ASR 1000 SSL VPN

Andrey Avdeev
Level 1

Hi!

Is it possible to configure SSL VPN remote access with AnyConnect on an ASR 1002?

I have this version of software: Cisco IOS XE Software, Version 03.13.05.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.4(3)S5, RELEASE SOFTWARE (fc1)

Thanks.

Accepted Solution

rvarelac
Level 7

Hi Andrey, 

Yes, it is possible to configure AnyConnect on a device running IOS-XE; however, it must be a FlexVPN (IKEv2) connection. SSL connections are not supported.

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

Hope it helps

-Randy-

Please rate helpful posts to help other users find the answer quickly.

3 Replies

carlguer
Level 1

Hi Andrey,

The ASR 1000 series doesn't support SSL VPN for remote access. In this case, if you want to set up remote access, you can use AnyConnect with IKEv2 or test the connection with the old IPsec client, but the old IPsec client is now End of Life and End of Support.

Here you can find a link with all the VPN capabilities for the Cisco ASR 1000 series:

http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/solution_overview_c22-450825.html

Regards,

- Javier-

Hi!

So, this is my config for IKEv2 on the ASR 1002:

crypto ikev2 authorization policy SERV-POLICY
 pool IPPOOL_Serv-VPN
 dns x.x.x.x
 netmask 255.255.254.0
crypto ikev2 proposal SERV-PROP
 encryption aes-cbc-256
 integrity sha256 sha1 md5
 group 5 2
crypto ikev2 policy SERV-PROP
 proposal SERV-PROP
crypto ikev2 profile SERV-PROF
 match identity remote key-id serv-vpn
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint CA
 aaa authentication eap AUTHLIST_Serv-VPN
 aaa authorization group eap list local_list SERV-POLICY
 virtual-template 21
no crypto ikev2 http-url cert

aaa group server radius radius-server
 server-private 10.2.97.2 key 7 xxxxxxxxxxx
 server-private 10.2.97.3 key 7 xxxxxxxxxxx
 ip vrf forwarding Mgmt-intf
aaa authentication login AUTHLIST_Serv-VPN group radius-server
aaa authorization network AUTHLIST_Serv-VPN group radius-server
aaa authorization network local_list local

crypto ipsec transform-set TS-IKEv2 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile SERV-ANYCONNECT
 set transform-set TS-IKEv2
 set ikev2-profile SERV-PROF

interface Virtual-Template21 type tunnel
 ip unnumbered GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SERV-ANYCONNECT

Is this a correct configuration? Maybe I forgot something?

Many thanks!
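
A consistency check for the FlexVPN configuration posted above, added here as an example (not the poster's or Cisco's code): it reports names that are referenced but not defined in the text it is given, and IKEv2 transforms that RFC 8247 marks MUST NOT or SHOULD NOT. The rule table and the `audit` function are assumptions of this example; the sample is cut down from the post, so a reported pool or trustpoint may simply be defined in a part of the running configuration that was not shown.

```python
import re

# Constructed sample: the name-bearing lines of the configuration posted above.
SAMPLE = """
crypto ikev2 authorization policy SERV-POLICY
 pool IPPOOL_Serv-VPN
crypto ikev2 proposal SERV-PROP
 integrity sha256 sha1 md5
 group 5 2
crypto ikev2 profile SERV-PROF
 pki trustpoint CA
 aaa authentication eap AUTHLIST_Serv-VPN
 aaa authorization group eap list local_list SERV-POLICY
 virtual-template 21
aaa authentication login AUTHLIST_Serv-VPN group radius-server
aaa authorization network local_list local
crypto ipsec transform-set TS-IKEv2 esp-aes 256 esp-sha-hmac
crypto ipsec profile SERV-ANYCONNECT
 set transform-set TS-IKEv2
 set ikev2-profile SERV-PROF
interface Virtual-Template21 type tunnel
 tunnel protection ipsec profile SERV-ANYCONNECT
"""

# (object kind, pattern of the line defining it, pattern of a line referencing it)
RULES = [
    ("address pool", r"ip local pool (\S+)", r"pool (\S+)"),
    ("trustpoint", r"crypto pki trustpoint (\S+)", r"pki trustpoint (\S+)"),
    ("AAA login list", r"aaa authentication login (\S+)", r"aaa authentication eap (\S+)"),
    ("AAA network list", r"aaa authorization network (\S+)", r"aaa authorization group eap list (\S+)"),
    ("authorization policy", r"crypto ikev2 authorization policy (\S+)", r"aaa authorization group eap list \S+ (\S+)"),
    ("virtual-template", r"interface Virtual-Template(\d+)", r"virtual-template (\d+)"),
    ("transform-set", r"crypto ipsec transform-set (\S+)", r"set transform-set (\S+)"),
    ("IKEv2 profile", r"crypto ikev2 profile (\S+)", r"set ikev2-profile (\S+)"),
    ("IPsec profile", r"crypto ipsec profile (\S+)", r"tunnel protection ipsec profile (\S+)"),
]
WEAK = {"integrity": {"md5"}, "group": {"1", "2", "5"}}  # RFC 8247: MUST NOT / SHOULD NOT

def audit(config):
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    for kind, define, refer in RULES:
        # re.match anchors at line start, so "pool X" never matches "ip local pool X"
        defined = {m.group(1) for l in lines if (m := re.match(define, l))}
        used = [m.group(1) for l in lines if (m := re.match(refer, l))]
        findings += [f"{kind} {n} referenced but not defined" for n in used if n not in defined]
    for l in lines:
        key, *values = l.split()
        findings += [f"weak IKEv2 {key} {v}" for v in values if v in WEAK.get(key, ())]
    return findings
```

`audit(SAMPLE)` returns a list of finding strings; an empty list means every reference resolved and no listed transform was offered.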
