Cisco Anyconnect Ios
IFM supplies network engineering services for $NZ180+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!
Perhaps your visiting this page because you want to use the latest (as of 2015) cryptography standards available - Suite-B. Perhaps you are interested in fully migrating to IKEv2. Or perhaps you are one of the many people using the 'end of life' Cisco IPSec VPN Client, upgraded to Windows 10, and then found the support somewhat lacking. Perhaps you have come across some articles on the Internet showing solutions, but you don't have Cisco ISE, a RADIUS server or a certificate server, so they wont work for you. Or perhaps you just want to keep your Cisco technology current.
The first solution you should consider is using the Cisco SSL VPN technology. It doesn't use Suite-B cryptography, but it is much easier to setup. If you don't need super strong cryptography (and don't mind paying the licencing cost) then you should seriously consider this option (which Google can help you find the answers too).
You're still reading this article so that means you do want to use super strong cryptograpy or want to minimise additional licencing costs. This article will show you how to deploy a IKEv2 Suite-B Compliant VPN using the Cisco AnyConnect client (V3.1.12020 or newer) using nothing more than a Cisco IOS router running IOS V15.4(3)M4 or later. You need to be using a minimum of Windows 7 to make Suite-B work. This is perfect for small sites that are light on infrastructure.
For support, resources, or to download software, please visit the Cisco AnyConnect Secure Mobility Client resource center. For the latest AnyConnect application support for Apple iOS or Android, refer to Apple app support or Google Play support. To download the AnyConnect application for Apple iOS or Android mobile devices, click below. The Cisco AnyConnect Secure Mobility Client for Apple iOS provides seamless and secure remote access to enterprise networks. AnyConnect allows installed applications to communicate as though connected directly to the enterprise network. That was very informative and helpful. Unfortunately for me I am going to be using the IPSEC / IKE-RSA (For Certificate Authorization / Authentication) with iOS 15.3 software on a ISR router 891 model. I believe the identity of the Anyconnect client is set inside of the OU of the certificate. Cisco provides system administrators with a comprehensive guide to deploy AnyConnect, customize and localize the client and installer, and edit AnyConnect profiles. More info is available for configuring VPN access, the network access manager, posture, and web security.
If you don't currently have the Cisco AnyConnect client you will need to get a Cisco support contract (such as a SmartNet contract) to be able to download the client. If you need to upgrade the software on your router to 15.4(3)M4 then you will need the same support contract to download the new router software.
Note that AnyConnect with IKEv2 on IOS does not currently support the use of split-acls. Everything will get sent back to the router. If you want the user to have Internet access you'll need to NAT their traffic and send it back out to the Internet. Also note the use of certificates is compulsory. It is not possible to use usernames and passwords (IOS local authentication does not support EAP and AnyConnect only supports EAP for username/password authentication). You will also need a TFTP server on one machine to get certificates off the router. A great free TFTP server is tftpd32.
Basic IOS Functionality Needed
We need some basic fundamentals enabled.
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network grouplist local
ip http server
ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org
Its pretty critical that your router has at least the right date. Having the right time is even better. We have't configured the time zone, but make sure the date and time are about right before continuing (relative to the timezone displayed). If NTP above isn't working in your configuration above then manually set the date and time using the 'clock set ...' command.
REPEAT: DO NOT CONTINUE UNTIL THE DATE AND TIME ARE CORRECT
Certificate Server
You have to deploy certificates. There is no other way to get it going.
First define the new CA.
crypto pki server ca-server
database level names
no database archive
hash sha512
lifetime certificate 3650
lifetime ca-certificate 7305 23 59
eku server-auth client-auth
auto-rollover 365
database url flash:ca
exit
exit
crypto key generate rsa general modulus 4096 exportable label ca-server
do crypto pki server ca-server start
Now we have a CA operating, we need to generate a certificate for our router to identify itself to clients.Ideally you will have a DNS entry for this, but a static IP address should also be fine. The 'IP Address'below is the external public IPv4 address of the router.
Cisco Anyconnect Ios 13
crypto pki trustpoint router
enrollment url http://<ip address>:80
ip-address <ip address>
fqdn <DNS entry pointing to router>
subject-name CN=<site name>,OU=user-vpn,O=<company name>
revocation-check crl
rsakeypair router
auto-enroll regenerate
hash sha512
exit
crypto pki authenticate router
crypto pki enroll router
The certificate server should now have a pending request.
