09-04-2021 11:45 AM
I am having problems using AnyConnect. I have a remote access VPN configured, but I am unable to log in to the VPN as there is no option to define group-based authentication or to specify a username; the only option I get is to provide a key.
The client connects (although showing the "Attribute is unacceptable, next payload is 0" error) and shows up in "sh crypto isakmp sa", but then gets the ISAKMP purging error and kicks the client.
The settings are as follows, any help is appreciated by this noob.
aaa new-model
aaa authentication login mylist local
aaa authorization network mynet local
username admin password admin
!
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
!
ip local pool VPNPOOL 192.168.3.1 192.168.3.50
!
crypto isakmp client configuration group mygroup
 key mykey123
 pool VPNPOOL
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10
 set transform-set set1
 reverse-route
!
crypto map map1 client configuration address respond
crypto map map1 client authentication list mylist
crypto map map1 isakmp authorization list mynet
crypto map map1 10 ipsec-isakmp dynamic map1
!
interface fastEthernet 0/0
 crypto map map1
09-04-2021 11:51 AM
You've configured authentication as PSK, if you are using AnyConnect you'll need to use either certificates or EAP (username/password). Use one of the following guides on how to configure a Remote Access VPN on a Cisco IOS router.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
09-04-2021 10:03 PM
@Rob Ingram Thank you for the help, this is exactly what I needed. I am using the below link
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
but I am confused about one thing, this guide refers to another guide in the middle saying
Refer to steps 1 through 4 in ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example, and change all instances of crypto ca to crypto pki.
But I don't have an ASA, so should I follow these steps or not? Steps 1 to 4 refer to ASDM, and I obviously don't have it as I don't have an ASA.
09-04-2021 10:45 PM
@samipk1234 Instead of providing you with the commands for the router, they provided the ASA commands which are similar. Just follow the CLI commands, replace "crypto ca" with "crypto pki". Obviously ignore the ASDM commands, just start from the "Command Line example".
Or here is an alternative example to generate certificates for FlexVPN, with the correct commands for the router.
09-04-2021 11:18 PM
@Rob Ingram Thanks for the clarification, a few questions though:
1. The guide is not clear whether the RADIUS server should also be a Certificate Authority, or whether just configuring a RADIUS server will be enough?
2. It refers to flex-hub.example.com randomly without explaining whether it's the CA or just a random name given?
I am sorry to bother you this much, but this is helping me immensely.
Regards
09-04-2021 11:36 PM
Hi @samipk1234 no problem, glad to help.
The RADIUS server does not need to be a CA; these are just roles the server provides and probably just happen to be on the same server in this example.
"flex-hub.example.com" is just the CN in the certificate, this is used to provide a unique identity when authenticating.
09-05-2021 12:58 AM
@Rob Ingram Thank you sir for your continuous support, the picture is getting a lot better in my head on what to do, just a question:
My AD domain is sami.local, so in this case do I have to create a sub domain of flex-hub.sami.local in order to follow the tutorial example of flex-hub.example.com, or is this sub domain just for reference purposes/alias and will not be used to authenticate the domain user's connection to the VPN?
09-05-2021 01:07 AM
@samipk1234 you don't need to create a sub domain; sami.local is your domain name, so you'll just issue a certificate to flex-hub.sami.local.
The important thing is the client must trust the certificate issued to the router.
09-05-2021 01:36 AM
@Rob Ingram Thank you sir for your reply. My last question before I get busy with the lab is that the ASA settings page is using the FQDN webvpn.cisco.com and in the other it is used as flexi-vpn.example.com. I just wanted to be clear that these are the same (just used in different blogs), so I can use either one of them for configuration in both examples, right?
Also my CA is dc1-khi.sami.local, so I should be using that in its place?
09-05-2021 01:43 AM
@samipk1234 Yes they are referring to the same thing. You should just define the FQDN of the FlexVPN router as "routername.sami.local" and get this signed by your CA dc1-khi.sami.local.
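Putting the advice in this thread (router authenticates with a certificate signed by the domain CA, the user authenticates with EAP, router FQDN routername.sami.local) into one IOS FlexVPN configuration, as an added example that is not from the thread or the Cisco guide. It assumes a RADIUS server at a placeholder address (IOS passes EAP through to RADIUS; local EAP is not used here), manual (terminal) enrollment of the trustpoint against dc1-khi.sami.local, and reuses the OP's VPNPOOL, mynet authorization list and FastEthernet0/0; names such as FLEXVPN-TP, FLEX-EAP and IKEV2-AUTHZ are arbitrary.

```cisco
! RADIUS server used for EAP pass-through (address and key are placeholders)
radius server RADIUS-SRV
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SECRET-PLACEHOLDER
aaa group server radius FLEX-RADIUS
 server name RADIUS-SRV
aaa authentication login FLEX-EAP group FLEX-RADIUS
!
! Router identity certificate, to be signed by dc1-khi.sami.local
crypto pki trustpoint FLEXVPN-TP
 enrollment terminal
 subject-name cn=routername.sami.local
 revocation-check none
 rsakeypair FLEXVPN-KEYS 2048
!
! IKEv2 proposal/policy (replaces the 3DES/MD5 ISAKMP policy above)
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! Attributes pushed to the client (reuses the OP's VPNPOOL)
crypto ikev2 authorization policy IKEV2-AUTHZ
 pool VPNPOOL
!
! Router proves itself with its certificate; the user with EAP via RADIUS
crypto ikev2 profile FLEXVPN-PROFILE
 match identity remote key-id *$AnyConnectClient$*
 identity local dn
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint FLEXVPN-TP
 aaa authentication eap FLEX-EAP
 aaa authorization group eap list mynet IKEV2-AUTHZ
 virtual-template 1
!
crypto ipsec transform-set IPSEC-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROFILE
 set transform-set IPSEC-TS
 set ikev2-profile FLEXVPN-PROFILE
!
! Per-client tunnel interface instead of a crypto map on the physical port
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
```

After this is applied the trustpoint still has to be authenticated and enrolled from exec mode (crypto pki authenticate FLEXVPN-TP, then crypto pki enroll FLEXVPN-TP, pasting the CA certificate and the signed request), and the client must trust the CA that signed routername.sami.local.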