Quick config: SSL VPN on Cisco IOS via CLI

Platform: CISCO2921, IOS version: 15.3(3)M5

Copy the AnyConnect package to the router's flash and install it as the SSL VPN client package (be patient, this may take a while):

crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.1.04011-k9.pkg sequence 1

SSLVPN Package SSL-VPN-Client (seq:1): installed successfully

Create a virtual template; this is the interface the VPN clients will attach to:

interface Virtual-Template1
  ip address 172.31.255.254 255.255.255.0

Create a local pool to assign IP addresses to VPN clients:

ip local pool SSLVPN_POOL 172.31.255.1 172.31.255.100

Enable https on the router:

ip http secure-server

Get the name of the trustpoint whose certificate the gateway will present:

sh run | i crypto.*trustpoint

In this example we use local authentication for VPN clients:

aaa authentication login default local

Now configure webvpn. Custom names are in UPPERCASE:

webvpn gateway GATEWAY_NAME
 ! PUBLIC IP ADDRESS OF THE VPN GATEWAY
 ip address X.X.X.X port 443
 http-redirect port 80
 ssl trustpoint TRUSTPOINT_NAME
 inservice
 !
webvpn context SSLVPN
 virtual-template 1
 aaa authentication list default
 gateway GATEWAY_NAME
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN_GRP
   functions svc-enabled
   functions svc-required
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
   ! LOCAL NETWORK TO INCLUDE IN SPLIT TUNNEL
   svc split include 10.153.0.0 255.255.224.0
 default-group-policy SSLVPN_GRP
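As an added sanity check that is not part of the original post, this Python script parses the pieces configured above and verifies they fit together: the local pool lies inside the Virtual-Template subnet, the svc netmask matches the template mask, default-group-policy names a defined policy group, and the context's gateway is defined and carries an ssl trustpoint. It assumes the config is available as pasted text; the sample is constructed from this post with a documentation address in place of X.X.X.X.

```python
import ipaddress
import re
# Constructed sample from this post; X.X.X.X replaced by a documentation address.
SAMPLE_CONFIG = """
interface Virtual-Template1
  ip address 172.31.255.254 255.255.255.0
ip local pool SSLVPN_POOL 172.31.255.1 172.31.255.100
webvpn gateway GATEWAY_NAME
 ip address 192.0.2.1 port 443
 ssl trustpoint TRUSTPOINT_NAME
 inservice
webvpn context SSLVPN
 virtual-template 1
 gateway GATEWAY_NAME
 ssl authenticate verify all
 inservice
 policy group SSLVPN_GRP
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
   svc split include 10.153.0.0 255.255.224.0
 default-group-policy SSLVPN_GRP
"""

def grab(pattern, text):
    # Capture groups of the first line-anchored match, or None if absent.
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None

def check_sslvpn_config(config):
    """Return a list of findings; an empty list means the pieces fit together."""
    text = "\n".join(line.strip() for line in config.splitlines())
    findings = []
    vt = grab(r"^interface Virtual-Template\d+\nip address (\S+) (\S+)", text)
    pool = grab(r"^ip local pool \S+ (\S+) (\S+)", text)
    svc = grab(r'^svc address-pool "?[^"\s]+"? netmask (\S+)', text)
    if not (vt and pool and svc):
        return ["virtual-template address, ip local pool or svc address-pool missing"]
    subnet = ipaddress.ip_network(f"{vt[0]}/{vt[1]}", strict=False)
    for edge in pool:  # both ends of the pool must sit in the template subnet
        if ipaddress.ip_address(edge) not in subnet:
            findings.append(f"pool address {edge} outside Virtual-Template subnet {subnet}")
    if svc[0] != vt[1]:
        findings.append(f"svc netmask {svc[0]} differs from Virtual-Template mask {vt[1]}")
    groups = set(re.findall(r"^policy group (\S+)", text, re.M))
    default = grab(r"^default-group-policy (\S+)", text)
    if not default or default[0] not in groups:
        findings.append("default-group-policy does not name a defined policy group")
    gw_used, gw_def = grab(r"^gateway (\S+)", text), grab(r"^webvpn gateway (\S+)", text)
    if not (gw_used and gw_def and gw_used[0] == gw_def[0] and grab(r"^ssl trustpoint (\S+)", text)):
        findings.append("context gateway must name a defined gateway that has an ssl trustpoint")
    return findings
```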

Now connect the VPN client (the original post shows screenshots of the client's Statistics and Route Details panes).

What we see on the router:

show webvpn session context all

Enjoy.
