IKEv2/IPSec Client to Site VPN Configuration | Cisco IOS | Cisco AnyConnect

Captions
hey everyone welcome back to the channel my name is rob and in today's video i'm going to show you how to configure an ike version 2 ipsec client-to-site vpn where we're going to be using anyconnect to connect to the vpn when we're done with this to test to make sure that it works this is on cisco ios not ios xe not asa uh plain old vanilla cisco ios i'm actually going to be using this cisco 2921 isr generation 2 router behind me and with that being said there are two things that i wanted to mention before i proceed with the video the first thing is local authentication doesn't work it does on cisco ios xe but again we're just using plain old vanilla cisco ios that means that we have to use certificates there is no other way and i'm going to walk you through configuring the router to be a certificate authority as well as issuing all of the certificates that you need to to make sure that this works number two is the fact that split acl doesn't work so that access control list that you would normally create to define the interesting traffic that you want to traverse the vpn tunnel that doesn't work it's not taken into consideration uh when this is configured on cisco ios so everything goes to the tunnel even uh internet traffic so if you're okay with uh those two things then uh stay tuned and i'm going to show you how to get everything configured [Music] i'm currently sitting on the console of the router that we'll be configuring so we need to give this router network connectivity and this part obviously is going to be different for you depending on how your network is set up in your ip addressing or your provider or whatever you have going on so for me this is just this router is plugged into my network and it is on the 10 0 0 0 24 subnet so i know that i can give it an ip address of 10 0 actually what am i talking about it's not on the 10 0 0 0 subnet it's on the 10 0 20 0 24 subnet knowing that i know that i can safely give it a static ip of 10 0 2200 because i 
know that ip address is not in use and i should be able to ping the gateway which is 10-0-21 and there is success i'm also going to stick ipna outside on here because i'm going to test this with nat when we're done once once i vpn in to test this to make sure that everything works i'm going to make sure that we have internet through the vpn tunnel as well so we have do show run gig zero zero we just have the ip address on there and then ipnet outside and we need a default route ip route quad zero quad zero 10 0 20 not one so now let me make sure i have internet so i'll just try to ping 8.8.8.8 and we have a reply now that that is out of the way we can get into the stuff that is uh pertains more to the ike version 2 configuration and that would involve making sure the time is correct we need the time to be correct because we are using certificates and the date and time has to be spot on so i will say first i'm going to give this a domain name i'm going to say that the domain is cisco.lab then i'm going to tell it that we want to use a name server and the name server will be 8.8.8.8 make sure that works do ping google.com get a reply now what i can do is is say ntp server ip one dot actually you know what if i just go to pool.ntp.org and it resolved the domain and if i say do show ntp status clock is synchronized do show clock so we have the the clock synchronized don't forget that you're using certificates the clock in the time and date has to be synchronized so far we have we've configured a hostname configured that interface for network connectivity and then we configured the domain name the name servers that way we could resolve the the network time protocol servers and then made sure that the clock was synchronized moving on and from this point forward everything i do is going to pertain 100 to the ike version 2 configuration so we want to enable the aaa new model so that way we can say uh aaa authorization network and we will name it because this is something 
that we're going to be referencing later in the ike version 2 policy we just want to create a name so that way we can tell it to look for this locally so we'll say aaa authorization network ike version 2 underscore group z now you can name this whatever you want uh this is just what i have here for this example then we want to say local so when we reference this later in the like version 2 policy it will know that ike v2 underscore group underscore auth z will be looking locally next we want to enable the http server by issuing the ip http server command the reason for this is because we are going to be making this router a certificate authority basically when we create a trust point to say that hey we trust this certificate authority and then we want to enroll and be issued a certificate we're going to use http so we're going to be doing this on the router itself but using an ip address on one of the interfaces which we'll just use gig00 since we've already configured that and that will be the enrollment url you'll see what i'm talking about here in a second but in order for this to work we do need to have the http server enabled and running and next we need to generate our first rsa key pair so we'll say crypto key [Music] generate rsa general keys modulus we'll go with uh 2048 bit keys if this is production you might want to go with a little bit more than that you want to make it exportable and we are going to label it the same name that we are going to name the ca so right after this i'm going to start the configuration for the certificate authority and i'm going to name that vpn ca so knowing that in advance i'm going to put a label on this as vpn underscore ca should just take a moment okay now we're going to move on to the ca configuration and this is optional you can make a directory if you go mk dir and say you wanted it to be flash and then the directory ca i'll just go ahead i'll just go ahead and do it uh just just to show you what's going on here so we 
can essentially designate a directory for the ca certificates and files and i'm going to oh it already exists so i must have already done this when i was testing things before and it does it was cd ca okay nothing in there so that's good so you can create a directory and then in this next step which i'm moving on to right now configuring the ca you can define that so the next step would be crypto pki server and then the name of the certificate authority i'm going to say that it is vpn ca so i knew that in advance which is why this label i also made vpn ca okay then we want to say what this is going to be used for so we'll say eku server auth client off there's a bunch of stuff you can configure under here this is if i haven't mentioned it already this is just a very bare bones configuration just to get you up and running with ike version two by the way so the uh you can configure the lifetime and which i highly recommend that you do depending on what's going on with your infrastructure and your personal preferences but i'm not going to configure all of that again just the bare minimum just to get this working now one thing that i will say to make this easy is grant auto otherwise we'll when we enroll when we go to enroll for the certificate that will essentially identify the server when we go to connect to this vpn we'll have to go look and look at the certificate request and then manually grant it if we put grant auto under the ca configuration it'll just automatically grant it when we go to enroll and like i was saying with that database url when we created the ca directory we can say database url flash ca now if you don't do this it will be the default so you don't have to do this you don't have to create a directory you don't have to direct it to another location if you don't want to it makes it a little bit cleaner this way but it's not mandatory now important thing is no shot just like an interface we want to say no shot and this will start the certificate 
authority it's going to ask us for a password to protect the keys and i'm just going to put a very simple password of password and it says certificate server enabled you see that right here and all should be good with the certificate authority configuration next we're going to be creating a trust point so we want to say hey we trust this ca so that way we can also enroll and get a certificate that we need for the server side identification as well as the client as well towards the end of this we'll issue another certificate that we're going to copy over to the computer that we'll be using to vpn in and that will come from this certificate authority as well so i'll start with crypto key [Music] i'm a little bit all over the place with my typing because if i remember i typically switch my keyboard out before i do these videos because the one that i normally use this this one's typically a little bit louder all right crypto key generate rsa general keys again modulus will be 2048 exportable and then the label will be what we're going to define in our trust point so we will say well you're going to see it in a second when we configure the trust point right after this we're going to say hey this is the rsa key pair that we want to use i know in advance that is going to be vpn server sir now this label doesn't have to match the trust point name because there is an option under the trust point configuration where you will define the rsa key pair i've made it the same as what the trust point name is going to be just to make it easier to understand so we have the label vpn server cert this entire configuration as i'm doing it will be listed on the website as well so if you're having a little bit of trouble following along or you would prefer to just read this or maybe even copy and paste it into your own lab router you can do that or at this point if you want to open that up it'll be in a link in the description and you can bring that up and look at what it is that i'm 
doing so that way you can kind of follow along and know what's coming up okay so we created the rsa key pair and next we are going to create the trust point so crypto pki trust point and i'm going to name it vpn server search now remember when we enabled the http server this is where we will use that we'll say enrollment url http and then we'll use the interface that we configured on the ip address on gig zero zero so that was ten zero twenty two hundred we'll start with uh subject name and we will say common name or cn equals uh vpn.cisco.lab now this isn't going now this in a production environment this will or should match up this isn't going to match up in this lab because when i connect to the vpn to test it out i'm not actually going to be using i don't have uh there's no dns server that will resolve this vpn.cisco.lab i'm going to be using the ip address so we're going to get a warning saying that the certificate doesn't match so just be aware of that if we had a dns record resolving this then we would be fine i'm putting this in there as the common name anyways just to give you an idea of what or how it probably should be set up so common name equals vpn.cisco.lab say the ou is it and then organization is rm tech how about that okay and then relocation check we'll just say none and here is where we define this rsa key pair we say rsa key pair and we said the label is vpn server server and that is it now we need to authenticate so we say crypto pki authenticate and the trust point is vpn server cert it's going to ask us to accept this if we want to accept it we'll say yes and then crypto pki enroll and again vpn server cert it's going to ask us for a password again to protect the keys just type in password and do we want to include include the router serial number and the subject name no we don't do we want to include the ip address no not really do we want to request the certificate yes we do since i stated that i wanted to automatically grant certificates 
under the certificate authority configuration you see that we were automatically granted the certificate so now if we say do show crypto pki certificates we go you see that we have the ca certificate as well as the one that we were just issued as well as their associated trust points all right let's see enough dealing with certificates for now at this point except towards the end we do have to create one more for the user so this is going to be the pool of addresses that will be assigned or could be assigned to the host when you vpn in and that pool is going to reside locally on this router so i'll say ip local pool i'll call it vpn pool and i will say that this will be in the um we'll say 10 0 0 1 through 10 0 0 50. okay now we need an authorization policy and under the authorization policy is where we will define this vpn pool so crypto ike version 2 authorization policy and i will name it ike v to underscore off z policy whoops i didn't mean to do that so we'll say pool vpn pool now here is where you can do a lot of other stuff as well you can set the default domain name so set default domain to send to the client you'll probably want to configure that in production this is where you would configure split acl but like i mentioned that doesn't work on cisco ios unfortunately uh and all of this other stuff in here we are just using this to define the vpn pool or should i say the um the local pool of ip addresses to be dished out to the clients and again this is a very bare bones basic configuration so this is really all i need to do right now i do recommend that you check this out kind of play around with it and see what else uh you might be able to configure underneath this authorization policy if we issue the do show run pipe section crypto pki should i say crypto ike version two we see that this is all we have crypto like version two authorization policy v2 underscore off z underscore policy and define that pool that we configured right here okay moving forward 
uh we need to have a proposal this is where we say hey here's what we can do here's the crypto we can do here's the the the hashing the diffie-hellman group and all of that stuff this should exist by default but i found that it seems to not sometimes so i'm going to make sure that it does by saying crypto ike version 2 proposal default i just go over this make sure that it's configured just in case it's not and it's one less thing to worry about down the line so we'll just say encryption aes cbc 256 aes cbc say 192 integrity 512 i think it's 384 and then for the diffie-hellman group we'll say group 21 20 14 19. okay do show run pipe section crypto ike version 2 proposal default and this is what our proposal looks like in production you might get past the default proposal and end up with multiple different proposals with different configurations but for this example the default works just fine then we'll move on to say crypto ike version 2 policy default now this i believe does exist but again just to make sure we want to tell it the proposal is the default and it looks like that's the way that it was so do show run type section like version two policy and we just see that we have uh match fe uh fvrf any and then proposal default these are both default um configuration parameters okay now we need to create a certificate map the certificate map will be linked in the ikeversion2 policy or should i say the ike version 2 profile and this is where we can say hey this this is where we can say hey this is the ike version 2 profile that we want to link up with and there's a whole bunch of different stuff you can do we're using certificates so we can say here's what to look for in the certificate and that would be uh one way to classify this and to do that we'll say crypto pki certificate map and we'll call it uh cert map give it a line of 10. 
and the way we're going to match this certificate and we still have yet to create and export the certificate for the client but the way that we're going to classify this is we want to look for the issuer name we want to see if it contains for the common name we want to see if it was issued by rca so it should be common name equals vpn underscore ca so this is looking for so when the client sends the certificate to identify itself if it came from if it was issued by vpnca it's going to fall under our ike version 2 profile that we're going to create next where we're going to reference this certificate map okay so we'll say crypto ike version 2 profile and we'll name the profile crypto ike version 2. profile yeah and we'll name it ike v2 underscore profile nice and generic and the first thing is we'll match that certificate map so we'll say match certificate and we will put in the name of our certificate map okay authentication remote now you can do a bunch of different things here you can use any connect eep and you can identify the the string that any connect will use by default you can do a bunch of other stuff pre-share et cetera but what we are doing is we are using certificates so we say rsa hyphen sig the rsa signature and the same thing with the local authentication so authentication local rsa sig okay now pki trust point remember that trust point we uh configured i believe it was called vpn server cert we want to tell this profile that that is the trust point that we want to use so let's scroll back up and yes that is what it's called so i'll just highlight this and right click to paste it in there so we have we have a pki trust point vpn server cert now at the very beginning when we enable the aaa new model remember when we went aaa authorization network like version two group auth z local this is where we're going to define that as well as our authorization policy as well so what we do is we say triple a [Music] authorization group and then we want to say 
cert for certificate and then the list will be we start with that aaa group and then we reference the authorization policy so the aaa list name was there we go the aaa list name was ike version 2 group auth z paste that there not the local i accidentally uh caught that in there and then the name of the authorization policy which was this right here so we have crypto like version two authorization policy ikev2 authc policy okay and then we want to say that we want this to use a virtual template one so we're going to be using virtual templates and the virtual template template will be configured same as an interface except it'll be used as a template to create a virtual access interface anytime a user vpn's in just to give you a brief overview of what we just configured i'll issue the do show run pipe section crypto ike version 2 profile command here is our ike version 2 profile we match the certificate map where in the certificate map we want to look out for certificates that were issued by um vpn ca and then for both local and remote authentication we want to use the rsa signature the trust point is vpn server cert and then where we define the aaa list in the authorization policy and then our virtual template all right and that is all there is to do there now we need to create an ipsec profile where we just define the ike version 2 profile essentially crypto ipsec profile and we will call it ipsec profile set ike version 2 profile ike v2 profile that's that there and now what i'm going to do is create a loopback the reason for the loopback is because on the virtual template we're going to use ip unnumbered we want to borrow an ip address i could probably do ip on numbered and then gig00 i think it's more common to use a back but for that loopback i will just give it an arbitrary ip address of 172 16 1.1 with a slash 32 mask and then on to the virtual template configuration so we'll say interface virtual template and we need to say virtual template 1 and then type 
is going to be tunnel now if anybody is familiar with gre tunnels and ipsec and then under the tunnel interface for gre using the tunnel protection command this is pretty much the same thing but first we want to say ip unnumbered and say we want to borrow that ip from loot pack loopback zero i'm going to set the mtu to 1400 for the additional overhead the those addition those additional uh layers of transport layers those additional headers that will be uh tacked on when data traverses the tunnel and with that being said i'm going to uh clamp the maximum segment size as well so i'll say ip tcp adjust mss and i'll say 1360 which is 40 bytes less than the what we set the mtu the tunnel mode is going to be ipsec ipv4 now remember this virtual template is just a template everything we put in here is going to be applied to the virtual access interface when we vpn in okay so last but not least we want to say tunnel protection ipsec profile and then ipsec profile where we define the ipsec profile which called on the ikeversion2 profile and we see that isocamp is turned on all right so we're done with uh ike version two config the bare bones bare minimum that we have to do to make this work except that we need to now have a certificate for the user so our test user that we're going to use to vpn into this needs a certificate so we need to essentially do what we did at the beginning with the vpn server cert but i'm going to make another trust point called vpn user cert and first i need to make sure that it's exportable and that the the keys are 2048 bits so i'll say crypto key generate rsa general keys modulus 2048 exportable now you need to make sure that this has is is set as exportable because if you don't you're going to you're going to wonder why you can't export the certificate either to a usb or tftp or whatever you're using you need to make sure you define that it's exportable and then we'll say the label is vpn user cert wait for that to generate the rsa keys and 
we'll move into the trust point configuration for this user certificate so pki trust point [Music] we're going to call the trustpoint vpn user cert as well enrollment url http 100 2200 just like for vpn server cert subject name we'll say that common name is vpn user serve relocation check none and rsa key pair we need to make sure that this matches up and again the label you put on this doesn't need to match the name of the trust point we could have could have put anything right here and then you can define it under the rs or using the rsa key pair command okay and then again just like before crypto pki authenticate vpn user cert crypto pki enroll vpn user assert give it a simple password of password do we want to include include the router serial number nope ip address nope do we want to request the certificate yes we should automatically be granted the certificate and we were and now is where we need to export the certificate so you can do this a couple of different ways i can actually tftp it because this router i'm doing this configuration on is connected to my network also connected to my network is a tftp server you might be in a position do you want to use a usb drive or something like that but either way the command will be the gist of it is exactly the same it just depends on what what um protocol you're using to transfer or what kind of physical media you're using so i'll go ahead and show you the command is crypto pki export and we want to export the vpn user cert and we want to tell it that we want to use a pkcs12 and here is where if you're using usb you could say um usb i believe usb is in there unless usb doesn't pop am i just not seeing it usb may not pop up unless the drive isn't so does this router have a usb yeah it has two of them okay um it may not pop up unless the usb drive is inserted but i'm certain you can use usb and if that was the case you would tell it usb and then you know over it was usb 0. 
i think you get the general idea i'm going to be using tftp since that's most convenient so i'll say crypto pki export vpn user cert pkcs 12 tftp and my tftp server is 10.020.10. and the name will be vpn user cert dot pfx now this is going to export the entire chain so you're going to get the ca certificate as well as this vpn user cert certificate as well and so you don't you don't have to worry about doing the uh exporting the ca certificate separately so that way the certificate from this router is automatically trusted this is going to do it all in one we need a password and we need another we need a passphrase so we'll go password password uh the host is correct we put that in there previously 100 2010 that is my tftp server and the destination file name vpn user cert.pfx uh should work okay i was getting a little nervous there for a second uh let me make sure that that transferred over so let me go to my tftp directory uh ignore everything else in here but uh here it is vpn user search all right we're still not done with this router yet very important you have to zero eyes and get rid of the trust point you have to get get rid of any little part of this this certificate that we just created for this user so otherwise it won't connect if we issue do show crypto pki certificates we're going to see that now we have three certificates it is uh right here this very top one is the vpn user cert we want to zero z i can't zero eyes the key by issuing the command crypto key zero eyes [Music] what am i doing crypto key zero eyes okay there we go uh rsa and then vpn user cert yes and no crypto pki [Music] trust point vpn user cert yep we want to do this we are sure then we'll also issue the command no crypto ike version 2 http url cert as well as turning off the http server since we don't need it anymore and no ip http uh secure server either [Music] and then when we disabled the uh http server i mean unless you use unless you http and use http to access the router 
anyways uh otherwise probably disable it from a security standpoint but when we do that it automatically disables the certificate authority server because it's relying on http http server to be running so that way it can issue certificates now we are complete actually uh no i have to go back and finish the nat configuration so far we just configured the ip nat outside on gig zero zero i'll come back to this in a second first i want to i want to get this set up on the computer i want to connect to the vpn to test it to make sure that it works once you're on your computer that you're going to use to connect to the vpn and use cisco anyconnect on you want to download anyconnect now um i don't know if i can post the download because i don't want to i don't want to piss off cisco i don't know if that's a thing where they're going to be upset with that i'm not going to post the download link i believe you need a cisco contract to download it however if you can't find it anywhere you really need to have it because you're trying to get this working send me an email and i'll see if i can help you out how's that is that fair enough my email will be in a link in the description of this video by the way i have already downloaded anyconnect i have already installed anyconnect i told myself uh before i made this video that i was going to wipe it out so i could do everything from a uh from what it would look like from uh complete scratch but i didn't so the installation is straightforward you double click it and you go through and you install it there's really nothing advanced about the installation of course this is giving me a bunch of options because it's already installed so it wants to know if i want to remove it repair it or modify it so we'll just pretend like it's not installed and i went next next next and then now okay any connect is installed so we're all good there see all good installed there are a few things that we need to tweak actually one of them is the fact 
that i need to get rid of this computer's already set up for uh vpninting into my company so i'm just going to uh i'm going to get rid of that certificate really quick that exit that already exists i think that if i don't then it is going to be a conflict with the certificate that i'm going to add for this lab and i think it's under local computer personal certificates yeah so i'll get rid of the certificate i'll install it again later to make sure i can still vpn into my work stuff all right i just want it to be nice and clean okay so we installed any connect there's a couple tweaks we need to do but first i want to make sure that we get that certificate installed remember the one that we created vpn user assert and then we exported it via tftp and i brought it up now on my uh tftp server all you do is double click it in windows i've had a problem with putting it under the current user it gives me an error something along the lines of this certificate is not meant for this purpose for identification or something like that all i know is that putting it under local machines seems to have solved that problem and that's what i'm going to do everything else is going to figure out automatically and i'll go ahead and just say that sure okay we'll we'll mark the private key exportable and then we need to put in the password that we set when we exported this and then we'll automatically select uh the certificate store based on the type of certificate all right it's imported let me bring up my certificate console here and just show you really quick what happened so it automatically stuck the certificate under certificates for the local computer under the personal certificate store and here's our certificate um what am i looking for there we go so we have the private key and we see subject vpn.cisco.lab and like i mentioned when i was exporting this that it is the certificate chain if we go under trusted root certification authorities we will see that we should have vpn 
there we go vpn underscore c8 and now we need to open up our file explorer and go to our c drive or wherever you install your programs and go to program data so we have c drive program data go to the cisco directory go to cisco anyconnect secure mobility client and the first file we want to modify is any connect local policy now you're probably noticing that in my folder i have these two files that's because i've already modified them for my work vpn in that way if i have another computer that i need to install this then i can just drag these over really quick but what you want to do is go to any connect local policy and click edit look for bypass downloader and set it to true it should be false by default go in there and get rid of that input true now once you do that most likely you're going to click save and then it's not going to have permissions to write that in that directory the best way to do it is to copy it out so i'll just copy it from here to my desktop and edit it i'm going to put in true save it and then copy it back and then it's going to prompt me to elevate the permissions to administrator and then it should go alright once that's done click on profile and this will most likely not be there by default it's there because again like i said i already had any connect installed and i will actually um so you have a template for this i will put um i'll put one in the download so you can download it you can download it and then copy it over anyways we'll pretend that uh we'll pretend like this one isn't here actually we'll delete it i'm going to pretend like we just downloaded it from the rmtechcentral.com website and we downloaded it to our desktop so we right click this and we want to change uh just two things first and this is set up for again my work vpn but we want to change this to the address now again we're going to get a certificate warning like i already mentioned because we're not using that vpn.cisco.lab domain name which is in the certificate 
We're going to use the IP address, so here I'll put 10.0.20.200, which is the address on the router's Gig 0/0 interface. For host name, this is what's going to pop up in the AnyConnect list of hosts; I'm going to change this to Cisco Lab Router. Last thing, the auth method during IKE negotiation: this is normally AnyConnect-EAP by default. You don't want it to be AnyConnect-EAP if you're using this method, so it will be IKE-RSA. Let's save this file and move it on over.

All right, let's go ahead and open up AnyConnect now. Since this was set up before, the last name I had in there for my personal VPN is going to still exist, but we see that we have the Cisco Lab Router in there as well. I didn't realize it was going to attempt a connection as soon as I clicked it. It's probably going to fail right off the bat because we are going to have an issue with the certificate, like I mentioned before. This is only popping up because it can't verify the server: it's looking for vpn.cisco.lab and we have 10.0.20.200 in here, so we need to change a setting to not block connections from untrusted servers. Once we do that (now, if everything's fine and the certificate matches up and everything like that, you won't have to do this, but we do have to do this in this case) it'll probably still pop up and warn us about the certificate, but after we choose to allow it everything should be good. And here we go: see, right here it says certificate does not match the server name, like I keep mentioning, and we will connect anyway. And there we go. We should be able to ping that loopback; go show run interface loopback 0, that loopback we created, 172.16.1.1. That should give us confirmation that we do indeed have a connection, and we do.

Let me go back to the router really quick. One thing that I should have mentioned under the authorization policy: if I issue show run | section crypto ikev2 auth, where we define the VPN pool, we probably want to give it a DNS server, and we can. Back when I was mentioning that we can configure a bunch of other things under here, I just configured the VPN pool; configuring DNS is most likely something that you want to do. So we'll just say dns, and, actually, you know what, I'll just use my internal DNS server since this is piped back through my internal network, so I'll say 10.0.20.13. Next time we connect we'll be assigned this as our DNS server.

Then let me complete the NAT configuration so I can make sure that we actually have internet working. It won't reach out to the internet because we don't have NAT configured, so let's complete the NAT configuration. First I'm going to disconnect from the VPN so that I actually have access to that virtual-template interface; otherwise it locks me out of it. So I go interface virtual-template 1, ip nat inside, and then let me create my NAT access control list. I'll say ip access-list extended NAT, permit ip, and I will say 10.0.0.0 (I believe that is the IP pool, and since this is 1 through 50 I could try to summarize that, but I'll just say it's a /24 for now), so the wildcard mask will be 0.0.0.255, to any. That's going to say any host with an address in this network will be permitted to be translated. The command to complete it would be ip nat inside source list NAT interface gig 0/0 overload.

Let's connect to the VPN once more and see if we get our DNS server and see if we have internet access since we configured network address translation. There's a certificate warning again; we're going to connect anyway, and we are connected. Let me go back to my command prompt and issue ipconfig /all. I just want to make sure that we got that DNS server, and there we go: we have the IP address of 10.0.0.3, the DNS server 10.0.20.13, and now that we configured NAT for our VPN traffic we should have full reachability out to the internet, and we do.

Now let's just verify that it's going through the tunnel. I will use the traceroute command, and we're just mainly looking for the first hop, which will be that loopback, because as soon as the traffic gets over to this router it's de-encapsulated and an ICMP time-to-live-exceeded message is sent back. It will be sourced from that loopback since the virtual template is borrowing an IP address from the loopback. So when we see that the first hop is that loopback address, we know that the traffic is going through the tunnel. And there you go, that is how you configure a bare-bones IKEv2 VPN on a Cisco IOS router. I hope that you enjoyed this video; I really hope that you learned something. The video ran a little bit longer than I intended, but that's what happens with these things sometimes. Anyway, if you have any questions feel free to reach out: leave a comment in the comment section below, or you can email me directly; send an email to rob rmtechcentral.com. Thanks once again for watching this video, and I'll see you in the next one.
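The authorization-policy and NAT commands narrated above, written out as a Cisco IOS configuration fragment. This is an added example, not the video's own running config: the policy, pool and ACL names are placeholders, the pool range 10.0.0.1 to 10.0.0.50 is taken from the narration, and the `ip nat outside` line on Gig0/0 is an assumed prerequisite the video does not show.

```cisco
! Added example (not the video's config). Names are placeholders.
! Pool range assumed from the narration ("one through 50").
ip local pool VPN-POOL 10.0.0.1 10.0.0.50
!
crypto ikev2 authorization policy ANYCONNECT-POLICY
 pool VPN-POOL
 dns 10.0.20.13
!
! Each client lands on a Virtual-Access interface cloned from this template.
! With no working split ACL on IOS, every client packet (internet included)
! arrives here, so this is the NAT inside side.
! Disconnect clients before editing; the template is locked while in use.
interface Virtual-Template1 type tunnel
 ip nat inside
!
! Assumed prerequisite: the uplink is the NAT outside interface.
interface GigabitEthernet0/0
 ip nat outside
!
! Translate only the client pool, not "any": keep the ACL scoped to the
! addresses handed out above.
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
! Checks after a client reconnects:
!   show crypto ikev2 sa          - the client's IKEv2 SA is present
!   show ip interface brief       - a Virtual-Access interface is up
!   show ip nat translations      - pool addresses are being translated
```

The untrusted-server prompt seen in the video comes from the profile addressing 10.0.20.200 while the certificate names vpn.cisco.lab; it goes away only when the profile host matches a name in the server certificate, which is the condition to aim for rather than leaving the untrusted-server override enabled.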
Info
Channel: Robert Mayer
Views: 333
Keywords: Cisco, AnyConnect, IKEv2, IPSec, Cisco IOS, IKEv2 on Cisco IOS, Client to Site IPSec VPN, Configure IKEv2 Cisco
Id: TXw53OJSrKU
Length: 57min 55sec (3475 seconds)
Published: Sat Oct 16 2021