05-17-2017 02:27 AM
Hi,
Looking for help on AnyConnect! Any ideas appreciated - thank you.
I am trying to set up an AnyConnect IKEv2 service. I have installed:
asa9.17
anyconnect mobility client 3.1.141018-pre-deploy-k9 on a Windows 7 machine
I have a self-signed certificate for now.
I am NOT using SSL and am pre-loading the client.
The client reports "the vpn server is not enabled " ... although it does seem to pick up the certificate.
The asa reports : May 17 2017 10:04:54: %ASA-4-722050: Group <GroupPolicy_AnyconnectConnprofile> User <bob> IP <9x.x.x.x session terminated SVC not enabled for user.
I used the ASDM to configure the AnyConnect profile.
Partial asa config:
ip local pool AnyConnectNetworkPool 172.29.24.5-172.29.24.10 mask 255.255.255.0
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
webvpn
 anyconnect image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 anyconnect profiles AnyconnectConnprofile_client_profile disk0:/AnyconnectConnprofile_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
group-policy GroupPolicy_AnyconnectConnprofile internal
group-policy GroupPolicy_AnyconnectConnprofile attributes
 wins-server none
 dns-server value 10.1.1.1 10.1.1.2
 default-domain value blah.co.uk
 vpn-tunnel-protocol ikev2
 webvpn
  anyconnect profiles value AnyconnectConnprofile_client_profile type user
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
username bob password DFuQvmadeup ted privilege 15
tunnel-group AnyconnectConnprofile type remote-access
tunnel-group AnyconnectConnprofile general-attributes
 address-pool AnyConnectNetworkPool
 default-group-policy GroupPolicy_AnyconnectConnprofile
tunnel-group AnyconnectConnprofile webvpn-attributes
 group-alias AnyconnectConnprofile enable
05-17-2017 05:07 AM
Your config is missing the following:
webvpn
 enable outside
Replace "outside" with the name of the public interface.
05-17-2017 05:17 AM
Hi Karsten,
Thanks for the reply ... however, I am not sure what you mean - the outside interface of the ASA is the "public" or internet-facing interface. If so, the config is right.
Is this what you mean, or something else?
05-17-2017 05:25 AM
The name of the public interface is "outside" by default, but it doesn't have to be that name. On my ASA the public interfaces are outside1 and outside2. Only you can know how your interfaces are named. That's the reason I mentioned that you have to use the correct name from your config. But if it's "outside", then you can directly use the config above.
05-17-2017 05:46 AM
I understand Karsten - Thank you
I made the change:
(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
But I get the same error as before, I am afraid.
05-19-2017 06:56 AM
I got this working with a change as below:
group-policy GroupPolicy_AnyconnectConnprofile attributes
 wins-server none
 dns-server value 10.128.161.193 10.128.161.194
 vpn-tunnel-protocol ssl-client
If, however, I change this back to vpn-tunnel-protocol ikev2, it fails.
I was hoping just to do an IKEv2 tunnel ... I must be missing something else on the original, but I am happy AnyConnect is working.
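
A small offline check for the two settings this thread changed, written as an added example (not code from any poster or from Cisco): it reads a saved running-config and reports whether `webvpn` has an `enable <interface>` line and whether each connection profile's group policy lists `ssl-client`. The sample config is constructed, the function names are hypothetical, and sub-commands are assumed to be indented as in `show running-config` output.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented);
# object names mirror the thread, the content is illustrative only.
SAMPLE = """\
webvpn
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_AnyconnectConnprofile internal
group-policy GroupPolicy_AnyconnectConnprofile attributes
 vpn-tunnel-protocol ikev2
tunnel-group AnyconnectConnprofile type remote-access
tunnel-group AnyconnectConnprofile general-attributes
 default-group-policy GroupPolicy_AnyconnectConnprofile
"""

def parse_blocks(text):
    """Map each top-level command to the indented sub-commands below it."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(text):
    """Return findings for the two settings changed in the thread."""
    blocks, findings = parse_blocks(text), []
    # Check 1 (first reply): webvpn needs "enable <interface>".
    if not any(re.fullmatch(r"enable \S+", c) for c in blocks.get("webvpn", [])):
        findings.append("webvpn: no 'enable <interface>' line")
    # Check 2 (last post): the profile's group policy lists ssl-client.
    for head, subs in blocks.items():
        m = re.fullmatch(r"tunnel-group (\S+) general-attributes", head)
        if not m:
            continue
        policy = next((s.split()[1] for s in subs
                       if s.startswith("default-group-policy ")), "DfltGrpPolicy")
        attrs = blocks.get(f"group-policy {policy} attributes", [])
        protos = next((s.split()[1:] for s in attrs
                       if s.startswith("vpn-tunnel-protocol ")), [])
        if "ssl-client" not in protos:
            allowed = " ".join(protos) or "inherited"
            findings.append(f"{m.group(1)}: {policy} allows '{allowed}', not ssl-client")
    return findings
```

Run `audit()` on the text of a saved config; an empty list means both settings from the thread are present.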