

Forum question: FlexVPN DVTI hubs with spokes behind NAT

I have set up a platform (consisting of 2x ASR1001X routers) as FlexVPN DVTI hubs to terminate different remote sites (mostly ISR1000, but also older C886s) into different VRFs. The authorization backend is FreeRADIUS.

! IKEv2 profile fragments as posted (the profile name is not included in the post)
 match identity remote fqdn domain ***.com
 match identity remote email domain *****.com
 keyring aaa NTVPN name-mangler MANGLER-1 password cisco
 aaa authorization user psk list VPN name-mangler MANGLER-1 password cisco
 aaa authorization user cert list default default
!
crypto ikev2 authorization policy default
!
crypto ipsec transform-set AES_128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set AES_128-SHA_256 esp-aes esp-sha256-hmac
crypto ipsec transform-set AES_256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set AES_256-SHA_256 esp-aes 256 esp-sha256-hmac
!
! IPsec profile fragment as posted (IPSEC-NTVPN-1 is the profile referenced by the Virtual-Template)
 set security-association lifetime seconds 7200
!
interface Virtual-Template800 type tunnel
 tunnel protection ipsec profile IPSEC-NTVPN-1

I excluded the whole PKI/AAA/RADIUS stuff because the plain authentication is working fine. The story works fine as long as the spoke site has a public IP address on the internet. But as soon as the device is behind a NAT I can't get a tunnel anymore.

Mar 10 15:59:36.976: IKEv2-ERROR:: A supplied parameter is incorrect
Mar 10 15:59:37.692: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
Mar 10 15:59:50.443: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to down
Mar 10 15:59:50.455: IKEv2:% DVTI Vi4 created for profile FLEX-BOX-1 with PSH index 2.
Mar 10 15:59:50.455: IKEv2:IPSec policy validate request sent for profile FLEX-BOX-1 with psh index 2.
Mar 10 15:59:50.456: IKEv2:(SA ID = 2): Callback received for the validate proposal - FAILED.

As soon as I turn back to a WAN access where the spoke-side router has a non-NAT, globally reachable address, everything works fine again.


Cisco IKEv2 Name Mangler how-to: FlexVPN remote access with per-customer local authorization

In this example FlexVPN Remote Access VPN users authenticate to the hub router using RSA certificates. Using the IKEv2 Name Mangler feature, the organisation-unit (OU) value is extracted from the client certificate and a local IKEv2 authorization policy is selected based on the extracted value. The authorization policy, together with the AAA attribute list it references, assigns per-session attributes such as VRF, IP pool and access list. The authorization policy name must match the OU value in the certificate exactly.

Because the OU alone decides which customer's policy (and therefore which VRF and access list) a session receives, OU issuance has to be controlled by the CA behind the hub's trustpoint: any certificate that CA signs with OU=Customer-1 is placed into Customer-1's VRF, whoever holds it. The PKI enrolment process is part of the tenancy boundary, not just the IKEv2 configuration.

This configuration is an example of FlexVPN local authorization; the same can be achieved using a RADIUS server. Refer to the previous posts for additional FlexVPN information.

FlexVPN Configuration

VRF
vrf definition Customer-1

Access Lists
ip access-list extended ACL_CUSTOMER-1

AAA
AAA must be enabled and a method list for network authorization defined; this list is referenced in the IKEv2 profile.
aaa authorization network FLEX_LOCAL local

AAA Attribute Lists
To demonstrate some of the attributes that can be pushed to a client connection, different settings are applied to the two AAA attribute lists (one per customer) so that it is easy to confirm the settings are applied correctly.

Customer-1 attribute list:
attribute type interface-config "ip mtu 1100"
attribute type interface-config "vrf forwarding Customer-1"
attribute type interface-config "ip unnumbered lo10"
attribute type interface-config "ip access-group ACL_CUSTOMER-1 in"

Customer-2 attribute list:
attribute type interface-config "ip mtu 1300"
attribute type interface-config "vrf forwarding Customer-2"
attribute type interface-config "ip unnumbered lo20"
attribute type interface-config "ip access-group ACL_CUSTOMER-2 in"
attribute type interface-config "ip verify unicast reverse-path"
attribute type dns-servers "192.168.10.66"
attribute type default-domain customer-2.lab
attribute type addr-pool "CUSTOMER-2_POOL"

IKEv2 Authorization Policies
crypto ikev2 authorization policy Customer-1

For the Customer-2 authorization policy, to demonstrate a different way of configuring additional settings such as DNS server, default domain, VPN pool and netmask, these settings are defined in the AAA attribute list that this policy references.

crypto ikev2 authorization policy Customer-2

IKEv2 Name Mangler & Profile
crypto ikev2 name-mangler NM_OU

For authorization to be performed, the IKEv2 profile must be configured for authorization using the method list defined above (FLEX_LOCAL) and the name mangler (NM_OU):
aaa authorization group cert list FLEX_LOCAL name-mangler NM_OU

Virtual-Template
The IP address and VRF are assigned via the AAA attribute list; therefore the Virtual-Template must not be configured with an IP address.
tunnel protection ipsec profile IPSEC_PROFILE
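The post shows the individual pieces but not how they fit together. The following is an added example, not the post's own configuration: a consolidated IOS-XE hub configuration for the two-customer setup described above, with the parts the post omits filled in. Everything not on the page is an assumption: the trustpoint CA_TP and its enrolment URL, the certificate map CM_FLEX and its issuer name, the profile FLEX_PROFILE, the attribute list names ATTR_CUSTOMER-1 and ATTR_CUSTOMER-2, the loopback and pool addresses, the ACL contents, the proposal/policy names, Virtual-Template1 and its tunnel source. The post's lo10/lo20 are written out as Loopback10/Loopback20.

```cisco
! Added example, not the original post's configuration; names flagged as assumed do not appear on the page.
aaa new-model
aaa authorization network FLEX_LOCAL local
!
vrf definition Customer-1
 address-family ipv4
!
vrf definition Customer-2
 address-family ipv4
!
interface Loopback10
 vrf forwarding Customer-1
 ip address 10.1.0.1 255.255.255.255
!
interface Loopback20
 vrf forwarding Customer-2
 ip address 10.2.0.1 255.255.255.255
!
ip local pool CUSTOMER-1_POOL 10.1.1.1 10.1.1.254
ip local pool CUSTOMER-2_POOL 10.2.1.1 10.2.1.254
!
! ACL contents assumed: each customer reaches only its own address space
ip access-list extended ACL_CUSTOMER-1
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
ip access-list extended ACL_CUSTOMER-2
 permit ip 10.2.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Pushed onto the virtual-access interface at authorization (list names assumed).
! Keep "vrf forwarding" before "ip unnumbered": changing an interface's VRF clears its IP configuration.
aaa attribute list ATTR_CUSTOMER-1
 attribute type interface-config "ip mtu 1100"
 attribute type interface-config "vrf forwarding Customer-1"
 attribute type interface-config "ip unnumbered Loopback10"
 attribute type interface-config "ip access-group ACL_CUSTOMER-1 in"
!
aaa attribute list ATTR_CUSTOMER-2
 attribute type interface-config "ip mtu 1300"
 attribute type interface-config "vrf forwarding Customer-2"
 attribute type interface-config "ip unnumbered Loopback20"
 attribute type interface-config "ip access-group ACL_CUSTOMER-2 in"
 attribute type interface-config "ip verify unicast reverse-path"
 attribute type dns-servers "192.168.10.66"
 attribute type default-domain customer-2.lab
 attribute type addr-pool "CUSTOMER-2_POOL"
!
! Policy name must equal the certificate OU; Customer-1 sets pool/DNS here, Customer-2 takes them from its list.
crypto ikev2 authorization policy Customer-1
 pool CUSTOMER-1_POOL
 dns 192.168.10.66
 def-domain customer-1.lab
 aaa attribute list ATTR_CUSTOMER-1
 route set interface
!
crypto ikev2 authorization policy Customer-2
 aaa attribute list ATTR_CUSTOMER-2
 route set interface
!
crypto pki trustpoint CA_TP
 enrollment url http://192.168.10.10:80
!
! Accept only certificates issued by the lab CA (issuer name assumed)
crypto pki certificate map CM_FLEX 10
 issuer-name co cn = lab-ca
!
crypto ikev2 proposal PROP_FLEX
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL_FLEX
 proposal PROP_FLEX
!
crypto ikev2 name-mangler NM_OU
 dn organization-unit
!
crypto ikev2 profile FLEX_PROFILE
 match certificate CM_FLEX
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA_TP
 aaa authorization group cert list FLEX_LOCAL name-mangler NM_OU
 virtual-template 1
!
crypto ipsec transform-set TS_FLEX esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TS_FLEX
 set ikev2-profile FLEX_PROFILE
!
! No IP address here: the VRF and "ip unnumbered" arrive from the attribute list
interface Virtual-Template1 type tunnel
 no ip address
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
```

To confirm the flow end to end, connect with a certificate carrying OU=Customer-2 and check `show crypto ikev2 sa detail` for the session, then `show derived-config interface Virtual-Access1` (substitute the interface number the hub allocated), which lists the interface-config lines the attribute list actually applied; the MTU values 1100 and 1300 differ on purpose so the two policies are easy to tell apart. Also test a certificate from the same CA whose OU matches no policy name and verify the hub refuses the session, rather than assuming a fallback exists.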
