Configuring Certificate-less FlexVPN for AnyConnect

John McNumara
Level 1

Hello,

My goal is to create a configuration utilizing FlexVPN and the AnyConnect client without using certificates.

In referencing these documents:

http://www.cisco.com/en/US/products/ps12922/products_tech_note09186a0080bde100.shtml?referring_site=smartnavRD

http://www.cisco.com/en/US/products/ps12922/products_tech_note09186a0080bde100.shtml

https://supportforums.cisco.com/docs/DOC-28511

I noticed each guide refers to EAP, which requires the use of certificates. We are fine with using PSKs.

Can somebody please share an example of how to configure an ISR G2 router with FlexVPN that will support connecting with an AnyConnect client (Win 8, 7, XP, iOS, Android) without the use of certificates, with either local DB authentication or RADIUS?

Thank you


6 Replies

Marcin Latosiewicz
Cisco Employee

John,

We've had a similar discussion a week or so back.

The gist of it:

The IKEv2 RFC mandates that if you're using EAP, you have to use a public-key-based mechanism to authenticate the server to the user.

AC will not work with PSK. (Even though one could conceive of the client using certs and PSK being used on the headend.)

M.
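The constraint Marcin describes (EAP on the client side forces a signature-based, i.e. certificate-based, authentication on the gateway side; see RFC 7296 section 2.16) is easy to check for in an IOS running-config. The following is an added example, not code from the thread or from Cisco: a small linter that walks each `crypto ikev2 profile` block and flags a profile that pairs `authentication remote eap` with `authentication local pre-share` or with no `pki trustpoint`. The profile names and the sample config are constructed for the example; the sub-commands are standard IOS IKEv2 profile syntax.

```python
"""
Lint IOS IKEv2 profiles for the EAP/PSK mismatch discussed in the thread.

RFC 7296 section 2.16: when the client (initiator) authenticates with EAP,
the gateway (responder) must authenticate itself with a public-key signature.
On IOS that means a profile with 'authentication remote eap ...' needs
'authentication local rsa-sig' (or ecdsa-sig) and a 'pki trustpoint',
not 'authentication local pre-share'. Plain PSK-to-PSK profiles are fine.
"""
import re

SIGNATURE_METHODS = {"rsa-sig", "ecdsa-sig"}


def parse_ikev2_profiles(config: str) -> dict:
    """Return {profile_name: {"local": set, "remote": set, "trustpoints": set}}.

    IOS indents sub-commands of a profile by one space; a line at column 0
    ends the current profile block.
    """
    profiles = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue
        m = re.match(r"crypto ikev2 profile (\S+)$", line)
        if m:
            current = m.group(1)
            profiles[current] = {"local": set(), "remote": set(), "trustpoints": set()}
            continue
        if not line.startswith(" "):
            current = None  # left the profile block
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[:2] == ["authentication", "local"] and len(tokens) >= 3:
            profiles[current]["local"].add(tokens[2])
        elif tokens[:2] == ["authentication", "remote"] and len(tokens) >= 3:
            profiles[current]["remote"].add(tokens[2])
        elif tokens[:2] == ["pki", "trustpoint"] and len(tokens) >= 3:
            profiles[current]["trustpoints"].add(tokens[2])
    return profiles


def lint_profile(name: str, p: dict) -> list:
    """Findings for one parsed profile; empty list means no EAP/PSK conflict."""
    findings = []
    if "eap" in p["remote"]:
        if not p["local"] & SIGNATURE_METHODS:
            findings.append(
                f"{name}: remote EAP requires 'authentication local rsa-sig' or "
                f"'ecdsa-sig' (RFC 7296 s2.16); found {sorted(p['local']) or 'none'}"
            )
        if not p["trustpoints"]:
            findings.append(
                f"{name}: no 'pki trustpoint' bound; the gateway has no certificate to present"
            )
    return findings


def lint(config: str) -> list:
    findings = []
    for name, p in parse_ikev2_profiles(config).items():
        findings.extend(lint_profile(name, p))
    return findings


# Constructed sample config (not from the thread): one legitimate PSK
# site-to-site profile, one AnyConnect profile that tries PSK + EAP, and
# the corrected AnyConnect profile using a trustpoint.
SAMPLE_CONFIG = """\
crypto ikev2 profile S2S-PSK
 match identity remote address 192.0.2.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local S2S-KEYS
!
crypto ikev2 profile AC-PSK-BROKEN
 match identity remote key-id *
 authentication remote eap query-identity
 authentication local pre-share
 keyring local AC-KEYS
 virtual-template 1
!
crypto ikev2 profile AC-CERT-OK
 match identity remote key-id *
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint FLEX-TP
 virtual-template 1
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, only the AC-PSK-BROKEN profile is reported (twice: wrong local method and no trustpoint); the PSK site-to-site profile is left alone because PSK on both sides is a valid IKEv2 combination. Feeding `show running-config | section crypto ikev2 profile` output to `lint()` works the same way.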

Thanks for the response. Is there any way to use a self-signed certificate?

John,

The problem is getting an EKU/KU on the certificate. If you can craft it and make sure it's trusted by all the clients, indeed it's _theoretically_ possible for self-signed to work.

I might not be 100% up to date on this one.

M.

Are there any guides on how to configure the certificate portion of the setup?

John,

I've only submitted one for IOS CA.

EJBCA and MS CA (2008) are what we tested in practice.

The author of

http://www.cisco.com/en/US/products/ps12922/products_configuration_example09186a0080bee100.shtml

used:

http://technet.microsoft.com/en-us/library/ff829847%28v=ws.10%29.aspx

M.

luelco1971
Level 1

Hi Manumara1,

Did you manage to set this up?

I'm looking into configuring FlexVPN and the Windows built-in IKEv2 client without using a CA. I'm trying to configure this by using self-signed certificates.

Mike
