Cisco ASA SSL VPN configuration to support IP Phones using ASA & CUCM self signed certificate

Summary Steps

  1. Build Base ASA Config Enabling AnyConnect
  2. Export Cert From ASA to Import to CUCM OS Admin Cert Management
  3. Configure CUCM VPN details
    • VPN Gateway
    • VPN Group
    • VPN Profile
  4. Configure CommonPhoneProfile (copy of default) with VPNGroup / VPNProfile
  5. Apply new CommonPhoneProfile to relevant phones
  6. CUCM Activate – Cisco Certificate Authority Proxy Function Service
  7. CUCM Activate – Cisco CTL Provider
  8. Export CAPF Cert From CUCM OS Admin to Import to ASA (use Putty to paste in PEM cert)
    • Regenerated the CAPF cert as I thought this was an issue, though I now think it was related to an SSH client issue.
    • Pasting in the cert in Putty works; in SecureCRT this failed.
    • Also generated a PEM from a DER export online, which provided a better format. Need to recheck this.
  9. Set Phone CAPF Params
  10. Restart TVS & TFTP CUCM services.
    • After issues with CUCM, probably related to the laptop having dual default gateways.
    • Phone got its LSC using the manual authentication method (null string).
    • “Device Security Profile” was auto changed in the lab, but I suspect it should be manually changed.
  11. Connect Phone to outside network (to DMZ in this case where anyconnect is enabled)
  12. Boot Phone.

Base ASA Configuration for enabling AnyConnect.

!--- Generate an RSA key for the certificate. (The label should be unique, e.g. sslvpnkeypair.)
crypto key generate rsa label sslvpnkeypair
!
!
!--- Create a trustpoint for the self-issued certificate.
crypto ca trustpoint TP_SSL
!--- The fully qualified domain name is used for both fqdn and CN.
!--- The name should resolve to the ASA outside interface IP address from reachable DNS by phone
enrollment self
fqdn GRH-GW1.birtles.eu
subject-name CN=GRH-GW1.birtles.eu
!--- The RSA key is assigned to the trustpoint for certificate creation.
keypair sslvpnkeypair
!
!
crypto ca enroll TP_SSL noconfirm
!
! For VPN Clients (Phones)
ip local pool SSL_Pool 192.168.222.150-192.168.222.200 mask 255.255.255.0
!
!
group-policy GP_SSL internal
!
group-policy GP_SSL attributes
split-tunnel-policy tunnelall
vpn-tunnel-protocol ssl-client
!
!
!
tunnel-group SSL type remote-access
!
tunnel-group SSL general-attributes
address-pool SSL_Pool
default-group-policy GP_SSL
!
tunnel-group SSL webvpn-attributes
authentication certificate
group-url https://GRH-GW1.birtles.eu/SSL enable
!
!
!
webvpn
! enable on the DMZ interface for testing, usually outside interface
enable dmz
! Is the image required for phones? It is only needed for the standard VPN client download, but 'anyconnect enable' will not be accepted without an image defined.
anyconnect image disk0:/anyconnect/anyconnect-win-3.1.04072-k9.pkg
anyconnect enable
!
!
ssl trust-point TP_SSL dmz
!
! Check whether required: permits decrypted VPN traffic to bypass the interface access lists.
sysopt connection permit-vpn
!

Export ASA Certificate & Import to CUCM

Export the certificate from the ASA and copy into text file (e.g. asa.pem). This will be imported into CUCM OS Admin Certificate Management and used in the CUCM VPN configuration.
show run ssl
! Export from the trustpoint defined in the base config above (TP_SSL), not the tunnel-group name.
crypto ca export TP_SSL identity-certificate
In CUCM OS Administration > Security > Certificate Management > Upload Certificate/Certificate Chain, set the purpose as ‘Phone-VPN-Trust’ with a name/description such as ASA-VPN-GW. Upload the asa.pem file created in the previous step.

Export CUCM CAPF Certificate and Import to ASA

In CUCM OS Administration > Security > Certificate Management, click Find, select the CAPF certificate (the ‘CAPF’ cert, not ‘CAPF-Trust’) and, in the popup dialog, Download PEM File to a text file called CAPF.pem. (See the notes above about format and using Putty for the ASA import.)
Follow the next steps on the ASA; ‘crypto ca authenticate CUCM’ will then ask for the content of CAPF.pem to be pasted into the terminal session.

ASA Import of CUCM Certificate With Own Trustpoint

!
crypto ca trustpoint CUCM
enrollment terminal
crl configure
!
! run next command and paste in CAPF.pem from CUCM OS Admin / Certs when prompted.
crypto ca authenticate CUCM
!
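The notes above record that the CAPF.pem paste worked from Putty but failed from SecureCRT and that a DER-to-PEM conversion gave a better-formatted file. The usual causes are a UTF-8 BOM, CRLF line endings, trailing whitespace or a base64 body that is not wrapped at 64 characters, none of which the ASA terminal enrollment tolerates well. The following script is an added example (not from the original post, not Cisco code) that normalises a DER or PEM export into the canonical PEM layout before it is pasted, and prints fingerprints so the value the ASA shows at the "Do you accept this certificate?" prompt can be compared with the certificate details shown in CUCM OS Administration. It uses only the Python standard library; the sample bytes are constructed and are not a real certificate, they only exercise the framing logic offline.

```python
# Added example (not from the original post): normalise a certificate export
# before pasting it at the ASA 'crypto ca authenticate' prompt, and produce
# fingerprints to compare against the values the ASA and CUCM display.
# Standard library only; the sample bytes below are constructed and are NOT a
# real certificate, they only exercise the framing logic offline.
import base64
import binascii
import hashlib
import re
import ssl

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder: a DER SEQUENCE header followed by filler bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def to_der(data: bytes) -> bytes:
    """Return raw DER from either a DER or a PEM export.

    Tolerates the things that break a terminal paste: a UTF-8 BOM,
    CRLF line endings, trailing spaces, and a base64 body that was
    re-wrapped or flattened onto one line.
    """
    if data[:1] == b"\x30":          # ASN.1 SEQUENCE tag: already DER
        return data
    text = data.decode("utf-8-sig")  # 'utf-8-sig' silently drops a BOM
    match = _PEM_BLOCK.search(text)
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group(1))   # strip CR, LF, spaces, tabs
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 body is corrupt: {exc}") from exc


def to_pem(der: bytes) -> str:
    """Canonical PEM: 64-character lines, LF endings, trailing newline.

    This is the layout terminal enrollment on the ASA expects; the ssl
    module helper performs exactly that wrapping.
    """
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprints(der: bytes) -> dict:
    """Colon-separated hex digests of the DER encoding.

    The ASA prints a fingerprint when it asks you to accept the CA
    certificate, and CUCM OS Admin shows one in the certificate details.
    Compare whichever algorithm the tool displays.
    """
    return {
        name: ":".join(f"{b:02X}" for b in hashlib.new(name, der).digest())
        for name in ("md5", "sha1", "sha256")
    }


def mangled_export() -> str:
    """Constructed: what a Windows download pasted through a terminal can
    look like, with a BOM, CRLF endings and trailing whitespace."""
    clean = to_pem(SAMPLE_DER)
    return "\ufeff" + clean.replace("\n", "   \r\n")


def pem_lines_ok(pem: str) -> bool:
    """Check the body lines are at most 64 characters and LF-terminated."""
    lines = pem.split("\n")
    body = [l for l in lines if l and not l.startswith("-----")]
    return all(len(l) <= 64 and "\r" not in l for l in body)


if __name__ == "__main__":
    der = to_der(mangled_export().encode("utf-8"))
    print(to_pem(der), end="")
    for algo, value in fingerprints(der).items():
        print(f"{algo}: {value}")
```

To use it on a real export, read CAPF.pem (or the DER download) as bytes, pass it through to_der and then to_pem, and paste the result at the ‘crypto ca authenticate CUCM’ prompt; the fingerprints printed for the same DER should match what the ASA shows before you answer yes.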

Show & Debugs

  • show vpn-sessiondb svc (on newer releases the keyword is anyconnect; the output below uses ‘show vpn-sessiondb detail anyconnect’)
  • vpn-sessiondb logoff name <username> (the username is the phone’s certificate name, e.g. CP-8945-SEP8478acec620b in the output below)
  • debug webvpn svc 255

Show Command Output

=======================================
GRH-GW1# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : CP-8945-SEP8478acec620b
Index        : 1
Assigned IP  : 192.168.222.150        Public IP    : 192.168.2.50
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials, AnyConnect for Cisco VPN Phone
Encryption   : AnyConnect-Parent: (1)AES128  SSL-Tunnel: (1)AES128  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 115091                 Bytes Rx     : 21323
Pkts Tx      : 149                    Pkts Rx      : 154
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : GP_SSL                 Tunnel Group : SSL
Login Time   : 13:10:06 GMT Tue Apr 25 2017
Duration     : 0h:00m:21s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID    : 1.1
Public IP    : 192.168.2.50
Encryption   : AES128                 Hashing      : SHA1
Encapsulation: TLSv1.0                TCP Dst Port : 443
Auth Mode    : Certificate
Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
Client Type  : AnyConnect
Client Ver   : Cisco SVC IPPhone Client v1.0
Bytes Tx     : 1666                   Bytes Rx     : 655
Pkts Tx      : 2                      Pkts Rx      : 1
Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID    : 1.2
Assigned IP  : 192.168.222.150        Public IP    : 192.168.2.50
Encryption   : AES128                 Hashing      : SHA1
Encapsulation: TLSv1.0                TCP Src Port : 43384
TCP Dst Port : 443                    Auth Mode    : Certificate
Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
Client Type  : SSL VPN Client
Client Ver   : Cisco SVC IPPhone Client v1.0
Bytes Tx     : 824                    Bytes Rx     : 0
Pkts Tx      : 1                      Pkts Rx      : 0
Pkts Tx Drop : 0                      Pkts Rx Drop : 0

DTLS-Tunnel:
Tunnel ID    : 1.3
Assigned IP  : 192.168.222.150        Public IP    : 192.168.2.50
Encryption   : AES128                 Hashing      : SHA1
Encapsulation: DTLSv1.0               UDP Src Port : 39339
UDP Dst Port : 443                    Auth Mode    : Certificate
Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
Client Type  : DTLS VPN Client
Client Ver   : Cisco SVC IPPhone Client v1.0
Bytes Tx     : 112601                 Bytes Rx     : 20668
Pkts Tx      : 146                    Pkts Rx      : 153
Pkts Tx Drop : 0                      Pkts Rx Drop : 0

NAC:
Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
SQ Int (T)   : 0 Seconds              EoU Age(T)   : 23 Seconds
Hold Left (T): 0 Seconds              Posture Token:
Redirect URL :
==========================================

Notes

1. Uses SHA-1! Can we fix this? Nope, SHA-2 is only available on 5500-X versions.
– AES-256 with SHA-2 ciphers applies only to TLS version 1.2; TLSv1.2 is available in release 9.3(2) of the ASA on 5500-X models.
2. Phone Security Mode shows ‘Non Secure’???
3. The CAPF (Certificate Authority Proxy Function) service is responsible for signing and storing LSCs (Locally Significant Certificates) from phones.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html

Simon Birtles

I have been in the IT sector for over 20 years with a primary focus on solutions around networking architecture & design in Data Center and WAN. I have held two CCIEs (#20221) for over 12 years with many retired certifications with Cisco and Microsoft. I have worked in demanding and critical sectors such as finance, insurance, health care and government providing solutions for architecture, design and problem analysis. I have been coding for as long as I can remember in C/C++ and Python (for most things nowadays). Locations that I work without additional paperwork (incl. post Brexit) are the UK and the EU including Germany, Netherlands, Spain and Belgium.