Anyconnect VPN at Cisco ASR 1002

Andrey Avdeev
Level 1

Hi!

Is it possible to configure VPN on ASR 1002 and use the AnyConnect client?

Version of software:

Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 23-Jul-12 19:02 by mcpre

IOS XE Version: 03.07.00.S

Best regards,

Andrew

6 Replies

jagmeesi
Level 1

Hi Andrew

I am assuming that you are asking about SSL VPN when you are asking about AnyConnect Client connectivity. AnyConnect Client can also be used with IKEv2 to connect to IOS XE based ASR platform (FlexVPN Client).

For SSL VPN: it is supported from Cisco IOS XE Release 3.12S and above.

Please go through this doc for more information: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book/sec-conn-sslvpn-ssl-vpn.html

For IKEv2: please go through the following links for more information on the same:

http://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-cfg-flex-clnt.html

Regards

Jagmeet

Thanks for the answer!

Now the question is that I want to use the IKEv2 VPN type.

I made a config, but I have a problem with the AnyConnect connection. The issue is: "Could not connect to server. Please verify internet connectivity and server address".

Best regards,

Andrew

P.S. I did not configure a trustpoint.

Sure, let me have a look into the config.

Regards

Jagmeet

Hi Jagmeet!

Can I make my configuration without a trustpoint? So is a trustpoint really needed? Can I use an external trustpoint, for example my domain CA server?

Hi Andrew

Your IKEv2 profile says that the local authentication is used as rsa-sig; that will require an identity certificate trustpoint to be configured on the profile.

Please configure an identity certificate trustpoint and apply it to the profile.

Also, I am not able to see "aaa authorization group eap list" being configured in the IKEv2 profile. Please configure the same as well.

Refer to this doc for full configuration assistance on the same:

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

Regards

Jagmeet Singh 

Jagmeet,

I must have forgotten to add this section to the config file:

crypto ikev2 authorization policy SERV-POLICY
 pool IPPOOL_Serv-VPN
 dns x.x.x.x
 netmask 255.255.255.0
 banner ^CCC Welcome ^C
 def-domain example.com

Can I make my configuration without a trustpoint? So is a trustpoint really needed? Can I use an external trustpoint, for example my domain CA server?

Thanks!
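
The two profile changes Jagmeet describes (an identity certificate trustpoint for rsa-sig local authentication, and the "aaa authorization group eap list" line), sketched as an added example that is not taken from either poster's configuration. SERV-POLICY is the authorization policy name posted above; every other name (ID-TP, ID-TP-KEY, AC-PROFILE, EAP-AUTHEN, FLEX-AUTHOR, vpn.example.com) is an assumed placeholder, and relaying EAP to a RADIUS server group is an assumption.

```cisco
! Added example. Only SERV-POLICY comes from the thread; all other names are assumed.
aaa new-model
! Assumption: EAP user authentication is relayed to a RADIUS server group.
aaa authentication login EAP-AUTHEN group radius
! Local method list, so the router reads the IKEv2 authorization policy itself.
aaa authorization network FLEX-AUTHOR local
!
! Identity certificate the router presents when local authentication is rsa-sig.
crypto pki trustpoint ID-TP
 enrollment terminal
 subject-name CN=vpn.example.com
 revocation-check crl
 rsakeypair ID-TP-KEY
!
! The profile's existing match and virtual-template lines are unchanged and not shown.
crypto ikev2 profile AC-PROFILE
 authentication local rsa-sig
 authentication remote eap query-identity
 ! Bind the identity certificate to the profile.
 pki trustpoint ID-TP
 aaa authentication eap EAP-AUTHEN
 ! Hand the pool, DNS, netmask and domain from SERV-POLICY to the client.
 aaa authorization group eap list FLEX-AUTHOR SERV-POLICY
```

Once the trustpoint is enrolled, `show crypto pki certificates ID-TP` should list both the CA certificate and the router's identity certificate before the AnyConnect connection is retried.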