AnyConnect shows "Security Warning: Untrusted VPN Server Certificate!"

2015/03/09, cisco, 2580 words, about 8 minutes to read


This connection warning appears because the subject-name field of the certificate the router presents does not match the router's IP address. Remove the old certificate and generate a new one whose subject names the IP, then connect to the VPN with the option "Always trust this VPN server and import the certificate" ticked; that imports the router's self-signed certificate into the client's trust store, and later connections no longer raise the warning.
In the output of show run, locate the following:

!
crypto pki certificate chain TP-self-signed-19124
certificate self-signed 05
3082022B 30820194 A0030201 02020105 300D0609 2A864886 F70D0101 05050030 
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
69666963 6174652D 31393132 34313830 3939301E 170D3135 30333034 30343436 
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39313234 
31383039 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
8100C046 F965E4EA 7FD19E5A D31727B9 AD93DA9A EF138758 F65A9AD1 18114FE4 
A1AD404D CBB200C4 5232DCA4 892F6822 C9C9C830 41AFF407 1D4457BD 039EB24E 
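To see why the warning fires, it helps to look at what the old certificate actually says. The following Python script is an added example, not code from the original post: it decodes the DER hex that IOS stores under crypto pki certificate chain (the bytes are the truncated dump shown above; the parser clamps declared lengths, so the fields that precede the cut still decode), pulls out the serial number, issuer and subject CN, validity period and RSA key size, and then applies the check AnyConnect is effectively making, namely whether the subject CN equals the address the client dialled. It compares commonName only; a subjectAltName check would need the extensions, which lie past the truncated bytes. The address 1.2.3.4 is the placeholder the post itself uses.

```python
"""Decode the DER hex that IOS prints under `crypto pki certificate chain`.

Added example, not part of the original post. The dump below is the first
256 bytes of the post's certificate; the fields we need (serial, issuer,
validity, subject, key size) all precede the cut, and lengths are clamped
so the truncation is harmless.
"""
import re
from datetime import datetime

# Copied from the post's `show run` output (truncated after 256 bytes).
IOS_CERT_HEX = """
3082022B 30820194 A0030201 02020105 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393132 34313830 3939301E 170D3135 30333034 30343436
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39313234
31383039 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C046 F965E4EA 7FD19E5A D31727B9 AD93DA9A EF138758 F65A9AD1 18114FE4
A1AD404D CBB200C4 5232DCA4 892F6822 C9C9C830 41AFF407 1D4457BD 039EB24E
"""

OID_COMMON_NAME = bytes.fromhex("550403")   # id-at-commonName, 2.5.4.3


def hex_dump_to_der(dump: str) -> bytes:
    """Drop whitespace (and the trailing `quit` IOS prints) and return raw DER."""
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", dump))


def read_tlv(der: bytes, pos: int):
    """Decode one DER tag/length header at `pos`.

    Returns (tag, value_start, declared_length); callers clamp the end to
    len(der) so a truncated dump still yields its leading fields.
    """
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: 0x8n, then n length bytes
    return tag, pos + 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")


def children(der: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos, limit = start, min(end, len(der))
    while pos + 2 <= limit:
        tag, vstart, length = read_tlv(der, pos)
        vend = min(vstart + length, len(der))
        yield tag, vstart, vend
        pos = vend


def common_name(der: bytes, start: int, end: int):
    """Walk an X.501 Name (SEQUENCE of SET of {OID, value}) and return its CN."""
    for _, rdn_s, rdn_e in children(der, start, end):            # one RDN per SET
        for _, atv_s, atv_e in children(der, rdn_s, rdn_e):      # AttributeTypeAndValue
            (_, oid_s, oid_e), (_, val_s, val_e) = children(der, atv_s, atv_e)
            if der[oid_s:oid_e] == OID_COMMON_NAME:
                return der[val_s:val_e].decode("utf-8", "replace")  # Printable/UTF8String
    return None


def parse_time(der: bytes, tag: int, start: int, end: int) -> datetime:
    """UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt)


def parse_ios_certificate(dump: str) -> dict:
    der = hex_dump_to_der(dump)
    _, cert_s, _ = read_tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs_s, tbs_len = read_tlv(der, cert_s)           # tbsCertificate
    tbs = list(children(der, tbs_s, tbs_s + tbs_len))
    if tbs[0][0] == 0xA0:                               # [0] version is absent in v1 certs
        tbs = tbs[1:]
    serial, _sig_alg, issuer, validity, subject, spki = tbs[:6]

    not_before, not_after = [parse_time(der, t, s, e)
                             for t, s, e in children(der, validity[1], validity[2])]

    # SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> INTEGER modulus.
    _alg, bit_string = children(der, spki[1], spki[2])
    _, rsa_s, _ = read_tlv(der, bit_string[1] + 1)      # +1 skips the unused-bits octet
    _, mod_s, mod_len = read_tlv(der, rsa_s)            # declared length survives the cut
    key_bits = (mod_len - 1 if der[mod_s] == 0 else mod_len) * 8

    return {
        "serial": int.from_bytes(der[serial[1]:serial[2]], "big"),
        "issuer_cn": common_name(der, issuer[1], issuer[2]),
        "subject_cn": common_name(der, subject[1], subject[2]),
        "not_before": not_before,
        "not_after": not_after,
        "key_bits": key_bits,
    }


def subject_matches_address(info: dict, address: str) -> bool:
    """The check behind the warning: does the CN name the address the client dialled?"""
    return info["subject_cn"] == address


if __name__ == "__main__":
    info = parse_ios_certificate(IOS_CERT_HEX)
    for key, value in info.items():
        print(f"{key:>10}: {value}")
    # The post's placeholder address; the old certificate's CN can never match it.
    print("matches 1.2.3.4:", subject_matches_address(info, "1.2.3.4"))
```

Run as is, it reports subject_cn = IOS-Self-Signed-Certificate-1912418099 (the default name IOS gives its self-signed certificate), key_bits = 1024, and a match against 1.2.3.4 of False, which is exactly the mismatch behind the warning; run on the dump of the new certificate it should report the cn=1.2.3.4 that the procedure sets. The key size is worth reading too: a 1024-bit RSA key, which the modulus 1024 command in this post generates, is below the 2048-bit minimum generally recommended today.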
Remove the original certificate:

router-name(config)#no crypto pki trustpoint TP-self-signed-19124
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.
Generate a new certificate:

router-name(config)#crypto key generate rsa general-keys label router-name modulus 1024 exportable 
The name for the keys will be: router-name

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)

router-name(config)#crypto pki trustpoint router-name
router-name(ca-trustpoint)#enrollment selfsigned
router-name(ca-trustpoint)#rsakeypair router-name

router-name(ca-trustpoint)#subject-name 1.2.3.4
"1.2.3.4" is not a valid subject name
The subject name must be in X.500 (LDAP) format

router-name(ca-trustpoint)#subject-name cn=1.2.3.4
router-name(ca-trustpoint)#exit

router-name(config)#crypto pki enroll router-name
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

router-name(config)#exit

router-name#conf t
router-name(config)#webvpn gateway VPNGW
router-name(config-webvpn-gateway)#ssl trustpoint router-name
router-name(config-webvpn-gateway)#exit
router-name(config)#exit
View the newly generated certificate:

router-name#sh crypto pki certificates router-name
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 06
Certificate Usage: General Purpose
Issuer: 
hostname=router-name.yourdomain.com
cn=1.2.3.4
Subject:
Name: router-name.yourdomain.com
hostname=router-name.yourdomain.com
cn=1.2.3.4
Validity Date: 
start date: 02:16:57 UTC Mar 9 2015
end date: 00:00:00 UTC Jan 1 2020
Associated Trustpoints: router-name