AnyConnect prompts "Security Warning: Untrusted VPN Server Certificate!"

This warning appears because the certificate the router presents is self-signed and its subject name does not match the address the client connects to: the default IOS self-signed certificate carries a CN of the form IOS-Self-Signed-Certificate-<number> (the blob below decodes to IOS-Self-Signed-Certificate-1912418099) rather than the router's IP address or hostname. Regenerate the certificate with a subject name equal to the address users enter in AnyConnect, then on the next connection tick "Always trust this VPN server and import the certificate"; after that the warning no longer appears.

In the output of show run, locate the existing self-signed certificate (the hex blob as reproduced here is cut off partway through the public key):

!
crypto pki certificate chain TP-self-signed-19124
certificate self-signed 05
3082022B 30820194 A0030201 02020105 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393132 34313830 3939301E 170D3135 30333034 30343436
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39313234
31383039 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C046 F965E4EA 7FD19E5A D31727B9 AD93DA9A EF138758 F65A9AD1 18114FE4
A1AD404D CBB200C4 5232DCA4 892F6822 C9C9C830 41AFF407 1D4457BD 039EB24E 

Remove the original trustpoint (this also deletes its self-signed certificate):

router-name(config)#no crypto pki trustpoint TP-self-signed-19124
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

Generate the new certificate. The transcript below creates a 1024-bit exportable key, as the author did; on current software use modulus 2048 or larger, and omit exportable unless the private key genuinely needs to leave the router, because an exportable key can be copied off the device by anyone with privileged access:

router-name(config)#crypto key generate rsa general-keys label router-name modulus 1024 exportable
The name for the keys will be: router-name

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)

router-name(config)#crypto pki trustpoint router-name
router-name(ca-trustpoint)#enrollment selfsigned

router-name(ca-trustpoint)#rsakeypair router-name

router-name(ca-trustpoint)#subject-name 1.2.3.4
"1.2.3.4" is not a valid subject name
The subject name must be in X.500 (LDAP) format

router-name(ca-trustpoint)#subject-name cn=1.2.3.4
router-name(ca-trustpoint)#exit

router-name(config)#crypto pki enroll router-name
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

router-name(config)#exit

router-name#conf t
router-name(config)#webvpn gateway VPNGW
router-name(config-webvpn-gateway)#ssl trustpoint router-name
router-name(config-webvpn-gateway)#exit
router-name(config)#exit

View the newly generated certificate (check that the Subject carries the cn you configured):

router-name#sh crypto pki certificates router-name
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 06
Certificate Usage: General Purpose
Issuer:
hostname=router-name.yourdomain.com
cn=1.2.3.4
Subject:
Name: router-name.yourdomain.com
hostname=router-name.yourdomain.com
cn=1.2.3.4
Validity Date:
start date: 02:16:57 UTC Mar 9 2015
end date: 00:00:00 UTC Jan 1 2020
Associated Trustpoints: router-name
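The hex blob that show run prints is plain DER, so the subject CN, signature algorithm, validity and key size can be read straight out of it without loading it into anything. The following Python script is an added example, not part of the original post: it decodes the blob reproduced above (the page's copy stops inside the RSA modulus, but every field the script reads comes before that point) and checks whether any subject CN equals the address users enter in AnyConnect. The helper names (read_tlv, oid_at, name_at, time_at, decode_ios_cert, subject_matches) are this example's own, and only the standard library is used.

```python
import binascii
from datetime import datetime, timezone

# The eight hex lines copied from the page's 'show run' output (the input for this example).
# The page's blob stops inside the RSA modulus; every field decoded below comes before that.
IOS_CERT_HEX = """
3082022B 30820194 A0030201 02020105 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393132 34313830 3939301E 170D3135 30333034 30343436
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39313234
31383039 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C046 F965E4EA 7FD19E5A D31727B9 AD93DA9A EF138758 F65A9AD1 18114FE4
A1AD404D CBB200C4 5232DCA4 892F6822 C9C9C830 41AFF407 1D4457BD 039EB24E
"""

OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.9.2": "hostname",  # unstructuredName; IOS prints it as hostname=
    "2.5.4.3": "cn",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def oid_at(buf, pos):
    """Decode the OBJECT IDENTIFIER element at buf[pos] into dotted form."""
    _, s, e = read_tlv(buf, pos)
    arcs, value = [buf[s] // 40, buf[s] % 40], 0   # first byte packs the first two arcs
    for b in buf[s + 1:e]:
        value = (value << 7) | (b & 0x7F)          # base-128 digits, high bit = continue
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def name_at(buf, start, end):
    """Name ::= SEQUENCE OF SET OF { type OID, value }; returns [(attr, value), ...]."""
    parts, pos = [], start
    while pos < end:
        _, set_s, pos = read_tlv(buf, pos)         # RelativeDistinguishedName (SET)
        _, atv_s, _ = read_tlv(buf, set_s)         # AttributeTypeAndValue (SEQUENCE)
        oid = oid_at(buf, atv_s)
        _, val_s, val_e = read_tlv(buf, read_tlv(buf, atv_s)[2])  # value follows the OID
        parts.append((OID_NAMES.get(oid, oid), buf[val_s:val_e].decode("ascii", "replace")))
    return parts

def time_at(buf, pos):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...); returns (dt, end)."""
    tag, s, e = read_tlv(buf, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc), e

def decode_ios_cert(hex_text):
    """Parse the tbsCertificate prefix of an IOS certificate hex dump into a dict."""
    buf = binascii.unhexlify("".join(hex_text.split()))
    _, pos, _ = read_tlv(buf, 0)                   # Certificate SEQUENCE
    _, pos, _ = read_tlv(buf, pos)                 # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(buf, pos)
    if tag == 0xA0:                                # [0] EXPLICIT version, present for v3
        pos = end
    _, s, pos = read_tlv(buf, pos)                 # serialNumber
    serial = int.from_bytes(buf[s:pos], "big")
    _, s, pos = read_tlv(buf, pos)                 # signature AlgorithmIdentifier
    sig_alg = oid_at(buf, s)
    _, s, pos = read_tlv(buf, pos)                 # issuer Name
    issuer = name_at(buf, s, pos)
    _, s, pos = read_tlv(buf, pos)                 # validity { notBefore, notAfter }
    not_before, s = time_at(buf, s)
    not_after, _ = time_at(buf, s)
    _, s, pos = read_tlv(buf, pos)                 # subject Name
    subject = name_at(buf, s, pos)
    _, spki_s, _ = read_tlv(buf, pos)              # subjectPublicKeyInfo
    _, alg_s, alg_e = read_tlv(buf, spki_s)        # algorithm { OID, params }
    key_alg = oid_at(buf, alg_s)
    _, bits_s, _ = read_tlv(buf, alg_e)            # BIT STRING; first byte = unused-bit count
    _, rsa_s, _ = read_tlv(buf, bits_s + 1)        # RSAPublicKey SEQUENCE
    _, mod_s, mod_e = read_tlv(buf, rsa_s)         # modulus INTEGER: the header alone gives the size
    mod_len = mod_e - mod_s - (1 if buf[mod_s] == 0 else 0)   # drop the sign byte
    return {
        "serial": serial,
        "signature_algorithm": OID_NAMES.get(sig_alg, sig_alg),
        "issuer": issuer, "subject": subject,
        "not_before": not_before, "not_after": not_after,
        "key_algorithm": OID_NAMES.get(key_alg, key_alg), "key_bits": mod_len * 8,
    }

def subject_matches(info, connect_to):
    """True if some CN in the subject equals the address users type into AnyConnect."""
    return any(attr == "cn" and value == connect_to for attr, value in info["subject"])

if __name__ == "__main__":
    info = decode_ios_cert(IOS_CERT_HEX)
    print(info, "\nsubject CN matches 1.2.3.4:", subject_matches(info, "1.2.3.4"))
```

Run against the page's blob it reports serial 5, sha1WithRSAEncryption, a 1024-bit RSA key, validity 2015-03-04 to 2020-01-01 and a subject of cn=IOS-Self-Signed-Certificate-1912418099, so subject_matches(info, "1.2.3.4") is False: that is the mismatch AnyConnect is warning about. After regenerating, paste the new blob from show run and expect the cn you configured. Two caveats: the script only inspects the subject, whereas strict validators look for an IP address in the subjectAltName iPAddress entry rather than in the CN; and a SHA-1 signature with a 1024-bit key is below the current minimums (SHA-256, 2048-bit RSA) that TLS clients expect.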
Time: 2024-10-17 15:13:13
