Remote access VPN with ISR4331

Brian Sizemore
Level 1

Hello, I am trying to use an ISR4331 as a VPN headend for remote access clients (mostly Macs).

From what I have found online, it sounds like I have two options basically:

1) with native OS X client, I can use IPsec with PSK

2) with AnyConnect client, I can use IPsec with certificates

I am having difficulty getting either one of these working.  

Specifically, with option 1), I am able to connect to the VPN, but there seem to be some issues with DNS: once I connect, I am unable to reach any internal FQDNs (the same router is the DNS server); however, private IP addresses and the internet are still reachable, and internal FQDNs are resolvable with "nslookup". There seems to be very limited documentation on this scenario.

With option 2), I am unable to get AnyConnect to connect, and it looks like a certificate issue.  I am trying to use the router as the CA, and I see IKEv2 debugs saying "Validation of certificate chain FAILED" and "Verification of peer's authentication data FAILED".  The only good documentation I can find for this scenario is around using the ASA instead of a router, and the configuration seems to be different enough to not translate directly to IOS.

What is the recommended setup I should use in this scenario?  Can you point me to a comprehensive tutorial?

Thanks!
