Cisco Anyconnect Vpn Router
The main reason to add a router instead of using the default ADSL triple box was to set up a permanent VPN tunnel to my office and forward only selected DNS entries through it. My main problem is that only OpenConnect seems to be able to connect to Cisco IPsec servers.

Cisco AnyConnect Secure Mobility Client 4.4 on the RV34x Series: configure an AnyConnect VPN connection on the RV34x by configuring SSL VPN on the RV34x. Step 1. Access the web-based utility of the router and choose VPN > SSL VPN. Click the On radio button to enable the Cisco SSL VPN Server. Mandatory portal.

In this post, I will explain how to configure a WebVPN (sometimes called SSL VPN) using the AnyConnect VPN client on a Cisco 870 router. The example and the concept of the configuration are the same for other Cisco router models as well. This web-based VPN has three remote access modes. The architecture used in this document includes a single Cisco IP phone, a Cisco IOS router as the SSL VPN gateway, and a CUCM as the voice gateway. Configuring an SSL VPN Server: this section describes how to configure the Cisco IOS head-end to allow incoming SSL VPN connections.

I’ll update my original post above, but I (finally) managed to solve the problem and wanted to share the solution. Thanks to some internet searches, I learned some settings in Frontier/Netgear DSL modems/routers that are (as far as I know) designed to help redirect various services through the router/firewall. From there, I was able to trace it to the “ALG” setting in the port forwarding area of ​​the modem/router firmware. This is what I did:

  1. Log in to your DSL modem/router via the web interface
  2. Click “Advanced” in the top menu
  3. Click “ALG” under the section on the left indicated by the red toolbox icon
  4. Remove the check mark for IPSec and click Apply
  5. Restart your modem/router

After doing that, I was able to connect successfully using Cisco VPN Client – hope this helps the next poor soul facing this! I hope this will save you many hours over the many days of troubleshooting that took me…

EDIT: Additional note – my home DSL router/modem is a Netgear 7550 model, while both employees seem to have released a Netgear D2200D (probably newer) model. The VPN seems to pass through the 7550 model without a problem, so this could be a model-specific issue.

Edited on October 26, 2016 at 17:11 UTC

Introduction

This document provides a sample configuration that shows how to configure an IOS/IOS-XE head-end for remote access using AnyConnect over IKEv2 with the AnyConnect-EAP authentication method and the local user database.

Prerequisites


Cisco recommends that you have knowledge of these topics:

Components Used

The information in this document is based on the following software and hardware versions:

  • Cisco Cloud Services Router IOS XE 16.9.2
  • AnyConnect Client Version 4.6.03049 on Windows 10

The information in this document was generated from devices in a specific laboratory environment. All devices used in this document started with a cleared (default) configuration. If your network is active, make sure you understand the potential impact of any command.

Background Information

AnyConnect-EAP, also known as Aggregate Authentication, allows a FlexVPN server to authenticate an AnyConnect client using Cisco’s proprietary AnyConnect-EAP method. In contrast to standards-based Extensible Authentication Protocol (EAP) methods such as EAP Generic Token Card (EAP-GTC), EAP Message Digest 5 (EAP-MD5) and so on, the FlexVPN server does not operate in EAP pass-through mode. All EAP communication with the client terminates on the FlexVPN server, and the session key required to build the AUTH payload is computed locally by the FlexVPN server. The FlexVPN server must authenticate itself to the client using certificates, as required by the IKEv2 RFC.

Local user authentication is now supported on the FlexVPN server, and remote authentication is optional. This is ideal for small deployments with fewer remote access users and for environments without access to an external Authentication, Authorization, and Accounting (AAA) server. However, for large-scale deployments, and in scenarios where user-specific attributes are required, it is still recommended to use an external AAA server for authentication and authorization. AnyConnect-EAP allows the use of RADIUS for remote authentication, authorization and accounting.

Network Diagram


Authentication and authorization of users using the local database

Note: In order to authenticate users against the local database on the router, EAP must be used. However, in order to use EAP, the local authentication method must be rsa-sig, so the router needs an appropriate certificate installed, and it cannot be a self-signed certificate.

A sample configuration that uses local user authentication, remote user and group authorization, and remote accounting.

Step 1. Enable AAA, configure the Authentication, Authorization and Accounting lists and add a username to the local database:

Step 2. Configure a trustpoint containing the router’s certificate. A PKCS12 file import is used in this example. For other options, please refer to the PKI (Public Key Infrastructure) Configuration Guide: pki.html

Step 3. Define a local IP pool to assign addresses to AnyConnect VPN clients:

Step 4. Create an IKEv2 local authorization policy:

Step 5 (optional). Create your desired IKEv2 proposal and policy. If not configured, the smart default settings are used:

Step 6. Create the AnyConnect profile.

Note: The AnyConnect profile must be delivered to the client device. Please refer to the next section for more information.

Configure the client profile using the AnyConnect Profile Editor as shown in the image:

Click “Add” to create an entry for the VPN gateway. Make sure that “IPsec” is selected as the “Primary Protocol”. Uncheck the “ASA Gateway” option.

Save the profile by going to File -> Save As. The XML equivalent of the profile:

Note: AnyConnect uses *$AnyConnectClient$* as the default IKE identity of type key-id. However, this identity can be changed manually in the AnyConnect profile to match your deployment needs.

Note: To upload the XML profile to the router, IOS-XE 16.9.1 or later is required. If an older version of IOS-XE software is used, the ability to download the profile must be disabled on the client. Please refer to the “Disable the ability to download AnyConnect” section for more information.

Load the generated XML profile to the router’s flash memory and specify the profile:

Note: The file name used for the AnyConnect XML profile must be acvpn.xml.

Step 7. Create an IKEv2 profile that uses the AnyConnect-EAP method for client authentication.

Note: The CLI accepts configuring the remote authentication method before the local authentication method, but on versions that do not have the fix for enhancement request CSCvb29701 it does not take effect if the remote authentication method is eap. On those versions, when configuring eap as the remote authentication method, be sure to configure the local authentication method as rsa-sig first. This problem is not seen with any other remote authentication method.

Note: On code versions affected by CSCvb24236, once remote authentication is configured before local authentication, it is no longer possible to configure the remote authentication method on that device. Please upgrade to a version that contains the fix for this defect.

Step 8. Disable HTTP-URL-based certificate lookup and HTTP server on the router:

Note: Refer to the Next Generation Encryption documentation to confirm whether your router supports the NGE encryption algorithms (the example above contains NGE algorithms). Otherwise, installation of the IPsec SA on the device fails at the last stage of negotiation.


Step 9. Define the encryption and hashing algorithms used to protect data:

Step 10. Create an IPsec profile:

Step 11. Configure a loopback interface with a dummy IP address. The Virtual-Access interfaces borrow their IP address from it.

Step 12. Create a virtual template (and reference the template in the IKEv2 profile):


Step 13 (optional). By default, all traffic from the client is sent through the tunnel. You can configure split tunneling, which allows only selected traffic to pass through the tunnel.

Step 14 (optional). If all traffic is required to pass through the tunnel, you can configure NAT to allow Internet connectivity for remote clients.
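As an added illustration of the head-end side of steps 1 through 12 (this is not the configuration from the original document), the fragment below ties the AAA lists, pool, authorization policy, IKEv2 profile, IPsec profile and virtual template together. The trustpoint name ROUTER-CERT is assumed to exist from step 2, and all other names, addresses and the user credential are placeholders.

```ios
! Step 1: AAA lists and a local user (names and credential are placeholders)
aaa new-model
aaa authentication login LOCAL-EAP-AUTHEN local
aaa authorization network LOCAL-EAP-AUTHOR local
username vpnuser secret <user-password>
!
! Step 3: address pool handed out to AnyConnect clients
ip local pool ACPOOL 192.168.10.5 192.168.10.10
!
! Step 4: IKEv2 authorization policy returns the pool and a DNS server
crypto ikev2 authorization policy IKEV2-AUTHZ-POLICY
 pool ACPOOL
 dns 10.0.0.1
!
! Step 7: IKEv2 profile; on releases affected by the defects noted above,
! the local rsa-sig method is configured before the remote anyconnect-eap one
crypto ikev2 profile ANYCONNECT-EAP
 match identity remote key-id *$AnyConnectClient$*
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate
 pki trustpoint ROUTER-CERT
 aaa authentication anyconnect-eap LOCAL-EAP-AUTHEN
 aaa authorization group anyconnect-eap list LOCAL-EAP-AUTHOR IKEV2-AUTHZ-POLICY
 aaa authorization user anyconnect-eap cached
 virtual-template 100
 anyconnect profile acvpn
!
! Step 6: profile uploaded to flash; the file name must be acvpn.xml
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
!
! Step 8: no HTTP-URL certificate lookup, HTTP server disabled
no crypto ikev2 http-url cert
no ip http server
no ip http secure-server
!
! Steps 9-10: NGE transform (AES-GCM) bound to the IKEv2 profile
crypto ipsec transform-set TS esp-gcm 256
 mode tunnel
crypto ipsec profile ANYCONNECT-EAP
 set transform-set TS
 set ikev2-profile ANYCONNECT-EAP
!
! Steps 11-12: the loopback lends its address to every Virtual-Access interface
interface Loopback100
 ip address 10.0.0.1 255.255.255.255
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ANYCONNECT-EAP
```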

Disable the ability to download the AnyConnect profile (optional)

This step is only necessary if you are using an IOS-XE software version earlier than 16.9.1. Prior to IOS-XE 16.9.1, the ability to upload an XML profile to the router was not available. By default, the AnyConnect client attempts to download an XML profile after a successful login; if the profile is not available, the connection fails. As a workaround, it is possible to disable profile download on the client itself. To do this, the following file can be modified:

The “BypassDownloader” option should be set to “true”, for example:

After modification, the AnyConnect client needs to be restarted.

AnyConnect XML Profile Delivery

With the new installation of AnyConnect (with no XML profiles added), the user can manually enter the FQDN of the VPN gateway in the address bar of the AnyConnect client. This results in an SSL connection to the gateway. The AnyConnect client will not attempt to create a VPN tunnel using IKEv2 / IPsec protocols by default. This is the reason why installing an XML profile on the client is mandatory to create an IKEv2/IPsec tunnel using IOS-XE VPN Gateway.

The profile is used when selected from the AnyConnect address bar drop-down list. The name that will appear is the same as the one specified in Display Name in the AnyConnect profile editor. In this example, the user must specify the following:

The XML profile can be manually placed in the following directory:

The AnyConnect client needs to be restarted for the configuration to be visible in the GUI. It is not enough to close the AnyConnect window. The process can be restarted by right-clicking the AnyConnect icon in the Windows tray and selecting the “Exit” option:

Communication Flow

IKEv2 and EAP exchange


Use this section to ensure that your configuration is working correctly.



This section provides information that you can use to troubleshoot configuration errors.


  1. IKEv2 debugs from the head-end:
  2. AAA debugs for local and/or remote attribute assignment:
  3. DART from the AnyConnect client.
