01-21-2020 02:53 AM - edited 02-21-2020 09:50 PM
Hi all,
I'm setting up the AnyConnect client on an ISR router and I can't get it working.
I've followed these instructions and it doesn't work.
Here's my configuration.
aaa authentication login ANYCONNECT local
aaa authorization network ANYCONNECT local
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
crypto pki trustpoint ANYCONNECT
enrollment selfsigned
serial-number
revocation-check crl
rsakeypair ANYCOONECT 2048
!
crypto pki certificate chain ANYCONNECT
certificate self-signed 01
quit
!
ethernet-internal subslot 1/0
platform switchport svi
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
crypto ikev2 authorization policy ANYCONNECT
pool SSLVPN
dns 10.5.5.60 8.8.8.8
route set access-list SPLIT_TUNNEL
!
crypto ikev2 proposal ANYCONNECT
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy ANYCONNECT
proposal ANYCONNECT
!
!
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint ANYCONNECT
aaa authentication anyconnect-eap ANYCONNECT
aaa authorization group anyconnect-eap list ANYCONNECT ANYCONNECT
aaa authorization user anyconnect-eap cached
virtual-template 100
anyconnect profile acvpn
!
no crypto ikev2 http-url cert
!
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto ipsec transform-set ANYCONNECT esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile AnyConnect-EAP
set transform-set ANYCONNECT
set ikev2-profile AnyConnect-EAP
!
interface Loopback100
ip address 192.168.1.1 255.255.255.255
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback100
ip mtu 1400
zone-member security LAN
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP
!
ip local pool SSLVPN 172.16.27.10 172.16.27.50
end
If I disable the auto-update in the XML, I get the error: 'Automatic profile updates are disabled and the local VPN profile does not match the secure gateway VPN profile.'
If I enable the auto-update in the XML, I get the error: 'Failed to get configuration from secure gateway'.
The AnyConnect version running on the router is: anyconnect-win-4.8.01090-predeploy-k9
It's the same version running on the laptop.
I can see Virtual-access Interface going up and down while I try to log in.
Does anyone have a clue why it's not working?
Thanks.
01-21-2020 03:04 AM
01-21-2020 03:35 AM
Cisco IOS XE Software, Version 16.09.04
No, it doesn't even give me the prompt to enter credentials when I try without the AnyConnect profile.
01-21-2020 08:34 AM - edited 01-25-2020 09:39 AM
I can establish a VPN if I disable the AnyConnect profile from downloading. There isn't much information regarding this feature, and the debugs don't appear to be too helpful either. I suggest you log a TAC call.
EDIT: Cisco Live session BRKSEC-3054 confirms this feature is only available on CSR1000v; the guide you previously provided was based on CSR1000v as well. I assume the feature is not yet available on ISR hardware. Check with TAC.
05-05-2020 01:50 PM
Did you ever get this worked out? I have a similar config and seem to be having an issue with the profile update process.
I did manage to get it to connect by manually making the profile on the PC and the router the same, but if they are different it fails.
04-22-2021 10:52 AM - edited 04-28-2021 07:21 AM
Scenario: ISR 4000 series IKEv2 VPN configured for AnyConnect EAP clients with username and password. The profile stored on the ISR and the one on the client must have the same file name, 'acvpn.xml', and must contain identical contents; otherwise the connection fails. The workaround of disabling the AnyConnect profile download feature is not acceptable for my environment because of the server list that I must update.
My solution: Use the AnyConnect Profile Editor to create a 'vanilla' acvpn.xml file. This file contains my global basic preferences (Part 1 and Part 2) that we use for every device (FP, ISR, ASA, RV). No other settings are defined, and especially no server list entries. Copy this file to the ISR, then re-issue the proper commands from the guide:
no crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
Any time the acvpn.xml is replaced on the ISR, these commands must be performed again or the connection will fail. I determined this through trial and error.
Copy the acvpn.xml to the proper location on the client
Example (Windows): C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Now, create (or add to existing) an anyconnect profile that includes a new <HostEntry> in the <ServerList> section:
<HostEntry>
<HostName>Site Name</HostName>
<HostAddress>WAN IP or FQDN</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
Save the file to the proper location on the client.
Do not copy this file to the ISR.
Close (Quit Anyconnect from tray icon), restart Anyconnect.
New VPN entry will appear in the Anyconnect drop down list.
Should connect with no problems.
Add more host entries as needed.
Simply make sure the same vanilla acvpn.xml is used on every ISR and client.
All other xml profiles on clients can be different.
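As an added example (not code from this thread or from Cisco), a short Python check for the two rules the post above arrives at: the acvpn.xml copied to the ISR and the client's copy must be identical, and the separate client-only profile must carry host entries using IPsec with EAP-AnyConnect. The sample profiles, host name and address are constructed placeholders, and the byte-for-byte comparison is the strictest reading of "identical contents".

```python
import hashlib
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip a namespace prefix: '{uri}HostEntry' -> 'HostEntry'."""
    return tag.rsplit("}", 1)[-1]

def profile_digest(data: bytes) -> str:
    """SHA-256 of the raw file bytes; any stray newline or BOM changes it."""
    return hashlib.sha256(data).hexdigest()

def host_entries(profile: bytes) -> list:
    """Return one dict per <HostEntry>, namespace-agnostic."""
    entries = []
    for he in ET.fromstring(profile).iter():
        if _local(he.tag) != "HostEntry":
            continue
        entry = {"name": None, "address": None, "protocol": None, "auth": None}
        for child in he:
            name, text = _local(child.tag), (child.text or "").strip()
            if name == "HostName":
                entry["name"] = text
            elif name == "HostAddress":
                entry["address"] = text
            elif name == "PrimaryProtocol":
                entry["protocol"] = text  # text before the nested element
                for sub in child.iter():  # auth method sits two levels down
                    if _local(sub.tag) == "AuthMethodDuringIKENegotiation":
                        entry["auth"] = (sub.text or "").strip()
        entries.append(entry)
    return entries

def entry_problems(entry: dict) -> list:
    """Flag fields that would not match the ISR's IKEv2 anyconnect-eap profile."""
    problems = []
    if entry["protocol"] != "IPsec":
        problems.append("PrimaryProtocol must be IPsec, got %r" % entry["protocol"])
    if entry["auth"] != "EAP-AnyConnect":
        problems.append("AuthMethodDuringIKENegotiation must be EAP-AnyConnect")
    return problems

# Constructed sample profiles (placeholders, not the poster's real files).
VANILLA = b"""<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ClientInitialization/><ServerList/></AnyConnectProfile>"""
SITE_LIST = b"""<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList><HostEntry><HostName>Site A</HostName><HostAddress>vpn-a.example.net</HostAddress>
<PrimaryProtocol>IPsec<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly></PrimaryProtocol></HostEntry></ServerList></AnyConnectProfile>"""
```

Compare profile_digest() of the client's acvpn.xml with the digest of the copy you uploaded to the ISR before re-issuing the crypto vpn anyconnect profile commands.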
11-22-2023 11:53 AM
Thank you, this was exactly what I needed for the multi-discrete endpoint solution I was working on. This one note fixed over a week of troubleshooting. I wish this were spelled out like this in the config guide.