There are plenty of tutorials on setting up AnyConnect on an ASA unit, and a handful of links noting that IOS 12.4(15) and later support AnyConnect, but I can't seem to find any good documentation about how to set up AnyConnect on IOS; most tutorials assume you only want a clientless VPN on IOS. The best I've found is this document on Cisco's site, but it's not working for me in practice - see below.
This is all on a Cisco 881W:
router#show version | include Version
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(20)T1, RELEASE SOFTWARE (fc3)
ROM: System Bootstrap, Version 12.4(15r)XZ2, RELEASE SOFTWARE (fc1)
The old SSL VPN Client seems to install just fine:
router#show webvpn install status svc
SSLVPN Package SSL-VPN-Client version installed:
CISCO STC win2k+ 1.0.0
1,1,4,176
Thu 08/16/2007 12:37:00.43
However, when I install the AnyConnect client, after authenticating it hangs for a while during the self-update process, and stops with an error that the "AnyConnect package unavailable or corrupted."
When I try to install the AnyConnect package on the router, I'm told that it's an invalid archive:
router(config)#webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg
SSLVPN Package SSL-VPN-Client (seq:2): installed Error: Invalid Archive
Does anyone have a good sample on how to get the 2.x AnyConnect clients working with a Cisco device running IOS?
I have a TAC case open to see if any good documentation exists for this, but I did get a basic installation up and running using SDM 2.5. Unfortunately SDM will NOT recognize that AnyConnect is installed even though it is. You will need to install the AnyConnect packages manually and then set up the rest in SDM.
First... install the AnyConnect packages. I use the Windows and Mac packages. TFTP them onto the router and install them using (from conf t):
webvpn install svc flash:/windows_package_name.pkg sequence 1
webvpn install svc flash:/mac_package_name.pkg sequence 2
It will install and your config will have lines like this:
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install svc flash:/webvpn/svc_2.pkg sequence 2
Now you can go into SDM and run the wizard....
Hope this helps!
-Andy
Updating: I got a reply on my TAC case....here are the URLs Cisco sent me:
Here is the IOS SSL VPN Data Sheet that explains what features are available
www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/product_data_sheet0900aecd80405e25.html
Here is the IOS SSL VPN CLI Configuration Guide:
www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ssl_vpn.html
Here are several IOS SSL VPN Configuration Examples & TechNotes:
www.cisco.com/en/US/products/ps6657/prod_configuration_examples_list.html
It turns out the "Error: Invalid Archive" part was the key thing. The archives were corrupt. I'd been using TFTPD32 as a basic TFTP server to transfer the AnyConnect package files to the router; somewhere along the line they got corrupted. I discovered this by running
verify flash:filename
and by also trying to upgrade the IOS release; before reloading the system it automatically does a verify on the new IOS image, and sure enough the image was corrupt, too. I switched to using an FTP server to copy my images (copy ftp://x.x.x.x/filename.pkg flash:/webvpn/filename.pkg) and the webvpn install svc command started working.
You are not using the correct image.
Search for these images: sslclient-win-1.1.4.179.pkg sslclient-win-1.1.4.176-anyconnect.pkg anyconnect-linux-2.4.0202-k9.tar.gz csd_3.4.2048.pkg
I had this problem as well. It was because I did not have enough space on the flash RAM on my router (877) to upload the AnyConnect client. You need to have at least twice the size of the client available as it uploads it and then moves it to the webvpn folder. I ended up upgrading the flash RAM and then it worked first time.
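Added example, not part of the thread: a workstation-side check covering the two causes reported above, a package corrupted in transfer and too little free flash. It assumes you paste in the result line of the IOS `verify /md5` command and the summary line of `dir flash:`; the router output and the stand-in package bytes below are constructed, and the function names are hypothetical.

```python
import hashlib
import re

# Constructed sample of router output (not captured from a real device):
# the result line of `verify /md5` and the summary line of `dir flash:`.
SAMPLE_ROUTER_OUTPUT = """\
router#verify /md5 flash:/webvpn/filename.pkg
....Done!
verify /md5 (flash:/webvpn/filename.pkg) = 5eb63bbbe01eeed093cb22bb8f5acdc3
router#dir flash:
128237568 bytes total (60000 bytes free)
"""

# Constructed stand-in for the package contents; in practice read the
# .pkg file from disk with open(path, "rb").read().
SAMPLE_PACKAGE = b"hello world"

MD5_LINE = re.compile(r"verify /md5 \((?P<path>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})")
FREE_LINE = re.compile(r"(?P<total>\d+) bytes total \((?P<free>\d+) bytes free\)")


def local_md5(data: bytes) -> str:
    """MD5 of the package as held on the workstation (integrity check only)."""
    return hashlib.md5(data).hexdigest()


def check_transfer(router_output: str, package: bytes) -> dict:
    """Compare router-reported MD5 and free flash against the local package.

    Each result is True/False, or None when the matching line is absent.
    """
    result = {"md5_ok": None, "space_ok": None}
    md5_match = MD5_LINE.search(router_output)
    if md5_match:
        # A mismatch means the copy in flash differs from the local file,
        # as happened with the TFTP transfers described in the thread.
        result["md5_ok"] = md5_match["md5"].lower() == local_md5(package)
    free_match = FREE_LINE.search(router_output)
    if free_match:
        # The thread reports needing at least twice the package size free,
        # because the file is uploaded and then moved into the webvpn folder.
        result["space_ok"] = int(free_match["free"]) >= 2 * len(package)
    return result


if __name__ == "__main__":
    print(check_transfer(SAMPLE_ROUTER_OUTPUT, SAMPLE_PACKAGE))
```

Run the free-space part before copying the package and the MD5 part after the copy, before `webvpn install svc`.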