Once you can see the request number you can approve it.
Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:
Crypto Configuration
Below I have allowed for users VPNing in to get an IP address from 192.168.255.1 to 192.168.255.254. You can modify this to use a free IP address block at your site.
crypto ikev2 authorization policy ap-staff
pool vpnusers
route set interface
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14
crypto ikev2 policy default
match fvrf any
proposal default
crypto pki certificate map staff-certificate-map 10
issuer-name co cn = ca-server
crypto ikev2 profile staff
match certificate staff-certificate-map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint router
dpd 60 2 on-demand
aaa authorization group cert list grouplist ap-staff
virtual-template 1
no crypto ikev2 http-url cert
crypto ipsec transform-set tr-gsm256 esp-gcm 256
mode tunnel
crypto ipsec profile staff
set transform-set tr-gsm256
set pfs group21
set ikev2-profile staff
Replace GigabitEthernet0/0 below with whatever is your outside interface which has a public IPv4 address on it. If you are using the zone based firewall then make the below Virtual-Template belong to the 'inside' zone. If you want the user to have Internet access while VPN'ed in then make this the inside NAT interface.
description Cisco AnyConnect IKEv2
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile staff
Take a break, you have now completed the main config on the router, and its time to move onto configuration relating to the client.
Client Related Configuration
This section needs to be repeated for each user you want to be able to VPN in.
We are going to generate the entire certificate on the IOS CA server for the client, and then export it as a chain (including the CA certificate) so we can import it in one step on the client.
Replace user@example.com with the email address of the person you are giving access to. It doesn't have to be an email address actually, but that is my preference.
crypto pki trustpoint user@example.com
enrollment url http://<ip address>:80
serial-number none
fqdn none
ip-address none
subject-name CN=user@example.com
revocation-check none
rsakeypair user@example.com
auto-enroll
hash sha512
We'll now install the CA certificate into new trustpoint for the user and request the certificate.
crypto pki enroll user@example.com
The certificate server should now have a pending request.
Once you can see the request number you can approve it.
Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:
Now we need to export the new certificate as a chain (including the CA certificate) to your TFTP server. Replace 1.1.1.1 with the IP address of your TFTP server. The password is used to encrypt the key and is needed when you import it on the client. The password is not used after that. I have now discovered another way of doing this and that is to export the certificate to a USB memory key. The first line below demonstrates the export to a TFTP server, and the second to a USB memory key plugged into the first USB slot on the router.
crypto pki export user@example.com pkcs12 usbflash0:/user.pfx password <password>
Now copy this file to the end users machine. Double click on the user.pfx file. Enter the password and let the wizard automatically select the certificate store to put the certificates into. Allow it to import extended attributes, and allow it to mark the private key as exportable.
Now we have to delete the user key off the router! Sounds bizarre I know, but the user can not VPN while it still exists on the router.
Cisco Anyconnect Secure Mobility Client
no crypto pki trustpoint user@example.com
Cisco Anyconnect Iphone
Now install the AnyConnect client on the users computer, if it is not installed already. Then we need to create an XML profile for your router. Copy and paste the below profile into notepad. Replace 'Company' with a nice name for the VPN entry as it appears in AnyConnect. I'm not sure if this field supports spaces, so I would avoid using spaces. Change vpn.example.com to the external DNS entry pointing to your router. It is likely to work if you put the routers outside public IPv4 address instead but I have not tested this.
<AnyConnectProfile xmlns='http://schemas.xmlsoap.org/encoding/'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd'>
<ServerList>
<HostEntry>
<HostName>Company</HostName>
<HostAddress>vpn.example.com</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
Cisco Anyconnect Free Download
Now save this file to %ProgramData%CiscoCisco AnyConnect Secure Mobility ClientProfile and call it something like 'Company.xml' where Company is a short name for your company. If AnyConnect is already running you need to quit it and start it running again so that it reads the profile directory. With any luck your new profile will appear in the drop down box and you can click on 'Connect' to connect to your router. You should then be able to ping internal hosts by their IP address.