All resources are in the same 10.1.10.0/24 network, LAN and VPN. I tested by 1) trying to ping from the phone by IP and 2) pinging the phone IP from the router. See attached images and the output below. I changed our real domain to domain.com. Pinging the assigned phone IP from the router succeeds but fails from any other connected device, e.g., my desktop. The same is true for the phone not reaching anything in the 10.1.10.0/24 network. Also, not sure if this may help, I attached the test user as configured in FreeRadius.

--- FreeRadius users entry for TEST user ---
Service-Type = Framed-User,
Service-Type = Login,
Cisco-AVPair +="ipsec:addr-pool=FlexVPN_POOL",
Cisco-AVPair +="ipsec:route-set-interface=1"
---

router1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 184.108.40.206/4500 10.1.10.110/52074 none/none READY
 Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: EAP
 Life/Active Time: 86400/66 sec
 CE id: 2082, Session-id: 16
 Status Description: Negotiation done
 Local spi: 5EC9C186087014E4 Remote spi: D62A76DB900E940D
 Local id: ipaddress=220.127.116.11+hostname=vpn.domain.com,cn=vpn.domain.com,ou=TAC
 Remote id: TESTID
 Remote EAP id: TEST
 Local req msg id: 0 Remote req msg id: 7
 Local next msg id: 0 Remote next msg id: 7
 Local req queued: 0 Remote req queued: 7
 Local window: 5 Remote window: 1
 DPD configured for 60 seconds, retry 2
 Fragmentation not configured.
 Extended Authentication configured.
 NAT-T is detected outside
 Cisco Trust Security SGT is disabled
 Assigned host addr: 10.1.10.214
 Initiator of SA : No

IPv6 Crypto IKEv2 SA
---
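One check I would run against the config posted further down in this thread (an added script of my own, not anything from the thread or from Cisco): with `route set interface` the router installs a host route for the assigned client address via the virtual-access interface, while hosts on 10.1.10.0/24 treat an address like 10.1.10.214 as on-link and ARP for it, so a pool carved out of the LAN subnet only reaches LAN peers if the router answers ARP for the client on that interface (proxy-ARP). The script parses the `ip local pool` and interface lines from a constructed excerpt modelled on the posted config and reports each pool that lies inside a connected subnet together with that interface's proxy-ARP state.

```python
import ipaddress
import re

# Constructed config excerpt modelled on the lines posted in the thread
# (sample input for this check, not the full running-config).
RUNNING_CONFIG = """
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
interface Vlan2
 ip address 10.1.10.1 255.255.255.0
 no ip proxy-arp
ip local pool FlexVPN_POOL 10.1.10.200 10.1.10.249
"""

def parse_pools(cfg):
    """Map pool name -> (first, last) address from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                            ipaddress.ip_address(m.group(3)))
    return pools

def parse_interfaces(cfg):
    """Map interface name -> {'net': connected subnet or None, 'proxy_arp': bool}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:  # IOS answers proxy-ARP by default; 'no ip proxy-arp' turns it off
            cur = ifaces.setdefault(m.group(1), {"net": None, "proxy_arp": True})
            continue
        m = re.match(r"^\s*ip address (\S+) (\S+)$", line)
        if cur is not None and m:
            cur["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif cur is not None and line.strip() == "no ip proxy-arp":
            cur["proxy_arp"] = False
    return ifaces

def pool_overlap_findings(cfg):
    """Return (pool, interface, proxy_arp_enabled) for each pool that sits inside a
    connected subnet; False means LAN hosts ARP for client addresses nobody answers."""
    findings = []
    ifaces = parse_interfaces(cfg)
    for pool, (lo, hi) in parse_pools(cfg).items():
        for name, data in ifaces.items():
            if data["net"] and lo in data["net"] and hi in data["net"]:
                findings.append((pool, name, data["proxy_arp"]))
    return findings
```

Run it with `print(pool_overlap_findings(RUNNING_CONFIG))`; a finding with the flag `False` is the case to look at first, the alternative being a pool outside the LAN subnet that the LAN reaches through the router as its gateway.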
I am extremely new to IOS routing. Below is the config I do have. Hope that helps to identify what I am missing. I left out the working FlexVPN configs.

---
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet8
 ip address 18.104.22.168 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 media-type sfp
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FlexVPN_IPsec_PROFILE
!
interface Vlan2
 ip address 10.1.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
encapsulation slip
!
ip local pool FlexVPN_POOL 10.1.10.200 10.1.10.249
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 22.214.171.124
!
ip access-list standard NAT
 permit 10.1.10.0 0.0.0.255
Ok, I successfully set up a FreeRadius server and followed yet another setup @ https://community.cisco.com/t5/security-documents/flexvpn-ikev2-eap-secure-connection-between-iphone-ipad-and-a/ta-p/3136285. With additional modifications I finally was able to log in to the VPN without even upgrading IOS. The last thing I am stuck on now is being able to access internal resources. Basically, the AnyConnect stats show that I can send packets but not receive any. Could this be a route issue on the headend?
The router is already set up as a CA and this seems to function properly. Unfortunately, I have to set up a service contract first with a Cisco partner before upgrading IOS, which won't happen right away. In the meantime I set up FreeRadius to verify the initial 'version 15.3 may not support VPN aaa local' theory. Now I am getting other errors that I am working through, and from what it looks like the MD5 challenge fails: "Failed to receive the AUTH msg before the timer expired".
IOS version 15.3 on a 891F router. The phone does have the cert in place after which I was able to see the sign in dialog for username/password. Funny, the config you are pointing to is the one I started out with but due to cert issues ended up with the one I pasted. I will revisit and see if I can make it work. Please note that the cert I am using is not verified as it's been generated solely on the router. Once I can confirm a functional solution my plan is to purchase client AnyConnect licenses and get a real cert. Shall I upgrade the IOS version? Thanks!
I set up FlexVPN with help of https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html. But instead of using a RADIUS server I want to use local users. Below is an excerpt from my AAA and FlexVPN setup followed by the error message I am getting when testing through the iPhone AnyConnect client. The TEST user verifies on the command line just fine. Any help much appreciated.

router1#show run aaa
!
aaa authentication login default local
aaa authentication login USER local
aaa authorization exec default local
aaa authorization network GROUP local
username TEST privilege 15 password 0 test
!
aaa attribute list FlexVPN_ATTRIBUTE_LIST
 attribute type interface-config "ip mtu 1100"
 attribute type interface-config "tunnel key 10"
!
aaa new-model
aaa session-id common

crypto ikev2 authorization policy FlexVPN_LOCAL_POLICY
 pool FlexVPN_POOL
 dns 126.96.36.199
 netmask 255.255.255.0
 def-domain beamtechnology.com
 aaa attribute list FlexVPN_ATTRIBUTE_LIST
 route set interface
!
crypto ikev2 proposal FlexVPN_PROPOSAL
 encryption 3des
 integrity sha1
 group 2
!
crypto ikev2 policy FlexVPN_IKEv2_POLICY
 match address local 188.8.131.52
 proposal FlexVPN_PROPOSAL
!
!
crypto ikev2 profile FlexVPN_IKEv2_PROFILE
 match identity remote address 0.0.0.0
 match identity remote key-id SECRET
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint FlexVPN_TP
 aaa authentication eap USER
 aaa authorization group eap list GROUP FlexVPN_LOCAL_POLICY
 virtual-template 1
!
no crypto ikev2 http-url cert
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
!
!
crypto ipsec transform-set FlexVPN_TRANSFORM esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile FlexVPN_IPsec_PROFILE
 set transform-set FlexVPN_TRANSFORM
 set ikev2-profile FlexVPN_IKEv2_PROFILE
---

*Dec 5 02:54:55.304: AAA/BIND(0000511A): Bind i/f
*Dec 5 02:54:55.304: IKEv2:Use authen method list USER
*Dec 5 02:54:55.304: AAA/AUTHEN/LOGIN (0000511A): Pick method list 'USER'
*Dec 5 02:54:55.304: IKEv2:pre-AAA: client sent TEST as EAP-Id response
*Dec 5 02:54:55.304: IKEv2:sending TEST [EAP-Id] as username to AAA
*Dec 5 02:54:55.304: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
*Dec 5 02:54:55.304: IKEv2:%Unsuccessful AAA response FAIL
*Dec 5 02:54:55.304: IKEv2:(SA ID = 1):[AAA -> IKEv2] Unsuccessful response received
*Dec 5 02:54:55.308: IKEv2:Received response from authenticator
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):: Extensible Authentication Protocol failed
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):SM Trace-> SA: I_SPI=DC166CB622FC43CC R_SPI=6F311212AB7AEE68 (R) MsgID = 2 CurState: R_PROC_EAP_RESP Event: EV_DELETE
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Action: Action_Null
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):SM Trace-> SA: I_SPI=DC166CB622FC43CC R_SPI=6F311212AB7AEE68 (R) MsgID = 2 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Verification of peer's authentication data FAILED
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Sending authentication failure notify
*Dec 5 02:54:55.308: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Building packet for encryption.
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
 Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
---
Thanks a bunch for the pointer to FlexVPN and IPSEC IKEv2 option. From everything I have read now it appears the only way to connect properly from Mac is to use AnyConnect client. I also came across the following helpful presentation that seems to confirm
In addition, I just obtained a demo license for our router and will go ahead trying to set up a remote VPN. I will come back to this thread in case I succeed or have more questions. In the meantime, any help in router configuration is much appreciated.
We recently purchased an 891F router for our new fiber connection. This was a recommendation from our fiber provider. Never having dealt with Cisco IOS before, we eventually were able to manage the setup via CLI and are very happy about the performance. Now we would like to leverage its VPN capabilities but ran into several issues.
It's unclear whether we
1. ... need any license for providing access to remote employees working on Mac and Windows desktops?
2. ... which client to use, AnyConnect or native OS? SSL or IPSEC?
3. ... do we need to activate any license on 891F server? (Our version is 15.3)
4. ... how many remote users are supported? There appears to be differing info on the web, ranging from 10 to 50, all the way up to 100.
5. ... what is the right configuration? I read easyvpn for site-to-site but then some folks appear to use this with EOL EasyVPN client for remote access.
It would be great if someone could help me understand what is needed and where to obtain any potential licenses needed.
Thanks in advance,