Configuring anyconnect just for lab test

sroyrster
Level 1

I have a Cisco 2921 router in which I have this IOS image, c2900-universalk9-mz.SPA.154-3.M3.bin. Does this have SSL_VPN in order for me to enable AnyConnect VPN for my AnyConnect client? When I do "show license all", the list doesn't show SSL_VPN. Does this mean I have to separately get the SSL_VPN software from the Cisco website and install it in my router?

Thank you for any ideas!!!

7 Replies

mikael.lahtela
Level 4

Hi,

You can use the command show license feature to see feature licenses.
Here is some license information for AnyConnect on IOS:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html#anc4

br, Micke

Hi @sroyrster

From the Cisco doc:

"SSL VPN may not list in the show license feature and show license detail commands, however it is a part of the securityk9 technology package license and need not be purchased separately."

-If I helped you somehow, please, rate it as useful.-

Thank you, Micke and Flavio, for your reply posts.

However, I have additional questions. This is the first time I am trying to configure Cisco AnyConnect. I don't have an immediate plan to use any ASA device. I have a Cisco 2921 with c2900-universalk9-mz.SPA.154-3.M3.bin and I have the anyconnect 4.3.05017.zip file, which I can install in Windows 7 for the AnyConnect client. I found out there are several ways to configure AnyConnect: AnyConnect SSL VPN, AnyConnect with Cisco Zone Based Firewall using the router, and AnyConnect over IPsec with IKEv2 and certificates. I am currently just focusing on the AnyConnect SSL VPN configuration, which has several steps, listed below. But at this point I just have questions on step 1.

1. Upload AnyConnect Secure Mobility Client to our Cisco Router

   Question: Can I upload anyconnect 4.3.05017.zip to my router, or do I need to unpack the files from this zip file and upload "anyconnect-win-4.3.05017-pre-deploy-k9.iso"? When I unzip the zip file, I have this iso file. My understanding is that this is the Windows client software that needs to be uploaded to the router. Will this version of the client package work with IOS version 15.4(3)M3?

2. Generate RSA Keys

3. Declare the Trustpoint & Create Self-Signed Certificate

4. Configure WebVPN Pool IP addresses assigned to the VPN users

5. Enable and configure AAA authentication for SSL VPN & Create user accounts

6. Enable WebVPN License

7. Configure and enable WebVPN Gateway

8. Configure and enable SSL VPN Context

9. Configure default group policy, authentication list and final parameters for WebVPN

Also, if you happen to have any recommendation by which I can quickly configure AnyConnect between my Windows 7 client and the Cisco 2921 router. At this point this is just a lab exercise. That's why I am not including any FW appliance such as a Cisco ASA.

Thank you for your ideas,

Romanath
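A worked IOS configuration for steps 2 through 9 above, plus the pkg upload that Rick's reply describes, added here as an example; it is not taken from the original thread, the pasted running-config, or Cisco's documentation. It reuses the router's WAN address and certificate subject name from the config posted later in the thread; the SSLVPN_* names, the pool range, the username and the pkg filename are assumed placeholders. All lines are global configuration mode except crypto pki enroll, which is entered in privileged EXEC.

```cisco-ios
! Step 2: RSA key pair for the TLS server certificate (2048-bit minimum)
crypto key generate rsa label SSLVPN_KEY modulus 2048
!
! Step 3: trustpoint with a self-signed certificate (subject taken from the posted config)
crypto pki trustpoint SSLVPN_TP
 enrollment selfsigned
 subject-name cn=ifs_rtr.dlite.com,ou=TAC,o=dlite
 rsakeypair SSLVPN_KEY
!
! privileged EXEC, not config mode: generates the self-signed certificate
crypto pki enroll SSLVPN_TP
!
! Step 4: addresses handed to connected clients (constructed lab range,
! outside the Gi0/1 WAN subnet 10.225.9.96/29)
ip local pool SSLVPN_POOL 10.225.8.210 10.225.8.220
!
! Step 5: local AAA for the SSL VPN login. The posted config has
! "no aaa new-model", so AAA must be turned on first. Use "secret", never
! "password", and replace the placeholder with a strong value.
aaa new-model
aaa authentication login SSLVPN_AUTH local
username vpnuser secret <strong-password-here>
!
! Step 6: on this platform SSL VPN is part of the securityk9 technology
! package (see the Cisco doc quoted above); no separate SSL_VPN license.
!
! Step 1 / pkg: the client package served to the PC on first connection and
! used for automatic client upgrades (placeholder filename)
webvpn install svc flash:/anyconnect-win-X.Y.Z-k9.pkg sequence 1
!
! Step 7: gateway on the WAN address, TLS bound to the trustpoint
webvpn gateway SSLVPN_GW
 ip address 10.225.9.99 port 443
 ssl trustpoint SSLVPN_TP
 inservice
!
! Steps 8 and 9: context, default group policy and authentication list
webvpn context SSLVPN_CTX
 aaa authentication list SSLVPN_AUTH
 gateway SSLVPN_GW
 ssl authenticate verify all
 policy group SSLVPN_POLICY
  functions svc-enabled
  svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
  svc keep-client-installed
  ! split tunnel: only the LAN behind Gi0/0 goes through the VPN
  svc split include 172.16.0.0 255.255.0.0
 default-group-policy SSLVPN_POLICY
 inservice
```

Check the result with show webvpn install package svc, show webvpn gateway and show webvpn context before testing from the Windows client; a missing or mis-named pkg file shows up in the first of these.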

The zip file and its included iso file are used if you want to install the AnyConnect client on a PC offline. This is not what you need to upload to the router. What you need on the router is the pkg file, which allows the client to load to the PC using the network connection.

HTH

Rick

Thank you, Rick.

So, if I run "setup.exe" after unzipping the zip file, it will install the AnyConnect client in my Windows laptop. Is that right? But do I still need to install the pkg file in the router? Do I need to download that pkg file separately from the Cisco website and install it in the router?

Thank you,

Romanath

Romanath

Yes, I believe that if you run setup.exe it will install the AnyConnect client on your Windows PC. I would suggest that you download the pkg file from the Cisco web site and load it on your router. I have installed AnyConnect on many ASAs and on several IOS routers. I have never installed AnyConnect without loading the pkg file on the router/ASA. I suggest this for several reasons:

- it makes it easier to install the AnyConnect client on additional PCs.

- it makes it easier to upgrade versions when a new version of the client comes out with a feature that you want. You would just load the new version of the pkg file on the router, update the config to point at the new version, and PCs will automatically upgrade the AnyConnect version the next time that AnyConnect from the PC connects to your router.

- while it is possible that SSL VPN might run on the router with no pkg file, it is also possible that IOS would regard it as an invalid install and not run without a pkg file. I would rather not take that chance.

HTH

Rick

Thank you, everyone, for the exchange of ideas on my effort to configure AnyConnect. Let me again explain my current status. I have a Cisco 2921 router where I have configured IPsec based VPN with IKEv2. Also, I am using this router as the Certificate Authority server. I found this configuration has created two cert files:

IOS-Self-Sig#1.cer and ifs_rtrdlite#1CA.cer under nvram: . I imported these cert files into a Dell laptop Windows 7 client in which I have configured the AnyConnect client with a profile. In Windows 7 I have installed ifs_rtrdlite#1CA.cer in the trusted certificates folder, but I am not sure where I need to install the IOS-Self-Sig#1.cer file. I consider ifs_rtrdlite#1CA.cer as the CA root certificate and IOS-Self-Sig#1.cer as the CA server certificate. Am I right? Right now I feel like I need to be able to generate a private key from the Windows 7 client (aka AnyConnect client) which will then be used to request and retrieve a signed certificate from the CA server in order for the IPsec VPN to be turned on. I have not done that yet. Can you please suggest what is the best way the Windows 7 client can retrieve a certificate from the CA server (in my case it is the router) that will then turn on the IPsec VPN (Virtual-Template1 tunnel)?

Below is my router configuration:

Building configuration...

Current configuration : 4587 bytes
!
!
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ifs_rtr
!
boot-start-marker
boot-end-marker
!
!
enable password dlite
!
no aaa new-model
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki server DLITE
 database level complete
 database archive pem password 7 00071A1507545A545C
 issuer-name cn=ifs_rtr.dlite.com,ou=TAC,o=dlite
 grant auto rollover ca-cert
 grant auto
 eku server-auth client-auth
!
crypto pki trustpoint DLITE
 enrollment terminal
 serial-number
 subject-name cn=ifs_rtr.dlite.com,ou=TAC,o=dlite
 revocation-check none
 rsakeypair DLITE
!
!
!
crypto pki certificate map CMAP 10
 subject-name co dlite
!
crypto pki certificate chain DLITE
 certificate ca 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  3A310E30 0C060355 040A1305 646C6974 65310C30 0A060355 040B1303 54414331
  :
  :
  quit
license udi pid CISCO2921/K9 sn FJC2035A10E
!
!
!
redundancy
crypto ikev2 authorization policy AUTHORIZATION_POLICY
 pool VPN_POOL
 netmask 255.255.255.248
!
no crypto ikev2 authorization policy default
!
crypto ikev2 proposal IKE_PROPOSAL
 encryption 3des aes-cbc-128
 integrity sha1
 group 20
!
!
crypto ikev2 policy IKE_POLICY
 proposal IKE_PROPOSAL
no crypto ikev2 policy default
!
!
crypto ikev2 profile IKE_PROFILE
 match fvrf any
 match certificate CMAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint DLITE
 dpd 60 60 on-demand
 aaa authorization group cert list default AUTHORIZATION_POLICY
 virtual-template 1
!
no crypto ikev2 http-url cert
!
!
!
!
crypto ipsec security-association lifetime seconds 28800
!
no crypto ipsec transform-set default
crypto ipsec transform-set IFS_BAL esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set IFS_BAL
 set ikev2-profile IKE_PROFILE
!
no crypto ipsec profile default
!
!
!
interface Loopback0
 ip address 10.225.0.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Connection to the IFS Stack
 ip address 172.16.1.1 255.255.0.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Connection to the BAL Radio (WAN)
 ip address 10.225.9.99 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Virtual-Template1 type tunnel
 description IPSEC VPN interface
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface Vlan1
 no ip address
!
ip local pool VPN_POOL 10.225.8.203
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.225.9.97
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input none
!
scheduler allocate 20000 1000
!
end
