Hi all,

I am just wondering what the easiest and simplest method would be to make remote PCs (running Cisco AnyConnect) establish a VPN IPsec to a Cisco ISR (881/887, 1900s,2900s series). I used to use EasyVPN method (simple and fast to configure and no need for special licences other than crypto licence) but since Cisco VPN Client is no longer supported I had to resort to WebVPN which requires a licence depending on the number of clients to support (SSL licences for 10,20 users and so forth). I've read a bit about FlexVPN but I can't find an easy example to what I want to do. The closest is this one (FlexVPN and Anyconnect IKEv2 Client Configuration Example):

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html

But that example makes use of RADIUS. Is there a way to make use of local database (users configured on the router) instead of RADIUS?

Basically what I am after is the following

- Remote users install Cisco AnyConnect to establish a VPN connection to HQ

- HQ ISR (880s, 1900s, 2900s) terminates that VPN connections and allows access to local resources (shared drives, applications...).Authentication method would be local database on the router. No need of RADIUS/ACS as this is for very small companies with no IT resources to maintain and configure a RADIUS/ACS server.

I think what I need is this AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example:

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html

But the example is too highlevel for me to follow, basically I don't know how to generate such certificates and distribute it to remote clients.

Any help as to how to create such certificates or how to configure FlexVPN to just requiring the user to enter usr/pass (using local database not RADIUS nor ACS) would be highly appreciated.

Cheers

Alvaro