FlexVPN Remote Access AnyConnect

FlexVPN also supports remote-access VPNs, which is useful for remote workers. With the AnyConnect client, this uses Cisco's proprietary AnyConnect-EAP method, in which the entire EAP exchange terminates on the FlexVPN server. This differs from standards-based EAP methods such as EAP-MD5 or EAP-GTC, where the router passes the EAP messages through to an AAA server.

Both local and remote (AAA server) user authentication are possible. Local authentication is a good option for small networks because you don't need an AAA server.

The FlexVPN server presents a certificate to the remote user so the client can verify the server's identity. Clients authenticate themselves to the FlexVPN server with a username and password or with a certificate.

In this lesson, I'll show you how to configure the FlexVPN server on a router and how to create an AnyConnect profile for the client. By default, AnyConnect uses SSL instead of IPsec, so we need a custom profile that tells the client to use IKEv2/IPsec for this server.
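To show what that custom profile has to contain, here is an added example (not the lesson's own profile, which is not reproduced on this page) that builds a minimal AnyConnect client profile pinned to IKEv2/IPsec with AnyConnect-EAP and then checks an existing profile for the usual mistake, a HostEntry without a PrimaryProtocol, which makes the client fall back to SSL. The element names (HostEntry, PrimaryProtocol, StandardAuthenticationOnly, AuthMethodDuringIKENegotiation) follow Cisco's AnyConnect profile schema as I know it; the host name R1 and address 192.168.1.1 are assumptions matching the topology, and the SSL-default profile is constructed for the demo.

```python
"""Build and check an AnyConnect client profile that makes the client use
IKEv2/IPsec with AnyConnect-EAP instead of its default SSL transport.
Added example, not the lesson's profile: element names follow Cisco's
AnyConnect profile schema as I know it; host name/address are assumptions."""
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"   # namespace of AnyConnect profiles


def q(tag):
    """Namespace-qualify a profile element name for ElementTree."""
    return f"{{{NS}}}{tag}"


def build_profile(host_name, host_address):
    """Return profile XML (bytes) with one HostEntry pinned to IPsec + EAP-AnyConnect."""
    ET.register_namespace("", NS)
    root = ET.Element(q("AnyConnectProfile"))
    entry = ET.SubElement(ET.SubElement(root, q("ServerList")), q("HostEntry"))
    ET.SubElement(entry, q("HostName")).text = host_name
    ET.SubElement(entry, q("HostAddress")).text = host_address
    # Without PrimaryProtocol=IPsec the client tries SSL, which the FlexVPN
    # router does not serve; the nested block selects the AnyConnect-EAP method.
    primary = ET.SubElement(entry, q("PrimaryProtocol"))
    primary.text = "IPsec"
    std = ET.SubElement(primary, q("StandardAuthenticationOnly"))
    std.text = "true"
    ET.SubElement(std, q("AuthMethodDuringIKENegotiation")).text = "EAP-AnyConnect"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def check_profile(xml_bytes, host_address):
    """Return a list of problems for the HostEntry matching host_address;
    an empty list means the client will negotiate IKEv2 with AnyConnect-EAP."""
    root = ET.fromstring(xml_bytes)
    entry = next((e for e in root.iter(q("HostEntry"))
                  if (e.findtext(q("HostAddress")) or "").strip() == host_address), None)
    if entry is None:
        return [f"no HostEntry for {host_address}"]
    primary = entry.find(q("PrimaryProtocol"))
    if primary is None or (primary.text or "").strip() != "IPsec":
        return ["PrimaryProtocol is not IPsec (client would use SSL)"]
    method = primary.find(q("StandardAuthenticationOnly") + "/" + q("AuthMethodDuringIKENegotiation"))
    if method is None or (method.text or "").strip() != "EAP-AnyConnect":
        return ["AuthMethodDuringIKENegotiation is not EAP-AnyConnect"]
    return []


# Constructed counter-example: a HostEntry with no PrimaryProtocol, i.e. what a
# profile looks like when the IPsec selection is forgotten (client defaults to SSL).
SSL_DEFAULT_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>R1</HostName>
      <HostAddress>192.168.1.1</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

if __name__ == "__main__":
    profile = build_profile("R1", "192.168.1.1")   # assumed server name/address
    print(profile.decode())
    print("pinned profile:", check_profile(profile, "192.168.1.1"))
    print("ssl default   :", check_profile(SSL_DEFAULT_PROFILE, "192.168.1.1"))
```

On Windows the generated XML goes into the AnyConnect profile directory (`%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile` as I know it); the client then shows the host name from the profile in its connection list and uses IKEv2 for it. Running `check_profile` against a profile before deploying it catches the "connects over SSL and fails" symptom before a user does.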

Configuration

Here is the topology we’ll use:

[Topology: R1 (FlexVPN server) and the AnyConnect user]

The router runs IOSv version 15.9(3)M2. The client is a Windows 10 computer with AnyConnect Client version 4.8.03052.

PKI

In this example, R1 runs its own CA and issues its own certificate, as in the FlexVPN PKI authentication lesson. The CA certificate is self-signed; the identity certificate that R1 presents to clients is issued by that CA.

Certificate Authority (CA)

To communicate with the CA (SCEP enrollment runs over HTTP), we need to enable the HTTP server:

R1(config)#ip http server 

I’ll turn R1 into a CA:

R1(config)#crypto pki server R1-CA
R1(cs-server)#issuer-name cn="R1-CA"
R1(cs-server)#grant auto
R1(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.

Password: 

Re-enter password: 
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

% Certificate Server enabled.

R1 is now a CA and ready to issue certificates. Note that the CA generated its key pair with the default size of 1024 bits, which is fine for a lab but below the 2048-bit minimum you would want anywhere else.

ID Trustpoint

We are going to create an identity certificate for R1 itself, issued by the CA we just configured. First, we need to set a domain name:

R1(config)#ip domain name NWL.LAB

We configure a new trustpoint and set the enrollment URL and subject name:

R1(config)#crypto pki trustpoint R1-CLIENT
R1(ca-trustpoint)#enrollment url http://192.168.1.1
R1(ca-trustpoint)#subject-name cn=R1-CLIENT.LAB.NWL

Let's authenticate the trustpoint, which fetches the CA certificate. Because the CA runs on this same router, the fingerprint shown can be compared directly with the CA's own certificate; with a remote CA you would verify it out of band before answering yes:

R1(config)#crypto pki authenticate R1-CLIENT
Certificate has the following attributes:
       Fingerprint MD5: 41AD31E8 DE034F0C 0F4415EA 37165620 
      Fingerprint SHA1: AB9EC15F FBBF7C9A 2F85C44F 654FE42C 3EF77A8E 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Now we can request a client certificate for R1:

R1(config)#crypto pki enroll R1-CLIENT
%
% Start certificate enrollment .. 
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password: 
Re-enter password: 

% The subject name in the certificate will include: cn=R1-CLIENT.LAB.NWL
% The subject name in the certificate will include: R1.NWL.LAB
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose R1-CLIENT' command will show the fingerprint.

Excellent, we now have a certificate. You can confirm that both the CA certificate and the identity certificate are present with show crypto pki certificates R1-CLIENT.

AAA

We are going to use local authentication and local network authorization. I'll create two AAA method lists and a user account for the client:

R1(config)#aaa new-model

R1(config)#aaa authentication login AAA_AUTHENTICATION_LOGIN local
R1(config)#aaa authorization network AAA_AUTHORIZATION_NETWORK local 

R1(config)#username test password cisco123

For a lab this is fine; on a production router use username test secret instead, so the credential is stored as a hash rather than as a reversible password string.

IKEv2

Let's configure our IKEv2 settings. For some of these you could rely on the smart defaults, but I prefer to configure them explicitly. New versions of the AnyConnect client may drop support for certain algorithms; when that happens, you want to be able to update your configuration quickly.

For example, AnyConnect 4.9.00086 disables DES, 3DES, MD5, and DH groups 2, 5, 14, and 24, so a proposal that offers only those has nothing the client is willing to negotiate.

IKEv2 Authorization Policy

We'll start with an authorization policy. This is where we configure the pool of IP addresses for our clients, plus a default domain name, a DNS server, and the remote routes the client can reach through the tunnel:

R1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
R1(config-ikev2-author-policy)#pool VPN_POOL
R1(config-ikev2-author-policy)#def-domain NWL.LAB
R1(config-ikev2-author-policy)#route set remote ipv4 1.1.1.1 255.255.255.255
R1(config-ikev2-author-policy)#dns 1.1.1.1

Let’s create that pool:

R1(config)#ip local pool VPN_POOL 192.168.10.5 192.168.10.10

IKEv2 Proposal

Let’s create an IKEv2 proposal:

R1(config)#crypto ikev2 proposal IKEV2_PROPOSAL 
R1(config-ikev2-proposal)#encryption aes-cbc-256
R1(config-ikev2-proposal)#integrity sha256
R1(config-ikev2-proposal)#group 15

IKEv2 Policy

We attach the proposal to the default IKEv2 policy:

R1(config)#crypto ikev2 policy default
R1(config-ikev2-policy)#proposal IKEV2_PROPOSAL

IKEv2 Profile

We also need an IKEv2 profile. Here is the configuration:

R1(config)#crypto ikev2 profile IKEV2_PROFILE
R1(config-ikev2-profile)#match identity remote key-id *$AnyConnectClient$*
R1(config-ikev2-profile)#authentication local rsa-sig
R1(config-ikev2-profile)#authentication remote anyconnect-eap aggregate
R1(config-ikev2-profile)#pki trustpoint R1-CLIENT
R1(config-ikev2-profile)#aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
R1(config-ikev2-profile)#aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
R1(config-ikev2-profile)#virtual-template 1

Let me explain what you see above:

  • match identity remote key-id: *$AnyConnectClient$* is the default IKE identity (key ID) that the AnyConnect client sends, so this profile matches any AnyConnect client.
  • authentication local rsa-sig: the router authenticates itself to the client with its certificate.
  • authentication remote anyconnect-eap aggregate: the router authenticates the client with Cisco's proprietary AnyConnect-EAP method.
  • pki trustpoint: the trustpoint whose certificate the router presents.
  • aaa authentication anyconnect-eap: the AAA authentication list used to check the client's username and password.
  • aaa authorization group anyconnect-eap: the AAA authorization list and the IKEv2 authorization policy (pool, DNS, routes) applied to the client after it authenticates.
  • virtual-template 1: we attach the IKEv2 profile to a virtual-template that we'll create in a minute.
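The IKEv2 profile above only works if every name it refers to (the two AAA lists, the trustpoint, the authorization policy and its pool, the virtual-template) actually exists, and the proposal it ends up using has to survive the AnyConnect 4.9 algorithm removals mentioned earlier. The following added example (my code, not part of the lesson) lints a running-config excerpt for both problems: it flags deprecated IKEv2 proposal values and reports dangling references. SAMPLE_CONFIG is constructed for the demo from this lesson's commands plus a deliberately weak second proposal; the virtual-template is left undefined, as it still is at this point in the lesson, so the reference check has something to report.

```python
"""Lint an IOS FlexVPN/IKEv2 config excerpt (added example, not the lesson's code):
(1) IKEv2 proposals still offering algorithms AnyConnect 4.9.00086+ dropped (DES,
3DES, MD5, DH groups 2, 5, 14, 24); (2) references from the IKEv2 profile and the
authorization policy to AAA lists, trustpoints, pools or interfaces never defined.
SAMPLE_CONFIG is constructed for the demo, not captured from a device."""

DEPRECATED = {"encryption": {"des", "3des"}, "integrity": {"md5"},
              "group": {"2", "5", "14", "24"}}

# (sub-command prefix inside 'crypto ikev2 profile', token index of the referenced name, kind)
PROFILE_REFS = [
    (("aaa", "authentication"), 3, "login"),
    (("aaa", "authorization"), 5, "network"),
    (("aaa", "authorization"), 6, "policy"),
    (("pki", "trustpoint"), 2, "trustpoint"),
    (("virtual-template",), 1, "interface"),
]

SAMPLE_CONFIG = """\
aaa authentication login AAA_AUTHENTICATION_LOGIN local
aaa authorization network AAA_AUTHORIZATION_NETWORK local
crypto pki trustpoint R1-CLIENT
!
ip local pool VPN_POOL 192.168.10.5 192.168.10.10
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 pool VPN_POOL
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 15
crypto ikev2 proposal LEGACY_PROPOSAL
 encryption aes-cbc-128 3des
 integrity sha1 md5
 group 14 2
crypto ikev2 profile IKEV2_PROFILE
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint R1-CLIENT
 aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
 aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
 virtual-template 1
"""


def parse_blocks(config):
    """Map each top-level command line to its tokenised sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # separator ends the current block
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.split())
        else:
            current = line.strip()
            blocks.setdefault(current, [])      # top-level line, possibly without subs
    return blocks


def defined_names(blocks, prefix):
    """Names introduced by top-level lines of the form 'prefix NAME ...'."""
    return {line.split()[len(prefix.split())] for line in blocks
            if line.startswith(prefix + " ")}


def audit_algorithms(blocks):
    """(proposal, sub-command, value) per deprecated value, plus a 'nothing left to
    negotiate' finding when every value of a sub-command is deprecated."""
    findings = []
    for line, subs in blocks.items():
        if not line.startswith("crypto ikev2 proposal "):
            continue
        name = line.split()[3]
        for sub in subs:
            bad = [v for v in sub[1:] if v.lower() in DEPRECATED.get(sub[0], set())]
            findings.extend((name, sub[0], v) for v in bad)
            if bad and len(bad) == len(sub) - 1:
                findings.append((name, sub[0], "nothing left to negotiate"))
    return findings


def audit_references(blocks):
    """(block, sub-command, missing name) for references to undefined objects."""
    kinds = {"login": "aaa authentication login", "network": "aaa authorization network",
             "policy": "crypto ikev2 authorization policy", "pool": "ip local pool",
             "trustpoint": "crypto pki trustpoint", "interface": "interface"}
    defined = {k: defined_names(blocks, p) for k, p in kinds.items()}
    missing = []
    for line, subs in blocks.items():
        if line.startswith("crypto ikev2 profile "):
            for sub in subs:
                for prefix, idx, kind in PROFILE_REFS:
                    if tuple(sub[:len(prefix)]) != prefix or len(sub) <= idx:
                        continue
                    name = "Virtual-Template" + sub[idx] if kind == "interface" else sub[idx]
                    if name not in defined[kind]:
                        missing.append((line, " ".join(sub), name))
        elif line.startswith("crypto ikev2 authorization policy "):
            for sub in subs:
                if sub[0] == "pool" and sub[1] not in defined["pool"]:
                    missing.append((line, " ".join(sub), sub[1]))
    return missing
```

Feed it `show running-config` output with `cfg = parse_blocks(text)` and then `audit_algorithms(cfg)` and `audit_references(cfg)`. On SAMPLE_CONFIG the first reports 3des, md5, groups 14 and 2 in LEGACY_PROPOSAL (and that its group line has nothing left), and the second reports only the missing Virtual-Template1. A dangling AAA list or policy name is a common cause of the "authentication passed, authorization failed" symptom discussed in the forum replies below, and this check finds it before a debug session does.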

IPSec

We need an IPsec transform-set and an IPsec profile that references the IKEv2 profile. I'll create both:




Forum Replies

  1. Hello Taha

    Keep in mind that the AnyConnect client depending upon its version can support various different configurations. You may have configured the ASA exactly the same way as in the lesson, but the client may or may not support certain configurations.

    You may also find that depending upon your operating system or connecting device (Windows 10, Windows 7/8, Android, iOS, Mac etc…) you will have different capabilities. The following Cisco community thread describes some of these issues that have resulted in the same error as you are getting here. Hopeful

    ... Continue reading in our forum

  2. After consistently spending time in the lab troubleshooting/reading/learning the fundamentals of IKEv2, I was able to use the false positive debug information to track the root cause of this “passed authentication and failed authorization” issue.

    I have finally managed to resolve this issue and I hope this small write-up will help others in future too.

    I was using the same version of anyconnect 4.8 in the article and IOS 15.7.

    Authorization Failure:
    The article really helped! however it left out a small issue:

    https://networklessons.com/cisco/ccie-enterprise-i

    ... Continue reading in our forum

  3. Hi Laz,

    I am extremely flattered by your compliments, thank you. I am a novice in the Cisco world.
    I think very highly of any individual who has acquired a CCIE. I see them as a role-model!

    As of late, networking and virtualization have become a hobby activity; subsequently this aids one's ability to learn rather quickly.

    The issue came to my attention, after reading cisco article on IKEv2:

    https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html

    Under the proposal section it states:

    “Manuall

    ... Continue reading in our forum

  4. Hi @ReneMolenaar ,

    It’s an absolute pleasure to meet you :raising_hand_man:

    I apologise that I opened up multiple topics regarding this issue, as I was experiencing multiple issues with the lesson. Let's use this forum, as I have included details on how I came to conclusions with some of the issues above.

    I would like to state that the article is wonderful. Between each step you provide details on a) why we are performing the particular step b) how we will perform this config.
    With this type of break-down one is able to fully comprehend and understand the config, subsequently this allow

    ... Continue reading in our forum

  5. Hello Jason

    Thanks so much for sharing this on the forum. I’ll let Rene know to take a look and make the appropriate updates to the lesson.

    Thanks again!

    Laz
