IKEv2/IPSec Client to Site VPN Configuration | Cisco IOS | Cisco AnyConnect
This guide demonstrates how to configure a client-to-site IKEv2/IPsec tunnel on a Cisco ISR router.
Certificates are used for authentication, with a local CA running on the router itself, and Cisco AnyConnect is used as the VPN client. Both a video guide and a sample configuration are provided, along with the Cisco AnyConnect XML files the client needs.
! Basic services. AAA is required for the IKEv2 authorization list; the HTTP server is only
! needed for SCEP enrollment against the local CA and is disabled again at the end.
! NTP matters: certificate validity checks fail if the router clock is wrong.
aaa new-model
aaa authorization network IKEv2_GROUP_AUTHZ local
ip http server
ip domain name cisco.lab
ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org
!
! Local CA. "grant auto" signs every enrollment request that reaches the SCEP URL, so the
! HTTP server must not stay reachable once enrollment is finished (see the clean-up below).
crypto key generate rsa general-keys modulus 2048 exportable label VPN_CA
mkdir flash:ca
crypto pki server VPN_CA
 eku server-auth client-auth
 grant auto
 database url flash:ca
 no shut
 exit
!
! Server (head end) certificate, enrolled against the local CA over SCEP.
! revocation-check none: the router will not consult a CRL, so revoking a user certificate
! on the CA has no effect on the VPN unless this is changed.
crypto key generate rsa general-keys modulus 2048 exportable label VPNSERVERCERT
crypto pki trustpoint VPNSERVERCERT
 enrollment url http://10.0.20.200
 subject-name CN=vpn.cisco.lab,OU=IT,O=RMTech
 revocation-check none
 rsakeypair VPNSERVERCERT
 exit
crypto pki authenticate VPNSERVERCERT
crypto pki enroll VPNSERVERCERT
!
! Address pool handed to clients via the IKEv2 authorization policy.
ip local pool VPNPOOL 10.0.0.1 10.0.0.50
crypto ikev2 authorization policy IKEv2_AUTHZ_POLICY
 pool VPNPOOL
!
! IKE SA proposal and policy (AES-CBC, SHA-2 integrity, ECP/MODP DH groups).
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 14 19
crypto ikev2 policy default
 proposal default
!
! Certificate map: any certificate issued by VPN_CA is accepted and mapped to the profile.
crypto pki certificate map CERT_MAP 10
 issuer-name co cn = VPN_CA
!
! IKEv2 profile: certificate (RSA signature) authentication in both directions, clients land
! on a per-session virtual-access interface cloned from Virtual-Template1.
crypto ikev2 profile IKEv2_PROFILE
 match certificate CERT_MAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPNSERVERCERT
 aaa authorization group cert list IKEv2_GROUP_AUTHZ IKEv2_AUTHZ_POLICY
 virtual-template 1
crypto ipsec profile IPSEC_PROFILE
 set ikev2-profile IKEv2_PROFILE
!
! Tunnel interfaces. MTU/MSS are lowered to leave room for the ESP overhead.
interface loopback 0
 ip address 172.16.1.1 255.255.255.255
interface Virtual-Template1 type tunnel
 description Cisco AnyConnect IKEv2
 ip unnumbered loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
! User certificate: generated and enrolled on the router, exported as PKCS12 for import on the
! client, then the private key is zeroized and the trustpoint removed so no copy stays on the
! router. TFTP offers no transport protection, so the PKCS12 passphrase is the only thing
! protecting the key in transit; "password" is a placeholder to be replaced.
crypto key generate rsa general-keys modulus 2048 exportable label VPNUSERCERT
crypto pki trustpoint VPNUSERCERT
 enrollment url http://10.0.20.200
 subject-name CN=VPNUSERCERT
 revocation-check none
 rsakeypair VPNUSERCERT
 exit
crypto pki authenticate VPNUSERCERT
crypto pki enroll VPNUSERCERT
crypto pki export VPNUSERCERT pkcs12 tftp://10.0.20.10/VPNUSERCERT.pfx password password
crypto key zeroize rsa VPNUSERCERT
no crypto pki trustpoint VPNUSERCERT
!
! Clean-up: enrollment is done, so the HTTP servers and HTTP certificate lookup go away.
no crypto ikev2 http-url cert
no ip http server
no ip http secure-server
AnyConnect XML Files
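The XML files referred to above are not reproduced on this page. As an added example, not the author's file, the following is the shape of an AnyConnect client profile that points the client at the head end configured above over IKEv2/IPsec with RSA certificate authentication. The HostName matches the CN of the server certificate from the configuration; the HostAddress value is an assumption and must be whatever address the router's IKEv2 endpoint is reachable at. Element names follow the standard AnyConnect profile schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (not the author's file). On Windows, AnyConnect loads profiles from
     C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Let the client pick the user certificate imported from VPNUSERCERT.pfx -->
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <!-- Keep the split between tunnel and local LAN under administrative control -->
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- HostName is the display name and matches the server certificate CN.
           HostAddress is an assumption: use the address the router terminates IKEv2 on. -->
      <HostName>vpn.cisco.lab</HostName>
      <HostAddress>vpn.cisco.lab</HostAddress>
      <!-- IKEv2/IPsec rather than SSL, authenticating with the user's RSA certificate
           during IKE_AUTH, which is what "authentication remote rsa-sig" on the router expects -->
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two things to check on the client side. First, an IOS head end does not host an AnyConnect package, so the client must be told not to look for one: set `<BypassDownloader>true</BypassDownloader>` in AnyConnectLocalPolicy.xml, otherwise the connection fails after authentication while the client tries to fetch an update. Second, the client validates the server certificate against VPN_CA, so after importing the .pfx confirm that the VPN_CA certificate ended up in the client's trusted root store and not only alongside the user certificate.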