FlexVPN with built-in clients

johankrug
Level 1

Hello all,

 

I'm trying to set up my ISR4321 running IOS XE 17.03.05 as a FlexVPN-server for Remote Access (RA) with various clients (Windows 10, Apple's iOS, Android, no AnyConnect), based on ikev2, without using client-side certificates. My current production-setup is based on a 1921, acting as a L2TP/IPSec-server, which I would like to upgrade. Unfortunately, I'm running into quite some issues.

My first issue is with the certification-side of things. If I understood correctly, a certificate is required on at least the VPN-server side. I'm struggling with creating and/or importing the certificate.

Can someone please point me in the right direction regarding the certification-side of things?

 

Thank you!

 

Kind regards,

 

Johan

17 Replies

@johankrug yes you need a certificate configured for "local" authentication on the router. Which CA certificate signed that certificate on the router then needs to be imported into the certificate store on the computers.

What is your CA that has signed the router's certificate?

You could use these guides - https://www.cisco.com/c/en/us/support/docs/security/flexvpn/220471-configure-flexvpn-ikev2-for-windows-buil.html

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html

 

Hello Rob,

Thank you for your swift reply!

I followed this guide for the creation of a certificate. I guess that makes my certificate not signed by a CA.
Since on the clients (Windows, Apple iOS, etc), there's an option for authentication using username/password, I figured that it would be possible to use FlexVPN without client certificates, is that a wrong assumption?

I used snippets from those guides to configure my ikev2profile. However, the Windows 10 built-in client (based on username/password sign-in) tells me "IKE authentication credentials are unacceptable", which points to an error in the certificate used if I understood correctly. The log, however, tells me "Getting of cert chain for the trustpoint PASSED". However, it also tells me "Verification of peer's authentication data FAILED".

Any idea where this goes wrong?

Thanks!

MHM

@johankrug if you followed that guide, then that provides instructions on how to create the root certificate and an identity certificate for the router. That same root certificate that must be imported to the router (as well as the signed client certificate) must be imported into the client devices. The client devices can be configured to use EAP (username and password). Provide your configuration if you require further assistance.

If you can shed some light on my config, that'd be great!

 

!
! Last configuration change at 19:19:04 UTC Tue Dec 19 2023
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput level boost
!
hostname Diamond
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
aaa new-model
!
!
aaa authentication login AAA_AUTHENTICATION_LOGIN local
aaa authorization network AAA_AUTHORIZATION_NETWORK local
!
!
aaa attribute list attr-list1
 attribute type interface-config "ip mtu 1100"
 attribute type interface-config "tunnel key 10"
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name cinderella.local
ip dhcp excluded-address 10.17.123.0 10.17.123.100
!
ip dhcp pool LAN
 network 10.17.123.0 255.255.255.0
 default-router 10.17.123.1
 dns-server 10.0.10.10
 lease 20
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
no device-tracking logging theft
!
!
!
crypto pki server CA
 no database archive
 grant auto
 hash sha1
 eku server-auth client-auth
!
crypto pki trustpoint ecdh
 enrollment terminal
 revocation-check none
 eckeypair Diamond.cinderella.local
!
crypto pki trustpoint TP-self-signed-1843133077
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1843133077
 revocation-check none
 rsakeypair TP-self-signed-1843133077
!
crypto pki trustpoint VPN_TP
 enrollment terminal
 serial-number none
 fqdn CSR2.lab.net
 ip-address none
 subject-name cn=CSR2.lab.net,o=Default Company Ltd,ou=HQ,st=Zuid-Holland,c=NL
 subject-alt-name CSR2.lab.net
 revocation-check none
 rsakeypair VPN_KEY
!
!
!
crypto pki certificate map certmap1 1
 subject-name co cisco
!
crypto pki certificate map CERT_MAP 5
 issuer-name co lab-pki-ca
!
crypto pki certificate chain ecdh
crypto pki certificate chain TP-self-signed-1843133077
crypto pki certificate chain VPN_TP
 certificate 1002
        quit
 certificate ca 00
        quit
!
crypto pki certificate pool
 cabundle nvram:ios_core.p7b
!
!
no license feature hseck9
license udi pid ISR4321/K9 sn FDO193916ND
license boot suite AdvUCSuiteK9
memory free low-watermark processor 69063
!
!
!
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id

et-analytics
!
username cisco123 password 0 cisco123
username johan privilege 15 secret 9 <secret>
!
redundancy
 mode none
!
crypto ikev2 authorization policy ikev2-auth-policy
 pool ACPOOL
 dns 10.0.1.1
!
crypto ikev2 authorization policy windows-authorisation
 ipv6 pool VPN-2
 pool default
 dns 192.168.100.20 192.168.102.133
 def-domain my-domain.local
 pfs
 route set interface
!
crypto ikev2 authorization policy author-policy1
 pool pool1
 dhcp server 192.168.4.1
 dhcp giaddr 192.168.1.1
 dhcp timeout 10
 dns 10.1.1.1 10.1.1.2
 wins 192.168.1.2 192.168.1.3
 netmask 255.0.0.0
 banner C flexvpn server
 configuration url http://www.abc.com
 configuration version 10
 def-domain abc.com
 split-dns dns1
 split-dns dns2
 split-dns dns3
 backup-gateway gw1
 backup-gateway gw2
 backup-gateway gw3
 smartcard-removal-disconnect
 include-local-lan
 pfs
 aaa attribute list attr-list1
 route set access-list acl1
!
crypto ikev2 proposal FlexVPN
 encryption aes-cbc-128 aes-cbc-256 aes-cbc-192
 integrity sha256
 group 19
crypto ikev2 proposal HIGH
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 19
crypto ikev2 proposal LOW
 encryption aes-cbc-128 3des
 integrity sha1 md5
 group 5 2
crypto ikev2 proposal MEDIUM
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256 sha1
 group 16 14
crypto ikev2 proposal ikev2proposal
 encryption aes-cbc-128
 prf sha256
 integrity sha1
 group 19
!
crypto ikev2 policy ikev2policy
 match fvrf any
 proposal HIGH
 proposal MEDIUM
 proposal LOW
!
crypto ikev2 keyring WTI
 peer cisco
  description example.com
  address 0.0.0.0 0.0.0.0
  pre-shared-key xyz-key
 !
!
!
crypto ikev2 profile ikev2profile
 match identity remote address 10.0.10.0 255.255.255.0
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPN_TP
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group cert list winclient winclient_author
 virtual-template 1
!
!
!
!
!
class-map type inspect match-any accept
  description Default, match-all
 match access-group name accept4
class-map type inspect match-any outbound
  description Traffic bound for Internet
 match access-group name internet4
class-map type inspect match-all dns-inbound
 match access-group name dns-in
class-map type inspect match-all ICMP-cmap
 match access-group name ICMP
class-map type inspect match-all WAN-WWWaccess
 match access-group name WAN-WWWAccess
class-map type inspect match-all DHCP-outbound
 match access-group name dhcp-out
class-map type inspect match-all DHCP-inbound
 match access-group name dhcp-in
class-map type inspect match-all IPSEC-cmap
 match access-group name ISAKMP_IPSEC
!
policy-map type inspect router-services
 class type inspect ICMP-cmap
  pass
 class type inspect IPSEC-cmap
  inspect
 class type inspect DHCP-inbound
  pass
 class type inspect dns-inbound
  inspect
 class class-default
  drop
policy-map type inspect accept
 description Accept all (pass)
 class type inspect accept
  pass
 class class-default
  drop log
policy-map type inspect router
 description Traffic originating from the router
 class type inspect DHCP-outbound
  pass
 class type inspect accept
  inspect
 class class-default
  drop
policy-map type inspect outbound
 description Traffic bound for Internet
 class type inspect outbound
  inspect
 class class-default
  drop
policy-map type inspect LAN-services
 class type inspect ICMP-cmap
  inspect
 class type inspect WAN-WWWaccess
  inspect
 class class-default
  drop log
!
zone security LAN
 description Local Area Network
zone security WAN
 description Wide Area Network (Internet)
zone security VPN
 description VPN remote
zone security DMZ
 description DMZ services
zone-pair security LAN-Router source LAN destination self
 service-policy type inspect accept
zone-pair security LAN-VPN source LAN destination VPN
 service-policy type inspect accept
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect outbound
zone-pair security Router-LAN source self destination LAN
 service-policy type inspect accept
zone-pair security Router-VPN source self destination VPN
 service-policy type inspect accept
zone-pair security Router-WAN source self destination WAN
 service-policy type inspect router
zone-pair security VPN-LAN source VPN destination LAN
 service-policy type inspect accept
zone-pair security VPN-Router source VPN destination self
 service-policy type inspect accept
zone-pair security VPN-WAN source VPN destination WAN
 service-policy type inspect outbound
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect LAN-services
zone-pair security WAN-Router source WAN destination self
 service-policy type inspect router-services
zone-pair security WAN-VPN source WAN destination VPN
 service-policy type inspect router-services
!
!
!
!
!
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group group1
 key cisco123
 pool group1pool
 save-password
crypto isakmp profile vpn1-ra
   match identity group group1
   client authentication list local_list
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile test-vti1
 set transform-set VTI-TS
!
!
crypto map cmap 10 ipsec-isakmp
 set peer 166.130.98.152
 set security-association lifetime seconds 86400
 set transform-set TS
 set ikev2-profile ikev2profile
 match address SITE1-SITE2-CACL
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 ip address 10.0.10.60 255.255.255.0
 ip nat outside
 negotiation auto
 crypto map cmap
!
interface GigabitEthernet0/0/1
 ip address 10.17.123.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip local pool group1pool 192.168.1.1 192.168.1.4
ip local pool ACPOOL 192.168.10.5 192.168.10.10
ip http server
ip http authentication local
no ip http secure-server
ip http secure-trustpoint Diamond-CA
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0/0/0
ip nat inside source static tcp 10.17.123.10 3389 interface GigabitEthernet0/0/0 3389
ip nat inside source static udp 10.17.123.10 3389 interface GigabitEthernet0/0/0 3389
ip nat inside source static tcp 10.17.123.10 5001 interface GigabitEthernet0/0/0 5001
ip nat inside source list DYNAMIC-NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.10.10
ip route 0.0.0.0 0.0.0.0 172.18.143.1
!
!
ip access-list extended DYNAMIC-NAT
 10 permit ip 10.17.123.0 0.0.0.255 any
ip access-list extended ICMP
 10 permit icmp any any echo
 20 permit icmp any any echo-reply
 30 permit icmp any any traceroute
ip access-list extended ISAKMP_IPSEC
 10 permit udp any any eq isakmp
 20 permit ahp any any
 30 permit esp any any
 40 permit udp any any eq non500-isakmp
 50 permit udp any any eq 1701
ip access-list extended SITE1-SITE2-CACL
 10 permit ip 192.168.50.0 0.0.0.255 172.19.0.0 0.0.0.255
ip access-list extended WAN-WWWAccess
 10 permit tcp any host 10.17.123.10 eq 3389
 20 permit udp any host 10.17.123.10 eq 3389
 30 permit tcp any host 10.17.123.10 eq 5001
ip access-list extended accept4
 10 remark 0**************************0
 10 remark 0* Default IPv4 allow all *1
 10 remark 0**************************2
 10 permit ip any any
ip access-list extended dhcp-in
 10 permit udp any any eq bootpc
 20 permit udp any any eq bootps
ip access-list extended dhcp-out
 10 permit udp any any eq bootps
ip access-list extended dns-in
 10 permit tcp any any eq domain
ip access-list extended internet4
 10 remark 0************************0
 10 remark 0* Allowed IPv4 traffic *1
 10 remark 0************************2
 10 permit ip 10.17.0.0 0.0.255.255 any
 20 deny   ip any any
!
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 30
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp master 7
ntp server 185.51.192.61 prefer source GigabitEthernet0/0/0
!
!
!
!
!
!
end

 

Thanks again,

 

Johan


@johankrug

Where is "virtual-template 1" configuration?

You have configured your IKEV2 profile to reference a method list called "winclient" and an authorisation policy called "winclient_author", neither exist in your configuration.

And the IKEV2 profile is configured for rsa (cert) remote authentication, I thought you wanted to use un/pwd authentication?

I would look to start again and reconfigure from scratch and confirm you haven't missed anything else.

Yes, things got messy with trying out various configurations. Indeed it would be good to start from scratch.
I have to say that I'm still somewhat vague on the certificate-side of things. As MHM replied, I only need a certificate on the router-side. However, you stated that I need to import them on the clients as well. Am I right in stating that this depends on the configuration of the "authentication local" and "authentication remote" settings? When set "authentication remote rsa-sig", the VPN-server expects a signed certificate?

@johankrug you should import only the root certificate to the client machines to ensure mutual trust and avoid errors, this is so the server (router) authenticates itself to the client. This is "authentication local rsa" under the IKEv2 profile.

For the client authentication then this refers to "authentication remote eap....." under the IKEv2 profile.

Here are all the cisco FlexVPN guides - https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

 

Thank you. A bit less vague now.
Following your advice, I started from scratch. Imported the p12-certificate which I created using the tutorial I linked earlier, and applied various bits and pieces to my config:

 

aaa new-model
!
!
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
!
crypto pki trustpoint IKEv2-TP
 enrollment pkcs12
 revocation-check crl
 rsakeypair IKEv2-TP
!
crypto pki certificate chain IKEv2-TP
 certificate 1001
 <certificate here>
        quit
!
username test password 0 cisco123
!
crypto ikev2 authorization policy ikev2-auth-policy
 pool ACPOOL
 dns 10.0.1.1
 route set access-list split_tunnel
!
crypto ikev2 proposal HIGH
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 19
crypto ikev2 proposal IKEv2-prop1
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 proposal LOW
 encryption aes-cbc-128 3des
 integrity sha1 md5
 group 5 2
crypto ikev2 proposal MEDIUM
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256 sha1
 group 16 14
!
crypto ikev2 policy IKEv2-pol
 proposal IKEv2-prop1
 proposal HIGH
 proposal MEDIUM
 proposal LOW
!
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote address 10.0.10.0 255.255.255.0
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint IKEv2-TP
 aaa authentication eap a-eap-authen-local
 aaa authorization group eap list a-eap-author-grp ikev2-auth-policy
 aaa authorization user eap cached
 virtual-template 100
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AnyConnect-EAP
 set transform-set TS
 set ikev2-profile AnyConnect-EAP
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-EAP
!

 

I got a bit more luck now when connecting:

*Dec 20 13:45:07.038: IKEv2:(SESSION ID = 38,SA ID = 11):Get my authentication method
*Dec 20 13:45:07.038: IKEv2:(SESSION ID = 38,SA ID = 11):My authentication method is 'RSA'
*Dec 20 13:45:07.038: IKEv2:(SESSION ID = 38,SA ID = 11):Sign authentication data
*Dec 20 13:45:07.038: IKEv2:(SA ID = 11):[IKEv2 -> PKI] Getting private key
*Dec 20 13:45:07.039: IKEv2:(SA ID = 11):[PKI -> IKEv2] Getting of private key PASSED
*Dec 20 13:45:07.039: IKEv2:(SA ID = 11):[IKEv2 -> Crypto Engine] Sign authentication data
*Dec 20 13:45:07.075: IKEv2:(SA ID = 11):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Dec 20 13:45:07.075: IKEv2:(SESSION ID = 38,SA ID = 11):Authentication material has been sucessfully signed

 

Unfortunately, no luck with authentication:

*Dec 20 13:45:07.075: IKEv2:(SESSION ID = 38,SA ID = 11):Asking the authenticator to send EAP request
*Dec 20 13:45:07.076: IKEv2-ERROR:Address type 2147516386 not supported

*Dec 20 13:45:07.076: IKEv2:Received response from authenticator
*Dec 20 13:45:07.076: IKEv2:(SESSION ID = 38,SA ID = 11):Generating EAP request
*Dec 20 13:45:07.076: IKEv2:(SESSION ID = 38,SA ID = 11):Constructing IDr payload: '10.0.10.60' of type 'IPv4 address'
*Dec 20 13:45:07.076: IKEv2:(SESSION ID = 38,SA ID = 11):Building packet for encryption.
Payload contents:
VID IDr CERT CERT AUTH EAP

*Dec 20 13:45:07.077: IKEv2:(SESSION ID = 38,SA ID = 11):Sending Packet [To 10.0.10.120:4500/From 10.0.10.60:4500/VRF i0:f0]
Initiator SPI : 53E45F01EC2C9E19 - Responder SPI : AABF97489360DD96 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Dec 20 13:45:07.078: IKEv2:(SESSION ID = 38,SA ID = 11):Starting timer (90 sec) to wait for auth message
*Dec 20 13:45:16.865: IKEv2-ERROR:(SESSION ID = 37,SA ID = 10):: Failed to receive the AUTH msg before the timer expired
*Dec 20 13:45:16.865: IKEv2:(SESSION ID = 37,SA ID = 10):Verification of peer's authentication data FAILED
*Dec 20 13:45:16.865: IKEv2:(SESSION ID = 37,SA ID = 10):Sending authentication failure notify
*Dec 20 13:45:16.866: IKEv2:(SESSION ID = 37,SA ID = 10):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Dec 20 13:45:16.866: IKEv2:(SESSION ID = 37,SA ID = 10):Sending Packet [To 10.0.10.120:4500/From 10.0.10.60:4500/VRF i0:f0]
Initiator SPI : A4AAD3E0B72A538A - Responder SPI : 4AF2ED494B9811EE Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Dec 20 13:45:16.866: IKEv2:(SESSION ID = 37,SA ID = 10):Auth exchange failed
*Dec 20 13:45:16.866: IKEv2-ERROR:(SESSION ID = 37,SA ID = 10):: Auth exchange failed

 

It seems like this has something to do with the line "authentication remote eap..." in my profile. I tried "authentication remote eap query-identity" and "authentication remote eap", but the latter gives me errors on "Cannot use IP address as EAP identity".

 

I'm really struggling with finding guides/tutorials/configuration examples online. It seems like this is quite an unusual configuration, am I right?

 

Thanks again!
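Reading this kind of IKEv2 debug output gets easier once it is grouped by SESSION ID: the EAP request goes out on session 38 while the AUTH timeout and AUTHENTICATION_FAILED notify belong to the earlier session 37. The script below is an added example, not from the thread or from Cisco; its debug lines are constructed from the output quoted above, and the stage and failure markers it looks for are assumptions chosen from those same lines.

```python
import re

# Constructed IKEv2 debug lines modelled on the output quoted above (not a verbatim copy).
SAMPLE_DEBUG = """\
*Dec 20 13:45:07.038: IKEv2:(SESSION ID = 38,SA ID = 11):My authentication method is 'RSA'
*Dec 20 13:45:07.075: IKEv2:(SESSION ID = 38,SA ID = 11):Asking the authenticator to send EAP request
*Dec 20 13:45:07.076: IKEv2-ERROR:Address type 2147516386 not supported
*Dec 20 13:45:07.076: IKEv2:(SESSION ID = 38,SA ID = 11):Generating EAP request
*Dec 20 13:45:07.077: IKEv2:(SESSION ID = 38,SA ID = 11):Sending Packet [To 10.0.10.120:4500/From 10.0.10.60:4500/VRF i0:f0]
Payload contents:
ENCR
*Dec 20 13:45:07.078: IKEv2:(SESSION ID = 38,SA ID = 11):Starting timer (90 sec) to wait for auth message
*Dec 20 13:45:16.865: IKEv2-ERROR:(SESSION ID = 37,SA ID = 10):: Failed to receive the AUTH msg before the timer expired
*Dec 20 13:45:16.865: IKEv2:(SESSION ID = 37,SA ID = 10):Verification of peer's authentication data FAILED
*Dec 20 13:45:16.866: IKEv2:(SESSION ID = 37,SA ID = 10):Sending authentication failure notify
*Dec 20 13:45:16.866: IKEv2-ERROR:(SESSION ID = 37,SA ID = 10):: Auth exchange failed
"""

# "*<timestamp>: IKEv2[-ERROR]:(<context>):<message>"; continuation lines such as
# "Payload contents:" have no leading '*' and are skipped by parse_line().
LINE_RE = re.compile(r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): (?P<src>IKEv2(?:-ERROR)?):"
                     r"(?:\((?P<ctx>[^)]*)\))?:*\s*(?P<msg>.*)$")
SESSION_RE = re.compile(r"SESSION ID = (\d+)")

# Responder-side milestones of IKE_AUTH, in order; the last one seen for a session
# shows how far that exchange got. Markers are assumptions taken from the lines above.
STAGES = [
    ("signed-own-auth", "My authentication method is"),
    ("eap-request-sent", "Generating EAP request"),
    ("waiting-for-client-auth", "Starting timer"),
]
FAILURES = [  # first matching cause is kept, so the root cause precedes its consequences
    ("client never answered the EAP request", "Failed to receive the AUTH msg"),
    ("peer authentication data rejected", "Verification of peer's authentication data FAILED"),
]


def parse_line(line):
    """Split one debug line into timestamp, error flag, session id and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    s = SESSION_RE.search(m.group("ctx") or "")
    return {"ts": m.group("ts"), "error": m.group("src").endswith("ERROR"),
            "session": int(s.group(1)) if s else None, "msg": m.group("msg")}


def triage(text):
    """Per SESSION ID: furthest stage reached, first failure cause and error count.
    Error lines without session context (like the address-type error) come back separately."""
    sessions, unscoped = {}, []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["session"] is None:
            if rec["error"]:
                unscoped.append(rec["msg"])
            continue
        s = sessions.setdefault(rec["session"], {"stage": None, "failure": None, "errors": 0})
        for name, marker in STAGES:
            if marker in rec["msg"]:
                s["stage"] = name
        for cause, marker in FAILURES:
            if marker in rec["msg"] and s["failure"] is None:
                s["failure"] = cause
        s["errors"] += int(rec["error"])
    return sessions, unscoped


if __name__ == "__main__":
    found, loose = triage(SAMPLE_DEBUG)
    for sid, s in found.items():
        print(f"session {sid}: stage={s['stage']} failure={s['failure']} errors={s['errors']}")
    print("errors outside any session:", loose)
```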

@johankrug from memory local database authentication on older IOS versions was not initially supported, you might need 16.x, which your 1921 won't support. If not using local database authentication you can use RADIUS or local certificates.

Better still use an ASA or FTD for remote access VPN, there is much better support and community knowledge than FlexVPN RAVPN.

I'm trying to make this config work on my ISR4321 running IOS XE 17.03.05. Should be relatively new in terms of supported features, hence my wish to move to a IKEv2 VPN-server-config.

Plan B would be to move to ASA but I was hoping to make it work on the router...

@johankrug as you are using the windows native supplicant read the section on the windows client https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-cfg-flex-serv-0.html

 

Alright. So, if I understand correctly, "query-identity" is to be set, which queries the identity of the client. However, Windows replies with its IP-address and this is not a valid identity, so the authentication fails. When "query-identity" is not set, the identity won't be sent by Windows so the server will never know the identity and authentication fails. This is indeed the behaviour I'm experiencing. 

Is there no way around this? Does that mean that IOS-XE 17.x is simply not compatible with the Windows ikev2-client?