01-27-2016 11:44 PM - edited 02-21-2020 08:39 PM
Hi!
Is it possible to configure VPN on an ASR 1002 and use the AnyConnect client?
Version of software :
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 23-Jul-12 19:02 by mcpre
IOS XE Version: 03.07.00.S
Best regards,
Andrew
01-28-2016 12:19 AM
Hi Andrew
I am assuming that you are asking about SSL VPN when you are asking about AnyConnect Client connectivity. AnyConnect Client can also be used with IKEv2 to connect to IOS XE based ASR platform (FlexVPN Client).
For SSL VPN: it is supported from Cisco IOS XE Release 3.12S and above.
Please go through this doc for more information: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book/sec-conn-sslvpn-ssl-vpn.html
For IKEv2: please go through the following links for more information:
http://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-cfg-flex-clnt.html
Regards
Jagmeet
01-28-2016 12:40 AM
Thanks for the answer!
Now the question is that I want to use the IKEv2 VPN type.
I made a config, but I have a problem with the AnyConnect connection. The issue is: "Could not connect to server. Please verify internet connectivity and server address".
Best regards,
Andrew
P.S. I did not configure a trustpoint.
01-28-2016 12:45 AM
Sure, let me have a look at the config.
Regards
Jagmeet
01-29-2016 01:53 AM
Hi Jagmeet!
Can I make my configuration without a trustpoint? Is a trustpoint really needed? Can I use an external trustpoint, for example my domain CA server?
01-28-2016 12:54 AM
Hi Andrew
Your IKEv2 profile says that the local authentication is rsa-sig, which will require an identity certificate trustpoint to be configured on the profile.
Please configure an identity certificate trustpoint and apply it to the profile.
Also, I am not able to see "aaa authorization group eap list" configured in the IKEv2 profile. Please configure that as well.
Refer to this doc for full configuration assistance:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
Regards
Jagmeet Singh
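The two gaps named in the reply above (rsa-sig local authentication with no trustpoint on the profile, and no "aaa authorization group eap list" line) can be checked offline against a saved configuration. This is an added example, not code from the thread or from Cisco; the sample config is constructed, every name in it except SERV-POLICY is hypothetical, and it assumes the word after the AAA list name refers to a locally defined IKEv2 authorization policy.

```python
import re

# Constructed samples; names other than SERV-POLICY are hypothetical.
# GOOD is BAD plus the two missing profile lines and the trustpoint definition.
BAD = """\
crypto ikev2 authorization policy SERV-POLICY
crypto ikev2 profile AC-PROFILE
 authentication local rsa-sig
 authentication remote eap query-identity
"""
GOOD = BAD + """\
 pki trustpoint FLEX-TP
 aaa authorization group eap list AUTHZ-LIST SERV-POLICY
crypto pki trustpoint FLEX-TP
"""

def parse_blocks(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def lint_ikev2_profiles(config):
    """Return (profile, finding) pairs for each 'crypto ikev2 profile' block."""
    blocks = parse_blocks(config)
    trustpoints = {h.split()[-1] for h in blocks if h.startswith("crypto pki trustpoint ")}
    policies = {h.split()[-1] for h in blocks if h.startswith("crypto ikev2 authorization policy ")}
    profiles = {h.split()[-1]: b for h, b in blocks.items() if h.startswith("crypto ikev2 profile ")}
    out = []
    for name, body in profiles.items():
        tps = [c.split()[2] for c in body if c.startswith("pki trustpoint ")]
        if "authentication local rsa-sig" in body and not tps:
            out.append((name, "rsa-sig without pki trustpoint"))
        out += [(name, f"undefined trustpoint {t}") for t in tps if t not in trustpoints]
        authz = [c for c in body if re.match(r"aaa authorization group (override )?eap list ", c)]
        if any(c.startswith("authentication remote eap") for c in body) and not authz:
            out.append((name, "EAP without aaa authorization group eap list"))
        for c in authz:
            args = c.split(" list ", 1)[1].split()
            # Assumption: the word after the AAA list name is a local authorization policy.
            if len(args) > 1 and args[1] not in policies:
                out.append((name, f"undefined authorization policy {args[1]}"))
    return out
```

Calling `lint_ikev2_profiles(BAD)` reports both gaps for AC-PROFILE, and `lint_ikev2_profiles(GOOD)` returns an empty list.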
01-28-2016 01:01 AM
Jagmeet,
I must have forgotten to add this section to the config file:
crypto ikev2 authorization policy SERV-POLICY
 pool IPPOOL_Serv-VPN
 dns x.x.x.x
 netmask 255.255.255.0
 banner ^CCC Welcome ^C
 def-domain example.com
Can I make my configuration without a trustpoint? Is a trustpoint really needed? Can I use an external trustpoint, for example my domain CA server?
thanks!