FlexVPN with built-in clients

johankrug
Level 1

Hello all,
I'm trying to set up my ISR4321 running IOS XE 17.03.05 as a FlexVPN-server for Remote Access (RA) with various clients (Windows 10, Apple's iOS, Android, no AnyConnect), based on ikev2, without using client-side certificates. My current production-setup is based on a 1921, acting as a L2TP/IPSec-server, which I would like to upgrade. Unfortunately, I'm running into quite some issues.

My first issue is with the certification-side of things. If I understood correctly, a certificate is required on at least the VPN-server side. I'm struggling with creating and/or importing the certificate.

Can someone please point me in the right direction regarding the certification-side of things?

Thank you!

Kind regards,

Johan

17 Replies

johankrug
Level 1

Modest bump... Anyone who can help me with this issue?

crypto pki trustpoint VPN_TP
 enrollment terminal
 serial-number none
 fqdn CSR2.lab.net
 ip-address none
 subject-name cn=CSR2.lab.net,o=Default Company Ltd,ou=HQ,st=Zuid-Holland,c=NL
 subject-alt-name CSR2.lab.net
 revocation-check none
 rsakeypair VPN_KEY

You add the SN and SAN to the CSR, and that is OK.
Cisco recommends using EKU:

  eku request server-auth client-auth

in both the server and the client.

aaa authorization network AAA_AUTHORIZATION_NETWORK local
crypto ikev2 profile ikev2profile
 match identity remote address 10.0.10.0 255.255.255.0
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPN_TP
 aaa authorization group cert list xxxxxx
 virtual-template 1

First, we use remote and local auth rsa-sig, so no more AAA auth is needed under the IKEv2 profile.
Second, the AAA authorization uses local AAA, so use AAA_AUTHORIZATION_NETWORK as the method list.
MHM
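The CA-side half of the terminal enrollment that the VPN_TP trustpoint above sets up, as an added example that is not part of this thread and not Cisco's own tooling: a constructed throwaway OpenSSL CA stands in for the real CA, an OpenSSL-generated CSR stands in for the one the router prints after `crypto pki enroll VPN_TP`, the CA signs it with the SAN and the server-auth plus client-auth EKU recommended in the reply, and the result is checked for chain, EKU and SAN before it would be pasted back with `crypto pki import VPN_TP certificate`. Assumed: the FQDN CSR2.lab.net and subject fields from the thread, a local `openssl` binary, and the router-side command names quoted in the comments, which are standard IOS XE PKI commands shown for orientation only.

```shell
#!/bin/sh
# Added example: CA-side simulation of terminal enrollment for the VPN_TP
# trustpoint from the thread. The CA and the CSR are constructed stand-ins;
# on a real deployment the CSR is what the router prints after
# 'crypto pki enroll VPN_TP' and the CA is the enterprise CA.
set -e
WORK=$(mktemp -d)
FQDN=CSR2.lab.net

# Constructed test CA. Its certificate is what you would paste into
# 'crypto pki authenticate VPN_TP' on the router.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Lab Test CA/O=Default Company Ltd/C=NL" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Stand-in for the router's CSR. On the router the keypair comes from
# 'crypto key generate rsa label VPN_KEY modulus 2048' and the CSR from
# 'crypto pki enroll VPN_TP', using the subject-name set on the trustpoint.
make_router_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$FQDN/O=Default Company Ltd/OU=HQ/ST=Zuid-Holland/C=NL" \
    -keyout "$WORK/router.key" -out "$WORK/router.csr" 2>/dev/null
}

# Sign the CSR, adding the SAN and the server-auth plus client-auth EKU
# that the reply above recommends for the IKEv2 server certificate.
sign_router_csr() {
  cat > "$WORK/vpn.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$FQDN
EOF
  openssl x509 -req -days 30 -in "$WORK/router.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/vpn.ext" -out "$WORK/router.pem" 2>/dev/null
}

# Pre-import checks: the chain validates against the CA, both EKU purposes
# are present, and the SAN carries the FQDN the clients will connect to.
# Prints "ok" on success; otherwise prints the name of the first failing
# check and returns 1.
check_router_cert() {
  cert=$1; ca=$2; fqdn=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo chain; return 1; }
  txt=$(openssl x509 -in "$cert" -noout -text)
  echo "$txt" | grep -q 'TLS Web Server Authentication' || { echo eku-server; return 1; }
  echo "$txt" | grep -q 'TLS Web Client Authentication' || { echo eku-client; return 1; }
  echo "$txt" | grep -q "DNS:$fqdn" || { echo san; return 1; }
  echo ok
}

# Full run: CA, CSR, signing, checks. Echoes the check result.
run_enrollment_demo() {
  make_test_ca
  make_router_csr
  sign_router_csr
  check_router_cert "$WORK/router.pem" "$WORK/ca.pem" "$FQDN"
}

run_enrollment_demo
```

The check step is the part worth keeping for production: a certificate signed from a template that drops the EKU or the SAN imports fine on the router but the built-in clients then reject the server identity, and that failure only shows up at IKE_AUTH time on the client side.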