IKEv2/IPSec Client to Site VPN Configuration | Cisco IOS | Cisco AnyConnect


In this video I show how to configure a client to site IKEv2/IPSec tunnel on a Cisco ISR router using Certificates for authentication, as well as configuring Cisco AnyConnect on the client PC.

Downloads

AnyConnect XML Files



Don’t Forget to Subscribe on YouTube



Sample Configuration

! Commands are listed in the order they are entered; mkdir is a privileged EXEC
! command, everything else is entered in configuration mode.
!
! AAA: local authorization list that the IKEv2 profile uses to hand out the address pool
aaa new-model
aaa authorization network IKEv2_GROUP_AUTHZ local
!
! The HTTP server is only needed for SCEP enrollment against the local CA;
! it is disabled again at the end of this sequence
ip http server
ip domain name cisco.lab
!
! Accurate time is required for certificate validity checks
ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org
!
! Local CA: key pair, database directory and the CA server itself.
! grant auto approves every SCEP request without review, so the CA should only
! be reachable from the lab network while it is enabled
crypto key generate rsa general-keys modulus 2048 exportable label VPN_CA
mkdir flash:ca
crypto pki server VPN_CA
eku server-auth client-auth
grant auto
database url flash:ca
no shut
exit
!
! VPN server certificate: key pair and trustpoint enrolled with the local CA.
! revocation-check none skips CRL/OCSP lookups, so revoked certificates stay accepted
crypto key generate rsa general-keys modulus 2048 exportable label VPNSERVERCERT
crypto pki trustpoint VPNSERVERCERT
enrollment url http://10.0.20.200
subject-name CN=vpn.cisco.lab,OU=IT,O=RMTech
revocation-check none
rsakeypair VPNSERVERCERT
exit
crypto pki authenticate VPNSERVERCERT
crypto pki enroll VPNSERVERCERT
!
! Address pool assigned to connecting clients through the authorization policy
ip local pool VPNPOOL 10.0.0.1 10.0.0.50
crypto ikev2 authorization policy IKEv2_AUTHZ_POLICY
pool VPNPOOL
!
! IKEv2 proposal and policy (AES-CBC, SHA-2 integrity, ECP/MODP groups 21 20 14 19)
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14 19
crypto ikev2 policy default
proposal default
!
! Certificate map: only certificates issued by VPN_CA match the IKEv2 profile
crypto pki certificate map CERT_MAP 10
issuer-name co cn = VPN_CA
!
! IKEv2 profile: mutual RSA signature authentication, server cert from VPNSERVERCERT
crypto ikev2 profile IKEv2_PROFILE
match certificate CERT_MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPNSERVERCERT
aaa authorization group cert list IKEv2_GROUP_AUTHZ IKEv2_AUTHZ_POLICY
virtual-template 1
!
! IPsec profile bound to the IKEv2 profile
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEv2_PROFILE
!
! Loopback used as the unnumbered source for the per-client virtual-access interfaces
interface loopback 0
ip address 172.16.1.1 255.255.255.255
!
! Virtual template cloned for each AnyConnect session; MTU/MSS lowered for ESP overhead
interface Virtual-Template1 type tunnel
description Cisco AnyConnect IKEv2
ip unnumbered loopback0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
! Client certificate: generated and enrolled on the router, exported as PKCS12 for
! the AnyConnect client, then removed from the router
crypto key generate rsa general-keys modulus 2048 exportable label VPNUSERCERT
crypto pki trustpoint VPNUSERCERT
enrollment url http://10.0.20.200
subject-name CN=VPNUSERCERT
revocation-check none
rsakeypair VPNUSERCERT
exit
crypto pki authenticate VPNUSERCERT
crypto pki enroll VPNUSERCERT
!
! The PKCS12 password ("password" here) protects the exported private key; use a real one
crypto pki export VPNUSERCERT pkcs12 tftp://10.0.20.10/VPNUSERCERT.pfx password password
crypto key zeroize rsa VPNUSERCERT
no crypto pki trustpoint VPNUSERCERT
!
! Cleanup: disable IKEv2 hash-and-URL certificate lookup and the HTTP server used for SCEP
no crypto ikev2 http-url cert
no ip http server
no ip http secure-server
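To sanity-check a configuration like the one above before it goes live, here is an added Python example (not from the video, and not Cisco code): it splits the IOS command sequence into command blocks and flags weak IKEv2 proposal values, `revocation-check none` on a trustpoint, and `ip http server` left enabled after SCEP enrollment. The weak-algorithm lists and the sample config inside the block are this example's own constructed choices.

```python
# Values this example treats as weak in an IKEv2 proposal (the example's own choices).
WEAK = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"}, "group": {"1", "2", "5"}}
# Prefixes that start a top-level command; the sample may be pasted without indentation,
# so keyword prefixes are used instead of the usual leading-space rule for subcommands.
TOP_LEVEL = ("crypto ", "interface ", "ip http ", "ip local ", "ip domain ", "aaa ",
             "ntp ", "mkdir ", "no crypto ", "no ip http ")

# Constructed sample with deliberately weak settings; not the page's configuration.
SAMPLE_CONFIG = """\
ip http server
crypto ikev2 proposal default
encryption aes-cbc-256 3des
integrity sha256 sha1
group 14 2
crypto pki trustpoint VPNSERVERCERT
enrollment url http://10.0.20.200
revocation-check none
"""


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Split an IOS config into (top-level command, subcommands) pairs."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line == "exit":
            continue  # separators and 'exit' carry no configuration
        if line.startswith(TOP_LEVEL) or not blocks:
            blocks.append((line, []))
        else:
            blocks[-1][1].append(line)
    return blocks


def audit(config: str) -> list[str]:
    """Return the findings a reviewer would raise about the IKEv2/PKI parts."""
    findings: list[str] = []
    http_server = False  # the last 'ip http server' / 'no ip http server' wins
    for header, subs in parse_blocks(config):
        if header in ("ip http server", "no ip http server"):
            http_server = not header.startswith("no ")
        elif header.startswith("crypto ikev2 proposal"):
            for sub in subs:
                kw, *vals = sub.split()
                if weak := sorted(set(vals) & WEAK.get(kw, set())):
                    findings.append(f"{header}: weak {kw} {' '.join(weak)}")
        elif header.startswith("crypto pki trustpoint") and "revocation-check none" in subs:
            findings.append(f"{header}: revocation-check none, revoked certificates stay trusted")
    if http_server:
        findings.append("ip http server still enabled; disable it once SCEP enrollment is done")
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved copy of the router's configuration; an empty list means none of these three checks fired.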
