In this post I will explain how to configure WebVPN (sometimes called SSL VPN) using the AnyConnect VPN client on a Cisco 870 router. However, the configuration example and the concepts are the same for other Cisco router models as well.
Web Based VPN has three Remote Access modes:
Clientless – You connect to a web page portal from which you can access web-based applications, file sharing and Outlook Web Access (OWA) inside the corporate network.
Thin client – This mode allows TCP port forwarding for applications such as Telnet, SSH, SMTP, POP3 and Remote Desktop Connection (RDP). It uses a Java applet. This mode can be used only with TCP-based applications.
Tunnel Mode or AnyConnect VPN client – almost the same as an Easy VPN client (IPsec VPN client). In this mode you must have Administrator permissions on your remote laptop/PC, and any IP-based application can be used through the tunnel. A Java client is downloaded to the user’s PC and provides the security and encryption from the remote user towards the termination device (router or firewall).
Both the ASA and Cisco IOS routers support WebVPN technologies. On the ASA an extra license is required if you want more than two users for your remote-access WebVPN; without purchasing a license, only two users are supported.
We will be using the following Network diagram in our example:
Requirements for Anyconnect VPN:
- Java runtime 1.4 or later.
- Cisco IOS 12.4(15)T7 (supports ONLY clientless Web Based VPN)
- CISCO IOS 12.4(20)T (supports all web vpn modes, both clientless and anyconnect Client VPN).
Used in Lab for this tutorial:
- Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
- AnyConnect client: anyconnect-win-2.3.2016-k9
- FireFox 3.6.8 and IE 8
- Windows XP SP2 and Windows Server Ultimate 32 bit
Configuration.
!Configure Certificate
crypto pki trustpoint local
enrollment selfsigned
revocation-check crl
rsakeypair my_key 1024 1024
!Generate Certificate and turn on HTTPS Service
crypto pki enroll local
ip http secure-server
!Before starting the actual WebVPN configuration, we first configure the gateway: on which IP address we terminate the AnyConnect VPN, which certificate to use, on which port the VPN listens, and any redirection needed (i.e. if a request arrives on port 80, the user is redirected to port 443). All of these are configured under the webvpn gateway mode.
! Enter webvpn gateway configuration mode to configure the SSL VPN gateway. Only one gateway is configured in an SSL VPN network.
webvpn gateway soho
! configure hostname for SSL VPN; in our example hostname is home
hostname home
!configure the IP address and port on which the SSL VPN gateway listens.
ip address 99.99.99.160 port 443
!Configure SSL Certificate; in our Example this Certificate is Self-signed
ssl trustpoint local
!configure the redirect. If somebody connects to TCP port 80, they are redirected to port 443.
http-redirect port 80
! Enable WebVPN Gateway
inservice
!turn on AAA; for authentication we use the local user database
aaa new-model
aaa authentication login webvpn local
!Create Local address pool, from which we’ll assign IP addresses to anyconnect clients.
ip local pool webvpn1 192.168.2.5 192.168.2.10
!Create loopback interface, if we want to announce this network in any dynamic protocol.
interface Loopback2
ip address 192.168.2.1 255.255.255.0
!Create the access list that will later be used to control what the WebVPN client is allowed to reach. This is not the access list for split tunneling; the split tunnel is configured in context configuration mode.
!
ip access-list extended webvpn-acl
permit tcp 192.168.2.0 0.0.0.255 host 192.168.3.100 eq 3389
!
!After this we need to create a profile context.
! Create Webvpn context; same as profile on easy vpn
webvpn context networkstraining.com
! change the default title (use straight quotes; curly quotes are not accepted by the IOS parser)
title "IP Networks Training and Tutorials"
! Verify SSL Certificate.
ssl authenticate verify all
! Change the default message displayed on the login page before the user logs in.
login-message "Enter your credentials"
!Configure policy for this group with name networkstraining
policy group networkstraining
!configure the banner displayed after a successful login
banner "authentication success"
! enable tunnel support for the remote user. If the Cisco AnyConnect VPN Client software package fails to install, the remote user can continue to use clientless mode or thin-client mode.
functions svc-enabled
! Below we configure an SSL VPN tunnel access filter that uses the ACL created above. It lets us control which traffic is allowed or blocked inside the tunnel. In our example the webvpn-acl access list permits access from network 192.168.2.0/24 to TCP 3389 (Remote Desktop Protocol) on host 192.168.3.100; everything else is blocked.
filter tunnel webvpn-acl
! Configure the IP address pool. When a client connects via the AnyConnect client, an IP address is assigned from this pool.
svc address-pool webvpn1
! Configures the default domain for the policy group.
svc default-domain "http://networks-trainingwp.8rkhfrrwpy-e9249nqvk6kr.p.runcloud.link"
! Keep the Cisco AnyConnect client installed on the user's PC. When this is not turned on, the AnyConnect client is automatically uninstalled when the user disconnects.
svc keep-client-installed
!After a successful authorization the client is shown the URL below as its homepage
svc homepage "http://networks-trainingwp.8rkhfrrwpy-e9249nqvk6kr.p.runcloud.link"
!Configures the tunnel key to be refreshed by initiating a new tunnel connection
svc rekey method new-tunnel
! Below is the split tunnel configuration, which specifies the destination network that is reached through the tunnel when the user connects via the AnyConnect client. If this parameter is omitted, the result is a full tunnel, meaning all client traffic passes through the Cisco WebVPN server.
svc split include 192.168.3.0 255.255.255.0
!Make the policy group created above the default policy group for this context (it must reference an existing policy group, so the name has to match)
default-group-policy networkstraining
!The name of the AAA authentication list. We already created the AAA login list named webvpn above, and it is used here.
aaa authentication list webvpn
! Bind this context to Gateway created above
gateway soho
! Activate created context.
inservice
After the above we need to install the AnyConnect client package into the flash memory of the router. The AnyConnect client version must support the operating system of the users who will be using the AnyConnect service.
webvpn#copy tftp://192.168.3.100/anyconnect-win-2.3.2016-k9.pkg flash
webvpn(config)#webvpn install svc flash:anyconnect-win-2.3.2016-k9.pkg
After this we check in the running configuration that the AnyConnect client installation was successful.
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
This page describes how to configure IPsec to connect a pfSense® router and a Cisco IOS router with IPsec capabilities.
Example Network
This diagram shows the specifics of the network where this VPN is being configured. For the sake of this documentation, both hosts were on private subnets, but functionally equivalent to two hosts across the Internet.
Configuring the router
First, configure the phase 1 settings with a crypto isakmp policy. The following sets it for 3DES, SHA and group 2 to match the pfSense configuration shown later.
Next, configure the pre-shared key. The key in this example is ABCDEFG, but be sure to use something random and secure for any production deployments. 10.0.66.22 is the WAN IP of the pfSense system being used.
Next configure the transform set for phase 2. This uses ESP, 3DES and SHA. The transform set is named 3DES-SHA, which is how it will be referred to later.
Now configure an access list that will match the local and remote subnets on the pfSense router. This is configured as access-list 100, which will be used in the next step. Remember this uses wildcard masks, so a /24 network (255.255.255.0 mask) is represented as 0.0.0.255.
Now configure the crypto map for this VPN:
Lastly, under the interface configuration for the interface where the VPN will terminate (the one with the public IP), assign the crypto map:
The configuration is then finished on the Cisco side.
Configuring pfSense Software
This screenshot shows the pfSense configuration matching the above Cisco configuration.
In the above example, the pfSense IPsec tunnel should be set as follows:
Phase 1:
- Remote Gateway: 10.0.64.175
- Authentication Method: Pre-Shared Key
- Negotiation Mode: Main
- My Identifier: My IP Address
- Pre-Shared Key: ABCDEFG
- Encryption Algorithm: 3DES
- Hash Algorithm: SHA1
- DH Key Group: 2
- Lifetime: 28800
- NAT Traversal: Disable
It may also be advisable to set Proposal Checking to Obey to avoid some issues with building a tunnel when the other side initiates.
Phase 2:
- Mode: Tunnel IPv4
- Local Network: LAN Subnet
- Remote Network: 172.26.5.0/24
- Protocol: ESP
- Encryption Algorithm: 3DES (others may also be checked, but be sure to leave 3DES checked)
- Hash Algorithm: SHA1
- PFS Key Group: 2
- Lifetime: 3600
Testing the connection
To test the connection, from the pfSense router, do the following:
Navigate to Diagnostics > Ping
Enter an IP address on the remote network
Choose the LAN interface
Click Ping.
The initial negotiation may make all three of the first pings time out, so try it a second time as well. If configured as depicted above, once the tunnel connects, the following will be seen:
Troubleshooting
If the connection doesn’t come up, there is a mismatch somewhere in the configuration. Depending on specifics, more useful information may be obtained from the pfSense router or the Cisco router. Checking logs on both ends is recommended. For pfSense software, browse to Status > System Logs on the IPsec tab. For Cisco, run debug crypto isakmp and term mon (if not connected via serial console) to make the debug messages appear in a session. The output can be verbose, but will usually tell specifically what was mismatched.
“No NAT” List on Cisco IOS
It may also be necessary to tell Cisco IOS not to NAT the traffic that is destined for the IPsec tunnel. There are several ways to accomplish this, depending on how the router has NAT configured. If the following example does not help, there are several examples that turn up in a Google search for “cisco ios nonat ipsec”:
This will direct the router to prevent NAT if the traffic is going from the subnet behind the Cisco router to the subnet behind the pfSense router, but allow it in all other cases.
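One ACL-based way to exempt the tunnel traffic from NAT, as an added example that is not from the original page. The pfSense LAN 192.168.1.0/24 (the page only says "LAN Subnet"), the NONAT ACL name and the interface roles (Vlan1 inside, FastEthernet4 outside) are assumptions.

```ios
! Added example, not from the original page. Assumptions: pfSense LAN is
! 192.168.1.0/24, Vlan1 is the inside interface, FastEthernet4 is outside,
! and the NAT rule is ACL-based (named NONAT here).
!
! "deny" in a NAT ACL means "do not translate": traffic from the Cisco LAN
! (172.26.5.0/24) to the pfSense LAN keeps its real source address so it
! matches crypto ACL 100 and enters the tunnel. Everything else is translated.
ip access-list extended NONAT
 deny   ip 172.26.5.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.26.5.0 0.0.0.255 any
!
! PAT (overload) onto the outside interface for everything the ACL permits.
ip nat inside source list NONAT interface FastEthernet4 overload
!
! Interface roles for NAT.
interface Vlan1
 ip nat inside
interface FastEthernet4
 ip nat outside
```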