Configuring Certificate-less FlexVPN for AnyConnect

Hello,

My goal is to create a configuration utilizing FlexVPN and the AnyConnect client without using certificates.

In referencing these documents (http://www.cisco.com/en/US/products/ps12922/products_tech_note09186a0080bde100.shtml?referring_site=smartnavRD, http://www.cisco.com/en/US/products/ps12922/products_tech_note09186a0080bde100.shtml, https://supportforums.cisco.com/docs/DOC-28511), I noticed each guide is referring to EAP, which requires the use of certificates. We are fine with using PSKs.

Can somebody please share an example of how to configure an ISR G2 router with FlexVPN that will support connecting with an AnyConnect client (Win 8, 7, XP, iOS, Android) without the use of certificates, with either local DB authentication or RADIUS?

Thank you

6 REPLIES
Cisco Employee

Configuring Certificate-less FlexVPN for AnyConnect

John,

We've had a similar discussion a week or so back.

The gist of it:

The IKEv2 RFC mandates that if you're using EAP, you have to use a public-key-based mechanism to authenticate the server to the user.

AC will not work with PSK. (Even though one could conceive of the client using certs and PSK being used on the headend.)

M.

New Member

Configuring Certificate-less FlexVPN for AnyConnect

Thanks for the response. Is there any way to use a self-signed certificate?

Cisco Employee

Configuring Certificate-less FlexVPN for AnyConnect

John,

The problem is getting an EKU/KU on the certificate. If you can craft it and make sure it's trusted by all the clients, indeed it's _theoretically_ possible for self-signed to work.

I might not be 100% up to date on this one.

M.
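The two replies above make one point: with EAP, the IKEv2 server must authenticate with a certificate, and for a self-signed certificate to be usable the KeyUsage (KU) and ExtendedKeyUsage (EKU) extensions have to be present and correct. The following is an added example, not code from the thread or from Cisco: a stdlib-only DER walker that extracts KU and EKU from an X.509 Extensions blob and reports what a chosen profile still lacks, so a crafted certificate can be checked before it is loaded on the headend. The sample Extensions values are constructed inline with a small DER encoder, and the "required" EKU/KU set passed to `missing_for_profile` is an assumption for the demonstration, not a statement of what AnyConnect or IOS actually enforces.

```python
"""Stdlib-only KU/EKU inspector for X.509 Extensions DER (added example)."""
from typing import Dict, List, Tuple

OID_KU = "2.5.29.15"    # id-ce-keyUsage
OID_EKU = "2.5.29.37"   # id-ce-extKeyUsage
KU_BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                "encipherOnly", "decipherOnly"]
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth",
             "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.8.2.2": "ikeIntermediate"}

# ---- minimal DER encoder, used only to build the constructed samples ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit = "more"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def build_sample_extensions(ku_names: List[str], eku_oids: List[str]) -> bytes:
    """Constructed sample: KeyUsage (marked critical) + ExtendedKeyUsage."""
    bits = 0
    for name in ku_names:
        bits |= 0x80 >> KU_BIT_NAMES.index(name)   # first octet of the BIT STRING
    unused = 0
    while bits and not (bits >> unused) & 1:       # DER: count unused low bits
        unused += 1
    ku_ext = tlv(0x30, encode_oid(OID_KU) + tlv(0x01, b"\xff")
                 + tlv(0x04, tlv(0x03, bytes([unused, bits]))))
    eku_ext = tlv(0x30, encode_oid(OID_EKU)
                  + tlv(0x04, tlv(0x30, b"".join(encode_oid(o) for o in eku_oids))))
    return tlv(0x30, ku_ext + eku_ext)

# ---- minimal DER decoder ----
def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_key_usage(bitstr: bytes) -> List[str]:
    bits = bitstr[1:]                          # skip the unused-bits octet
    return [name for i, name in enumerate(KU_BIT_NAMES)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))]

def parse_extensions(ext_der: bytes) -> Dict[str, object]:
    """Walk an Extensions SEQUENCE; return KU names, EKU names, criticality."""
    tag, body, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    found: Dict[str, object] = {"ku": [], "eku": [], "critical": {}}
    pos = 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_raw, p = read_tlv(ext, 0)
        oid = decode_oid(oid_raw)
        t, val, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                          # optional BOOLEAN critical
            critical, (t, val, p) = val != b"\x00", read_tlv(ext, p)
        if oid == OID_KU:                      # val = OCTET STRING content
            _, bits, _ = read_tlv(val, 0)
            found["ku"] = decode_key_usage(bits)
        elif oid == OID_EKU:
            _, seq, _ = read_tlv(val, 0)
            q = 0
            while q < len(seq):
                _, o, q = read_tlv(seq, q)
                found["eku"].append(EKU_NAMES.get(decode_oid(o), decode_oid(o)))
        found["critical"][oid] = critical
    return found

def missing_for_profile(ext_der: bytes, required_eku: List[str],
                        required_ku: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing EKU names, missing KU names) for an assumed profile."""
    found = parse_extensions(ext_der)
    return (sorted(set(required_eku) - set(found["eku"])),
            sorted(set(required_ku) - set(found["ku"])))

# Constructed samples: one carrying serverAuth + clientAuth, one with only clientAuth.
SAMPLE_OK = build_sample_extensions(["digitalSignature", "keyEncipherment"],
                                    ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"])
SAMPLE_WEAK = build_sample_extensions(["digitalSignature"], ["1.3.6.1.5.5.7.3.2"])
```

The DER helpers are only as general as the sample needs (short and long lengths, no indefinite-length encoding), so feed it the `Extensions` sequence you have extracted from a certificate rather than the whole certificate. The value in the check is that it makes the "EKU/KU must be on the cert" requirement something you verify mechanically before distributing a self-signed certificate to clients.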

New Member

Configuring Certificate-less FlexVPN for AnyConnect

Are there any guides on how to configure the certificate portion of the setup?

Cisco Employee

Configuring Certificate-less FlexVPN for AnyConnect

John,

I've only submitted one for IOS CA.

EJBCA and MS CA (2008) are what we tested in practice.

The author of http://www.cisco.com/en/US/products/ps12922/products_configuration_example09186a0080bee100.shtml used: http://technet.microsoft.com/en-us/library/ff829847%28v=ws.10%29.aspx

M.

New Member

Hi Manumara1, Did you manage

Hi Manumara1,

Did you manage to set this up?

I'm looking into configuring FlexVPN and the Windows built-in IKEv2 client without using a CA. I'm trying to configure this using self-signed certificates.

Mike
