IKEv2/IPSec Client to Site VPN Configuration | Cisco IOS | Cisco AnyConnect



Downloads

Sample Configuration

aaa new-model
! Authorization list referenced by the IKEv2 profile; "local" means the
! IKEv2 authorization policy below is looked up on the router itself.
aaa authorization network IKEv2_GROUP_AUTHZ local

! Plain HTTP is needed only for SCEP enrollment against the local CA;
! it is switched off again at the end of this configuration.
ip http server
ip domain name cisco.lab

! Certificates are validated against the router clock, so time must be
! correct before anything is enrolled. Resolving the pool.ntp.org names
! needs a working ip name-server entry (configured in the video, not shown here).
ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org

! Key pair for the CA. "exportable" allows the key to be backed up with
! crypto pki export; this key is the root of trust for every VPN
! certificate, so keep it exportable only if you need that backup.
crypto key generate rsa general-keys modulus 2048 exportable label VPN_CA

mkdir flash:ca

! IOS CA server; the key label must match the server name (VPN_CA).
! "grant auto" signs every enrollment request without approval. That is
! fine for a lab where only this router reaches the SCEP URL; in
! production remove it and grant requests manually.
crypto pki server VPN_CA
eku server-auth client-auth
grant auto
database url flash:ca
no shut
exit

! Identity key pair and trustpoint for the VPN server itself. The
! enrollment URL is this router's own address, because the CA runs here.
! revocation-check none skips CRL/OCSP checks on peer certificates, so a
! revoked user certificate would still be accepted: acceptable in a lab,
! not in production.
crypto key generate rsa general-keys modulus 2048 exportable label VPNSERVERCERT

crypto pki trustpoint VPNSERVERCERT
enrollment url http://10.0.20.200
subject-name CN=vpn.cisco.lab,OU=IT,O=RMTech
revocation-check none
rsakeypair VPNSERVERCERT
exit

! Fetch the CA certificate, then request the server certificate.
crypto pki authenticate VPNSERVERCERT
crypto pki enroll VPNSERVERCERT

! Addresses handed to connecting clients through the authorization policy.
ip local pool VPNPOOL 10.0.0.1 10.0.0.50

crypto ikev2 authorization policy IKEv2_AUTHZ_POLICY
pool VPNPOOL

! IKE SA algorithms, strongest first: AES-CBC with SHA-2 HMACs and
! 2048-bit DH (14) or NIST P-256/P-384/P-521 ECDH (19/20/21).
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14 19

crypto ikev2 policy default
proposal default

! Peers are mapped to the IKEv2 profile by certificate: any certificate
! whose issuer CN contains VPN_CA matches. Add subject-name or other
! attributes if some VPN_CA certificates should not be allowed to connect.
crypto pki certificate map CERT_MAP 10
issuer-name co cn = VPN_CA

! Mutual RSA-signature (certificate) authentication. Authenticated peers
! receive the authorization policy above (and so a pool address) and get a
! virtual-access interface cloned from Virtual-Template1.
crypto ikev2 profile IKEv2_PROFILE
match certificate CERT_MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPNSERVERCERT
aaa authorization group cert list IKEv2_GROUP_AUTHZ IKEv2_AUTHZ_POLICY
virtual-template 1

! No transform set is given, so the IPsec SA uses the IOS default
! (esp-aes esp-sha-hmac); add "set transform-set" to pin stronger algorithms.
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEv2_PROFILE

! The loopback supplies the tunnel-side address that every per-client
! virtual-access interface borrows through ip unnumbered.
interface loopback 0
ip address 172.16.1.1 255.255.255.255

! MTU/MSS are lowered to leave room for the ESP and outer IP headers.
interface Virtual-Template1 type tunnel
description Cisco AnyConnect IKEv2
ip unnumbered loopback0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE

! User certificate. Generating the user's key pair on the router and
! exporting it is a lab shortcut: the private key crosses the network over
! cleartext TFTP protected only by the PKCS#12 passphrase, so use a strong
! passphrase instead of "password". In production the client should
! generate its own key pair and enroll, so the private key never leaves it.
crypto key generate rsa general-keys modulus 2048 exportable label VPNUSERCERT

crypto pki trustpoint VPNUSERCERT
enrollment url http://10.0.20.200
subject-name CN=VPNUSERCERT
revocation-check none
rsakeypair VPNUSERCERT

crypto pki authenticate VPNUSERCERT
crypto pki enroll VPNUSERCERT

crypto pki export VPNUSERCERT pkcs12 tftp://10.0.20.10/VPNUSERCERT.pfx password password

! Remove the user's private key and trustpoint from the router once the
! .pfx has been imported on the client.
crypto key zeroize rsa VPNUSERCERT
no crypto pki trustpoint VPNUSERCERT

! AnyConnect does not support the IKEv2 hash-and-URL certificate exchange,
! so make the router send full certificates rather than HTTP lookups.
! Enrollment is finished, so the HTTP server is no longer needed; re-enable
! it whenever another certificate has to be enrolled over SCEP.
no crypto ikev2 http-url cert
no ip http server
no ip http secure-server


In this video I show how to configure a client-to-site IKEv2/IPSec tunnel on a Cisco ISR router using certificates for authentication, as well as how to configure Cisco AnyConnect on the client PC.

Video Timeline

0:00 – Introduction
1:42 – Basic Router Configuration
       -Internet Connectivity
       -Domain Name
       -Name Servers
       -Date/Time Synchronization with NTP Server
5:35 – AAA Configuration
       -Enable AAA New-Model
       -AAA Authorization List
6:46 – Certificate Authority Configuration
       -Enable HTTP Server
       -RSA Keypair
       -Configure CA
12:36 – Router Trustpoint/Certificate Configuration
       -RSA Keypair
       -Configure Trustpoint
       -Authenticate and Enroll
19:02 – Core IKEv2 Configuration Components
       -IP Pool
       -IKEv2 Authorization Policy
       -IKEv2 Proposal
       -IKEv2 Policy
       -Certificate Map
       -IKEv2 Profile
       -IPSec Profile
       -Create Loopback Interface
       -Create Virtual Template
33:43 – Client/User Trustpoint/Certificate Configuration
       -RSA Keypair
       -Configure Trustpoint
       -Authenticate and Enroll
       -Export Cert
       -Zeroize Keys and Remove Trustpoint
41:30 – Some Final Things Before Configuring AnyConnect
       -No crypto ikev2 http-url cert
       -No ip http server
42:49 – AnyConnect Installation and Configuration
       -Install AnyConnect
       -Import Client/User Cert
       -Configure AnyConnect
       -Test Connection
52:50 – Finalizing the Configuration for Internet Access Through the Tunnel
       -Setting DNS Server(s)
       -Finalizing NAT
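The sample configuration above contains several shortcuts that are fine in a lab but should not reach production: a CA that auto-grants every request, trustpoints with revocation checking disabled, exportable key pairs, a user private key exported over cleartext TFTP with a trivial PKCS#12 passphrase, and an IPsec profile that falls back to the default transform set. The following Python audit is an added example (not code from the page or from Cisco): it parses an IOS configuration in the same typed-at-the-CLI form (unindented subcommands, blocks closed by `exit` or the next top-level command), applies those checks plus a weak-algorithm check on the IKEv2 proposal, and runs them over an excerpt of the page's sample. The rule names, the 12-character passphrase threshold and the list of "weak" IKE tokens are assumptions made here, not Cisco definitions.

```python
import re

# Constructed input: an excerpt of the page's sample configuration as typed at
# the CLI (subcommands unindented, blocks closed by "exit" or the next command).
SAMPLE_CONFIG = """\
ip http server
crypto key generate rsa general-keys modulus 2048 exportable label VPN_CA
crypto pki server VPN_CA
grant auto
no shut
exit
crypto key generate rsa general-keys modulus 2048 exportable label VPNSERVERCERT
crypto pki trustpoint VPNSERVERCERT
revocation-check none
rsakeypair VPNSERVERCERT
exit
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14 19
crypto ikev2 profile IKEv2_PROFILE
authentication remote rsa-sig
authentication local rsa-sig
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEv2_PROFILE
crypto key generate rsa general-keys modulus 2048 exportable label VPNUSERCERT
crypto pki trustpoint VPNUSERCERT
revocation-check none
rsakeypair VPNUSERCERT
crypto pki export VPNUSERCERT pkcs12 tftp://10.0.20.10/VPNUSERCERT.pfx password password
no crypto ikev2 http-url cert
no ip http server
"""

# Block headers whose following lines are subcommands, and commands that are
# always top level (so they close an open block). Both lists are assumptions
# sized to this kind of config, not a full IOS grammar.
BLOCK_START = ("crypto pki server ", "crypto pki trustpoint ", "crypto ikev2 proposal ",
               "crypto ikev2 profile ", "crypto ipsec profile ", "interface ")
TOP_LEVEL = ("aaa ", "ip ", "ntp ", "mkdir ", "crypto key ", "crypto pki authenticate ",
             "crypto pki enroll ", "crypto pki export ", "no ip ", "no crypto ")
WEAK_IKE = {"des", "3des", "md5", "sha1", "1", "2", "5"}  # tokens on proposal lines


def parse(config):
    """Split a config into top-level commands and (header, [subcommands]) blocks."""
    top, blocks, cur = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(BLOCK_START):
            cur = (line, [])
            blocks.append(cur)
        elif line == "exit":
            cur = None
        elif line.startswith(TOP_LEVEL) or cur is None:
            cur = None
            top.append(line)
        else:
            cur[1].append(line)  # e.g. "no shut" inside crypto pki server
    return top, blocks


def audit(config):
    """Return (rule, subject) findings for lab-only settings in the config."""
    top, blocks = parse(config)
    findings = []
    for line in top:
        if line.startswith("crypto key generate rsa") and " exportable" in line:
            label = re.search(r"label (\S+)", line)
            findings.append(("exportable-key", label.group(1) if label else line))
        m = re.match(r"crypto pki export (\S+) pkcs12 (\w+)://\S+ password (\S+)", line)
        if m:
            name, scheme, passphrase = m.groups()
            if scheme in ("tftp", "ftp", "http"):  # private key crosses the wire in clear
                findings.append(("cleartext-key-export", name))
            if len(passphrase) < 12 or passphrase.lower() == "password":
                findings.append(("weak-pkcs12-password", name))
    # "ip http server" is a finding only if it is still enabled at the end.
    http = [l for l in top if l in ("ip http server", "no ip http server")]
    if http and http[-1] == "ip http server":
        findings.append(("http-server-enabled", http[-1]))
    for header, sub in blocks:
        name = header.split()[-1]
        if header.startswith("crypto pki server") and "grant auto" in sub:
            findings.append(("ca-grant-auto", name))
        if header.startswith("crypto pki trustpoint") and "revocation-check none" in sub:
            findings.append(("no-revocation-check", name))
        if header.startswith("crypto ikev2 proposal"):
            for s in sub:
                words = s.split()
                if words[0] in ("encryption", "integrity", "group") and WEAK_IKE & set(words[1:]):
                    findings.append(("weak-ikev2-proposal", f"{name}: {s}"))
        if header.startswith("crypto ikev2 profile"):
            for s in sub:
                if s.startswith("authentication remote") and not s.endswith(("rsa-sig", "ecdsa-sig")):
                    findings.append(("non-certificate-auth", f"{name}: {s}"))
        if header.startswith("crypto ipsec profile") and not any(s.startswith("set transform-set") for s in sub):
            findings.append(("default-transform-set", name))  # IOS default: esp-aes esp-sha-hmac
    return findings


if __name__ == "__main__":
    for rule, subject in audit(SAMPLE_CONFIG):
        print(f"{rule:24} {subject}")
```

Against the excerpt the audit reports three exportable keys, two trustpoints without revocation checking, the auto-granting CA, the TFTP export and its passphrase, and the unpinned transform set; it stays silent on the HTTP server because `no ip http server` appears later, and on the IKEv2 proposal because only SHA-2 and groups 14/19/20/21 are offered. Feeding it the running configuration (`show running-config`, which indents subcommands, is handled by the `strip()`) is a quick way to confirm those shortcuts were actually removed before a router goes live.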
