Configure Cisco FlexVPN with AnyConnect

by | Oct 3, 2024 | Networking | 1 comment

Configuration on Cisco

It is a 7-step process on a Cisco router. The steps are:

  1. Turn ON HTTP server on R1
  2. Turn R1 into a CA so that it can create client certificates
  3. Create client certificate on R1
  4. Configure AAA
  5. Configure IKEv2
  6. Configure IPSec
  7. Create virtual-template1 and bind the IPSec profile to it.
Pre-configuration

hostname R1
no ip domain lookup

interface Loopback1
ip address 192.168.111.1 255.255.255.255

interface GigabitEthernet0/0
ip address 10.9.99.86 255.255.255.0
no shutdown

username reashad privilege 15 password FlexVPN-p@ssword

line vty 0 4
privilege level 15
logging synchronous
login local
transport input ssh

FLEXVPN configuration

=============================================
1.Turn ON HTTP server:
ip http server
=============================================
2.Turn R1 into a CA so that it can create client certificates:
crypto pki server R1-CA
issuer-name cn=”R1-CA”
grant auto
no shutdown
=============================================
3.Create client certiface on R1:
3.1 configure domain
ip domain name reashad.com

3.2 Create trustpoint and enrollment URL:
crypto pki trustpoint R1-CLIENT
enrollment url http://10.9.99.86
subject-name cn=R1-CLIENT.com.reashad

3.3 Accept the certificate:
crypto pki authenticate R1-CLIENT

3.4 Finally create the client certificate:
crypto pki enroll R1-CLIENT
=============================================
4. Configure AAA
aaa new-model
aaa authentication login A-EAP-AUTHEN-LOCAL local
aaa authorization network A-EAP-AUTHOR-GRP local
=============================================
5. IKEv2:
5.1 IKEv2 authorization policy:
crypto ikev2 authorization policy IKEV2-AUTH-POLICY
pool ACPOOL
dns 1.1.1.1
def-domain reashad.com
route set remote ipv4 192.168.111.1 255.255.255.255

5.2 Create the pool:
ip local pool ACPOOL 192.168.10.5 192.168.10.10

5.3 IKEv2 Proposal
crypto ikev2 proposal IKEV2-PROP1
encryption aes-cbc-256
integrity sha256
group 19

5.4 IKEv2 Policy:
crypto ikev2 policy IKEV2-POL
proposal IKEV2-PROP1

5.5 IKEv2 Profile:
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint R1-CLIENT
aaa authentication anyconnect-eap A-EAP-AUTHEN-LOCAL
aaa authorization group anyconnect-eap list A-EAP-AUTHOR-GRP IKEV2-AUTH-POLICY
virtual-template 1
=============================================
6. IPSec:
6.1 IPSec transform set:
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac

6.2 Create IPSec profile:
crypto ipsec profile AnyConnect-EAP
set transform-set TS
set ikev2-profile AnyConnect-EAP
=============================================
7. Create virtual-template1 and bind the IPSec profile to it:
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
ip mtu 1400
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP

Windows configuration

1. Install these 2 files

 

2. Open VPN profile editor and create your profile

3. Save the profile and move it to C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientProfile

4.Open AnyConnectLocalPolicy.xml and edit BypassDownloader=true

5.Open Anyconnect and connect to server

1 Comment

  1. Tayeeba Tarannum
    Tayeeba Tarannum on October 4, 2024 at 9:30 am

    It has been broken down so well that anyone can follow!

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.