10-20-2017 05:35 AM - edited 03-12-2019 04:38 AM
There is a Cisco ASR1001 router with FlexVPN IKEv2 remote access server configured:
aaa authentication login VPN-IKEv2 group FreeRADIUS
!
crypto ikev2 profile VPN-IKEv2
 match identity remote address 0.0.0.0
 identity local fqdn vpn.domain.local
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint VPN-CA
 aaa authentication eap VPN-IKEv2
 aaa authorization user eap cached
 aaa accounting eap VPN-IKEv2
 virtual-template 1
!
crypto ipsec transform-set VPN-IKEv2 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VPN-IKEv2
 set transform-set VPN-IKEv2
 set ikev2-profile VPN-IKEv2
!
interface Virtual-Template1 type tunnel
 vrf forwarding WAN
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IKEv2
!
FreeRADIUS configuration:
vpn_user Cleartext-Password := "vpn_password"
        Cisco-AVPair = "ipsec:dns-servers=x.x.x.x y.y.y.y",
        Framed-IP-Address = "10.10.0.10"
When a user connects, all of his traffic gets encrypted and sent over the IPsec tunnel because of the local traffic selector 0.0.0.0/0:
asr1001#show crypto ikev2 session
 IPv4 Crypto IKEv2 Session

Session-id:58, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         x.x.x.x/4500          y.y.y.y/44910         none/WAN             READY
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/7 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.10.0.10/0 - 10.10.0.10/65535
          ESP spi in/out: 0xF48211CB/0xDA881E9B
Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1
On Windows it could be fixed by clearing the check-box "Use default gateway on remote network". But there is no such check-box on GNOME/Linux and Android. And Apple devices could not connect at all.
Is it possible to configure the traffic selector 10.0.0.0/8 instead of 0.0.0.0/0?
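The question above is really about which traffic selector the headend negotiates for each remote-access child SA: 0.0.0.0/0 means every packet from the client is forced through the tunnel, a narrower selector means split tunnelling. As an added example that is not part of the original post and not Cisco code, the Python below parses a constructed sample of `show crypto ikev2 session` output (modelled on the format quoted above, with made-up addresses and SPIs) and reports, per session, whether the local selector is full-tunnel, within an expected split-tunnel range, or something unexpected. Note that in this output the number after the slash in a selector is a port, not a prefix length, so `0.0.0.0/0 - 255.255.255.255/65535` is "all addresses, all ports"; the code converts the address range to CIDR before judging it.

```python
import ipaddress
import re

# Constructed sample output (addresses, SPIs and session ids are made up).
SAMPLE_OUTPUT = """\
IPv4 Crypto IKEv2 Session

Session-id:58, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.0.2.1/4500        198.51.100.7/44910    none/WAN             READY
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/7 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.10.0.10/0 - 10.10.0.10/65535
          ESP spi in/out: 0x11111111/0x22222222
Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.0.2.1/4500        203.0.113.9/51230     none/WAN             READY
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/120 sec
Child sa: local selector  10.0.0.0/0 - 10.255.255.255/65535
          remote selector 10.10.0.11/0 - 10.10.0.11/65535
          ESP spi in/out: 0x33333333/0x44444444
"""

# One "Session-id:" line starts each session block.
SESSION_RE = re.compile(r"^Session-id:(\d+),", re.M)
# "<side> selector A/port - B/port": the "/N" is a port, not a prefix length.
SELECTOR_RE = re.compile(r"(local|remote) selector\s+(\S+?)/(\d+) - (\S+?)/(\d+)")


def range_to_networks(first, last):
    """Collapse an address range (as shown by IOS) into a list of CIDR strings."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def parse_sessions(text):
    """Return one dict per session: session_id, local and remote selector networks."""
    # re.split with a capturing group yields [banner, id1, body1, id2, body2, ...]
    chunks = SESSION_RE.split(text)
    sessions = []
    for i in range(1, len(chunks), 2):
        entry = {"session_id": int(chunks[i]), "local": [], "remote": []}
        for side, first, _fport, last, _lport in SELECTOR_RE.findall(chunks[i + 1]):
            entry[side] = range_to_networks(first, last)
        sessions.append(entry)
    return sessions


def audit(text, allowed):
    """Classify each session's local selector.

    allowed: CIDR strings the split-tunnel selector is expected to stay within
    (e.g. ["10.0.0.0/8"], the range asked about in the post).
    Returns (session_id, local_networks, verdict) tuples.
    """
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    report = []
    for s in parse_sessions(text):
        nets = [ipaddress.ip_network(n) for n in s["local"]]
        if not nets or any(n.prefixlen == 0 for n in nets):
            verdict = "FULL-TUNNEL"      # 0.0.0.0/0: every client packet goes over IPsec
        elif all(any(n.subnet_of(a) for a in allowed_nets) for n in nets):
            verdict = "SPLIT-OK"         # selector narrowed to the expected range
        else:
            verdict = "UNEXPECTED"       # narrowed, but not to the range we expect
        report.append((s["session_id"], s["local"], verdict))
    return report


if __name__ == "__main__":
    for sid, nets, verdict in audit(SAMPLE_OUTPUT, ["10.0.0.0/8"]):
        print(f"session {sid}: local selector {', '.join(nets)} -> {verdict}")
```

Pipe the real `show crypto ikev2 session` output in place of the constructed sample to check, after changing the authorization policy, that new sessions negotiate the narrowed selector rather than 0.0.0.0/0.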
10-20-2017 09:19 AM
How about you configure a local authorisation policy to push down the routes to the client?
10-20-2017 11:51 AM
10-20-2017 12:01 PM - edited 10-20-2017 12:02 PM
Yes you can use that command. I use the commands below successfully on my router (although not exactly the same configuration as yours, I see no reason why it would not work with some tweaks).
crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group cert list default IKEV2_AUTHZ
!
crypto ikev2 authorization policy IKEV2_AUTHZ
 route set remote ipv4 192.168.10.0 255.255.255.0
 route set remote ipv4 192.168.11.0 255.255.255.0
10-21-2017 02:20 AM
Curiously, I have the option local instead of remote:
asr1001(config)#crypto ikev2 authorization policy VPN-IKEv2
asr1001(config-ikev2-author-policy)#route set ?
  access-list  Specify the route access-list
  interface    Specify the route interface
  local        Specify route set local parameters
asr1001(config-ikev2-author-policy)#
And with the following configuration I could not connect at all:
crypto ikev2 authorization policy VPN-IKEv2
 route set local ipv4 10.0.0.0 255.0.0.0
!
crypto ikev2 profile VPN-IKEv2
 ...
 aaa authentication eap VPN-IKEv2
 aaa authorization user eap cached
 aaa authorization user eap list VPN-IKEv2
 ...
10-21-2017 04:17 AM
You should be able to use either "route set access-list" or "route set remote" commands to push down routes to a client. What version of firmware does your ASR1K currently use? I've checked my ISR1921 and CSR1000v and the "route set remote" command is available on both.
10-21-2017 04:50 AM
IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)
Cisco ASR1001, License Level: adventerprise
10-21-2017 05:05 AM
As you have the option to use an access-list have you tried that?
I notice you aren't running the latest firmware version. Can you upgrade and see if the option for remote is then available? These commands are working on the images I use, but I am running the latest firmware version there.