10-20-2017 05:35 AM - edited 03-12-2019 04:38 AM
There is a Cisco ASR1001 router with FlexVPN IKEv2 remote access server configured:
aaa authentication login VPN-IKEv2 group FreeRADIUS
!
crypto ikev2 profile VPN-IKEv2
 match identity remote address 0.0.0.0
 identity local fqdn vpn.domain.local
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint VPN-CA
 aaa authentication eap VPN-IKEv2
 aaa authorization user eap cached
 aaa accounting eap VPN-IKEv2
 virtual-template 1
!
crypto ipsec transform-set VPN-IKEv2 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VPN-IKEv2
 set transform-set VPN-IKEv2
 set ikev2-profile VPN-IKEv2
!
interface Virtual-Template1 type tunnel
 vrf forwarding WAN
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IKEv2
!
FreeRADIUS configuration:
vpn_user Cleartext-Password := "vpn_password"
        Cisco-AVPair = "ipsec:dns-servers=x.x.x.x y.y.y.y",
        Framed-IP-Address = "10.10.0.10"
When a user connects, all of their traffic gets encrypted and sent over the IPsec tunnel because of the local traffic selector 0.0.0.0/0:

asr1001#show crypto ikev2 session
 IPv4 Crypto IKEv2 Session

Session-id:58, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         x.x.x.x/4500          y.y.y.y/44910         none/WAN             READY
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/7 sec
Child sa:  local selector  0.0.0.0/0 - 255.255.255.255/65535
           remote selector 10.10.0.10/0 - 10.10.0.10/65535
           ESP spi in/out: 0xF48211CB/0xDA881E9B

Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1
On Windows it can be fixed by clearing the check-box "Use default gateway on remote network", but there is no such check-box on GNOME/Linux or Android, and Apple devices cannot connect at all.
Is it possible to configure a traffic selector of 10.0.0.0/8 instead of 0.0.0.0/0?
10-20-2017 09:19 AM
How about configuring a local authorisation policy to push down the routes to the client?
10-20-2017 11:51 AM
10-20-2017 12:01 PM - edited 10-20-2017 12:02 PM
Yes, you can use that command. I use the commands below successfully on my router (although it is not exactly the same configuration as yours, I see no reason why it would not work with some tweaks).

crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group cert list default IKEV2_AUTHZ
!
crypto ikev2 authorization policy IKEV2_AUTHZ
 route set remote ipv4 192.168.10.0 255.255.255.0
 route set remote ipv4 192.168.11.0 255.255.255.0
10-21-2017 02:20 AM
Curiously, I have the option local instead of remote:

asr1001(config)#crypto ikev2 authorization policy VPN-IKEv2
asr1001(config-ikev2-author-policy)#route set ?
  access-list  Specify the route access-list
  interface    Specify the route interface
  local        Specify route set local parameters
asr1001(config-ikev2-author-policy)#

And with the following configuration I could not connect at all:

crypto ikev2 authorization policy VPN-IKEv2
 route set local ipv4 10.0.0.0 255.0.0.0
!
crypto ikev2 profile VPN-IKEv2
 ...
 aaa authentication eap VPN-IKEv2
 aaa authorization user eap cached
 aaa authorization user eap list VPN-IKEv2
 ...
10-21-2017 04:17 AM
You should be able to use either "route set access-list" or "route set remote" commands to push down routes to a client. What version of firmware does your ASR1K currently use? I've checked my ISR1921 and CSR1000v and the "route set remote" command is available on both.
10-21-2017 04:50 AM
IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)
Cisco ASR1001, License Level: adventerprise
10-21-2017 05:05 AM
As you have the option to use an access-list, have you tried that?
I notice you aren't running the latest firmware version. Can you upgrade and see if the option for remote is then available? These commands are working on the images I use, but I am running the latest firmware version there.
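As an added example, not taken from any post in this thread, here is one way to wire up the access-list form of route set that the OP's 15.3(2)S1 image does offer, so that the 10.0.0.0/8 prefix is handed to the client in the IKEv2 configuration exchange rather than trying route set local. The policy, profile, trustpoint and AAA list names are the OP's; the ACL name VPN-ROUTES, the aaa authorization network default local line and the group authorization line in the profile are assumptions added for this example.

```cisco
! Standard ACL listing the prefixes the VPN should carry (name VPN-ROUTES is assumed)
ip access-list standard VPN-ROUTES
 permit 10.0.0.0 0.255.255.255
!
! Local lookups for the IKEv2 group authorization below (assumed; the OP's
! VPN-IKEv2 AAA list is a login/authentication list pointing at FreeRADIUS)
aaa authorization network default local
!
! The OP's policy, using route set access-list instead of route set local
crypto ikev2 authorization policy VPN-IKEv2
 route set access-list VPN-ROUTES
!
crypto ikev2 profile VPN-IKEv2
 match identity remote address 0.0.0.0
 identity local fqdn vpn.domain.local
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint VPN-CA
 aaa authentication eap VPN-IKEv2
 ! per-user attributes (Framed-IP-Address, dns-servers) still come from FreeRADIUS
 aaa authorization user eap cached
 ! group authorization: resolve the local policy named VPN-IKEv2 through the
 ! default network authorization list (assumed line, same form as the
 ! "aaa authorization group cert list default ..." example earlier in the thread)
 aaa authorization group eap list default VPN-IKEv2
 aaa accounting eap VPN-IKEv2
 virtual-template 1
!
```

Two caveats a practitioner should check rather than assume. First, the virtual-template uses tunnel mode ipsec ipv4, a route-based VTI, so the router itself still negotiates the any/any child SA seen in the OP's show crypto ikev2 session output; the prefix is delivered to the client in the configuration payload, and it is the client that decides whether to install it as a route and send only matching traffic into the tunnel. Second, which native clients honour that payload varies, so test each platform (Windows, GNOME/Linux, Android, Apple) after the change instead of trusting the router-side output alone.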