Cisco/FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt

R1(config)#int loopback 1
R1(config-if)#ip add 1.1.1.1 255.255.255.0

R1(config)#ip http server 

R1(config)#crypto pki server R1CA
R1(cs-server)#issuer-name cn="R1CA"
R1(cs-server)#grant auto
R1(cs-server)#no shutdown

R1(config)#ip domain name CONTOSO.COM
R1(config)#crypto pki trustpoint R1CLIENT
R1(ca-trustpoint)#enrollment url http://192.168.1.1
R1(ca-trustpoint)#subject-name cn=R1CLIENT.CONTOSO.COM
R1(config)#crypto pki authenticate R1CLIENT
R1(config)#crypto pki enroll R1CLIENT


R1(config)#aaa new-model

R1(config)#aaa authentication login AAA_AUTHENTICATION_LOGIN local
R1(config)#aaa authorization network AAA_AUTHORIZATION_NETWORK local 

R1(config)#username test password mojehaslo

R1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
R1(config-ikev2-author-policy)#pool VPN_POOL
R1(config-ikev2-author-policy)#def-domain CONTOSO.COM
R1(config-ikev2-author-policy)#route set remote ipv4 1.1.1.1 255.255.255.255
R1(config-ikev2-author-policy)#dns 1.1.1.1
R1(config)#ip local pool VPN_POOL 192.168.10.5 192.168.10.10

	
R1(config)#crypto ikev2 proposal IKEV2_PROPOSAL 
R1(config-ikev2-proposal)#encryption aes-cbc-256
R1(config-ikev2-proposal)#integrity sha256
R1(config-ikev2-proposal)#group 14
	
R1(config)#crypto ikev2 policy default
R1(config-ikev2-policy)#proposal IKEV2_PROPOSAL

R1(config)#crypto ikev2 profile IKEV2_PROFILE
R1(config-ikev2-profile)#match identity remote key-id *$AnyConnectClient$*
R1(config-ikev2-profile)#authentication local rsa-sig
R1(config-ikev2-profile)#authentication remote anyconnect-eap aggregate
R1(config-ikev2-profile)#pki trustpoint R1-CLIENT
R1(config-ikev2-profile)#aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
R1(config-ikev2-profile)#aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
R1(config-ikev2-profile)#virtual-template 1

R1(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac      
R1(cfg-crypto-trans)#mode tunnel

R1(config)#crypto ipsec profile IKEV2_PROFILE
R1(ipsec-profile)#set transform-set TRANSFORM_SET
R1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE

R1(config)#interface Virtual-Template1 type tunnel
R1(config-if)#ip unnumbered Loopback0
R1(config-if)#ip mtu 1400
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IKEV2_PROFILE
. 2022-03-29 08:28:36 +02:00			`R1(config)#int loopback 1`
			`R1(config-if)#ip add 1.1.1.1 255.255.255.0`

. 2022-03-28 19:53:08 +02:00			`R1(config)#ip http server`

			`R1(config)#crypto pki server R1CA`
			`R1(cs-server)#issuer-name cn="R1CA"`
			`R1(cs-server)#grant auto`
			`R1(cs-server)#no shutdown`

. 2022-03-29 08:28:36 +02:00			`R1(config)#ip domain name CONTOSO.COM`
. 2022-03-28 19:53:08 +02:00			`R1(config)#crypto pki trustpoint R1CLIENT`
			`R1(ca-trustpoint)#enrollment url http://192.168.1.1`
			`R1(ca-trustpoint)#subject-name cn=R1CLIENT.CONTOSO.COM`
			`R1(config)#crypto pki authenticate R1CLIENT`
			`R1(config)#crypto pki enroll R1CLIENT`


			`R1(config)#aaa new-model`

			`R1(config)#aaa authentication login AAA_AUTHENTICATION_LOGIN local`
			`R1(config)#aaa authorization network AAA_AUTHORIZATION_NETWORK local`

			`R1(config)#username test password mojehaslo`

			`R1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY`
			`R1(config-ikev2-author-policy)#pool VPN_POOL`
			`R1(config-ikev2-author-policy)#def-domain CONTOSO.COM`
			`R1(config-ikev2-author-policy)#route set remote ipv4 1.1.1.1 255.255.255.255`
			`R1(config-ikev2-author-policy)#dns 1.1.1.1`
			`R1(config)#ip local pool VPN_POOL 192.168.10.5 192.168.10.10`


			`R1(config)#crypto ikev2 proposal IKEV2_PROPOSAL`
			`R1(config-ikev2-proposal)#encryption aes-cbc-256`
			`R1(config-ikev2-proposal)#integrity sha256`
			`R1(config-ikev2-proposal)#group 14`

			`R1(config)#crypto ikev2 policy default`
			`R1(config-ikev2-policy)#proposal IKEV2_PROPOSAL`

			`R1(config)#crypto ikev2 profile IKEV2_PROFILE`
			`R1(config-ikev2-profile)#match identity remote key-id $AnyConnectClient$`
			`R1(config-ikev2-profile)#authentication local rsa-sig`
			`R1(config-ikev2-profile)#authentication remote anyconnect-eap aggregate`
			`R1(config-ikev2-profile)#pki trustpoint R1-CLIENT`
			`R1(config-ikev2-profile)#aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN`
			`R1(config-ikev2-profile)#aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY`
			`R1(config-ikev2-profile)#virtual-template 1`

			`R1(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac`
			`R1(cfg-crypto-trans)#mode tunnel`

			`R1(config)#crypto ipsec profile IKEV2_PROFILE`
			`R1(ipsec-profile)#set transform-set TRANSFORM_SET`
			`R1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE`

			`R1(config)#interface Virtual-Template1 type tunnel`
			`R1(config-if)#ip unnumbered Loopback0`
			`R1(config-if)#ip mtu 1400`
			`R1(config-if)#tunnel mode ipsec ipv4`
			`R1(config-if)#tunnel protection ipsec profile IKEV2_PROFILE`