Mar 18

Anyconnect installation/Router configuration

Tuto regarding software installation and router configuration.


There is 2 kind of install :

  • From a WebVPN portal : connected users can download an .exe file that can be installed on their computers. Nice idea but facing lots of issues (security bugs and so on ).
  • A pre-deployed kit can be installed on users computer, this is what we are going to do

For this lab I am using windows client 4.1 (can be found on the Internet). My router is a CISCO 1841 IOS 15.1

Why using the software instead of Portal Web ?

  • AES crypto instead of rc4
  • After connection, you feel like on your own LAN
  • Multiplatform software that can be easily installed on Android devices for free.
  • Use of SSL meaning less firewall issues

but :

  • The software needs to be installed
  • Router crypto card (for my stuff) doesn’t work with AES protocol and so kill my processor !



Let’s start :

Until the end of process :

A network connection is created :


Notre routeur

A policy group is created inside the Webvpn gateway. For a complete topic review, please click here.
webvpn gateway Acces
 hostname Home
 ip interface FastEthernet0/1 port 443
 ssl encryption rc4-md5
ssl trustpoint HomePKI
logging enable
webvpn context Home
 aaa authentication list Distant
gateway Acces
 max-users 5
ssl encryption aes-sha1
ssl authenticate verify all

 policy group Anyconnect
  functions svc-enabled
svc address-pool « SSL »
svc split dns »
svc split include
svc wins-server primary
svc dtls
  • AES is used in the context to encrypt data
  • A split is configured in order to be able to surf on the Internet and send the protected traffic.
  • DTLS activated, Wins server configured (for Windows shared drive)
IP addresses pool
The network connection from Anyconect needs an IP @ and it gets it from this pool.
Easy to configure,  ip local pool @ip start @ip end. In the exemple the pool is named SSL
A virtual interface
A Loopback with an IP address from the pool for routing reason.
interface Loopback100
description SSL
ip address
 no ip redirects
no ip unreachables
no ip proxy-arp

The client


First of all, you need to install the router certificate on your client. Without this step, the software is not able to check your gateway identity
Here some options available from the soft :
Please check « Block connections to untrusted servers » for security reason. If you face certificate problem, uncheck it for testing purpose.
After logging :
We are well connected with IP from our pool.
Compression is possible with ASA but not with routers.
Meaning that traffic to is secured, the rest is treated as usual.

Lien Permanent pour cet article :

Laisser un commentaire

Your email address will not be published.