format. You can save the log with the Save Log option.
Log of SSL VPN Client when connecting:
1 10/18/2005 13:27:32.270 SEV=4 AUTH/22 RPT=3 172.16.1.1 User [test] Group [sslgroup] connected, Session Type: WebVPN
2 10/18/2005 13:27:32.270 SEV=5 WEBVPN/1 RPT=13 172.16.1.1 Group [sslgroup] User [test] WebVPN session started.
Log of an SSL VPN Client issuing a disconnect:
3 10/18/2005 13:28:26.240 SEV=4 AUTH/28 RPT=3 172.16.1.1 User [test] Group [sslgroup] disconnected: Session Type: SSL VPN Client Duration: 0:00:53 Bytes xmt: 244 Bytes rcv: 7083 Reason: User Requested
4 10/18/2005 13:28:26.240 SEV=5 WEBVPN/2 RPT=13 172.16.1.1 Group [sslgroup] User [test] WebVPN session terminated; User Requested.
If you encounter the Reason: bad handshake type error, it could be due to a problem with the expired SSL certificate on one or more interfaces of the VPN Concentrator. The workaround is to delete the expired certificate and regenerate a new one for the particular interface. Choose Administration > Certificate Management and click Generate in order to renew the certificate. Refer to Obtaining SSL Certificates for more information on how to generate a new certificate.
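Saved Filterable Event Log files in the layout shown above can be parsed to build a per-user session timeline and to flag the disconnect reason just discussed. This is an added example, not part of the original document or Cisco's software; the event ids (AUTH/22 connected, AUTH/28 disconnected) are taken from the excerpt above, and the sample log is constructed from the page's four entries plus one invented entry with the bad handshake type reason.

```python
import re
from collections import defaultdict, namedtuple

# One Filterable Event Log entry, in the layout the excerpt above shows:
# <seq> <mm/dd/yyyy> <hh:mm:ss.mmm> SEV=<n> <CLASS>/<id> RPT=<n> <peer-ip> <message>
EVENT_RE = re.compile(
    r"^(?P<seq>\d+)\s+\d{2}/\d{2}/\d{4}\s+[\d:.]+\s+SEV=(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Z]+)/(?P<evid>\d+)\s+RPT=\d+\s+"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<msg>.*)$")
USER_RE = re.compile(r"User \[([^\]]*)\]")      # AUTH lines say "User [..] Group [..]",
GROUP_RE = re.compile(r"Group \[([^\]]*)\]")    # WEBVPN lines the other way round
REASON_RE = re.compile(r"Reason: (.+?)\s*$")
# evid is the id within the class: AUTH/22 = connected, AUTH/28 = disconnected (from the excerpt)
Event = namedtuple("Event", "seq sev cls evid peer user group msg")

def parse_event(line):
    """Return an Event for a well-formed entry, None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    u, g = USER_RE.search(m["msg"]), GROUP_RE.search(m["msg"])
    return Event(int(m["seq"]), int(m["sev"]), m["cls"], int(m["evid"]), m["peer"],
                 u.group(1) if u else None, g.group(1) if g else None, m["msg"])

def triage(lines):
    """Per-(user, peer) session timeline plus findings for the disconnect reason discussed above."""
    timeline, findings = defaultdict(list), []
    for ev in filter(None, map(parse_event, lines)):
        if ev.cls != "AUTH":
            continue                    # the WEBVPN/1 and /2 entries mirror AUTH/22 and /28 here
        key = (ev.user, ev.peer)
        if ev.evid == 22:
            timeline[key].append("connected")
        elif ev.evid == 28:
            r = REASON_RE.search(ev.msg)
            reason = r.group(1) if r else "unknown"
            timeline[key].append("disconnected: " + reason)
            if "bad handshake type" in reason.lower():
                findings.append((ev.peer, ev.user, "possible expired SSL certificate; regenerate it"))
    return dict(timeline), findings

# Constructed sample: the page's four entries plus one invented bad-handshake disconnect.
SAMPLE_LOG = [
    "1 10/18/2005 13:27:32.270 SEV=4 AUTH/22 RPT=3 172.16.1.1 User [test] Group [sslgroup] connected, Session Type: WebVPN",
    "2 10/18/2005 13:27:32.270 SEV=5 WEBVPN/1 RPT=13 172.16.1.1 Group [sslgroup] User [test] WebVPN session started.",
    "3 10/18/2005 13:28:26.240 SEV=4 AUTH/28 RPT=3 172.16.1.1 User [test] Group [sslgroup] disconnected: Session Type: SSL VPN Client Duration: 0:00:53 Bytes xmt: 244 Bytes rcv: 7083 Reason: User Requested",
    "4 10/18/2005 13:28:26.240 SEV=5 WEBVPN/2 RPT=13 172.16.1.1 Group [sslgroup] User [test] WebVPN session terminated; User Requested.",
    "5 10/18/2005 13:30:01.000 SEV=4 AUTH/28 RPT=4 172.16.1.7 User [test] Group [sslgroup] disconnected: Session Type: SSL VPN Client Duration: 0:00:00 Bytes xmt: 0 Bytes rcv: 0 Reason: bad handshake type",
]
```

Run `triage(open("saved.log").read().splitlines())` on a log saved with Save Log to get the same timeline and findings for a real session.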
With the introduction of SSL VPN functionality, HTTP/HTTPS access to the Public interface became a necessity. The default configuration, however, allows SSL VPN access while disallowing management access to the same Public interface.
Use this procedure in order to configure the VPN Concentrator so that you can manage it from the public network for releases 4.1 and later.
Select Configuration > Interfaces > Ethernet 2 (Public), then choose the WebVPN tab.
Check the Allow Management HTTPS sessions check box.
Check the Redirect HTTP to HTTPS checkbox for enhanced security.
Click the Apply button and save the configuration.
Note: This checkbox setting overrides the rules that the Public filter defines (or whatever filter is applied to the Public interface). You do not need to add rules to filters in WebVPN supported code.
In order to access the management screen from the Public interface, the URL now becomes http[s]://<concentrator public IP address>/admin.html.
Problem: The WebVPN users are not able to authenticate against the RADIUS server, but can authenticate successfully with the local database of the VPN Concentrator. Errors such as Login failed and the message in this example screen shot are seen.
Cause: These kinds of problems happen very often when you use any database other than the internal database of the VPN Concentrator. WebVPN users hit the Base Group when they first connect to the VPN Concentrator and therefore must use the default authentication method. Often this method is set to the internal database of the VPN Concentrator and not a configured RADIUS or other server.
Solution: When a WebVPN user authenticates, the VPN Concentrator checks the list of servers defined at Configuration > System > Servers > Authentication and uses the top one. Make sure to move the server that you want WebVPN users to authenticate with to the top of this list. For example, if RADIUS should be the authentication method, you need to move the RADIUS server to the top of the list to push the authentication to it.
Note: Just because WebVPN users initially hit the Base Group does not mean that they are confined to the Base Group. Additional WebVPN groups can be configured on the VPN Concentrator and users can be assigned to them by the RADIUS server by populating attribute 25 with OU=groupname. Refer to Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server for a more detailed explanation.