Cisco Systems OL-24124-01 User Manual

Configuring Virtual Private Networks
The Cisco VPN Client for Cisco Unified IP Phones adds another option for customers attempting to solve the remote telecommuter problem by complementing other Cisco remote telecommuting offerings.
Easy to Deploy—All settings are configured via CUCM administration.
Easy to Use—After configuring the phone within the Enterprise, the user can take it home and plug it into their broadband router for instant connectivity, without any difficult menus to configure.
Easy to Manage—Phone can receive firmware updates and configuration changes remotely.
Secure—VPN tunnel only applies to voice and Cisco Unified IP Phone services. A PC connected to the PC port is responsible for authenticating and establishing its own tunnel with VPN client software.

Supported Devices

You can use Cisco Unified Reporting to determine which Cisco Unified IP Phones support the VPN client. From Cisco Unified Reporting, click Unified CM Phone Feature List. For the Feature, choose Virtual Private Network Client from the pull-down menu. The system displays a list of products that support the feature.
For more information about using Cisco Unified Reporting, see the Cisco Unified Reporting Administration Guide.

Configuring the VPN Feature

To configure the VPN feature for supported Cisco Unified IP Phones, follow the steps in the following table.
Note The IP Phone VPN requires both TCP and UDP port 443 enabled to successfully build the VPN tunnel.
OL-24124-01
Cisco Unified Communications Manager Security Guide
17-1
Table 17-1 VPN Configuration Checklist

Step 1  Set up the VPN concentrators for each VPN Gateway.
        Notes and Related Procedures: For configuration information, refer to the documentation for the VPN concentrator, such as the following:
        SSL VPN Client (SVC) on ASA with ASDM Configuration Example
        http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml
        Note The ASA software must be version 8.0.4 or later, and the “AnyConnect Cisco VPN Phone” license must be installed.
        Note To avoid long delays when the user upgrades the firmware or configuration information on a remote phone, Cisco recommends that you set up the VPN concentrator close in the network to the TFTP or Cisco Unified Communications Manager server. If this is not feasible in your network, you can set up an alternate TFTP or load server that is next to the VPN concentrator.
        SSL VPN Client (WebVPN) on IOS with SDM Configuration Example
        http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml
        Note The IOS software must be version 15.1(2)T or later. Feature Set/License: “Universal (Data & Security & UC)” for the 2900 models and “Advanced Security” for the 2800 models, with SSL VPN licenses activated.
        Note The recommendation above about placing the VPN concentrator close to the TFTP or Cisco Unified Communications Manager server (or an alternate TFTP or load server next to the concentrator) applies to the IOS concentrator as well.
Step 2  Upload the VPN concentrator certificates.
        Chapter 18, “Configuring a VPN Gateway”
Step 3  Configure the VPN Gateways.
        Chapter 18, “Configuring a VPN Gateway”
Step 4  Create a VPN Group using the VPN Gateways.
        Chapter 19, “Configuring a VPN Group”
Step 5  Configure the VPN Profile.
        Chapter 20, “Configuring a VPN Profile”
Step 6  Add the VPN Group and VPN Profile to a Common Phone Profile.
        In Cisco Unified Communications Manager Administration, choose Device > Device Settings > Common Phone Profile. For more information, see the “Common Phone Profile Configuration” chapter in the Cisco Unified Communications Manager Administration Guide.
        Note If you do not associate a VPN Profile with the Common Phone Profile, VPN uses the default settings defined in the VPN Feature Configuration window.
Step 7  Upgrade the firmware for Cisco Unified IP Phones to a version that supports VPN.
        To run the Cisco VPN client, a supported Cisco Unified IP Phone must be running firmware release 9.0(2) or higher. For more information about upgrading firmware, see the Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager for your Cisco Unified IP Phone model.
        Note Before you can upgrade to firmware release 9.0(2), supported Cisco Unified IP Phones must be running firmware release 8.4(4) or later.
Step 8  Using a supported Cisco Unified IP Phone, establish a VPN connection.
        For more information about configuring a Cisco Unified IP Phone and establishing a VPN connection, see the Cisco Unified IP Phone Administration Guide for Cisco Unified Communications Manager for your Cisco Unified IP Phone model.

IOS configuration requirements
Before you create an IOS configuration for the VPN client on an IP phone, complete the following steps:
Step 1 Install IOS Software version 15.1(2)T or later
Feature Set/License: Universal (Data & Security & UC) for IOS ISR-G2
Feature Set/License: Advanced Security for IOS ISR
Step 2 Activate the SSL VPN License

Configuring IOS for VPN client on IP phone

Perform the following steps to configure IOS for VPN client on IP phone.
Step 1 Configure IOS locally.
a. Configure the network interface.
Example:
router(config)# interface GigabitEthernet0/0
router(config-if)# description "outside interface"
router(config-if)# ip address 10.1.1.1 255.255.255.0
router(config-if)# duplex auto
router(config-if)# speed auto
router(config-if)# no shutdown
router# show ip interface brief (shows interfaces summary)
b. Configure static and default routes.
router(config)# ip route <dest_ip> <mask> <gateway_ip>
Example:
router(config)# ip route 10.10.10.0 255.255.255.0 192.168.1.1
Step 2 Generate and register the necessary certificates for Cisco Unified Communications Manager and IOS.
The following certificates need to be imported from the Cisco Unified Communications Manager:
CallManager - Authenticates the Cisco UCM during the TLS handshake (only required for mixed-mode clusters).
Cisco_Manufacturing_CA - Authenticates IP phones with a Manufacturer Installed Certificate (MIC).
CAPF - Authenticates IP phones with a Locally Significant Certificate (LSC).
To import these Cisco Unified Communications Manager certificates:
a. Open the Cisco Unified Communications Manager OS Administration web page.
b. Choose Security > Certificate Management. (Note: This location may change based on the UCM version.)
c. Find the certificates Cisco_Manufacturing_CA and CAPF. Download the .pem file and save it as a .txt file.
d. Create a trustpoint on the IOS router.
Example:
hostname(config)# crypto pki trustpoint trustpoint_name
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config-ca-trustpoint)# exit
hostname(config)# crypto pki authenticate trustpoint_name
When prompted for the base 64 encoded CA certificate, copy and paste the text in the downloaded .pem file along with the BEGIN and END lines. Repeat the procedure for the other certificates.
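As an added check for step d (not part of the original guide), the following Python validates a downloaded .pem before it is pasted at the crypto pki authenticate prompt: it rejects a file whose BEGIN or END line is missing or whose base64 body is shorter than its DER header claims, and returns SHA-1 and SHA-256 fingerprints of the DER so they can be compared with the fingerprints IOS displays before asking whether to accept the certificate. The sample PEM body is a constructed stand-in, not a CUCM certificate.

```python
import base64
import hashlib
import re

# Constructed sample input (NOT a real CUCM certificate): a minimal DER
# SEQUENCE { INTEGER 1 } between PEM markers, with the CRLF line endings a
# .pem saved as .txt on Windows would carry.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMCAQE=\r\n"
    "-----END CERTIFICATE-----\r\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def _der_sequence_length(der: bytes) -> int:
    """Total length implied by the outer DER SEQUENCE header (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; a certificate must start with 0x30")
    first = der[1]
    if first < 0x80:                 # short-form length
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_for_ios(pem_text: str) -> dict:
    """Validate a downloaded CUCM .pem before pasting it into 'crypto pki authenticate'.

    Raises ValueError when the BEGIN/END lines are missing, the body is not
    base64, or the body is shorter than its DER header claims (a truncated
    paste). Returns the DER size and fingerprints so they can be compared
    with what IOS prints before asking whether to accept the certificate.
    """
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("BEGIN/END CERTIFICATE lines missing; paste both with the body")
    body = "".join(m.group("body").split())        # drop CRLF and stray whitespace
    der = base64.b64decode(body, validate=True)    # reject non-base64 characters
    expected = _der_sequence_length(der)
    if expected != len(der):
        raise ValueError(f"truncated certificate: header says {expected} bytes, got {len(der)}")
    return {
        "der_len": len(der),
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }
```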
e. Generate the following IOS self-signed certificates and register them with Cisco Unified Communications Manager, or replace them with a certificate that you import from a CA.
Generate a self-signed certificate.
Example:
Router> enable
Router# configure terminal
Router(config)# crypto key generate rsa general-keys label <name> [exportable]
Router(config)# crypto pki trustpoint <name>
Router(ca-trustpoint)# enrollment selfsigned
Router(ca-trustpoint)# rsakeypair <name> 1024 1024
Router(ca-trustpoint)# authorization username subjectname commonname
Router(ca-trustpoint)# exit
Router(config)# crypto pki enroll <name>
Router(config)# end
Generate a self-signed certificate with Host-id check enabled on the VPN profile in Cisco Unified Communications Manager.
Example:
Router> enable
Router# configure terminal
Router(config)# crypto key generate rsa general-keys label <name> [exportable]
Router(config)# crypto pki trustpoint <name>
Router(ca-trustpoint)# enrollment selfsigned
Router(ca-trustpoint)# rsakeypair <name> 1024 1024
Router(ca-trustpoint)# fqdn <full domain name>
Router(ca-trustpoint)# subject-name CN=<full domain name>, CN=<IP>
Router(ca-trustpoint)# authorization username subjectname commonname
Router(ca-trustpoint)# exit
Router(config)# crypto pki enroll <name>
Router(config)# end
Register the generated certificate with Cisco Unified Communications Manager.
Example:
Router(config)# crypto pki export <name> pem terminal
Copy the text from the terminal, save it as a .pem file, and upload it in the Certificate Management page of Cisco Unified Communications Manager OS Administration.
Step 3 Install AnyConnect on IOS.
Download the AnyConnect package from cisco.com and install it to flash.
Example:
router(config)# webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg
Step 4 Configure the VPN feature. You can use the sample IOS configuration summary below to guide you with the configuration.

Note To use the phone with both certificate and password authentication, create a user with the phone MAC address. Username matching is case sensitive. For example:
username CP-7975G-SEP001AE2BC16CB password k1kLGQIoxyCO4ti9 encrypted
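As an added helper (not from the guide), the following Python derives the expected username from the phone model and MAC in the format of the example above and reports a username line in the running configuration that differs only in case, which the note says will not match. The sample configuration lines are constructed, and the assumption that every phone username follows the <model>-SEP<MAC> pattern of the one example is mine.

```python
import re

# Constructed sample input: a phone model and MAC as CUCM shows them, and
# three 'username' lines as they might appear in 'show running-config'.
# The secret/password values are placeholders, not real credentials.
PHONE_MODEL = "CP-7975G"
PHONE_MAC = "00:1a:e2:bc:16:cb"
SAMPLE_RUNNING_CONFIG = """\
username admin privilege 15 secret 5 $1$placeholder$placeholder
username cp-7975g-sep001ae2bc16cb password PLACEHOLDER encrypted
username CP-7965G-SEP001AE2BC16CC password PLACEHOLDER encrypted
"""


def phone_vpn_username(model: str, mac: str) -> str:
    """Build the IOS username for a phone as <model>-SEP<MAC>.

    Assumption: the pattern of the guide's single example (MAC upper-case,
    separators removed) holds for every phone model.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"MAC {mac!r} does not contain 12 hex digits")
    return f"{model}-SEP{digits.upper()}"


def username_status(running_config: str, expected: str) -> str:
    """Return 'ok', 'case-mismatch' or 'missing' for the expected username.

    Username matching is case sensitive, so a line that matches only
    case-insensitively is reported separately: it looks right in the
    config but will not match the name the phone presents.
    """
    configured = [
        line.split()[1]
        for line in running_config.splitlines()
        if line.startswith("username ")
    ]
    if expected in configured:
        return "ok"
    if any(name.lower() == expected.lower() for name in configured):
        return "case-mismatch"
    return "missing"


if __name__ == "__main__":
    wanted = phone_vpn_username(PHONE_MODEL, PHONE_MAC)
    print(wanted, "->", username_status(SAMPLE_RUNNING_CONFIG, wanted))
```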
Sample IOS configuration summary
You can use the following sample IOS configuration for VPN client on IP phone as a general guideline to creating your own configurations. The configuration entries can change over time.
Current configuration : 4648 bytes
!
! Last configuration change at 13:48:28 CDT Fri Mar 19 2010 by test
!
version 15.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
! hostname of the IOS
hostname vpnios
!
boot-start-marker
! Specifying the image to be used by IOS - boot image
boot system flash c2800nm-advsecurityk9-mz.152-1.4.T
boot-end-marker
!
!
logging buffered 21474836
!