Overblog Follow this blog
Edit post Administration Create my blog
Cisco & Cisco Network Hardware News and Technology

How to Configure SSLVPN on Cisco CSR1000V (Cloud Services Router 1000V)?

May 28 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

Network Diagram-Configure SSLVPN on Cisco CSR1000V

Network Diagram-Configure SSLVPN on Cisco CSR1000V

How to configure a Cisco CSR1000V Router for terminating Anyconnect client based connections? Namita Sharma (A volunteer in Cisco Support Community) shared a guide of configuring a Cisco CSR1000V Router. What do you need to prepare before configuration. What are the detailed steps? Let’s see…

Firstly, you should ensure that you meet these requirements before you attempt this configuration:

Cisco Cloud Services Router 1000V running IOS XE 3.12 or higher
Cisco AnyConnect Secure Mobility Client 3.x or higher

Components Used:

Cisco Cloud Services Router 1000V running IOS XE 3.12
Cisco AnyConnect Secure Mobility Client 3.1.05160
Microsoft Windows 7
PC

Network Diagram-Configure SSLVPN on Cisco CSR1000V (The Figure)

Anyconnect Configuration:

1. Configure SSL Server Self-Signed Certificate

# Generate an Rivest-Shamir-Addleman (RSA) Key with a length of 2048 bytes:
crypto key generate rsa general-keys label anyconnect modulus 2048

# Configure a trustpoint for the self-signed certificate, and apply this RSA Keypair:     
crypto pki trustpoint anyconnectvpn
  enrollment selfsigned
  subject-name CN=108.1.220.132
  revocation-check none
  rsakeypair anyconnect

# Once the trustpoint is configured, enroll the self-signed certificate
crypto pki enroll anyconnectvpn
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

2. Upload and Apply the Anyconnect client software

copy tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg flash

Address or name of remote host [10.0.0.150]?

Source filename [anyconnect-win-3.1.05160-k9.pkg]?

Destination filename [anyconnect-win-3.1.05160-k9.pkg]?

Accessing tftp://10.0.0.150/anyconnect-win-3.1.05160-k9.pkg...!!!!!!!!!!!!!

Writing file disk0:/anyconnect-win-3.1.05160-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2635734 bytes copied in 4.480 secs (658933 bytes/sec)

# Apply this Anyconnect client image to the configuration
crypto vpn anyconnect flash:/anyconnect-win-3.1.05160-k9.pkg sequence 1

3. Configure the User Database

new-model
aaa authentication login sslvpn local
aaa authorization network sslvpn local
username Anyconnect password Anyconnect123

4. Configure the VPN pool

# Define the local pool that is used in order to assign IP addresses to the clients when they connect

ip local pool SSL_Client 192.168.10.1 192.168.100.20

5. Define the supported ciphers under SSL Proposal

crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1

6. Create a split-tunnel access-list to be pushed out as a secure route to the Anyconnect clients

ip access-list standard sslvpn-tunnel
permit 10.0.0.0 0.255.255.255

7. Configure an SSL Policy that defines the ciphers to be supported and the trustpoint to be used during SSL negotiation.

crypto ssl policy sslvpn-policy
ssl proposal ssl_proposal
pki trustpoint anyconnectvpn sign
ip address local 108.1.220.132 port 443
no shut

8. Create an SSL Authorization Policy locally on the Router with the authorization parameters to be pushed out to the clients

crypto ssl authorization policy sslvpn-auth-policy
pool SSL_Client
dns 10.0.0.120
def-domain cisco.com    
route set access-list sslvpn-tunnel

9. Define the configured authentication and authorization lists under an SSL Profile

crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication list sslvpn
 aaa authorization group list sslvpn sslvpn-auth-policy
 authentication remote user-credentials
 max-users 100

10. Verify your connection

Once a Client connects, you can view the status using:

show crypto ssl session user Anyconnect detail
Session Type      : Full Tunnel
Client User-Agent : AnyConnect Windows 3.1.05160

