Anyconnect Ipsec Configuration




The bottom line is that remote-access Cisco IPSEC VPN is a dead technology; Cisco (and me!) want you to use AnyConnect. For a couple of users you can use the workarounds above, but that won't scale well. So if you don't want to ditch IPSEC VPN, you will have to go with third-party software to connect to your device.

Site-to-Site IKEv2 IPSec VPN Configuration - Lab Topology. Before proceeding, make sure that all the IP addresses of your network devices are configured correctly, that routing is configured correctly, and that you can reach all the devices by pinging all IP addresses. Step 1: Configure the hostname and domain name on the IPSec peer routers.

IPSec VPN is a security feature that allows you to create a secure communication link (also called a VPN tunnel) between two different networks located at different sites. Cisco IOS routers can be used to set up a VPN tunnel between two sites, and traffic such as data, voice and video can be securely transmitted through it. In this post, I will show the steps to configure a site-to-site IPSec VPN tunnel on a Cisco IOS router. You can also see how to configure IPSec VPN with a dynamic IP on a Cisco IOS router.

Configure Site to Site IPSec VPN Tunnel in Cisco IOS Router


The diagram below shows our simple scenario. The two sites have static public IP addresses as shown in the diagram: R1 is configured with 70.54.241.1/24 and R2 with 199.88.212.2/24. As of now, both routers have only a very basic setup: IP addresses, NAT overload, a default route, hostnames, SSH logins, etc.

There are two phases in IPSec configuration, called Phase 1 and Phase 2. Let's start the configuration with R1. Before you start configuring the IPSec VPN, make sure both routers can reach each other. I have already verified that both routers can ping each other, so let's start the VPN configuration.

Step 1. Configuring IPSec Phase 1 (ISAKMP Policy)

Here are the details of each command used in this step:

  • crypto isakmp policy 5 – This command creates ISAKMP policy number 5. You can create multiple policies, for example 7, 8 and 9, with different settings. Routers participating in the Phase 1 negotiation try to match the peer's proposal against their list of policies one by one. If a policy matches, the IPSec negotiation moves on to Phase 2.
  • hash sha – SHA algorithm will be used.
  • authentication pre-share – Authentication method is pre-shared key.
  • group 2 – Diffie-Hellman group to be used is group 2.
  • encryption 3des – 3DES encryption algorithm will be used for Phase 1.
  • lifetime 86400 – Phase 1 lifetime is 86400 seconds.
  • crypto isakmp key cisco@123 address 199.88.212.2 – The Phase 1 pre-shared key is cisco@123 and the remote peer IP address is 199.88.212.2.


Step 2. Configuring IPSec Phase 2 (Transform Set)

Here are the details of each command used in this step:

  • crypto ipsec transform-set MY-SET – Creates a transform set called MY-SET.
  • esp-aes – AES encryption with the ESP IPSec protocol will be used.
  • esp-md5-hmac – MD5 HMAC will be used for ESP integrity.
  • crypto ipsec security-association lifetime seconds – This is the amount of time the Phase 2 security association exists before it is renegotiated.

Step 3. Configuring Extended ACL for interesting traffic.

This ACL defines the interesting traffic that needs to go through the VPN tunnel. Here, traffic originating from the 192.168.1.0 network destined for the 192.168.2.0 network will go via the VPN tunnel. This ACL will be referenced by the crypto map in Step 4.

Step 4. Configure Crypto Map.

Here are the details of each command used in this step:

  • crypto map IPSEC-STE-TO-STE-VPN 10 ipsec-isakmp – Creates a new crypto map entry with sequence number 10. You can add more sequence numbers under the same crypto map name if you have multiple sites.
  • match address VPN-TRAFFIC – Matches the interesting traffic from the ACL named VPN-TRAFFIC.
  • set peer 199.88.212.2 – This is the public IP address of R2.
  • set transform-set MY-SET – This links the transform set to this crypto map entry.

Step 5. Apply Crypto Map to outgoing interface of R1.

Step 6. Exclude VPN traffic from NAT Overload.

ACL 101 above denies the interesting traffic in the NAT access list, so it is handed to the crypto map untranslated while all other traffic is still NATed.

Now repeat the same steps on R2, with R1's addresses as the remote side.

Step 1. Configuring IPSec Phase 1 (ISAKMP Policy)

Step 2. Configuring IPSec Phase 2 (Transform Set)

Step 3. Configuring Extended ACL for interesting traffic.

Step 4. Configure Crypto Map.

Step 5. Apply Crypto Map to outgoing interface

Step 6. Exclude VPN traffic from NAT Overload.
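The complete R1 configuration assembled from the six steps above, as an added example rather than the article's own listing; the interface name GigabitEthernet0/0, the ip nat inside source statement and the 3600-second Phase 2 lifetime are assumptions not given in the article.

```cisco
! R1 configuration (added example). Interface name, the ip nat statement
! and the security-association lifetime value are assumptions.
!
! Step 1: Phase 1 (ISAKMP) policy
crypto isakmp policy 5
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco@123 address 199.88.212.2
!
! Step 2: Phase 2 transform set (ESP, AES, MD5-HMAC); 3600 s is the IOS default
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
!
! Step 3: interesting traffic, written with wildcard masks
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step 4: crypto map binding peer, ACL and transform set
crypto map IPSEC-STE-TO-STE-VPN 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set peer 199.88.212.2
 set transform-set MY-SET
!
! Step 5: apply the crypto map on the public-facing interface (name assumed)
interface GigabitEthernet0/0
 ip address 70.54.241.1 255.255.255.0
 crypto map IPSEC-STE-TO-STE-VPN
!
! Step 6: keep tunnel traffic out of NAT overload. The deny line must
! precede the permit, or translated packets never match VPN-TRAFFIC.
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
! Hardened Phase 1/2 (3DES, MD5 and DH group 2 are deprecated; IOS 15.x+):
!  crypto isakmp policy 5
!   encryption aes 256
!   hash sha256
!   group 14
!  crypto ipsec transform-set MY-SET esp-aes 256 esp-sha256-hmac
!  crypto map IPSEC-STE-TO-STE-VPN 10 ipsec-isakmp
!   set pfs group14
```

R2 mirrors this with the two LAN subnets swapped, 70.54.241.1 as the peer and key address, and 199.88.212.2 on its own outside interface; both sides must use the same Phase 1 and Phase 2 parameters, so the hardened variant has to be applied on both routers at once.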

Verification and testing.

To test the VPN connection, let's ping from R1 to PC2.

As you can see, the ping from R1 to PC2 is successful. Don't forget to source the ping from the inside IP address when testing the VPN tunnel from the router; otherwise the ping leaves from the public interface and does not match the crypto ACL. You can also ping from PC1 to PC2.

To verify the IPSec Phase 1 connection, use show crypto isakmp sa.

To verify the IPSec Phase 2 connection, use show crypto ipsec sa.


You can also view active IPSec sessions using the show crypto session command.

In this way you can configure a site-to-site IPSec VPN tunnel on a Cisco IOS router.

Bipin is a freelance Network and System Engineer with expertise in Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys writing articles and tutorials related to network technologies. Some of his certifications are MCSE: Messaging, JNCIP-SEC, JNCIS-ENT, and others.

This page describes how to configure IPsec to connect a pfSense® router and a Cisco IOS router with IPsec capabilities.

Example Network¶

This diagram shows the specifics of the network where this VPN is being configured. For the sake of this documentation, both hosts were on private subnets, but the setup is functionally equivalent to two hosts across the Internet.

Configuring the router¶

First, configure the phase 1 settings with a crypto isakmp policy. The following sets it to 3DES, SHA and group 2 to match the pfSense configuration shown later.

Next, configure the pre-shared key. The key in this example is ABCDEFG, but be sure to use something random and secure for any production deployment. 10.0.66.22 is the WAN IP of the pfSense system being used.

Next, configure the transform set for phase 2. This uses ESP, 3DES and SHA. The transform set is named 3DES-SHA, which is how it will be referred to later.

Now configure an access list that will match the local and remote subnets on the pfSense router. This is configured as access-list 100, which will be used in the next step. Remember that this uses wildcard masks, so a /24 network (255.255.255.0 mask) is represented as 0.0.0.255.

Now configure the crypto map for this VPN:

Lastly, under the interface configuration for the interface where the VPN will terminate (the one with the public IP), assign the crypto map:

The configuration is then finished on the Cisco side.

Configuring pfSense Software¶

This screenshot shows the pfSense configuration matching the above Cisco configuration.

In the above example, the pfSense IPsec tunnel should be set as follows:

Phase 1:

  • Remote Gateway: 10.0.64.175
  • Authentication Method: Pre-Shared Key
  • Negotiation Mode: Main
  • My Identifier: My IP Address
  • Pre-Shared Key: ABCDEFG
  • Encryption Algorithm: 3DES
  • Hash Algorithm: SHA1
  • DH Key Group: 2
  • Lifetime: 28800
  • NAT Traversal: Disable

It may also be advisable to set Proposal Checking to Obey to avoid some issues with building a tunnel when the other side initiates.

Phase 2:

  • Mode: Tunnel IPv4
  • Local Network: LAN Subnet
  • Remote Network: 172.26.5.0/24
  • Protocol: ESP
  • Encryption Algorithm: 3DES (others may also be checked, but be sure to leave 3DES checked)
  • Hash Algorithm: SHA1
  • PFS Key Group: 2
  • Lifetime: 3600

Testing the connection¶

To test the connection, from the pfSense router, do the following:

  • Navigate to Diagnostics > Ping

  • Enter an IP address on the remote network

  • Choose the LAN interface

  • Click Ping.

The initial negotiation may make all three of the first pings time out, so try it a second time as well. If configured as depicted above, once the tunnel connects, the following will be seen:

Troubleshooting¶

If the connection doesn't come up, there is a mismatch somewhere in the configuration. Depending on the specifics, more useful information may be obtained from the pfSense router or the Cisco router, so checking the logs on both ends is recommended. For pfSense software, browse to Status > System Logs on the IPsec tab. On the Cisco router, run debug crypto isakmp and term mon (if not connected via the serial console) to make the debug messages appear in the session. The output can be verbose, but it will usually state specifically what was mismatched.

“No NAT” List on Cisco IOS¶

It may also be necessary to tell Cisco IOS not to NAT the traffic that is destined for the IPsec tunnel. There are several ways to accomplish this, depending on how the router has NAT configured. If the following example does not help, there are several examples that turn up in a Google search for "cisco ios nonat ipsec":

This will direct the router to skip NAT when the traffic is going from the subnet behind the Cisco router to the subnet behind the pfSense router, but to apply it in all other cases.