cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1391
Views
0
Helpful
17
Replies

FlexVPN with built-in clients

johankrug
Level 1
Level 1

Hello all,

 

I'm trying to set up my ISR4321 running IOS XE 17.03.05 as a FlexVPN-server for Remote Access (RA) with various clients (Windows 10, Apple's iOS, Android, no AnyConnect), based on ikev2, without using client-side certificates. My current production-setup is based on a 1921, acting as a L2TP/IPSec-server, which I would like to upgrade. Unfortunately, I'm running into quite some issues.

My first issue is with the certification-side of things. If I understood correctly, a certificate is required on at least the VPN-server side. I'm struggeling with creating and/or importing the certificate. 

Can someone please point me in the right direction regarding the certification-side of things?

 

Thank you!

 

Kind regards,

 

Johan

17 Replies 17

johankrug
Level 1
Level 1

Modest bump.. Anyone that can help me with this issue?

crypto pki trustpoint VPN_TP
 enrollment terminal
 serial-number none
 fqdn CSR2.lab.net
 ip-address none
 subject-name cn=CSR2.lab.net,o=Default Company Ltd,ou=HQ,st=Zuid-Holland,c=NL
 subject-alt-name CSR2.lab.net
 revocation-check none
 rsakeypair VPN_KEY

you add SN and SAN to CSR and that OK 
the Cisco recommend use EKU 

  eku server-auth client-auth

in both Server and client  

aaa authorization network AAA_AUTHORIZATION_NETWORK local
crypto ikev2 profile ikev2profile
 match identity remote address 10.0.10.0 255.255.255.0
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPN_TP
 aaa authorization group cert list xxxxxx
 virtual-template 1

first we use remote and local auth rsa-sig so no need more aaa auth under ikev2 profile 
second the aaa authorization use aaa local, so use AAA_AUTHORIZATION_NETWORK as methods 
MHM