
IKEv2 with AnyConnect Secure Mobility Client 3.1
Hello guys!
Lately I have been configuring a VPN implementation using IKEv2. The goal is to establish a VPN connection between the router and a remote client, which is AnyConnect.
Unfortunately it doesn't work and I don't really know where the problem is :( If there is someone who can help me, I'll be grateful.
This is my config:
crypto pki trustpoint flexvpn-CA
 enrollment selfsigned
 serial-number
 ip address 10.10.10.2
 subject-name cn=flex-hub.jarsfe.test.ma
 revocation-check none
crypto pki certificate map CMAP 10
ip local pool AC 10.10.10.5 10.10.10.45
crypto ikev2 authorization policy AC
 pool AC
crypto ikev2 proposal pro
 encryption 3des aes-cbc-128
 integrity sha1
 group 5 2
crypto ikev2 policy POL
 match fvrf any
 proposal PRO
crypto ikev2 profile PRO
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint flexvpn-CA
 aaa authorization group cert list default AC
 virtual-template 1
no crypto ikev2 http-url cert
crypto ipsec transform-set TRA esp-3des esp-sha512-hmac
crypto ipsec profile PRO
 set transform-set TRA
 set ikev2-profile PRO
interface virtual-template1 type tunnel
 ip unnumbered f0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PRO
Comments
You should have posted this in the Security forum. There are a couple of errors and typos you have: you define the proposal with lowercase "pro" and apply it under the policy with capitals "PRO", and you did not enroll the router with itself, thus the router does not have a certificate to be used for the IKEv2 session. You should also make use of the default proposal and policy, or if you want to use your own, first disable the default ones. Also, you don't have AAA enabled, but you apply the list under the IKEv2 profile.
Follow this document and you should be good, except of course for client authentication, which in your case is certificates, or whatever you want:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html
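A corrected version of the posted configuration that applies the four points raised in the comment above (AAA enabled for the referenced list, the trustpoint actually enrolled, the default IKEv2 proposal/policy disabled before custom ones are used, and the proposal name made consistent). This is an added example for this thread, not the poster's working config and not taken from the linked Cisco document; the object names, pool and algorithm choices follow the original post, while the RSA key label "flexvpn-CA", the 2048-bit modulus and the use of the "default" method list with local authorization are assumptions.

```cisco
! Added example: corrected IKEv2/FlexVPN hub config for AnyConnect with certificate auth.
! Names (flexvpn-CA, CMAP, AC, PRO, POL, TRA) and addresses follow the original post;
! the RSA key label, modulus and "default" method list -> local are assumptions.
!
! 1. AAA must be on before "aaa authorization group cert list default AC" in the
!    IKEv2 profile can resolve the "default" list (here it is served locally).
aaa new-model
aaa authorization network default local
!
! 2. The router needs its own key pair and a certificate in the trustpoint;
!    "enrollment selfsigned" alone does nothing until the trustpoint is enrolled.
crypto key generate rsa label flexvpn-CA modulus 2048
crypto pki trustpoint flexvpn-CA
 enrollment selfsigned
 serial-number
 ip address 10.10.10.2
 subject-name cn=flex-hub.jarsfe.test.ma
 revocation-check none
 rsakeypair flexvpn-CA
crypto pki enroll flexvpn-CA
!
crypto pki certificate map CMAP 10
!
ip local pool AC 10.10.10.5 10.10.10.45
!
crypto ikev2 authorization policy AC
 pool AC
!
! 3. Either keep the built-in default proposal/policy or disable them before
!    defining your own. IOS object names are case-sensitive, so the proposal is
!    now "PRO" both where it is defined and where the policy references it.
no crypto ikev2 proposal default
no crypto ikev2 policy default
crypto ikev2 proposal PRO
 encryption 3des aes-cbc-128
 integrity sha1
 group 5 2
crypto ikev2 policy POL
 match fvrf any
 proposal PRO
!
! 4. Profile unchanged apart from now having a certificate and a working AAA list.
crypto ikev2 profile PRO
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint flexvpn-CA
 aaa authorization group cert list default AC
 virtual-template 1
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set TRA esp-3des esp-sha512-hmac
crypto ipsec profile PRO
 set transform-set TRA
 set ikev2-profile PRO
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PRO
```

After applying it, "show crypto pki certificates flexvpn-CA" should list a router certificate (not just the trustpoint), "show crypto ikev2 proposal" should show PRO and no default, and a client connection should appear in "show crypto ikev2 sa"; if the client still fails, "debug crypto ikev2" on the hub shows which stage (proposal match, certificate validation or authorization) rejects it.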
Thanks for your help.