<h1 class="wp-block-heading">Why the VPN won't come up (TLS cases): Secure Client on Firepower (ASA mode)</h1>

<p>Published 2025-11-22, https://mylifeisbeautiful555.net/?page_id=1624</p>

<h1 class="wp-block-heading">Firepower (ASA mode) × Secure Client</h1>

<h1 class="wp-block-heading">❗ Seven typical patterns where TLS is the reason the VPN won't establish</h1>

<h2 class="wp-block-heading"><strong>① The ASA's certificate is invalid (expired / SAN mismatch)</strong></h2>

<h3 class="wp-block-heading">Symptoms</h3>

<ul class="wp-block-list">
<li>Secure Client shows a "certificate error"</li>
<li>Example error: <code>certificate validation failure</code></li>
<li>The connection fails during the TLS handshake</li>
</ul>

<h3 class="wp-block-heading">Check commands</h3>

<pre class="wp-block-code"><code>show crypto ca certificates
show vpn-sessiondb anyconnect
</code></pre>

<h3 class="wp-block-heading">Resolution</h3>

<ul class="wp-block-list">
<li>Confirm that the FQDN <strong>matches the certificate's SAN</strong></li>
<li>Re-import a new certificate into the ASA</li>
<li>If the certificate has expired, reissue it</li>
</ul>

<h2 class="wp-block-heading"><strong>② webvpn is using a port <em>other than</em> 443 (the client cannot handle it)</strong></h2>

<h3 class="wp-block-heading">Symptoms</h3>

<ul class="wp-block-list">
<li>The service is operated at a URL such as <code>https://xxx:4443</code></li>
<li>Secure Client does not handle the port change correctly and cannot connect</li>
</ul>

<h3 class="wp-block-heading">Check</h3>

<pre class="wp-block-code"><code>show run webvpn
</code></pre>

<h3 class="wp-block-heading">Configuration example (correct form)</h3>

<pre class="wp-block-code"><code>webvpn
 enable outside
 port 443
</code></pre>

<h3 class="wp-block-heading">Resolution</h3>

<ul class="wp-block-list">
<li>As a rule, go back to a <strong>fixed port 443</strong></li>
<li>If you really must change it, specify the port in the Profile Editor</li>
</ul>

<h2 class="wp-block-heading"><strong>③ The TLS version restriction is too strict (old clients are not supported)</strong></h2>

<h3 class="wp-block-heading">Symptoms</h3>

<ul class="wp-block-list">
<li>The client does not support TLS1.3 / TLS1.2</li>
<li>Log: <code>Failed to negotiate acceptable TLS version</code></li>
</ul>

<h3 class="wp-block-heading">Check</h3>

<pre class="wp-block-code"><code>show run webvpn | include tls
</code></pre>

<h3 class="wp-block-heading">Recommended ASA settings</h3>

<pre class="wp-block-code"><code>ssl server-version tlsv1.2
ssl client-version tlsv1.2
</code></pre>

<p>Note: once TLS1.0/1.1 are disabled, old AnyConnect versions can no longer connect.</p>

<h3 class="wp-block-heading">Resolution</h3>

<ul class="wp-block-list">
<li>Update Secure Client to the latest version</li>
<li>Temporarily enable TLS1.0/1.1 to isolate the problem</li>
</ul>

<h2 class="wp-block-heading"><strong>④ Cipher suite mismatch (cipher mismatch)</strong></h2>

<h3 class="wp-block-heading">Symptoms</h3>

<ul class="wp-block-list">
<li>The connection stalls at "Negotiating security policies"</li>
<li>Log: <code>SSL negotiation failed</code></li>
</ul>

<h3 class="wp-block-heading">Check</h3>

<pre class="wp-block-code"><code>show run webvpn | i cipher
</code></pre>

<h3 class="wp-block-heading">Common bad patterns on the ASA</h3>

<ul class="wp-block-list">
<li><code>aes256-sha</code> has been disabled</li>
<li>The <code>ecdh</code> family is being rejected</li>
</ul>

<h3 class="wp-block-heading">Recommended ASA setting (safest and most compatible)</h3>

<pre class="wp-block-code"><code>ssl cipher tlsv1.2 high-security</code></pre>

<h3 class="wp-block-heading">Resolution</h3>

<ul class="wp-block-list">
<li>Revert to <code>high-security</code> or <code>fips</code></li>
<li>Do not use a custom cipher list (it reduces compatibility)</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>⑤ The intermediate certificate of the chain has not been imported into the ASA</strong></h2>

<h3 class="wp-block-heading">Symptoms</h3>

<ul class="wp-block-list">
<li>Works in a browser, but only Secure Client fails</li>
<li>Error: <code>unable to get local issuer certificate</code></li>
</ul>

<h3 class="wp-block-heading">Check</h3>

<pre class="wp-block-code"><code>show crypto ca certificates | begin certificate
</code></pre>

<h3 class="wp-block-heading">Let's Encrypt in particular requires the intermediate CA</h3>

<h3 class="wp-block-heading">Resolution</h3>

<ul class="wp-block-list">
<li>Add the intermediate certificate to the ASA</li>
<li>Bind it to the trustpoint</li>
</ul>

<p>Example:</p>

<pre class="wp-block-code"><code>crypto ca import MY-TP certificate
crypto ca import MY-TP chain</code></pre>

<h2 class="wp-block-heading"><strong>⑥ Not accessing by FQDN (does not match the certificate SAN)</strong></h2>

<h3 class="wp-block-heading">Symptoms</h3>

<ul class="wp-block-list">
<li>Connecting directly by IP address produces an error during the TLS handshake</li>
<li><code>certificate common name invalid</code></li>
</ul>

<p>Example:<br>Certificate: <code>vpn.example.com</code><br>Connection: <code>https://1.2.3.4/</code> → NG</p>

<h3 class="wp-block-heading">Check</h3>

<p>"CN mismatch" appears in the Secure Client log (Message History).</p>

<h3 class="wp-block-heading">Resolution</h3>

<ul class="wp-block-list">
<li>Always connect using the FQDN</li>
<li>Create the correct record in public DNS</li>
</ul>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading"><strong>⑦ TLS Inspection (decrypt) on the ASA side is misbehaving</strong></h2>

<p>On Firepower Threat Defense in particular, a misconfiguration can break TLS.</p>

<h3 class="wp-block-heading">Symptoms</h3>

<ul class="wp-block-list">
<li>Inside to outside is OK</li>
<li>TLS from outside to the ASA is reset midway</li>
<li>The ASA's own SSL is affected (rare)</li>
</ul>

<h3 class="wp-block-heading">Check</h3>

<pre class="wp-block-code"><code>show run | i inspect tls
show run service-policy
</code></pre>

<h3 class="wp-block-heading">Resolution</h3>

<ul class="wp-block-list">
<li>In ASA mode, decrypt is generally not used</li>
<li>Disable TLS inspection to isolate the problem</li>
</ul>

<pre class="wp-block-code"><code>policy-map global_policy
 no inspect ssl</code></pre>

<h1 class="wp-block-heading">Summary (fastest isolation when the TLS connection fails)</h1>

<ol class="wp-block-list">
<li><strong>Does the certificate CN/SAN match the FQDN?</strong></li>
<li><strong>Is the certificate expired? Is the intermediate CA present?</strong></li>
<li><strong>Is TLS version 1.2 enabled?</strong></li>
<li><strong>Are the ciphers not overly restricted?</strong></li>
<li><strong>Is webvpn enabled on outside?</strong></li>
<li><strong>Is port 443 open?</strong></li>
</ol>