Cisco Anyconnect Sstp



Cisco AnyCconnect is SSL VPN. There is also client-less WebVPN where you browse to an internal site on the ASA, authenticate just like you're using AnyConnect, but then you access internal servers via that web portal. The advantage is that your entire connction isn't tunneled - it's only whatever you access through the web portal. I found information that the Cisco Anyconnect client (available on the Apple Store) should support SSTP on iOS. (Update.) I tried the different VPN clients for Android (on Android 5 and 9) and Cisco AnyConnect on iOS 12.4 here in my lab and I didn’t succeed at all. Therefore, I concluded that those two platforms are not supported.

Are a Cisco shop. Already possess the necessary licensing and equipment. Have little/no technical debt with the Cisco product. Have a domain so you can push the client/settings with GPO. You should stick to Cisco. Microsoft's Always-on VPN is an SSTP-based sslvpn. IOS users can connect via SSTP using Cisco AnyConnect. You can find a good tutorial for it here.

IFM supplies network engineering services for $NZ180+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!

SSTP (Secure Socket Tunneling Protocol) is a VPN solution that came with Windows build in solution for VPN. It is similar to Open VPN but instead of an open solution, it is used on mainly Windows. So, it is not a widely prefered VPN protocol.

Perhaps your visiting this page because you want to use the latest (as of 2015) cryptography standards available - Suite-B. Perhaps you are interested in fully migrating to IKEv2. Or perhaps you are one of the many people using the 'end of life' Cisco IPSec VPN Client, upgraded to Windows 10, and then found the support somewhat lacking. Perhaps you have come across some articles on the Internet showing solutions, but you don't have Cisco ISE, a RADIUS server or a certificate server, so they wont work for you. Or perhaps you just want to keep your Cisco technology current.

The first solution you should consider is using the Cisco SSL VPN technology. It doesn't use Suite-B cryptography, but it is much easier to setup. If you don't need super strong cryptography (and don't mind paying the licencing cost) then you should seriously consider this option (which Google can help you find the answers too).

You're still reading this article so that means you do want to use super strong cryptograpy or want to minimise additional licencing costs. This article will show you how to deploy a IKEv2 Suite-B Compliant VPN using the Cisco AnyConnect client (V3.1.12020 or newer) using nothing more than a Cisco IOS router running IOS V15.4(3)M4 or later. You need to be using a minimum of Windows 7 to make Suite-B work. This is perfect for small sites that are light on infrastructure.

Cisco Anyconnect Sstp

If you don't currently have the Cisco AnyConnect client you will need to get a Cisco support contract (such as a SmartNet contract) to be able to download the client. If you need to upgrade the software on your router to 15.4(3)M4 then you will need the same support contract to download the new router software.

Note that AnyConnect with IKEv2 on IOS does not currently support the use of split-acls. Everything will get sent back to the router. If you want the user to have Internet access you'll need to NAT their traffic and send it back out to the Internet. Also note the use of certificates is compulsory. It is not possible to use usernames and passwords (IOS local authentication does not support EAP and AnyConnect only supports EAP for username/password authentication). You will also need a TFTP server on one machine to get certificates off the router. A great free TFTP server is tftpd32.

Basic IOS Functionality Needed

Cisco

We need some basic fundamentals enabled.

aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network grouplist local
ip http server
ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org

Its pretty critical that your router has at least the right date. Having the right time is even better. We have't configured the time zone, but make sure the date and time are about right before continuing (relative to the timezone displayed). If NTP above isn't working in your configuration above then manually set the date and time using the 'clock set ...' command.

REPEAT: DO NOT CONTINUE UNTIL THE DATE AND TIME ARE CORRECT

Certificate Server

You have to deploy certificates. There is no other way to get it going.

First define the new CA.

do mkdir flash:ca
crypto pki server ca-server
database level names
no database archive
hash sha512
lifetime certificate 3650
lifetime ca-certificate 7305 23 59
eku server-auth client-auth
auto-rollover 365
database url flash:ca
exit
exit
crypto key generate rsa general modulus 4096 exportable label ca-server
do crypto pki server ca-server start

Now we have a CA operating, we need to generate a certificate for our router to identify itself to clients.Ideally you will have a DNS entry for this, but a static IP address should also be fine. The 'IP Address'below is the external public IPv4 address of the router.

crypto key generate rsa general modulus 4096 exportable label router
crypto pki trustpoint router
enrollment url http://<ip address>:80
ip-address <ip address>
fqdn <DNS entry pointing to router>
subject-name CN=<site name>,OU=user-vpn,O=<company name>
revocation-check crl
rsakeypair router
auto-enroll regenerate
hash sha512
exit
crypto pki authenticate router
crypto pki enroll router

The certificate server should now have a pending request.

