AnyConnect-EAP, also known as aggregate authentication, allows a FlexVPN server to authenticate the AnyConnect client using the Cisco proprietary AnyConnect-EAP method. FlexVPN is Cisco's solution to simplify VPN deployments and covers every VPN type except GETVPN: site-to-site, hub-and-spoke (including spoke-to-spoke traffic) and remote access. FlexVPN uses IKEv2 for all VPN types; IKEv2 is the successor of IKEv1 and, among other improvements, natively supports EAP for user authentication, which is what the remote access design below relies on.
| Date | Title |
|---|---|
| 2018-03-19 | SEC0266 - FlexVPN Redundancy with Dual Hub Single Cloud (Part 4) |
| 2018-03-19 | SEC0266 - FlexVPN Redundancy with Dual Hub Single Cloud (Part 3) |
| 2018-03-19 | SEC0266 - FlexVPN Redundancy with Dual Hub Single Cloud (Part 2) |
| 2018-03-19 | SEC0266 - FlexVPN Redundancy with Dual Hub Single Cloud (Part 1) |
| 2018-03-11 | SEC0265 - FlexVPN Redundancy with Dual Hub Dual Cloud (Part 3) |
| 2018-03-11 | SEC0265 - FlexVPN Redundancy with Dual Hub Dual Cloud (Part 2) |
| 2018-03-11 | SEC0265 - FlexVPN Redundancy with Dual Hub Dual Cloud (Part 1) |
| 2018-03-06 | SEC0264 - FlexVPN with FVRF and IVRF (Part 3) |
| 2018-03-06 | SEC0264 - FlexVPN with FVRF and IVRF (Part 2) |
| 2018-03-06 | SEC0264 - FlexVPN with FVRF and IVRF (Part 1) |
| 2018-02-26 | SEC0263 - FlexVPN Server with Local and External Authorization (Part 3) |
| 2018-02-26 | SEC0263 - FlexVPN Server with Local and External Authorization (Part 2) |
| 2018-02-26 | SEC0263 - FlexVPN Server with Local and External Authorization (Part 1) |
| 2018-02-26 | SEC0262 - FlexVPN Server with Windows IKEv2 Client (Part 2) |
| 2018-02-26 | SEC0262 - FlexVPN Server with Windows IKEv2 Client (Part 1) |
| 2018-02-19 | SEC0261 - FlexVPN Server with AnyConnect Client (Part 3) |
| 2018-02-19 | SEC0261 - FlexVPN Server with AnyConnect Client (Part 2) |
| 2018-02-19 | SEC0261 - FlexVPN Server with AnyConnect Client (Part 1) |
| 2018-02-11 | SEC0260 - FlexVPN Server with Router Client (Part 4) |
| 2018-02-11 | SEC0260 - FlexVPN Server with Router Client (Part 3) |
| 2018-02-11 | SEC0260 - FlexVPN Server with Router Client (Part 2) |
| 2018-02-11 | SEC0260 - FlexVPN Server with Router Client (Part 1) |
| 2018-02-04 | SEC0259 - FlexVPN L2L with Spoke-to-Spoke (Part 2) |
| 2018-02-04 | SEC0259 - FlexVPN L2L with Spoke-to-Spoke (Part 1) |
| 2018-02-04 | SEC0258 - FlexVPN L2L with dVTI and External PSK (Part 2) |
| 2018-02-04 | SEC0258 - FlexVPN L2L with dVTI and External PSK (Part 1) |
| 2018-01-29 | SEC0257 - FlexVPN L2L with Dynamic Virtual Tunnel Interface (DVTI) (Part 3) |
| 2018-01-29 | SEC0257 - FlexVPN L2L with Dynamic Virtual Tunnel Interface (DVTI) (Part 2) |
| 2018-01-29 | SEC0257 - FlexVPN L2L with Dynamic Virtual Tunnel Interface (DVTI) (Part 1) |
| 2018-01-21 | SEC0256 - FlexVPN L2L with Next Generation Encryption (Part 2) |
In addition to Site-to-Site VPNs, FlexVPN can also be used for Remote Access VPN, using the same familiar commands as the S2S configuration. Remote Access VPN can use certificate authentication (mutual certificate authentication between router and AnyConnect client), EAP (MD5/MSCHAPv2) or AnyConnect-EAP. Authentication and authorization can be performed by local AAA or by an external RADIUS server, which can authenticate users against an Active Directory domain and authorize them depending on AD group membership.
This post describes how to configure FlexVPN Remote Access VPN using aggregate authentication (double authentication): AD username/password plus client certificate authentication. The basics of configuring FlexVPN Hub-and-Spoke and certificate authentication are not repeated here; they have been described in previous posts:
FlexVPN Hub-and-Spoke
https://integratingit.wordpress.com/2016/07/10/configuring-cisco-flexvpn-hub-and-spoke/
FlexVPN with Certificate authentication
https://integratingit.wordpress.com/2017/08/26/configuring-cisco-flexvpn-with-certificate-authentication/

FlexVPN Certificate Enrolment (SCEP or Manual)
https://integratingit.wordpress.com/2017/08/26/cisco-ios-certificate-enrollment-via-scep/
AAA
AAA is configured with a RADIUS server group pointing at ISE and with authentication, authorization and accounting method lists named FLEX; the shared secret configured here must match the one entered for the hub as a Network Device in ISE, and the IKEv2 Profile references the FLEX method lists.
PKI Trustpoint
The router is configured with a Trustpoint which is subsequently authenticated and enrolled with a certificate issued by the corporate PKI CA; this is the same CA that issues certificates to the client users and computers.
This trustpoint is referenced in the IKEv2 Profile. Enrollment is performed by SCEP here, but manual enrollment works equally well.

IKEv2 Profile
Identity is matched on the remote key-id *$AnyConnectClient$*. This is the default IKE identity sent by AnyConnect; the value can be changed in the AnyConnect profile, in which case the match identity value in the IKEv2 Profile must be changed to match. Note that the key-id only selects which IKEv2 Profile the session lands in; it is not a secret and provides no authentication on its own, so the security of the design rests on the EAP and certificate checks that follow.
When EAP is used, local authentication is always rsa-sig, that is, the router authenticates itself with a certificate, which the client computer must trust.
In this scenario anyconnect-eap is used as the remote authentication method. The aggregate keyword authenticates the user by prompting for a username and password; appending cert-request additionally requests and validates the client user certificate, giving double authentication. If no certificate is presented, or the certificate is invalid, authentication fails.
AAA authentication and accounting reference the RADIUS method list called FLEX.

Implicit user authorization (aaa authorization user anyconnect-eap cached) uses the attributes cached from the RADIUS Access-Accept received during authentication, so no separate authorization request is sent to ISE.

The pki trustpoint command in the IKEv2 Profile references the previously defined trustpoint.
VPN IP Address Pool
A local IP address pool is defined on the hub. ISE returns the pool name in the ipsec:addr-pool attribute (VPN_POOL below), so the pool referenced by the Authorization Profile must exist on the router.
Routing
A static route for the VPN IP address pool is defined on the Hub router and redistributed into the routing protocol of choice so that internal networks can reach the remote access clients.
IPSec Transform Set and Profile
A standard IPsec transform set is defined and referenced in an IPsec profile, which in turn references the IKEv2 Profile.
Virtual-Template
A standard Virtual-Template of type tunnel is defined, with ip unnumbered pointing at a Loopback interface, the tunnel source, tunnel mode ipsec ipv4 and tunnel protection referencing the IPsec profile.
Once the Virtual-Template has been created it must be referenced in the IKEv2 Profile; a Virtual-Access interface is cloned from it for each client session.
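The hub-side configuration described in the sections above, written out in full as an added example. This is not the original post's configuration (which was shown in screenshots); the hostnames, interface names, addresses, key labels, the ISE address and the CA URL are assumed placeholders, while the method list name FLEX, the pool name VPN_POOL and the *$AnyConnectClient$* key-id are taken from the post.

```cisco
! --- AAA: RADIUS server group pointing at ISE; method lists named FLEX
! (ISE address, source interface and secret are assumed placeholders)
aaa new-model
radius server ISE-1
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 key ReplaceWithTheSecretEnteredInISE
aaa group server radius ISE
 server name ISE-1
ip radius source-interface GigabitEthernet0/0
aaa authentication login FLEX group ISE
aaa authorization network FLEX group ISE
aaa accounting network FLEX start-stop group ISE
!
! --- PKI: trustpoint enrolled via SCEP with the corporate CA that also
! issues the user certificates validated by cert-request
crypto pki trustpoint CORP-CA
 enrollment url http://ca.lab.local/certsrv/mscep/mscep.dll
 subject-name CN=flexhub.lab.local,O=Lab
 revocation-check crl
 rsakeypair FLEX-KEYS 2048
! then, from exec mode:
!   crypto pki authenticate CORP-CA
!   crypto pki enroll CORP-CA
!
! --- IKEv2 proposal/policy (explicit rather than the built-in default)
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19 14
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
! --- IKEv2 profile: AnyConnect-EAP aggregate auth plus client certificate
! The key-id match only selects this profile; it is not an authentication factor.
crypto ikev2 profile FLEX-RA
 match identity remote key-id *$AnyConnectClient$*
 identity local dn
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint CORP-CA
 aaa authentication anyconnect-eap FLEX
 aaa authorization user anyconnect-eap cached
 aaa accounting anyconnect-eap FLEX
 virtual-template 1
!
! --- Address pool; ISE returns its name in ipsec:addr-pool=VPN_POOL
ip local pool VPN_POOL 10.10.10.10 10.10.10.254
!
! --- IPsec transform set and profile
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-RA
!
! --- Virtual-Template cloned into a Virtual-Access interface per client
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! --- Summary route for the pool, to be redistributed by the IGP of choice
ip route 10.10.10.0 255.255.255.0 Null0
```

No crypto ikev2 authorization policy is configured because every per-session attribute (pool, DNS, netmask, routes, default domain) comes from the RADIUS Access-Accept and is reused through the cached user authorization. revocation-check crl assumes the CA's CRL distribution point is reachable from the hub; labs commonly relax this to none, which also disables the check on the client certificates, so keep it enabled in production.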
Network Devices and Groups
The FlexVPN Hub(s) must be defined in ISE as a NAD (Network Access Device) so that ISE will authenticate and authorize connections from the Hub; RADIUS requests from an unknown NAD IP address are dropped.
- Navigate to Administration > Network Device Groups
- Create a new group called FlexVPN_Router, nest this under All Device Types
- Navigate to Administration > Network Devices
- Create a new Network Device
- Add descriptive name for the Hub Router
- Add IP address
- Select Device Type as FlexVPN_Router
- Tick RADIUS Authentication Settings
- Specify the Shared Secret as specified in the AAA configuration on the Hub
- Click Save when complete
Authorization Profiles
The Authorization Profiles provide the VPN configuration to the client once it is authorized. Attributes such as the IP pool, DNS servers, netmask and default domain are sent dynamically as cisco-av-pair values and applied to the session.
- Navigate to Policy > Policy Elements > Authorization > Authorization Profiles
- Create new Authorization Profiles as per the table below
| Authorization Profile Name | Attribute Details |
|---|---|
| FlexVPN_Client | Access Type = ACCESS_ACCEPT; cisco-av-pair = ipsec:route-accept=any; cisco-av-pair = ipsec:route-set=interface; cisco-av-pair = ipsec:addr-pool=VPN_POOL; cisco-av-pair = ipsec:dns-servers=192.168.10.5; cisco-av-pair = ipsec:netmask=255.255.255.0 |
| Helpdesk_Users | Access Type = ACCESS_ACCEPT; cisco-av-pair = ipsec:default-domain=remotelab.local |
NOTE: the Authorization Profile Helpdesk_Users is not strictly necessary, as its attribute could be included in the other profile; it is used here to show that multiple Authorization Profiles can be returned for one session and applied successfully.
Policy Sets
- Navigate to Policy > Policy Set
- Define a new Policy Set with a descriptive name e.g. FlexVPN
- Specify the Condition: DEVICE:Device Type EQUALS All Device Types#FlexVPN_Router
- In the Authentication Policy, select the AD Join Point (LAB_AD) as the identity source
- Create a Authorization rule for Helpdesk Users
- Define the Condition: LAB_AD:ExternalGroups EQUALS lab.local/Company/Helpdesk Users
- Define the Profiles: FlexVPN_Client AND Helpdesk_Users
- Create a Authorization rule for Domain Users
- Define the Condition: LAB_AD:ExternalGroups EQUALS lab.local/Company/Domain Users
- Define the Profiles: FlexVPN_Client
AnyConnect Profile
An AnyConnect profile must be created in order to select IPsec as the protocol and AnyConnect-EAP as the authentication method. The profile can be named anything, but must be an XML file.
- Install the Cisco AnyConnect Profile Editor, select at least the VPN Profile Editor and DART
- Open the VPN Profile Editor
- Navigate to the Server List tab
- Click Add
- Enter an appropriate Display Name e.g AnyConnect EAP
- Enter the FQDN of the FlexVPN Hub
- Select Primary Protocol as IPSec
- Untick the box ASA Gateway
- Select Auth Method During IKE Negotiation as EAP-AnyConnect
- Click OK when complete
- Click File > Save as…
- Save the file with an appropriate name to the location C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
 
The IOS routers do not support AnyConnect XML profile downloads or AnyConnect package upgrades. By default AnyConnect tries to download the latest XML profile from the head-end after authentication, and when the FlexVPN Hub cannot serve it the connection fails. This download can be disabled in the local policy file, with the caveat that BypassDownloader also stops the client accepting profile and software updates from any other head-end (such as an ASA), so profiles must then be maintained on the endpoints by other means:
- Locate the AnyConnectLocalPolicy.xml file in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
- Change the BypassDownloader element value to true
- Save the file
- Restart the AnyConnect Client
- Open the Cisco AnyConnect Secure Mobility Client, you should now see the VPN connection with the display name specified in the Profile
For testing two separate AD accounts are used: user1 is a member of the LAB\Helpdesk Users group and user2 is only a member of LAB\Domain Users. The Windows computer used for testing has a user certificate and the Root CA certificate installed; this Root CA is the same CA that issued the certificate to the FlexVPN Hub, so both sides' certificates are trusted for authentication.
- On the FlexVPN Hub enable debugging – debug radius authentication
- From the client computer login as user1
From the output you can determine that the default IKE Key ID (isakmp-phase1-id) was used, the username logging in and the RADIUS av-pairs received in the Access-Accept. Notice that default-domain remotelab.local was sent: user1 is a member of the Helpdesk Users AD group, for which the Helpdesk_Users Authorization Profile specifies a different default domain.
From ipconfig /all on the client workstation, we can confirm that the VPN session received the DNS suffix remotelab.local, the correct DNS server and an IP address from VPN_POOL.
- Logoff user1 and login as user2
Notice in the debug for user2 login that the RADIUS server did not send a default-domain av-pair for this session.
This can be confirmed with ipconfig /all on the Windows client: there is no DNS suffix, unlike for user1. This is because user2 is only a member of the LAB\Domain Users AD group and the Authorization Profile matched for that group does not specify a default domain.
Checking the ISE Logs you can see that when user2 logged in, that user matched the Authorization rule FlexVPN >> Domain Users and only the FlexVPN_Client Authorization Profile was configured, unlike user1 which matched the FlexVPN >> Helpdesk Users rule and received the FlexVPN_Client and Helpdesk_Users Authorization Profile attributes.
- On the FlexVPN Hub router, use the command show crypto ikev2 sa detail
From the output you can determine the client's source public IP address, the local ID (the FlexVPN Hub router certificate DN), the remote ID (the default AnyConnect IKE identity), the remote EAP ID (the username) and the assigned host IP address (from the pool VPN_POOL). You can also determine the encryption, integrity, PRF, DH group and authentication methods negotiated; with double authentication the remote authentication method shows as AnyConnect-EAP alongside the client certificate.
FlexVPN Aggregate Authentication
