{"id":167,"date":"2015-06-22T15:16:36","date_gmt":"2015-06-22T15:16:36","guid":{"rendered":"http:\/\/www.balajibandi.com\/blog\/?p=167"},"modified":"2017-02-05T17:55:45","modified_gmt":"2017-02-05T17:55:45","slug":"cisco-asa-setting-up-anyconnect-vpn-with-ssl-and-ipsec","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=167","title":{"rendered":"Cisco ASA: Setting up anyconnect vpn with SSL and IPsec"},"content":{"rendered":"<p>http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/flexvpn\/115941-flexvpn-ikev2-config-00.html<\/p>\n<p>https:\/\/supportforums.cisco.com\/document\/98366\/flexvpn-ikev2-windows-7-builtin-client-ios-headend-part-i-certificate-authentication<\/p>\n<p><b><span style=\"text-decoration: underline;\">Introduction<\/span><\/b><br \/>\nThis post demonstrates how to set up AnyConnect VPN for mobile devices. In this post I am using an Android phone with the AnyConnect ICS+ client. The head end is a Cisco ASA running software version 9.1(4) and ASDM version 7.1, with an AnyConnect Essentials license and an AnyConnect for Mobile license.<\/p>\n<p>This demonstration configures both an IPsec (IKEv2) and an SSL remote access VPN, using AAA and certificate authentication respectively.<\/p>\n<p>Only the user\u2019s traffic to the internal network is tunnelled through the VPN (split tunnelling); all other traffic goes directly to the internet.<\/p>\n<p><a href=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/anyconnect1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3843\" src=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/anyconnect1.png?w=300&amp;h=126\" alt=\"ANYCONNECT1\" width=\"300\" height=\"126\" \/><\/a><\/p>\n<p><b><span style=\"text-decoration: underline;\">Services to be enabled for anyconnect vpn<\/span><\/b><br \/>\n1. Enable AnyConnect (webvpn) on the outside interface of the Cisco ASA.<br \/>\n2. Enable IKEv2 on the outside interface so that clients can negotiate phase 1 with the ASA (<code>crypto ikev2 enable outside client-services port 443<\/code>).<br \/>\n3. Apply the crypto map that carries the IKEv2 phase 2 proposals to the outside interface (<code>crypto map RA_VPN_MAP interface outside<\/code>).<br \/>\n4. Bind the trustpoint holding the identity certificate to the outside interface, for both SSL and IKEv2.<\/p>\n<p><b><span style=\"text-decoration: underline;\">Create anyconnect profile<\/span><\/b><br \/>\nThe AnyConnect profile is an XML file. You can write a simple one by hand in a text editor, but a complete profile is easier to produce with the ASDM AnyConnect profile editor, which is what I used here.<\/p>\n<p><a href=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/asdm-menu-flow.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-3844\" src=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/asdm-menu-flow.png?w=300&amp;h=185\" alt=\"ASDM anyconnect profile editor navigation flow\" width=\"300\" height=\"185\" \/><\/a><\/p>\n<p>Start the profile by listing the servers you intend to publish in its server list. When you click Apply, ASDM adds the command <code>anyconnect profiles YOUR_PROFILE disk0:\/YOUR_PROFILE.xml<\/code> to the webvpn section for you.<\/p>\n<p><b><span style=\"text-decoration: underline;\">Enable anyconnect on the outside interface<\/span><\/b><\/p>\n<div>\n<div id=\"highlighter_926846\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2 highlighted\">3<\/div>\n<div class=\"line number4 index3 alt1 highlighted\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1 highlighted\">8<\/div>\n<div class=\"line number9 index8 alt2 highlighted\">9<\/div>\n<div class=\"line number10 index9 alt1 highlighted\">10<\/div>\n<\/td>\n<td 
class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">conf t<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">webvpn<\/code><\/div>\n<div class=\"line number3 index2 alt2 highlighted\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">enable outside<\/code><\/div>\n<div class=\"line number4 index3 alt1 highlighted\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">anyconnect-essentials<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">anyconnect image disk0:\/anyconnect-linux-3.1.05187-k9.pkg 1<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">anyconnect image disk0:\/anyconnect-win-3.1.05187-k9.pkg 2<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">anyconnect image disk0:\/anyconnect-macosx-i386-3.1.05187-k9.pkg 3<\/code><\/div>\n<div class=\"line number8 index7 alt1 highlighted\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">anyconnect profiles RA_VPN disk0:\/ra_vpn.xml<\/code><\/div>\n<div class=\"line number9 index8 alt2 highlighted\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">anyconnect enable<\/code><\/div>\n<div class=\"line number10 index9 alt1 highlighted\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">tunnel-group-list enable<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Those commands that are required are highlighted. 
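<\/p>
<p>Once the four services from the list at the top are configured, the commands below confirm that each one is actually bound to the outside interface and, after a client connects, that the session came up the way the rest of this post expects. This checklist is an added example, not part of the original post; it assumes the object names used throughout the post (RA_VPN_TP, RA_VPN_MAP, the RA_VPN pool and the LDAP server group) and uses a placeholder account <code>vpnuser<\/code> with password <code>Passw0rd<\/code> that you replace with a real test account.<\/p>
```cisco
! Added verification checklist (assumes the names used in this post; vpnuser and Passw0rd are placeholders).
!
! 1. AnyConnect on outside: expect enable outside, anyconnect enable and the profile line.
show running-config webvpn
!
! 2. IKEv2 on outside with client services on port 443.
show running-config crypto ikev2
!
! 3. crypto map applied to outside, with the dynamic map RA_VPN attached.
show running-config crypto map
!
! 4. identity certificate trustpoint bound to outside for SSL (ssl trust-point) and for IKEv2
!    (crypto ikev2 remote-access trustpoint); the certificate itself must not be expired.
show running-config ssl
show crypto ca certificates RA_VPN_TP
!
! Exercise the AAA path without a client: the ASA binds with ldap-login-dn, finds the user by
! sAMAccountName, then binds again as that user with the supplied password.
test aaa-server authentication LDAP host 192.168.30.2 username vpnuser password Passw0rd
!
! After a client has connected:
! one row per session; the Protocol field tells you whether it is IKEv2 IPsec or SSL-Tunnel.
show vpn-sessiondb anyconnect
! the IKE SA with the client's public address, and the child SA whose encaps and decaps
! counters should both increase while the user passes traffic.
show crypto ikev2 sa
show crypto ipsec sa
! reverse-route injected a host route for the address assigned from the RA_VPN pool.
show route | include 192.168.10.
```
<p>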
You do not need an AnyConnect image installed on the Cisco ASA for a mobile device to connect with AnyConnect ICS+; the images are only served to desktop clients that web-deploy from the ASA.<\/p>\n<p><b><span style=\"text-decoration: underline;\">Create IKEv2 phase 1 proposal<\/span><\/b><br \/>\nIKEv2 phase 1 (the IKE SA; IKEv2 has no formal phases, but Cisco documentation keeps the phase 1 and phase 2 names) is negotiated between client and server to set up the encrypted control channel over which the peers authenticate each other. The policies below list the encryption, integrity, PRF and Diffie-Hellman group the ASA will accept, lowest policy number first. Note that policies 65000 and 65001 still admit MD5, DES, 3DES and DH groups 1 and 2; these are weak by current standards, and a client that negotiates down to them gets correspondingly weak protection, so in production keep only the algorithms your clients actually need.<\/p>\n<div>\n<div id=\"highlighter_970788\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<div class=\"line number17 index16 alt2\">17<\/div>\n<div class=\"line number18 index17 alt1\">18<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">crypto ikev2 policy 1<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">encryption aes-256 aes-192 aes<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">integrity sha256 sha 
md5<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">group 5 2<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">prf sha<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">lifetime seconds 86400<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"plain plain\">crypto ikev2 policy 65000<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">encryption aes-256 aes-192 aes 3des des<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">integrity sha512 sha384 sha256 sha md5<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">group 2<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">prf sha<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">lifetime seconds 86400<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"plain plain\">crypto ikev2 policy 65001<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">encryption aes 3des des<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">integrity sha md5<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">group 5 2 1<\/code><\/div>\n<div class=\"line number17 index16 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">prf 
sha<\/code><\/div>\n<div class=\"line number18 index17 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">lifetime seconds 86400<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">Enable crypto ikev2 on the outside interface<\/span><\/b><br \/>\nThis is required so that remote clients, which are the IKE initiators, can start phase 1 with the Cisco ASA. The <code>client-services port 443<\/code> keyword enables the SSL-based client services that AnyConnect IKEv2 clients use to download the profile and client updates, on the same port as the SSL VPN.<\/p>\n<div>\n<div id=\"highlighter_407906\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">crypto ikev2 enable outside client-services port 443<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">Enable CA trustpoint<\/span><\/b><br \/>\nFor this setup I made the Cisco ASA a local certificate authority: it issued itself a self-signed identity certificate and it issues the user certificates used for authentication. The IKEv2 remote-access trustpoint and the SSL trust-point on the outside interface both have to point at the trustpoint that holds the identity certificate. Because that certificate is self-signed, the ASA\u2019s CA certificate must also be installed as trusted on each device; otherwise AnyConnect warns about, and by default blocks, the connection to an untrusted server.<\/p>\n<div>\n<div id=\"highlighter_667099\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">!RA_VPN_TP is the name of my CA trustpoint<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">crypto ikev2 remote-access trustpoint RA_VPN_TP<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"plain plain\">ssl trust-point RA_VPN_TP outside<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">Proposal for IKEv2 phase 2<\/span><\/b><br \/>\nPhase 2 (the child SA that actually carries the user\u2019s data) is negotiated inside the phase 1 channel. 
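<\/p>
<p>Because the phase 1 policies above and the phase 2 proposals that follow still negotiate MD5, DES, 3DES and DH groups 1, 2 and 5, here is a hardened replacement for both as an added example; it is not part of the original post. It assumes an ASA release and an AnyConnect client that support AES-GCM, SHA-2 and DH groups 14, 19 and 20 for IKEv2 (ASA 9.0 and later with the strong-encryption license do on the head end; check the client you deploy), it reuses the RA_VPN dynamic-map name from the post, and the proposal names AES-GCM and AES-SHA256 and the policy number 10 are my own choices. The weak lines it replaces are quoted in the comments beside the new ones.<\/p>
```cisco
! Added example: hardened IKEv2 phase 1 policies and phase 2 proposals.
! Assumes ASA 9.0+ with the strong-encryption license and a client that supports
! AES-GCM, SHA-2 and DH groups 14, 19 and 20 for IKEv2. Not the original post's config.
!
! --- Phase 1 (IKE SA) ---
! Drop the catch-all policies that still offer md5, des, 3des and groups 1 and 2;
! otherwise a client that downgrades simply lands on them.
no crypto ikev2 policy 65000
no crypto ikev2 policy 65001
!
! Original policy 1 offered: encryption aes-256 aes-192 aes, integrity sha256 sha md5,
! group 5 2, prf sha. Replacement: AES-GCM (an AEAD cipher, so integrity is null),
! ECDH groups 19 and 20 or 2048-bit MODP (group 14), and a SHA-2 PRF.
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 19 20 14
 prf sha256 sha384
 lifetime seconds 86400
! Fallback for clients without AES-GCM: AES-CBC with SHA-2, still no weak groups.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256 sha384
 group 19 20 14
 prf sha256 sha384
 lifetime seconds 86400
!
! --- Phase 2 (child SA) ---
! Original proposals offered esp integrity sha-1 md5 on both, and esp encryption 3des des
! on the second. Replacement: GCM first, AES-CBC with SHA-256 as fallback, nothing weaker.
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal AES-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Point the dynamic map at the new proposals; this replaces the earlier
! set ikev2 ipsec-proposal AES 3DES on the same entry.
crypto dynamic-map RA_VPN 1 set ikev2 ipsec-proposal AES-GCM AES-SHA256
```
<p>After this is applied, a client that can only do the old algorithms fails at IKE_SA_INIT with no proposal chosen, which is the intended outcome. On a successful connection <code>show crypto ikev2 sa<\/code> lists the negotiated cipher, integrity and DH group, so you can confirm which of the two policies was selected.<\/p>
<p>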
The proposals below are offered to connecting peers for the phase 2 negotiation. As with phase 1, both proposals still admit MD5 and the second also admits DES; neither should be offered in production.<\/p>\n<div>\n<div id=\"highlighter_907172\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">crypto ipsec ikev2 ipsec-proposal AES<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">protocol esp encryption aes-256 aes-192 aes<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">protocol esp integrity sha-1 md5<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"plain plain\">crypto ipsec ikev2 ipsec-proposal 3DES<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">protocol esp encryption 3des des<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">protocol esp integrity sha-1 md5<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">Create crypto dynamic-map<\/span><\/b><br \/>\nThe crypto dynamic-map carries the phase 2 proposals. It is attached to a crypto map, and that crypto map is applied to the outside interface. A dynamic map is used because the ASA does not know the clients\u2019 addresses in advance.<\/p>\n<div>\n<div id=\"highlighter_377989\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td 
class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">!Attach phase 2 proposal to the dynamic map.<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">!RA_VPN is the name of the dynamic map.<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"plain plain\">crypto dynamic-map RA_VPN 1 set ikev2 ipsec-proposal AES 3DES<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"plain plain\">!Whenever a vpn peer has successfully connected, <\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"plain plain\">!a static route to the connected peer is injected <\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"plain plain\">!as long as the peer stays connected.<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"plain plain\">crypto dynamic-map RA_VPN 1 set reverse-route<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"plain plain\">!Attach the dynamic map onto crypto map<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"plain 
plain\">crypto map RA_VPN_MAP 1 ipsec-isakmp dynamic RA_VPN<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"plain plain\">!Enable crypto map on the outside interface.<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"plain plain\">crypto map RA_VPN_MAP interface outside<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">IP address pool for VPN users<\/span><\/b><br \/>\nAddresses from this pool are assigned to connected clients; the pool must not overlap any internal subnet.<\/p>\n<div>\n<div id=\"highlighter_147195\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">ip local pool RA_VPN 192.168.10.33-192.168.10.62 mask 255.255.255.224<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">Split tunnel ACL<\/span><\/b><br \/>\nIn a group policy the default split tunnel policy is <code>tunnelall<\/code>, which sends all of the client\u2019s traffic through the VPN. You can instead exclude listed destinations from the tunnel (<code>excludespecified<\/code>) or tunnel only the listed destinations (<code>tunnelspecified<\/code>); in both cases the interesting traffic is defined in a standard ACL.<\/p>\n<p>In this setup, traffic from the VPN user to the subnets or hosts listed in the split tunnel ACL goes through the VPN and everything else goes directly to the internet. Split tunnelling leaves the device reachable from its local network while it is also connected to the internal network, so keep the ACL as narrow as the users actually need.<\/p>\n<div>\n<div id=\"highlighter_872616\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">access-list SPLIT_TUNNEL standard 
permit 192.168.20.0 255.255.255.224<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">access-list SPLIT_TUNNEL standard permit 192.168.30.0 255.255.255.240<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">Group policy<\/span><\/b><br \/>\nThe Cisco ASA ships with a system-generated default group policy, <code>DfltGrpPolicy<\/code>; if a tunnel-group does not name a group policy, the default is used. The default, however, only allows <code>ikev1<\/code>, <code>l2tp-ipsec<\/code> and <code>ssl-clientless<\/code>: it lacks <code>ssl-client<\/code>, which AnyConnect needs for an SSL tunnel, and <code>ikev2<\/code>, which it needs for an IPsec tunnel. For this setup I created custom group policies for the IPsec VPN and for the SSL VPN.<\/p>\n<div>\n<div id=\"highlighter_97283\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">!Cisco ASA default group policy. 
Only the vpn-tunnel-protocol line is shown.<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">group-policy DfltGrpPolicy attributes<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>The group policy for SSL VPN.<\/p>\n<div>\n<div id=\"highlighter_104359\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<div class=\"line number17 index16 alt2\">17<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">group-policy RA_POLICY internal<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">group-policy RA_POLICY attributes<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">wins-server none<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"plain 
spaces\">\u00a0<\/code><code class=\"plain plain\">dns-server value 192.168.30.2<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!protocol required for ssl vpn<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">vpn-tunnel-protocol ssl-client ssl-clientless<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!Traffic destined to the network specified in the ACL will be through VPN.<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">split-tunnel-policy tunnelspecified<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">split-tunnel-network-list value SPLIT_TUNNEL<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">default-domain none<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"plain spaces\">\u00a0<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!VPN IP address pool<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">address-pools value RA_VPN<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">webvpn<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><code class=\"plain spaces\">\u00a0\u00a0<\/code><code class=\"plain plain\">!Anyconnect profile created by ASDM anyconnect profile editor.<\/code><\/div>\n<div class=\"line number17 index16 alt2\"><code class=\"plain spaces\">\u00a0\u00a0<\/code><code 
class=\"plain plain\">anyconnect profiles value RA_VPN type user<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>The group policy for IPsec VPN.<\/p>\n<div>\n<div id=\"highlighter_544868\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">group-policy RA_IPSEC_POLICY internal<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">group-policy RA_IPSEC_POLICY attributes<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">dns-server value 192.168.30.2<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"plain spaces\">\u00a0<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!anyconnect ipsec only requires ikev2, you do not need to follow this.<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain 
plain\">vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!Data destined to the addresses in the ACL is sent via the VPN.<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">split-tunnel-policy tunnelspecified<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">split-tunnel-network-list value SPLIT_TUNNEL<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">default-domain value yourdomain.net<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!VPN IP address pool<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">address-pools value RA_VPN<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">webvpn<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"plain spaces\">\u00a0\u00a0<\/code><code class=\"plain plain\">anyconnect profiles value RA_VPN type user<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">Configure AD as authentication server<\/span><\/b><br \/>\nIn this setup Active Directory, queried over LDAP, is the authentication server for the IPsec VPN. Two things to tighten before production: the bind account below is the domain Administrator, where a dedicated read-only account is enough for the ASA to look up users; and plain LDAP on port 389 carries that bind password and every VPN user\u2019s password in the clear across the inside network, so once the domain controller has a certificate, enable LDAP over SSL on the host entry (<code>ldap-over-ssl enable<\/code> together with <code>server-port 636<\/code>).<\/p>\n<div>\n<div id=\"highlighter_869654\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div 
class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<div class=\"line number17 index16 alt2\">17<\/div>\n<div class=\"line number18 index17 alt1\">18<\/div>\n<div class=\"line number19 index18 alt2\">19<\/div>\n<div class=\"line number20 index19 alt1\">20<\/div>\n<div class=\"line number21 index20 alt2\">21<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">!Define the aaa-server group and its protocol first; in this setup it is LDAP.<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">aaa-server LDAP protocol ldap<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"plain plain\">!Define the IP address of the AD domain controller, reached via the inside interface.<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"plain plain\">aaa-server LDAP (inside) host 192.168.30.2<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!Base DN to search from; in this setup the AD domain is testlab.local.<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">ldap-base-dn dc=testlab,dc=local<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><\/div>\n<div 
class=\"line number10 index9 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!Search the whole subtree below the base DN, not only its direct children.<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">ldap-scope subtree<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!sAMAccountName is the login name attribute for Microsoft Active Directory.<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">ldap-naming-attribute sAMAccountName<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">ldap-login-password *****<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><\/div>\n<div class=\"line number17 index16 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!Bind account the ASA uses to look up users; in this setup I used the Administrator account.<\/code><\/div>\n<div class=\"line number18 index17 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!If you are unsure of the account's DN, on the AD server issue <\/code><\/div>\n<div class=\"line number19 index18 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!this command: dsquery user -samid Administrator<\/code><\/div>\n<div class=\"line number20 index19 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">ldap-login-dn CN=Administrator,CN=Users,DC=testlab,DC=local<\/code><\/div>\n<div class=\"line number21 index20 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">server-type microsoft<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">Tunnel 
group<\/span><\/b><br \/>\nThe group policy is attached to the tunnel group; if no group policy is named, the default group policy is used. The tunnel group is also where the authentication method and the address pool for the connection are chosen.<\/p>\n<p>Tunnel group for SSL VPN. It authenticates by client certificate alone, so any certificate that chains to a CA the ASA trusts is accepted; use <code>authentication aaa certificate<\/code> instead if you also want the user to present a username and password.<\/p>\n<div>\n<div id=\"highlighter_834191\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">tunnel-group RA_VPN_TUN type remote-access<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">tunnel-group RA_VPN_TUN general-attributes<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">address-pool RA_VPN<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!Define the group policy; if none is defined the default group policy is used.<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">default-group-policy RA_POLICY<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"plain plain\">tunnel-group RA_VPN_TUN 
webvpn-attributes<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"plain spaces\">\u00a0<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!Use certificate to authenticate, in ASDM this certificate is installed in CA Certificate.<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">authentication certificate<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"plain spaces\">\u00a0<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!VPN server address, and the user group, in this setup RA1 is the user group.<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">group-url <a href=\"https:\/\/domain.yourdomain.net\/RA1\">https:\/\/domain.yourdomain.net\/RA1<\/a> enable<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Tunnel group for ipsec vpn.<\/p>\n<div>\n<div id=\"highlighter_554043\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 
index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<div class=\"line number17 index16 alt2\">17<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"plain plain\">tunnel-group RA_IPSEC type remote-access<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"plain plain\">tunnel-group RA_IPSEC general-attributes<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"plain spaces\">\u00a0<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!VPN ip address pool<\/code><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">address-pool RA_VPN<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"plain spaces\">\u00a0<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!AD is the authentication server in this setup.<\/code><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">authentication-server-group LDAP<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">default-group-policy RA_IPSEC_POLICY<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><code class=\"plain plain\">tunnel-group RA_IPSEC webvpn-attributes<\/code><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!If authentication method is not defined, authentication aaa is used, <\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!show run will not show &quot;authentication aaa&quot;<\/code><\/div>\n<div 
class=\"line number13 index12 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">authentication aaa<\/code><\/div>\n<div class=\"line number14 index13 alt1\"><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">!group-alias that will appear on anyconnect client after connected.<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">group-alias RA_IPSEC enable<\/code><\/div>\n<div class=\"line number17 index16 alt2\"><code class=\"plain spaces\">\u00a0<\/code><code class=\"plain plain\">group-url <a href=\"https:\/\/domain.yourdomain.net\/\">https:\/\/domain.yourdomain.net<\/a> enable<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><b><span style=\"text-decoration: underline;\">Result<\/span><\/b><br \/>\nThis is the result after you have enabled group-alias in the tunnel-group.<br \/>\n<a href=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/screenshot_2014-11-18-20-52-021.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3854\" src=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/screenshot_2014-11-18-20-52-021.png?w=168&amp;h=300\" alt=\"Screenshot_2014-11-18-20-52-02[1]\" width=\"168\" height=\"300\" \/><\/a><\/p>\n<p>The anyconnect client downloads the anyconnect profile and updates the server list in the client. 
If your anyconnect client does not show the updated server list, check your anyconnect profile, or check whether the group-policy has the correct anyconnect profile assigned.<br \/>\n<a href=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/server-list.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3855\" src=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/server-list.png?w=168&amp;h=300\" alt=\"server-list\" width=\"168\" height=\"300\" \/><\/a><\/p>\n<p><b>IPsec<\/b><br \/>\nTunneling Mode shows split include, which means only traffic destined for the subnets in the split-tunnel ACL is sent through the VPN.<br \/>\n<a href=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/ipsec1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3856\" src=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/ipsec1.png?w=168&amp;h=300\" alt=\"ipsec1\" width=\"168\" height=\"300\" \/><\/a><\/p>\n<p>Protocol and cipher used for the IPsec VPN. Secured routes show the subnet defined in the split tunnel ACL.<br \/>\n<a href=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/ipsec2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3857\" src=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/ipsec2.png?w=168&amp;h=300\" alt=\"ipsec2\" width=\"168\" height=\"300\" \/><\/a><\/p>\n<p><b>SSL vpn<\/b><br \/>\nAlthough it is known as SSL vpn, the protocol supported is TLSv1.<br \/>\n<a href=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/ssl1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-3858\" src=\"https:\/\/cyruslab.files.wordpress.com\/2014\/11\/ssl1.png?w=168&amp;h=300\" alt=\"ssl1\" width=\"168\" height=\"300\" \/><\/a><\/p>\n<div class=\"wpcnt\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/flexvpn\/115941-flexvpn-ikev2-config-00.html 
https:\/\/supportforums.cisco.com\/document\/98366\/flexvpn-ikev2-windows-7-builtin-client-ios-headend-part-i-certificate-authentication Introduction This post demonstrates how to set up anyconnect vpn for your mobile devices. In this post I am using an android mobile phone and downloaded anyconnect ICS+. Cisco ASA software version 9.1(4), ASDM version 7.1, with anyconnect essential license and anyconnect for mobile license. This demonstration will configure IPsec and SSL remote [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-167","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=167"}],"version-history":[{"count":3,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/167\/revisions"}],"predecessor-version":[{"id":170,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/167\/revisions\/170"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_
route=%2Fwp%2Fv2%2Ftags&post=167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}