
Client VPN using IKEv2 on ISR

nicholasacook
Level 1

I am looking to migrate our current Client VPN connection that is using IKEv1 in Aggressive Mode over to IKEv2.  We currently have the connection going through a 4000 series ISR.  Currently we have the router configured with the normal ISAKMP based configurations and it seems that I would need to change these over to the IKEv2 based configuration, similar to what I am using for my Site-to-Site connections. 

Currently we are using pre-shared keys and trying to figure out what is required to convert this connection over to IKEv2/IPSEC.  I have read from a few different sources that certificates might need to be involved for the connection and the example used the local router as the site's CA.  If we did this, we already have a Microsoft CA server that we could generate the certificates with.

Does anyone know of any documentation (I have been researching for almost 2 hours now) on the configuration on the Cisco 4000 series ISR so I can convert our client connection from IKEv1/ISAKMP to IKEv2/IPSec connections? 

3 Replies

According to the documentation, a certificate is still required on the router and client?

@nicholasacook For remote access VPN, you have to use a trusted certificate on the hub (local authentication). For the clients (remote authentication), you can either use certificates or EAP. When using EAP you can authenticate locally or to a RADIUS server, which can then utilise AD credentials.

Yes you can use your Microsoft CA for signing the certificates used by the hub and clients. This guide shows how to create a trustpoint and enrol for a certificate from a Microsoft CA.

I don't think there is a Remote Access VPN migration guide from IKEv1 to IKEv2, so you'd need to build fresh.

Examples: https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
https://integratingit.wordpress.com/2018/06/03/configuring-flexvpn-remote-access-vpn/
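
A sketch of the layout described in the reply above (hub authenticates with a certificate, clients authenticate with EAP relayed to RADIUS), added here as an example and not taken from the thread or from the linked guides. All names, addresses and the SCEP URL are placeholders, and it assumes the Microsoft CA exposes SCEP (NDES), the clients present an IPv4-address IKE identity, and the IOS XE smart-default IKEv2 proposal and IPsec transform set are acceptable.

```cisco
! Constructed example: every name, address and URL below is a placeholder.
aaa new-model
aaa authentication login FLEX-EAP group FLEX-RADIUS
aaa authorization network FLEX-AUTHZ local
!
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
aaa group server radius FLEX-RADIUS
 server name NPS1
!
! Hub identity certificate, enrolled with the Microsoft CA over SCEP (assumed)
crypto pki trustpoint MS-CA
 enrollment url http://ca.example.test/certsrv/mscep/mscep.dll
 subject-name cn=vpn.example.test
 fqdn vpn.example.test
 revocation-check crl
 rsakeypair FLEX-HUB 2048
!
ip local pool FLEX-POOL 10.99.0.10 10.99.0.250
!
! Attributes pushed to the client after EAP succeeds
crypto ikev2 authorization policy FLEX-AUTHZ
 pool FLEX-POOL
 dns 192.0.2.53
!
crypto ikev2 profile FLEX-RA
 ! Assumption: clients send an IPv4 address as IKE ID; adjust per client type
 match identity remote address 0.0.0.0
 identity local dn
 ! Local (hub) side proves itself with the certificate, no pre-shared key
 authentication local rsa-sig
 ! Remote (client) side authenticates with EAP, relayed to RADIUS
 authentication remote eap query-identity
 pki trustpoint MS-CA
 aaa authentication eap FLEX-EAP
 aaa authorization group eap list FLEX-AUTHZ FLEX-AUTHZ
 virtual-template 1
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-RA
!
interface Loopback1
 ip address 10.99.0.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

The clients need the issuing CA chain in their trust store so they can validate the hub certificate. `show crypto pki certificates` and `show crypto ikev2 sa detail` show whether enrollment and the negotiated authentication methods match what was intended.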