cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

AnyConnect SMC - Pure IKEv2 Connection With ASA as Headend

9133
Views
5
Helpful
4
Comments

 

Introduction

AnyConnect, as you all know, has been a well-known SSL VPN Client (both  for ASA and IOS headends), but not anymore, thanks to IKEv2. Recent  advancements in IKEv2 technology both in ASA and IOS, have made  AnyConnect 'THE' IKEv2 Client. However, the ikev2 version of the AC client was designed to incorporate the existing advanced features of the Anyconnect SSL client, like web deployment or automatic profile updates and so forth. Because of this, the ikev2 tunnel isn't a pure IPSEC tunnel, instead it requires SSL to enable all these features, otherwise known as "client services".  In this document we will see how to configure an ASA and an AnyConnect client, which eliminates the requirement for client services and ssl completely.

AnyConnect IKEv2 with ASA as headend

Requirements

  • ASA 5500 running 8.4.1 or above
  • AnyConnect License on ASA - Either AnyConnect Essentials or AnyConnect Premium Peers (Default: 2 AnyConnect Premium Peers)
  • AnyConnect 3.x

Configuration Steps

For Reference:

Connecting AnyConnect with ASA as Headend and SSL as the primary protocol

 

Overview

Step 1: Get a certificate (I am using Self-Signed-Certificate) or Get a third party certificate

Step 2: Load AnyConnect SMC Package on the ASA:

Step 3: Enable WebVPN on an interface and Allow AnyConnect

Step 4: Create a Group-Policy

Step 5: Configure the Connection Profile aka Tunnel-Group

Step 6: AnyConnect XML Profile Configuration:

Step 7: Add IKEv2 policies and Enable it on the desired Interface:

Step 8: Add IPSec Config and Enable it on the desired Interface:

Step 9: Users (In my case: Local Database)

Step 10: Configure AnyCOnnect Profile

 

Let us start with configuring the ASA from scratch. I will focus on CLI only:

 

Configuration

 

 

! RSA Keys

 

crypto key generate rsa general-keys label ASA-SSC modulus 1024

 

 

 

! Self-Signed Certificate trustpoint

 

crypto ca trustpoint ASA-SSC
     enrollment self
     fqdn bsns-asa5585-40-2.cisco.com
     subject-name cn=bsns-asa5585-40-2.cisco.com
     keypair ASA-SSC
     crl configure

 


crypto ca enroll ASA-SSC noconfirm

 


ssl trust-point ASA-SSC

 


! show crypto key mypubkey rsa
! show crypto ca trustpoint
! show crypto ca certificate
! show run all ssl

 


copy ftp://praveen:******@10.1.1.1/anyconnect-win-3.0.5080-k9.pkg flash

 


! Global Webvpn Config

 

webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable

 

! about the profile, check the "Profile" Section below.

 

 

 

! Split-Tunnel Access-list

 

access-list split standard permit host 10.1.1.1

 

 

 

! Group-Policy

 

group-policy IKEV2 internal
group-policy IKEV2 attributes
     wins-server none
     dns-server value 10.1.1.1
     vpn-tunnel-protocol ikev2
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value cisco.com

 


! VPN Client Pool

 

ip local pool VPN_POOL 10.2.2.1-10.2.2.50 mask 255.255.255.0

 

 

! show run tunnel-group AnyConnect

 

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

     address-pool VPN_POOL

     default-group-policy IKEV2

tunnel-group AnyConnect webvpn-attributes

     group-alias AnyConnect enable

     group-url https://bsns-asa5585-40-2.cisco.com/AnyConnect enable

 

! Make sure the group-url is: https://<fqdn/ip-address>/<Tunnel-Group-Name> and

! make sure it is consistent with the way the Server-Entry in the profile is defined (as below)

 

! show run crypto ikev2

 

crypto ikev2 policy 10

     encryption aes-192

     integrity sha

     group 2

     prf sha

     lifetime seconds 86400


crypto ikev2 policy 20
     encryption aee
     integrity sh
     group 2
     prf sha
     lifetime seconds 86400

 


crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASA-SSC

 


