AnyConnect reports "Security Warning: Untrusted VPN Server Certificate!"
This connection warning appears because the subject-name field of the CA certificate on the router does not match the router's IP address. Regenerate the CA certificate with a subject name that matches, then, when connecting to the VPN, tick the option "always trust the VPN server and import the certificate"; on subsequent connections the security warning no longer appears.
Run show run and locate the following:
!
crypto pki certificate chain TP-self-signed-19124
 certificate self-signed 05
  3082022B 30820194 A0030201 02020105 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31393132 34313830 3939301E 170D3135 30333034 30343436
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39313234
  31383039 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C046 F965E4EA 7FD19E5A D31727B9 AD93DA9A EF138758 F65A9AD1 18114FE4
  A1AD404D CBB200C4 5232DCA4 892F6822 C9C9C830 41AFF407 1D4457BD 039EB24E
Remove the original certificate:
router-name(config)#no crypto pki trustpoint TP-self-signed-19124
% Removing an enrolled trustpoint will destroy all certificates received from the related Certificate Authority.
Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
Generate a new certificate:
router-name(config)#crypto key generate rsa general-keys label router-name modulus 1024 exportable
The name for the keys will be: router-name
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)
router-name(config)#crypto pki trustpoint router-name
router-name(ca-trustpoint)#en
router-name(ca-trustpoint)#enrollment sel
router-name(ca-trustpoint)#enrollment selfsigned
router-name(ca-trustpoint)#rsakeypair router-name
router-name(ca-trustpoint)#subject-name 1.2.3.4
"1.2.3.4" is not a valid subject name
The subject name must be in X.500 (LDAP) format
router-name(ca-trustpoint)#subject-name cn=1.2.3.4
router-name(ca-trustpoint)#exit
router-name(config)#crypto pki enroll router-name
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
router-name(config)#exit
router-name#conf t
router-name(config)#webvpn gateway VPNGW
router-name(config-webvpn-gateway)#ssl trustpoint router-name
router-name(config-webvpn-gateway)#exit
router-name(config)#exit
View the newly generated certificate:
router-name#sh crypto pki certificates router-name
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 06
  Certificate Usage: General Purpose
  Issuer:
    hostname=router-name.yourdomain.com
    cn=1.2.3.4
  Subject:
    Name: router-name.yourdomain.com
    hostname=router-name.yourdomain.com
    cn=1.2.3.4
  Validity Date:
    start date: 02:16:57 UTC Mar 9 2015
    end date:   00:00:00 UTC Jan 1 2020
  Associated Trustpoints: router-name
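The following is an added example, not code from the original post or from Cisco: a small Python model of the identity check a TLS/VPN client performs on a server certificate, which is what produced the warning above. The "before" certificate uses the CN "IOS-Self-Signed-Certificate-1912418099" (decoded from the DER hex dump in the show run output); the "after" certificate uses the CN "1.2.3.4" set with subject-name cn=1.2.3.4. The matching rules are an outline of RFC 6125 / RFC 2818 (a subjectAltName, when present, takes precedence over the CN, so a client that honours SANs would still reject a CN-only IP match if the certificate carried any SAN); the CertIdentity fields, the warning strings, and the hostnames are constructed for illustration.

```python
"""Model of a client's server-identity check for a VPN/TLS certificate.

Added example for this page, not the router's or AnyConnect's own code.
The "before" CN below is decoded from the page's certificate hex dump; the
"after" CN is the subject-name the page configures. Everything else is a
constructed illustration of RFC 6125-style name matching.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Identity fields a client extracts from a server certificate (constructed)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress SAN entries
    self_signed: bool = True


def _is_ip_literal(host: str) -> bool:
    """True if the string parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match allowing a single leftmost-label wildcard."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the whole leftmost label, must not cover a bare TLD
    # (at least two labels after it), and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(cert: CertIdentity, connected_host: str) -> bool:
    """True if the certificate names the host the client actually dialled."""
    has_san = bool(cert.san_dns or cert.san_ip)
    if _is_ip_literal(connected_host):
        target = ipaddress.ip_address(connected_host)
        if has_san:
            # With any SAN present the CN is ignored: only an iPAddress SAN counts.
            return any(ipaddress.ip_address(ip) == target for ip in cert.san_ip)
        # No SAN at all: legacy fallback compares the CN textually, which is
        # what the router re-enrolment on this page relies on.
        return (cert.subject_cn is not None and _is_ip_literal(cert.subject_cn)
                and ipaddress.ip_address(cert.subject_cn) == target)
    if has_san:
        return any(_dns_match(p, connected_host) for p in cert.san_dns)
    return cert.subject_cn is not None and _dns_match(cert.subject_cn, connected_host)


def warnings_for(cert: CertIdentity, connected_host: str, trusted: bool) -> List[str]:
    """Reasons a client would raise a certificate warning, in display order.

    `trusted` models the user having imported the self-signed certificate
    via "always trust the VPN server and import the certificate".
    """
    reasons = []
    if cert.self_signed and not trusted:
        reasons.append("issuer not trusted (self-signed, not imported)")
    if not identity_matches(cert, connected_host):
        reasons.append("name mismatch")
    return reasons


if __name__ == "__main__":
    # Default IOS self-signed certificate; CN decoded from the page's hex dump.
    before = CertIdentity(subject_cn="IOS-Self-Signed-Certificate-1912418099")
    # Certificate after "subject-name cn=1.2.3.4" and re-enrolment.
    after = CertIdentity(subject_cn="1.2.3.4")
    for label, cert in (("before", before), ("after", after)):
        print(label, "not imported:", warnings_for(cert, "1.2.3.4", trusted=False))
        print(label, "imported:    ", warnings_for(cert, "1.2.3.4", trusted=True))
```

Run the block directly to see both halves of the page's fix: the subject-name change removes the name-mismatch reason, and importing the certificate removes the untrusted-issuer reason; only with both does the warning list come back empty. A client that applies the SAN rule (a CertIdentity with any san_dns or san_ip entry) ignores the CN entirely, which is the caveat to keep in mind for newer clients.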