14063 Views, 11 Helpful, 6 Replies

Cisco Anyconnect error: "The IPsec VPN connection was terminated due to an authentication failure or timeout"

tanyatamir53355
Level 1

Hi there,

 

I'm not entirely sure what happened to my previous post. I hope this isn't a double post.

 

I keep getting the following AnyConnect error after entering the correct credentials:

"Cisco AnyConnect error: The IPsec VPN connection was terminated due to an authentication failure or timeout. Please contact your network administrator."

 

The VPN server is using local AAA, and all the credentials are correct. I am currently using AnyConnect 4.8.

 

Any help would be so much appreciated; I have been trying to set this up for the last 5 days.

 

Apologies for the novice questions.

 

Many thanks!

Accepted Solution

tanyatamir53355
Level 1

After nearly a week of investigation and headbanging, I finally got this resolved!

 

I had to re-write my entire config! 

A VPN with IKEv2 requires the following:

IKEv2 proposal

IKEv2 policy

IKEv2 Authorization Policy*

IKEv2 profile

IKEv2 keyring

 

IPSec:

IPSec transform-set

IPSec profile

 

Nearly all of those have "smart defaults" that let you use pre-defined best-practice configs, so you don't even need to configure them at all! The only two that YOU MUST configure are:

IKEv2 profile

IKEv2 keyring

--------

When you are configuring the profile:

When you are declaring "aaa authorization group anyconnect-eap list 'NAME OF YOUR AAA AUTHORIZATION NETWORK'", you must FOLLOW this up with the IKEv2 authorization policy!!

This applies to you whether you are using RADIUS or local authentication!

 

For example: "aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY"

 

Even if you are using a policy derived from RADIUS, you must use a "dummy" authorization policy!

 

A fully populated authorization policy example:

crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 pool VPN_POOL
 dns 1.1.1.1
 def-domain NWL.LAB
 route set remote ipv4 1.1.1.1 255.255.255.255

 

A "dummy" authorization policy:

crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY

(EMPTY)

 

The issue with smart defaults IS that even IF you don't configure it and you let "smart defaults" predefine a "default" authorization policy, that authorization policy name will still need to be called in the profile! Otherwise authentication will pass but authorization will FAIL! (This is what I was experiencing.)

 

Here is my working config!

 

Many thanks to @Sheraz.Salim and @Rob Ingram for their attempted help, much appreciated!


This required a significant amount of learning/reading about IKEv2 in a short amount of time!

 

Also remember, if you are using the www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html technote to set up the VPN server: they are using AnyConnect 4.6 in that particular example!

 

AnyConnect 4.9.00086 disables the encryption/hash algorithms DES, 3DES, and MD5, and DH groups 2, 5, 14, and 24.

Workaround:

Solution 1: Simply specify all encryption and hash algorithms!

crypto ikev2 proposal MY_IKEV2_PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128 3des
 integrity sha512 sha384 sha256 sha1
 group 21 20 19 16 14 5 2

crypto ikev2 policy MY_IKEV2_POLICY
 proposal MY_IKEV2_PROPOSAL

Solution 2:

Write separate proposals and specify them in the IKEv2 policy (not to be confused with the "authorization policy"):

crypto ikev2 proposal HIGH
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 19
crypto ikev2 proposal MEDIUM
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256 sha1
 group 16 14
crypto ikev2 proposal LOW
 encryption aes-cbc-128 3des
 integrity sha1 md5
 group 5 2
crypto ikev2 policy MY_IKEV2_POLICY
 proposal HIGH
 proposal MEDIUM
 proposal LOW

Solution 3: Use the identical AnyConnect version as utilised in the technote example, "anyconnect version 4.6.03049".
NOTE: You are then resorting to utilising deprecated cryptography (encryption/hash algorithms and groups).

 

Working config with deprecated cryptography (pre-AnyConnect 4.9):

 

 

version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.157-3.M3.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication fail-message ^CSORRY MAN wrong^C
aaa authentication login AAA_AUTHENTICATION_LOGIN local
aaa authorization network AAA_AUTHORIZATION_NETWORK local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name NWL.LAB
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki server R1-CA
 no database archive
 issuer-name cn="R1-CA"
 grant auto
!
crypto pki trustpoint R1-CA
 revocation-check crl
 rsakeypair R1-CA
!
crypto pki trustpoint R1-CLIENT
 enrollment url http://192.168.1.1:80
 subject-name cn=R1-CLIENT.LAB.NWL
 revocation-check crl
!
!
crypto pki certificate chain R1-CA
 certificate ca 01
  308201F9 30820162 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  10310E30 0C060355 04031305 52312D43 41301E17 0D323130 35313931 39353131
  345A170D 32343035 31383139 35313134 5A301031 0E300C06 03550403 13055231
  2D434130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B3B6315E BEE3D75C 9FE076FB 7332BAEE 254A2BE6 E17B5F1F 988DC152 8097FAA4
  C7E00CB1 DD24C79E 0717E7BE 1E7032D7 E654A882 184634E4 D52B27DB 0487BA56
  A459C84F B7235D14 F970FC8D 897F7E5A A6CBD21C B5F9352F 5942E754 3F75DE3F
  3087258A E128858A F33E53B8 8C91C32F A702B1F8 10D553F1 818CAC94 B7FE46FD
  02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D
  0F0101FF 04040302 0186301F 0603551D 23041830 1680145C 8C866A69 D818F2CF
  ED1715F9 58916C55 99D22D30 1D060355 1D0E0416 04145C8C 866A69D8 18F2CFED
  1715F958 916C5599 D22D300D 06092A86 4886F70D 01010405 00038181 00790FD3
  12F85A4D 1C9834EE 62DFAF6F 19F14F05 FC63EDAC 8262D80D E98DBFA2 9E4DD612
  1672499F AB49924A EBC9E6E0 992CF6E7 29474025 04076509 FAADEBCC 70D97F83
  EADD2E82 6E34A61D A8552C2E 11364FA8 F1937B4D 13054219 1400DCD1 EC2468F5
  7DA396B1 B3757AB0 38668A18 94879D72 C2DE5CAC 394D5503 23DBEF8A F4
        quit
crypto pki certificate chain R1-CLIENT
 certificate 02
  3082020C 30820175 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
  10310E30 0C060355 04031305 52312D43 41301E17 0D323130 35313931 39353434
  395A170D 32323035 31393139 35343439 5A303731 1A301806 03550403 13115231
  2D434C49 454E542E 4C41422E 4E574C31 19301706 092A8648 86F70D01 0902160A
  52312E4E 574C2E4C 41423081 9F300D06 092A8648 86F70D01 01010500 03818D00
  30818902 818100BC CAA60B23 894A5442 37C5A734 90C2CBDD 6C36FA5E 77E24E57
  88055EAC 5ED5955E 2320954D 8ED48434 51B41122 AA88A357 52732BF0 BEC800C4
  94560AE8 C5053B2B F9D200CE 0CD94A4B 147898E7 DD1F14AE 3EC0CD34 4251350E
  C6BE397F 25A8DFE3 366FB769 390F2D7E 50DDBF88 C410F821 444CDBB0 7DB932DD
  5096802E C658D502 03010001 A34F304D 300B0603 551D0F04 04030205 A0301F06
  03551D23 04183016 80145C8C 866A69D8 18F2CFED 1715F958 916C5599 D22D301D
  0603551D 0E041604 1448ABCC 69AB2CDA BE74C0BD D54D5D58 B2BE2E67 62300D06
  092A8648 86F70D01 01050500 03818100 4ADAD0C2 609BD195 5095D906 47F049A8
  CF32E584 08301546 3940048E AFF7E32C A94C5287 06EECEDE 32F6F089 E0AE7655
  3114A393 5DA731B5 B5EC158A 1E77EEEC 580C197D 1E493D8E 5CF2D4AE 50877ECE
  080D9F9E 390E8410 CF70A420 AE8693CB FFA5CC11 579E177B B58CE745 0957E6CE
  4B23E84C 2BEDB18A 7A71F164 6D25E318
        quit
 certificate ca 01
  308201F9 30820162 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  10310E30 0C060355 04031305 52312D43 41301E17 0D323130 35313931 39353131
  345A170D 32343035 31383139 35313134 5A301031 0E300C06 03550403 13055231
  2D434130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B3B6315E BEE3D75C 9FE076FB 7332BAEE 254A2BE6 E17B5F1F 988DC152 8097FAA4
  C7E00CB1 DD24C79E 0717E7BE 1E7032D7 E654A882 184634E4 D52B27DB 0487BA56
  A459C84F B7235D14 F970FC8D 897F7E5A A6CBD21C B5F9352F 5942E754 3F75DE3F
  3087258A E128858A F33E53B8 8C91C32F A702B1F8 10D553F1 818CAC94 B7FE46FD
  02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D
  0F0101FF 04040302 0186301F 0603551D 23041830 1680145C 8C866A69 D818F2CF
  ED1715F9 58916C55 99D22D30 1D060355 1D0E0416 04145C8C 866A69D8 18F2CFED
  1715F958 916C5599 D22D300D 06092A86 4886F70D 01010405 00038181 00790FD3
  12F85A4D 1C9834EE 62DFAF6F 19F14F05 FC63EDAC 8262D80D E98DBFA2 9E4DD612
  1672499F AB49924A EBC9E6E0 992CF6E7 29474025 04076509 FAADEBCC 70D97F83
  EADD2E82 6E34A61D A8552C2E 11364FA8 F1937B4D 13054219 1400DCD1 EC2468F5
  7DA396B1 B3757AB0 38668A18 94879D72 C2DE5CAC 394D5503 23DBEF8A F4
        quit
license udi pid CISCO2921/K9 sn FCZ181960B7
!
!
username test password 0 cisco123
username admin privilege 15 password 0 cisco12345
!
redundancy
!
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 pool VPN_POOL
 dns 1.1.1.1
 def-domain NWL.LAB
 route set remote ipv4 1.1.1.1 255.255.255.255
!
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 15
!
!
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint R1-CLIENT
 aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
 aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
 aaa authorization user anyconnect-eap cached
 virtual-template 1
!
!
!
!
!
!
crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IKEV2_PROFILE
 set transform-set TRANSFORM_SET
 set ikev2-profile IKEV2_PROFILE
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IKEV2_PROFILE
!
ip local pool VPN_POOL 192.168.10.5 192.168.10.10
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
 vstack
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
!
end

 

 

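As an added example (not from the thread or from Cisco), a small Python checker for the two mistakes the accepted solution describes: an IKEv2 profile whose "aaa authorization group ... list" line is not followed by a defined "crypto ikev2 authorization policy" (authentication passes, authorization fails), and an IKEv2 proposal in which every option of some category is one of the algorithms AnyConnect 4.9 disabled. It assumes "show running-config" indentation and that the smart-default policy is literally named "default"; the sample config, DISABLED_IN_AC49 and check_config are constructed for this example.

```python
import re

# Algorithms the accepted solution says AnyConnect 4.9.00086 disabled.
DISABLED_IN_AC49 = {
    "encryption": {"des", "3des"},
    "integrity": {"md5"},
    "group": {"2", "5", "14", "24"},
}

# Constructed sample that reproduces the thread's failure: the profile names the
# method list but no IKEv2 authorization policy follows it.
BROKEN_PROFILE = """\
aaa authorization network AAA_AUTHORIZATION_NETWORK local
!
crypto ikev2 proposal LOW
 encryption aes-cbc-128 3des
 integrity sha1 md5
 group 5 2
!
crypto ikev2 profile IKEV2_PROFILE
 aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
 aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK
"""


def parse_blocks(config):
    """Split running-config text into (header, [sub-commands]) pairs.
    Assumes top-level commands in column 0, sub-commands indented, '!' separators."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def check_config(config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    blocks = parse_blocks(config)
    # Smart defaults provide a policy literally named 'default' (assumption).
    policies = {"default"} | {h.split()[-1] for h, _ in blocks
                              if h.startswith("crypto ikev2 authorization policy ")}
    mlists = {h.split()[3] for h, _ in blocks
              if h.startswith("aaa authorization network ")}
    for header, body in blocks:
        name = header.split()[-1]
        if header.startswith("crypto ikev2 profile "):
            for sub in body:
                m = re.fullmatch(r"aaa authorization group \S+ list (\S+)(?: (\S+))?", sub)
                if not m:
                    continue
                mlist, policy = m.groups()
                if mlist not in mlists:
                    findings.append(f"profile {name}: method list {mlist} is not defined")
                if policy is None:
                    findings.append(f"profile {name}: list {mlist} is not followed by an "
                                    "ikev2 authorization policy (auth passes, authz fails)")
                elif policy not in policies:
                    findings.append(f"profile {name}: policy {policy} is never defined")
        elif header.startswith("crypto ikev2 proposal "):
            # Collect what the proposal offers per category, then see whether
            # AnyConnect 4.9 is left with nothing it can negotiate in that category.
            offered = {kw: set() for kw in DISABLED_IN_AC49}
            for sub in body:
                kw, *vals = sub.split()
                if kw in offered:
                    offered[kw] = set(vals)
            for kw, vals in offered.items():
                if vals and vals <= DISABLED_IN_AC49[kw]:
                    findings.append(f"proposal {name}: every {kw} option "
                                    f"({' '.join(sorted(vals))}) is disabled in AnyConnect 4.9")
    return findings
```

Running check_config on a pasted "show running-config" reports the missing policy reference before the client ever produces the generic "authentication failure or timeout" message.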

6 Replies

Similar post here, same issue. The workaround: one of which downloaded a profile, which then affected my connection to another VPN. Just deleted everything in that folder (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile), and was on Windows 10.

please do not forget to rate.

I have tried deleting everything in that folder and copied my XML profile again; still the same problem.

 

 EAP

May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Stopping timer to wait for auth message
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Processing AnyConnect EAP ack response
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Generating AnyConnect EAP success request
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Sending AnyConnect EAP success status message
May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Building packet for encryption.
Payload contents:
 EAP

May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Sending Packet [To 192.168.1.101:49577/From 192.168.1.1:4500/VRF i0:f0]
Initiator SPI : B1A3CEDADBB3A7BB - Responder SPI : 7D7035042731B2FF Message id: 4
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

May 18 21:19:22.187: IKEv2:(SESSION ID = 35,SA ID = 1):Starting timer (90 sec) to wait for auth message

May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Received Packet [From 192.168.1.101:49577/To 192.168.1.1:4500/VRF i0:f0]
Initiator SPI : B1A3CEDADBB3A7BB - Responder SPI : 7D7035042731B2FF Message id: 5
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 AUTH

May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Stopping timer to wait for auth message
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Send AUTH, to verify peer after EAP exchange
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Verify peer's authentication data
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Use preshared key for id *$AnyConnectClient$*, key len 64
May 18 21:19:22.195: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
May 18 21:19:22.195: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Verification of peer's authenctication data PASSED
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Processing INITIAL_CONTACT
May 18 21:19:22.195: IKEv2:Using mlist AAA_AUTHORIZATION_NETWORK and username test for group author request
May 18 21:19:22.195: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
May 18 21:19:22.195: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
May 18 21:19:22.195: IKEv2-ERROR:AAA authorization request failed
May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1):AAA group authorization failed

May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1):
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Verification of peer's authentication data FAILED
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Sending authentication failure notify
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Building packet for encryption.
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)

May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Sending Packet [To 192.168.1.101:49577/From 192.168.1.1:4500/VRF i0:f0]
Initiator SPI : B1A3CEDADBB3A7BB - Responder SPI : 7D7035042731B2FF Message id: 5
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Auth exchange failed
May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 35,SA ID = 1):: Auth exchange failed
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Abort exchange
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Deleting SA
May 18 21:19:22.199: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
May 18 21:19:22.199: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

 

May 18 21:19:22.195: IKEv2-ERROR:AAA authorization request failed
May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 35,SA ID = 1):: Auth exchange failed

 

Probably a successful authentication, but authorization has still failed.

 

Have a look at the post below:

https://community.cisco.com/t5/security-documents/flexvpn-ikev2-eap-secure-connection-between-iphone-ipad-and-a/ta-p/3136285

please do not forget to rate.
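Added example (not from the thread): a Python triage helper that reads "debug crypto ikev2" lines in the format shown above and, per SA ID, tells apart "credentials rejected" from "credentials accepted but AAA group authorization failed", which is the case the client's generic AnyConnect error hides. The sample lines are constructed to mirror the excerpt; SAMPLE_DEBUG and classify_ikev2_debug are names chosen for this example.

```python
import re

SA_RE = re.compile(r"SA ID = (\d+)")
PEER_RE = re.compile(r"Received Packet \[From ([\d.]+:\d+)")
AUTHOR_RE = re.compile(r"Using mlist (\S+) and username (\S+) for group author request")

# Constructed excerpt in the format of 'debug crypto ikev2' output, mirroring the
# sequence in the thread: AUTH verified, then the AAA group authorization fails.
SAMPLE_DEBUG = """\
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Received Packet [From 192.168.1.101:49577/To 192.168.1.1:4500/VRF i0:f0]
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Verify peer's authentication data
May 18 21:19:22.195: IKEv2:(SESSION ID = 35,SA ID = 1):Verification of peer's authentication data PASSED
May 18 21:19:22.195: IKEv2:Using mlist AAA_AUTHORIZATION_NETWORK and username test for group author request
May 18 21:19:22.195: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
May 18 21:19:22.195: IKEv2-ERROR:AAA authorization request failed
May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1):AAA group authorization failed
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Verification of peer's authentication data FAILED
May 18 21:19:22.199: IKEv2:(SESSION ID = 35,SA ID = 1):Sending authentication failure notify
May 18 21:19:22.199: IKEv2-ERROR:(SESSION ID = 35,SA ID = 1):: Auth exchange failed
"""


def classify_ikev2_debug(text):
    """Group debug lines by SA ID and decide, per SA, whether the peer's
    credentials were rejected or accepted and then refused by AAA authorization."""
    sas, current = {}, None
    for line in text.splitlines():
        if m := SA_RE.search(line):
            current = m.group(1)
        if current is None:  # lines seen before any SA ID is known
            continue
        # Lines without an SA ID (e.g. the 'Using mlist' line) belong to the
        # most recently seen SA; SESSION ID is ignored because it flips to 0
        # on the error lines while SA ID stays stable.
        sa = sas.setdefault(current, {"peer": None, "username": None, "mlist": None,
                                       "auth_passed": False, "authz_failed": False,
                                       "auth_failed": False})
        if m := PEER_RE.search(line):
            sa["peer"] = m.group(1)
        if m := AUTHOR_RE.search(line):
            sa["mlist"], sa["username"] = m.groups()
        if "authentication data PASSED" in line:
            sa["auth_passed"] = True
        if "AAA group authorization failed" in line:
            sa["authz_failed"] = True
        if "Auth exchange failed" in line or "authentication data FAILED" in line:
            sa["auth_failed"] = True
    for sa in sas.values():
        # IOS reports 'authentication data FAILED' after an authz failure too,
        # so the authorization check has to win over the generic failure.
        if sa["auth_passed"] and sa["authz_failed"]:
            sa["verdict"] = "authorization failed"
        elif sa["auth_failed"]:
            sa["verdict"] = "authentication failed"
        else:
            sa["verdict"] = "no failure recorded"
    return sas
```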

What can make authorization fail and authentication successful?

 

It's using the local DB for AAA. I made sure the username and password are correct on the router.

 

However, when I enter these details at the AnyConnect credential prompt (after accepting the self-signed certificate warning),

 

I get this error.

Thank you very much, this is very helpful!
