Simplified Networking

SSLVPN - IOS SSLVPN with PKI Certificate

DNS(config)#crypto pki export PKI_SERVER pem terminal 
% The specified trustpoint is not enrolled (PKI_SERVER).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----



crypto key generate rsa label PKI modulus 1024
The name for the keys will be: PKI

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)


crypto pki trustpoint PKI_TP
 enrollment terminal
 fqdn vpn7.test.com
 subject-name cn=vpn7.test.com
 revocation-check none
 rsakeypair PKI


R7(config)#crypto pki authenticate PKI_TP

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
quit
Certificate has the following attributes:
       Fingerprint MD5: 3A933F8E 7660BA79 A32E36D5 C04134CD 
      Fingerprint SHA1: 318DA1D7 532825A6 55E4A9EB 8545BB67 1F0CE5A5 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

R7(config)#crypto pki enroll PKI_TP
% Start certificate enrollment .. 

% The subject name in the certificate will include: cn=vpn7.test.com
% The subject name in the certificate will include: vpn7.test.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no 
% Please answer 'yes' or 'no'.
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

MIIBlzCCAQACAQAwNjEWMBQGA1UEAxMNdnBuNy50ZXN0LmNvbTEcMBoGCSqGSIb3
DQEJAhYNdnBuNy50ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
ocauOhq4eXOT5B4be14lbWnn2N7pUKbxTwU6U7+KWfXocKFTNrui1n+GgaqF2LQW
M4ueddDLg9OStZwev7QDO2As69fzxXrnsJ3kOROnezZAfFmvQlT+QIK0199vVjgV
amy5NdyCbJVIJ3AW/tSMplKyVx36I9hHR2JP9p0EAQECAwEAAaAhMB8GCSqGSIb3
DQEJDjESMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GBAEMo5jWy
VPwOaN2sPH7rQ+EHnEkqFqrQQxI0LPIrq2Kq8amPM5gkOqUNensGOemsTNEO4DGa
dfn8skIyRwSsd0bcJ5MIPjUdkF8QONVpYR2sNPZYnPO6AcugaTt3Zfy0BCvWLCsd
msUR0uCF8569SOg/PAh+6F5lDJBZbig1sgdD

---End - This line not part of the certificate request---
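Two offline checks belong at this point of the workflow, and the following Python is an added example written for this page rather than code from the page or from Cisco: first, recompute the MD5/SHA1 fingerprints of the CA certificate that the CA exported with `crypto pki export ... pem terminal` and compare them with what `crypto pki authenticate PKI_TP` printed on R7, so the trustpoint is only accepted after an out-of-band match; second, decode the PKCS#10 request R7 printed above and confirm the subject CN and RSA modulus size before the CA grants it. The CSR is the one shown on the page; the CA PEM and the `authenticate` output are constructed placeholders (the PEM body is just base64 of the bytes `abc`, not a parseable certificate), and all function names are this example's own.

```python
"""Added example (not from the original page): two offline checks for the
IOS PKI workflow shown above.

1. Recompute the MD5/SHA1 fingerprints of the CA certificate exported with
   'crypto pki export ... pem terminal' and compare them with the values
   'crypto pki authenticate' displayed on the router.
2. Decode the PKCS#10 request 'crypto pki enroll' printed and confirm the
   subject CN and RSA modulus size before the CA grants it.

Standard library only. The DER walker is minimal (single-byte tags, definite
lengths), which covers the certificates and requests IOS emits.
"""
import base64
import hashlib
import re

# --- 1. Fingerprint verification -----------------------------------------

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes the fingerprint covers."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def ios_fingerprint(der: bytes, algo: str) -> str:
    """Hash DER bytes and format like IOS: uppercase hex in groups of eight."""
    digest = hashlib.new(algo.lower(), der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))

def parse_ios_fingerprints(output: str) -> dict:
    """Pull 'Fingerprint MD5:' / 'Fingerprint SHA1:' lines out of captured
    'crypto pki authenticate' output; values normalised to bare uppercase hex."""
    found = {}
    for algo, value in re.findall(r"Fingerprint (MD5|SHA1):\s*([0-9A-Fa-f ]+)", output):
        found[algo] = value.replace(" ", "").upper()
    return found

def verify_ca_fingerprints(ca_pem: str, authenticate_output: str) -> dict:
    """Return {algo: matched?} for every fingerprint the router displayed."""
    der = pem_to_der(ca_pem)
    shown = parse_ios_fingerprints(authenticate_output)
    return {algo: ios_fingerprint(der, algo).replace(" ", "") == value
            for algo, value in shown.items()}

# --- 2. PKCS#10 request inspection ---------------------------------------

OID_COMMON_NAME = b"\x55\x04\x03"   # 2.5.4.3 (id-at-commonName)

def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes) -> list:
    """Split the content of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def inspect_csr(b64_request: str) -> dict:
    """Return the subject CN and RSA modulus size (bits) of a base64 PKCS#10 request."""
    der = base64.b64decode("".join(b64_request.split()))
    _, csr, _ = read_tlv(der, 0)                        # CertificationRequest
    info = children(children(csr)[0][1])                # CertificationRequestInfo fields
    subject, spki = info[1][1], info[2][1]              # [version, subject, SPKI, attrs]
    cn = None
    for _, rdn in children(subject):                    # each RDN is a SET
        for _, atv in children(rdn):                    # AttributeTypeAndValue SEQUENCE
            oid, value = children(atv)
            if oid[1] == OID_COMMON_NAME:
                cn = value[1].decode("ascii")
    _, bit_string = children(spki)                      # AlgorithmIdentifier, BIT STRING
    rsa_public_key = children(children(bit_string[1][1:])[0][1])  # skip unused-bits byte
    modulus = int.from_bytes(rsa_public_key[0][1], "big")
    return {"cn": cn, "modulus_bits": modulus.bit_length()}

# --- Sample data ---------------------------------------------------------

# The PKCS#10 request R7 printed above (copied from the page).
R7_CSR = """
MIIBlzCCAQACAQAwNjEWMBQGA1UEAxMNdnBuNy50ZXN0LmNvbTEcMBoGCSqGSIb3
DQEJAhYNdnBuNy50ZXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
ocauOhq4eXOT5B4be14lbWnn2N7pUKbxTwU6U7+KWfXocKFTNrui1n+GgaqF2LQW
M4ueddDLg9OStZwev7QDO2As69fzxXrnsJ3kOROnezZAfFmvQlT+QIK0199vVjgV
amy5NdyCbJVIJ3AW/tSMplKyVx36I9hHR2JP9p0EAQECAwEAAaAhMB8GCSqGSIb3
DQEJDjESMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GBAEMo5jWy
VPwOaN2sPH7rQ+EHnEkqFqrQQxI0LPIrq2Kq8amPM5gkOqUNensGOemsTNEO4DGa
dfn8skIyRwSsd0bcJ5MIPjUdkF8QONVpYR2sNPZYnPO6AcugaTt3Zfy0BCvWLCsd
msUR0uCF8569SOg/PAh+6F5lDJBZbig1sgdD
"""

# Constructed placeholder PEM: the body is base64 of the bytes b"abc", not a
# real certificate; it only exercises the hashing and formatting path.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----"""

# Constructed 'crypto pki authenticate' output whose fingerprints were taken
# from the same placeholder bytes, so the check should report a match.
SAMPLE_AUTH_OUTPUT = """Certificate has the following attributes:
       Fingerprint MD5: 90015098 3CD24FB0 D6963F7D 28E17F72
      Fingerprint SHA1: A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
"""

if __name__ == "__main__":
    print(verify_ca_fingerprints(SAMPLE_CA_PEM, SAMPLE_AUTH_OUTPUT))
    print(inspect_csr(R7_CSR))
```

Run against the real CA PEM from `crypto pki export PKI_SERVER pem terminal` and the pasted `authenticate` output, any `False` in the first result means the certificate the router is about to trust is not the one the CA exported. The second check reports `cn=vpn7.test.com` and a 1024-bit modulus for the request above, matching the `subject-name` and `modulus 1024` configured on R7.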


DNS#crypto pki server PKI_SERVER request pkcs10 terminal base64 
PKCS10 request in base64 or pem

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.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quit
% Granted certificate: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Redisplay enrollment request? [yes/no]: no
R7(config)#cryp
R7(config)#crypto pki
R7(config)#crypto pki iimp
R7(config)#crypto pki imp 
R7(config)#crypto pki import PKI_TP cer
R7(config)#crypto pki import PKI_TP certificate 

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
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quit
% Router Certificate successfully imported

username cisco secret cisco123

webvpn gateway SSLVPN_GATEWAY
 hostname SSLVPN_GATEWAY
 ip interface GigabitEthernet0/0 port 8443
 http-redirect port 80
 ssl trustpoint PKI_TP
 inservice
 !
webvpn context SSLVPN_CONTEXT
 aaa authentication list SSLVPN
 gateway SSLVPN_GATEWAY
 user-profile location flash:vpn-profile
 !
 ssl authenticate verify all
 !
 inservice
 !
 policy group SSLVPN_CONTEXT_POLICY
 default-group-policy SSLVPN_CONTEXT_POLICY
Open a web browser, navigate to https://vpn7.test.com, and authenticate with the username and password configured above.

Once authenticated, the session output below shows that the connection was successful.


Username          : cisco                Num Connection : 2                   
Public IP         : 101.0.0.101          VRF Name       : None                
Context           : SSLVPN_CONTEXT       Policy Group   : SSLVPN_CONTEXT_POLIC
Last-Used         : 00:00:15             Created        : *02:47:57.281 UTC Wed Jan 13 2021
Session Timeout   : 3600                 Idle Timeout   : 7200                
Citrix            : Disabled             Citrix Filter  : None                
Url List          : R38_HTTP
Client Ports      : 49737 49738 