
Remote Access VPN Issues

samipk1234 (Level 1)

I am having problems using AnyConnect. I have a remote access VPN configured, but I am unable to log in to the VPN, as there is no option to define group-based authentication or to specify a username; the only option I get is to provide a key.

The client connects (although it shows the "Attribute is unacceptable, next payload is 0" error) and shows up in

sh crypto isakmp sa

but then gets the ISAKMP purging error and the client is kicked.

The settings are as follows; any help is appreciated by this noob.

aaa new-model
aaa authentication login mylist local
aaa authorization network mynet local
username admin password admin
!
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
!
ip local pool VPNPOOL 192.168.3.1 192.168.3.50
!
crypto isakmp client configuration group mygroup
 key mykey123
 pool VPNPOOL
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10
 set transform-set set1
 reverse-route
!
crypto map map1 client configuration address respond
crypto map map1 client authentication list mylist
crypto map map1 isakmp authorization list mynet
crypto map map1 10 ipsec-isakmp dynamic map1
!
interface fastEthernet 0/0
 crypto map map1


@samipk1234 

You've configured authentication as PSK, if you are using AnyConnect you'll need to use either certificates or EAP (username/password). Use one of the following guides on how to configure a Remote Access VPN on a Cisco IOS router.

 

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

 

@Rob Ingram Thank you for the help; this is exactly what I needed. I am using the link below

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

 

but I am confused about one thing: this guide refers to another guide in the middle, saying

 

Refer to steps 1 through 4 in ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example, and change all instances of crypto ca to crypto pki.

 

But I don't have an ASA, so should I follow these steps or not, as steps 1 to 4 refer to ASDM and I obviously don't have it since I don't have an ASA?

@samipk1234 Instead of providing you with the commands for the router, they provided the ASA commands, which are similar. Just follow the CLI commands, replacing "crypto ca" with "crypto pki". Obviously ignore the ASDM commands; just start from the "Command Line example".


Or here is an alternative example to generate certificates for FlexVPN, with the correct commands for the router.

@Rob Ingram Thanks for the clarification; a few questions though:

1. The guide is not clear whether the RADIUS server should also be a Certificate Authority, or whether just configuring a RADIUS server will be enough.

2. It refers to flex-hub.example.com randomly without explaining whether it's the CA or just a random name given.

 

I am sorry to bother you this much, but this is helping me immensely.

 

Regards

Hi @samipk1234 no problem, glad to help.

 

The RADIUS server does not need to be a CA; these are just roles the server provides and probably just happen to be on the same server in this example.

 

"flex-hub.example.com" is just the CN in the certificate; this is used to provide a unique identity when authenticating.

 

 

@Rob Ingram Thank you, sir, for your continuous support. The picture is getting a lot better in my head on what to do; just a question:

 

My AD domain is sami.local, so in this case do I have to create a subdomain of flex-hub.sami.local in order to follow the tutorial example of flex-hub.example.com, or is this subdomain just for reference purposes/an alias that will not be used to authenticate the domain user's connection to the VPN?

@samipk1234 You don't need to create a subdomain; sami.local is your domain name, so you'll just issue a certificate to flex-hub.sami.local.

 

The important thing is the client must trust the certificate issued to the router.

@Rob Ingram Thank you, sir, for your reply. My last question before I get busy with the lab: the ASA settings page is using the FQDN webvpn.cisco.com and the other one uses flexi-vpn.example.com. I just wanted to be clear that these are the same (just used in different blogs), so I can use either one of them for configuration in both examples, right?
Also, my CA is dc1-khi.sami.local, so I should be using that in its place?

@samipk1234 Yes they are referring to the same thing. You should just define the FQDN of the FlexVPN router as "routername.sami.local" and get this signed by your CA dc1-khi.sami.local.
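Putting Rob Ingram's two points together (the router authenticates with a certificate and the user with EAP instead of a PSK, and the certificate CN is the router FQDN in sami.local, signed by dc1-khi.sami.local), here is an added FlexVPN IKEv2 skeleton that is not from the thread or from the linked Cisco guides. The trustpoint, list, profile and policy names, the RADIUS server address and the shared-secret placeholder are assumptions; the pool, interface and domain names come from the thread.

```cisco
! Added example, not the poster's config: FlexVPN IKEv2 for AnyConnect with
! router certificate (RSA-SIG) and user EAP via RADIUS, replacing the PSK
! ISAKMP/crypto-map setup. Names, RADIUS address and secret are assumptions.
aaa new-model
aaa authentication login RADIUS-LIST group radius
aaa authorization network AUTHZ-LIST local
radius server AD-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
!
! Router identity: CN is the router FQDN, signed by the CA dc1-khi.sami.local
crypto pki trustpoint FLEX-TP
 enrollment terminal
 subject-name CN=flex-hub.sami.local
 revocation-check none
 rsakeypair FLEX-KEY
!
crypto ikev2 proposal AC-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy AC-POL
 proposal AC-PROP
!
ip local pool VPNPOOL 192.168.3.1 192.168.3.50
crypto ikev2 authorization policy AC-AUTHZ
 pool VPNPOOL
 route set interface
!
crypto ikev2 profile AC-PROF
 match identity remote key-id *$AnyConnectClient$*
 identity local fqdn flex-hub.sami.local
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint FLEX-TP
 aaa authentication eap RADIUS-LIST
 aaa authorization group eap list AUTHZ-LIST AC-AUTHZ
 virtual-template 1
!
crypto ipsec transform-set AC-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile AC-IPSEC
 set transform-set AC-TS
 set ikev2-profile AC-PROF
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AC-IPSEC
```

The trustpoint still has to be authenticated against the CA and enrolled as the guide's certificate steps describe, and "revocation-check none" mirrors the lab guides; in production point the trustpoint at the CA's CRL instead. After a client connects, "show crypto ikev2 sa" should show the session and "show crypto pki certificates" the router certificate with CN=flex-hub.sami.local.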