How to configure a Cisco IOS router for IKEv2 and AnyConnect with Suite-B Cryptography


IFM supplies network engineering services for $NZ200+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!

Perhaps your visiting this page because you want to use the latest (as of 2015) cryptography standards available - Suite-B. Perhaps you are interested in fully migrating to IKEv2. Or perhaps you are one of the many people using the "end of life" Cisco IPSec VPN Client, upgraded to Windows 10, and then found the support somewhat lacking. Perhaps you have come across some articles on the Internet showing solutions, but you don't have Cisco ISE, a RADIUS server or a certificate server, so they wont work for you. Or perhaps you just want to keep your Cisco technology current.

The first solution you should consider is using the Cisco SSL VPN technology. It doesn't use Suite-B cryptography, but it is much easier to setup. If you don't need super strong cryptography (and don't mind paying the licencing cost) then you should seriously consider this option (which Google can help you find the answers too).

You're still reading this article so that means you do want to use super strong cryptograpy or want to minimise additional licencing costs. This article will show you how to deploy a IKEv2 Suite-B Compliant VPN using the Cisco AnyConnect client (V3.1.12020 or newer) using nothing more than a Cisco IOS router running IOS V15.4(3)M4 or later. You need to be using a minimum of Windows 7 to make Suite-B work. This is perfect for small sites that are light on infrastructure.

If you don't currently have the Cisco AnyConnect client you will need to get a Cisco support contract (such as a SmartNet contract) to be able to download the client. If you need to upgrade the software on your router to 15.4(3)M4 then you will need the same support contract to download the new router software.

Note that AnyConnect with IKEv2 on IOS does not currently support the use of split-acls. Everything will get sent back to the router. If you want the user to have Internet access you'll need to NAT their traffic and send it back out to the Internet. Also note the use of certificates is compulsory. It is not possible to use usernames and passwords (IOS local authentication does not support EAP and AnyConnect only supports EAP for username/password authentication). You will also need a TFTP server on one machine to get certificates off the router. A great free TFTP server is tftpd32.

Basic IOS Functionality Needed

We need some basic fundamentals enabled.

aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network grouplist local

ip http server

ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org

Its pretty critical that your router has at least the right date. Having the right time is even better. We have't configured the time zone, but make sure the date and time are about right before continuing (relative to the timezone displayed). If NTP above isn't working in your configuration above then manually set the date and time using the "clock set ..." command.

show clock

REPEAT: DO NOT CONTINUE UNTIL THE DATE AND TIME ARE CORRECT

Certificate Server

You have to deploy certificates. There is no other way to get it going.

First define the new CA.

do mkdir flash:ca

crypto pki server ca-server
 database level names
 no database archive
 hash sha512
 lifetime certificate 3650
 lifetime ca-certificate 7305 23 59
 eku server-auth client-auth
 auto-rollover 365
 database url flash:ca
 exit

exit

crypto key generate rsa general modulus 4096 exportable label ca-server

do crypto pki server ca-server start

Now we have a CA operating, we need to generate a certificate for our router to identify itself to clients. Ideally you will have a DNS entry for this, but a static IP address should also be fine. The "IP Address" below is the external public IPv4 address of the router.

crypto key generate rsa general modulus 4096 exportable label router

crypto pki trustpoint router
 enrollment url http://<ip address>:80
 ip-address <ip address>
 fqdn <DNS entry pointing to router>
 subject-name CN=<site name>,OU=user-vpn,O=<company name>
 revocation-check crl
 rsakeypair router
 auto-enroll regenerate
 hash sha512
 exit

crypto pki authenticate router
crypto pki enroll router

The certificate server should now have a pending request.

do show crypto pki server ca-server requests

Once you can see the request number you can approve it.

do crypto pki server ca-server grant <request number>

Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:

do show crypto pki certificates router

Crypto Configuration

Below I have allowed for users VPNing in to get an IP address from 192.168.255.1 to 192.168.255.254. You can modify this to use a free IP address block at your site.

