The intention of this blog post is to describe the steps to configure certificate authentication for FlexVPN on a Cisco IOS router. This post will not describe all the steps to enrol for a certificate or all the steps to configure FlexVPN, refer to the previous blog posts list below.
The configuration used is based on the FlexVPN sVTI blog post below and has successfully enrolled for certificates on all routers. VPN connectivity has been established using PSK, the configuration below will convert from PSK to certificate authentication.
Requesting a certificate on Cisco IOS router using SCEP or manual enrolment
Configuring FlexVPN VTI and Hub-and-Spoke on Cisco routers
Configure FlexVPN for Certificate authentication
All certificates in this FlexVPN lab are signed by the CA called lab-PKI-CA
Run the command show crypto pki certificates to identify the issuer, in this instance lab-PKI-CA
Continue reading Configuring Cisco FlexVPN with Certificate authentication
This post describes how to configure a Cisco IOS Router with WebVPN. Cisco ISE (v2.1) will be used as a RADIUS server, to provide authentication and authorization. For testing purposes group membership will be used to determined which RADIUS attributes will be pushed to the connecting client.
RADIUS Server Configuration
For authorization Admin users will be permitted to use split tunnel, these configuration settings will be controlled centrally and pushed to the clients if they pass authorization.
Step 1 – Define Network Device
Add the Router as a Network Device, ensure to enter the shared secret password, this must match the shared secret configured on the router.
Continue reading Configuring Cisco IOS SSL-VPN with RADIUS
When using a Cisco ASA with the AnyConnect VPN Client software in some instances it is useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure per user a static IP address and use this IP address whenever the user connects to the VPN. The RADIUS Server (in this instance Cisco ISE 2.0) can be configured to query the attribute in AD which is the” msRADIUSFramedIPAddress” value and assign to the client whenever they connect.
This blog post describes the steps to modify the configuration of ASA/ISE/AD and assumes the Cisco ASA is already properly configured and users can successfully authenticate using the AnyConnect VPN client and receive an IP address from the IP Address Pool. Cisco ISE is defined as the RADIUS Server with Active Directory defined as the External Identity Source.
Continue reading Cisco ASA AnyConnect VPN with Static Client IP Address
This post details the configuration on how to configure a DMVPN Phase 3 VPN in a Dual Hub Single Cloud. I previously wrote a post on configuring DMVPN Phase 2, refer to this post for more detailed information on configuring DMVPN.
As per most previous posts GNS3 was used to lab the configuration. I had to use the Advanced Security IOS image “c7200-advsecurityk9-mz.152-4.M7” instead of my normal Advanced IP Services IOS image “c7200-advipservicesk9-mz.152-4.S4” because that version does not support NHRP redirect required for DMVPN Phase 3. The error received when configuring NHRP redirect is: % NHRP-WARNING: ‘ip nhrp redirect’ failed to initialise.
This post covers the following:
Front Door VRF
Dual DMVPN Hub configuration
DMVPN Spoke configuration
DMVPN NHS Clustering (dual active Hubs and Active/Standby Hub)
- DMVPN Phase 3
The router default ISAKMP Policy, IPSec Transform Set and IPSec Profile were used and therefore not covered in this post. This previous post covers ISAKMP and IPSec Policy/Profile creation.
The lab scenario has 6 x Cisco IOS 15.2(4) routers as represented in the diagram below.
Continue reading Configuring DMVPN Phase 3 Dual Hub
This blog post provides the simple configuration information to setup a Site-to-Site VPN between two Cisco ASA firewalls using the IKEv2 protocol.
The following lab scenario was setup in GNS3 using the following images:
- Cisco ASAv version 9.5(2)
- Cisco IOS version 15.2(4)
A VPN will be setup between the 2 Cisco ASA firewalls (ASAv-1 and ASAv-2). The 2 routers (R1 and R2) will act as hosts in the local networks in order to generate traffic to initiate the VPN tunnel on demand.
Continue reading Configuring IKEv2 Site-to-Site VPN on Cisco ASA
In a FlexVPN Hub and Spoke design spoke routers are configured with a normal static VTI with the tunnel destination of the Hub’s IP address, the Hub however is configured with a Dynamic VTI. The DVTI on the Hub router is not configured with a static mapping to the peer’s IP address. The VTI on the Hub is created dynamically from a preconfigured tunnel template “virtual-template” when a tunnel is initiated by the spoke router/peer. The dynamic tunnel spawns a separate “virtual-access” interface for each spoke tunnel, inheriting the configuration from the cloned the template.
Continue reading Configuring Cisco FlexVPN Hub-and-Spoke
As mentioned in the previous blog post when configuring FlexVPN configuration can be minimized by using the Smart Defaults, they comprises of default configurations for IKEv2 Proposal, IKEv2 Policy, IPSec Profile and Transform Set. This post provides a simple configuration example when using Smart Defaults and when using custom configurations.
Configuration Example – FlexVPN SVTI with Smart Defaults
This simple lab configuration is to setup a SVTI Site-to-Site VPN between 2 Cisco IOS routers.
Continue reading Configuring Cisco FlexVPN SVTI