Once you can see the request number you can approve it.

do crypto pki server ca-server grant <request number>

Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:

Crypto Configuration

Cisco anyconnect secure mobility client free

Below I have allowed for users VPNing in to get an IP address from 192.168.255.1 to 192.168.255.254. You can modify this to use a free IP address block at your site.

ip local pool vpnusers 192.168.255.1 192.168.255.254
crypto ikev2 authorization policy ap-staff
pool vpnusers
route set interface
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14
crypto ikev2 policy default
match fvrf any
proposal default
crypto pki certificate map staff-certificate-map 10
issuer-name co cn = ca-server
crypto ikev2 profile staff
match certificate staff-certificate-map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint router
dpd 60 2 on-demand
aaa authorization group cert list grouplist ap-staff
virtual-template 1
no crypto ikev2 http-url cert
crypto ipsec transform-set tr-gsm256 esp-gcm 256
mode tunnel
crypto ipsec profile staff
set transform-set tr-gsm256
set pfs group21
set ikev2-profile staff

Replace GigabitEthernet0/0 below with whatever is your outside interface which has a public IPv4 address on it. If you are using the zone based firewall then make the below Virtual-Template belong to the 'inside' zone. If you want the user to have Internet access while VPN'ed in then make this the inside NAT interface.

interface Virtual-Template1 type tunnel
description Cisco AnyConnect IKEv2
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile staff

Take a break, you have now completed the main config on the router, and its time to move onto configuration relating to the client.

Sstp

Client Related Configuration

This section needs to be repeated for each user you want to be able to VPN in.

Install Cisco Anyconnect

We are going to generate the entire certificate on the IOS CA server for the client, and then export it as a chain (including the CA certificate) so we can import it in one step on the client.

Replace user@example.com with the email address of the person you are giving access to. It doesn't have to be an email address actually, but that is my preference.

crypto key generate rsa general modulus 4096 exportable label user@example.com
crypto pki trustpoint user@example.com
enrollment url http://<ip address>:80
serial-number none
fqdn none
ip-address none
subject-name CN=user@example.com
revocation-check none
rsakeypair user@example.com
auto-enroll
hash sha512

We'll now install the CA certificate into new trustpoint for the user and request the certificate.

crypto pki authenticate user@example.com
crypto pki enroll user@example.com

The certificate server should now have a pending request.

Once you can see the request number you can approve it.

do crypto pki server ca-server grant <request number>

Now wait a minute or so. You should see a message come up on the console or the log saying the certificate has been retrieved from the CA and installed. You can check that the certificate is installed with:

Now we need to export the new certificate as a chain (including the CA certificate) to your TFTP server. Replace 1.1.1.1 with the IP address of your TFTP server. The password is used to encrypt the key and is needed when you import it on the client. The password is not used after that. I have now discovered another way of doing this and that is to export the certificate to a USB memory key. The first line below demonstrates the export to a TFTP server, and the second to a USB memory key plugged into the first USB slot on the router.

crypto pki export user@example.com pkcs12 tftp://1.1.1.1/user.pfx password <password>
crypto pki export user@example.com pkcs12 usbflash0:/user.pfx password <password>
Install cisco anyconnect vpn

Now copy this file to the end users machine. Double click on the user.pfx file. Enter the password and let the wizard automatically select the certificate store to put the certificates into. Allow it to import extended attributes, and allow it to mark the private key as exportable.

Now we have to delete the user key off the router! Sounds bizarre I know, but the user can not VPN while it still exists on the router.

crypto key zeroize rsa user@example.com
no crypto pki trustpoint user@example.com

Now install the AnyConnect client on the users computer, if it is not installed already. Then we need to create an XML profile for your router. Copy and paste the below profile into notepad. Replace 'Company' with a nice name for the VPN entry as it appears in AnyConnect. I'm not sure if this field supports spaces, so I would avoid using spaces. Change vpn.example.com to the external DNS entry pointing to your router. It is likely to work if you put the routers outside public IPv4 address instead but I have not tested this.

Cisco Anyconnect Sstp

<?xml version='1.0' encoding='UTF-8'?>
<AnyConnectProfile xmlns='http://schemas.xmlsoap.org/encoding/'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd'>
<ServerList>
<HostEntry>
<HostName>Company</HostName>
<HostAddress>vpn.example.com</HostAddress>
<PrimaryProtocol>IPsec
<StandardAuthenticationOnly>true
<AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
</StandardAuthenticationOnly>
</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>

Cisco Anyconnect Sstp Ios

Now save this file to %ProgramData%CiscoCisco AnyConnect Secure Mobility ClientProfile and call it something like 'Company.xml' where Company is a short name for your company. If AnyConnect is already running you need to quit it and start it running again so that it reads the profile directory. With any luck your new profile will appear in the drop down box and you can click on 'Connect' to connect to your router. You should then be able to ping internal hosts by their IP address.