07-23-2018 11:31 PM
Hi, I`m a newbie in Cisco at all. And I have a task to complete. I have to set up a Headend on 4331ISR as a part of an IPSec tunnel with AnyConnect clients.
I`ve already checked out this document and read through the forum. But still cannot find a full tutorial from the beginning to end - how to get my job done. I mean I`ve created an ACL, ikev2 proposal and transformation set, crypto map and 'attached' it to both my int and ext interfaces.
Then I connect to my cisco 4331 from anyconnect client and get 'Connection attempt has failed' error. I`ve turned on debug but can`t see any output at all during the connection attempts. What am I missing?
I see some tutorials here on 'ASA+AnyConnect IPSec' topic but I`m not sure ISR and ASA are the same beast.
Can anybody give me any help on the issue?
07-24-2018 12:18 AM
Hi,
Have you looked at Cisco Live Online library? (Its a free registration)
There are several FlexVPN sessions there fex BRKSEC-3054 - FlexVPN Remote Access, IoT and Site to Site VPN design
And others with good info in as well, just search for FlexVPN
Cheers
07-24-2018 01:28 AM
Hi,
Checkout this link, this blogpost describes how to setup a FlexVPN Remote Access VPN on an ISR/CSR router. The link you provided was for an ASA which won't help to configure a ISR router.
The Cisco Live link already provided is also definately a good source of information.
HTH
07-24-2018 01:47 AM
Thanks, guys!
I`ve just got through your links (CiscoLive and the blog post).
Is there any chance to setup vpn remote access for AnyConnect clients without FlexVPN? It looks like it`s just a useful tool and there are options but I can`t finad any tutorials for AnyConnect that don`t use FlexVPN on the headend.
And how can I be sure that my ISR 4331 supports FlexVPN?
and I`m sorry - a newbie question - how can I 'translate' a config lines from the blog post to actual commands?
07-24-2018 01:51 AM
Hi,
If you are configuring IKEv2 on an ISR router then you are configuring FlexVPN, that is just the name of the solution.
What license do you have on the ISR router? You will need a Security license, as per ISR datasheet.
HTH
07-24-2018 01:57 AM
07-24-2018 06:36 AM
You may refer to the following to guides:
- https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
- http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html
One important step is to configure the client to use IPSec instead of TLS, since by default it will try to establish the tunnel over TLS.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide