Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3878
Views
0
Helpful
6
Replies

AnyConnect IpSec IKEv2 Cisco 4331 - how to?

Konstantin Raven
Level 1
Level 1

‎07-23-2018 11:31 PM

Hi, I`m a newbie in Cisco at all. And I have a task to complete. I have to set up a Headend on 4331ISR as a part of an IPSec tunnel with AnyConnect clients.

 

I`ve already checked out this document and read through the forum. But still cannot find a full tutorial from the beginning to end - how to get my job done. I mean I`ve created an ACL, ikev2 proposal and transformation set, crypto map and 'attached' it to both my int and ext interfaces.

Then I connect to my cisco 4331 from anyconnect client and get 'Connection attempt has failed' error. I`ve turned on debug but can`t see any output at all during the connection attempts. What am I missing?

I see some tutorials here on 'ASA+AnyConnect IPSec' topic but I`m not sure ISR and ASA are the same beast.

Can anybody give me any help on the issue?

2 people had this problem
Labels:
0 Helpful
6 Replies 6

Mikael Gustafsson
Level 5
Level 5

‎07-24-2018 12:18 AM

Hi,

 

Have you looked at Cisco Live Online library? (Its a free registration)

 

There are several FlexVPN sessions there fex BRKSEC-3054 - FlexVPN Remote Access, IoT and Site to Site VPN design

 

And others with good info in as well, just search for FlexVPN

 

 

Cheers

0 Helpful

Rob Ingram
VIP
VIP

‎07-24-2018 01:28 AM

Hi,

Checkout this link, this blogpost describes how to setup a FlexVPN Remote Access VPN on an ISR/CSR router. The link you provided was for an ASA which won't help to configure a ISR router.

 

The Cisco Live link already provided is also definately a good source of information.

 

HTH

0 Helpful

Konstantin Raven
Level 1
Level 1
In response to Rob Ingram

‎07-24-2018 01:47 AM

Thanks, guys!

I`ve just got through your links (CiscoLive and the blog post).

Is there any chance to setup vpn remote access for AnyConnect clients without FlexVPN? It looks like it`s just a useful tool and there are options but I can`t finad any tutorials for AnyConnect that don`t use FlexVPN on the headend.

 

And how can I be sure that my ISR 4331 supports FlexVPN?

 

and I`m sorry - a newbie question - how can I 'translate' a config lines from the blog post to actual commands?

0 Helpful

Rob Ingram
VIP
VIP
In response to Konstantin Raven

‎07-24-2018 01:51 AM

Hi,
If you are configuring IKEv2 on an ISR router then you are configuring FlexVPN, that is just the name of the solution.

 

What license do you have on the ISR router? You will need a Security license, as per ISR datasheet.

 

HTH

0 Helpful

Konstantin Raven
Level 1
Level 1
In response to Rob Ingram

‎07-24-2018 01:57 AM

I see at least securityk9 license type there
0 Helpful

mdussana
Level 1
Level 1

‎07-24-2018 06:36 AM

You may refer to the following to guides:

 

- https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

- http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html

 

One important step is to configure the client to use IPSec instead of TLS, since by default it will try to establish the tunnel over TLS.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents