This module describes FlexVPN server features, IKEv2 commands required to configure the FlexVPN server, remote access clients, and the supported RADIUS attributes.
Note
Security threats, as well as cryptographic technologies to help protect against such threats, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The FlexVPN server supports peer authentication using the Extensible Authentication protocol (EAP) and acts as a pass-through authenticator relaying EAP messages between the client and the backend EAP server. The backend EAP server is typically a RADIUS server that supports EAP authentication.
Note
While the FlexVPN server authenticates the FlexVPN client using EAP, the FlexVPN client must authenticate the FlexVPN server by using certificates; EAP is used in one direction only.
The FlexVPN server is configured to authenticate FlexVPN clients that use EAP by configuring the authentication remote eap command in IKEv2 profile configuration mode. FlexVPN clients signal that they authenticate using EAP by omitting the AUTH payload from the IKE_AUTH request.
If the query-identity keyword is configured, the FlexVPN server queries the EAP identity from the client; otherwise, the FlexVPN client's IKEv2 identity is used as the EAP identity. However, if the query-identity keyword is not configured and the FlexVPN client's IKEv2 identity is an IPv4 or IPv6 address, the session is terminated because IP addresses cannot be used as the EAP identity.
The FlexVPN server starts the EAP authentication by passing the FlexVPN client's EAP identity to the EAP server; the FlexVPN server then relays EAP messages between the remote access (RA) client and the EAP server until the authentication is complete. If the authentication succeeds, the EAP server is expected to return the authenticated EAP identity to the FlexVPN server in the EAP success message.
After EAP authentication, the EAP identity used for the IKEv2 configuration is obtained from the following sources in the given order:
1. The EAP identity provided by the EAP server with the EAP success message.
2. The EAP identity queried from the client when the query-identity keyword is configured.
3. The FlexVPN client IKEv2 identity used as the EAP identity.
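The two identity decisions described above (which identity starts the EAP exchange, and which identity is used for authorization afterwards) are modelled in the following added Python example. It is illustrative code written for this page, not Cisco IOS code; the EapSession fields are a constructed stand-in for the state the server holds, and the IP-literal check uses the standard library's ipaddress module.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class EapSession:
    """Inputs the FlexVPN server has when choosing an EAP identity (constructed model)."""
    ikev2_identity: str                      # peer's IKEv2 ID payload: FQDN, email, or an IP literal
    query_identity: bool                     # 'query-identity' keyword present in the IKEv2 profile
    queried_identity: Optional[str] = None   # EAP-Identity response from the client, if queried
    server_identity: Optional[str] = None    # identity the EAP server returned with EAP success


def is_ip_literal(value: str) -> bool:
    """True for IPv4 or IPv6 address strings, which may not serve as an EAP identity."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def initial_eap_identity(session: EapSession) -> Optional[str]:
    """Identity passed to the EAP server to start authentication.

    Returns None where the page says the session is terminated: without
    query-identity the IKEv2 identity is reused, and an IP address is not a
    valid EAP identity.
    """
    if session.query_identity:
        return session.queried_identity
    if is_ip_literal(session.ikev2_identity):
        return None
    return session.ikev2_identity


def authorization_identity(session: EapSession) -> str:
    """EAP identity used for IKEv2 configuration after a successful EAP exchange,
    taken from the sources in the order the page gives."""
    if session.server_identity:
        return session.server_identity
    if session.query_identity and session.queried_identity:
        return session.queried_identity
    return session.ikev2_identity


if __name__ == "__main__":
    # A client that sends its IP address as the IKEv2 identity (constructed sample)
    s = EapSession(ikev2_identity="198.51.100.7", query_identity=False)
    print(initial_eap_identity(s))          # None: the session is terminated
    s.query_identity = True
    s.queried_identity = "alice@example.com"
    print(initial_eap_identity(s), authorization_identity(s))
```

The None return is the point a defender cares about: a client that only carries an IP address as its IKEv2 identity cannot be authenticated with EAP unless the profile queries the identity explicitly.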
The figure below shows the IKEv2 exchange for EAP authentication without the query-identity keyword.
Figure 1: IKEv2 Exchange Without the query-identity Keyword
The figure below shows the IKEv2 exchange for EAP authentication with the query-identity keyword.
Figure 2: IKEv2 Exchange with the query-identity Keyword
IKEv2 Name Mangler
The IKEv2 name mangler is used to derive the username for IKEv2 authorization and obtain the AAA preshared key from the peer IKE identity.
IKEv2 Authorization
IKEv2 authorization provides a policy for an authenticated session by using AAA. The policy can be defined locally or on the RADIUS server, and contains local and/or remote attributes. The username for authorization can either be derived from the peer identity using the name-mangler keyword or be directly specified in the command. IKEv2 authorization is mandatory only if the peer requests an IP address via configuration mode.
IKEv2 authorization types are as follows:
User authorization--Use the aaa authorization user command in the IKEv2 profile to enable user authorization. User authorization is based on the user-specific portion of the peer IKE identity, such as fqdn-hostname. The attributes from user authorization are called user attributes.
Group authorization--Use the aaa authorization group command in the IKEv2 profile to enable group authorization. Group authorization is based on the generic portion of the peer IKE identity, such as fqdn-domain. The attributes from group authorization are called group attributes.
Implicit user authorization--Use the aaa authorization user cached command in the IKEv2 profile to enable implicit user authorization. Implicit authorization is performed as part of EAP authentication or when obtaining the AAA preshared key. The attributes from implicit user authorization are called cached attributes.
Note
Depending on your release, the aaa authorization user cached command may or may not be available. Explicit user authorization is performed only when implicit user authorization does not return any attributes or does not return the Framed-IP-Address attribute.
Merging and Overriding Attributes
Attributes from different sources are merged before they are used. The precedence of merging attributes is as follows:
When merging duplicate attributes, the source of the attribute has a higher precedence.
When merging user and cached attributes, user attributes have higher precedence.
When merging merged-user attributes and group attributes, merged-user attributes have a higher precedence by default. This precedence can be reversed using the aaa authorization group override command.
IKEv2 Authorization Policy
An IKEv2 authorization policy defines the local authorization policy and contains local and/or remote attributes. Local attributes, such as VPN routing and forwarding (VRF) and the QoS policy, are applied locally. Remote attributes, such as routes, are pushed to the peer via the configuration mode. Use the crypto ikev2 authorization policy command to define the local policy. The IKEv2 authorization policy is referenced from the IKEv2 profile via the aaa authorization command.
IKEv2 Configuration Mode
IKEv2 configuration mode allows IKE peers to exchange configuration information such as IP addresses and routes. The configuration information is obtained from IKEv2 authorization. Both pull and push models are supported. The pull model involves the exchange of configuration requests and replies; the push model involves the exchange of configuration sets and acknowledgements.
The following table describes the conditions under which the initiator and the responder send the different configuration payload types:
Table 1: Configuration Payload Types
Configuration Payload Type | Sent By... | When...
CFG_REQUEST | Initiator | The initiator is the FlexVPN client, or the config-exchange request command is enabled in the IKEv2 profile.
CFG_REPLY | Responder | The responder receives the CFG_REQUEST.
CFG_SET | Initiator and responder | Initiator--The config-exchange set send command is enabled in the IKEv2 profile. Responder--The CFG_REQUEST is not received, the configuration data is available, and the config-exchange set send command is enabled in the IKEv2 profile.
CFG_ACK | Initiator and responder | Initiator--The config-exchange set accept command is enabled in the IKEv2 profile. Responder--The config-exchange set accept command is enabled in the IKEv2 profile.
Note
The commands to send configuration requests and configuration set payloads are enabled by default.
Depending on your release, the IKEv2 initiator can trigger configuration mode when the initiator is a FlexVPN client, or any static tunnel interface initiating IKEv2 can trigger configuration mode when the config-mode command is enabled in the IKEv2 profile.
The IKEv2 FlexVPN server supports the following standard IPv4 configuration attributes:
INTERNAL_IP4_ADDRESS
INTERNAL_IP4_NETMASK
INTERNAL_IP4_DNS
INTERNAL_IP4_NBNS
INTERNAL_IP4_SUBNET
The IKEv2 FlexVPN server supports the following standard IPv6 configuration attributes:
INTERNAL_IP6_ADDRESS
INTERNAL_IP6_DNS
INTERNAL_IP6_SUBNET
Note
IPv6 configuration attributes are only supported by the Microsoft Windows IKEv2 client.
The INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET configuration attributes, controlled by the route set and aaa attribute list commands in the IKEv2 authorization policy, are not supported when you configure a static virtual tunnel interface (SVTI)-to-SVTI tunnel. In such cases, static routing or dynamic routing must be used instead of the IKEv2-based route exchange.
The IKEv2 FlexVPN server supports the following standard common configuration attribute:
APPLICATION_VERSION
Note
This attribute is only sent for Cisco Anyconnect and FlexVPN clients.
The IKEv2 FlexVPN server supports the following Cisco Unity configuration attributes:
MODECFG_BANNER
MODECFG_DEFDOMAIN
MODECFG_SPLITDNS_NAME
MODECFG_BACKUPSERVERS
MODECFG_PFS
MODECFG_INCLUDE_LOCAL_LAN
MODECFG_SMARTCARD_REMOVAL_DISCONNECT
Note
The Cisco Unity attributes are sent only for Cisco Anyconnect and FlexVPN clients.
The IKEv2 FlexVPN server supports the following Cisco FlexVPN configuration attributes:
MODECFG_CONFIG_URL
MODECFG_CONFIG_VERSION
Note
The Cisco FlexVPN attributes are sent only for Cisco FlexVPN clients.
The INTERNAL_IP4_ADDRESS attribute value is derived from the following sources in the given order:
The Framed-IP-Address attribute received in AAA user authorization.
The local IP address pool.
The DHCP server.
The DHCP server, if configured, allocates addresses only if the local IP address pool is not configured. However, if an error occurs when allocating IP addresses from the local pool, the next address source DHCP server is not used for allocating the addresses.
The value for INTERNAL_IP4_NETMASK attribute is derived as follows:
If the IP address is obtained from the DHCP server, the netmask is also obtained from the DHCP server.
If the IP address is obtained from either the Framed-IP-Address attribute in AAA user authorization or the local IP address pool, the netmask is derived from the IPv4 netmask attribute received in the user or group authorization. If the netmask is not available, the INTERNAL_IP4_NETMASK attribute is not included in the configuration reply. If the netmask is available, the INTERNAL_IP4_NETMASK attribute is included only if the INTERNAL_IP4_ADDRESS attribute is included in the configuration reply.
An IPv4 address is allocated and included in the reply only if the client requests an address. If the client requests multiple IPv4 addresses, only one IPv4 address is sent in the reply. If available, the remaining attributes are included in the reply even though the client does not request them. If the client requests an IPv4 address and the FlexVPN server is unable to assign an address, an INTERNAL_ADDRESS_FAILURE message is returned to the client.
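The attribute-merging precedence described under "Merging and Overriding Attributes" and the INTERNAL_IP4_ADDRESS / INTERNAL_IP4_NETMASK derivation just described are worked through in the following added Python example. This is illustrative code written for this page, not Cisco's implementation: the attribute sets, the pool and the DHCP stand-in are constructed inputs, and AddressFailure marks the point where the server would return INTERNAL_ADDRESS_FAILURE.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]


def merge(higher: Attrs, lower: Attrs) -> Attrs:
    """Merge two attribute sets; for a duplicate attribute the higher-precedence source wins."""
    merged = dict(lower)
    merged.update(higher)
    return merged


def merge_authorization(user: Attrs, cached: Attrs, group: Attrs,
                        group_override: bool = False) -> Tuple[Attrs, Attrs]:
    """Return (merged-user attributes, final attributes).

    User attributes win over cached ones, then merged-user attributes win over
    group attributes; 'aaa authorization group override' reverses the second step.
    """
    merged_user = merge(user, cached)
    final = merge(group, merged_user) if group_override else merge(merged_user, group)
    return merged_user, final


@dataclass
class AddressSources:
    """Address sources configured on the server (constructed stand-ins)."""
    local_pool: Optional[List[str]] = None   # free addresses; None means no pool is configured
    dhcp: Optional[Dict[str, str]] = None    # {'address': ..., 'netmask': ...}; None means no DHCP server


class AddressFailure(Exception):
    """Raised where the server would return INTERNAL_ADDRESS_FAILURE to the client."""


def derive_ip4(merged_user: Attrs, final: Attrs, sources: AddressSources,
               requested_addresses: int) -> Tuple[Optional[str], Optional[str]]:
    """Return (INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK); None means the attribute is omitted.

    Only one address is ever returned, however many the client asked for.
    """
    if requested_addresses == 0:
        return None, None            # an address is allocated only when the client requests one
    # 1. Framed-IP-Address received in user authorization (explicit or cached)
    if "Framed-IP-Address" in merged_user:
        return merged_user["Framed-IP-Address"], final.get("Framed-IP-Netmask")
    # 2. Local pool. An allocation error here is final: DHCP is not tried next.
    if sources.local_pool is not None:
        if not sources.local_pool:
            raise AddressFailure("local pool exhausted")
        return sources.local_pool.pop(0), final.get("Framed-IP-Netmask")
    # 3. DHCP, used only when no local pool is configured; the netmask comes from DHCP too.
    if sources.dhcp is not None:
        return sources.dhcp["address"], sources.dhcp["netmask"]
    raise AddressFailure("no address source configured")


def allocation_fails(merged_user: Attrs, final: Attrs, sources: AddressSources,
                     requested_addresses: int = 1) -> bool:
    """True when the reply would carry INTERNAL_ADDRESS_FAILURE instead of an address."""
    try:
        derive_ip4(merged_user, final, sources, requested_addresses)
    except AddressFailure:
        return True
    return False


if __name__ == "__main__":
    user = {"Framed-IP-Address": "10.1.1.5"}
    group = {"Framed-IP-Netmask": "255.255.255.0", "ipsec:dns-servers": "10.1.1.1"}
    merged_user, final = merge_authorization(user, {}, group)
    print(derive_ip4(merged_user, final, AddressSources(local_pool=["10.2.0.1"]), 1))
```

Note the two asymmetries the code makes explicit: the netmask may come from user or group authorization, but the address itself only from user authorization; and a configured-but-exhausted pool fails the request rather than falling back to DHCP.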
IKEv2 Multi-SA
The IKEv2 Multi-SA feature allows an IKEv2 Dynamic Virtual Tunnel Interface (DVTI) session on the IKEv2 responder to support multiple IPsec Security Associations (SAs). The maximum number of IPsec SAs per DVTI session is either obtained from AAA authorization or configured on the IPsec profile; the value from AAA has the higher priority. Any change to the max-flow-limit argument in the IPsec profile is not applied to the current session but is applied to subsequent sessions. The IKEv2 Multi-SA feature makes the configuration of the IKEv2 profile in the IPsec profile optional. This optional configuration allows IPsec DVTI sessions using the same virtual template to have different IKEv2 profiles, thus reducing the number of virtual template configurations.
Note
The IKEv2 Multi-SA feature allows multiple IPsec SAs that have non-any-any proxies. However, when the IPsec SA proxies are any-any, a single IPsec SA is allowed.
For more information, see the "Multi-SA Support for Dynamic Virtual Tunnel Interfaces for IKEv2" module.
Supported RADIUS Attributes
The following tables list the RADIUS attributes supported by the IKEv2 FlexVPN server:
The Scope field defines the direction of the attribute and the usage on the FlexVPN server or client.
Inbound--FlexVPN server to RADIUS
Outbound--RADIUS to the FlexVPN server
Local--Used locally by the FlexVPN server
Remote--Pushed to the client by the FlexVPN server
The "Local configuration" field specifies the IKEv2 authorization policy command that is used to configure the attribute locally on the FlexVPN server.
Cisco AV Pair is a Cisco Vendor Specific Attribute (VSA) with vendor-id 9 and vendor-type 1. The VSAs are encapsulated in the RADIUS IETF attribute 26 (Vendor-Specific). The Cisco AV pair is specified as a string of the format "protocol:attribute=value".
Example:
cisco-avpair = "ipsec:ipv6-addr-pool=v6-pool"
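The encapsulation just described (IETF attribute 26, vendor-id 9, vendor-type 1, string "protocol:attribute=value") is shown on the wire in the following added Python example. It is illustrative code written for this page, not Cisco's or any RADIUS library's code; the attribute value from the page's example is reused, the other sample bytes are constructed, and the sub-attribute layout (vendor-type, vendor-length, data) follows the RFC 2865 Vendor-Specific format.

```python
import struct
from typing import List, Optional, Tuple

RADIUS_VENDOR_SPECIFIC = 26     # IETF attribute type Vendor-Specific
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_VENDOR_TYPE = 1


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one "protocol:attribute=value" string as RADIUS attribute 26 / vendor 9 / type 1."""
    data = avpair.encode("ascii")
    # 253 bytes max attribute value, minus 4 for vendor-id and 2 for the sub-attribute header
    if len(data) > 247:
        raise ValueError("AV pair too long for a single RADIUS attribute")
    sub_attr = struct.pack("!BB", CISCO_AVPAIR_VENDOR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub_attr
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_avpairs(attr: bytes) -> List[str]:
    """Extract Cisco AV pair strings from one RADIUS Vendor-Specific attribute.

    Anything that is not a well-formed Cisco VSA is rejected rather than guessed
    at, so a malformed or foreign attribute never turns into session policy.
    """
    if len(attr) < 8:
        raise ValueError("attribute too short for a vendor-specific header")
    attr_type, attr_len = struct.unpack("!BB", attr[:2])
    if attr_type != RADIUS_VENDOR_SPECIFIC or attr_len != len(attr):
        raise ValueError("not a Vendor-Specific attribute or bad length")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    if vendor_id != CISCO_VENDOR_ID:
        raise ValueError("vendor-id %d is not Cisco" % vendor_id)
    pairs = []
    pos = 6
    while pos < attr_len:
        if attr_len - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vendor_type, vendor_len = struct.unpack("!BB", attr[pos:pos + 2])
        if vendor_len < 2 or pos + vendor_len > attr_len:
            raise ValueError("bad sub-attribute length")
        if vendor_type == CISCO_AVPAIR_VENDOR_TYPE:
            pairs.append(attr[pos + 2:pos + vendor_len].decode("ascii"))
        pos += vendor_len
    return pairs


def is_valid_cisco_vsa(attr: bytes) -> bool:
    """True when decode_cisco_avpairs accepts the attribute."""
    try:
        decode_cisco_avpairs(attr)
    except ValueError:
        return False
    return True


def parse_avpair(avpair: str) -> Tuple[str, str, Optional[str]]:
    """Split "protocol:attribute=value" into its parts; value is None when no '=' is present."""
    protocol, sep, rest = avpair.partition(":")
    if not sep or not protocol or not rest:
        raise ValueError("expected protocol:attribute[=value], got %r" % avpair)
    attribute, sep, value = rest.partition("=")
    return protocol, attribute, (value if sep else None)


if __name__ == "__main__":
    wire = encode_cisco_avpair("ipsec:ipv6-addr-pool=v6-pool")
    print(wire.hex())
    for pair in decode_cisco_avpairs(wire):
        print(parse_avpair(pair))
```

The strict length and vendor checks matter on a FlexVPN server because an outbound AV pair becomes local configuration (pools, DHCP servers, interface settings) or is pushed to the client; a decoder that silently skips over inconsistent lengths would be the wrong tool for that job.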
Table 2: Inbound and Bidirectional IETF RADIUS Attributes
Attribute | Scope
User-Name | Inbound and outbound (bidirectional)
User-Password | Inbound
Calling-Station-Id | Inbound
Service-Type | Inbound
EAP-Message | Bidirectional
Message-Authenticator | Bidirectional
Table 3: Outbound IETF and Cisco AV Pair RADIUS Attributes
Attribute | Type | Scope | Local configuration
Tunnel-Type | IETF | Local | N/A
Tunnel-Medium-Type | IETF | Local | N/A
Tunnel-Password | IETF | Local | N/A
ipsec:ikev2-password-local | Cisco AV Pair | Local | N/A
ipsec:ikev2-password-remote | Cisco AV Pair | Local | N/A
Framed-Pool | Cisco AV Pair | Local | pool
ipsec:group-dhcp-server | Cisco AV Pair | Local | dhcp server
ipsec:dhcp-giaddr | Cisco AV Pair | Local | dhcp giaddr
ipsec:dhcp-timeout | Cisco AV Pair | Local | dhcp timeout
ipsec:ipv6-addr-pool | Cisco AV Pair | Local | ipv6 pool
ipsec:route-set=interface | Cisco AV Pair | Local | route set interface
ipsec:route-set=prefix | Cisco AV Pair | Local | N/A
ipsec:route-accept | Cisco AV Pair | Local | route accept any
ip:interface-config | Cisco AV Pair | Local | aaa attribute list
ipsec:ipsec-flow-limit | Cisco AV Pair | Local | ipsec flow-limit
Framed-IP-Address | IETF | Remote | N/A
Framed-IP-Netmask | IETF | Remote | netmask
ipsec:dns-servers | Cisco AV Pair | Remote | dns
ipsec:wins-servers | Cisco AV Pair | Remote | wins
ipsec:route-set=access-list | Cisco AV Pair | Remote | route set access-list
ipsec:addrv6 | Cisco AV Pair | Remote | N/A
ipsec:prefix-len | Cisco AV Pair | Remote | N/A
ipsec:ipv6-dns-servers-addr | Cisco AV Pair | Remote | ipv6 dns
ipsec:route-set=access-list ipv6 | Cisco AV Pair | Remote | route set access-list ipv6
ipsec:banner | Cisco AV Pair | Remote | banner
ipsec:default-domain | Cisco AV Pair | Remote | def-domain
ipsec:split-dns | Cisco AV Pair | Remote | split-dns
ipsec:ipsec-backup-gateway | Cisco AV Pair | Remote | backup-gateway
ipsec:pfs | Cisco AV Pair | Remote | pfs
ipsec:include-local-lan | Cisco AV Pair | Remote | include-local-lan
ipsec:smartcard-removal-disconnect | Cisco AV Pair | Remote | smartcard-removal-disconnect
ipsec:configuration-url | Cisco AV Pair | Remote | configuration url
ipsec:configuration-version | Cisco AV Pair | Remote | configuration version
Effective with Cisco IOS Release 15.2(2)T, the following changes were made:
The Cisco AV pair ipsec:route-set=access-list replaced ipsec:inacl.
The Cisco AV pair ipsec:route-set=access-list ipv6 replaced ipsec:ipv6-subnet-acl.
The Cisco AV pair ipsec:route-set=interface replaced ipsec:route-set-interface.
The Cisco AV pair ipsec:route-accept=any replaced ipsec:route-accept=accept acl:any.
The Cisco AV pair ipsec:route-accept=none replaced ipsec:route-accept=deny.
The Cisco AV pair ipsec:route-set=prefix prefix/length was introduced.
Supported Remote Access Clients
The FlexVPN server interoperates with the Microsoft Windows 7 IKEv2 client, the Cisco IKEv2 AnyConnect client, and the Cisco FlexVPN client.
The Microsoft Windows 7 IKEv2 client sends an IP address as the Internet Key Exchange (IKE) identity that prevents the Cisco IKEv2 FlexVPN server from segregating remote users based on the IKE identity. To allow the Windows 7 IKEv2 client to send the email address (user@domain) as the IKE identity, apply the hotfix documented in KB975488 (http://support.microsoft.com/kb/975488) on Microsoft Windows 7 and specify the email address string in either the Username field when prompted or the CommonName field in the certificate depending on the authentication method.
For certificate-based authentication, the FlexVPN server and Microsoft Windows 7 client certificates must have an Extended Key Usage (EKU) field as follows:
For the client certificate, EKU field = client authentication certificate.
For the server certificate, EKU field = server authentication certificate
The certificates can be obtained from the Microsoft Certificate Server or the IOS CA server.
For EAP authentication, the Microsoft Windows 7 IKEv2 client expects an EAP identity request before any other EAP requests. Ensure that you configure the query-identity keyword in the IKEv2 profile on the IKEv2 FlexVPN server so that it sends an EAP identity request to the client.
Cisco IKEv2 AnyConnect Client
For certificate-based authentication, the FlexVPN server and the AnyConnect client certificates must have an Extended Key Usage (EKU) field as follows:
For the client certificate, EKU field = client authentication certificate
For the server certificate, EKU field = server authentication certificate
If the FlexVPN server authenticates to the AnyConnect client using certificates, a SubjectAltName extension is required in the FlexVPN server certificate that contains the server's IP address or fully qualified domain name (FQDN). Additionally, HTTP certified URLs must be disabled on the FlexVPN server using the no crypto ikev2 http-url cert command.
The following example displays the XML tags specific to EAP-MD5 authentication of IKEv2 sessions in the AnyConnect client profile:
Configuring the IKEv2 Profile for the FlexVPN Server
This task describes the IKEv2 profile commands required for configuring the FlexVPN server in addition to the basic IKEv2 profile commands. Refer to the "Configuring IKEv2 Profile (Basic)" task in the Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site feature module for information about configuring the basic IKEv2 profile.
Perform this task to configure the IKEv2 profile for the FlexVPN Server:
aaa authorization user {cert | eap | psk} {cached | list aaa-listname [aaa-username | name-mangler mangler-name]}
Example:
Device(config-ikev2-profile)# aaa authorization user eap cached
Example:
Device(config-ikev2-profile)# aaa authorization user cert list list1 name-mangler mangler1
Specifies the AAA method list and username for user authorization.
user--Specifies user authorization.
cert--Specifies that the peers must be authenticated using certificates.
eap--Specifies that the peers must be authenticated using EAP.
psk--Specifies that the peers must be authenticated using preshared keys.
cached--Specifies that the attributes received during EAP authentication or obtained from the AAA preshared key must be cached.
aaa-listname--AAA method list name.
aaa-username--Specifies the username that must be used in the AAA authorization request.
name-mangler--Specifies the name mangler that derives the AAA authorization username from the peer identity.
mangler-name--Name mangler to be used.
Note
For the psk and eap authentication methods, specifying the aaa-username argument or the name-mangler keyword is optional; if neither is specified, the peer identity is used as the username.
For the psk and eap authentication methods, you can simultaneously configure two variants for user authorization with the cached and list keywords respectively.
Specifying the aaa-username argument or the name-mangler keyword is mandatory for cert authentication, because the peer identity of type distinguished name (DN) cannot be used as a username.
Note
Prior to Cisco IOS Release 15.2(2)T, the list and cached keywords were not available, the psk, eap and cert keywords were optional, and specifying the aaa-username argument or the name-mangler keyword was mandatory.
aaa authorization group [override] {cert | eap | psk} list aaa-listname [aaa-username | name-mangler mangler-name]
Example:
Device(config-ikev2-profile)# aaa authorization group override psk list list1
Example:
Device(config-ikev2-profile)# aaa authorization group cert list list1 name-mangler mangler1
Specifies the AAA method list and username for group authorization.
group--Specifies group authorization.
override--(Optional) Specifies that attributes from group authorization should take precedence while merging attributes. By default, user attributes take precedence.
cert--Specifies that peers must be authenticated using certificates.
eap--Specifies that peers must be authenticated using EAP.
psk--Specifies that peers must be authenticated using preshared keys.
aaa-listname--AAA method list name.
aaa-username--Username that must be used in the AAA authorization request.
name-mangler--Specifies the name mangler that derives the AAA authorization username from the peer identity.
mangler-name--Name mangler to be used.
Note
For the psk and eap authentication methods, specifying the aaa-username argument or the name-mangler keyword is optional; if neither is specified, the peer identity is used as the username.
For the psk and eap authentication methods, you can simultaneously configure two variants for user authorization with the cached and list keywords respectively.
Specifying the aaa-username argument or the name-mangler keyword is mandatory for cert authentication, because the peer identity of type distinguished name (DN) cannot be used as a username.
Note
Prior to Cisco IOS Release 15.2(2)T, the list and cached keywords were not available, the psk, eap and cert keywords were optional, and specifying the aaa-username argument or the name-mangler keyword was mandatory.
Step 8
config-exchange {request | set {accept | send}}
Example:
Device(config-ikev2-profile)# config-exchange set accept
request--Enables the configuration exchange request.
set--Enables the configuration exchange request set options.
accept--Accepts the configuration exchange request set.
send--Enables sending of the configuration exchange set.
Note
The request and set options are enabled by default.
Step 9
end
Example:
Device(config-ikev2-profile)# end
Exits IKEv2 profile configuration mode and returns to privileged EXEC mode.
Configuring the IKEv2 Name Mangler
Perform this task to specify the IKEv2 name mangler, which is used to derive a name for authorization requests and obtain AAA preshared keys. The name is derived from specified portions of different forms of remote IKE identities or the EAP identity. The name mangler specified here is referred to in the IKEv2 profile.
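How a name mangler turns a peer identity into an authorization username, as the page describes for the fqdn-hostname / fqdn-domain portions and the dn common-name / dn domain forms used in the configuration examples below, is illustrated by the following added Python example. It is illustrative code written for this page and not Cisco's implementation; the email username/domain form is listed here because the email submode appears in the command list at the end of the module, and the choice to assemble "dn domain" from the DN's DC components is an assumption of this example, not something the page states.

```python
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style DN string into (attribute, value) pairs.

    Backslash-escaped commas inside values are preserved; multi-valued RDNs
    ('+') are not split, which is enough for this illustration.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def mangle(identity_type: str, part: str, identity: str) -> str:
    """Derive the AAA username from the peer identity.

    fqdn  hostname | domain    : "host.example.com" -> "host" | "example.com"
    email username | domain    : "user@example.com" -> "user" | "example.com"
    dn    common-name | domain : CN value | DC components joined with '.' (assumption)
    """
    if identity_type == "fqdn":
        host, sep, domain = identity.partition(".")
        if not sep:
            raise ValueError("FQDN has no domain part: %r" % identity)
        if part == "hostname":
            return host
        if part == "domain":
            return domain
    elif identity_type == "email":
        user, sep, domain = identity.rpartition("@")
        if not sep:
            raise ValueError("email identity has no '@': %r" % identity)
        if part == "username":
            return user
        if part == "domain":
            return domain
    elif identity_type == "dn":
        pairs = parse_dn(identity)
        if part == "common-name":
            cns = [v for k, v in pairs if k == "CN"]
            if not cns:
                raise ValueError("DN carries no CN")
            return cns[0]
        if part == "domain":
            dcs = [v for k, v in pairs if k == "DC"]
            if not dcs:
                raise ValueError("DN carries no DC components")
            return ".".join(dcs)
    raise ValueError("unsupported mangler: %s %s" % (identity_type, part))


if __name__ == "__main__":
    # Constructed sample identities
    print(mangle("fqdn", "hostname", "client1.example.com"))   # user authorization name
    print(mangle("fqdn", "domain", "client1.example.com"))     # group authorization name
    print(mangle("dn", "common-name", "CN=client1,OU=vpn,O=Example\\, Inc.,DC=example,DC=com"))
```

The split between a user-specific portion (hostname, username, common name) and a generic portion (domain) is exactly what lets one IKEv2 profile drive both user and group authorization from the same certificate or identity.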
Allows you to specify up to ten backup server names. This parameter is pushed to the client via the nonstandard Cisco Unity configuration attribute. This parameter specifies the backup servers that the client can use.
Step 6
banner banner-text
Example:
Device(config-ikev2-author-policy)# banner This is IKEv2
Specifies the banner. This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute.
Specifies the configuration URL. This parameter is sent to the client via the nonstandard Cisco FlexVPN configuration attribute. The client can use this URL to download the configuration.
Step 8
configuration version version
Example:
Device(config-ikev2-author-policy)# configuration version 2.4
Specifies the configuration version. This parameter is sent to the client via the nonstandard Cisco FlexVPN configuration attribute. This parameter is sent with the configuration URL to specify the version that the client can download.
Specifies the default domain. This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute. This parameter specifies the default domain that the client can use.
Step 10
dhcp {giaddr ip-address | server {ip-address | hostname} | timeout seconds}
Specifies the netmask of the subnet from which the IP address is assigned to the client.
mask--Subnet mask address.
Step 15
pfs
Example:
Device(config-ikev2-author-policy)# pfs
Enables Perfect Forward Secrecy (PFS). This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute. This parameter specifies whether the client should use PFS.
Step 16
[ipv6] pool name
Example:
Device(config-ikev2-author-policy)# pool abc
Defines a local IP address pool for assigning IP addresses to the remote access client.
ipv6--(Optional) Specifies an IPv6 address pool. To specify an IPv4 address pool, execute the command without this keyword.
name--Name of the local IP address pool.
Note
The local IP address pool must already be defined using the ip local pool command.
Device(config-ikev2-author-policy)# route set interface
Specifies the route set parameters to the peer via configuration mode and allows running routing protocols such as Border Gateway Protocol (BGP) over VPN.
interface--Specifies the route interface.
access-list--Specifies the route access list.
access-list-name--Access list name.
access-list-number--Standard access list number.
expanded-access-list-number--Expanded access list number.
ipv6--Specifies an IPv6 access list.
Step 18
route accept any [tag value] [distance value]
Example:
Device(config-ikev2-author-policy)# route accept any tag 10
Filter the routes received from the peer and specify the tag and metric values to install these routes.
any--Accepts all routes received from the peer.
tag value--(Optional) Specifies the tag ID for the static routes added by IKEv2. The range is from 1 to 497777.
distance value--(Optional) Specifies the administrative distance for the static routes added by IKEv2. The range is from 1 to 255.
Enables smartcard removal disconnect. This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute. This parameter specifies that the client should terminate the session when the smart card is removed.
Allows you to specify up to ten split domain names. This parameter is sent to the client via the nonstandard Cisco Unity configuration attribute. This parameter specifies the domain names that the client should use for private networks.
Example: Configuring the FlexVPN Server to Authenticate Peers Using EAP
This example shows how to configure the FlexVPN server to authenticate peers using EAP.
aaa new-model
!
aaa group server radius eap-server
server 192.168.2.1
!
aaa authentication login eap-list group eap-server
!
crypto pki trustpoint trustpoint1
enrollment url http://192.168.3.1:80
revocation-check crl
!
crypto ikev2 profile ikev2-profile1
match identity remote address 0.0.0.0
authentication local rsa-sig
authentication remote eap query-identity
pki trustpoint trustpoint1
aaa authentication eap eap-list
virtual-template 1
!
crypto ipsec transform-set transform1 esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile1
set transform-set transform1
set ikev2-profile ikev2-profile1
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile1
!
radius-server host 192.168.2.1 key key1
!
Example: Configuring the FlexVPN Server for Group Authorization (External AAA)
The following example shows how to configure the FlexVPN server for group authorization through an external AAA server, which would be a RADIUS or TACACS server.
aaa new-model
!
aaa group server radius cisco-acs
server 192.168.2.2
!
aaa authorization network group-author-list group cisco-acs
!
crypto pki trustpoint trustpoint1
enrollment url http://192.168.3.1:80
revocation-check crl
!
crypto pki certificate map certmap1 1
subject-name co cisco
!
crypto ikev2 name-mangler group-author-mangler
dn domain
!
crypto ikev2 profile ikev2-profile1
match certificate certmap1
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint trustpoint1
aaa authorization group cert list group-author-list name-mangler group-author-mangler
virtual-template 1
!
crypto ipsec transform-set transform1 esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile1
set transform-set transform1
set ikev2-profile ikev2-profile1
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile1
!
radius-server host 192.168.2.2 key key2
!
Example: Configuring the FlexVPN Server for Group Authorization (Local AAA)
The following example shows how to configure the FlexVPN server for group authorization through local AAA using the IKEv2 authorization policy. The authorization policy specifies standard IPv4 and IPv6 attributes, Cisco Unity attributes, and FlexVPN attributes to be sent to the client through configuration mode. The authorization policy also specifies per-user attributes through the aaa attribute list command for local use.
aaa new-model
!
aaa authorization network local-group-author-list local
!
!
aaa attribute list attr-list1
attribute type interface-config "ip mtu 1100"
attribute type interface-config "tunnel key 10"
!
crypto pki trustpoint trustpoint1
enrollment url http://192.168.3.1:80
revocation-check crl
!
crypto pki certificate map certmap1 1
subject-name co cisco
!
crypto ikev2 authorization policy author-policy1
pool pool1
dhcp server 192.168.4.1
dhcp timeout 10
dhcp giaddr 192.168.1.1
dns 10.1.1.1 10.1.1.2
subnet-acl acl1
wins 192.168.1.2 192.168.1.3
netmask 255.0.0.0
banner ^C flexvpn server ^C
configuration url http://www.abc.com
configuration version 10
def-domain abc.com
split-dns dns1
split-dns dns2
split-dns dns3
backup-gateway gw1
backup-gateway gw2
backup-gateway gw3
smartcard-removal-disconnect
include-local-lan
pfs
aaa attribute list attr-list1
!
crypto ikev2 profile ikev2-profile1
match certificate certmap1
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint trustpoint1
aaa authorization group cert list local-group-author-list author-policy1
virtual-template 1
!
crypto ipsec transform-set transform1 esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile1
set transform-set transform1
set ikev2-profile ikev2-profile1
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile1
!
ip local pool pool1 192.168.2.10 192.168.2.100
!
ip access-list extended acl1
permit ip 192.168.3.10 192.168.4.100 any
permit ip 192.168.10.1 192.168.10.100 any
!
Example: Configuring the FlexVPN Server for User Authorization
The following example shows how to configure the FlexVPN server for user authorization.
aaa new-model
!
aaa group server radius cisco-acs
server 192.168.2.2
!
aaa authorization network user-author-list group cisco-acs
!
crypto pki trustpoint trustpoint1
enrollment url http://192.168.3.1:80
revocation-check crl
!
crypto pki certificate map certmap1 1
subject-name co cisco
!
crypto ikev2 name-mangler user-author-mangler
dn common-name
!
crypto ikev2 profile ikev2-profile1
match certificate certmap1
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint trustpoint1
aaa authorization user cert list user-author-list name-mangler user-author-mangler
virtual-template 1
!
crypto ipsec transform-set transform1 esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile1
set transform-set transform1
set ikev2-profile ikev2-profile1
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile1
!
radius-server host 192.168.2.2 key key2
!
Example: Configuring the FlexVPN Server for IPv6 Session with IPv6 Configuration Attributes
The following example shows how to configure the FlexVPN server for an IPv6 dynamic virtual tunnel interface (DVTI) session. The example uses local AAA group authorization through the IKEv2 authorization policy. The IPv6 configuration attributes are configured under the IKEv2 authorization policy.
aaa new-model
!
aaa authorization network local-group-author-list local
!
crypto pki trustpoint trustpoint1
enrollment url http://192.168.3.1:80
revocation-check crl
!
crypto pki certificate map certmap1 1
subject-name co cisco
!
crypto ikev2 authorization policy author-policy1
ipv6 pool v6-pool
ipv6 dns 2001:DB8:1::11 2001:DB8:1::12
ipv6 subnet-acl v6-acl
!
crypto ikev2 profile ikev2-profile1
match certificate certmap1
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint trustpoint1
aaa authorization group cert list local-group-author-list author-policy1
virtual-template 1
!
crypto ipsec transform-set transform1 esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-profile1
set transform-set transform1
set ikev2-profile ikev2-profile1
!
interface Ethernet0/0
ipv6 address 2001:DB8:1::1/32
!
interface Virtual-Template1 type tunnel
ipv6 unnumbered Ethernet0/0
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipsec-profile1
!
ipv6 local pool v6-pool 2001:DB8:1::10/32 48
!
ipv6 access-list v6-acl
permit ipv6 host 2001:DB8:1::20 any
permit ipv6 host 2001:DB8:1::30 any
!
Additional References for Configuring the FlexVPN Server
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for Configuring FlexVPN Server
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 4: Feature Information for Configuring FlexVPN Server
Feature Name | Releases | Feature Information
IKEv2 headend support for remote access clients | 15.2(1)T | This feature provides IKEv2 support for AnyConnect 3.0, the FlexVPN hardware client, and IKEv2 Multi-SA support for VTI. In Cisco IOS Release 15.2(1)T, this feature was introduced. The following commands were introduced or modified: aaa attribute list, backup-gateway, banner, config-mode set, configuration url, configuration version, def-domain, dhcp, dns, include-local-lan, max flow limit, pfs, pool, route accept, route set interface, smartcard-removal-disconnect, split-dns, subnet-acl.
IKEv2 Remote Access Headend | 15.1(3)T | The IKEv2 remote access headend feature implements RFC 5685 in IKEv2. In Cisco IOS Release 15.1(3)T, this feature was introduced. The following commands were introduced or modified: aaa accounting (IKEv2 profile), aaa authentication (IKEv2 profile), aaa authorization (IKEv2 profile), authentication (IKEv2 profile), crypto ikev2 client configuration group, crypto ikev2 fragmentation, crypto ikev2 name mangler, dhcp, dn, dns, eap, email, fqdn, keyring, netmask, pool, show crypto ikev2 profile, show crypto ikev2 sa, subnet-acl, wins.