07-28-2015 12:56 AM - edited 02-21-2020 08:22 PM
Hello,
Is it possible to establish an IPsec Remote Access VPN using the Cisco AnyConnect client with a Cisco ISR G2 1921 router?
If anybody has done that, please share a configuration example, as I have been on this topic for the last week.
07-28-2015 01:31 AM
Yes, that can be done. Here is an example:
07-28-2015 01:40 AM
Hello Karsten,
Thanks for your reply. I must use an IKEv2/IPsec-only VPN, and apparently there is no way to set up the parameters in the new AnyConnect VPN client. How can I accomplish this?
07-28-2015 01:52 AM
Oh, I didn't see the "IPsec" ...
For that, the crypto config is needed on the router (where I don't have a sample at the moment), and the primary protocol needs to be changed in the AnyConnect profile:
07-28-2015 07:06 AM
My Cisco rep recommended that I not try AnyConnect to an ISR router or ASR. So I used an open source client. Not saying AnyConnect won't work, just the route that I took on my project. I do have a known good, working configuration for a 1921 with strongSwan as the client. This is with IPsec and IKEv2 using certificates to authenticate.
07-29-2015 07:02 AM
Hi Douglas,
Thanks for your response. Is it possible for you to share the router config? And yes, I am having nightmares with Cisco AnyConnect.
I just checked; strongSwan is for Linux. Which client would you recommend for Windows-based machines?
07-30-2015 04:09 AM
I don't have a recommendation for a Windows client. All my work is with Linux. I sent a copy of a known good, working router configuration with instructions added within the configuration to explain things in response to your private message. Even if it is not exactly what you're looking for, it helps to see the structure outside of a Cisco "how to" to make that "how to" more valuable. I started with Cisco's instructions. I added info about how certificates are handled: generate the key, create the trustpoint, output the CSR, import the CA cert, and finally the signed CSR. I hope this helps you along. Not guaranteed to fit your circumstance, just to aid you in your work.
Douglas
07-30-2015 07:44 AM
Thanks a lot!!!
11-11-2015 05:11 AM
Hey Douglas,
I came across this thread in my searches. I've been able to successfully establish IPsec/IKEv2 connections using AnyConnect 4.x with Windows. I'm now trying to get it working on Linux, but I'm not a Linux guy. The OS is CentOS 6 and AnyConnect is installed. I'm assuming that it's not working because the certs are not installed properly? It's not even attempting to initiate IKEv2 connections.
I also just moved over the XML profile in the profile folder from my Windows machine into /opt/cisco/anyconnect/profile/
I guess my two questions are:
1.) If you move over a profile .XML file from a Windows machine to a Linux machine, will it still work? Is it compatible between the two OSes without modification?
2.) Is there any documentation out there that gives you step by step instructions with certificates for this procedure?
I know I have to do the following:
Import CA-Cert
Create keys
Export CSR and get it signed
Import signed certificate.
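The enrollment sequence Douglas describes and this post lists (key, trustpoint, CSR out, CA cert in, signed cert in), written out as an added IOS 15.x example for an ISR G2; this is not the configuration shared in the thread, and the names RA-KEYS, RA-TP, RA-IKEV2 and vpn.example.com are placeholders.

```cisco
! Added example, not the thread's config. Placeholder names: RA-KEYS, RA-TP,
! RA-IKEV2, vpn.example.com. Run from global configuration mode.

! 1. Generate the RSA key pair the router certificate will be bound to
crypto key generate rsa label RA-KEYS modulus 2048

! 2. Create the trustpoint. "enrollment terminal pem" selects manual
!    cut-and-paste enrollment, so no SCEP reachability to the CA is needed
!    and the CSR/certificates move as PEM text on the console.
crypto pki trustpoint RA-TP
 enrollment terminal pem
 subject-name CN=vpn.example.com,O=Example
 fqdn vpn.example.com
 revocation-check none
 rsakeypair RA-KEYS

! 3. Import the CA certificate: paste the CA's PEM when prompted and
!    confirm the fingerprint it prints against the one the CA publishes
crypto pki authenticate RA-TP

! 4. Output the CSR: the router prints a PEM request to the terminal;
!    send it to the CA for signing
crypto pki enroll RA-TP

! 5. Import the signed certificate the CA returns (paste the PEM)
crypto pki import RA-TP certificate

! Verify both the CA and router certificates are present and valid
! before referencing the trustpoint anywhere
do show crypto pki certificates RA-TP

! Where the trustpoint is consumed: the IKEv2 profile that terminates the
! remote-access session authenticates both peers with RSA signatures.
! Identity matching and AAA authorization lines are deliberately omitted
! here; the profile is incomplete without them.
crypto ikev2 profile RA-IKEV2
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint RA-TP
```

"revocation-check none" is the common starting point for a lab; once the CA publishes a reachable CRL or OCSP responder, change it so a revoked client certificate is actually rejected.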
11-12-2015 06:59 AM
I replied yesterday while I was transiting through the Atlanta Airport but my post failed. I will try to update later today. I have attached a couple files to assist.
I don't do AnyConnect to a router. I only support it with an ASA. But getting the trustpoint completed nicely on the router should be a positive step.
Also, on Linux you have to get the certificate store correct. The Firefox or local certificate store is supported. I usually run AnyConnect in Linux using Debian or SuSE from the command line with the local certificate store. Below is my cheat sheet that I keep handy for reference:
AnyConnect
To Connect
/opt/cisco/anyconnect/bin # ./vpn connect asa5515.xxx.ipsec.net
(asa5515.xxx.ipsec.net comes from the anyconnect profile called AnyConnectProfile.xml and located /opt/cisco/anyconnect/profile)
To disconnect:
/opt/cisco/anyconnect/bin # ./vpn disconnect asa5515.xxx.ipsec.net
To Check status:
/opt/cisco/anyconnect/bin # ./vpn status
To restart Service
/etc/init.d/vpnagentd restart
AnyConnect Profile -> /opt/cisco/anyconnect/profile
AnyConnect Local Policy -> /opt/cisco/anyconnect
AnyConnect CA Cert -> /opt/.cisco/certificates/ca
AnyConnect Machine Cert -> /opt/.cisco/certificates/client
AnyConnect Machine Key -> /opt/.cisco/certificates/client/private
11-12-2015 07:01 AM
Thank you for the cheat sheets. I was able to get this up and running yesterday once the certificates/keys were in their appropriate spots and the profile was set up correctly!!
07-26-2018 04:42 AM
Hi Douglas,
I know it is a very old thread, but I need help as I am also struggling to make an AnyConnect IPsec Remote Access VPN work on a router (IOS), and it would be very helpful if you could please share the configs.
Thanks a lot