I have configured a Cisco 2921 router (with IOS 15.4) for IKEv2 and AnyConnect (4.4.00243) with Suite-B Cryptography, including certificates of course. This router has an L3 24-port Enhanced EtherSwitch Service Module SM-ES3G-24-P. I have 3 different sets of ikev2 profile, ikev2 authorization policy and ipsec profile, along with three different and unique IP pools. The 2921 has a default route to the Internet and static routes to the networks on the EtherSwitch Service Module. The 2921 virtual link G1/0 is configured with 172.16.7.254 and the G0/26 on the Service Module is configured with 172.16.7.253. The Service Module has a default route to 172.16.7.254.
I do not have any problem connecting to the router with AnyConnect; if I connect with three different certificates I get three different IP addresses, just like I should. Also, I do not have any problem pinging the 172.16.7.253 or 172.16.7.254 addresses. The problem I have is accessing any network beyond the directly connected networks on the 2921; for example:
crypto ikev2 authorization policy vpn_users_g1
 pool vpn_users_g1
 route set interface
 route set remote ipv4 192.168.2.0 255.255.255.0
 route set remote ipv4 192.168.5.0 255.255.255.0
 route set remote ipv4 172.16.7.0 255.255.255.0
I can access the 172.16.7.0/24 network, which is directly connected to the 2921, but I cannot access the other two networks, which are connected to the EtherSwitch Service Module. In this case I can access the Internet because of the split tunnel. On the other hand, if I do this:
crypto ikev2 authorization policy vpn_users_g1
 pool vpn_users_g1
 route set interface
I cannot access the Internet or any internal network, regardless of whether it is connected to the 2921 or to the EtherSwitch Service Module, even though all traffic should be secured because there is no split tunnel. I have tried quite a few variants, but always with only partial success. It sounds like an ARP problem, but I can't pin it down.
I have the same IOS router, a 2921 with version 15.4. I have tried a lot to make AnyConnect work with it, but with no luck, so if you have a working configuration for AnyConnect, could you please share it for testing?