Here I am going to show how to configure an SSL VPN that is used with the Cisco AnyConnect client.
- Get access to the devices in my home lab, even through internet connections that sit behind a proxy and only allow ports 80 and 443.
- Cisco 1841 connected to my LAN (like a router on a stick), running IOS 12.4(24)T6 (c1841-advsecurityk9-mz.124-24.T6.bin) with the Advanced Security feature set.
What to do:
- Set up the SSL VPN configuration on the 1841
- Allow the VPN clients access to the dynamips server and/or whatever resources you like
- Set up the Cisco AnyConnect client on a Windows machine
Let's begin with the configuration:
I will only cover the configuration of the SSL VPN itself. Keep in mind that my router has the IP address 192.168.1.5, is connected to my LAN and has a default route to my internet router. On my home router I have configured port forwarding so that port 443 is forwarded directly from the internet to my SSL VPN router.
1) As the SSL VPN runs over HTTPS/SSL, we need a certificate for it. To do that for free, we generate a self-signed certificate:
## configure a domain name
ip domain name ccie.lab.mwirth
## set up the properties of the locally used certificate (trustpoint): enrollment is self-signed, the certificate revocation list (CRL) is checked to make sure the certificate has not been revoked, and a 1024-bit RSA key pair is used
crypto pki trustpoint CERTIFICATE_NAME
enrollment selfsigned
revocation-check crl
rsakeypair KEY_SSL 1024 1024
## after doing this, the following should also show up in the running config
crypto pki certificate chain CERTIFICATE_NAME
certificate self-signed 01 nvram:SSL-GATEccie#1.cer
## create the certificate you just configured the properties for
crypto pki enroll CERTIFICATE_NAME
## we need HTTPS (port 443) to run the VPN
ip http secure-server
## configure an authentication list so that the VPN users are authenticated against the local database, RADIUS or TACACS+ (here: local)
aaa new-model
aaa authentication login AAA_LOGIN local
NOTE: When enabling aaa new-model, keep in mind that you should set an enable secret, have at least one local username configured (the "local" method needs it) and configure "login authentication AAA_LOGIN" under con 0 and the vty lines, otherwise you can lock yourself out of the router.
## configure an access-list that defines which resources the VPN clients shall have access to (in my case the network of the VPN clients is the same as the destination network); I give access to my whole network, you can do this the way you like
ip access-list extended ACL_SSL
permit ip any 192.168.1.0 0.0.0.255
## configure a local address pool from which the VPN clients get their VPN IP addresses
ip local pool POOL_SSL 192.168.1.20 192.168.1.29
## configure a webvpn/sslvpn gateway entry
webvpn gateway WEBVPN_GATE
ip address 192.168.1.5 port 443 // this is where the router is reachable for the SSL connections
http-redirect port 80 // when a user comes in on port 80 he is redirected to 443
ssl trustpoint CERTIFICATE_NAME
inservice // activate the gateway
## configure a webvpn/sslvpn context entry
webvpn context CONTEXT_SSL
title "Welcome to my SSL-VPN - http://chasingmyccie.wordpress.com"
ssl authenticate verify all
login-message "Welcome to my SSL-VPN - Enter User/Pass now!"
policy group PG_SSL
banner "User credentials have been accepted! Have fun! - http://chasingmyccie.wordpress.com"
filter tunnel ACL_SSL // here the ACL is attached to the VPN users, allowing or forbidding resources
svc address-pool POOL_SSL // the addresses for the VPN clients we configured above
svc default-domain chasingmyccie.wordpress.com // the DNS domain name (suffix) a logged-in client gets on the virtual VPN interface of the AnyConnect client; this takes a bare domain name, not a URL
svc homepage http://chasingmyccie.wordpress.com // a logged-in user is sent to this page in the browser
svc rekey method new-tunnel // when the keys need to be renegotiated, a reconnect is required
svc split include 192.168.1.4 255.255.255.255 // these entries configure split tunneling: the AnyConnect client gets them pushed as routes into the operating system, so the user keeps using his own internet connection for everything else and only traffic to these hosts goes through the tunnel
svc split include 192.168.1.3 255.255.255.255
svc split include 192.168.1.5 255.255.255.255
svc split include 192.168.1.1 255.255.255.255
svc split include 192.168.1.2 255.255.255.255
default-group-policy PG_SSL // use this group for all users that come into the VPN
aaa authentication list AAA_LOGIN // authenticate all users that want to connect to the VPN with this authentication list
gateway WEBVPN_GATE // associate the gateway configured earlier with this context
inservice // activate the context
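The filter ACL and the split-include list above work together, and it is easy to misread what a client can actually reach. As an added example (not from the original post, and nothing a router runs), this Python script parses those two pieces of the configuration and decides, per destination, whether a packet from the AnyConnect client goes through the tunnel, is dropped by the filter, or never enters the tunnel at all; it also makes the wildcard-mask versus subnet-mask difference between the two commands explicit.

```python
import ipaddress
import re

# Constructed sample input: the split-include lines and filter ACL from above.
SPLIT_INCLUDE_CFG = """
svc split include 192.168.1.4 255.255.255.255
svc split include 192.168.1.3 255.255.255.255
svc split include 192.168.1.5 255.255.255.255
svc split include 192.168.1.1 255.255.255.255
svc split include 192.168.1.2 255.255.255.255
"""
FILTER_ACL_CFG = """
ip access-list extended ACL_SSL
 permit ip any 192.168.1.0 0.0.0.255
"""

def parse_split_includes(cfg):
    """'svc split include <net> <mask>' takes a normal subnet mask."""
    return [ipaddress.IPv4Network(f"{addr}/{mask}")
            for addr, mask in re.findall(r"svc split include (\S+) (\S+)", cfg)]

def acl_target(token):
    """ACL address token -> network. IOS ACLs use *wildcard* masks (0 bit =
    must match), i.e. the inverse of the split-include subnet mask."""
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.IPv4Network(token.split()[1] + "/32")
    addr, wildcard = token.split()
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def parse_filter_acl(cfg):
    """Return [(action, destination network)] in ACL order; 'ip' entries only."""
    tok = r"(any|host \S+|\S+ \S+)"
    return [(action, acl_target(dst))
            for action, _src, dst in re.findall(rf"(permit|deny) ip {tok} {tok}", cfg)]

def classify(dst_ip, split_nets, acl_rules):
    """Where does a packet from the AnyConnect client to dst_ip end up?"""
    ip = ipaddress.IPv4Address(dst_ip)
    if not any(ip in net for net in split_nets):
        return "local"    # no pushed route: leaves via the client's own internet link
    for action, net in acl_rules:  # first match wins, as on the router
        if ip in net:
            return "tunnel" if action == "permit" else "dropped"
    return "dropped"      # every IOS ACL ends with an implicit deny

SPLIT = parse_split_includes(SPLIT_INCLUDE_CFG)
ACL = parse_filter_acl(FILTER_ACL_CFG)
```

Calling classify("192.168.1.10", SPLIT, ACL) returns "local" even though ACL_SSL permits that host, because no route for it is pushed to the client; only the five split-include hosts are reachable through the VPN.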
## download the sslvpn/webvpn packages for users that want to connect with the browser or the AnyConnect client, copy them into flash with FTP/TFTP and then install them (config mode)
webvpn install svc flash:anyconnect-win-2.5.3055-k9.pkg sequence 1
webvpn install svc flash:anyconnect-macosx-i386-2.5.3055-k9.pkg sequence 2
webvpn install svc flash:anyconnect-linux-2.5.3055-k9.pkg sequence 3
Save the config and reboot the router to be sure everything has been accepted.
After the reboot, on some IOS versions the three "webvpn install" lines above are missing from the config. Re-enter them, because otherwise the webvpn will probably not work correctly!
So now it is time to set up the VPN client. I used this image to install the client on my Windows machine: "anyconnect-win-2.5.3055-pre-deploy-k9.msi".
If you have further questions, just leave a comment or email me.
Have fun with it!