
Cisco AnyConnect VPN

Posted on 2012-08-17
Last Modified: 2014-08-15
Hello Fellas,

I have a Cisco 1941 with the K9 licenses. I have a DMVPN running on the router (HUB), but I want to configure a VPN so that my remote users can connect to this router and have access to our network. I don't want to use SSL VPN, since I don't have the license for the feature, but how do I configure AnyConnect?

I have CCP installed and I ran the wizard. I enabled AAA to use local auth only, since I need to do testing before I configure RADIUS. When I ran the wizard I picked Easy VPN Server, because my understanding is that the VPN Remote is not for connections with the user client application. Does anyone have a step-by-step manual? I found this on the Cisco website:

http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/25/software/user/guide/EZVPNS.html

and it looks right to me. I haven't understood the VTI yet, but I have used the internal and the external and I haven't had any luck. Every time I tried to connect with the client I got:

- Certificate Error - Loading the certificate that is on the device (I am OK with this right now, but I would like to fix it after the VPN is working)
- I got: not valid certificate for authentication
- Connection attempt has failed

I am using Cisco AnyConnect Secure Mobility Client version 3.1.00495

Thanks!
Question by:Tanus Sacin
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 38307239
Hi,

Please provide us:
sh ver
sh run
 

Author Comment

by:Tanus Sacin
ID: 38307937
Here it is:


Este1941#sh ver
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 15-Nov-10 21:08 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)

Este1941 uptime is 14 weeks, 6 days, 19 hours, 21 minutes
System returned to ROM by power-on
System image file is "flash:c1900-universalk9-mz.SPA.151-3.T.bin"
Last reload type: Normal Reload

Technology Package License Information for Module:'c1900'

----------------------------------------------------------------
Technology    Technology-package          Technology-package
              Current       Type          Next reboot
-----------------------------------------------------------------
ipbase        ipbasek9      Permanent     ipbasek9
security      securityk9    Permanent     securityk9
data          None          None          None

Configuration register is 0x2102



Este1941#sh run
Building configuration...

Current configuration : 5114 bytes
!
! Last configuration change at 00:42:08 UTC Sat Aug 18 2012 by mgadmin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Este1941
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2825008328
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2825008328
 revocation-check none
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2825008328
 certificate self-signed 01
        quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1941/K9 sn FTX143802JB
!
!
username XXXXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
!
!
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXX address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group VPN-Test
 key XXXXXXXX
 dns 172.19.21.20
 domain XXXXXXXXX
 pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN-Test
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
!
crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA2
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 4.4.4.53 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXXX
 ip nhrp map multicast 69.7.XX.XX
 ip nhrp map 4.4.4.1 69.7.XX.XX
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 4.4.4.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface GigabitEthernet0/0
 description Interna
 ip address 172.19.12.7 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Externa$ES_LAN$
 ip address XXXXXXXXXXXXXXXXXXXX
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile2
!
!
router eigrp 101
 network 4.4.4.0 0.0.0.255
 network 172.19.12.0 0.0.0.255
!
ip local pool SDM_POOL_2 172.19.12.230 172.19.12.235
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXX
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 password 7 141A1108051729242C2726
line aux 0
line vty 0 4
 transport input ssh
 transport output ssh
!
scheduler allocate 20000 1000
end

Este1941#
 
LVL 6

Accepted Solution

by:
SebastianAbbinanti earned 2000 total points
ID: 38309739
This Cisco AnyConnect client is used for SSL VPN (thin client). You want to use the Cisco IPSec VPN client and create an IPSec VPN for remote access. This client is available for both x86 and x64 Windows platforms. Additionally, it is built into Mac OS X 10.5 and above as well as Apple's iOS for iPads, iPhones and the like.

For more information on the Cisco IPSec client, or to download it, follow the link: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html

Best of Luck!
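
The mismatch described in the answer above can be checked straight from a running-config. This is an added example, not part of the original post or any Cisco tool: it reports which remote-access head-end a config defines and which client family matches it. The sample is a constructed excerpt of the posted config, the function names are hypothetical, and a `webvpn gateway` block is assumed to be the marker for an SSL VPN head-end.

```python
import re

# Constructed excerpt modelled on the Easy VPN lines of the posted config.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group VPN-Test
 key XXXXXXXX
 pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN-Test
   client authentication list ciscocp_vpn_xauth_ml_2
   virtual-template 1
"""

def parse_blocks(config):
    """Map each top-level IOS line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            current = blocks.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return blocks

def remote_access_services(config):
    """List the remote-access VPN head-ends a running-config defines."""
    found = {"easy_vpn_groups": [], "xauth_profiles": [], "ssl_vpn_gateways": []}
    for head, body in parse_blocks(config).items():
        if m := re.match(r"crypto isakmp client configuration group (\S+)", head):
            found["easy_vpn_groups"].append(m.group(1))
        elif m := re.match(r"crypto isakmp profile (\S+)", head):
            if any(b.startswith("client authentication list") for b in body):
                found["xauth_profiles"].append(m.group(1))
        elif m := re.match(r"webvpn gateway (\S+)", head):
            found["ssl_vpn_gateways"].append(m.group(1))
    return found

def usable_clients(config):
    """Client families with a matching head-end, per the accepted answer."""
    found = remote_access_services(config)
    clients = []
    if found["easy_vpn_groups"]:
        clients.append("Cisco IPSec VPN client")
    if found["ssl_vpn_gateways"]:
        clients.append("AnyConnect (SSL VPN)")
    return clients

print(usable_clients(SAMPLE_CONFIG))
```

An empty list means the config defines no remote-access head-end at all, which is a different problem from picking the wrong client.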
 

Author Comment

by:Tanus Sacin
ID: 38310393
OK, thanks! Do you have a white paper or link on how to configure the IPSec VPN? Is it the same for the Easy VPN using CCP? I am just looking for remote VPN access; it doesn't need to be SSL, but I am having problems with the configuration.
 
LVL 6

Expert Comment

by:SebastianAbbinanti
ID: 38310400
There are several configuration scenarios. Try this site.

Best of Luck!