IOS SSL VPN – tunnel mode

This configuration details how to set up an SSL VPN in ‘tunnel mode’ on a router running IOS v15.
Such a configuration could be implemented on a small to mid-size remote site utilising an ISR router.

Firstly install the AnyConnect package onto the router:

!
webvpn install svc flash:/anyconnect-linux-64-4.2.01035-k9.pkg sequence 1 
!

Confirm the package installation:

#sh webvpn install status svc  
SSLVPN Package SSL-VPN-Client version installed:
CISCO STC Linux_64
4.2.01035
Wed Dec 23 08:03:10 EST 2015

Next, enable AAA new-model, create an AAA authentication (authC) method list ‘WEBVPN_AUTHC’ that consults the local user database, and then create a local user account with minimal privileges (privilege level 0):

!

aaa new-model
!
aaa authentication login WEBVPN_AUTHC local
!
username seb privilege 0 secret 5 $1$/0rc$uHbejVQpJUmYXyVZewmM0.
!

Define an IP pool from which webVPN tunnel endpoints (the client-side addresses) will be allocated. This can share a subnet that is already used by the router (make sure there is no overlap with existing interfaces or DHCP scopes), or an entirely new private IP pool can be used. If you choose the latter, ensure that it is redistributed into any dynamic routing processes you are running, so that return traffic is sent to the router; this matters whenever the router is not the default gateway for the network.

!
ip local pool WEBVPN_POOL 10.83.98.1 10.83.98.63
!

Split tunnelling is configured to ensure that only traffic destined for subnets routed at the remote network is sent down the tunnel. I am including the WEBVPN_POOL and one ‘inside’ subnet that is routed by the router as the permit statements in the WEBVPN_ACL_SPLIT access list.

!
ip access-list standard WEBVPN_ACL_SPLIT
permit 10.83.30.0 0.0.0.255
permit 10.83.98.0 0.0.0.255
!

Now enable the webVPN gateway. Various elements can be configured under this section, crucially which interface and port will listen for incoming connections.

!
webvpn gateway WEBVPN_GATEWAY
ip interface FastEthernet0/1 port 443
ssl encryption aes-sha1
ssl trustpoint TP-self-signed-4044395249
inservice
!

The ‘webvpn context’ section brings together what has been configured so far, plus additional features.

!
webvpn context WEBVPN_CONTEXT
title "Sebs WEBVPN gateway"
aaa authentication list WEBVPN_AUTHC
gateway WEBVPN_GATEWAY
max-users 5
inservice
!

Within the context a group policy must also be configured. Note that ‘filter tunnel WEBVPN_ACL’ refers to an ACL defined inside the context (‘acl "WEBVPN_ACL"’), which appears in the full configuration below:

!
webvpn context WEBVPN_CONTEXT
 !
 policy group WEBVPN_POLICY
   functions svc-enabled
   functions svc-required
   filter tunnel WEBVPN_ACL
   svc address-pool "WEBVPN_POOL" netmask 255.255.255.192
   svc rekey method new-tunnel
   svc split include acl WEBVPN_ACL_SPLIT
 default-group-policy WEBVPN_POLICY
!


Full configuration below:

!
aaa new-model
!
aaa authentication login WEBVPN_AUTHC local
!
username seb privilege 0 secret 5 $1$/0rc$uHbejVQpJUmYXyVZewmM0.
!
ip local pool WEBVPN_POOL 10.83.98.1 10.83.98.63
!
!
ip access-list standard WEBVPN_ACL_SPLIT
 permit 10.83.30.0 0.0.0.255
 permit 10.83.98.0 0.0.0.255
!
!
webvpn gateway WEBVPN_GATEWAY
 ip interface FastEthernet0/1 port 443
 ssl encryption aes-sha1
 ssl trustpoint TP-self-signed-4044395249
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-linux-64-4.2.01035-k9.pkg sequence 1
 !
webvpn context WEBVPN_CONTEXT
 title "Sebs WEBVPN gateway"
 ssl encryption aes-sha1
 ssl authenticate verify all
 !
 acl "WEBVPN_ACL"
   permit ip 10.83.98.0 255.255.255.0 any
 !
 !
 policy group WEBVPN_POLICY
   functions svc-enabled
   functions svc-required
   filter tunnel WEBVPN_ACL
   svc address-pool "WEBVPN_POOL" netmask 255.255.255.192
   svc rekey method new-tunnel
   svc split include acl WEBVPN_ACL_SPLIT
 default-group-policy WEBVPN_POLICY
 aaa authentication list WEBVPN_AUTHC
 gateway WEBVPN_GATEWAY
 max-users 5
 inservice
!
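As an added example (not part of the original post), a small Python checker that parses the full configuration above and verifies the cross-references the walkthrough leaves implicit: the pool range fits its netmask, the split ACL includes the pool subnet, and the tunnel filter, AAA list and gateway named in the policy group actually exist. The embedded sample is condensed from this page's configuration; the names are the page's own.

```python
import ipaddress
import re

# Constructed sample: this page's full configuration, condensed to the lines parsed below.
SAMPLE_CONFIG = """\
aaa authentication login WEBVPN_AUTHC local
ip local pool WEBVPN_POOL 10.83.98.1 10.83.98.63
ip access-list standard WEBVPN_ACL_SPLIT
 permit 10.83.30.0 0.0.0.255
 permit 10.83.98.0 0.0.0.255
webvpn gateway WEBVPN_GATEWAY
webvpn context WEBVPN_CONTEXT
 acl "WEBVPN_ACL"
 policy group WEBVPN_POLICY
   filter tunnel WEBVPN_ACL
   svc address-pool "WEBVPN_POOL" netmask 255.255.255.192
   svc split include acl WEBVPN_ACL_SPLIT
 aaa authentication list WEBVPN_AUTHC
 gateway WEBVPN_GATEWAY
"""

def check_webvpn(config):
    # Returns a list of problems; an empty list means every cross-check passed.
    pools, acls, names, refs, cur = {}, {}, set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"ip access-list standard (\S+)", line):
            cur = m[1]
        elif m := re.match(r"permit (\S+) (\S+)$", line):   # standard ACE: address + wildcard
            acls.setdefault(cur, []).append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r'(?:acl "|aaa authentication login |webvpn gateway )([^"\s]+)', line):
            names.add(m[1])                                # objects a policy group may reference
        elif m := re.match(r'(filter tunnel|svc address-pool|svc split include acl|'
                           r'aaa authentication list|gateway) "?([^"\s]+)"?(?: netmask (\S+))?', line):
            refs[m[1]] = (m[2], m[3])
    problems = []
    pool, mask = refs["svc address-pool"]                  # KeyError if no pool is configured
    start, end = pools[pool]
    pool_net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    if end not in pool_net:                                # the netmask must cover the whole range
        problems.append(f"pool {pool} ends at {end}, outside {pool_net}")
    split = refs.get("svc split include acl", (None,))[0]  # pool subnet must be split-included
    if not any(e.supernet_of(pool_net) for e in acls.get(split, [])):
        problems.append(f"split ACL {split} does not include the pool subnet {pool_net}")
    for key in ("filter tunnel", "aaa authentication list", "gateway"):
        if (ref := refs.get(key, (None,))[0]) not in names:
            problems.append(f"{key} references undefined object {ref}")
    return problems
```

Dropping the context ACL line, as the walkthrough's policy-group snippet does, is reported as a dangling ‘filter tunnel’ reference.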


Reference: www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-15-mt-book/sec-conn-sslvpn-ssl-vpn.html
