
IKEV2 NAME MANGLER HOW TO

In this example FlexVPN Remote Access VPN users will authenticate to the Hub router using RSA certificates. Using the IKEv2 Name Mangler feature, the organisation-unit (OU) value will be extracted from the certificate and a local IKEv2 Authorization Policy assigned based on the extracted value. The IKEv2 Policy name must match exactly the value defined in the OU. The IKEv2 Policy, in conjunction with the AAA attribute list, will assign different attributes to the users' sessions, for example VRF, IP Pool, Access List etc.

This configuration is an example of FlexVPN Local Authorization; the same can be achieved using a RADIUS server.

Refer to the previous posts for additional FlexVPN information:-

FlexVPN Configuration

VRF

vrf definition Customer-1

Access Lists

ip access-list extended ACL_CUSTOMER-1

AAA

AAA must be enabled and a method list for network authorization defined; this will be referenced in the IKEv2 Profile.

aaa authorization network FLEX_LOCAL local

AAA Attribute Lists

To demonstrate some of the attributes that can be pushed to a client connection, different settings will be applied to the individual AAA Attribute Lists to help confirm the settings are applied correctly.

Attributes in the Customer-1 list:

attribute type interface-config "ip mtu 1100"
attribute type interface-config "vrf forwarding Customer-1"
attribute type interface-config "ip unnumbered lo10"
attribute type interface-config "ip access-group ACL_CUSTOMER-1 in"

Attributes in the Customer-2 list:

attribute type interface-config "ip mtu 1300"
attribute type interface-config "vrf forwarding Customer-2"
attribute type interface-config "ip unnumbered lo20"
attribute type interface-config "ip access-group ACL_CUSTOMER-2 in"
attribute type interface-config "ip verify unicast reverse-path"
attribute type dns-servers "192.168.10.66"
attribute type default-domain customer-2.lab
attribute type addr-pool "CUSTOMER-2_POOL"

IKEv2 Authorization Policies

crypto ikev2 authorization policy Customer-1

For the Customer-2 Authorization Policy, in order to demonstrate a different method of configuring additional settings such as DNS Server, Default Domain, VPN Pool and Netmask, these settings have been defined in the AAA Attribute list which this AuthZ Policy references.

crypto ikev2 authorization policy Customer-2

IKEv2 Name Mangler & Profile

crypto ikev2 name-mangler NM_OU

In order for authorization to be performed, the IKEv2 Profile must be configured for authorization using the method list previously defined (FLEX_LOCAL) and the name mangler (NM_OU).

aaa authorization group cert list FLEX_LOCAL name-mangler NM_OU

The IP address and VRF will be assigned via the AAA attribute list, therefore the Virtual-Template must not be configured with an IP address.

tunnel protection ipsec profile IPSEC_PROFILE

Windows/AnyConnect Client Configuration

AnyConnect Profile

To configure the AnyConnect VPN client, use the Cisco AnyConnect VPN Profile Editor to create a configuration file.
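As an added example (not from the original post and not Cisco code), the following Python models the authorization flow this configuration sets up: the OU is pulled from the certificate subject as the NM_OU name mangler would, matched exactly against the IKEv2 authorization policy names, and the referenced AAA attribute list becomes the session's attributes. The attribute-list names (ATTR_CUSTOMER-1, ATTR_CUSTOMER-2) and the subject DN layout are assumptions, since the post does not show them.

```python
import re

# AAA attribute lists with the values from the post; the list names are assumed
ATTRIBUTE_LISTS = {
    "ATTR_CUSTOMER-1": [
        ("interface-config", "ip mtu 1100"),
        ("interface-config", "vrf forwarding Customer-1"),
        ("interface-config", "ip unnumbered lo10"),
        ("interface-config", "ip access-group ACL_CUSTOMER-1 in"),
    ],
    "ATTR_CUSTOMER-2": [
        ("interface-config", "ip mtu 1300"),
        ("interface-config", "vrf forwarding Customer-2"),
        ("interface-config", "ip unnumbered lo20"),
        ("interface-config", "ip access-group ACL_CUSTOMER-2 in"),
        ("interface-config", "ip verify unicast reverse-path"),
        ("dns-servers", "192.168.10.66"),
        ("default-domain", "customer-2.lab"),
        ("addr-pool", "CUSTOMER-2_POOL"),
    ],
}

# IKEv2 authorization policies: policy name -> referenced attribute list (assumed).
# The mangled OU is matched against the policy name exactly, as the post requires.
AUTHZ_POLICIES = {"Customer-1": "ATTR_CUSTOMER-1", "Customer-2": "ATTR_CUSTOMER-2"}


def parse_dn(dn: str) -> dict:
    """Split a subject DN such as 'CN=user1,OU=Customer-1,O=Lab' into attr -> [values]."""
    parsed = {}
    for part in re.split(r"(?<!\\),", dn):  # split on commas not escaped with '\'
        key, _, value = part.partition("=")
        parsed.setdefault(key.strip().upper(), []).append(value.strip())
    return parsed


def mangle_ou(dn: str):
    """What the NM_OU name mangler yields: the certificate's OU value, or None if absent."""
    ous = parse_dn(dn).get("OU", [])
    return ous[0] if ous else None


def authorize(dn: str):
    """Local authorization (FLEX_LOCAL): exact policy-name match, else the session is rejected."""
    name = mangle_ou(dn)
    if name is None or name not in AUTHZ_POLICIES:
        return None
    session = {}
    for attr, value in ATTRIBUTE_LISTS[AUTHZ_POLICIES[name]]:
        session.setdefault(attr, []).append(value)
    return session
```

A subject whose OU differs only in case, or carries no OU at all, is rejected, which mirrors the post's exact-match rule; it also makes plain that the OU alone decides which VRF, ACL and pool a session receives, so the CA issuing these certificates must control that field.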
