FlexVPN also allows us to configure remote-access VPNs which is useful for remote workers. This works with a Cisco proprietary AnyConnect-EAP method. All EAP communication terminates on the FlexVPN server. This is different from standards-based EAP methods such as EAP-MD5 or EAP-GTC, which pass through to an AAA server.
Both local and remote user authentication is possible. Local authentication is a great option for small networks because you don’t need an AAA server.
The FlexVPN server presents a certificate to the remote user so they can check the validity of the FlexVPN server. The clients can authenticate themselves to the FlexVPN server with a username and password or a certificate.
In this lesson, I’ll show you how to configure the FlexVPN server on a router and how to create an AnyConnect profile for our client. By default, Anyconnect uses SSL instead of IPSec so we need a custom profile.
Here is the topology we’ll use:
The router runs IOSv version 15.9(3)M2. The client is a Windows 10 computer with AnyConnect Client version 4.8.03052.
In this example, I will use a self-signed certificate on the router as we did in the FlexVPN PKI authentication lesson.
Certificate Authority (CA)
To communicate with the CA, we need to enable the HTTP server:
R1(config)#ip http server
I’ll turn R1 into a CA:
R1(config)#crypto pki server R1-CA R1(cs-server)#issuer-name cn="R1-CA" R1(cs-server)#grant auto R1(cs-server)#no shutdown %Some server settings cannot be changed after CA certificate generation. Password: Re-enter password: % Generating 1024 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 0 seconds) % Certificate Server enabled.
R1 is now a CA and ready to create certificates.
We are going to create a client certificate for R1. First, we need to set a domain name:
R1(config)#ip domain name NWL.LAB
We configure a new trustpoint and set the enrollment URL and subject name:
R1(config)#crypto pki trustpoint R1-CLIENT R1(ca-trustpoint)#enrollment url http://192.168.1.1 R1(ca-trustpoint)#subject-name cn=R1-CLIENT.LAB.NWL
Let’s accept the certificate from the CA:
R1(config)#crypto pki authenticate R1-CLIENT Certificate has the following attributes: Fingerprint MD5: 41AD31E8 DE034F0C 0F4415EA 37165620 Fingerprint SHA1: AB9EC15F FBBF7C9A 2F85C44F 654FE42C 3EF77A8E % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted.
Now we can request a client certificate for R1:
R1(config)#crypto pki enroll R1-CLIENT % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password: Re-enter password: % The subject name in the certificate will include: cn=R1-CLIENT.LAB.NWL % The subject name in the certificate will include: R1.NWL.LAB % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The ' ' commandwill show the fingerprint.
Excellent, we now have a certificate.
We are going to use local authentication and local network authorization. I’ll create two lists and a user account that we’ll use for the client:
R1(config)#aaa new-model R1(config)#aaa authentication login AAA_AUTHENTICATION_LOGIN local R1(config)#aaa authorization network AAA_AUTHORIZATION_NETWORK local R1(config)#username test password cisco123
Let’s configure our IKEv2 settings. With some of these settings, you could use smart defaults but I prefer to configure this myself. It’s possible that with new versions of the AnyConnect client, certain protocols don’t work anymore. When this happens, you want to be able to quickly update your configuration.
IKEv2 Authorization Policy
We’ll start with an authorization policy. This is where we configure the pool of IP addresses that we want to use for our clients. I’ll also configure some default settings like a domain name, DNS server, and the remote routes that the client can reach:
R1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY R1(config-ikev2-author-policy)#pool VPN_POOL R1(config-ikev2-author-policy)#def-domain NWL.LAB R1(config-ikev2-author-policy)#route set remote ipv4 22.214.171.124 255.255.255.255 R1(config-ikev2-author-policy)#dns 126.96.36.199
Let’s create that pool:
R1(config)#ip local pool VPN_POOL 192.168.10.5 192.168.10.10
Let’s create an IKEv2 proposal:
R1(config)#crypto ikev2 proposal IKEV2_PROPOSAL R1(config-ikev2-proposal)#encryption aes-cbc-256 R1(config-ikev2-proposal)#integrity sha256 R1(config-ikev2-proposal)#group 15
We also need an IKEv2 profile. Here is the configuration:
R1(config)#crypto ikev2 profile IKEV2_PROFILE R1(config-ikev2-profile)#match identity remote key-id *$AnyConnectClient$* R1(config-ikev2-profile)#authentication local rsa-sig R1(config-ikev2-profile)#authentication remote anyconnect-eap aggregate R1(config-ikev2-profile)#pki trustpoint R1-CLIENT R1(config-ikev2-profile)#aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN R1(config-ikev2-profile)#aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK R1(config-ikev2-profile)#virtual-template 1
Let me explain what you see above:
match identity remote key id: *$AnyConnectClient$* is the default KEY ID that the AnyConnect client uses.
authentication local rsa-sig: The client will authenticate the router through the router’s certificate.
authentication remote: The router will authenticate the client using Cisco’s proprietary AnyConnect-EAP method.
aaa authentication anyconnect-eap: We refer to the AAA authentication list we want to use for authentication.
pki trustpoint: The certificate we want to use.
aaa authorization group anyconnect-eap: We refer to the AAA authorization list we want to use for network authorization.
virtual-template 1: We attach the IKEv2 profile to a virtual-template that we’ll create in a minute.
We need an IPSec transform-set and an IKEv2 profile. I’ll create both: