Cisco AnyConnect and using TLS v1.2
Hello
I run an AnyConnect VPN service that used SSLv3; after POODLE we moved to TLSv1, which worked well, but I have recently been informed that TLSv1 is also vulnerable to POODLE.
I upgraded the firewall (it is an ASA 5512) to the latest software version and enabled TLSv1.2, which stopped the VPN working: once it was activated, customers starting AnyConnect reported that they were behind a captive portal, even though there is certainly no captive portal. I get the same problem with TLSv1.1. How can I get this to work? I'm really stuck and not a Cisco expert.
Thank you very much
Hi James,
What versions of ASA and AnyConnect are you running? Only AnyConnect 4.x and ASA 9.3(2) support TLS 1.2.
http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...
Kind regards
Kanwal
Note: Please check if they are useful.
Tags: Cisco Security
Similar Questions
-
IPsec VPN with Cisco AnyConnect and 1921 ISR G2 router
Hello
Is it possible to establish a remote-access IPsec VPN using the Cisco AnyConnect client with a Cisco ISR G2 1921 router?
If someone has done it, please share a sample configuration, as I've been stuck on this topic since last week.
My Cisco rep recommended I not try AnyConnect on an ISR or ASR router, so I used an open-source client. I'm not saying that AnyConnect won't work, that is just the route I took on my project. I have a known-good working configuration for a 1921 with strongSwan as a client. It is IPsec with IKEv2, using certificates for authentication.
-
Cisco AnyConnect and Aladdin eToken
Hello
I want to authenticate clients on an ASA 5510 (8.4(2)) with a certificate on an Aladdin eToken.
If I connect with the browser (IE), everything works fine: the eToken software requests the certificate and the password, the client profile is downloaded, and the AnyConnect connection is established.
If I connect directly with the AnyConnect client (ver. 3.0.4235), no certificate is used and I get the error message "no valid certificate available for authentication".
The client is Win7, but the same problem occurs on Windows XP with full admin rights.
It seems that the AnyConnect client cannot find the certificate store.
Any idea?
Thank you.
It is not just with the Aladdin eToken; I have the same problem with a local certificate (.pfx) installed in the standard Microsoft certificate store.
Have you configured the XML profile section to reference the certificate?
-
Hi people
I have a question regarding AnyConnect and using 2 profiles on a single client.
I use AnyConnect SSL VPN to connect to several sites, each using certificates and username and password for authentication.
My problem is that when I have 2 certificates in my personal store for two different ASAs, I can't authenticate on one of the firewalls.
Each certificate is named differently, i.e. mycert-site1 and mycert-site2.
Has anyone come across this before?
Thanks to anyone who takes the time to answer
Hello
You have this option in a newer version of AnyConnect:
HTH,
Marcin
-
AnyConnect and clientless SSL VPN
Are there problems in running Cisco AnyConnect and clientless SSL VPN side by side?
I am currently looking into adding AnyConnect to an ASA that is currently set up to operate with clientless SSL VPN. The clientless system will not be removed. I don't know how to set it up; I wonder if someone has already set this up, or whether there is any problem with this setup?
Hi Daniel
It's a little complicated if you want granular authentication and authorization, but it works.
I'm running an ASA with IPsec, SSL client and clientless SSL.
Each of these VPNs uses username/one-time-password and certificate-based authentication.
The main challenge is to put in place its own structure of profiles, connection profiles, group policies and dynamic access policies.
Feel free to ask questions...
Stephan
-
AnyConnect and Cisco VPN clients using the same certificate
Can I use the same certificate on the ASA for the AnyConnect client and the Cisco VPN client (IKEv1/IKEv2)?
John.
The certificate identifies a user/machine rather than the protocol, so yes, generally you can use the same certificate for SSL/IKEv1/IKEv2 connections.
What you need to take care of is that the certificate fulfils the requirements of the protocol; for example, IKEv2 implementations 'require' that particular KU bits are set and that the client-auth/server-auth EKUs are defined on the certificates.
M.
-
Cisco ASA and AnyConnect VPN certificate error
Hello
I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:
I don't have a public certificate on the ASA. Is it possible to use the self-signed certificate and get rid of this warning message?
Hello
This is expected behavior on the ASA for an SSL connection. You can certainly use the self-signed certificate on the ASA and then apply it on the outside interface.
Once done, you will need to install this certificate on the clients, and this will get rid of the popup error message. Here is a document that you can refer to for creating a self-signed certificate:
https://supportforums.Cisco.com/document/44116/ASA-self-signed-certificate-WebVPN
Kind regards
Dinesh Moudgil
PS: Please rate the useful posts.
-
Setup for IPsec VPN with Cisco AnyConnect
So, I have had trouble setting up VPN on our ASA 5510. I would like to use IPsec VPN so that we don't have to worry about licensing issues, but from what I have read you can do that and still use Cisco AnyConnect. My knowledge of how to set up VPN, especially in version 8.4, is limited, so I've been using a combination of the command line and ASDM.
I am finally able to connect from a remote location, but once I log in, nothing else works. From what I've read, you can use IPsec for client-to-LAN connections. I use a pre-shared key for this. Documentation is limited on what should happen after you have connected. Shouldn't the computers on the VPN connection be able to access the local network? I'm trying to get this to work. If I VPN in from home, shouldn't I be able to access all of the resources at work? I think that because I used both the command line and ASDM I have confused some of the configuration. In addition, I think some of the default policies are confusing me too. So I probably need a lot of help. Here is my current setup, with the IP addresses changed and other things that are not related to VPN deleted.
NOTE: We are still testing this ASA and it is not in production.
Any help you can give me is greatly appreciated.
ASA Version 8.4(2)
!
hostname ASA
domain-name domain.com
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 50.1.1.225 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
!
same-security-traffic permit intra-interface
!
object network NETWORK_OBJ_192.168.0.224_27
 subnet 192.168.0.224 255.255.255.224
!
object-group service VPN
 service-object esp
 service-object tcp destination eq ssh
 service-object tcp destination eq https
 service-object udp destination eq 443
 service-object udp destination eq isakmp
!
access-list ip extended permit ip any any
!
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
!
object network LAN
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ASA
 crl configure
crypto ca server
 shutdown
crypto ca certificate chain ASDM_TrustPoint0
 certificate d2c18c4e
    864886f7 0d06092a c18c4e30 308201f3 3082015c a0030201 d 020204 2 0d 010105
    0500303e 3110300e 06035504 03130741 53413535 3130312a 2 a 864886 30280609
    02161b 41 53413535 31302e64 69676974 616c 6578 7472656d 65732e63 f70d0109
    3131 31303036 31393133 31365a 17 323131 30303331 39313331 0d 170d 6f6d301e
    365a303e 3110300e 06035504 03130741 53413535 3130312a 2 a 864886 30280609
    02161b 41 53413535 31302e64 69676974 616c 6578 7472656d 65732e63 f70d0109
    6f6d3081 9f300d06 092 has 8648 86f70d01 01010500 03818d b 30818902-00-818100-2
    8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
    37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
    234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c 51782
    3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
    03010001 300 d 0609 2a 864886 f70d0101 05050003 8181009d d2d4228d 381112a 1
    cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
    18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
    beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
    af72e31f a1c4a892 d0acc618 888b53d1 9b 888669 70e398
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 10
console timeout 0
management-access inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
 anyconnect profiles VPN disk0:/devpn.xml
 anyconnect enable
 tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
 wins-server value 50.1.1.17 50.1.1.18
 dns-server value 50.1.1.17 50.1.1.18
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 default-domain value digitalextremes.com
 webvpn
  anyconnect profiles value VPN type user
  always-on-vpn profile-setting
username administrator password xxxxxxxxx encrypted privilege 15
username VPN1 password xxxxxxxxx encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool (inside) VPNPool
 address-pool VPNPool
 authentication-server-group LOCAL
 default-group-policy VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
tunnel-group VPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map ips
 match access-list ip
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
 class ips
  ips inline fail-open
 class class-default
  user-statistics accounting
I would recommend buying AnyConnect Essentials. The cost of the license is nominal: list price US $150 for the 5510 (part number L-ASA-AC-E-5510=).
Meanwhile you can use the legacy Cisco VPN client with IKEv1 IPsec remote-access VPN using *.pcf profiles.
I believe you can also use the AnyConnect client with SSL or DTLS transport for remote access (non-IPsec) without having to buy the AnyConnect Essentials license for your ASA.
As an aside, note that if you want to use AnyConnect Mobile (e.g. for iPhone, iPad, Android, BlackBerry etc. clients) you will also need the additional license for it (L-ASA-AC-M-5510=, also priced at US $150).
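The posted configuration above and the TLS question at the top of the page both come down to the same review: which legacy ciphers and DH groups the ASA still negotiates, and whether the SSL/TLS floor has been raised. The following is an added example, not code from Cisco or from any poster in this thread: a small Python audit that walks an ASA running-config excerpt and flags single DES, 3DES, MD5, DH groups 1/2/5 and an "ssl server-version" setting below TLS 1.2 (the command exists on ASA 9.3(2) and later; on older software the line is simply absent and the check reports that). Both config snippets are constructed: the weak one mirrors settings in the config above, and the hardened one assumes the group14, sha256 and tlsv1.2 keywords are available on the platform.

```python
# Added example: audit an ASA running-config excerpt for weak VPN crypto and
# the SSL/TLS version floor. Not Cisco's code and not the poster's own config.
from typing import List, Tuple

Finding = Tuple[int, str]  # (1-based config line number, description)

# Flagged: single DES, 3DES and MD5; DH groups below 2048 bits; and an
# "ssl server-version" floor below TLS 1.2 (SSLv3 and TLS 1.0 are the
# POODLE-exposed versions the question at the top of the page is about).
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2", "5", "group1", "group2", "group5"}

# Constructed excerpt mirroring the weak settings in the posted config,
# plus an "ssl server-version" line so the TLS check has input.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto ikev2 policy 1
 encryption aes-256
 group 5 2
crypto ikev1 policy 10
 encryption 3des
 group 2
ssl server-version tlsv1
"""

# Constructed hardened counterpart (assumes the ASA 9.x keywords group14,
# sha256 and tlsv1.2 exist on the platform being audited).
HARDENED_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group14
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
ssl server-version tlsv1.2
"""


def _weak(found: List[str], table: set) -> str:
    """Comma-joined weak keywords present in `found`, or '' if none."""
    return ", ".join(sorted(table.intersection(found)))


def audit_asa_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    ctx: List[str] = []             # tokens of the enclosing top-level command
    ssl_line, ssl_versions = 0, []  # position and keywords of "ssl server-version"
    for num, raw in enumerate(config.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        tok = raw.strip().lower().split()
        if not raw[0].isspace():    # unindented line: a new top-level command
            ctx = tok
            if tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
                w = _weak(tok[5:], WEAK_ESP)
                if w:
                    findings.append((num, f"IKEv1 transform-set {tok[4]} uses {w}"))
            elif tok[:2] in (["crypto", "map"], ["crypto", "dynamic-map"]) and "pfs" in tok:
                i = tok.index("pfs")
                grp = tok[i + 1] if i + 1 < len(tok) else "group2"  # ASA default if omitted
                if grp in WEAK_DH:
                    findings.append((num, f"PFS uses {grp} (below 2048-bit modp)"))
            elif tok[:2] == ["ssl", "server-version"]:
                ssl_line, ssl_versions = num, tok[2:]
            continue
        if not ctx:                 # indented line without a parent command
            continue
        if ctx[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"] and len(ctx) > 4:
            if tok[:3] == ["protocol", "esp", "encryption"] and _weak(tok[3:], WEAK_ENC):
                findings.append((num, f"IKEv2 proposal {ctx[4]} allows {_weak(tok[3:], WEAK_ENC)} encryption"))
            elif tok[:3] == ["protocol", "esp", "integrity"] and _weak(tok[3:], WEAK_HASH):
                findings.append((num, f"IKEv2 proposal {ctx[4]} allows {_weak(tok[3:], WEAK_HASH)} integrity"))
        elif len(ctx) >= 4 and ctx[0] == "crypto" and ctx[1] in ("ikev1", "ikev2") and ctx[2] == "policy":
            who = f"{ctx[1].upper()} policy {ctx[3]}"
            if tok[0] == "encryption" and _weak(tok[1:], WEAK_ENC):
                findings.append((num, f"{who} uses {_weak(tok[1:], WEAK_ENC)} encryption"))
            elif tok[0] in ("hash", "integrity", "prf") and _weak(tok[1:], WEAK_HASH):
                findings.append((num, f"{who} uses {_weak(tok[1:], WEAK_HASH)} {tok[0]}"))
            elif tok[0] == "group" and _weak(tok[1:], WEAK_DH):
                findings.append((num, f"{who} allows DH group(s) {_weak(tok[1:], WEAK_DH)}"))
    # TLS floor: without an "ssl server-version" line the ASA accepts any version.
    if not ssl_versions:
        findings.append((0, "no 'ssl server-version' line: SSLv3/TLS 1.0 still accepted"))
    elif ssl_versions != ["tlsv1.2"]:
        findings.append((ssl_line, f"ssl server-version {' '.join(ssl_versions)}: floor below TLS 1.2"))
    return findings


if __name__ == "__main__":
    for line, msg in audit_asa_config(SAMPLE_CONFIG):
        print(f"line {line}: {msg}")
    print("hardened:", audit_asa_config(HARDENED_CONFIG) or "no findings")
```

Raising the floor with `ssl server-version tlsv1.2` is exactly the change that produces the "captive portal" symptom in the question above when the clients are still AnyConnect 3.x, so run the client inventory before applying that finding; the audit reports the gap, it does not decide the rollout order.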
-
Windows 7 and the location of Cisco AnyConnect
Hello world
Need to confirm whether Cisco AnyConnect VPN will work only if it is under
C:\ProgramData?
Will it work if it is under
C:\Program Files (x86)\Cisco
Regards
Mahesh
Parts of the application are in two locations by default, and trying to move them may cause instability.
-
OpenSSL with "Cisco VCS Certificate Creation and Use - Deployment Guide"
Hi team,
To prevent users from logging on with the VCS Expressway, we want to use OpenSSL (version 1.0.1p, 9 July 2015), but I am facing the following problem:
1 - I can't run the command "touch index.txt".
2 - I can't run the command "openssl genrsa -aes256 -out private/cakey.pem 4096"; when I apply these commands I get "OpenSSL is not recognized".
I did all the steps described in "Cisco VCS Certificate Creation and Use".
What could be the matter?
Thanks for your advice.
Kind regards
Bill
Already explained why touch does not work; simply create the .txt file through the Windows command line.
-
How to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead
We want to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. We used the following command:
SET JAVA_OPTION=-Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true
but SSL 2.0 is still used. Help, please.
Deepak, looking good so far.
Let us know if you need any other help. We encourage you to create a service request with Oracle.
See you soon,
-
Two-factor authentication to Cisco AnyConnect using certificates
I plan to configure two-factor authentication and intend to buy a Thawte certificate, but need help choosing which certificate I need to buy. Can I purchase a code-signing SSL certificate and use it for two-factor authentication? If not, what should I buy and what is the procedure?
Regards
NH
Hi, NH,
I see that you want two-factor authentication for clients who connect to your network using AAA + certificates on the head end.
I also see that you are looking to get the certificate signed by Thawte.
> In the two-factor authentication of your scenario, the client must present the username and password and a client certificate when connecting, to complete the authentication.
> You can get the client certificate signed by any public certificate authority (CA).
> Only a certificate whose Extended Key Usage extension contains the value "Client Authentication" can be used by the client during client certificate authentication.
> If the Extended Key Usage does not have "Client Authentication" as one of its values, then this certificate cannot be used for client certificate authentication.
> Now, once you get the client certificate and install it on the workstation, the head end may still fail to validate the client certificate during authentication, as the head end must have the root certificate of the client certificate installed in its certificate authority (CA) trust store.
Kind regards
Nouredine Sethi
-
Cisco AnyConnect license upgrade questions
Hi all
So, we currently have a pair of failover ASA 5515-X running at one of our sites. This serves as a VPN gateway for our users. I am migrating users from the old Cisco VPN client to the newest Cisco AnyConnect client. I have AnyConnect working and installed. Meanwhile, I discovered that to support TLS 1.1 using the AnyConnect client, you must use the most recent 4.0 AnyConnect client. To use this client, you must have a license called "AnyConnect Plus"; I think it was a recent change back in 2014. We currently have the AnyConnect Essentials license installed on the ASA pair. I discovered that not only is there a license upgrade available to upgrade the pair to AnyConnect Plus, but the AnyConnect Plus license is now a subscription. Boo Cisco. But that's another debate.
I went ahead and reluctantly bought the upgrade license to upgrade the pair to AnyConnect Plus. I am trying to understand, however, the effects of installing this license with respect to the current VPN functionality. Currently, we offer the following VPN options for our users:
RA IPsec (IKEv1 via the legacy client)
RA IPsec (L2TP via the Windows client)
SSL (AnyConnect 3.0)
We also use P2P IPsec tunneling (IKEv1 PSK) between two sites to serve as a backup link when our primary site-to-site link fails.
Does anyone know what the effect on the current VPN functionality would be when installing my upgrade license? Does it turn off the older IPsec IKEv1 feature? As I said, I want to migrate users to the newer platform but still need the oldest client to work until this can be done. I have this in my current setup:
webvpn
 anyconnect-essentials
What happens to this command when I apply the new license?
Appreciate any help here. Thank you.
Adding the new activation key and the 4.x client configuration will not affect IKEv1, L2TP or SSL VPN in any way. "anyconnect-essentials" remains an active and valid command.
It will give you the ability to activate the advanced security features that require the 4.x client.
-
HotSpot on iOS 9.3.1 does not work with Cisco AnyConnect
Does anyone else have this problem? Since the upgrade to iOS 9.3.1 I am no longer able to use the hotspot from my iPhone to connect to my company's VPN using Cisco AnyConnect. I can still connect via Wi-Fi, but not with the iPhone 5s or 6s hotspot feature.
Ideas?
TIA,
DM
Hello, I'm from Italy, and I have the same problem on my 64 GB iPhone 5.
I have updated to iOS 9.3.1 and now I don't have the Hotspot feature in the phone's settings menu.
What is happening? I work with this feature and now I need to change the phone!
-
ACLog.dll missing, killing Cisco AnyConnect Secure Mobility Client
I have used 'Cisco AnyConnect Secure Mobility Client' on Windows 7 for a year now with no problems.
It all started yesterday: when I try to connect I get this error message:
dialog title: vpnui.exe - System Error
message: "The program can't start because aclog.dll is missing from your computer. Try reinstalling the program to fix this problem."
So, of course, I tried to reinstall, but without success.
I keep reading that aclog.dll is a Windows system DLL.
Any idea how to solve this problem? I installed Visual Studio 2015 SP1 the other day and it looked like there were a few errors in the final dialog box. Could that be the issue?
Hello
Thank you for visiting Microsoft Community and for providing a detailed description of the issue.
I suggest you post your request in the TechNet forums to get the problem resolved.
Please visit the link below to post your query in the TechNet forums:
https://social.technet.Microsoft.com/forums/en-us/home?category=WindowsServer
Hope this information is useful. Please write back to us if you need more help; we will be happy to help you.