04-16-2019 08:06 AM - edited 04-16-2019 08:06 AM
Hi all,
I configured my router the same way as in FlexVPN: AnyConnect IKEv2 Remote Access with AnyConnect-EAP.
I have two problems.
1. I cannot access the internal web by browser when I use an iPhone or iPad (I tried other iOS versions, 11 to 12). But I can access the internal web by IP address. I tried with Android and it's OK.
2. With some Wi-Fi networks, Cisco AnyConnect was connected, but I cannot access the internal network with any device. I checked the IP address; it's not a duplicate.
Has anyone seen these problems?
I hope you can help me with this case.
Thanks
Phan
04-16-2019 08:15 AM
04-16-2019 07:36 PM - edited 04-17-2019 06:53 PM
Here is my configuration in the attached file, and the command:
vpn#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.254.1/4500 192.168.1.50/63621 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:20, Auth sign: RSA, Auth verify: AnyConnect-EAP
Life/Active Time: 86400/33 sec
CE id: 1502, Session-id: 320
Status Description: Negotiation done
Local spi: 9B29687F83E1DA89 Remote spi: C00225B75E37F290
Local id: 192.168.254.1
Remote id: *$AnyConnectClient$*
Remote EAP id: test
Local req msg id: 0 Remote req msg id: 7
Local next msg id: 0 Remote next msg id: 7
Local req queued: 0 Remote req queued: 7
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is detected outside
Cisco Trust Security SGT is disabled
Assigned host addr: 172.31.254.97
Initiator of SA : No
IPv6 Crypto IKEv2 SA
Thanks
Phan
04-17-2019 02:43 AM
Hi,
Is the configuration you uploaded the latest and accurate?
In your IKEv2 Profile configuration, you have defined vanphong as the authorization profile, which does not exist. The name of your authorization policy is ikev2-auth-policy. You should change this IKEv2 Profile; then you should receive the DNS configuration, the remote route, etc. as defined.
crypto ikev2 profile vanphong
 aaa authorization group anyconnect-eap list a-eap-author-grp vanphong
crypto ikev2 authorization policy ikev2-auth-policy
 pool quantri
 dns 192.168.254.1
 netmask 255.255.255.224
 aaa attribute list AAA-attr
 route set remote ipv4 192.168.253.0 255.255.255.0
HTH
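A static check for the mismatch described in this reply, as an added example that is not part of the original post or any Cisco tool: it lists IKEv2 profiles whose `aaa authorization` line names a policy that has no `crypto ikev2 authorization policy` section. It assumes the authorization list resolves locally and that the input keeps `show running-config` indentation; the function name `dangling_policy_refs` and the `CORRECTED` variant are constructed for illustration.

```python
import re

# Config excerpt quoted in the reply above (sub-command indentation restored).
QUOTED = """\
crypto ikev2 profile vanphong
 aaa authorization group anyconnect-eap list a-eap-author-grp vanphong
crypto ikev2 authorization policy ikev2-auth-policy
 pool quantri
 dns 192.168.254.1
 netmask 255.255.255.224
 aaa attribute list AAA-attr
 route set remote ipv4 192.168.253.0 255.255.255.0
"""

# Constructed variant: the profile now names the policy that is defined.
CORRECTED = QUOTED.replace("a-eap-author-grp vanphong",
                           "a-eap-author-grp ikev2-auth-policy")

SECTION = re.compile(r"crypto ikev2 (profile|authorization policy) (\S+)$")
AUTHZ = re.compile(
    r"aaa authorization (?:group|user)(?: override)? \S+ list (\S+)(?: (\S+))?")

def dangling_policy_refs(config):
    """Return (profile, policy) pairs where a profile names an undefined policy."""
    defined = {"default"}   # IOS ships a built-in policy named "default"
    refs, profile = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():        # top-level line closes any open section
            profile = None
            m = SECTION.match(line)
            if m and m.group(1) == "profile":
                profile = m.group(2)
            elif m:
                defined.add(m.group(2))
            continue
        m = AUTHZ.match(line)
        # name-mangler derives the name at run time: nothing static to check
        if profile and m and m.group(2) not in (None, "name-mangler", "password"):
            refs.append((profile, m.group(2)))
    return [(p, n) for p, n in refs if n not in defined]

if __name__ == "__main__":
    for label, cfg in (("quoted", QUOTED), ("corrected", CORRECTED)):
        print(label, dangling_policy_refs(cfg))
```
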
04-17-2019 06:45 PM - edited 04-20-2019 07:46 PM
Thanks RJI,
I deleted some profiles and kept the profile for mobile in my configuration, so it already has this profile. I have uploaded my configuration again.
crypto ikev2 profile vanphong
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TP
 aaa authentication anyconnect-eap a-eap-authen
 aaa authorization group anyconnect-eap list a-eap-author-grp vanphong
 aaa accounting anyconnect-eap a-eap-acc
 virtual-template 300
crypto ikev2 authorization policy vanphong
 pool vanphong
 dns 192.168.254.1
 netmask 255.255.255.224
 aaa attribute list AAA-attr
 route set remote ipv4 192.168.253.0 255.255.255.0
ip local pool vanphong 172.31.254.65 172.31.254.127
Note: the VPN connected and was assigned an IP address, the same as in the command I showed above: show crypto ikev2 sa detail
Thanks
Phan
04-23-2019 08:41 PM
Hi RJI,
Do you have any comment?
Thanks,
Phan