ISR 1100 VPN with ikev1 / ikev2 with windows vpn client and apps

CM72
Level 1


I'm migrating from an old Cisco 520 to a new ISR 1131-8PLTWE router with a sec license (boot system flash:c1100-universalk9.17.09.04a.SPA.bin).
Previously we used the old Cisco VPN Client 5,
but I have not found the correct config for IKEv1 on the 1100 series.

We need to configure remote access VPN for 3 users (local users, no RADIUS).

We need to use the Cisco AnyConnect app from the Apple iPad (from the App Store), the Android app (from the Play Store), and the Windows default VPN client (Windows Store) or the old Cisco VPN Client 5.

Do I have to configure FlexVPN with a certificate? Can I use a self-signed certificate?
Can I use IKEv1 + IKEv2?


@CM72 the router needs a proper certificate installed on it, and it cannot be a self-signed certificate.

No you cannot use IKEv1 with FlexVPN, as it only supports IKEv2.

This is a FlexVPN guide with local users - https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html


Can I use IKEv1 and IKEv2? NO, you need IKEv2.
For a self-signed cert: yes, you can use it, BUT not for IKEv2, only for SSL VPN (for IKEv2 there is a bug that prevents using a self-signed cert).
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html#anc11


MHM

@MHM Cisco World no, you cannot use a self-signed certificate.


Can I use IKEv1 and IKEv2 at the same time on the ISR 1131-8? Or does this router not have the configuration for the old Cisco client?

Thanks

Friend, I think you mean:
IKEv1 for IPsec site-to-site
IKEv2 for remote access IPsec
Yes, you can use both in the router; what I mean by using only IKEv2 is using it only for remote access IPsec VPN.
MHM

I mean: is it possible to use the old and obsolete Cisco client with the new ISR 1131?

The old configuration does not work as is.

The original line
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1

needs to be modified to
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1 password $PASSWORD$
but it does not work:

IKEv2-ERROR:%Unsuccessful AAA response
---

aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local group radius
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local group radius

crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
key $PASSWORD$
dns 192.168.26.161
pool SDM_POOL_1
acl 100
max-users 10
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1 password $PASSWORD$
client configuration address respond
virtual-template 5
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map dynmap 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!

@CM72 the old EasyVPN solution is long deprecated and EOL, as is the old Cisco VPN client software. The crypto in your configuration is also insecure and deprecated in newer IOS software.

I suggest you upgrade your client to AnyConnect 4.10 or Secure Client 5.0; you have to purchase 25 licenses at a minimum. You can then use the FlexVPN configuration, which is supported.
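The reply above flags the posted crypto as deprecated. As an added example (not code from this thread or from Cisco), the Python below walks an IOS-style crypto config and lists the weak IKEv1 policy settings and ESP transforms it finds; the sample config is a constructed excerpt of the one posted, and the weak-algorithm tables are an assumed audit policy (anything below AES / SHA-2 / DH group 14 is treated as weak).

```python
# Constructed excerpt modelled on the IKEv1/IPsec config posted above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
"""

# Assumed audit policy: anything below AES / SHA-2 / DH group 14 is weak.
WEAK_ISAKMP = {
    ("encryption", "des"): "single DES",
    ("encryption", "3des"): "3DES (deprecated 64-bit block cipher)",
    ("hash", "md5"): "MD5",
    ("hash", "sha"): "SHA-1",
    ("group", "1"): "DH group 1 (768-bit)",
    ("group", "2"): "DH group 2 (1024-bit)",
    ("group", "5"): "DH group 5 (1536-bit)",
}
WEAK_TRANSFORMS = {"esp-des": "single DES", "esp-3des": "3DES",
                   "esp-md5-hmac": "MD5 HMAC", "esp-sha-hmac": "SHA-1 HMAC"}


def audit_crypto_config(config: str) -> list[str]:
    """Return one finding per weak ISAKMP policy setting or ESP transform."""
    findings = []
    policy = None  # number of the 'crypto isakmp policy' block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or line.startswith("crypto"):
            policy = None  # any top-level command ends the policy block
        if line.startswith("crypto isakmp policy "):
            policy = line.split()[-1]
        elif line.startswith("crypto ipsec transform-set "):
            name, *transforms = line.split()[3:]
            findings += [f"transform-set {name}: {WEAK_TRANSFORMS[t]}"
                         for t in transforms if t in WEAK_TRANSFORMS]
        elif policy is not None and len(line.split()) == 2:
            key = tuple(line.split())  # e.g. ("encryption", "3des")
            if key in WEAK_ISAKMP:
                findings.append(f"isakmp policy {policy}: {WEAK_ISAKMP[key]}")
    return findings
```

Run against the posted config it reports five findings (3DES, SHA-1 and DH group 2 in the ISAKMP policy, plus 3DES and SHA-1 HMAC in the transform set); a policy using AES, SHA-256 and group 19 reports none.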

I can't use the Windows Store AnyConnect? Or the app from the Apple App Store and Google Play Store without buying the 25 licenses?

@CM72 FlexVPN supports IKEv2 only (Site to Site or Remote Access VPN).

You'd have to use the old legacy configuration for remote access VPN if you need to use it.

@CM72 you need to be licensed, and even with the really old client I am not sure you'd be licensed/supported.

If you are using the VPN on those mobile devices I'd be surprised if they supported the old weak crypto as per your example.

No, I mean FlexVPN with mobile apps.

Yes I know what you meant, but you need to be licensed to connect.