Configuring Certificate-less FlexVPN for AnyConnect

Dec 7th, 2013

Hello,


My goal is to create a configuration utilizing FlexVPN and the AnyConnect client without using certificates.


In referencing these documents (http://www.cisco.com/en/US/products/ps12922/products_tech_note09186a0080bde100.shtml?referring_site=smartnavRD, http://www.cisco.com/en/US/products/ps12922/products_tech_note09186a0080bde100.shtml, https://supportforums.cisco.com/docs/DOC-28511), I noticed each guide is referring to EAP, which requires the use of certificates. We are fine with using PSKs.


Can somebody please share an example of how to configure an ISR G2 router with FlexVPN that will support connecting with an AnyConnect client (Win 8, 7, XP, iOS, Android) without the use of certificates, with either local DB authentication or RADIUS?


Thank you

Marcin Latosiewicz Sat, 12/07/2013 - 14:27
Cisco Employee

John,


We've had similar discussion a week back or so.


The gist of it:

The IKEv2 RFC mandates that if you're using EAP, you have to use a public-key-based mechanism to authenticate the server to the user.

AC will not work with PSK. (Even though one could conceive of the client using certs and PSK being used on the headend.)


M.

John McNumara Sat, 12/07/2013 - 16:19

Thanks for the response. Is there any way to use a self-signed certificate?

Correct Answer
Marcin Latosiewicz Sun, 12/08/2013 - 00:33
Cisco Employee

John,


The problem is getting an EKU/KU on the certificate. If you can craft it and make sure it's trusted by all the clients, indeed it's _theoretically_ possible for self-signed to work.


I might not be 100% up to date on this one.


M.
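
As an added example (not from this thread or from Cisco's documentation), here is the configuration shape Marcin's two replies imply: the headend still authenticates itself with a certificate, here a self-signed one that requests the server-auth EKU, while users authenticate with EAP against the local database instead of a PSK. Trustpoint, list, pool and profile names, the hostname, the interface and the address range are placeholders, and `eku request server-auth` is assumed to be supported on the IOS release in use.

```cisco
! --- AAA: EAP user authentication and group authorization, both local ---
aaa new-model
aaa authentication login FLEX-EAP-AUTHEN local
aaa authorization network FLEX-EAP-AUTHOR local
! EAP-MD5 against the local DB needs a plain "password", not "secret"
username jdoe password 0 REPLACE-WITH-USER-PASSWORD

! --- Self-signed trustpoint: no CA, but the cert must carry server-auth EKU ---
crypto pki trustpoint FLEX-SELFSIGNED
 enrollment selfsigned
 subject-name cn=vpn.example.com
 revocation-check none
 rsakeypair FLEX-SELFSIGNED
 eku request server-auth
! then, in exec mode:  crypto pki enroll FLEX-SELFSIGNED

! --- Addresses handed to AnyConnect clients ---
ip local pool FLEX-POOL 10.10.10.1 10.10.10.100

crypto ikev2 authorization policy FLEX-AUTHOR-POLICY
 pool FLEX-POOL
 route set interface

! --- IKEv2 profile: server = rsa-sig from the trustpoint, client = EAP ---
crypto ikev2 profile FLEX-PROFILE
 match identity remote key-id *$AnyConnectClient$*
 identity local dn
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint FLEX-SELFSIGNED
 aaa authentication eap FLEX-EAP-AUTHEN
 aaa authorization group eap list FLEX-EAP-AUTHOR FLEX-AUTHOR-POLICY
 virtual-template 1

! --- IPsec and the per-client virtual access interface ---
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROFILE

interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

The self-signed certificate still has to be exported and installed as trusted on every client, so this removes the CA, not the certificate; the user credential is an EAP password, not a PSK.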

John McNumara Sun, 12/08/2013 - 14:35

Are there any guides on how to configure the certificate portion of the setup?

luelco1971 Fri, 10/17/2014 - 00:51

Hi Manumara1,


Did you manage to set this up? 

I'm looking into configuring FlexVPN and Windows' built-in IKEv2 without using a CA. I'm trying to configure this by using self-signed certificates.

Mike
