
AnyConnect SMC - Pure IKEv2 Connection With ASA as Headend




AnyConnect, as you all know, has long been known as an SSL VPN client (for both ASA and IOS headends), but that is no longer the whole story, thanks to IKEv2. Recent IKEv2 advancements on both ASA and IOS have made AnyConnect 'THE' IKEv2 client. However, the IKEv2 mode of the AnyConnect client was designed to carry over the advanced features of the AnyConnect SSL client, such as web deployment and automatic profile updates. Because of this, the IKEv2 tunnel is not a pure IPsec tunnel by default: it still requires an SSL connection to enable those features, collectively known as "client services". In this document we will see how to configure an ASA and an AnyConnect client so that the requirement for client services, and for SSL, is eliminated completely.

AnyConnect IKEv2 with ASA as headend


  • ASA 5500 running 8.4.1 or above
  • AnyConnect License on ASA - Either AnyConnect Essentials or AnyConnect Premium Peers (Default: 2 AnyConnect Premium Peers)
  • AnyConnect 3.x

Configuration Steps

For Reference:

Connecting AnyConnect with ASA as Headend and SSL as the primary protocol



Step 1: Get a certificate (I am using Self-Signed-Certificate) or Get a third party certificate

Step 2: Load AnyConnect SMC Package on the ASA:

Step 3: Enable WebVPN on an interface and Allow AnyConnect

Step 4: Create a Group-Policy

Step 5: Configure the Connection Profile aka Tunnel-Group

Step 6: AnyConnect XML Profile Configuration:

Step 7: Add IKEv2 policies and Enable it on the desired Interface:

Step 8: Add IPSec Config and Enable it on the desired Interface:

Step 9: Users (In my case: Local Database)

Step 10: Configure AnyConnect Profile


Let us start with configuring the ASA from scratch. I will focus on CLI only:





! RSA Keys
! Note: a 1024-bit modulus is used here for the lab; for production generate at least a 2048-bit key.


crypto key generate rsa general-keys label ASA-SSC modulus 1024




! Self-Signed Certificate trustpoint


crypto ca trustpoint ASA-SSC
     enrollment self
     keypair ASA-SSC
     crl configure


crypto ca enroll ASA-SSC noconfirm


ssl trust-point ASA-SSC


! show crypto key mypubkey rsa
! show crypto ca trustpoint
! show crypto ca certificate
! show run all ssl


! AnyConnect Package (copy to flash)
copy ftp://praveen:******@ flash


! Global Webvpn Config


webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable


! about the profile, check the "Profile" Section below.




! Split-Tunnel Access-list


access-list split standard permit host




! Group-Policy


group-policy IKEV2 internal
group-policy IKEV2 attributes
     wins-server none
     dns-server value
     vpn-tunnel-protocol ikev2
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value


! VPN Client Pool


ip local pool VPN_POOL mask



! show run tunnel-group AnyConnect


tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
     address-pool VPN_POOL
     default-group-policy IKEV2
tunnel-group AnyConnect webvpn-attributes
     group-alias AnyConnect enable
     group-url enable


! Make sure the group-url is: https://<fqdn/ip-address>/<Tunnel-Group-Name> and

! make sure it is consistent with the way the Server-Entry in the profile is defined (as below)


! show run crypto ikev2


! Note: DH group 2 and SHA-1 are legacy choices kept here as in the lab; use a larger DH group
! and SHA-2 integrity/PRF where the ASA release and the client support them.
crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2
     prf sha
     lifetime seconds 86400

crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2
     prf sha
     lifetime seconds 86400


crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASA-SSC


!  Note: Due to the Bug CSCty43072, if you are using one of the affected HostScan images,
! use the same trustpoint for IKEv2 and SSL, as I have done above.
! Bug Link :


! show run crypto dynamic-map


! Note: pfs group1 (768-bit DH) and the DES/3DES proposals are weak; in production keep only the
! AES proposals and use a larger PFS group.
crypto dynamic-map DynMap 1000 set pfs group1
crypto dynamic-map DynMap 1000 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES



! show run crypto map


crypto map outside_map 1000 ipsec-isakmp dynamic DynMap
crypto map outside_map interface outside



! show run username


username pshanubh password ******
username pshanubh attributes
     vpn-group-policy IKEV2




! Refer to the attached profile (anyconnect.xml) for a template. It is reusable after editing the HostName, HostAddress and UserGroup.

! Load the attached xml to:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

(Or %PROGRAMDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile)











! Here the UserGroup must be identical to the tunnel-group with which this profile is attached.


Important Note: Notice how the Profile is loaded only on the client machines, and not on the ASA. Refer to the upcoming Client-Services and Profile update section in this article.
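The two consistency rules stated above (the group-url must be https://<fqdn/ip-address>/<Tunnel-Group-Name>, and the profile's UserGroup must be identical to the tunnel-group name) are easy to get wrong by hand, so here is a small checker. This is an added example, not code from the original document or from Cisco: it parses the HostEntry of an AnyConnect XML profile and the tunnel-group / group-url lines of an ASA running-config, and reports any mismatch, including a PrimaryProtocol that is not IPsec (which would make the client start with SSL). The profile and config text below are constructed sample data; vpn.example.com and the group-url are assumed values, since the document's attachment and its real host are not on the page.

```python
"""Cross-check an AnyConnect client profile against the ASA tunnel-group configuration."""
import re
import xml.etree.ElementTree as ET

# Constructed sample profile (assumed host name/address; element names follow the AnyConnect profile schema).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Lab ASA (pure IKEv2)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>AnyConnect</UserGroup>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed ASA excerpt; the group-url host is an assumption for the example.
SAMPLE_ASA_CONFIG = """
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN_POOL
 default-group-policy IKEV2
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
 group-url https://vpn.example.com/AnyConnect enable
"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def parse_host_entries(profile_xml):
    """Return one dict per <HostEntry> with HostName, HostAddress, UserGroup and PrimaryProtocol."""
    root = ET.fromstring(profile_xml)
    entries = []
    for host in root.findall("ac:ServerList/ac:HostEntry", NS):
        entry = {}
        for tag in ("HostName", "HostAddress", "UserGroup", "PrimaryProtocol"):
            el = host.find("ac:" + tag, NS)
            entry[tag] = el.text.strip() if el is not None and el.text else None
        entries.append(entry)
    return entries


def parse_tunnel_groups(asa_config):
    """Map each tunnel-group name to the list of group-urls enabled under it."""
    groups = {}
    current = None
    for line in asa_config.splitlines():
        m = re.match(r"tunnel-group (\S+) \S+", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        m = re.match(r"\s+group-url (\S+) enable", line)
        if m and current is not None:
            groups[current].append(m.group(1))
    return groups


def check_profile(profile_xml, asa_config):
    """Return a list of findings; an empty list means profile and ASA agree."""
    findings = []
    groups = parse_tunnel_groups(asa_config)
    for entry in parse_host_entries(profile_xml):
        label = entry["HostName"] or entry["HostAddress"]
        if entry["PrimaryProtocol"] != "IPsec":
            findings.append(f"{label}: PrimaryProtocol is {entry['PrimaryProtocol']!r}; "
                            "it must be IPsec for the client to start with IKEv2")
        group = entry["UserGroup"]
        if group not in groups:
            findings.append(f"{label}: UserGroup {group!r} is not a tunnel-group on the ASA")
            continue
        # Only enforce the URL form when a group-url is actually configured for that tunnel-group.
        expected = f"https://{entry['HostAddress']}/{group}"
        if groups[group] and expected.lower() not in (u.lower() for u in groups[group]):
            findings.append(f"{label}: group-url {groups[group]} does not match expected {expected}")
    return findings


if __name__ == "__main__":
    for line in check_profile(SAMPLE_PROFILE, SAMPLE_ASA_CONFIG) or ["OK: profile and tunnel-group agree"]:
        print(line)
```

Run it against the real profile and a `show run tunnel-group` capture before deploying the XML to %PROGRAMDATA%; a UserGroup typo shows up here rather than as a silent fallback to the default tunnel-group.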

For More info:





Now that the profile (attached to this document) exists on the PC, instructing the client to initiate an IPsec session (and the only way the AnyConnect client knows how to do IPsec is IKEv2), you will see the following on the ASA:


Notice how it says IKEv2 IPSecOverNatT:


#  sh vpn-sess anyconnect

Session Type: AnyConnect

Username     : pshanubh               Index        : 9499
Assigned IP  :                Public IP    :
Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
License      : AnyConnect Premium
Encryption   : AES256                 Hashing      : none SHA1
Bytes Tx     : 0                      Bytes Rx     : 1325
Group Policy : IKEV2                  Tunnel Group : AnyConnect
Login Time   : 07:20:33 UTC Fri Mar 23 2012
Duration     : 0h:00m:03s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


If you want to see more detailed output,

show vpn-sessiondb detail anyconnect


and the IKEv2 Security Association:


# show crypto ikev2 sa

IKEv2 SAs:

Session-id:14, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
994834887      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/65 sec
Child sa: local selector -
          remote selector -
          ESP spi in/out: 0x7f8cf6fb/0x4b1ce95b

If you want to see more detailed output,

show crypto ikev2 sa detail
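The proof that the connection really is pure IKEv2 is in the Protocol field above: it lists IKEv2 IPsecOverNatT and AnyConnect-Parent, with no SSL-Tunnel or DTLS-Tunnel entry. The following script automates that check. It is an added example, not code from the original document or from Cisco: it parses the text of `show vpn-sessiondb anyconnect` and `show crypto ikev2 sa`, reports any SSL/DTLS protocol in the session (which would mean client services are still in use), and flags legacy algorithms in the negotiated IKE SA such as the DH group 2 and SHA-1 (SHA96) seen above. The sample output embedded below is constructed and modelled on the fields shown on this page; the username and addresses are assumed values.

```python
"""Verify a pure-IKEv2 AnyConnect session from ASA show output and flag weak IKE algorithms."""
import re

# Constructed sample output modelled on `show vpn-sessiondb anyconnect`; values are assumed.
SAMPLE_SESSIONDB = """\
Session Type: AnyConnect

Username     : alice                  Index        : 9499
Assigned IP  : 192.0.2.10             Public IP    : 198.51.100.7
Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
License      : AnyConnect Premium
Encryption   : AES256                 Hashing      : none SHA1
Group Policy : IKEV2                  Tunnel Group : AnyConnect
"""

# Constructed sample output modelled on `show crypto ikev2 sa`; addresses are assumed.
SAMPLE_IKEV2_SA = """\
IKEv2 SAs:

Session-id:14, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
994834887   203.0.113.1/4500   198.51.100.7/4500   READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/65 sec
"""

# Any of these in the Protocol field means the client is using SSL/DTLS (client services).
SSL_PROTOCOLS = {"SSL-Tunnel", "DTLS-Tunnel", "Clientless"}
# Assumed baseline for flagging: DH groups below 2048 bits and SHA-1/MD5 class integrity.
WEAK_DH_GROUPS = {1, 2, 5}
WEAK_HASHES = {"SHA96", "SHA1", "MD5", "MD596"}

# The ASA prints one or two "Label : value" columns per line.
TWO_COL = re.compile(r"^(\S.*?)\s*:\s*(.*?)\s{2,}(\S.*?)\s*:\s*(.*)$")
ONE_COL = re.compile(r"^(\S.*?)\s*:\s*(.*)$")


def parse_sessions(text):
    """Split `show vpn-sessiondb anyconnect` output into per-session dicts of label -> value."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("Session Type:"):
            current = {}
            sessions.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = TWO_COL.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
            current[m.group(3)] = m.group(4).strip()
            continue
        m = ONE_COL.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    return sessions


def parse_ike_sa(text):
    """Extract the algorithm line of the first IKE SA in `show crypto ikev2 sa` output."""
    m = re.search(r"Encr:\s*([^,]+),\s*keysize:\s*(\d+),\s*Hash:\s*([^,]+),\s*DH Grp:\s*(\d+),"
                  r"\s*Auth sign:\s*([^,]+),\s*Auth verify:\s*(\S+)", text)
    if not m:
        return None
    return {"encr": m.group(1).strip(), "keysize": int(m.group(2)), "hash": m.group(3).strip(),
            "dh_group": int(m.group(4)), "auth_sign": m.group(5).strip(), "auth_verify": m.group(6)}


def assess(sessiondb_text, ikev2_sa_text):
    """Return (pure_ikev2, findings): pure_ikev2 is True only if every session is IKEv2 with no SSL/DTLS."""
    findings = []
    sessions = parse_sessions(sessiondb_text)
    pure_ikev2 = bool(sessions)
    for s in sessions:
        protos = set(s.get("Protocol", "").split())
        user = s.get("Username", "?")
        if protos & SSL_PROTOCOLS:
            pure_ikev2 = False
            findings.append(f"{user}: SSL/DTLS present {sorted(protos & SSL_PROTOCOLS)}; client services are in use")
        if "IKEv2" not in protos:
            pure_ikev2 = False
            findings.append(f"{user}: no IKEv2 in protocol list {sorted(protos)}")
    sa = parse_ike_sa(ikev2_sa_text)
    if sa is not None:
        if sa["dh_group"] in WEAK_DH_GROUPS:
            findings.append(f"IKE SA: DH group {sa['dh_group']} is below 2048-bit strength")
        if sa["hash"].upper() in WEAK_HASHES:
            findings.append(f"IKE SA: integrity {sa['hash']} is SHA-1/MD5 class; prefer SHA-2")
        if sa["encr"].upper().split("-")[0] in {"DES", "3DES"} or sa["keysize"] < 128:
            findings.append(f"IKE SA: encryption {sa['encr']} keysize {sa['keysize']} is weak")
    return pure_ikev2, findings


if __name__ == "__main__":
    pure, notes = assess(SAMPLE_SESSIONDB, SAMPLE_IKEV2_SA)
    print("pure IKEv2:", pure)
    for n in notes:
        print(" -", n)
```

Feed it the real output of the two show commands; a session that silently fell back to SSL (for example because the profile never reached the client) is reported immediately, and the IKE SA findings show which of the lab's legacy policy settings to tighten.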


Can someone confirm whether it is mandatory to import the client profile to the local machine or not? I've been through the Cisco Press VPN book and it doesn't mention this step as being necessary. However it wasn't working until I did this :S.

Would be grateful for any information on this.



Are there plans to support the Windows 7 native client with IKEv2 and the ASA?


I am not sure if you have heard, but ASA 9.3(2) now supports Windows 7 Built-in IKEv2 client:

Feature name:

Interoperability with standards-based, third-party, IKEv2 remote access clients


Cisco Employee

Hi kalebaks86,


It is mandatory to import the AnyConnect client profile on the client machine when you have client-services disabled for the IKEv2 RAVPN connection, to tell the client to initiate the connection using IPSec/IKEv2. This should be done after you've selected the Primary protocol as IPSec, as the default is set to SSL.

As the client-services are disabled (no SSL connection, but pure IKEv2) in the above scenario, if you deploy the AnyConnect profile on the ASA it won't be pushed to the client, as that is only done over an SSL connection and not an IKEv2 connection.

Hope that makes sense.