7/12/2013 - 11:41 AM

Cisco IOS SSL VPN Configuration

SVC Policy Group

The policy group lives under the webvpn context and carries the AnyConnect (SVC) tunnel settings. svc keepalive 300 has the client send a keepalive every 300 seconds so NAT and firewall state stays open; the two svc dpd-interval lines enable dead peer detection from the client side (every 10 s) and the gateway side (every 30 s), so a tunnel whose peer has vanished is torn down and its pool address released instead of lingering until idle timeout; svc dtls allows tunnel data to run over DTLS (UDP) instead of TCP-over-TLS, which avoids the TCP-in-TCP retransmission problem on lossy links.

policy group vpn-group-test
svc keepalive 300
svc dpd-interval client 10
svc dpd-interval gateway 30
svc dtls


Declare the Trustpoint & Create Self-Signed Certificate

Generate RSA Keys

A dedicated key pair for the trustpoint, referenced by label. The original note used modulus 1024; a 1024-bit RSA key is no longer acceptable for a public-facing TLS endpoint and current AnyConnect clients and browsers will reject it, so generate 2048 bits or larger.

crypto key generate rsa label my-rsa-keys modulus 2048
crypto pki trustpoint my-trustpoint
  enrollment selfsigned
  rsakeypair my-rsa-keys
crypto pki enroll my-trustpoint
  % Include the router serial number in the subject name? [yes/no]: yes
  % Include an IP address in the subject name? [no]: no
  Generate Self Signed Router Certificate? [yes/no]: yes

  Router Self Signed Certificate successfully created

Third party certificate

The trustpoint name is the router's handle for this certificate; the same name is used in every PKI command below and in the gateway's ssl trustpoint line. The fqdn and the CN in subject-name must be the DNS name clients actually connect to, otherwise AnyConnect warns on every connection.

router(config)# crypto pki trustpoint [TRUSTPOINT]
router(ca-trustpoint)# enrollment terminal pem
router(ca-trustpoint)# fqdn [FQDN.MYROUTER.ME]
router(ca-trustpoint)# subject-name C=[COUNTRY], ST=[STATE], O=[DOMAIN], OU=[MY ROLE], CN=[FQDN.MYROUTER.ME]/emailAddress=[MY EMAIL ADDRESS]
router(ca-trustpoint)# revocation-check none
router(ca-trustpoint)# rsakeypair [FQDN.MYROUTER.ME] 2048

revocation-check none only governs certificates that peers present to the router and that are validated against this trustpoint; it has no effect on how clients validate the gateway certificate. It is acceptable for a trustpoint that only serves the gateway's own certificate, but if client certificate authentication is ever added, change it to crl or ocsp so revoked client certificates are refused.

Clean old RSA keys

With no label, crypto key zeroize rsa destroys every RSA key pair on the router, including the SSH host key, and any trustpoint bound to those keys loses its certificate. Name the key pair you actually want to remove:

router(config)# crypto key zeroize rsa [OLD-KEY-LABEL]

Create RSA keys

The keyword is exportable (not export). It permits the private key to be pulled off the router with crypto key export rsa ... pem, which is only needed if the key must be backed up or moved to a second router; omit it otherwise, since an exportable key is one more thing someone with configuration access can take. As above, use modulus 2048 or larger rather than the 1024 in the original note.

router(config)# crypto key generate rsa general-keys label [FQDN.MYROUTER.ME] exportable modulus 2048

Import Root Certificate

At the prompt paste the PEM of the CA that will sign the gateway certificate, finish with a line containing quit, and accept the certificate only after checking the displayed fingerprint against a value obtained out of band. If the issuing CA is an intermediate, authenticate this trustpoint with the intermediate's certificate, not the root; the root can be held in a second trustpoint linked to this one with chain-validation continue [ROOT-TRUSTPOINT].

router(config)# crypto pki authenticate [TRUSTPOINT]

Create CSR (certificate signing request)

The request is signed with the key pair named in rsakeypair, so that key must already exist.

router(config)# crypto pki enroll [TRUSTPOINT]

% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes

Copy the PEM block that follows into the CA's signing form.

Import Signed Certificate

Paste the signed certificate's PEM at the prompt, again terminated with quit. The import fails if the certificate's public key does not match the trustpoint's key pair, which is the usual symptom of having zeroized and regenerated keys after the CSR was submitted.

router(config)# crypto pki import [TRUSTPOINT] certificate


show crypto pki certificates    (router and CA certificates per trustpoint; check subject, issuer and validity dates)
show crypto key mypubkey rsa    (key pairs by label, with modulus size)


LDAP Attribute Map

The attribute map translates Active Directory attributes returned by the LDAP bind into the AAA attributes the SSL VPN uses: sAMAccountName becomes the username, physicalDeliveryOfficeName becomes user-vpn-group (selecting the policy group), and membership in the PHYSTER_WORKERS group is mapped to group-lock, with format dn-to-string so the DN is compared as a plain string. The map is attached to the LDAP server definition with attribute map vpn.

ldap attribute-map vpn
 map type memberOf=CN=PHYSTER_WORKERS,CN=Users,DC=PHYSTER,DC=COM group-lock format dn-to-string
 map type physicalDeliveryOfficeName user-vpn-group
 map type sAMAccountName username
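The fragments above do not show the gateway and context that actually bind the trustpoint, the policy group and the LDAP map into a working SSL VPN. The configuration below is an added example written for this page, not taken from the original note. It reuses the trustpoint my-trustpoint from the self-signed section, the policy group vpn-group-test and the ldap attribute-map vpn; everything else is a placeholder chosen for the example: the gateway and context names MY-GW and MY-CTX, the AAA list SSLVPN-AUTH, the LDAP server and group names AD-SRV and AD-LDAP, the addresses 203.0.113.10 (gateway) and 10.0.0.5 (domain controller), the 192.0.2.0/24 client pool, the bind account, and the AnyConnect package path.

```cisco
! Added example; all names and addresses below are assumptions, not from the page.
!
! 1. Address pool handed to AnyConnect clients (example range)
ip local pool SSLVPN-POOL 192.0.2.10 192.0.2.254
!
! 2. AAA: authenticate users against AD over LDAP and pull the
!    username / group attributes through the 'vpn' attribute map
aaa new-model
ldap server AD-SRV
 ipv4 10.0.0.5
 attribute map vpn
 ! bind account: a low-privilege service account with read on the user OU only
 bind authenticate root-dn CN=svc-vpn,CN=Users,DC=PHYSTER,DC=COM password 0 CHANGE-ME
 base-dn CN=Users,DC=PHYSTER,DC=COM
 authentication bind-first
aaa group server ldap AD-LDAP
 server AD-SRV
aaa authentication login SSLVPN-AUTH group AD-LDAP
!
! 3. AnyConnect client package served to users (example path)
webvpn install svc flash:/anyconnect-win.pkg sequence 1
!
! 4. Gateway: the TLS listener. ssl trustpoint names the trustpoint
!    holding the gateway certificate; swap my-trustpoint for the
!    CA-signed trustpoint once the third-party certificate is imported.
!    ssl encryption limits the offered ciphers to AES, dropping RC4/3DES.
webvpn gateway MY-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint my-trustpoint
 ssl encryption aes-sha1
 inservice
!
! 5. Context: ties the AAA list, gateway and policy group together.
webvpn context MY-CTX
 aaa authentication list SSLVPN-AUTH
 gateway MY-GW
 !
 policy group vpn-group-test
   functions svc-enabled
   svc address-pool "SSLVPN-POOL" netmask 255.255.255.0
   svc keepalive 300
   svc dpd-interval client 10
   svc dpd-interval gateway 30
   svc dtls
   ! split tunnel: only 10.0.0.0/8 goes through the VPN; delete this
   ! line for a full tunnel if clients must not reach the internet directly
   svc split include 10.0.0.0 255.0.0.0
   svc dns-server primary 10.0.0.53
 default-group-policy vpn-group-test
 inservice
```

Order matters when entering this: the pool, AAA and package must exist before the context is put inservice, and the gateway must be inservice before the context. Once connected, show webvpn session context all should list the user under the policy group chosen by the attribute map, and show webvpn stats detail context all shows whether the DTLS tunnel came up or traffic fell back to TLS.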

Verification Command List

show webvpn gateway
show webvpn context
show webvpn install package svc
show webvpn install status svc
show webvpn policy group MYPOLICY context all
show webvpn session context all
show webvpn stats detail context all
show route-map MYMAP

Troubleshooting Command List

SSL VPN Clear Commands:

clear webvpn nbns - Clears the NBNS cache on an SSL VPN gateway.
clear webvpn session - Clears SSL VPN remote user sessions.
clear webvpn stats - Clears SSL VPN application and access counters.

SSL VPN Debug Commands:

debug webvpn [verbose] [aaa | acl | cifs | citrix [verbose] | cookie [verbose] | count | csd | data | dns | emweb [state] | entry context-name [source ip [network-mask] | user username] | http [authentication | trace | verbose] | package | sdps [level number] | sock [flow] | sso | timer | trie | tunnel [traffic acl-number | verbose] | url-disp | webservice [verbose]]

An unqualified debug webvpn on a busy gateway floods the console with every session's events. Scope it to the session under investigation with the entry keyword, e.g. debug webvpn entry MYCONTEXT user USERNAME (or entry MYCONTEXT source A.B.C.D), and turn it off with undebug all as soon as the capture is done.