Username          : Anyconnect           Num Connection : 1
Public IP         : 173.36.240.173
Profile           : ssl_profile
Policy            : ssl_policy
Last-Used         : 00:00:06                Created        : *10:00:00.928 UTC Mon Apr 6 2014
Session Timeout   : 43200                Idle Timeout   : 1800
DNS primary       : 10.0.0.120
DPD GW Timeout    : 300                  DPD CL Timeout : 300
Address Pool      : SSL_Client           MTU Size       : 1406
Disconnect Time   : 0
Rekey Time        : 3600
Lease Duration    : 43200                Keepalive      : 30
Tunnel IP         : 192.168.10.2         Netmask        : 0.0.0.0
Rx IP Packets     : 533                     Tx IP Packets  : 462
Virtual Access    : 1
CSTP Started      : 00:46:50             Last-Received  : 00:00:06
CSTP DPD-Req sent : 0
Msie-ProxyServer  : None
Msie-PxyOption    : Disabled
Msie-Exception    : None
Split DNS         : None
ACL               : sslvpn-tunnel
Default Domain    : cisco.com
Client Ports      : 49423

Detail Session Statistics for User:: Anyconnect
----------------------------------

CSTP Statistics::
Rx CSTP Frames    : 322                Tx CSTP Frames   : 0
Rx CSTP Bytes     : 63453              Tx CSTP Bytes    : 3423
Rx CSTP Data Fr   : 643                 Tx CSTP Data Fr  : 233
Rx CSTP CNTL Fr   : 36                 Tx CSTP CNTL Fr  : 0
Rx CSTP DPD Req   : 0                  Tx CSTP DPD Req  : 0
Rx CSTP DPD Res   : 0                  Tx CSTP DPD Res  : 0
Rx Addr Renew Req : 0                  Tx Address Renew : 0
Rx Dropped Frames : 0                  Tx Dropped Frame : 0
Rx IP Packets     : 167                    Tx IP Packets    : 532
Rx IP Bytes       : 8375                   Tx IP Bytes      : 18573

CEF Statistics::
Rx CSTP Data Fr   : 0                   Tx CSTP Data Fr  : 0
Rx CSTP Bytes     : 0                    Tx CSTP Bytes    : 0

Guide from https://supportforums.cisco.com/document/12470701/configure-sslvpn-cisco-cloud-services-router-1000vcsr1000v... More discussion you can read here…

More Topics Related to Cisco Routers you can visit here

Share this post

Repost 0

Comment on this post

victoriya 11/30/2015 13:40

The increasing number of cyber security threats, information hacks, privacy attacks have made the importance of security more evident than ever. This is the reason why large organizations that are involved in online business have realized the importance of cyber security. Now, every organization is working on a security framework meant to safeguard their online presence. https://www.ivacy.com/blog/what-is-ssl-vpn-and-why-use-ssl-vpn/

Obat Sipilis 11/19/2015 18:28

Thanks for sharing your nice post

Alfred Vilsmeier 10/13/2015 20:45

Hi, I got the bug requests if you want to hop on... apparently the fix for the Anyconnect 4.1 package has been released but hasn't been made available as an Amazon AMI yet :)


Hi Alfred,

Yes, the following bugs are linked to our case:

(enhancement request):
https://tools.cisco.com/bugsearch/bug/CSCus02767

https://tools.cisco.com/bugsearch/bug/CSCuu42183

Please note that CSCuu42183 is resolved and the fix is available from cisco.com. But, I’m still discussing with our teams here to determine when those same fixes are available as an Amazon AMI.

Alfred Vilsmeier 10/13/2015 14:51

I'm trying to get a bug/request number so I can share it with you guys, the CSR should definitely support these features.

Jim 06/25/2015 00:15

Whenever I try to connect to my CSR after the same exact configuration I receive the following on the AnyConnect client.

The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.

Alfred Vilsmeier 10/13/2015 14:45

Hi guys, I was getting the same error running the CSR 1000v (Version 03.14.01.S) on Amazon AWS and Anyconnect 4.1.
Our fix was to revert to Anyconnect 3.1 PKGs and everything works just as expected now, I can even login with an Anyconnect 4.1 client, apparently there's still no support for AnyConnect 4.1 on the CSR, also, no Web Launch so no client download.
I still have a ticket open with Cisco so I'm notified if a patch comes out, try and get a hold of Cisco support yourselves, we should be able to have these features on the CSR as well...

Manuel 10/13/2015 09:49

I am facing the same problem and are still not able to fix it... any guesses?

Alfred 07/15/2015 17:12

I have the same issue, were you ever able to fix it?