IKEv2 AAA authentication fails with AnyConnect and local user with FlexVPN configured

Vifilio
Level 1

I set up FlexVPN with the help of https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html. But instead of using a RADIUS server I want to use local users. Below is an excerpt from my AAA and FlexVPN setup, followed by the error message I am getting when testing through the iPhone AnyConnect client. The TEST user verifies on the command line just fine.

Any help much appreciated.

router1#show run aaa
!
aaa authentication login default local
aaa authentication login USER local
aaa authorization exec default local
aaa authorization network GROUP local
username TEST privilege 15 password 0 test
!
aaa attribute list FlexVPN_ATTRIBUTE_LIST
 attribute type interface-config "ip mtu 1100"
 attribute type interface-config "tunnel key 10"
!
aaa new-model
aaa session-id common

crypto ikev2 authorization policy FlexVPN_LOCAL_POLICY
 pool FlexVPN_POOL
 dns 4.2.2.2
 netmask 255.255.255.0
 def-domain beamtechnology.com
 aaa attribute list FlexVPN_ATTRIBUTE_LIST
 route set interface
!
crypto ikev2 proposal FlexVPN_PROPOSAL
 encryption 3des
 integrity sha1
 group 2
!
crypto ikev2 policy FlexVPN_IKEv2_POLICY
 match address local 38.88.174.100
 proposal FlexVPN_PROPOSAL
!
!
crypto ikev2 profile FlexVPN_IKEv2_PROFILE
 match identity remote address 0.0.0.0
 match identity remote key-id SECRET
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint FlexVPN_TP
 aaa authentication eap USER
 aaa authorization group eap list GROUP FlexVPN_LOCAL_POLICY
 virtual-template 1
!
no crypto ikev2 http-url cert
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip scp server enable
!
!
!
crypto ipsec transform-set FlexVPN_TRANSFORM esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile FlexVPN_IPsec_PROFILE
 set transform-set FlexVPN_TRANSFORM
 set ikev2-profile FlexVPN_IKEv2_PROFILE

---

*Dec 5 02:54:55.304: AAA/BIND(0000511A): Bind i/f
*Dec 5 02:54:55.304: IKEv2:Use authen method list USER

*Dec 5 02:54:55.304: AAA/AUTHEN/LOGIN (0000511A): Pick method list 'USER'
*Dec 5 02:54:55.304: IKEv2:pre-AAA: client sent TEST as EAP-Id response
*Dec 5 02:54:55.304: IKEv2:sending TEST [EAP-Id] as username to AAA
*Dec 5 02:54:55.304: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
*Dec 5 02:54:55.304: IKEv2:%Unsuccessful AAA response FAIL

*Dec 5 02:54:55.304: IKEv2:(SA ID = 1):[AAA -> IKEv2] Unsuccessful response received
*Dec 5 02:54:55.308: IKEv2:Received response from authenticator
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):: Extensible Authentication Protocol failed
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):SM Trace-> SA: I_SPI=DC166CB622FC43CC R_SPI=6F311212AB7AEE68 (R) MsgID = 2 CurState: R_PROC_EAP_RESP Event: EV_DELETE
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Action: Action_Null
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):SM Trace-> SA: I_SPI=DC166CB622FC43CC R_SPI=6F311212AB7AEE68 (R) MsgID = 2 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Verification of peer's authentication data FAILED
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Sending authentication failure notify
*Dec 5 02:54:55.308: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
*Dec 5 02:54:55.308: IKEv2:(SESSION ID = 84,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

---

14 Replies

Hi,

What IOS version is your router running? On older IOS versions authentication using the local database was unsupported; however, it works on newer IOS versions.

Does the iPhone have the certificate in use by the router?

This FlexVPN example might be more appropriate than the one you provided.

HTH

IOS version 15.3 on an 891F router. The phone does have the cert in place, after which I was able to see the sign-in dialog for username/password. Funny, the config you are pointing to is the one I started out with, but due to cert issues I ended up with the one I pasted. I will revisit and see if I can make it work. Please note that the cert I am using is not verified as it's been generated solely on the router. Once I can confirm a functional solution my plan is to purchase client AnyConnect licenses and get a real cert.

Shall I upgrade the IOS version?

Thanks!

The document suggests IOS release 15.5(2)T or later.
Set up the router as CA and use that to sign the router's certificate. Export the CA Root Certificate and import that into the iPhone.

HTH

The router is already set up as a CA and this seems to function properly. Unfortunately, I have to set up a service contract first with a Cisco partner before upgrading IOS, which won't happen right away. In the meantime I set up FreeRadius to verify the initial 'version 15.3 may not support VPN aaa local' theory. Now I am getting other errors that I am working through, and from what it looks like the MD5 challenge fails: "Failed to receive the AUTH msg before the timer expired".

Actually, there was a misconfiguration on my part. The issue I am seeing now is shown below in the router and FreeRadius output:

--- ROUTER ---

*Dec 6 02:46:44.394: IKEv2:Use authen method list USER

*Dec 6 02:46:44.394: AAA/AUTHEN/LOGIN (000063AE): Pick method list 'USER'
*Dec 6 02:46:44.394: IKEv2:sending TEST [EAP-Id] as username to AAA
*Dec 6 02:46:44.394: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
*Dec 6 02:46:45.182: AAA/AUTHEN/LOGIN (000063AD): Pick method list 'default'
*Dec 6 02:46:45.418: IKEv2:%Unsuccessful AAA response FAIL

*Dec 6 02:46:45.422: IKEv2:(SA ID = 1):[AAA -> IKEv2] Unsuccessful response received
*Dec 6 02:46:45.422: IKEv2:Received response from authenticator
*Dec 6 02:46:45.422: IKEv2:(SESSION ID = 114,SA ID = 1):: Extensible Authentication Protocol failed
*Dec 6 02:46:45.422: IKEv2:(SESSION ID = 114,SA ID = 1):SM Trace-> SA: I_SPI=6A9E97D254CBB37E R_SPI=460821D2E3F332D3 (R) MsgID = 3 CurState: R_PROC_EAP_RESP Event: EV_RECV_EAP_FAIL
*Dec 6 02:46:45.422: IKEv2:(SESSION ID = 114,SA ID = 1):Sending EAP status message

--- FreeRadius ---

(22) Received Access-Request Id 50 from 38.88.174.100:1645 to 10.10.191.184:1812 length 135
(22) Service-Type = Login-User
(22) Cisco-AVPair = "service-type=Login"
(22) Calling-Station-Id = "10.1.10.65"
(22) User-Name = "TEST"
(22) EAP-Message = 0x023c0016041082640374eb55332f88e6f89c6b692b2c
(22) Message-Authenticator = 0xc18cb20962b312c7184603cb2401815d
(22) State = 0xe44cdc41e470d83d802dbe7aaae367d0
(22) NAS-IP-Address = 38.88.174.100
(22) session-state: No cached attributes
(22) # Executing section authorize from file /etc/raddb/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) [chap] = noop
(22) [mschap] = noop
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "TEST", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 60 length 22
(22) eap: No EAP Start, assuming it's an on-going EAP conversation
(22) [eap] = updated
(22) files: users: Matched entry bob at line 87
(22) [files] = ok
(22) [expiration] = noop
(22) [logintime] = noop
(22) pap: WARNING: Auth-Type already set. Not setting to PAP
(22) [pap] = noop
(22) } # authorize = updated
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) authenticate {
(22) eap: Expiring EAP session with state 0xe44cdc41e470d83d
(22) eap: Finished EAP session with state 0xe44cdc41e470d83d
(22) eap: Previous EAP request found for state 0xe44cdc41e470d83d, released from the list
(22) eap: Peer sent packet with method EAP MD5 (4)
(22) eap: Calling submodule eap_md5 to process data
(22) eap: Sending EAP Failure (code 4) ID 60 length 4
(22) eap: Freeing handler
(22) [eap] = reject
(22) } # authenticate = reject
(22) Failed to authenticate the user
(22) Using Post-Auth-Type Reject
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Post-Auth-Type REJECT {
(22) attr_filter.access_reject: EXPAND %{User-Name}
(22) attr_filter.access_reject: --> TEST
(22) attr_filter.access_reject: Matched entry DEFAULT at line 11
(22) [attr_filter.access_reject] = updated
(22) [eap] = noop
(22) policy remove_reply_message_if_eap {
(22) if (&reply:EAP-Message && &reply:Reply-Message) {
(22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(22) else {
(22) [noop] = noop
(22) } # else = noop
(22) } # policy remove_reply_message_if_eap = noop
(22) } # Post-Auth-Type REJECT = updated
(22) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(22) Sending delayed response
(22) Sent Access-Reject Id 50 from 10.10.191.184:1812 to 38.88.174.100:1645 length 44
(22) EAP-Message = 0x043c0004
(22) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
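To make the FreeRadius lines above concrete, here is an added example (not code from this thread, from FreeRADIUS or from Cisco) that decodes the two EAP-Message values printed in that debug: the client's Response carrying an MD5-Challenge value, and the server's four-byte Failure. It parses the RFC 3748 header (Code, Identifier, Length), the Type byte of a Request/Response and the Value-Size/Value layout of Type 4, and then shows how an EAP-MD5 response is computed and checked: MD5 over Identifier || secret || challenge, as in PPP CHAP (RFC 1994). The two hex strings are copied from the posted log; the challenge bytes and the password used in the verification demo are constructed here.

```python
"""Decode EAP-Message values as FreeRADIUS prints them and check an EAP-MD5 response.

Added example, not part of the thread. Layout per RFC 3748 (EAP) and, for the
MD5-Challenge value computation, RFC 1994 (CHAP with MD5).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}
EAP_MD5 = 4

# Values copied verbatim from the FreeRADIUS output in the post above
EAP_RESPONSE_HEX = "0x023c0016041082640374eb55332f88e6f89c6b692b2c"
EAP_FAILURE_HEX = "0x043c0004"


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int] = None     # only present in Request/Response
    md5_value: Optional[bytes] = None  # only present for MD5-Challenge

    def describe(self) -> str:
        """One-line summary in the style of FreeRADIUS' own log message."""
        text = f"EAP {EAP_CODES.get(self.code, '?')} (code {self.code}) ID {self.identifier} length {self.length}"
        if self.eap_type is not None:
            text += f", method {EAP_TYPES.get(self.eap_type, 'unknown')} ({self.eap_type})"
        return text


def parse_eap(hexstr: str) -> EapPacket:
    """Parse one EAP packet given as the 0x... hex string FreeRADIUS prints."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, identifier = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        # RFC 3748: Length covers the whole packet; a mismatch means truncation or padding
        raise ValueError(f"Length field {length} does not match {len(data)} bytes received")
    pkt = EapPacket(code, identifier, length)
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        pkt.eap_type = data[4]
        if pkt.eap_type == EAP_MD5:
            if length < 6:
                raise ValueError("MD5-Challenge needs a Value-Size byte")
            value_size = data[5]
            value = data[6:6 + value_size]
            if len(value) != value_size:
                raise ValueError("MD5-Challenge Value shorter than Value-Size")
            pkt.md5_value = value
    return pkt


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """What the peer puts in the Value field: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_md5_response(response: EapPacket, password: bytes, challenge: bytes) -> bool:
    """Server-side check of a Response. It needs the cleartext password, which is
    why EAP-MD5 cannot be verified against a one-way hashed credential store."""
    if response.code != 2 or response.eap_type != EAP_MD5 or response.md5_value is None:
        return False
    expected = md5_challenge_response(response.identifier, password, challenge)
    return hmac.compare_digest(expected, response.md5_value)


if __name__ == "__main__":
    for hexstr in (EAP_RESPONSE_HEX, EAP_FAILURE_HEX):
        print(parse_eap(hexstr).describe())
    # Constructed demo: a 16-byte challenge and the password "test"
    challenge = bytes(range(16))
    pkt = EapPacket(2, 60, 22, EAP_MD5, md5_challenge_response(60, b"test", challenge))
    print(verify_md5_response(pkt, b"test", challenge), verify_md5_response(pkt, b"wrong", challenge))
```

Running it reproduces the log's "EAP Response (code 2) ID 60 length 22" with method 4 for the first value and "EAP Failure (code 4) ID 60 length 4" for the second. The verification half shows the operational consequence of choosing EAP-MD5: the server must hold the password in cleartext (or reversibly) to recompute the digest, and the method authenticates only the client, so the IKEv2 rsa-sig on the router side is what protects the client against a rogue head-end.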

Ok, I successfully set up a FreeRadius server and followed yet another setup @ https://community.cisco.com/t5/security-documents/flexvpn-ikev2-eap-secure-connection-between-iphone-ipad-and-a/ta-p/3136285. With additional modifications I was finally able to log in to the VPN without even upgrading IOS. The last thing I am stuck on now is being able to access internal resources. Basically, the AnyConnect stats show that I can send packets but not receive any. Could this be a route issue on the headend?

Upgrading the IOS was only if you are doing local EAP on the router, as it was only available in newer versions of IOS. It doesn't apply if you are using FreeRadius.

Does the backend have a route to the VPN Pool IP address range? ...as in a route pointing to the FlexVPN Hub
Are you pushing down the routes to tunnel through the VPN from the RADIUS server?


I am extremely new to IOS routing. Below is the config I do have. Hope that helps to identify what I am missing. I left out the working FlexVPN configs.

---

interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet8
 ip address 38.88.174.10 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 media-type sfp
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FlexVPN_IPsec_PROFILE
!
interface Vlan2
 ip address 10.1.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
encapsulation slip
!
ip local pool FlexVPN_POOL 10.1.10.200 10.1.10.249
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 38.88.174.9
!
ip access-list standard NAT
 permit 10.1.10.0 0.0.0.255

Are the internal resources in the same network as the vlan 2 interface (10.1.10.0/24)?
How are you testing? Are you pinging a DNS name or an IP address?

Please provide the output of the following:

- "show crypto ikev2 sa detailed"
- a screenshot of the AnyConnect VPN Route Details tab

All resources are in the same 10.1.10.0/24 network, LAN and VPN. I tested by 1) trying to ping from the phone by IP and 2) pinging the phone IP from the router. See the attached images and the output below. I changed our real domain to domain.com. Pinging the assigned phone IP from the router succeeds but fails from any other connected device, e.g., my desktop. The same is true for the phone not reaching anything in the 10.1.10.0/24 network. Also, not sure if this may help, I attached the test user as configured in FreeRadius.

--- FreeRadius users entry for TEST user ---

Service-Type = Framed-User,
Service-Type = Login,
Cisco-AVPair +="ipsec:addr-pool=FlexVPN_POOL",
Cisco-AVPair +="ipsec:route-set-interface=1"

---

router1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 38.88.174.10/4500 10.1.10.110/52074 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: EAP
Life/Active Time: 86400/66 sec
CE id: 2082, Session-id: 16
Status Description: Negotiation done
Local spi: 5EC9C186087014E4 Remote spi: D62A76DB900E940D
Local id: ipaddress=38.88.174.10+hostname=vpn.domain.com,cn=vpn.domain.com,ou=TAC
Remote id: TESTID
Remote EAP id: TEST
Local req msg id: 0 Remote req msg id: 7
Local next msg id: 0 Remote next msg id: 7
Local req queued: 0 Remote req queued: 7
Local window: 5 Remote window: 1
DPD configured for 60 seconds, retry 2
Fragmentation not configured.
Extended Authentication configured.
NAT-T is detected outside
Cisco Trust Security SGT is disabled
Assigned host addr: 10.1.10.214
Initiator of SA : No

IPv6 Crypto IKEv2 SA

---

Just wondering if the additional information I was asked for will help to sort out what I am missing?

Thanks

Hi Vifilio,

Your inside hosts will never send their packets to the default gateway (the router in this case) trying to reach a VPN client, as they are in the same IP range 10.1.10.0/24. You should separate the IP ranges for the LAN on Vlan2 and the FlexVPN pool to make the hosts and the VPN client communicate.

The reason why your router is able to reach the VPN client is the specific route in the routing table while the VPN client is connected.

Hope this helps. Let me know.
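The overlap described in the reply above is easy to miss in a long running-config, so here is an added example (not part of the thread and not Cisco code) that checks it mechanically: it parses the `ip local pool` lines and every interface's static `ip address` line from a config excerpt and reports each pool whose range intersects a directly connected subnet. The sample config is built from the lines posted earlier in this thread; the replacement range 10.1.20.200-10.1.20.249 used in the demo is a constructed, unused subnet and only illustrates the fix.

```python
"""Flag a FlexVPN address pool that sits inside a connected LAN subnet.

Added example, not part of the thread. When the pool is carved out of the
LAN's own /24, LAN hosts treat a VPN client as on-link and ARP for it instead
of sending the packet to the router, which is the only device holding the
client's /32 route (installed by 'route set interface').
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed from the configuration posted in this thread (abridged)
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet8
 ip address 38.88.174.10 255.255.255.248
 ip nat outside
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
!
interface Vlan2
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
!
ip local pool FlexVPN_POOL 10.1.10.200 10.1.10.249
ip route 0.0.0.0 0.0.0.0 38.88.174.9
"""

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
POOL_RE = re.compile(r"^\s*ip local pool (\S+) (\S+) (\S+)", re.MULTILINE)


def parse_pools(config: str) -> Dict[str, Pool]:
    """Map pool name -> (first, last) address for each 'ip local pool' line."""
    pools: Dict[str, Pool] = {}
    for name, first, last in POOL_RE.findall(config):
        pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return pools


def parse_connected_subnets(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map interface name -> connected network for every interface with a static
    'ip address A.B.C.D MASK' line (unnumbered and DHCP interfaces are skipped)."""
    subnets: Dict[str, ipaddress.IPv4Network] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":
            current = None
        elif current and line.startswith("ip address "):
            parts = line.split()
            if len(parts) == 4:  # 'ip address <addr> <mask>'; ipaddress accepts a dotted mask
                subnets[current] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}").network
    return subnets


def pool_overlaps(config: str) -> List[Tuple[str, str, str]]:
    """Return (pool, interface, network) for every pool that intersects a connected subnet."""
    hits = []
    subnets = parse_connected_subnets(config)
    for pool_name, (first, last) in parse_pools(config).items():
        for ifname, net in subnets.items():
            # Overlap if either end lies inside the subnet, or the range spans it entirely
            inside = first in net or last in net
            spans = first <= net.network_address and last >= net.broadcast_address
            if inside or spans:
                hits.append((pool_name, ifname, str(net)))
    return hits


def relocate_pool(config: str, pool_name: str, first: str, last: str) -> str:
    """Rewrite one 'ip local pool' line with a new range, e.g. a subnet used on no interface."""
    pattern = re.compile(rf"^(\s*ip local pool {re.escape(pool_name)}) \S+ \S+", re.MULTILINE)
    return pattern.sub(rf"\1 {first} {last}", config, count=1)


if __name__ == "__main__":
    for pool, ifname, net in pool_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps {ifname} ({net})")
    fixed = relocate_pool(SAMPLE_CONFIG, "FlexVPN_POOL", "10.1.20.200", "10.1.20.249")
    print("overlaps after relocation:", pool_overlaps(fixed))
```

On the posted config the check reports FlexVPN_POOL against Vlan2 (10.1.10.0/24); after moving the pool to a range that appears on no interface the list is empty. Once the pool is its own subnet, a LAN host sends traffic for a client to its default gateway, the router, which carries the per-client host route while the session is up; that is the behaviour the reply above describes for the router itself.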

That was very helpful and did the trick. Now I am able to ping from within the LAN and to the LAN. The last piece I need to sort out is how to route traffic to my WLAN when connected via VPN. I tried a few routes but wasn't successful.

Thanks so much for all your help to this point.

Alright, I finally managed to make it work by realizing that I had to bring the NAT configurations in. Case closed!

Thanks everyone!
