12-07-2013 01:35 PM - edited 02-21-2020 07:22 PM
Hello,
My goal is to create a configuration utilizing FlexVPN and the AnyConnect client without using certificates.
In referencing these documents (http://www.cisco.com/en/US/products/ps12922/products_tech_note09186a0080bde100.shtml, https://supportforums.cisco.com/docs/DOC-28511), I noticed each guide is referring to EAP, which requires the use of certificates. We are fine with using PSKs.
Can somebody please share an example of how to configure an ISR G2 router with FlexVPN that will support connecting with an AnyConnect client (Win 8, 7, XP, iOS, Android) without the use of certificates, with either local DB authentication or RADIUS?
Thank you
12-07-2013 02:27 PM
John,
We've had a similar discussion a week back or so.
The gist of it:
The IKEv2 RFC mandates that if you're using EAP, you will have to use a public key based mechanism to authenticate the server to the user.
AC will not work with PSK. (Even though one could conceive of the client using certs and PSK being used on the headend.)
M.
12-07-2013 04:19 PM
Thanks for the response. Is there any way to use a self-signed certificate?
12-08-2013 12:33 AM
John,
The problem is getting an EKU/KU on the certificate. If you can craft it and make sure it's trusted by all the clients, indeed it's _theoretically_ possible for self-signed to work.
I might not be 100% up to date on this one.
M.
12-08-2013 02:35 PM
Are there any guides on how to configure the certificate-portion of the setup?
12-09-2013 12:59 AM
John,
I've only submitted one for IOS CA.
EJBCA and MS CA (2008) is what we tested in practice.
The author of http://www.cisco.com/en/US/products/ps12922/products_configuration_example09186a0080bee100.shtml used: http://technet.microsoft.com/en-us/library/ff829847%28v=ws.10%29.aspx
M.
10-17-2014 12:51 AM
Hi Manumara1,
Did you manage to set this up?
I'm looking into configuring FlexVPN and Windows built-in IKEv2 without using a CA. I'm trying to configure this by using self-signed certificates.
Mike