
FlexVPN/Ikev2/EAP secure connection between Iphone/Ipad and a Cisco router





With the release of AC 3.0 on mobile devices we have the chance of connecting any smartphone to an ikev2 flexvpn headend.


AC 3.0 has been released for Apple.


Release notes are available here:


Design considerations



AnyConnect on a smart device integrates seamlessly into a FlexVPN headend without any tweaking on the router.


Per RFC 5996, if we use EAP to authenticate a client, the hub MUST be authenticated by providing a certificate.


The underlying reason is the following:

If we were using a PSK instead and one person had access to the client and to the headend infrastructure, he could use ARP poisoning to impersonate the hub and then decode the user password.


By using a certificate we avoid this situation.


  • AnyConnect expects the router to present a certificate with the right Extended Key Usage [TLS web server - typically using the Web Server template on a Microsoft CA server].
  • The certificate Common Name needs to be equal to the connection DNS name defined in AnyConnect.
  • If the CN on the certificate is not populated in your DNS, then you need to have a Subject Alternative Name [SAN] defined.
    • SAN will restrict connections to an IP that is resolved as
    • SAN DNS:* will allow connecting to any router where the DNS lookup points to something in
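The certificate rules above are easy to get wrong before the first connection attempt. The following pre-flight check is an added example, not code from the post or from AnyConnect: it takes the fields of the headend certificate as a plain dict (CN, SAN DNS names, SAN IP addresses, EKU OIDs), the address typed into the client, and a reverse-lookup callable (injected so the check runs offline), and reports which of the listed requirements fail. The serverAuth OID is the standard id-kp-serverAuth value; the single-label wildcard semantics for `DNS:*` entries and the dict layout are assumptions of this example.

```python
"""Pre-flight check of a FlexVPN headend certificate against the AnyConnect
expectations listed in the post: TLS web server EKU, CN or SAN DNS matching the
connection name, and a SAN matching the reverse DNS name when an IP is used.
Added example; certificate fields and reverse-lookup results are constructed."""
import ipaddress

# id-kp-serverAuth ("TLS Web Server Authentication"), the EKU the post requires.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def name_matches(pattern, hostname):
    """Case-insensitive DNS comparison; a leading '*.' matches exactly one label
    (assumed wildcard semantics, e.g. '*.lab.example.com' matches 'hub1.lab.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".lab.example.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return pattern == hostname


def check_headend_cert(cert, target, reverse_lookup):
    """Return a list of findings; an empty list means the certificate satisfies the rules.

    cert:           {"subject_cn": str|None, "san_dns": [str], "san_ip": [str], "eku": [oid]}
    target:         the address the user types into AnyConnect (IP or DNS name)
    reverse_lookup: callable(ip) -> hostname or None (the client's reverse resolution)
    """
    findings = []
    if SERVER_AUTH_OID not in cert.get("eku", []):
        findings.append("EKU lacks TLS Web Server Authentication (serverAuth)")

    try:
        ipaddress.ip_address(target)
        is_ip = True
    except ValueError:
        is_ip = False

    dns_names = list(cert.get("san_dns", []))
    if is_ip:
        # Connecting to an IP: an IP SAN is accepted directly; otherwise the name the
        # client obtains by reverse resolution must match a SAN DNS entry.
        if target in cert.get("san_ip", []):
            return findings
        rname = reverse_lookup(target)
        if rname is None:
            findings.append(f"{target} has no reverse DNS entry and no IP SAN")
        elif not any(name_matches(p, rname) for p in dns_names):
            findings.append(f"reverse name {rname} matches no SAN DNS entry")
    else:
        # Connecting to a DNS name: it must equal the CN, or at least a SAN DNS entry.
        cn = cert.get("subject_cn")
        if not ((cn and name_matches(cn, target))
                or any(name_matches(p, target) for p in dns_names)):
            findings.append(f"{target} matches neither CN {cn!r} nor any SAN DNS entry")
    return findings


# Constructed certificate for demonstration (not a real headend certificate).
DEMO_CERT = {
    "subject_cn": "vpn.example.com",
    "san_dns": ["vpn.example.com", "*.lab.example.com"],
    "san_ip": [],
    "eku": [SERVER_AUTH_OID],
}

if __name__ == "__main__":
    # Constructed reverse-DNS answer: 192.0.2.1 -> hub1.lab.example.com
    fake_ptr = {"192.0.2.1": "hub1.lab.example.com"}.get
    for target in ("vpn.example.com", "192.0.2.1", "198.51.100.7"):
        print(target, "->", check_headend_cert(DEMO_CERT, target, fake_ptr) or "OK")
```

To use it against a real headend, fill the dict from the certificate shown by `show crypto pki certificates` (or from an X.509 parser) and pass `socket.gethostbyaddr` wrapped to return `None` on failure as the reverse lookup.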



Router configuration


! Definition of the RADIUS config: when EAP is defined, the router simply proxies the request to a RADIUS server

! Working RADIUS servers: Cisco ACS [EAP-MD5], Cisco ISE [EAP-MSCHAP-V2, EAP-MD5, EAP-GTC], Microsoft RADIUS [EAP-MSCHAP-V2], Linux FreeRADIUS [EAP-MD5/EAP-GTC/EAP-MSCHAP-V2]

aaa new-model



aaa group server radius freeradius

server-private auth-port 1812 acct-port 1813 key cisco123


aaa authentication login win7 group freeradius

aaa accounting network default start-stop group freeradius


!Definition of the local certificate trustpoint.

!Here I'm using enrollment terminal since I want to select the Web Server template from the Microsoft Win2008 CA. SCEP gives access to the IKE Intermediate template, which is not suitable.


crypto pki trustpoint anyconnect

enrollment terminal


revocation-check none

rsakeypair flexanyconnect 2048



crypto pki certificate chain anyconnect

certificate 18180951000000000A8D

certificate ca 77E790F86C3BAD9647633D8428015203



! Integrity SHA-1 is required by anyconnect to properly select the right PRF

crypto ikev2 proposal myprop

encryption aes-cbc-256

integrity sha1

group 5


crypto ikev2 policy mypol

match fvrf any

proposal myprop



!IKEv2 profile definition matching the IKE identity defined on the client

crypto ikev2 profile default

match identity remote key-id anyconnect_remote_access

match identity remote key-id

identity local dn

authentication remote eap query-identity

authentication local rsa-sig

pki trustpoint anyconnect

dpd 60 2 on-demand

aaa authentication eap win7

aaa authorization user eap cached

aaa accounting eap default

virtual-template 1

! Authentication local is rsa-sig / remote is EAP - we need to query the remote identity.

! The PKI trustpoint needs to be anchored as a security measure; without it we can't select our certificate.

! Accounting is important if the RADIUS server provides the pool IP address.

! "authorization user eap cached" loads the attributes received from the RADIUS server during the EAP authentication [e.g. IP, IKE routing, ...]

crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

mode tunnel


crypto ipsec profile default

set ikev2-profile default






! Virtual template loopback unnumbered address

interface Loopback0

description VT source interface

ip address


interface Ethernet0/0

description LAN

ip address


interface Ethernet0/1

description WAN

ip address


!The virtual template does not need a tunnel source [not required]

! ip unnumbered to the loopback is required

! Tunnel mode ipsec ipv4 is needed for AnyConnect

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile default


ip local pool mypool


ip route name route_to_internet


access-list 99 permit any


Radius config


In this example radius is provided on a Linux PC running freeradius.


cisco   Cleartext-Password := "cisco"

        Framed-IP-Address =,

        Service-Type = Framed-User,

        Service-Type = Login,

        Cisco-AVPair +="ipsec:route-set-interface=1"


Radius is providing:

  • an IP address for the client; alternatively you could set up Cisco-AVPair += "ipsec:addr-pool=<an_ip_pool_defined_on_the_router>"
  • route-set-interface=1 injects the spoke tunnel IP into the routing table so that it is reachable via the virtual-access interface [mandatory]
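To make the RADIUS side concrete, here is an added example (not code from the post or from FreeRADIUS) that parses an entry in the FreeRADIUS `users` file syntax shown above and derives the per-session parameters the router applies from the reply attributes: Framed-IP-Address or `ipsec:addr-pool` for the client address, `ipsec:route-set-interface=1` for the host route, and the `ipsec:route-set=prefix` split-tunnel attribute mentioned in the replies further down. The sample entry is constructed; the IP address, the `prefix <network/len>` argument form of `route-set` and the single-line-per-item layout are assumptions of this example.

```python
"""Parse a FreeRADIUS 'users' entry and interpret the Cisco-AVPair ipsec:* reply
attributes the way the post describes the FlexVPN router using them.
Added example; the users-file text below is constructed, not the post's own."""
import ipaddress
import re

# Constructed sample in the users-file syntax from the post, with an example
# Framed-IP-Address and an assumed split-tunnel prefix attribute filled in.
USERS_FILE = '''\
cisco   Cleartext-Password := "cisco"
        Framed-IP-Address = 10.10.10.5,
        Service-Type = Framed-User,
        Cisco-AVPair += "ipsec:route-set-interface=1",
        Cisco-AVPair += "ipsec:route-set=prefix 10.0.0.0/8"
'''

# attribute, operator, then either a quoted string or a bare value up to the next comma
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|\+=|==|=)\s*("([^"]*)"|[^,]+)')


def parse_users(text):
    """Return {username: {"check": [(attr, op, value)], "reply": [(attr, op, value)]}}.

    An entry starts at column 0 with the username followed by the check items;
    indented continuation lines hold the reply items, comma-separated, the last
    one without a trailing comma.
    """
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                  # new entry: "user  check, check"
            user, _, body = line.partition(" ")
            current = entries.setdefault(user, {"check": [], "reply": []})
            bucket = current["check"]
        else:                                      # continuation: reply items
            body = line
            bucket = current["reply"]
        for m in ITEM_RE.finditer(body):
            attr, op, raw, quoted = m.groups()
            bucket.append((attr, op, quoted if quoted is not None else raw.strip()))
    return entries


def ipsec_policy(reply_items):
    """Derive what the router would apply to the session from the reply attributes:
    client address (Framed-IP-Address) or pool name (ipsec:addr-pool), whether the
    tunnel IP is injected as a route (ipsec:route-set-interface=1) and any
    split-tunnel prefixes (ipsec:route-set=prefix <net>)."""
    policy = {"address": None, "pool": None, "route_set_interface": False, "split_prefixes": []}
    for attr, _op, val in reply_items:
        if attr == "Framed-IP-Address":
            policy["address"] = str(ipaddress.ip_address(val))   # rejects malformed values
        elif attr == "Cisco-AVPair" and val.startswith("ipsec:"):
            key, _, arg = val[len("ipsec:"):].partition("=")
            if key == "route-set-interface":
                policy["route_set_interface"] = (arg == "1")
            elif key == "addr-pool":
                policy["pool"] = arg
            elif key == "route-set" and arg.startswith("prefix "):
                net = ipaddress.ip_network(arg.split(None, 1)[1], strict=True)
                policy["split_prefixes"].append(str(net))
    return policy


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    for name, entry in users.items():
        print(name, "->", ipsec_policy(entry["reply"]))
```

With no `route-set=prefix` attribute the result has an empty `split_prefixes` list, which corresponds to the full-tunnel behaviour of the configuration in the post; `strict=True` makes a prefix with host bits set (for example `10.1.2.3/8`) raise instead of silently being accepted.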


Smartphone config



Upgrade or install Anyconnect from your vendor store.
The configuration is really simple. It's just a matter of a few fields to fill in.


Install Root CA


First of all, you have to install the CA certificate in your trusted profile. The easiest way is to access that CA certificate via HTTP.




When we download the CA cert, we are prompted to enter the PIN and the CA certificate is installed on the smart device.



Launch app and select "Add VPN connection"




Enter router destination address


Very easy operation: either add the IP or the DNS name you will connect to.


Remember, if it's an IP, then you need a SAN field in your router certificate that matches the DNS reverse resolution the client will do when connecting.


If it's a valid DNS name, then it needs to match the CN of the router certificate, or at least the SAN field of the same certificate.


Self-signed certs do NOT work.






Select "Advanced" and configure the ikev2 parameters


Turn on "Connect with IPSEC"




Modify Authentication from "EAP-AnyConnect" [which is ASA specific] to EAP-MD5 / GTC / MSCHAP-V2, depending on the RADIUS infrastructure you have in house. Here in my example, I will use EAP-MD5.




Define the IKEv2 identity in order to select the right IKEv2 profile on the router




In our case it's ""


Store the connection by selecting "save"






During the negotiation, AnyConnect will prompt for user and password.

That user will be checked against the RADIUS server using the EAP framework.

At this stage, the router is forwarding the requests back and forth between AnyConnect and the RADIUS server.





As soon as the ACCESS-ACCEPT has been received by the router [from the RADIUS server], the router will parse the attributes and provide the required IP / IKE routing / other parameters both to the client and to the virtual-access interface that has been created on the router.








FlexVPN is a modular VPN that simplifies design and deployment.


This is the next generation solution.


If you have any questions, please feel free to comment.


Olivier Pelerin

CCIE Security #20306

TAC Escalation VPN - Brussels


Great post
can you btw tell me how to get EAP-GTC to work in ACS ?

And do you know if I can integrate ACS with LDAP identity store if I use EAP-GTC as an authentication mechanism ?

again great post and thanks a lot

Cisco Employee

Thanks for your feedback.

My bad. EAP-GTC is not implemented as RADIUS Phase I, just as an inner method. I will update the document.

It seems ISE supports more protocols [ table-5-1]





Np at all .. I was hoping that I missed something
I have also tried to get EAP-GTC working with ISE but without any luck so I am beginning to suspect that EAP-GTC is only supported as an inner method in ISE



Cisco Employee

Could be - I never used ISE so far.

Community Member

thanks for doing this great post

just have a small question: how can we enable split tunnel in this scenario?

best regards


Cisco Employee

Hello Bebo,

Thanks for your comments.

FlexVPN / AnyConnect supports split-tunneling.

If your policy is on the radius, then you would add the following setting

Cisco-AVPair += "ipsec:route-set=prefix"

[ Assuming you want to tunnel ONLY traffic to 10/8 ]

If your policy is local, then you would add the following attribute under your local authorization policy

route set access-list <..>

The ACL as well will contain the destination networks you want to reach from the client.




Great post Olivier,

I have a question... Do you need any license in the headend? I have a router ASR1000 and I would implement this solution.

Thanks in advance,



Cisco Employee


The only platforms where licensing is required (ASR1001 or ASR1002-X) just requires the 'normal' ipsec license.



It's working ! Thanks a lot
