IKEv2/IPSec Client to Site VPN Configuration | Cisco IOS | Cisco AnyConnect


In this video I show how to configure a client-to-site IKEv2/IPsec tunnel on a Cisco ISR router using certificates for authentication, as well as how to configure Cisco AnyConnect on the client PC.

Downloads

AnyConnect XML Files






Sample Configuration

aaa new-model
aaa authorization network IKEv2_GROUP_AUTHZ local

ip http server
ip domain name cisco.lab

ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org

crypto key generate rsa general-keys modulus 2048 exportable label VPN_CA

mkdir flash:ca

crypto pki server VPN_CA
eku request server-auth client-auth
grant auto
database url flash:ca
no shut
exit

crypto key generate rsa general-keys modulus 2048 exportable label VPNSERVERCERT

crypto pki trustpoint VPNSERVERCERT
enrollment url http://10.0.20.200
subject-name CN=vpn.cisco.lab,OU=IT,O=RMTech
revocation-check none
rsakeypair VPNSERVERCERT
exit

crypto pki authenticate VPNSERVERCERT
crypto pki enroll VPNSERVERCERT

ip local pool VPNPOOL 10.0.0.1 10.0.0.50

crypto ikev2 authorization policy IKEv2_AUTHZ_POLICY
pool VPNPOOL

crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14 19

crypto ikev2 policy default
proposal default

crypto pki certificate map CERT_MAP 10
issuer-name co cn = VPN_CA

crypto ikev2 profile IKEv2_PROFILE
match certificate CERT_MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPNSERVERCERT
aaa authorization group cert list IKEv2_GROUP_AUTHZ IKEv2_AUTHZ_POLICY
virtual-template 1

crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEv2_PROFILE

interface loopback 0
ip address 172.16.1.1 255.255.255.255

interface Virtual-Template1 type tunnel
description Cisco AnyConnect IKEv2
ip unnumbered loopback0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE

crypto key generate rsa general-keys modulus 2048 exportable label VPNUSERCERT

crypto pki trustpoint VPNUSERCERT
enrollment url http://10.0.20.200
subject-name CN=VPNUSERCERT
revocation-check none
rsakeypair VPNUSERCERT

crypto pki authenticate VPNUSERCERT
crypto pki enroll VPNUSERCERT

crypto pki export VPNUSERCERT pkcs12 tftp://10.0.20.10/VPNUSERCERT.pfx password password

crypto key zeroize rsa VPNUSERCERT
no crypto pki trustpoint VPNUSERCERT

no crypto ikev2 http-url cert
no ip http server
no ip http secure-server
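As an added example (not from the video and not a Cisco tool), a small Python checker that reads a running-config excerpt, constructed here to mirror the sample above, and flags what a reviewer would question in this design: grant auto on the IOS CA, revocation-check none on any trustpoint that remains, and whether the closing no ip http server actually leaves the SCEP enrollment endpoint disabled. It tracks the net effect of the commands, so the VPNUSERCERT trustpoint removed at the end is not reported.

```python
"""Audit an IOS IKEv2 client-VPN config excerpt for risky leftovers (added example)."""

# Constructed excerpt mirroring this page's sample config, in show-run layout (one-space indent).
SAMPLE_CONFIG = """\
ip http server
crypto pki server VPN_CA
 grant auto
crypto pki trustpoint VPNSERVERCERT
 revocation-check none
crypto pki trustpoint VPNUSERCERT
 revocation-check none
crypto ikev2 profile IKEv2_PROFILE
 pki trustpoint VPNSERVERCERT
no crypto pki trustpoint VPNUSERCERT
no ip http server
"""
BLOCK_PREFIXES = ("crypto pki server", "crypto pki trustpoint", "crypto ikev2 profile")


def parse_blocks(text):
    """Return (global_lines, blocks); a later 'no <header>' deletes that section (net effect)."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" "):            # sub-command of the open section
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line, current = raw.strip(), None
        if line.startswith("no ") and line[3:] in blocks:
            del blocks[line[3:]]           # section removed later in the config
            continue
        global_lines.append(line)
        if line.startswith(BLOCK_PREFIXES):
            blocks[line], current = [], line
    return global_lines, blocks


def audit(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    global_lines, blocks = parse_blocks(text)
    findings = []
    # 'ip http server' and 'no ip http server' toggle the SCEP endpoint; the last one wins.
    http = [l for l in global_lines if l in ("ip http server", "no ip http server")]
    if http and http[-1] == "ip http server":
        findings.append("ip http server still enabled: SCEP enrollment URL stays reachable")
    for header, body in blocks.items():
        kind, name = " ".join(header.split()[:3]), header.split()[-1]
        if kind == "crypto pki server" and "grant auto" in body:
            findings.append(f"CA {name}: grant auto signs every enrollment request")
        if kind == "crypto pki trustpoint" and "revocation-check none" in body:
            findings.append(f"trustpoint {name}: revocation-check none, revoked certs accepted")
    return findings
```

Run audit() against the output of show running-config to confirm the cleanup commands took effect after enrollment is finished.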