IKEv2/IPSec Client to Site VPN Configuration | Cisco IOS | Cisco AnyConnect 

Robert Mayer
7K views
Published: 12 Sep 2024

Comments: 36
@norbertt.t6444 2 months ago
This is the best video ever on IKEv2 over the whole internet. I searched for this everywhere to no luck, and suddenly I found you. You are a great teacher. Your explanations are clear, simple and concise, with no rush to finish the recording as some people do over the internet and RU-vid. Thanks a lot for sharing your knowledge. I am now subscribed and will follow you from now on.
@RMTechCentral 2 months ago
Wow, thank you so much! You're part of the reason I continue to do what I do, and I really appreciate it. Thank you!
@norbertt.t6444 2 months ago
@RMTechCentral Do you by any chance have a similar video with the ASA?
@gordonfreeman1894 2 years ago
Hi Robert. Great guide! Easy to follow! One question: is it possible to get SSLVPN functionality on this existing configuration (or the IPSEC VPN tunnel configuration from your other video)? If so, could you point me where to dig? There are many videos/guides on YouTube about configuring a certain type of VPN, but no videos about configuring a combination of VPN technologies, i.e. SSLVPN + IPSec tunnel, etc.
@alexandermarohnic7563 9 months ago
Unfortunately I don't have a link for that kind of guide, but I also read recently that the NSA recommends only using IKEv2 for remote access VPNs as TLS RA VPNs have been found to have some vulnerabilities.
@Dutch_Prepper 2 months ago
Would like to see this plain and simple: upgrade from L2TP/IPSEC PSK to IKEV2/IPSEC PSK (Pre Shared Key), no certificates, no software needed (AnyConnect). Just the VPN, and connect with stock Android or Windows.
@ezekielkpogo1450 2 years ago
You are good, bro
@saifali2768 1 year ago
Hi Robert, thank you so much! This is exactly what I needed and it's working perfectly on a Windows machine. It didn't work on macOS and iPhone, though. Any suggestions?
@ravenmoh26 2 years ago
Great video, love it. Very good educational material. But are you sure that local authentication doesn't work, and split tunnel? I also have IKEv2 configured on IOS 15.X + AnyConnect client, and both local auth is working and routes for split tunnel specified in an access list. In addition I configured authentication with a Radius server for domain users. Everything is working fine.
@RMTechCentral 2 years ago
Thank you for your comment! What specific version of IOS 15.x are you running? I tried multiple versions and I was only able to get local authentication working on IOS-XE (not sure about split tunnel). I don't have any doubts that Radius works, however authentication using that local user database on the router itself would not work no matter what I tried. Could you possibly share a working config along with the IOS version? I would really appreciate it!
@ravenmoh26 2 years ago
@RMTechCentral Sorry for my late answer. This case is very interesting, because I tried to reproduce this local auth issue and I was very surprised: after I set up IKEv2 (FlexVPN) on an ISR 2951 with IOS 15.5-3.M9, and after that the newest one, 15.7-3.M8, local auth indeed doesn't work. You were right, but... I have an ISR 3945 in a production environment, and with the same config local authentication works fine. The question is why? I don't know at the moment, but I will investigate it in the coming days. I have some ideas, but I cannot confirm them at the moment. The first idea is that I have also configured webvpn (SSL VPN) on the production router, but it is disabled now because it supports only TLS 1.0 on ISR routers, so it had to be changed to FlexVPN. So maybe there is some relation between logging in on the SSL portal on the router (local auth) to download the AnyConnect client app and after that trying to log in via IPSec (IKEv2), and local auth starts to work also. I don't know, it's crazy, I know. The second idea is that the 2900 series IOS has a bug which is not present on 3900 series routers. Unfortunately, on the ISR 2951 I have only 256MB of flash and I can't install webvpn to prove my theory, but I will purchase a larger flash card and I will check it.
@ravenmoh26 2 years ago
I've tried to set up local auth on the ISR 2951. I've been trying all day, but without success. With the same config on the 3945 everything is working. I think it's a bug in IOS. Unfortunately I don't have a second 3900 router, so I cannot confirm this.
@oscart9646 2 years ago
Hiii! Thank you so much! Great video. I only have one doubt: how can I configure the interesting traffic in this config? I did not understand that :C
@gosuLTU 1 month ago
Hi, thank you so much. Question: is it possible, instead of ip local pool VPNPOOL, to assign static IPs to hosts/clients? For example, Host1 static IP 10.0.0.1, Host2 static IP 10.0.0.2, etc. (Video 19:35)
@RMTechCentral 1 month ago
That's a good question, and I'll be honest with you, I actually don't know. But I'll definitely try to find out!
