01-18-2024 04:48 AM
I'm migrating from an old Cisco 520 to a new ISR 1131-8PLTWE router with a sec license (boot system flash:c1100-universalk9.17.09.04a.SPA.bin).
Previously we used the old Cisco VPN Client 5,
but I have not found the correct config for IKEv1 on the 1100 series.
We need to configure remote access VPN for 3 users (local users, no RADIUS).
We need to use the Cisco AnyConnect app from an Apple iPad (from the App Store), the Android app (from the Play Store), and the default Windows VPN client (Windows Store) or the old Cisco VPN Client 5.
Do I have to configure FlexVPN with a certificate? Can I use a self-signed certificate?
Can I use IKEv1 + IKEv2?
01-18-2024 04:53 AM
@CM72 the router needs a proper certificate installed on it, and it cannot be a self-signed certificate.
No you cannot use IKEv1 with FlexVPN, as it only supports IKEv2.
This is a FlexVPN guide with local users - https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html
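As an added example (not configuration from this thread or from the linked guide), here is a minimal FlexVPN IKEv2 remote-access configuration for AnyConnect with the three users held locally on the router. All FLEX_* names, usernames, the address pool and the loopback address are assumed placeholders, and it assumes a CA-issued identity certificate is already enrolled in trustpoint FLEX_TP.

```cisco
! Added example, not from the thread: FlexVPN IKEv2 remote access, local users only.
! All FLEX_* names, usernames, pool and loopback addresses are placeholders.
aaa new-model
aaa authentication login FLEX_LOCAL local
aaa authorization network FLEX_LOCAL local
username vpnuser1 password 0 CHANGE-ME-1
username vpnuser2 password 0 CHANGE-ME-2
username vpnuser3 password 0 CHANGE-ME-3
!
! Assumes a CA-issued certificate is already enrolled here (enrollment omitted);
! the thread notes a self-signed certificate does not work for IKEv2 with AnyConnect.
crypto pki trustpoint FLEX_TP
 revocation-check none
!
ip local pool FLEX_POOL 10.10.10.1 10.10.10.100
!
crypto ikev2 proposal FLEX_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy FLEX_POLICY
 proposal FLEX_PROPOSAL
!
crypto ikev2 authorization policy FLEX_AUTHOR
 pool FLEX_POOL
 dns 192.168.26.161
!
crypto ikev2 profile FLEX_PROFILE
 match identity remote key-id *$AnyConnectClient$*
 identity local dn
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint FLEX_TP
 aaa authentication eap FLEX_LOCAL
 aaa authorization group eap list FLEX_LOCAL FLEX_AUTHOR
 virtual-template 10
!
crypto ipsec transform-set FLEX_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX_IPSEC
 set transform-set FLEX_TS
 set ikev2-profile FLEX_PROFILE
!
interface Loopback10
 ip address 10.10.10.254 255.255.255.255
interface Virtual-Template10 type tunnel
 ip unnumbered Loopback10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX_IPSEC
```

The AnyConnect client sends the IKEv2 key-id *$AnyConnectClient$* and authenticates the user by EAP against the local username database; the router authenticates itself to the client with the certificate in FLEX_TP.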
01-18-2024 06:58 AM - edited 01-18-2024 07:17 AM
Can I use IKEv1 and IKEv2? NO, you need IKEv2.
For a self-signed cert: yes, you can use it, BUT not for IKEv2, only for SSL VPN (for IKEv2 there is a bug that prevents using a self-signed cert).
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html#anc11
MHM
01-18-2024 07:03 AM
01-18-2024 08:02 AM
Can I use IKEv1 and IKEv2 at the same time on the ISR 1131-8? Or does this router not have the configuration for the old Cisco client?
Thanks
01-18-2024 08:05 AM
Friend, I think you mean:
IKEv1 for IPsec site-to-site
IKEv2 for remote access IPsec
Yes, you can use both in the router; what I meant by using only IKEv2 is using it only for remote access IPsec VPN.
MHM
01-18-2024 08:34 AM
I mean: is it possible to use the old and obsolete Cisco client with the new ISR 1131?
The old configuration does not work as is.
The original line
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
needs to be modified to
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1 password $PASSWORD$
but it does not work:
IKEv2-ERROR:%Unsuccessful AAA response
---
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local group radius
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local group radius
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key $PASSWORD$
 dns 192.168.26.161
 pool SDM_POOL_1
 acl 100
 max-users 10
crypto isakmp profile sdm-ike-profile-1
 match identity group EZVPN_GROUP_1
 client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
 isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1 password $PASSWORD$
 client configuration address respond
 virtual-template 5
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
01-18-2024 08:39 AM
@CM72 the old EasyVPN solution is long deprecated and EOL, as is the old Cisco VPN client software. The crypto in your configuration is also insecure and deprecated in newer IOS software.
I suggest you upgrade your client to AnyConnect 4.10 or Secure Client 5.0; you have to purchase 25 licenses at a minimum. You can then use the FlexVPN configuration, which is supported.
01-18-2024 08:41 AM
I can't use the Windows Store AnyConnect? Or the app from the Apple App Store and Google Play Store without buying the 25 licenses?
01-18-2024 08:08 AM
@CM72 FlexVPN supports IKEv2 only (Site to Site or Remote Access VPN).
You'd have to use the old legacy configuration for remote access VPN if you need to use it.
01-18-2024 08:44 AM
@CM72 you need to be licensed, and even by having the really old client I am not sure you'd be licensed/supported.
If you are using the VPN on those mobile devices I'd be surprised if they supported the old weak crypto as per your example.
01-18-2024 08:45 AM
No, I mean FlexVPN with mobile apps.
01-18-2024 08:49 AM
Yes I know what you meant, but you need to be licensed to connect.