11-17-2017 02:51 PM - edited 03-12-2019 04:45 AM
I have a Cisco2921 router in which I have this IOS-c2900-universalk9-mz.SPA.154-3.M3.bin. Does this have SSL_VPN in order for me to enable anyconnect VPN for my anyconnect client? When I do "show license all", the list doesn't show SSL_VPN. Does this mean I have to separately get SSL_VPN software from Cisco website and install in my router?
Thank you for any ideas!!!
11-17-2017 03:10 PM - edited 11-17-2017 03:11 PM
Hi,
You can use command show license feature to see feature licenses.
Here is some license information for Anyconnect on IOS.
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html#anc4
br, Micke
11-17-2017 03:12 PM
Hi @sroyrster
From Cisco doc:
"SSL VPN may not list in the show license feature and show license detail commands, however it is a part of the securityk9 technology package license and need not be purchased separately."
-If I helped you somehow, please, rate it as useful.-
11-21-2017 07:41 AM
Thank you, Micke and Flavio for your reply posts.
However, I have additional questions. This is the first time I am trying to configure Cisco AnyConnect. I don't have an immediate plan to use any ASA device. I have a Cisco2921 with c2900-universalk9-mz.SPA.154-3.M3.bin and I have the anyconnect 4.3.05017.zip file which I can install in Windows 7 for the anyconnect client. I found out there are several ways to configure anyconnect - AnyConnect SSL VPN, AnyConnect with Cisco Zone Based Firewall using the router, AnyConnect over IPsec with IKEv2 and certificates. I am currently just focusing on the AnyConnect SSL VPN configuration, in which there are several steps. Below are the steps, but at this point I just have questions on step 1.
1. Upload AnyConnect Secure Mobility Client to our Cisco Router
Question: Can I upload anyconnect 4.3.05017.zip to my router, or do I need to unpack the files from this zip file and upload "anyconnect-win-4.3.05017-pre-deploy-k9.iso"? When I unzip the zip file, I have this iso file. My understanding is that this is the Windows client software that needs to be uploaded to the router. Will this version of the client package work with IOS version 15.4(3)M3?
2. Generate RSA Keys
3. Declare the Trustpoint & Create Self-Signed Certificate
4. Configure WebVPN Pool IP addresses assigned to the VPN users
5. Enable and configure AAA authentication for SSL VPN & Create user accounts
6. Enable WebVPN License
7. Configure and enable WebVPN Gateway
8. Configure and enable SSL VPN Context
9. Configure default group policy, authentication list and final parameters for WebVPN
Also, I would appreciate any recommendation by which I can quickly configure AnyConnect between my Windows 7 client and Cisco 2921 router. At this point this is just a lab exercise. That's why I am not including any FW appliance such as Cisco ASA.
Thank you for your ideas,
Romanath
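A complete IOS SSL VPN (webvpn) configuration that walks through the nine steps listed above, added here as an example; it is not from the original thread, the Cisco document linked earlier, or any post in it. The WAN address 10.225.9.99, the hostname and the 172.16.0.0/16 LAN are taken from the router configuration posted later in the thread; the pool range, key label, trustpoint, gateway, context and policy names, the package path, the sequence number, the virtual-template number and the username are assumed placeholders.

```cisco
! Step 1: the headend needs the AnyConnect *.pkg (not the zip or the iso).
! Copy it to flash first, then register it; path and sequence are assumed.
!   copy tftp://<tftp-server>/anyconnect-win-4.3.05017-k9.pkg flash:/webvpn/
webvpn install svc flash:/webvpn/anyconnect-win-4.3.05017-k9.pkg sequence 1
!
! Step 2: a dedicated 2048-bit RSA key pair for the SSL VPN certificate
crypto key generate rsa label SSLVPN_KEY modulus 2048
!
! Step 3: trustpoint with a self-signed certificate (lab only; clients will
! warn until the certificate is imported or replaced by a CA-signed one)
crypto pki trustpoint SSLVPN_TP
 enrollment selfsigned
 subject-name cn=ifs_rtr.dlite.com
 revocation-check none
 rsakeypair SSLVPN_KEY
crypto pki enroll SSLVPN_TP
!
! Step 4: addresses handed to connected AnyConnect users (assumed range)
ip local pool SSLVPN_POOL 10.225.8.200 10.225.8.220
!
! Step 5: local AAA for the lab; replace the placeholder secret, and point the
! list at RADIUS/TACACS+ outside the lab
aaa new-model
aaa authentication login SSLVPN_AUTH local
username vpnuser secret <password-placeholder>
!
! Step 6: this image has no separate SSL_VPN license; securityk9 covers it.
! Verify with: show license feature
!
! Interface the context hands client traffic to (assumed number; the posted
! config already uses Virtual-Template1 for IKEv2, so a second one is used)
interface Virtual-Template2
 ip unnumbered GigabitEthernet0/1
!
! Step 7: gateway on the WAN address, TLS on 443, presenting the trustpoint
webvpn gateway SSLVPN_GW
 ip address 10.225.9.99 port 443
 ssl trustpoint SSLVPN_TP
 inservice
!
! Steps 8 and 9: context, authentication list and default group policy
webvpn context SSLVPN_CTX
 gateway SSLVPN_GW
 virtual-template 2
 aaa authentication list SSLVPN_AUTH
 policy group SSLVPN_POLICY
  functions svc-enabled
  svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
  svc keep-client-installed
  svc split include 172.16.0.0 255.255.0.0
 default-group-policy SSLVPN_POLICY
 inservice
```

After applying this, `show webvpn install status svc` confirms the package was registered, `show webvpn gateway` / `show webvpn context` confirm both are in service, and the Windows client connects to https://10.225.9.99/ with the AnyConnect client (or downloads it from that page, which is what the pkg on the router is for). The split-include line limits the tunnel to the 172.16.0.0/16 LAN behind GigabitEthernet0/0; drop it if the lab is meant to test full-tunnel behaviour.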
11-21-2017 08:01 AM
The zip file and its included iso file are used if you want to install the AnyConnect client on a PC off line. This is not what you need to upload to the router. What you need on the router is the pkg file which allows the client to load to the PC using the network connection.
HTH
Rick
11-21-2017 08:10 AM
Thank you, Rick.
So, if I run "setup.exe" after unzipping the zip file, it will install the AnyConnect client on my Windows laptop. Is that right? But do I still need to install the pkg file in the router? Do I need to download that pkg file separately from the Cisco website and install it in the router?
Thank you,
Romanath
11-21-2017 02:17 PM
Romanath
Yes, I believe that if you run setup.exe it will install the AnyConnect client on your Windows PC. I would suggest that you download the pkg file from the Cisco web site and load it on your router. I have installed AnyConnect on many ASAs and on several IOS routers. I have never installed AnyConnect without loading the pkg file on the router/ASA. I suggest this for several reasons:
- it makes it easier to install the AnyConnect client on additional PCs.
- it makes it easier to upgrade versions when a new version of the client comes out with a feature that you want. You would just load the new version of the pkg file on the router, update the config to point at the new version, and PCs will automatically upgrade the AnyConnect version the next time that AnyConnect from the PC connects to your router.
- while it is possible that SSL VPN might run on the router with no pkg file, it is also possible that IOS would regard it as an invalid install and not run without a pkg file. I would rather not take that chance.
HTH
Rick
12-13-2017 07:33 AM
Thank you, everyone, for the exchange of ideas on my effort to configure AnyConnect. Let me again explain my current status. I have a Cisco 2921 router where I have configured IPsec based VPN with IKEv2. Also, I am using this router as a Certificate Authority server. I found this configuration has created two cert files:
IOS-Self-Sig#1.cer and ifs_rtrdlite#1CA.cer under nvram: . I imported these cert files into a Dell laptop Windows 7 client in which I have configured the anyconnect client with a profile. In Windows 7 I have installed ifs_rtrdlite#1CA.cer in the trusted certificates folder, but I am not sure where I need to install the IOS-Self-Sig#1.cer file. I consider ifs_rtrdlite#1CA.cer as the CA root certificate and IOS-Self-Sig#1.cer as the CA server certificate. Am I right? Right now I feel like I need to be able to generate a private key from the Windows 7 client (aka anyconnect client) which will then be used to request and retrieve a signed certificate from the CA server in order for the IPsec VPN to be turned on. I have not done that yet. Can you please suggest what is the best way the Windows 7 client can retrieve a certificate from the CA server (in my case it is the router) that will then turn on the IPsec VPN (Virtual-Template1 tunnel)?
Below is my router configuration:
Building configuration...
Current configuration : 4587 bytes
!
!
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ifs_rtr
!
boot-start-marker
boot-end-marker
!
!
enable password dlite
!
no aaa new-model
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki server DLITE
database level complete
database archive pem password 7 00071A1507545A545C
issuer-name cn=ifs_rtr.dlite.com,ou=TAC,o=dlite
grant auto rollover ca-cert
grant auto
eku server-auth client-auth
!
crypto pki trustpoint DLITE
enrollment terminal
serial-number
subject-name cn=ifs_rtr.dlite.com,ou=TAC,o=dlite
revocation-check none
rsakeypair DLITE
!
!
!
crypto pki certificate map CMAP 10
subject-name co dlite
!
crypto pki certificate chain DLITE
certificate ca 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
3A310E30 0C060355 040A1305 646C6974 65310C30 0A060355 040B1303 54414331
:
:
quit
license udi pid CISCO2921/K9 sn FJC2035A10E
!
!
!
redundancy
crypto ikev2 authorization policy AUTHORIZATION_POLICY
pool VPN_POOL
netmask 255.255.255.248
!
no crypto ikev2 authorization policy default
!
crypto ikev2 proposal IKE_PROPOSAL
encryption 3des aes-cbc-128
integrity sha1
group 20
!
!
crypto ikev2 policy IKE_POLICY
proposal IKE_PROPOSAL
no crypto ikev2 policy default
!
!
crypto ikev2 profile IKE_PROFILE
match fvrf any
match certificate CMAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint DLITE
dpd 60 60 on-demand
aaa authorization group cert list default AUTHORIZATION_POLICY
virtual-template 1
!
no crypto ikev2 http-url cert
!
!
!
!
crypto ipsec security-association lifetime seconds 28800
!
no crypto ipsec transform-set default
crypto ipsec transform-set IFS_BAL esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set IFS_BAL
set ikev2-profile IKE_PROFILE
!
no crypto ipsec profile default
!
!
!
interface Loopback0
ip address 10.225.0.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Connection to the IFS Stack
ip address 172.16.1.1 255.255.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Connection to the BAL Radio (WAN)
ip address 10.225.9.99 255.255.255.248
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Virtual-Template1 type tunnel
description IPSEC VPN interface
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Vlan1
no ip address
!
ip local pool VPN_POOL 10.225.8.203
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.225.9.97
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
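A router-side enrollment session for the certificate question in the post above, added here as an example; it is not from the thread or from Cisco's documentation. It assumes the CA exactly as posted (crypto pki server DLITE with grant auto and eku server-auth client-auth) and that the Windows 7 host has already generated its own private key and a PKCS#10 request (for instance with certreq or openssl); the request body and the request id are placeholders.

```cisco
! Exec-mode session on the CA router (ifs_rtr).
!
! 1. Confirm the CA is enabled before accepting requests
ifs_rtr# show crypto pki server
!
! 2. Submit the client's PKCS#10 request at the terminal. The router asks for
!    the base64/PEM request; paste it and end the input with "quit".
!    Because the CA has "grant auto", the request is signed immediately and
!    the certificate is printed in PEM form for transfer to the client.
ifs_rtr# crypto pki server DLITE request pkcs10 terminal pem
-----BEGIN CERTIFICATE REQUEST-----
<base64 PKCS#10 generated on the Windows 7 client: placeholder>
-----END CERTIFICATE REQUEST-----
quit
!
! 3. Only needed if "grant auto" is later removed: review pending requests
!    and grant a specific one by its id (placeholder id shown)
ifs_rtr# crypto pki server DLITE info requests
ifs_rtr# crypto pki server DLITE grant 2
!
! 4. Check what the CA has issued so far
ifs_rtr# crypto pki server DLITE info requests
```

Two checks against the posted configuration before testing the IKEv2 tunnel: the subject name in the client's request must contain the string "dlite", because the IKEv2 profile selects peers with `match certificate CMAP` and that map matches `subject-name co dlite`; and the issued certificate goes into the user's Personal store on the Windows host, with the CA certificate in Trusted Root, so AnyConnect can present the client certificate and validate the router's certificate, which is signed by the same CA.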