@maziardamavandi4159 1 year ago
Hi, I'm going to configure IKEv2/IPSec Client to Site VPN with a pre-shared key (PSK), not with a certificate. How can I do it? Thanks for your training.
@maziardamavandi4159 1 year ago
Why don't you answer me?!!!
@RMTechCentral 1 year ago
I’ve been quite busy lately. Anyway, I’m not sure how to do this on an ISR off the top of my head, but if this is something you still need help with I can lab something up as soon as I’m able to, and get back to you with a config.
@maziardamavandi4159 1 year ago
@RMTechCentral Yes, please do a sample configuration on an ISR 2921 router as soon as possible. Thank you very much indeed.
@maziardamavandi4159 1 year ago
@RMTechCentral Hi, I'm still waiting for your reply. Did you finally configure IKEv2/IPSec Client to Site VPN on the 2921 router with PSK instead of a certificate? I need that. Thanks a lot.
@Dutch_Prepper 1 month ago
@RMTechCentral With Android dropping support for L2TP, you would get instant world fame for being the first one to show how to do IKEV2/PSK with native clients.
@Dutch_Prepper 1 month ago
Will this work with the native clients built into Windows/Android/Apple? I can't/don't/won't use ANY client apps that will disappear or be unusable in the near future. Like that AnyConnect junk. Isn't there a way to use PSK (Pre-Shared Key) instead of certificates? That overcomplicates things massively. IKEV2/PSK is the industry standard, mostly.
@RMTechCentral 1 month ago
Was it you that sent me an email about this?
@zwrickerltd4556 1 year ago
Hello Robert. Due to a change of owner, if the password is changed like “username admin secret newpassword”, then this will not affect the certificates for the VPN connection via AnyConnect? Just log in under the new password of the current user and everything should work as before? Regards to you and your work.
@AsterPBX 11 months ago
Any way to connect to this Cisco IKE-RSA VPN with two clicks in Windows 10 or Windows 11 using IKEv2 VPN connection?
@romansubbotin5175 2 years ago
Dear Robert! Thank you so much for your effort. Great work; I managed to set up the configuration on my ISR C1100. I have a few questions. When I am already connected with the AnyConnect client, the internet doesn't work on my laptop. How do I fix this? How do I allow multiple user connections to the VPN network? Right now, with my config, another user connecting disconnects the already connected user. Thx.
@romansubbotin5175 2 years ago
I solved the internet connection issue :) But how do I do multiple connections?
@RMTechCentral 2 years ago
Hi Roman. Glad to hear you got the internet connection issue figured out. As far as connecting multiple users... are you creating individual certificates for each user or using the same one? I had this issue as well at first; it turned out that using the same cert would disconnect the current session. Individual certs seem to be the way to go. Give that a try and let me know how it goes. Also, thanks so much for your feedback!
@romansubbotin5175 2 years ago
@RMTechCentral Hi Robert! I supposed as much and issued more certificates, and in this case multiple connections are available. Many thanks!
@romansubbotin5175 2 years ago
Hi Robert! I have another issue. Some laptops cannot connect, with the error 'The ipsec vpn connection was terminated due to an authentication failure or timeout'. Maybe you know what is going on? I've removed the certificates, reinstalled AnyConnect, reinstalled the OS, and nothing. Another laptop at the same office connects fine. I tried to use this certificate on my own laptop and the connection was fine. And it's the same situation at another office. Please help. Thank you.
@radiostreaming983 2 years ago
Hello, I liked your video. I did the steps as you mentioned, but it doesn't work for me; I can't connect to my Cisco 880. I would like to use this equipment as a VPN server for my LAN. I've spent a lot of time on it, but I can't see the problem, and I would like you to help me. I have the router inside my LAN; I think I can test locally whether it works or not by trying to connect directly from my laptop to the router, but I can't even connect. It only returns problems. Is there something I need? I did the procedure as you describe it in the video without any problem. I would appreciate a hint so I can get that equipment working to connect from outside to my local network.
@RMTechCentral 2 years ago
Hello, sometimes this stuff can be a little bit tricky to get working, but I am glad to help you the best I can... To start, what is the error message that AnyConnect gives when it fails to connect? Also do you have any sort of stateful packet inspection device upstream of this router, such as a firewall? Sometimes it boils down to a misconfiguration on the router itself but could be AnyConnect settings as well. Also, if you would like to share your config, I could look over it to see if everything looks right. If you want to send the config file or a copy and paste of it, my email is rmayer0428@gmail.com.
@radiostreaming983 2 years ago
@RMTechCentral Thank you for answering. I already sent my concern to your email; I hope you can guide me on where to look for my problem.
@mk25 2 years ago
Hello, can anyone share the AnyConnect profile? The LINK is not working.
@RMTechCentral 2 years ago
I fixed the link for you. Very sorry about that!
@benyicl92 1 year ago
30:41