Configuring Cisco 1700 as VPN Concentrator for Cisco Anyconnect

Grant Curell
Level 1

Attached is the full configuration for the router. Additional configuration includes forwarding ports 443 (both tcp/udp), udp 4500, udp 500, and udp 50 to 192.168.1.20.

 

Objective: Configure a Cisco 1700 router as a VPN server, which a Cisco Anyconnect client will VPN into. The VPN server is behind a NAT.

 

Question 1: Does the Cisco Anyconnect client pull its entire configuration from the router? Do I just need to point at the right IP address and hit connect and it will figure out the rest? If not, what additional client-side configuration needs to be done? I noticed it tries to connect over port 443 to my router, but I'm not really sure why and I know my router isn't listening on that port so I know I'm missing something :-D.

 

Question 2: What features specifically comprise easy vpn server? I'm confused as to exactly what it is. From what I can tell when you configure easy vpn server you're just configuring a regular VPN.

 

Question 3: Does Cisco Easy VPN Remote have anything to do with Cisco Anyconnect or are they completely separate?

 

Sorry about the newbie questions. It's really hard to understand the different systems and features on this one and the vast majority of the examples I found dealt with router to router VPNs rather than configurations just meant for end user computers, but I'll be the first to admit I'm new to this hahaha.

Thanks for your help.

PS: Any feedback on misconfigs is welcome. I'm still trying to understand fully exactly what each command does.

Grant

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Grant, 

 

Anyconnect can only do SSLVPN or IPsec (with IKEv2); ezvpn is all about IKEv1, so it will not work.

There are (3rd party) clients which will be able to connect to ezvpn, along with legacy Cisco VPN client, but AC is not that. 

BTW .... it's not UDP/50, it's IP protocol 50 (and/or sometimes 51) - ESP (and/or AH).

You do not need TCP and UDP 443 for IPsec, but you might need them for SSL. 

And seriously... 1700 series? Wow, that's some 'retro' kit  :-) Support finished 6 years ago.

M.
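
The distinction drawn in the answer above (ESP is IP protocol 50, not UDP port 50), shown as an added example that is not part of the original thread: a classifier that reads the protocol byte of the IPv4 header and only then looks at ports. It goes slightly beyond the post by also handling UDP 4500 payloads per RFC 3948; the packets, the source address 203.0.113.5 and the label strings are constructed for illustration.

```python
import struct

# IANA IP protocol numbers: carried in byte 9 of the IPv4 header, not in a port field.
TCP, UDP, ESP, AH = 6, 17, 50, 51

def ipv4(proto, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([203, 0, 113, 5]), bytes([192, 168, 1, 20])) + payload

def l4(dport, body=b"", sport=40000):
    """Constructed 8-byte transport header; TCP and UDP both start with src/dst port."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

def classify(pkt):
    """Name the VPN traffic type of one IPv4 packet addressed to the VPN server."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]
    if proto == ESP:
        return "esp"                   # no ports at all: a UDP/TCP port forward cannot match it
    if proto == AH:
        return "ah"
    if proto not in (TCP, UDP) or len(pkt) < ihl + 8:
        return "other"
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if proto == TCP:
        return "tls-443" if dport == 443 else "other"
    body = pkt[ihl + 8:]               # UDP payload
    if dport == 500:
        return "ike"
    if dport == 443:
        return "dtls-443"
    if dport == 4500:                  # NAT traversal port (RFC 3948)
        if body == b"\xff":
            return "natt-keepalive"
        if body[:4] == b"\x00" * 4:    # non-ESP marker precedes IKE messages
            return "ike-natt"
        return "esp-in-udp"            # otherwise the first 4 bytes are the ESP SPI
    return "other"                     # includes UDP port 50, which is not ESP
```

With the server behind NAT, as in the question, IPsec data normally arrives as `esp-in-udp` on UDP 4500 rather than as native protocol 50.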

 

 

The Anyconnect client should pull down its configuration from the router, right? If I understand correctly, it should pull from the config from the client settings.

Grant

 

You had another post in this forum about using crypto map on a 1700. Am I correct in assuming that this question and that question are related?

 

You are correct that the AnyConnect client is designed to pull its config from the device that terminates the VPN. I agree with Marcin that the 1700 is pretty old for supporting this type of VPN. I have done lots of site to site VPN on 1700 routers and it worked quite well for that. But I am not familiar with 1700 supporting AnyConnect based Remote Access VPN. Do you have sources that indicate that AnyConnect VPN is supported on 1700 routers?

 

HTH

 

Rick


I'll double check tomorrow, but when I started this I looked it up and the feature navigator said my IOS supported easy vpn server, which I assumed meant it supported Cisco easy vpn. From what I could then figure out, Cisco easy VPN is no longer in service and was replaced by Anyconnect. Since I couldn't find anything concrete on the subject, I assumed Anyconnect would work with easy VPN server. Though I realized today that easy VPN server seems to be a GUI application rather than something configured on the CLI. By the way, thanks for the help. Things are coming together, but understanding IPsec, ISAKMP, all the features of IOS, etc. has been a very steep learning curve lol. The overloaded terminology was particularly confusing at first.

Grant, 

 

ezvpn is very much alive and supported, but it's an IKEv1-based technology.

Anyconnect, however, will not work with it; it's using SSL or IKEv2 only.

 

ezvpn is a blanket term for remote access VPNs, whether hardware or software endpoints connecting in a framework (typically) with authentication using xauth ("user" authentication). It can be configured using crypto maps or DVTI. 

 

M.

That's helpful to know that ezvpn is just a blanket term for a remote access VPN. In the documentation that was unclear. I just picked up an 866vae and I'm going to try it with that. It very well might be possible to support a remote access VPN on the 1700, but I just can't find any documentation for it and none of the commands match up. I can't tell what version of IKE it is using, but I assume it's just implicitly v1. I'll just wait for the new router and give it a go on that one.

Grant, 

IKEv2 is a tad more complicated; you might want to start with AC + sslvpn instead.

M.
