
Configuring Clientless SSL VPN (WebVPN) on Cisco IOS Routers

A Tekcert member recently posted a question in the forums regarding IOS Clientless SSL VPN, a.k.a. WebVPN. This prompted me to test the functionality in a lab environment and post my findings. To make it easier to find, I decided to make it a full-blown blog post. So, here we go...

The first step I took was to get a router with 12.4T code running on a LAN with a desktop connected to it. The following configuration is broken into chunks to help break down the process.

Configure basic settings on the router, including hostname, domain, usernames, etc. (not all of this is required for WebVPN to work, but it is what I had on my router so you're getting it all):

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname R1

boot-start-marker
boot-end-marker

enable secret 5 $1$AAgP$EGtD.sBs/zDbFhMkfBUSR.

aaa new-model

aaa session-id common
ip source-route
ip cef

username tekcert privilege 15 password cisco

interface GigabitEthernet2/0
 ip address 192.168.146.2 255.255.255.0
 negotiation auto

ip domain-name tekcert.com

ip http server
ip http authentication local
ip http secure-server

A key point to make here is that enabling ip http secure-server (HTTPS) forces the router to create a self-signed certificate if it hasn't already done so. If you have a Certificate Authority (CA) server or have purchased a cert from one of the dozens of providers on the net, you can upload that cert to the router and use it instead of the self-signed one. Since this is a lab, I went ahead and used the self-signed cert.

Now comes the specific WebVPN configuration:

webvpn gateway TekcertSSLVPNGW1
 hostname R1
 ip address 192.168.146.2 port 443 
 http-redirect port 80
 ssl trustpoint TP-self-signed-cert
 inservice
 !
webvpn context Context1
 ssl authenticate verify all
 !
 url-list "InternalWebServers"
   heading "TekcertSSLVPNGW1"
   url-text "Tekcert Blogs" url-value "http://tekcert.com"
   url-text "Tekcert Forums" url-value "http://tekcert.com/forum"
 !
 nbns-list NBNSServers
   nbns-server 192.168.146.1 
 !

 policy group policy_1
   url-list "InternalWebServers"
   nbns-list "NBNSServers"
   functions file-access
   functions file-browse
   functions file-entry
   hide-url-bar
   citrix enabled
 default-group-policy policy_1
 gateway TekcertSSLVPNGW1
 max-users 2
 inservice
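
Because a self-signed trustpoint means browsers have no way to tell the real gateway from an impersonator, and because a few of the lines above (username with a plaintext password, ip http server left on, CIFS file functions granted to the whole policy group) are things a reviewer would want to catch before the box goes into production, here is an added configuration audit script. It is not code from this post or from Cisco; it parses the IOS running-config text shown above and reports findings. The sample configs embedded in it are constructed from the post's own lines, and the hardened variant uses placeholder names for the CA-issued trustpoint and the secret hash.

```python
"""Audit a Cisco IOS WebVPN configuration for common weaknesses.

Added example for this post (not code from the post or from Cisco). It parses
the indentation-based running-config into top-level sections and flags:
plaintext 'username ... password', 'ip http server' left on beside HTTPS,
a self-signed SSL trustpoint, a context missing 'ssl authenticate verify all'
or 'max-users', a dangling gateway reference, and CIFS file functions.
Nested children (policy group lines) are flattened under the context, which
is enough for these checks.
"""
import re
from typing import Dict, List

# Constructed sample: the post's gateway/context blocks plus its username
# and 'ip http' lines, trimmed to what the checks look at.
SAMPLE_CONFIG = """\
username tekcert privilege 15 password cisco
ip http server
ip http secure-server
webvpn gateway TekcertSSLVPNGW1
 hostname R1
 ip address 192.168.146.2 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-cert
 inservice
 !
webvpn context Context1
 ssl authenticate verify all
 policy group policy_1
   functions file-access
   hide-url-bar
 default-group-policy policy_1
 gateway TekcertSSLVPNGW1
 max-users 2
 inservice
"""

# Constructed hardened variant: 'secret' instead of 'password', no plain-HTTP
# listener, a CA-issued trustpoint (placeholder name), no file functions.
HARDENED_CONFIG = """\
username tekcert privilege 15 secret 5 $PLACEHOLDER-HASH$
ip http secure-server
webvpn gateway GW1
 ip address 192.168.146.2 port 443
 ssl trustpoint CA-ISSUED-TRUSTPOINT
 inservice
webvpn context C1
 ssl authenticate verify all
 policy group p1
   hide-url-bar
 default-group-policy p1
 gateway GW1
 max-users 2
 inservice
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each unindented line to the stripped indented lines beneath it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":      # blank lines and IOS '!' separators
            continue
        if raw[0] not in " \t":
            current = text
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(text)
    return sections


def audit_webvpn(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    sections = parse_sections(config)
    findings: List[str] = []
    gateways = {k.split()[2] for k in sections if k.startswith("webvpn gateway ")}

    for line in sections:
        if line.startswith("username ") and " secret " not in line:
            user = line.split()[1]
            if re.search(r" password 7 \S+$", line):
                findings.append(f"{user}: type 7 password is reversible; use 'secret'")
            elif re.search(r" password (?:0 )?\S+$", line):
                findings.append(f"{user}: plaintext password; use 'username ... secret'")
        elif line == "ip http server":
            findings.append("ip http server: plain-HTTP management listener enabled")

    for name, body in sections.items():
        if name.startswith("webvpn gateway "):
            gw = name.split()[2]
            tp = next((b.split()[2] for b in body if b.startswith("ssl trustpoint ")), None)
            if tp is None:
                findings.append(f"gateway {gw}: no ssl trustpoint configured")
            elif tp.startswith("TP-self-signed"):
                findings.append(f"gateway {gw}: self-signed trustpoint {tp}; clients cannot verify the gateway identity")
        elif name.startswith("webvpn context "):
            ctx = name.split()[2]
            if "ssl authenticate verify all" not in body:
                findings.append(f"context {ctx}: 'ssl authenticate verify all' missing")
            if not any(b.startswith("max-users ") for b in body):
                findings.append(f"context {ctx}: no max-users limit")
            ref = next((b.split()[1] for b in body if b.startswith("gateway ")), None)
            if ref is None or ref not in gateways:
                findings.append(f"context {ctx}: gateway reference {ref!r} is missing or undefined")
            if any(b.startswith("functions file-") for b in body):
                findings.append(f"context {ctx}: CIFS file functions enabled; limit them to the users who need them")
    return findings


if __name__ == "__main__":
    for finding in audit_webvpn(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the post's configuration it reports four findings (plaintext password, plain-HTTP listener, self-signed trustpoint, CIFS functions); against the hardened variant it reports none. Feed it the output of show running-config to audit a real router.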

Once this is configured, you can test it by opening a browser and going to the IP address configured in the gateway. The following two pictures show the pre-login page and the post-login page.

[Figure: IOS_SSLVPN_Login (pre-login and post-login pages)]

You can also check webvpn status with a few commands. Here are some examples:

R1#show webvpn gateway 

Gateway Name                       Admin  Operation
------------                       -----  ---------
TekcertSSLVPNGW1                   up     up  


R1#
R1#show webvpn session context all
WebVPN context name: Context1
Client_Login_Name  Client_IP_Address  No_of_Connections  Created  Last_Used
tekcert            192.168.146.1              2         00:17:17  00:17:10  

R1#
R1#show webvpn stat
User session statistics:
    Active user sessions     : 1          AAA pending reqs         : 0         
    Peak user sessions       : 1          Peak time                : 01:21:15
    Active user TCP conns    : 1          Terminated user sessions : 1         
    Session alloc failures   : 0          Authentication failures  : 0         
    VPN session timeout      : 0          VPN idle timeout         : 0         
    User cleared VPN sessions: 0          Exceeded ctx user limit  : 0         
    Exceeded total user limit: 0         
    Client process rcvd pkts : 84         Server process rcvd pkts : 0         
    Client process sent pkts : 736        Server process sent pkts : 0         
    Client CEF received pkts : 96         Server CEF received pkts : 0         
    Client CEF rcv punt pkts : 0          Server CEF rcv punt pkts : 0         
    Client CEF sent pkts     : 0          Server CEF sent pkts     : 0         
    Client CEF sent punt pkts: 0          Server CEF sent punt pkts: 0         

    SSLVPN appl bufs inuse   : 0          SSLVPN eng  bufs inuse   : 0         
    Active server TCP conns  : 0         
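
The show output above is also what you would poll for monitoring: a rising Authentication failures counter, sessions piling up against the max-users limit, or a login from an address you do not expect are the things worth an alert. Here is an added parser and check for that output. It is not code from this post or from Cisco; the two sample texts are constructed from the post's own output, with Authentication failures raised from 0 to 7 so that the check fires, and the expected client prefix 192.168.146. is an assumption taken from the lab addressing.

```python
"""Parse 'show webvpn stat' and 'show webvpn session context all' output into
counters and session records, then apply simple monitoring checks.

Added example for this post (not code from the post or from Cisco). The
'stat' output carries two 'Name : value' columns per line; the regex below
picks up each pair in turn, which is why values like '01:21:15' survive.
"""
import re
from typing import Dict, List, Union

# Constructed sample from the post's output; 'Authentication failures'
# raised from 0 to 7 so the check below has something to report.
STAT_OUTPUT = """\
User session statistics:
    Active user sessions     : 1          AAA pending reqs         : 0
    Peak user sessions       : 1          Peak time                : 01:21:15
    Active user TCP conns    : 1          Terminated user sessions : 1
    Session alloc failures   : 0          Authentication failures  : 7
    User cleared VPN sessions: 0          Exceeded ctx user limit  : 0
    Exceeded total user limit: 0
"""

# Constructed sample session table in the post's layout.
SESSION_OUTPUT = """\
WebVPN context name: Context1
Client_Login_Name  Client_IP_Address  No_of_Connections  Created  Last_Used
tekcert            192.168.146.1              2         00:17:17  00:17:10
"""

# A counter name (no colon inside it), the separating colon, one value token.
PAIR_RE = re.compile(r"(\S[^:]*?)\s*:\s*(\S+)")


def parse_stat(text: str) -> Dict[str, Union[int, str]]:
    """Return {counter name: int or raw string} from 'show webvpn stat'."""
    counters: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        for name, value in PAIR_RE.findall(line):
            counters[name.strip()] = int(value) if value.isdigit() else value
    return counters


def parse_sessions(text: str) -> List[Dict[str, object]]:
    """Return one record per session row from 'show webvpn session context all'."""
    sessions: List[Dict[str, object]] = []
    context = None
    for line in text.splitlines():
        m = re.match(r"WebVPN context name:\s*(\S+)", line)
        if m:
            context = m.group(1)
            continue
        fields = line.split()
        if len(fields) == 5 and fields[0] != "Client_Login_Name":
            sessions.append({"context": context, "user": fields[0],
                             "ip": fields[1], "connections": int(fields[2]),
                             "created": fields[3], "last_used": fields[4]})
    return sessions


def check(counters: Dict[str, Union[int, str]], sessions: List[Dict[str, object]],
          max_users: int, auth_fail_threshold: int = 5,
          expected_prefix: str = "192.168.146.") -> List[str]:
    """Return alert strings; thresholds and the client prefix are assumptions."""
    alerts: List[str] = []
    fails = counters.get("Authentication failures", 0)
    if isinstance(fails, int) and fails >= auth_fail_threshold:
        alerts.append(f"{fails} authentication failures (threshold {auth_fail_threshold})")
    active = counters.get("Active user sessions", 0)
    if isinstance(active, int) and active >= max_users:
        alerts.append(f"{active} active sessions at the max-users limit of {max_users}")
    for key in ("Exceeded ctx user limit", "Exceeded total user limit"):
        if counters.get(key, 0):
            alerts.append(f"{key}: {counters[key]} logins refused for capacity")
    for s in sessions:
        if not str(s["ip"]).startswith(expected_prefix):
            alerts.append(f"session for {s['user']} from unexpected address {s['ip']}")
    return alerts


if __name__ == "__main__":
    counters = parse_stat(STAT_OUTPUT)
    sessions = parse_sessions(SESSION_OUTPUT)
    for alert in check(counters, sessions, max_users=2):
        print("ALERT:", alert)
```

On the sample text this yields a single alert for the seven authentication failures; with the post's real counters (all zero) it stays quiet. Pass the context's max-users value so the capacity check matches the router.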

For additional information on configuring SSL VPNs, check out this doc at Cisco.com.

If you have any questions, feel free to ask by posting a comment below or posting it in the forums. Hope this helps!


Comments


https

Hello,

I want to ask you: add at least one https to your bookmarks and try to open it. Please let me know your results.

Thanks,

IOS vs. ASA

Can this same configuration be applied to the ASA?


No, though configuration

No, though configuration logic is pretty much the same.

The problem with adding HTTPS

The problem with adding HTTPS web sites through WebVPN is that HTTPS certificates work on DNS name resolution.

When adding a URL to a WebVPN context list, it mangles it, so when you try and browse to this URL, the certificate chain is, in effect, broken.

I'm having the same trouble and cannot seem to find a way around it at the minute.


thanks for your reply. i have

Thanks for your reply. I have lost my hope already with this IOS SSL VPN. Still, if by any chance you find any workaround, let me know please.
