05-18-2021 12:24 PM
Hi there,
I'm not entirely sure what happened to my previous post. I hope this isn't a double post.
I keep getting the following AnyConnect error after entering the correct credentials:
Cisco AnyConnect error: "The IPsec VPN connection was terminated due to an authentication failure or timeout. Please contact your network administrator."
The VPN server is using local AAA and all are correct? I am currently using AnyConnect 4.8.
Please, any help would be so much appreciated; I have been trying to set this up for the last 5 days.
Apologies for the novice questions.
Many thanks!
05-19-2021 06:03 PM - edited 05-20-2021 12:39 AM
After nearly a week of investigation and headbanging, I finally got this resolved!
I had to re-write my entire config!
A VPN with IKEv2 requires the following:
IKEv2 proposal
IKEv2 policy
IKEv2 Authorization Policy*
IKEv2 profile
IKEv2 keyring
IPsec:
IPsec transform-set
IPsec profile
Nearly all of those have "smart defaults" that let you use pre-defined, best-practice configs, so you don't need to configure them at all! The only two that YOU MUST configure are:
IKEv2 profile
IKEv2 keyring
--------
When you are configuring the profile:
When you are declaring "aaa authorization group anyconnect-eap list 'NAME OF YOUR AAA AUTHORIZATION NETWORK'", you must FOLLOW this up with the IKEv2 Authorization Policy!!
This applies to you whether you are using RADIUS or local authentication!
For example: aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
Even if you are using a policy derived from RADIUS, you must use a "dummy" authorization policy!
A fully populated authorization policy example:
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 pool VPN_POOL
 dns 1.1.1.1
 def-domain NWL.LAB
 route set remote ipv4 1.1.1.1 255.255.255.255
A "dummy" authorization policy:
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 (EMPTY)
The issue with smart defaults is: even if you don't configure one and let "smart defaults" predefine a "default" authorization policy, that authorization policy name will still need to be called in the profile! Otherwise authentication will pass but authorization will FAIL! (This is what I was experiencing.)
Here is my working config!
Many thanks to @Sheraz.Salim and @Rob Ingram for their attempted help, much appreciated!
This required a significant amount of learning/reading about IKEv2 in a short amount of time!
Also remember, if you are using the www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html
technote to set up the VPN server: they are using AnyConnect 4.6 in that particular example!
AnyConnect 4.9.00086 disables the encryption/hash algorithms DES, 3DES and MD5, and DH groups 2, 5, 14, and 24.
Workaround:
SOLUTION 1: Simply specify all encryption and hash algorithms!
crypto ikev2 proposal MY_IKEV2_PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128 3des
 integrity sha512 sha384 sha256 sha1
 group 21 20 19 16 14 5 2
crypto ikev2 policy MY_IKEV2_POLICY
 proposal MY_IKEV2_PROPOSAL
Solution 2: Write separate proposals and specify them in the IKEv2 policy (not to be confused with the "authorization policy"):
crypto ikev2 proposal HIGH
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 19
crypto ikev2 proposal MEDIUM
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256 sha1
 group 16 14
crypto ikev2 proposal LOW
 encryption aes-cbc-128 3des
 integrity sha1 md5
 group 5 2
crypto ikev2 policy MY_IKEV2_POLICY
 proposal HIGH
 proposal MEDIUM
 proposal LOW
Solution 3: Use the identical AnyConnect version as utilised in the technote example, "AnyConnect version 4.6.03049".
NOTE: You are then resorting to utilising deprecated cryptography (encryption/hash algorithms and groups).
Working config with deprecated cryptography (pre-AnyConnect 4.9):
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.157-3.M3.bin
boot-end-marker
!
aaa new-model
!
!
aaa authentication fail-message ^CSORRY MAN wrong^C
aaa authentication login AAA_AUTHENTICATION_LOGIN local
aaa authorization network AAA_AUTHORIZATION_NETWORK local
!
aaa session-id common
!
ip domain name NWL.LAB
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki server R1-CA
 no database archive
 issuer-name cn="R1-CA"
 grant auto
!
crypto pki trustpoint R1-CA
 revocation-check crl
 rsakeypair R1-CA
!
crypto pki trustpoint R1-CLIENT
 enrollment url http://192.168.1.1:80
 subject-name cn=R1-CLIENT.LAB.NWL
 revocation-check crl
!
crypto pki certificate chain R1-CA
 certificate ca 01
  quit
crypto pki certificate chain R1-CLIENT
 certificate 02
  quit
 certificate ca 01
  quit
license udi pid CISCO2921/K9 sn FCZ181960B7
!
username test password 0 cisco123
username admin privilege 15 password 0 cisco12345
!
redundancy
!
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 pool VPN_POOL
 dns 1.1.1.1
 def-domain NWL.LAB
 route set remote ipv4 1.1.1.1 255.255.255.255
!
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 15
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint R1-CLIENT
 aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
 aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
 aaa authorization user anyconnect-eap cached
 virtual-template 1
!
crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IKEV2_PROFILE
 set transform-set TRANSFORM_SET
 set ikev2-profile IKEV2_PROFILE
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IKEV2_PROFILE
!
ip local pool VPN_POOL 192.168.10.5 192.168.10.10
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
control-plane
!
vstack
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
!
end
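As an added example, not from this thread or from Cisco: a small Python linter that checks an IOS config for the two pitfalls the post above describes, a profile whose "aaa authorization group anyconnect-eap list" line names no (or an undefined) IKEv2 authorization policy, and a proposal that leaves an AnyConnect 4.9 client with nothing but the algorithms that version dropped. The sample config is constructed, and it assumes block headers sit in column 0 with sub-commands indented, as in a "show running-config".

```python
"""Lint an IOS FlexVPN config for the two pitfalls in this thread (constructed
example, not Cisco code): a profile whose 'aaa authorization group ... list' line
names no (or an undefined) IKEv2 authorization policy, and a proposal offering an
AnyConnect 4.9+ client only the algorithms that version dropped."""
import re

# Algorithms AnyConnect 4.9.00086 no longer offers, per the post above.
DEPRECATED = {"encryption": {"des", "3des"}, "integrity": {"md5"},
              "group": {"2", "5", "14", "24"}}

# Constructed config reproducing the broken state: no policy name on the list line, and LOW offers only dropped DH groups.
SAMPLE_CONFIG = """\
aaa authorization network AAA_AUTHORIZATION_NETWORK local
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 pool VPN_POOL
crypto ikev2 proposal LOW
 encryption aes-cbc-128 3des
 integrity sha1 md5
 group 5 2
crypto ikev2 profile IKEV2_PROFILE
 match identity remote key-id *$AnyConnectClient$*
 aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK
"""

def parse_blocks(config):
    """Map each column-0 line to its indented sub-commands, in config order."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw[0] != " ":
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def check_authorization(blocks):
    """Findings for the 'authentication passes, group authorization fails' case."""
    findings = []
    policies = {h.split()[-1] for h in blocks if h.startswith("crypto ikev2 authorization policy ")}
    for header, lines in blocks.items():
        if not header.startswith("crypto ikev2 profile "):
            continue
        name = header.split()[-1]
        for line in lines:
            # group(1) is the optional policy name that must follow the AAA list name
            m = re.match(r"aaa authorization group \S+ list \S+(?: (\S+))?$", line)
            if m and m.group(1) is None:
                findings.append(f"{name}: no IKEv2 authorization policy named after the AAA list")
            elif m and m.group(1) not in policies:
                findings.append(f"{name}: authorization policy {m.group(1)} is not defined")
    return findings

def check_proposals(blocks):
    """Flag proposals where every option of one kind is an algorithm 4.9 dropped."""
    findings = []
    for header, lines in blocks.items():
        if not header.startswith("crypto ikev2 proposal "):
            continue
        name, offered = header.split()[-1], {kind: set() for kind in DEPRECATED}
        for line in lines:
            kind, *algs = line.split()
            if kind in offered:
                offered[kind].update(algs)
        for kind, dropped in DEPRECATED.items():
            if offered[kind] and offered[kind] <= dropped:
                findings.append(f"{name}: every {kind} option ({' '.join(sorted(offered[kind]))}) "
                                "is disabled in AnyConnect 4.9")
    return findings

def lint(config):
    blocks = parse_blocks(config)
    return check_authorization(blocks) + check_proposals(blocks)
```

Running lint(SAMPLE_CONFIG) reports the missing policy name on the profile and the all-deprecated DH groups in proposal LOW; adding the policy name and a current group clears both findings.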
05-18-2021 12:56 PM
Similar post here, same issue. The workaround: one of which downloaded a profile that then affected my connection to another VPN. I just deleted everything in that folder (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile), and was on Windows 10.
05-18-2021 01:21 PM
I have tried deleting everything in that folder and copied my XML profile again; still the same problem.
EAP
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Stopping timer to wait for auth message
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Processing AnyConnect EAP ack response
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Generating AnyConnect EAP success request
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Sending AnyConnect EAP success status message
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Building packet for encryption. Payload contents: EAP
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Sending Packet [To 192.168.1.101:49577/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : B1A3CEDADBB3A7BB - Responder SPI : 7D7035042731B2FF Message id: 4 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Starting timer (90 sec) to wait for auth message
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Received Packet [From 192.168.1.101:49577/To 192.168.1.1:4500/VRF i0:f0] Initiator SPI : B1A3CEDADBB3A7BB - Responder SPI : 7D7035042731B2FF Message id: 5 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: AUTH
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Stopping timer to wait for auth message
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Send AUTH, to verify peer after EAP exchange
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Verify peer's authentication data
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Use preshared key for id *$AnyConnectClient$*, key len 64
May 18 21:19:22.195: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
May 18 21:19:22.195: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Verification of peer's authenctication data PASSED
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Processing INITIAL_CONTACT
May 18 21:19:22.195: IKEv2:Using mlist AAA_AUTHORIZATION_NETWORK and username test for group author request
May 18 21:19:22.195: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
May 18 21:19:22.195: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
May 18 21:19:22.195: IKEv2-ERROR:AAA authorization request failed
May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1):AAA group authorization failed
May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1):
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Verification of peer's authentication data FAILED
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Sending authentication failure notify
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Building packet for encryption. Payload contents: NOTIFY(AUTHENTICATION_FAILED)
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Sending Packet [To 192.168.1.101:49577/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : B1A3CEDADBB3A7BB - Responder SPI : 7D7035042731B2FF Message id: 5 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Auth exchange failed
May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 35,SA ID = 1):: Auth exchange failed
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Abort exchange
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Deleting SA
May 18 21:19:22.199: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
May 18 21:19:22.199: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
05-18-2021 02:23 PM
May 18 21:19:22.195: IKEv2-ERROR:AAA authorization request failed
May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 35,SA ID = 1):: Auth exchange failed
Probably a successful authentication, but authorization has still failed.
Have a look at the post below.
05-19-2021 03:20 PM
What can make authorization fail while authentication is successful?
It's using the local DB for AAA. I made sure the username and password are correct on the router.
However, when I enter these details at the AnyConnect prompt for credentials (after accepting the self-signed certificate warning),
I get this error.
07-02-2022 05:43 AM
Thank you very much, this is very helpful!