I had a chance to configure a feature I have always wanted to try out but never got the chance: Cisco IP Phone VPN. This allows you to configure a phone to VPN over SSLVPN back to its home CUCM if you take it out to a foreign network. It is designed so you can take a phone out to an exec's site or something similar (of course, they will need PoE).
A few things to note:
- Only certain phone models are supported, so keep that in mind. The full list is in the Cisco URL I give below.
- You have to enable it BEFORE you take the phone out. The way it works is that when the phone registers to the CUCM it has to download a config file that tells it where to find the VPN settings; the user doesn't just enter them himself.
- I was lazy and did it using a username and password which the user had to enter into the phone, but this sucks because 1. the user has to enter an alphanumeric username/password on a phone keypad, 2. these users are pulled from your SSLVPN users and NOT your CUCM users, so you had best be syncing from an LDAP source, and 3. it's one more step to worry about. So don't do in production what I am doing here in a lab environment: use certificates to authenticate. If there is enough demand I will do a blog on how to auth via cert.
- Works on both an ASA and SSLVPN on a router, as far as I can tell.
OK, so first of all, here is the great tutorial from Cisco, but they are doing it on an ASA; we will be doing it on an ISR.
So the first thing is, of course, a working SSL VPN config. Mine looks something like this:
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05160-k9.pkg sequence 1
!
webvpn gateway SSLVPN
 ip interface Dialer1 port 443
 ssl trustpoint TP-self-signed-4216080960
!
! The original listing had the context header pasted twice (SSL_Gateway / SSL_gateway); only one context is needed.
webvpn context SSL_gateway
 ssl authenticate verify all
 !
 policy group default
   svc address-pool "VPN" netmask 255.255.255.0
   svc split include 172.21.1.0 255.255.255.0
   svc split include 10.0.0.0 255.255.255.0
This is not a tutorial on setting up SSLVPN; there are plenty of tutorials out there on the web for that, and just because we are using phones now, this piece does not really change. In fact, before you even begin to configure the SSLVPN on the actual phone, I recommend you test the SSLVPN as a normal user in Windows and check:
1. The user/pass you intend to use for the phone is able to log in
2. The SSL VPN actually works
3. You can ping the CUCM server once you're on the VPN
Once you're sure of all that, and you have tested thoroughly to ensure the SSLVPN is working fine, it's time to configure the phone.
Now, the key to all of this is that you MUST provision the phone BEFORE you hand it to the user. If you give the user the phone BEFORE you configure all of these settings on it, it will be too late: the phone has to register on the corporate network and download this config at least once before you can take it to a remote location and have it register.
The second thing is that you MUST install your SSLVPN certificate into the trust store on CUCM, which we will cover.
Log in to your CUCM, then navigate to the OS Administration page. From there, navigate to Security -> Certificate Management. Click on Upload Certificate, select "phone-VPN-Trust" from the dropdown as shown below, and upload the certificate from your SSLVPN. The easiest way to get a copy of it is to visit your SSLVPN in the web browser of your choice and download the certificate that way.
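One check worth automating at this step, as an added example that is not from the original post: fetch the certificate the gateway actually presents and print its fingerprint, so you can compare it against the trustpoint on the ISR (show crypto pki certificates) before uploading the PEM to phone-VPN-Trust. The gateway host name is a placeholder.

```python
"""Fetch the SSLVPN gateway's server certificate and report its fingerprint.

Added example, not from the original post. Assumes the gateway is reachable
on the placeholder host/port below and that you compare the printed
fingerprint against the ISR trustpoint out of band before uploading the PEM
to CUCM's phone-VPN-Trust store.
"""
import hashlib
import ssl
import sys


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest, the format CUCM and browsers show."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint of a PEM-encoded certificate (the hash is over the DER bytes)."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem), algo)


def fetch_gateway_cert(host: str, port: int = 443) -> str:
    """Return the leaf certificate the SSLVPN gateway presents, as PEM.

    No chain validation is done here on purpose: a self-signed trustpoint like
    the one in the ISR config above would fail validation anyway. Trust is
    established by comparing the fingerprint against the router, not by this fetch.
    """
    return ssl.get_server_certificate((host, port), timeout=10)


def save_gateway_cert(host: str, port: int, path: str) -> str:
    """Fetch the cert, write the PEM for upload to CUCM, return its SHA-256 fingerprint."""
    pem = fetch_gateway_cert(host, port)
    with open(path, "w") as fh:
        fh.write(pem)
    return pem_fingerprint(pem)


if __name__ == "__main__":
    # Placeholder host; replace with your SSLVPN gateway's DNS name.
    host = sys.argv[1] if len(sys.argv) > 1 else "sslvpn.example.com"
    fp = save_gateway_cert(host, 443, "sslvpn-gateway.pem")
    print(f"Wrote sslvpn-gateway.pem; SHA-256 fingerprint: {fp}")
```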
Once this is done, go back to your CUCM Administration page and go to Advanced Features -> VPN -> VPN Gateway. Here we can add a gateway, and if we have done everything right, the SSL certificate we uploaded previously should be listed in the dropdown.
For the URL, enter whatever URL your users use for their normal SSLVPN configuration.
Next, configure the VPN group under Advanced Settings -> VPN -> VPN Group. This is relatively straightforward; here you could specify multiple SSLVPN gateways if you were lucky enough to have multiple SSLVPNs.
The next stage is to specify the VPN profile; this is done under Advanced Settings -> VPN -> VPN Profile.
You can see this is also where we specify the authentication method. In my example I am using user/pass since that is the easiest, but later we will do one with certificates.
OK, almost there! The last step is to associate this VPN profile with a common phone profile. A common phone profile groups together settings common to a particular set of devices; there is a default one, "Standard Common Phone Profile", which you could just edit so that EVERY phone has the VPN configuration inserted and therefore anyone could take their phone home if they wanted. That is what I elected to do. Common phone profile configuration is found under:
Device -> Device Settings -> Common Phone Profile
As you can see I have selected the VPN Profile and VPN Group at the bottom.
Once this is done, reset your phone. We can now do quite a bit to verify whether the VPN settings have actually taken effect. Below are some screenshots.
On a 79XX series, go to Settings -> Security Configuration and scroll down to VPN Configuration; there you can obtain a lot of information about whether the VPN profile has successfully associated to the phone.
Once we plugged this phone into an external network, when the phone first booted I got the username/password prompt. After that was entered, the phone successfully registered!
I hope this helps someone out there.