1311 Views, 5 Helpful, 4 Replies

Need some help with FlexVPN and AnyConnect

Chess Norris
Level 4

I am trying to set up FlexVPN with AnyConnect on a Cisco C1117 router running version 16.12.03, but can't get it to work.

I've been following both the official Cisco guide and some other config examples. Both the router and VPN profile should be correct, but every time I try to connect, I get the following message: "The ipsec vpn connection was terminated due to an authentication failure or timeout".

To troubleshoot the issue, I enabled the following debugs:


IKEv2 error debugging is on
IKEv2 default debugging is on
IKEv2 packet debugging is on
IKEv2 internal debugging is on

This is the error I think is most relevant in the debug:


Mar 26 07:56:26.264: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint CLIENT
Mar 26 07:56:26.264: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint FAILED
Mar 26 07:56:26.264: IKEv2-INTERNAL:(SESSION ID = 46,SA ID = 1):Failed to process certificate request
Mar 26 07:56:26.264: IKEv2-INTERNAL:(SESSION ID = 46,SA ID = 1):SM Trace-> SA: I_SPI=2572754B991586EA R_SPI=C7676159C3F8B413 (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
Mar 26 07:56:26.265: IKEv2:(SESSION ID = 46,SA ID = 1):Verification of peer's authentication data FAILED
Mar 26 07:56:26.265: IKEv2:(SESSION ID = 46,SA ID = 1):Sending authentication failure notify
Mar 26 07:56:26.265: IKEv2-INTERNAL:Construct Notify Payload: AUTHENTICATION_FAILED
Mar 26 07:56:26.265: IKEv2:(SESSION ID = 46,SA ID = 1):Building packet for encryption.

It seems to be an issue with the certificate, but I'm not sure exactly what.

Here is the relevant configuration from the router:

!
aaa authentication login EAP_AUTHC local
aaa authorization exec default local
aaa authorization network EAP_AUTHZ local
!
!
crypto pki trustpoint TP_AnyConnect
 enrollment selfsigned
 usage ike
 serial-number none
 fqdn Router.com
 ip-address none
 subject-name cn=r01.companyx.com
 subject-alt-name r01.companyx.com
 revocation-check none
 rsakeypair AnyConnect
!
ip local pool POOL_VPN_LOCAL 192.168.199.100 192.168.199.200
!
crypto ikev2 authorization policy ikev2-auth-policy
 pool POOL_VPN_LOCAL
 route set access-list split_tunnel
!
crypto ikev2 proposal IKEv2-prop1
 encryption aes-cbc-256
 integrity sha256
 group 15
!
crypto ikev2 policy IKEv2-pol
 proposal IKEv2-prop1
!
crypto ikev2 profile AC_EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint TP_AnyConnect
 dpd 60 2 on-demand
 aaa authentication anyconnect-eap EAP_AUTHC
 aaa authorization group anyconnect-eap list EAP_AUTHZ ikev2-auth-policy
 aaa authorization user anyconnect-eap cached
 virtual-template 100
 reconnect timeout 600
 anyconnect profile acvpn
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AnyConnect-EAP
 set transform-set TS
 set ikev2-profile AC_EAP
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AnyConnect-EAP
!

Any help is appreciated.

Thanks

/Chess

Accepted Solution

@Chess Norris 

I wasn't referring to getting AnyConnect working on the ISR1100 series router. I was referring to the download of the AnyConnect profile, which you have defined under the IKEv2 profile with the command "anyconnect profile acvpn" - this was only supported on CSR1000v. AnyConnect Remote Access VPN is of course supported on the ISR1000.

This Cisco Live screenshot confirms my understanding:

[Screenshot: 111.PNG]

Whilst not supported on the ISR router, the commands are available. When I previously tested this it caused issues connecting, so remove the reference from the IKEv2 profile.

EDIT: Note: In order to authenticate users against the local database on the router, EAP needs to be used. However, in order to use EAP, the local authentication method has to be rsa-sig, so the router needs a proper certificate installed on it, and it can't be a self-signed certificate.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html#

4 Replies

Hi,

As the certificate is self-signed, does the user's computer trust the certificate presented by the router?

I don't believe that AnyConnect profile deployment on an ISR router is supported. Last I checked this was only supported on CSR1000v.

Hi,

According to this post, someone was able to get AnyConnect working with FlexVPN on an ISR 1000 router - https://community.cisco.com/t5/vpn/isr-1100-flexvpn-with-anyconnect/td-p/4058939
so I guess it should be supported?
We have not configured anything on the client side yet except for the VPN profile and, to tell you the truth, certificates are not my strongest suit.
We followed this guide, which was easy to follow, but nothing is mentioned about certificates on the client side or if we should enable the CA server on the router:
https://zartmann.dk/2018/12/12/flexvpn-with-anyconnect-eap-using-ise-and-zbfw/

Setting up AnyConnect on the ASA or on FTD is a breeze, but this is really giving me a headache.
I would be grateful if someone who has gotten this to work can walk me through the steps needed - both on the router and on the client side if we want to use self-signed certificates.

Thanks
/Chess


Chess Norris
Level 4

Thanks,

That explains why it doesn't work. I will mark this as solved. Thanks a lot.

/Chess
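The two configuration points the accepted answer makes (a self-signed trustpoint behind `authentication local rsa-sig`, and the `anyconnect profile` line that is only supported on CSR1000v) and the PKI failure visible in the debug can be checked mechanically. The Python below is an added example written for this page, not code from Cisco or from anyone in the thread. It embeds an excerpt of the configuration and debug lines exactly as posted in the question, parses the config by its `!` block separators, cross-references the IKEv2 profile against the trustpoint, virtual-template and IPsec profile it names, and reports which trustpoint the debug shows PKI failing to return a chain for. The helper functions and the finding names are my own; the thread does not say why the debug names the trustpoint CLIENT while the profile references TP_AnyConnect, so the checker only reports that the two differ.

```python
# Excerpt of the router config and IKEv2 debug copied from the question above (aaa, pool,
# proposal and policy lines omitted; the forum lost the indentation, so "!" delimits blocks).
CONFIG = """\
crypto pki trustpoint TP_AnyConnect
enrollment selfsigned
rsakeypair AnyConnect
!
crypto ikev2 profile AC_EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint TP_AnyConnect
virtual-template 100
anyconnect profile acvpn
!
crypto ipsec profile AnyConnect-EAP
set ikev2-profile AC_EAP
!
interface Virtual-Template100 type tunnel
tunnel protection ipsec profile AnyConnect-EAP
!
"""
DEBUG = """\
Mar 26 07:56:26.264: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint CLIENT
Mar 26 07:56:26.264: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint FAILED
Mar 26 07:56:26.265: IKEv2-INTERNAL:Construct Notify Payload: AUTHENTICATION_FAILED
"""
BLOCK_PREFIXES = ("crypto pki trustpoint ", "crypto ikev2 profile ",
                  "crypto ipsec profile ", "interface ")

def parse_ios_config(text):
    """Map each block header to its child lines; a '!' line closes the current block."""
    blocks, current = {"": []}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "!":
            current = ""
        elif line.startswith(BLOCK_PREFIXES):
            current = line
            blocks.setdefault(current, [])
        elif line:
            blocks.setdefault(current, []).append(line)
    return blocks

def find_block(blocks, prefix, name):
    """Children of the block headed by `prefix` + `name` (extra header words ignored)."""
    for header, children in blocks.items():
        rest = header[len(prefix):].split() if header.startswith(prefix) else []
        if rest and rest[0] == name:
            return children
    return None

def child_arg(children, keyword):
    """Argument of the first child line that starts with `keyword`, or None."""
    for line in children or []:
        if line == keyword or line.startswith(keyword + " "):
            return line[len(keyword):].strip()
    return None

def check_ikev2_profile(blocks, name):
    """Cross-reference one IKEv2 profile against the objects it names; returns finding tuples."""
    prof = find_block(blocks, "crypto ikev2 profile ", name)
    if prof is None:
        return [("IKEV2_PROFILE_MISSING", name)]
    findings, tp_name = [], child_arg(prof, "pki trustpoint")
    if child_arg(prof, "authentication local") == "rsa-sig":
        tp = find_block(blocks, "crypto pki trustpoint ", tp_name) if tp_name else None
        if tp is None:
            findings.append(("TRUSTPOINT_MISSING", tp_name))
        elif child_arg(tp, "enrollment") == "selfsigned":
            # accepted answer: rsa-sig local auth for EAP needs a CA-issued cert, not self-signed
            findings.append(("TRUSTPOINT_SELFSIGNED", tp_name))
    if child_arg(prof, "anyconnect profile") is not None:  # accepted answer: CSR1000v only
        findings.append(("ANYCONNECT_PROFILE_DOWNLOAD", child_arg(prof, "anyconnect profile")))
    vt = child_arg(prof, "virtual-template")
    vt_if = find_block(blocks, "interface ", "Virtual-Template" + vt) if vt else None
    ipsec = find_block(blocks, "crypto ipsec profile ",
                       child_arg(vt_if, "tunnel protection ipsec profile") or "")
    if child_arg(ipsec, "set ikev2-profile") != name:
        findings.append(("TUNNEL_NOT_BOUND", vt))  # virtual-template does not lead back here
    return findings

def correlate(blocks, name, debug_text):
    """Config findings plus which trustpoint the IKEv2 debug shows PKI failing to serve."""
    findings = check_ikev2_profile(blocks, name)
    configured = child_arg(find_block(blocks, "crypto ikev2 profile ", name), "pki trustpoint")
    requested = None
    for line in debug_text.splitlines():
        if "Getting cert chain for the trustpoint " in line:
            requested = line.rsplit(" ", 1)[1]
        elif "Getting of cert chain for the trustpoint FAILED" in line:
            findings.append(("PKI_CHAIN_LOOKUP_FAILED", requested))
            if requested != configured:  # the thread does not explain the differing name
                findings.append(("TRUSTPOINT_NAME_MISMATCH", configured, requested))
        elif "Construct Notify Payload: AUTHENTICATION_FAILED" in line:
            findings.append(("AUTHENTICATION_FAILED_SENT",))
    return findings

def run_posted_example():
    return correlate(parse_ios_config(CONFIG), "AC_EAP", DEBUG)
```

On the posted excerpt, `run_posted_example()` returns findings for the self-signed trustpoint, the `anyconnect profile` line, the failed chain lookup for CLIENT, the name difference between CLIENT and TP_AnyConnect, and the AUTHENTICATION_FAILED notify. Once the trustpoint uses any enrollment other than `selfsigned` and the `anyconnect profile` line is removed, `check_ikev2_profile` returns no findings, which is the state the accepted answer describes.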