Cisco ASA SSL VPN configuration to support IP Phones using ASA & CUCM self-signed certificates
Summary Steps
- Build Base ASA Config Enabling AnyConnect
- Export Cert From ASA to Import to CUCM OS Admin Cert Management
- Configure CUCM VPN details
- VPN Gateway
- VPN Group
- VPN Profile
- Configure CommonPhoneProfile (copy of default) with VPNGroup / VPNProfile
- Apply new CommonPhoneProfile to relevant phones
- CUCM Activate – Cisco Certificate Authority Proxy Function Service
- CUCM Activate – Cisco CTL Provider
- Export CAPF Cert From CUCM OS Admin to Import to ASA (use PuTTY to paste in the PEM cert)
- Regenerated the CAPF cert as I thought this was an issue, though I now think it was related to an SSH client issue.
- Pasting in the cert in PuTTY works; in SecureCRT this failed.
- Also generated a PEM from a DER export online, which provided a better format... need to recheck this.
- Set Phone CAPF Params
- Restart TVS & TFTP CUCM services.
- After issues with CUCM, probably related to the laptop having dual default gateways
- Phone got an LSC using the manual authentication method (null string).
- "Device Security Profile" was auto-changed in the lab, but I suspect it should be manually changed.
- Connect Phone to outside network (to DMZ in this case where anyconnect is enabled)
- Boot phone.
Base ASA Configuration for enabling AnyConnect.
!--- Generate an RSA key for the certificate. (The label should be unique, e.g. sslvpnkeypair.)
crypto key generate rsa label sslvpnkeypair
!
!--- Create a trustpoint for the self-issued certificate.
crypto ca trustpoint TP_SSL
!--- The fully qualified domain name is used for both fqdn and CN. The phone checks the
!--- certificate against the host name in the VPN Gateway URL, so the two must agree, and the
!--- name must resolve, from DNS the phone can reach, to the IP of the ASA interface where
!--- webvpn is enabled (outside in production, dmz in this lab).
 enrollment self
 fqdn GRH-GW1.birtles.eu
 subject-name CN=GRH-GW1.birtles.eu
!--- The RSA key is assigned to the trustpoint for certificate creation.
 keypair sslvpnkeypair
!
crypto ca enroll TP_SSL noconfirm
!
!--- Address pool for VPN clients (phones)
ip local pool SSL_Pool 192.168.222.150-192.168.222.200 mask 255.255.255.0
!
group-policy GP_SSL internal
group-policy GP_SSL attributes
 split-tunnel-policy tunnelall
 vpn-tunnel-protocol ssl-client
!
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool SSL_Pool
 default-group-policy GP_SSL
tunnel-group SSL webvpn-attributes
!--- Phones authenticate with the LSC issued by CAPF, so the ASA must trust the CAPF
!--- certificate (imported below) for this to succeed.
 authentication certificate
 group-url https://GRH-GW1.birtles.eu/SSL enable
!
webvpn
!--- Enabled on the DMZ interface for testing; normally the outside interface.
 enable dmz
!--- Is the image required for phones? It is only used for the standard client download,
!--- but an image is required before 'anyconnect enable' is accepted.
 anyconnect image disk0:/anyconnect/anyconnect-win-3.1.04072-k9.pkg
 anyconnect enable
!
!--- Bind the trustpoint to the interface the phones connect to; without this the ASA
!--- presents a different certificate than the one exported to CUCM.
ssl trust-point TP_SSL dmz
!
!--- Check whether this is required. It is on by default and lets decrypted VPN traffic bypass
!--- the interface ACL; if it is disabled, the phone's traffic must be permitted by the ACL on
!--- the interface where the tunnel terminates.
sysopt connection permit-vpn
!
Export ASA Certificate & Import to CUCM
show run ssl
crypto ca export TP_SSL identity-certificate
!--- The export argument is the trustpoint name (TP_SSL above), not the tunnel-group name SSL.
!--- Copy the PEM block the ASA prints and upload it in CUCM OS Administration > Security >
!--- Certificate Management as a Phone-VPN-trust certificate; the VPN Gateway configured in
!--- CUCM refers to that certificate and it is what the phone uses to validate the ASA.
Export CUCM CAPF Certificate and Import to ASA
ASA Import of CUCM Certificate With Own Trustpoint
!
crypto ca trustpoint CUCM
 enrollment terminal
 crl configure
!
!--- Run the next command and paste in CAPF.pem (CUCM OS Admin > Certificate Management) when
!--- prompted. If CUCM hands you a DER file, convert it to PEM locally rather than with an online
!--- converter. Afterwards confirm with show crypto ca certificates CUCM that the fingerprint
!--- matches the one CUCM displays for the CAPF certificate; this trustpoint is what validates
!--- the phone's LSC under 'authentication certificate'.
crypto ca authenticate CUCM
!
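As an added check (example code written for this page, not part of the original notes or of any Cisco tooling): a short Python linter over the ASA configuration above that verifies the relationships the phone's certificate validation depends on. It checks that the trustpoint bound with ssl trust-point exists, that its fqdn and subject CN agree, that every group-url host is that fqdn, that the remote-access tunnel-group uses certificate authentication, and that anyconnect enable is set; it also derives the export command, whose argument is the trustpoint name. ASA_CONFIG is the page's configuration trimmed to the lines the checks read; the finding messages are my own wording.

```python
"""Lint the ASA-side wiring that the phone's certificate checks depend on.

Added example, not from the page or from Cisco. ASA_CONFIG is the page's base
config trimmed to the lines the checks read (constructed sample input)."""
import re
from urllib.parse import urlparse

ASA_CONFIG = """\
crypto ca trustpoint TP_SSL
 enrollment self
 fqdn GRH-GW1.birtles.eu
 subject-name CN=GRH-GW1.birtles.eu
 keypair sslvpnkeypair
!
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool SSL_Pool
 default-group-policy GP_SSL
tunnel-group SSL webvpn-attributes
 authentication certificate
 group-url https://GRH-GW1.birtles.eu/SSL enable
!
webvpn
 enable dmz
 anyconnect enable
!
ssl trust-point TP_SSL dmz
"""

TRUSTPOINT = re.compile(r"^crypto ca trustpoint (\S+)$")
TUNNEL_GROUP = re.compile(
    r"^tunnel-group (\S+) (type|general-attributes|webvpn-attributes)(?: (\S+))?$")
SSL_TRUSTPOINT = re.compile(r"^ssl trust-point (\S+)(?: (\S+))?$", re.M)


def _blocks(config, header):
    """[(header match, {sub-command: [arguments...]})] for each block `header` opens.
    A block ends at the first line that is neither the header nor indented."""
    blocks, current = [], None
    for line in config.splitlines():
        m = header.match(line)
        if m:
            current = {}
            blocks.append((m, current))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current.setdefault(key, []).append(value)
        else:
            current = None
    return blocks


def trustpoints(config):
    """{name: {sub-command: last argument}} for every crypto ca trustpoint block."""
    out = {}
    for m, attrs in _blocks(config, TRUSTPOINT):
        out.setdefault(m.group(1), {}).update({k: v[-1] for k, v in attrs.items()})
    return out


def tunnel_groups(config):
    """{name: {"type": ..., "authentication": ..., "group-url": [urls], ...}}."""
    out = {}
    for m, attrs in _blocks(config, TUNNEL_GROUP):
        g = out.setdefault(m.group(1), {"group-url": []})
        if m.group(2) == "type":
            g["type"] = m.group(3)
        g["group-url"] += [v.split()[0] for v in attrs.get("group-url", [])]
        g.update({k: v[-1] for k, v in attrs.items() if k != "group-url"})
    return out


def bound_trustpoints(config):
    """{interface: trustpoint} from 'ssl trust-point <tp> [<interface>]' lines."""
    return {iface or "<all>": tp for tp, iface in SSL_TRUSTPOINT.findall(config)}


def export_commands(config):
    """Export command for each identity cert a phone can be shown; the argument is
    the trustpoint name, not the tunnel-group name."""
    return sorted(f"crypto ca export {tp} identity-certificate"
                  for tp in set(bound_trustpoints(config).values()))


def audit(config):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings, served = [], set()
    tps, groups, bound = trustpoints(config), tunnel_groups(config), bound_trustpoints(config)
    if not bound:
        findings.append("no 'ssl trust-point' binding; the trustpoint cert is not what the phone sees")
    for iface, tp in bound.items():
        attrs = tps.get(tp)
        if attrs is None:
            findings.append(f"ssl trust-point {tp} ({iface}): trustpoint does not exist")
            continue
        fqdn = attrs.get("fqdn", "")
        cn = re.search(r"CN=([^,]+)", attrs.get("subject-name", ""))
        if not fqdn or not cn or cn.group(1).lower() != fqdn.lower():
            findings.append(f"trustpoint {tp}: fqdn {fqdn!r} and subject-name "
                            f"{attrs.get('subject-name')!r} disagree")
        if fqdn:
            served.add(fqdn.lower())
    for name, g in groups.items():
        if g.get("type") != "remote-access":
            continue
        if g.get("authentication") != "certificate":
            findings.append(f"tunnel-group {name}: authentication is "
                            f"{g.get('authentication')!r}, phones need 'certificate'")
        for url in g["group-url"]:
            host = (urlparse(url).hostname or "").lower()   # hostname is lower-cased by urlparse
            if host not in served:
                findings.append(f"tunnel-group {name}: group-url host {host!r} "
                                "is not the fqdn of a bound trustpoint")
    if not re.search(r"^ anyconnect enable$", config, re.M):
        findings.append("webvpn: 'anyconnect enable' is not set")
    return findings


if __name__ == "__main__":
    print(*export_commands(ASA_CONFIG), sep="\n")
    print(*(audit(ASA_CONFIG) or ["no findings"]), sep="\n")
```

Run it against a `show running-config` paste before exporting anything; a mismatch between the group-url host and the trustpoint fqdn, or a trustpoint bound to the wrong name, shows up here rather than as a phone that silently refuses to connect.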
Show & Debugs
- show vpn-sessiondb svc (show vpn-sessiondb anyconnect on later releases; the output below is from show vpn-sessiondb detail anyconnect)
- vpn-sessiondb logoff name <username>
- debug webvpn svc 255 (debug webvpn anyconnect 255 on later releases)
Show Command Output
=======================================
GRH-GW1# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : CP-8945-SEP8478acec620b
Index        : 1
Assigned IP  : 192.168.222.150        Public IP    : 192.168.2.50
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials, AnyConnect for Cisco VPN Phone
Encryption   : AnyConnect-Parent: (1)AES128  SSL-Tunnel: (1)AES128  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 115091                 Bytes Rx     : 21323
Pkts Tx      : 149                    Pkts Rx      : 154
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : GP_SSL                 Tunnel Group : SSL
Login Time   : 13:10:06 GMT Tue Apr 25 2017
Duration     : 0h:00m:21s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 1.1
  Public IP    : 192.168.2.50
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Dst Port : 443
  Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client Type  : AnyConnect
  Client Ver   : Cisco SVC IPPhone Client v1.0
  Bytes Tx     : 1666                   Bytes Rx     : 655
  Pkts Tx      : 2                      Pkts Rx      : 1
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 1.2
  Assigned IP  : 192.168.222.150        Public IP    : 192.168.2.50
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Src Port : 43384
  TCP Dst Port : 443                    Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client Type  : SSL VPN Client
  Client Ver   : Cisco SVC IPPhone Client v1.0
  Bytes Tx     : 824                    Bytes Rx     : 0
  Pkts Tx      : 1                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

DTLS-Tunnel:
  Tunnel ID    : 1.3
  Assigned IP  : 192.168.222.150        Public IP    : 192.168.2.50
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: DTLSv1.0               UDP Src Port : 39339
  UDP Dst Port : 443                    Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco SVC IPPhone Client v1.0
  Bytes Tx     : 112601                 Bytes Rx     : 20668
  Pkts Tx      : 146                    Pkts Rx      : 153
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 23 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :
==========================================
Notes
1. Uses SHA-1. Can we fix this? Not on this platform: SHA-2 is only available on the 5500-X series.
– AES-256 with SHA-2 ciphers applies only to TLS version 1.2; TLSv1.2 is available from release 9.3(2) of the ASA on 5500-X models. The session above negotiated TLSv1.0/DTLSv1.0 with AES128/SHA1, which is the best this ASA offers; the phone firmware also has to support TLS 1.2 before a stronger suite can be negotiated.
2. Phone Security Mode shows Non Secure (open question). The LSC is what authenticates the VPN tunnel, but the Security Mode the phone reports comes from the Device Security Profile assigned to it (see the summary steps), not from the presence of an LSC.
3. The CAPF (Certificate Authority Proxy Function) service issues and signs the phones' LSCs (Locally Significant Certificates) and keeps a record of them. This is why the ASA is given the CAPF certificate as its own trustpoint: it is the issuer it must trust to validate the LSC a phone presents under 'authentication certificate'.
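Applying note 1 to the session output above, as an added example (written for this page, not from the original notes or from Cisco): a parser for the two-column "Key : Value" layout of show vpn-sessiondb detail anyconnect that flags pre-TLS-1.2 encapsulation, SHA1/MD5 HMACs, non-AES ciphers and any tunnel whose Auth Mode is not Certificate. SESSION_OUTPUT is the page's output trimmed to the fields the audit reads; the CP-<model>-SEP<MAC> username pattern is inferred from that single sample and is an assumption.

```python
"""Audit 'show vpn-sessiondb detail anyconnect' output for a phone session.

Added example, not from the page or from Cisco. SESSION_OUTPUT is the page's
sample output, trimmed (constructed sample input)."""
import re

SESSION_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : CP-8945-SEP8478acec620b
Index        : 1
Assigned IP  : 192.168.222.150        Public IP    : 192.168.2.50
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)AES128  SSL-Tunnel: (1)AES128  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Group Policy : GP_SSL                 Tunnel Group : SSL
Login Time   : 13:10:06 GMT Tue Apr 25 2017

AnyConnect-Parent:
  Tunnel ID    : 1.1
  Public IP    : 192.168.2.50
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Dst Port : 443
  Auth Mode    : Certificate
  Client Ver   : Cisco SVC IPPhone Client v1.0

SSL-Tunnel:
  Tunnel ID    : 1.2
  Assigned IP  : 192.168.222.150        Public IP    : 192.168.2.50
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: TLSv1.0                TCP Src Port : 43384
  TCP Dst Port : 443                    Auth Mode    : Certificate

DTLS-Tunnel:
  Tunnel ID    : 1.3
  Assigned IP  : 192.168.222.150        Public IP    : 192.168.2.50
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: DTLSv1.0               UDP Src Port : 39339
  UDP Dst Port : 443                    Auth Mode    : Certificate

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
"""

SECTION = re.compile(r"(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel|NAC):")
TUNNELS = ("AnyConnect-Parent", "SSL-Tunnel", "DTLS-Tunnel")
PRE_TLS12 = {"SSLv3", "TLSv1.0", "TLSv1.1", "DTLSv1.0"}   # DTLS 1.0 is the TLS 1.1 generation
WEAK_HASHES = {"MD5", "SHA1", "NONE"}
# Assumption: phone LSC subjects look like the page's one sample, CP-<model>-SEP<MAC>.
PHONE_CN = re.compile(r"^CP-\d+-SEP[0-9A-Fa-f]{12}$")


def parse_fields(line):
    """'Key : Value    Key : Value' -> {key: value}. A new cell starts only where two or
    more spaces are followed by a letter, so values such as '13:10:06 GMT ...' stay whole."""
    fields = {}
    for cell in re.split(r"\s{2,}(?=[A-Za-z])", line.strip()):
        key, sep, value = cell.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_session(text):
    """{'summary': {...}, 'tunnels': {tunnel name: {...}}} for one detailed session."""
    summary, sections = {}, {}
    target = summary
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION.fullmatch(line.strip())
        if m:                                   # 'SSL-Tunnel:' opens a per-tunnel block
            target = sections.setdefault(m.group(1), {})
            continue
        target.update(parse_fields(line))
    return {"summary": summary,
            "tunnels": {n: f for n, f in sections.items() if n in TUNNELS}}


def audit_session(text):
    """Return (scope, finding) pairs; an empty list means nothing to flag."""
    session, findings = parse_session(text), []
    user = session["summary"].get("Username", "")
    if not PHONE_CN.match(user):
        findings.append(("session", f"Username {user!r} is not a phone LSC subject (CP-<model>-SEP<MAC>)"))
    for name, t in session["tunnels"].items():
        if t.get("Encapsulation") in PRE_TLS12:
            findings.append((name, f"{t['Encapsulation']} negotiated; AES-256/SHA-2 suites need TLS 1.2"))
        if t.get("Hashing") in WEAK_HASHES:
            findings.append((name, f"HMAC {t['Hashing']} negotiated"))
        if not t.get("Encryption", "").startswith("AES"):
            findings.append((name, f"cipher {t.get('Encryption')!r} is not AES"))
        if t.get("Auth Mode") != "Certificate":
            findings.append((name, f"Auth Mode {t.get('Auth Mode')!r}; phones must authenticate with their LSC"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_session(SESSION_OUTPUT) or [("session", "no findings")]:
        print(f"{scope}: {finding}")
```

On the page's own session every tunnel is reported twice (TLSv1.0/DTLSv1.0 and SHA1), which is exactly the limitation note 1 describes; the same audit run after a move to a 5500-X on 9.3(2) or later shows whether TLS 1.2 and a SHA-2 suite were actually negotiated rather than merely enabled.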