FlexVPN without using certificates

shamax_1983
Level 3

Hi All,

Is there a way we can use AnyConnect VPN clients with FlexVPN without the certificate based authentication (like in old Cisco VPN clients using Group Key)?

Is there a way to use the Cisco router itself as the CA without getting an external Windows server involved in the whole setup (with FlexVPN setup + AnyConnect)?

Thanks in Advance !

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Shamal,

Have a look at the doc I wrote earlier:

https://supportforums.cisco.com/docs/DOC-23967

(a proper document will be published on CCO during the next couple of weeks)

The RFC for IKEv2 mentions that if you will use EAP you MUST use certificate authentication.

Yes, an IOS router can act as an IOS CA and FlexVPN headend, although you present yourself with a problem of single point of failure.

Note that you will need to authenticate and enroll the trustpoint on your headend/CA as though it were an external device.

M.


7 Replies

Hi Marcin,

Thanks so much for your explanation. Just one small thing to clarify here,

When you say if you will use EAP..

"The RFC for IKEv2 mentions that if you will use EAP you MUST use certificate authentication."

what are my other options here ?

Thanks

Shamal

Hi Marcin,

I tried to configure as per your doco. The AnyConnect client seems to be trying to connect to the FlexVPN server (router) using SSL, not IKEv2. Is there any way we can force it to use IKEv2? Or does the client first try SSL and then IKEv2?

Thanks for your support

Shamal

Shamal,

When using IOS as headend there is no need to use SSL during initial connect, with the caveat that profile NEEDS to be provisioned to client out of band.

Now once the profile is there, you need to make sure that it's being called - i.e. provide the hostname of the gateway you are trying to connect to.

In my documentation it was:

bsns-1941-4.cisco.com

So this is what I used as the destination of my connection. AnyConnect will look up the profile based on the tag.

Regarding EAP, currently we are limited to non-tunneled EAP methods on AnyConnect VPN.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html

EAP methods: MD5, GTC, and MSCHAPv2

But if you go with the method I provided

    true
    IKE-RSA

there is no need to use EAP. However you CAN use it.

M.
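A quick check of the profile condition Marcin describes, added here as an example (it is not code from the thread or from Cisco): it parses a constructed AnyConnect client profile and reports, for the gateway name typed into the client, whether a HostEntry matches and whether that entry selects IKEv2 with the configured IKE auth method or leaves the client on SSL. The matching rule is a simplified assumption about the lookup the reply describes, and the sample profile's second entry is made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample AnyConnect client profile. The gateway name is the one
# quoted in the thread; the second HostEntry and everything else is made up
# for illustration. Element names follow the AnyConnect profile schema.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>bsns-1941-4.cisco.com</HostName>
      <HostAddress>bsns-1941-4.cisco.com</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>ssl-gw.example.com</HostName>
      <HostAddress>ssl-gw.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def check_profile(profile_xml, host):
    """Report how the client would treat a connection to `host`.

    Simplified model (an assumption, not Cisco's algorithm): the typed name
    must match a HostEntry by HostName or HostAddress; a match whose
    PrimaryProtocol is IPsec means IKEv2 with the listed IKE auth method,
    anything else falls back to SSL."""
    root = ET.fromstring(profile_xml)
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        names = {entry.findtext("ac:HostName", "", NS),
                 entry.findtext("ac:HostAddress", "", NS)}
        if host not in names:
            continue
        proto = entry.find("ac:PrimaryProtocol", NS)
        if proto is None or (proto.text or "").strip() != "IPsec":
            return {"matched": True, "protocol": "SSL", "auth": None}
        method = proto.findtext(
            "ac:StandardAuthenticationOnly/ac:AuthMethodDuringIKENegotiation",
            "", NS).strip()
        return {"matched": True, "protocol": "IKEv2", "auth": method or None}
    # No HostEntry matched: the client has no IPsec hint and stays on SSL.
    return {"matched": False, "protocol": "SSL", "auth": None}
```

Run `check_profile(SAMPLE_PROFILE, "bsns-1941-4.cisco.com")` to see the IKEv2/IKE-RSA result, and try an unlisted name to see why the client would silently stay on SSL.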

Would someone be able to confirm if using a RADIUS server is possible without using certificates for FlexVPN hub and spoke? This is for Cisco routers at remote sites...

Sent from Cisco Technical Support iPad App

Lee,

If you're planning to use RADIUS for authorization only there is no need to use certificates in authentication.

In fact you don't need to use RADIUS (for authorization), you can use local AAA.

http://www.cisco.com/en/US/products/ps12922/products_tech_note09186a0080bf9d4e.shtml

M.

Ok, great thanks for the confirmation.... Planning on using PSK for remote routers auth and for the headend router auth.... With RADIUS to manage the PSKs for remotes... So headend proxies to RADIUS to auth remotes.... Was thinking that a cert would be needed at headend.... Glad that it isn't!

Cheers, Lee

Sent from Cisco Technical Support iPad App