05-12-2021 06:06 AM
For some reason the router does not recognise the “AnyConnect-eap” command at all?
It’s a 2921 running IOS 15.2 and has securityk9 and base?
I can only use “eap query-identity”?
Does this only work on IOS-XE?
I’m in the process of setting up FlexVPN remote access.
05-12-2021 06:31 AM
Certainly on my ISR G2 (1921) running 15.7 that command is available. Therefore I imagine it's more than likely available on your ISR G2 2921, so you'll probably need to upgrade the IOS.
05-12-2021 07:55 AM - edited 05-12-2021 07:56 AM
Just double checked, it's 15.2 and it's definitely not there.
I tried to download 15.7 to upgrade; do I need a services account?
05-12-2021 08:08 AM
Yes, or get your Cisco partner to get it for you.
05-13-2021 12:30 PM
Upgraded to 15.7, all commands now available.
A quick question about the cryptography used in the profile of the tunnel policy (e.g. mine is aes-cbc 256 and uses sha256 for hash):
does the certificate crypto and hash have to be the same as the profile?
05-13-2021 12:46 PM
No, but the stronger the better
05-13-2021 12:57 PM
Getting a crypto mismatch error on the client-side AnyConnect when I attempt to connect,
using a self-signed RSA 256 certificate created in OpenSSL and converted to a pk12 file, uploaded to flash.
Will attempt to troubleshoot further tonight.
05-16-2021 04:08 AM
Hi, quick question please.
I obviously needed to port forward 4500 and 500 on my ISP router.
Do I also need an ACL on the outside interface of the Cisco router permitting those ports? Or is that not necessary?
Traffic is being blocked because it keeps retransmitting.
05-14-2021 06:03 AM - edited 05-14-2021 06:07 AM
I am now getting the exact same error msg on both AnyConnect mobile and the AnyConnect (ver 4.9) Windows client:
crypto ikev2 authorization policy ikev2-auth-policy
pool ACPOOL
dns 10.0.1.1
!
crypto ikev2 proposal IKEv2-prop1
encryption aes-cbc-256
integrity sha256
group 15
!
!
!
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint IKEv2-TP
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
!
!
!
!
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile AnyConnect-EAP
set transform-set TS
set ikev2-profile AnyConnect-EAP
!
!
!
!
!
!
!
interface Loopback100
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.254 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 192.168.10.1 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback100
ip mtu 1400
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP
!
ip local pool ACPOOL 192.168.10.5 192.168.10.10
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
05-14-2021 08:25 AM
Here is the crypto debug:
*May 14 14:57:34.251: IKEv2:Received Packet [From 192.168.0.1:51114/To 192.168.0.254:500/VRF i0:f0]
Initiator SPI : DB9FDDC626B324BF - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)
*May 14 14:57:34.251: IKEv2:(SESSION ID = 25,SA ID = 1):Verify SA init message
*May 14 14:57:34.251: IKEv2:(SESSION ID = 25,SA ID = 1):Insert SA
*May 14 14:57:34.251: IKEv2:Searching Policy with fvrf 0, local address 192.168.0.254
*May 14 14:57:34.251: IKEv2:Using the Default Policy for Proposal
*May 14 14:57:34.251: IKEv2:Found Policy 'default'
*May 14 14:57:34.251: IKEv2:(SESSION ID = 25,SA ID = 1):Processing IKE_SA_INIT message
*May 14 14:57:34.255: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Received Policies: : Failed to find a matching policyProposal 1: AES-GCM-256 AES-GCM-192 AES-GCM-128 SHA384 SHA512 SHA256 SHA1 None DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20 DH_GROUP_521_ECP/Group 21 DH_GROUP_3072_MODP/Group 15 DH_GROUP_4096_MODP/Group 16
*May 14 14:57:34.263:
*May 14 14:57:34.263: Proposal 2: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA384 SHA512 SHA256 SHA1 SHA256 SHA384 SHA96 SHA512 DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20 DH_GROUP_521_ECP/Group 21 DH_GROUP_3072_MODP/Group 15 DH_GROUP_4096_MODP/Group 16
*May 14 14:57:34.271:
*May 14 14:57:34.271:
*May 14 14:57:34.271: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Expected Policies: : Failed to find a matching policyProposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
*May 14 14:57:34.279:
*May 14 14:57:34.279:
*May 14 14:57:34.283: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):: Failed to find a matching policy
*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Sending no proposal chosen notify
*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Sending Packet [To 192.168.0.1:51114/From 192.168.0.254:500/VRF i0:f0]
Initiator SPI : DB9FDDC626B324BF - Responder SPI : 8CCAD671C557673E Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)
*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Failed SA init exchange
*May 14 14:57:34.283: IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Initial exchange failed: Initial exchange failed
*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Abort exchange
*May 14 14:57:34.283: IKEv2:(SESSION ID = 25,SA ID = 1):Deleting SA
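The "Received Policies" versus "Expected Policies" lines above can be compared by hand, but a small parser makes the per-algorithm-class comparison explicit when the lists get long. This is an added example, not code from the thread or from Cisco; its only input is the three proposal lines from the debug above, embedded as constructed sample text with the timestamps dropped.

```python
import re

# Proposal lines copied from the IKEv2 debug above (constructed sample: timestamps removed).
DEBUG = """\
IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Received Policies: : Failed to find a matching policyProposal 1: AES-GCM-256 AES-GCM-192 AES-GCM-128 SHA384 SHA512 SHA256 SHA1 None DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20 DH_GROUP_521_ECP/Group 21 DH_GROUP_3072_MODP/Group 15 DH_GROUP_4096_MODP/Group 16
Proposal 2: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA384 SHA512 SHA256 SHA1 SHA256 SHA384 SHA96 SHA512 DH_GROUP_256_ECP/Group 19 DH_GROUP_384_ECP/Group 20 DH_GROUP_521_ECP/Group 21 DH_GROUP_3072_MODP/Group 15 DH_GROUP_4096_MODP/Group 16
IKEv2-ERROR:(SESSION ID = 25,SA ID = 1):Expected Policies: : Failed to find a matching policyProposal 1: AES-CBC-256 AES-CBC-192 AES-CBC-128 SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""

DH_RE = re.compile(r"DH_GROUP_\S+/Group (\d+)")   # "DH_GROUP_3072_MODP/Group 15" -> "15"
PROP_RE = re.compile(r"Proposal (\d+):\s*(.*)")
CLASSES = ("enc", "hash", "dh")

def classify(token):
    # The debug prints PRF and integrity algorithms in one run, so both land in "hash".
    if token.startswith(("AES", "3DES", "DES", "NULL")):
        return "enc"
    return "hash"

def parse_proposal(body):
    """Split one 'Proposal N: ...' body into encryption, hash and DH-group sets."""
    algs = {c: set() for c in CLASSES}
    algs["dh"] = {"Group " + g for g in DH_RE.findall(body)}
    for tok in DH_RE.sub("", body).split():
        algs[classify(tok)].add(tok)
    return algs

def parse_debug(text):
    """Collect proposals under the 'Received' (peer offer) and 'Expected' (router policy) headers."""
    sides = {"received": [], "expected": []}
    side = None
    for line in text.splitlines():
        if "Received Policies" in line:
            side = "received"
        elif "Expected Policies" in line:
            side = "expected"
        m = PROP_RE.search(line)
        if m and side:
            sides[side].append((int(m.group(1)), parse_proposal(m.group(2))))
    return sides

def diagnose(sides):
    """Return (received_no, expected_no, classes with no common algorithm) per proposal pair."""
    return [(rn, en, [c for c in CLASSES if not (recv[c] & exp[c])])
            for rn, recv in sides["received"] for en, exp in sides["expected"]]

if __name__ == "__main__":
    for rn, en, missing in diagnose(parse_debug(DEBUG)):
        print(f"received proposal {rn} vs expected proposal {en}: no overlap in {missing or 'nothing'}")
```

On this debug the client's AES-CBC proposal fails only on the DH class: it offers groups 15, 16, 19, 20 and 21, while the "Expected" set, which the debug shows was taken from the default policy rather than from IKEv2-prop1, carries only groups 2 and 5.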
05-14-2021 08:44 AM
I managed to resolve the policy mismatch!
Quick question: what does the following mean?
SA KE N NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID
*May 14 15:17:05.067: IKEv2:(SESSION ID = 42,SA ID = 1):Verify SA init message
*May 14 15:17:05.067: IKEv2:(SESSION ID = 42,SA ID = 1):Insert SA
*May 14 15:17:05.067: IKEv2:Searching Policy with fvrf 0, local address 192.168.0.254
*May 14 15:17:05.067: IKEv2-ERROR:No Matching policy with fvrf 0, local addr 192.168.0.254
*May 14 15:17:05.067: IKEv2-ERROR:(SESSION ID = 42,SA ID = 1):: Failed to locate an item in the database
*May 14 15:17:05.067: IKEv2:(SESSION ID = 42,SA ID = 1):Failed SA init exchange
*May 14 15:17:05.067: IKEv2-ERROR:(SESSION ID = 42,SA ID = 1):Initial exchange failed: Initial exchange failed
*May 14 15:17:05.071: IKEv2:(SESSION ID = 42,SA ID = 1):Abort exchange
*May 14 15:17:05.071: IKEv2:(SESSION ID = 42,SA ID = 1):Deleting SA
Is this a NAT issue?