ip local pool vpnusers 192.168.255.1 192.168.255.254

crypto ikev2 authorization policy ap-staff
 pool vpnusers
 route set interface

crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 14

crypto ikev2 policy default
 match fvrf any
 proposal default

crypto pki certificate map staff-certificate-map 10
 issuer-name co cn = ca-server

crypto ikev2 profile staff
 match certificate staff-certificate-map
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint router
 dpd 60 2 on-demand
 aaa authorization group cert list grouplist ap-staff
 virtual-template 1

no crypto ikev2 http-url cert

crypto ipsec transform-set tr-gsm256 esp-gcm 256
 mode tunnel

crypto ipsec profile staff
 set transform-set tr-gsm256
 set pfs group21
 set ikev2-profile staff

Replace GigabitEthernet0/0 below with whatever is your outside interface which has a public IPv4 address on it. If you are using the zone based firewall then make the below Virtual-Template belong to the "inside" zone. If you want the user to have Internet access while VPN'ed in then make this the inside NAT interface.

interface Virtual-Template1 type tunnel
 description Cisco AnyConnect IKEv2
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile staff

Take a break, you have now completed the main config on the router, and its time to move onto configuration relating to the client.

Client Related Configuration

This section needs to be repeated for each user you want to be able to VPN in.

We are going to generate the entire certificate on the IOS CA server for the client, and then export it as a chain (including the CA certificate) so we can import it in one step on the client.

Replace user@example.com with the email address of the person you are giving access to. It doesn't have to be an email address actually, but that is my preference.

crypto key generate rsa general modulus 4096 exportable label user@example.com

crypto pki trustpoint user@example.com
 enrollment url http://<ip address>:80
 serial-number none
 fqdn none
 ip-address none
 subject-name CN=user@example.com
 revocation-check none
 rsakeypair user@example.com
 auto-enroll
 hash sha512

We'll now install the CA certificate into new trustpoint for the user and request the certificate.

crypto pki authenticate user@example.com
crypto pki enroll user@example.com

The certificate server should now have a pending request.

do show crypto pki server ca-server requests

Once you can see the request number you can approve it.

do crypto pki server ca-server grant <request number>

Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:

do show crypto pki certificates user@example.com

Now we need to export the new certificate as a chain (including the CA certificate) to your TFTP server. Replace 1.1.1.1 with the IP address of your TFTP server. The password is used to encrypt the key and is needed when you import it on the client. The password is not used after that. I have now discovered another way of doing this and that is to export the certificate to a USB memory key. The first line below demonstrates the export to a TFTP server, and the second to a USB memory key plugged into the first USB slot on the router.

crypto pki export user@example.com pkcs12 tftp://1.1.1.1/user.pfx password <password>
crypto pki export user@example.com pkcs12 usbflash0:/user.pfx password <password>

Now copy this file to the end users machine. Double click on the user.pfx file. Enter the password and let the wizard automatically select the certificate store to put the certificates into. Allow it to import extended attributes, and allow it to mark the private key as exportable.

Now we have to delete the user key off the router! Sounds bizarre I know, but the user can not VPN while it still exists on the router.

crypto key zeroize rsa user@example.com
no crypto pki trustpoint user@example.com

Now install the AnyConnect client on the users computer, if it is not installed already. Then we need to create an XML profile for your router. Copy and paste the below profile into notepad. Replace "Company" with a nice name for the VPN entry as it appears in AnyConnect. I'm not sure if this field supports spaces, so I would avoid using spaces. Change vpn.example.com to the external DNS entry pointing to your router. It is likely to work if you put the routers outside public IPv4 address instead but I have not tested this.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">

 <ServerList>
  <HostEntry>
   <HostName>Company</HostName>
   <HostAddress>vpn.example.com</HostAddress>
   <PrimaryProtocol>IPsec
   <StandardAuthenticationOnly>true
    <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
   </StandardAuthenticationOnly>
   </PrimaryProtocol>
  </HostEntry>
 </ServerList>

</AnyConnectProfile>

Now save this file to %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ and call it something like "Company.xml" where Company is a short name for your company. If AnyConnect is already running you need to quit it and start it running again so that it reads the profile directory. With any luck your new profile will appear in the drop down box and you can click on "Connect" to connect to your router. You should then be able to ping internal hosts by their IP address.