!  Note: Due to the Bug: CSCty43072, if you are using one of the affected HostScan Images:
! use the same Trustpoint for IKEv2 and SSL as i have done  above
! Bug Link : http://goo.gl/Rkp3n

 


! show run crypto dynamic-map

 

crypto dynamic-map DynMap 1000 set pfs group1
crypto dynamic-map DynMap 1000 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

 

 

! show run crypto map

 

crypto map outside_map 1000 ipsec-isakmp dynamic DynMap
crypto map outside_map interface outside

 

 

! show run username

 

username pshanubh password ******
username pshanubh attributes
     vpn-group-policy IKEV2

 

 

Profile

! Refer to the attached profile (anyconnect.xml) for template. It is reusable after editing the HostName,HostAddress and UserGroup

! Load the attached xml to:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

(Or %PROGRAMDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile)

 

<ServerList>

          <HostEntry>

                <HostName>ASA-5585</HostName>

                <HostAddress>bsns-asa5585-40-2.cisco.com</HostAddress>

                <UserGroup>AnyConnect</UserGroup>

          <PrimaryProtocol>IPsec</PrimaryProtocol>

          </HostEntry>

    </ServerList>

 

! Here the UserGroup must be identical to the tunnel-group with which this profile is attached.

 

Important Note: Notice how the Profile is loaded only on the client machines, and not on the ASA. Refer to the upcoming Client-Services and Profile update section in this artical.

For More info:

https://supportforums.cisco.com/docs/DOC-23465

 

 

Verification

 

Now  that the profile (attached to this doc) exists on the PC, which dictates the client to  initiate an IPSec Session and the only way the AnyConnect client knows  how to perform IP-Security is using IKEv2, you will see the following on  the ASA:

 

Notice how it says IKEv2 IPSecOverNatT:

 

#  sh vpn-sess anyconnect

Session Type: AnyConnect

Username     : pshanubh               Index        : 9499

Assigned IP  : 2.2.2.1                Public IP    : 144.254.7.183

Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent

License      : AnyConnect Premium

Encryption   : AES256                 Hashing      : none SHA1

Bytes Tx     : 0                      Bytes Rx     : 1325

Group Policy : IKEV2                  Tunnel Group : AnyConnect

Login Time   : 07:20:33 UTC Fri Mar 23 2012

Duration     : 0h:00m:03s

Inactivity   : 0h:00m:00s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

 

If you want to see more detailed output,

show vpn-sessiondb detail anyconnect

 

and the IKEv2 Security Association:

 

# show crypto ikev2 sa

 

IKEv2 SAs:

Session-id:14, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role

994834887     10.48.67.233/4500   144.254.7.183/55624      READY    RESPONDER

      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: RSA, Auth verify: EAP

      Life/Active Time: 86400/65 sec 

Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535

          remote selector 2.2.2.1/0 - 2.2.2.1/65535

          ESP spi in/out: 0x7f8cf6fb/0x4b1ce95b

If you want to see more detailed output,

show crypto ikev2 sa detail
Comments
Beginner

Hi,

Can someone confirm whether this it is mandatory to import the client profile to the local machine or not? I've been through the Cisco Press VPN book and it doesn't mention this step as being neccesary. However it wasn't working until i did this :S.

Would be grateful for any information on this.

Thanks

Enthusiast

Are there plans to support the Windows 7 native client with IKEv2 and the ASA?

Roberto,

I am not sure if you have heard, but ASA 9.3(2) now supports Windows 7 Built-in IKEv2 client:

http://goo.gl/UZllWZ

Feature name:

Interoperability with standards-based, third-party, IKEv2 remote access clients

 

Cisco Employee

Hi kalebaks86,

 

It is mandatory to import the AnyConnect client profile on the client machine when you've client-services disabled for IKEv2 RAVPN connection to tell the client to initiate the connection using IPSec/IKEv2. This should be done after you've selected the Primary protocol to IPSec as the default is set to SSL.

As the client-services are disabled (no SSL connection but pure IKEv2 ) in the above scenario, if you deploy the AnyConnect profile on the ASA it won't be pushed to the client as it is only done over an SSL connection and not IKEv2 connection.

Hope that makes sense.