08-06-2020 07:06 AM
I have to migrate a VRF-aware SSL VPN configuration from a C3900e-UNIVERSALK9-M running IOS 15.7.. to a Cisco CSR1000 running IOS-XE v. 16.12.4 with the AX license active.
In the C3900 I have many clients on different VRFs and different webvpn contexts where they are hooked up to virtual-template interfaces on their own VRFs. So my question is how can I do this on the CSR1000 as the configuration is very different?
I have followed this tutorial https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-16-12/sec-conn-sslvpn-xe-16-12-book.pdf
Any help is greatly appreciated
08-15-2020 05:54 AM - edited 08-15-2020 05:59 AM
Did you work this out on your own? Cisco's recommended Remote Access VPN when using a router is FlexVPN, which is IKEv2/IPSec. SSL-VPN support on IOS/IOS-XE routers is limited and not widely deployed (in my experience) compared to FlexVPN.
FlexVPN supports VRF, examples here:-
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116000-flexvpn-config-00.html
https://integratingit.wordpress.com/2019/04/22/flexvpn-vrf/
More information on FlexVPN Remote Access VPN here:-
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3054.pdf
HTH
09-14-2023 12:16 AM
Did you find the solution for your problem? We are currently having the same task - a c3900 with VRFs and SSL VPN has to be migrated somehow.
Glad if you could post your solution!
09-14-2023 01:14 AM
Hi @teetk, I found out that the SSL VPN could not be VRF aware on Cisco CSR1000 running IOS-XE v. 16.12.4 (could have changed in the last 3 years) and we had to move to another ASA-based solution where interface zones and NAT are used to delegate between VRFs.
I did not look into the FlexVPN solution, but it looks promising, as Rob points out.