Flex VPN server(Hub and Spoke) for windows client or anyconnect

tanyatamir53355
Level 1

Hi,

I am using this FlexVPN "Hub to Spoke" configuration for my home lab hub router. It is using a keyring pre-shared key, and AAA is done locally.

This works fine when the client is a router.

However, I want to modify this so that remote clients (Windows or even AnyConnect) can become spokes.

Using username and password for authentication is preferred as opposed to certificates (whichever is easier).

Many thanks in advance!

Loopback 192.168.10.1/24 (emulates LAN)----HUB (Cisco 2921)---->gig0/0<----ISP router

hostname FLEX-SERVER
!
aaa new-model
aaa authorization network IKE_LIST local
!
crypto ikev2 authorization policy default
 route set access-list PROTECTED_ACL
!
crypto ikev2 keyring ANY
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
crypto ikev2 profile FLEX_SERVER_PROF
 match identity remote address 0.0.0.0
 identity local address 10.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local ANY
 aaa authorization group psk list IKE_LIST default
 virtual-template 1
!
crypto ipsec profile default
 set ikev2-profile FLEX_SERVER_PROF
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
ip access-list standard PROTECTED_ACL
 permit 192.168.10.0 0.0.0.255

3 Replies

Everything is easy to follow except step 2, creating the trustpoint. I have no experience in setting certificates up and have tried different resources; can you tell me how and why we need this step? The example uses a Pkcs11 file import stored in the flash?
How do I make this PKCS file? I know how to place it in the flash.

However, all other steps are fully understood.

Sorry for this.

Many thanks

@Rob Ingram 
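The trustpoint step exists because the FlexVPN profile for AnyConnect/Windows clients uses `authentication local rsa-sig`: the clients authenticate with EAP (username and password), but the router still has to prove its own identity to them with a certificate, and `pki trustpoint` is where that certificate and its private key live. The following is an added example, not part of this thread or the guide it refers to, showing how to produce that certificate as a PKCS#12 bundle with OpenSSL so it can be imported into an IOS trustpoint. The hostname `vpn.example.test`, the file names, the 2048-bit key, the one-year validity and the export password are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the guide it refers to).
# Build a self-signed router identity as a PKCS#12 bundle that IOS can import
# into a trustpoint. Hostname, file names, key size, validity and the export
# password are assumptions for the example.
set -eu

# make_router_p12 <outdir> <cn> <san> <export-password>
#   cn  : what clients type into the VPN server field, e.g. vpn.example.test
#   san : matching SAN entry, "DNS:vpn.example.test" or "IP:203.0.113.10"
# Prints the number of certificates found when the bundle is re-opened (1).
make_router_p12() {
    dir=$1; cn=$2; san=$3; pw=$4
    mkdir -p "$dir"

    # 1. Private key and self-signed certificate in one step. The SAN must
    #    match what the client connects to, and the certificate needs the
    #    serverAuth EKU, otherwise AnyConnect / the Windows IKEv2 client
    #    rejects the gateway identity.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$dir/ikev2-tp.key" -out "$dir/ikev2-tp.crt" \
        -subj "/CN=$cn" \
        -addext "subjectAltName=$san" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "keyUsage=digitalSignature,keyEncipherment" 2>/dev/null

    # 2. Wrap key + certificate as PKCS#12. OpenSSL 3 defaults to AES-256-CBC
    #    and a SHA-256 MAC, which older IOS images cannot parse; force the
    #    PBE-SHA1-3DES / SHA-1 algorithms the router understands. The password
    #    is the one given to "crypto pki import ... pkcs12 ... password".
    openssl pkcs12 -export \
        -in "$dir/ikev2-tp.crt" -inkey "$dir/ikev2-tp.key" \
        -name "IKEv2-TP" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pw" -out "$dir/ikev2-tp.p12"

    # 3. Sanity check: re-open the bundle with the password and count the
    #    certificates it holds (exactly one: the router identity).
    openssl pkcs12 -in "$dir/ikev2-tp.p12" -passin "pass:$pw" -nokeys \
        | grep -c 'BEGIN CERTIFICATE'
}
```

Copy `ikev2-tp.p12` to flash and import it with `crypto pki import IKEv2-TP pkcs12 flash:ikev2-tp.p12 password <export-password>`; IOS creates the trustpoint, the RSA key pair and the certificate chain from the bundle, and the IKEv2 profile then references it with `pki trustpoint IKEv2-TP`. Because nothing signed this certificate, the Windows machine certificate store or the AnyConnect client has to trust it explicitly (import `ikev2-tp.crt` there), and the name the client connects to must be the one in the SAN.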

 

Hi Rob, I am getting a policy match error on the Windows client, and on AnyConnect "The cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect".

I have been banging my head trying to resolve this... please help!

P.S. "The certificate issue: the CSR was manually created and self-signed using OpenSSL, then imported to the router in p12 format, so that's all resolved."

Here is the router config:

hostname Router
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
!
aaa session-id common
!
ip cef
!
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint IKEv2-TP
 revocation-check crl
 rsakeypair IKEv2-TP
!
crypto pki certificate chain IKEv2-TP
 certificate ca 6ED5B23B7D6CE1BC22DA7F659F5E9AF5E2D85344
  3082033F 30820227 02146ED5 B23B7D6C E1BC22DA 7F659F5E 9AF5E2D8 5344300D
  06092A86 4886F70D 01010B05 00305C31 0B300906 03550406 13024742 310F300D
  06035504 080C064C 6F6E646F 6E310F30 0D060355 04070C06 4C6F6E64 6F6E3113
  30110603 55040A0C 0A546168 61205975 73756631 16301406 03550403 0C0D3930
  2E323231 2E313331 2E333230 1E170D32 31303531 31323230 3034345A 170D3232
  30353131 32323030 34345A30 5C310B30 09060355 04061302 4742310F 300D0603
  5504080C 064C6F6E 646F6E31 0F300D06 03550407 0C064C6F 6E646F6E 31133011
  06035504 0A0C0A54 61686120 59757375 66311630 14060355 04030C0D 39302E32
  32312E31 33312E33 32308201 22300D06 092A8648 86F70D01 01010500 0382010F
  00308201 0A028201 0100D623 A66EDF8A 449AFB81 91D200F3 9A1CF586 235EAEFF
  2140EA02 6A222325 522B4FE3 7C5C79C9 27065DC2 809D0507 88F8EBA9 92ED6D85
  BCB8ED6C 8BA005BC 522C88EE 7A598AE4 35FA4B73 3864E65F EC5EA0DA 022EFFBF
  B77336B6 E19C9D2E 0109DA05 73F18A46 44753E26 A83317EB F3091250 C92996B3
  DB45BF26 45592841 C1E84F2E 50A453AA 55DE4C66 39D10267 F230BF30 50A19EE8
  18C2C375 02E9ADD5 39B25FEA F8ED17F1 B9144479 1030F1B2 466616AD 5661AB7E
  3C53DA0A E4094FBD E3247F7C 11617E0C B24B5F20 ADEE54CA 8B1B23C3 3980BE81
  1A07132B EAA11DCC 633E99E0 2CDFC9D4 73B110A8 361FAC04 1C1FBF11 1F301C06
  A45CF299 7BD322F0 D7F10203 01000130 0D06092A 864886F7 0D01010B 05000382
  010100C6 4E69558E AC8DA5A7 A5756E6C F936850F EDCFA46D 803E2AEF 2E525042
  A889D9BC 1CEF312C 1AE80336 4A00C82F 58011E63 3724399F C184069C 44AC7C04
  50ACC22A B2B969E4 34013CA2 AAEC371B 79ECC7FB 1B10E5D9 A73E02EE 7B9C9A8B
  75102423 00556B35 30A1CCB5 1F17468E B9517123 32A089C1 2AD3F52B EC2A05A8
  2822DD12 13396792 1490F0D6 5826B25C 8086205C 63D613CF 3216D06E 4944169F
  E004090D 18EF33FE B4BB0432 11C738C3 0C2E6FB8 F0C34F14 3B57D89C DA7C51B2
  35260F8E 8F6ACDBB 657C26A4 802E3C55 715E86CE 55566B8D 0CB2DA1C 5870E4BB
  11F62E76 83EF4FF1 7DAB06B0 4C8AAB61 2838F493 E304203A B8CD8184 E3559400 247A11
  quit
!
license udi pid CISCO2921/K9 sn FCZ181960B7
!
username test password 0 cisco123
!
redundancy
!
crypto ikev2 authorization policy ikev2-auth-policy
 pool ACPOOL
 dns 10.0.1.1
!
crypto ikev2 proposal IKEv2-prop1
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEv2-pol
 proposal IKEv2-prop1
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication remote eap
 authentication local rsa-sig
 pki trustpoint IKEv2-TP
 aaa authentication eap a-eap-authen-local
 aaa authorization group eap list a-eap-author-grp ikev2-auth-policy
 aaa authorization user eap cached
 virtual-template 100
!
no crypto ikev2 http-url cert
!
crypto vpn anyconnect profile acvpn flash:/acvpn.xml
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AnyConnect-EAP
 set transform-set TS
 set ikev2-profile AnyConnect-EAP
!
interface Loopback100
 ip address 10.0.0.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-EAP
!
ip local pool ACPOOL 192.168.10.5 192.168.10.10
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
!