09-19-2021 08:43 AM
Hello Guys,
I moved from SSL VPN to IPsec VPN.
I verified the connection with the Cisco VPN client, but I have a question.
Is it possible to connect with AnyConnect to IPsec? When I try with the AnyConnect app for iOS I get an error: the cryptographic algorithms requested by the gateway are not supported by the AnyConnect app.
Please can you suggest what I have to change?
thank you
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network grouplist local
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group -group-
 key password
 domain internal
 pool VPN-POOL
 acl 182
!
crypto isakmp profile ip--group-
 match identity group -group-
 client authentication list userlist
 isakmp authorization list grouplist
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ip--group-
 set transform-set tr-aes-sha
 set isakmp-profile ip--group-
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ip--group-
access-list 182 remark # VPN Users #
access-list 182 permit ip 192.168.1.0 0.0.0.255 host 192.168.69.10
access-list 182 permit ip 192.168.1.0 0.0.0.255 host 192.168.69.11
access-list 182 permit ip 192.168.1.0 0.0.0.255 host 192.168.69.12
09-20-2021 02:55 AM
Diffie-Hellman (DH) groups 2, 5, 14, and 24 are deprecated as of AnyConnect 4.9.
You need an ISAKMP policy that includes one of the currently supported DH groups. Here's a list of them:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/feature/guide/anyconnect49features.html#pgfId-102311
(Groups 15-16 and 19-21 FYI)
09-19-2021 10:55 PM
- Possibly obsolete ciphers being offered; you may find this thread informational:
M.
09-20-2021 05:41 AM
SOLVED! Thank you guys.
Basically I went for this config taken from here https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html with some modifications in bold.
For AnyConnect on PC you need to make an AnyConnect profile; btw, the link above explains this.
aaa new-model
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
ip access-list standard split_tunnel
 permit 192.168.1.0 0.0.0.255
crypto ikev2 authorization policy ikev2-auth-policy
 pool VPN-POOL
 dns 192.168.1.1
 route set access-list split_tunnel
!
crypto ikev2 proposal Anyconnect-proposal
 encryption aes-cbc-256
 integrity sha512
 group 21
!
crypto ikev2 policy Anyconnect-policy
 proposal Anyconnect-proposal
!
crypto ikev2 profile AnyConnect-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TEST
 aaa authentication anyconnect-eap a-eap-authen-local
 aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 2
 anyconnect profile acvpn
!
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AnyConnect-EAP
 set transform-set TS
 set ikev2-profile AnyConnect-EAP
!
!
!
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-EAP
!
Here I listed the usable values (the ones not deprecated on the Apple AnyConnect apps):
C897VA-K9(config-ikev2-proposal)#group ?
15 DH 3072 MODP
16 DH 4096 MODP
19 DH 256 ECP
20 DH 384 ECP
21 DH 521 ECP
C897VA-K9(config-ikev2-proposal)#encryption ?
aes-cbc-128 AES-CBC-128
aes-cbc-192 AES-CBC-192
aes-cbc-256 AES-CBC-256
aes-gcm-128 Combined-mode,128 bit key,16 byte ICV(Authentication Tag)
aes-gcm-256 Combined-mode,256 bit key,16 byte ICV(Authentication Tag)
C897VA-K9(config-ikev2-proposal)#integrity ?
sha1 Secure Hash Standard
sha256 Secure Hash Standard 2 (256 bit)
sha384 Secure Hash Standard 2 (384 bit)
sha512 Secure Hash Standard 2 (512 bit)
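As an added example (not from this thread, nor Cisco's code), a small Python audit that applies the two group lists from the accepted answer and the final post to an IOS configuration dump: it walks each ISAKMP policy and IKEv2 proposal and reports which DH groups the AnyConnect 4.9 client will reject and which it accepts. The sample configuration is constructed from the configs posted above; the function names are my own.

```python
import re

# From the accepted answer: DH groups AnyConnect 4.9 no longer negotiates
DEPRECATED_DH_GROUPS = {2, 5, 14, 24}
# From the final post: groups this router can offer that AnyConnect still accepts
SUPPORTED_DH_GROUPS = {15, 16, 19, 20, 21}

# Constructed sample modelled on the thread: the IKEv1 policy the iOS client
# rejected (group 5) next to the IKEv2 proposal that fixed it (group 21).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto ikev2 proposal Anyconnect-proposal
 encryption aes-cbc-256
 integrity sha512
 group 21
!
"""

BLOCK_RE = re.compile(r"^crypto (isakmp policy|ikev2 proposal) (\S+)\s*$")
GROUP_RE = re.compile(r"^\s+group((?:\s+\d+)+)\s*$")


def audit_dh_groups(config: str) -> dict:
    """Classify the DH groups each IKEv1 policy / IKEv2 proposal offers as
    deprecated or supported for AnyConnect 4.9 (other groups are ignored)."""
    results, current = {}, None
    for line in config.splitlines():
        header = BLOCK_RE.match(line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            results[current] = {"deprecated": [], "supported": []}
        elif line.startswith("!"):  # '!' closes the indented block
            current = None
        elif current is not None:
            m = GROUP_RE.match(line)  # IKEv2 allows "group 19 20 21" on one line
            if m:
                for g in map(int, m.group(1).split()):
                    if g in DEPRECATED_DH_GROUPS:
                        results[current]["deprecated"].append(g)
                    elif g in SUPPORTED_DH_GROUPS:
                        results[current]["supported"].append(g)
    return results

def anyconnect_can_negotiate(config: str) -> bool:
    """True if at least one policy/proposal offers a group AnyConnect 4.9 accepts."""
    return any(r["supported"] for r in audit_dh_groups(config).values())
```

Run it against a `show running-config | section crypto` capture to see, before pushing a change, whether the gateway still offers only deprecated groups to the client.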