IKEv2/IPSec Client to Site VPN Configuration | Cisco IOS | Cisco AnyConnect

IKEv2/IPSec Client to Site VPN Configuration | Cisco IOS | Cisco AnyConnect


This guide demonstrates how to configure a client to site IKEv2/IPSec tunnel on a Cisco ISR router.

We will be using certificates for authentication, and Cisco AnyConnect will be used as the VPN client. Both a video guide and sample configuration have been provided, as well as the necessary Cisco AnyConnect XML files.  

Quick Links: Video Guide Sample Configuration Downloads


Video Guide


Sample Configuration

aaa new-model
aaa authorization network IKEv2_GROUP_AUTHZ local

ip http server
ip domain name cisco.lab

ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org

crypto key generate rsa general-keys modulus 2048 exportable label VPN_CA

mkdir flash:ca

crypto pki server VPN_CA
eku server-auth client-auth
grant auto
database url flash:ca
no shut
exit

crypto key generate rsa general-keys modulus 2048 exportable label VPNSERVERCERT

crypto pki trustpoint VPNSERVERCERT
enrollment url http://10.0.20.200
subject-name CN=vpn.cisco.lab,OU=IT,O=RMTech
revocation-check none
rsakeypair VPNSERVERCERT
exit

crypto pki authenticate VPNSERVERCERT
crypto pki enroll VPNSERVERCERT

ip local pool VPNPOOL 10.0.0.1 10.0.0.50

crypto ikev2 authorization policy IKEv2_AUTHZ_POLICY
pool VPNPOOL

crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14 19

crypto ikev2 policy default
proposal default

crypto pki certificate map CERT_MAP 10
issuer-name co cn = VPN_CA

crypto ikev2 profile IKEv2_PROFILE
match certificate CERT_MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPNSERVERCERT
aaa authorization group cert list IKEv2_GROUP_AUTHZ IKEv2_AUTHZ_POLICY
virtual-template 1

crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEv2_PROFILE

interface loopback 0
ip address 172.16.1.1 255.255.255.255

interface Virtual-Template1 type tunnel
description Cisco AnyConnect IKEv2
ip unnumbered loopback0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE

crypto key generate rsa general-keys modulus 2048 exportable label VPNUSERCERT

crypto pki trustpoint VPNUSERCERT
enrollment url http://10.0.20.200
subject-name CN=VPNUSERCERT
revocation-check none
rsakeypair VPNUSERCERT

crypto pki authenticate VPNUSERCERT
crypto pki enroll VPNUSERCERT

crypto pki export VPNUSERCERT pkcs12 tftp://10.0.20.10/VPNUSERCERT.pfx password password

crypto key zeroize rsa VPNUSERCERT
no crypto pki trustpoint VPNUSERCERT

no crypto ikev2 http-url cert
no ip http server
no ip http secure-server


Downloads

AnyConnect XML Files




Did you find this page helpful?

PID: 20211015-00001