AnyConnect clients cannot access the network over IPSec

Yuri Kazankin
Level 1

Hello!

 

A Cisco CSR1000V router on which AnyConnect users terminate and which also terminates an IPSec tunnel to a remote LAN.

LAN 10.251.0.0/24 hosts can reach the remote LAN hosts 10.120.0.0/16 over IPSec.

AnyConnect clients 10.251.100.0/24 can reach LAN 10.251.0.0/24.

The problem is that the remote LAN 10.120.0.0/16 is not reachable for the AnyConnect clients 10.251.100.0/24.

The AnyConnect clients on the workstations have the necessary route, but the traceroute is lost on the CSR1000V and does not go into the IPSec tunnel... Unfortunately, I could not find any clear reason why such a scheme does not work. Please help. An excerpt from the config and the diagram are below.

 

[diagram: gKn4h.jpg]

crypto pki trustpoint anyconnectvpn
 enrollment selfsigned
 subject-name CN=vpn.host.ru
 revocation-check none
 rsakeypair anyconnect
!

.....

crypto ssl proposal sslvpn-proposal
 protection rsa-aes256-sha1
!
crypto ssl authorization policy sslvpn-auth-policy
 include-local-lan
 pool SSL_Client
 dns dns.host.ru
 def-domain host.ru
 route set access-list sslvpn-tunnel
!
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint anyconnectvpn sign
 ip address local vpn.host.ru port 443
!
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy
 authentication remote user-pass
 max-users 20
!
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-macos-4.6.02074-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.6.02074-webdeploy-k9.pkg sequence 2
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 16
 lifetime 28800
!
crypto isakmp key SuPerPSK address 1.2.3.4
!
crypto map WAN_map 10 ipsec-isakmp
 set peer 1.2.3.4
 set security-association lifetime seconds 10800
 set transform-set ESP-AES-256-SHA-256
 set pfs group16
 match address l2l-tunnel

....


! pool end assumed to be a typo in the post (10.241.100.254 would precede the start address)
ip local pool SSL_Client 10.251.100.2 10.251.100.254


.....
ip access-list standard sslvpn-tunnel
 permit 10.251.0.0 0.0.255.255
 permit 10.120.0.0 0.0.255.255
ip access-list extended l2l-tunnel
 permit ip 10.251.0.0 0.0.255.255 10.120.0.0 0.0.255.255
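An added example (not code from the post or from Cisco) that checks the two ACLs quoted above against one AnyConnect-to-remote-LAN flow. It implements IOS first-match ACL evaluation with wildcard (inverse) masks and asks whether the split-tunnel ACL (`route set access-list sslvpn-tunnel`) pushes the remote LAN to the client, and whether the crypto map ACL (`match address l2l-tunnel`) selects traffic from the AnyConnect pool to the remote LAN as interesting traffic. The client address 10.251.100.10 and remote host 10.120.5.7 are sample values chosen from the ranges in the post, and the function and variable names are my own.

```python
"""Evaluate the posted CSR1000V ACLs for an AnyConnect-to-remote-LAN flow.

Added example, not code from the original post. Wildcard masks are
inverted into netmasks explicitly so that 0.0.0.0 means /32 rather than
being mistaken for a /0 netmask.
"""
import ipaddress

# ACL lines copied from the post; the rest of the configuration is omitted.
CONFIG = """
ip access-list standard sslvpn-tunnel
 permit 10.251.0.0 0.0.255.255
 permit 10.120.0.0 0.0.255.255
ip access-list extended l2l-tunnel
 permit ip 10.251.0.0 0.0.255.255 10.120.0.0 0.0.255.255
"""


def _addr(tokens):
    """Consume one IOS address spec and return (network, remaining tokens).

    Forms handled: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' (wildcard) and a
    bare 'A.B.C.D' in a standard ACL. A non-contiguous wildcard raises
    ValueError, which is the right outcome for a prefix-based check.
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) < 2 or not tokens[1][0].isdigit():
        return ipaddress.ip_network(tokens[0] + "/32"), tokens[1:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[0], netmask), strict=False), tokens[2:]


def parse_acls(text):
    """Return {name: [(action, src_net, dst_net), ...]}.

    dst_net is None for standard ACLs. Only 'permit/deny ip' extended
    entries are understood; entries with other protocols or ports are not
    needed for the post and are skipped.
    """
    acls, name, kind = {}, None, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["ip", "access-list"] and len(parts) >= 4:
            kind, name = parts[2], parts[3]
            acls[name] = []
            continue
        if name is None or parts[0] not in ("permit", "deny"):
            continue
        if kind == "standard":
            src, _ = _addr(parts[1:])
            acls[name].append((parts[0], src, None))
        elif parts[1] == "ip":
            src, rest = _addr(parts[2:])
            dst, _ = _addr(rest)
            acls[name].append((parts[0], src, dst))
    return acls


def matches(acl, src, dst=None):
    """IOS first-match semantics: 'permit', 'deny', or 'implicit-deny'."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst) if dst is not None else None
    for action, s_net, d_net in acl:
        if src in s_net and (d_net is None or (dst is not None and dst in d_net)):
            return action
    return "implicit-deny"


def mirrored(acl):
    """The entries the IPsec peer's crypto ACL must carry for the proxy
    identities to agree: same action, source and destination swapped."""
    return [(action, d_net, s_net) for action, s_net, d_net in acl]


def diagnose(config, client_ip, remote_ip):
    """Answer the two questions for one client/remote host pair."""
    acls = parse_acls(config)
    return {
        "split_tunnel_pushes_remote_lan":
            matches(acls["sslvpn-tunnel"], remote_ip) == "permit",
        "crypto_acl_selects_flow":
            matches(acls["l2l-tunnel"], client_ip, remote_ip) == "permit",
    }


if __name__ == "__main__":
    # Sample addresses (assumptions): one from the AnyConnect pool, one on
    # the remote LAN.
    print(diagnose(CONFIG, "10.251.100.10", "10.120.5.7"))
    for action, src, dst in mirrored(parse_acls(CONFIG)["l2l-tunnel"]):
        print(f"peer crypto ACL needs: {action} ip {src} -> {dst}")
```

With the post's values both checks come back True: the 0.0.255.255 wildcard widens 10.251.0.0 to a /16 that already contains the AnyConnect pool, so on the CSR itself the remote LAN is pushed to the client and the pool-to-remote flow is selected for the crypto map. What the script cannot see is the other end. The mirrored entry it prints is what the peer's crypto ACL must permit for that flow; a peer ACL written for 10.251.0.0/24 only would not match a 10.251.100.x source, and `show crypto ipsec sa peer 1.2.3.4` on the CSR will show whether a phase 2 SA with the wider identities exists. That is the same gap the two replies point at: the peer's configuration, and any NAT the CSR applies to client traffic before the crypto map sees it.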
3 Replies

cdusio
Level 4
Post the other device's config.

mikael.lahtela
Level 4
Could also be a NAT issue on the CSR from the AnyConnect client to the tunnel, so please provide more of the sanitized configuration.

br, Micke