ASA Anyconnect IKEv2 configuration example


Introduction

Secure VPN remote access has historically been limited to IPsec (IKEv1) and SSL.  These were supported using the "Cisco VPN client" for IPsec-based VPN and Anyconnect for SSL-based VPN.  Each of those products supported only its own protocol; however, with the introduction of Anyconnect Secure Mobility Client 3.0, the client can now use either IPsec (IKEv2) or SSL as the transport for the VPN connection.

 

For SSL based configuration of Anyconnect reference http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

 

The remainder of this document will discuss the steps to configure an ASA to support Anyconnect clients using IKEv2.

 

Requirements

1)     ASA running version 8.4.1 or later

2)     Anyconnect Secure Mobility Client 3.0 or later

3)     License for Anyconnect Peer (either "AnyConnect Essentials" or "AnyConnect Premium Peers")

 

It is possible to configure the setup either through ASDM or via the CLI.  Using the former is the easiest and is listed below along with the CLI commands that are generated.

 

 

Configure via ASDM

1)     Start ASDM

2)     Wizards -> VPN Wizards -> AnyConnect Wizard

3)     Configure a name for the tunnel group: RemoteAccessIKEv2

4) Configure the connection protocols.  It is possible to have both SSL and IPsec connections on the same tunnel group; however, in this example only IPsec will be selected.

5) Upload Anyconnect images to the ASA for each platform that needs to be supported (Windows, Mac, Linux).

6) Configure the user database.  If using the local database, users can be added/removed here.  If using a remote authentication server, configure a new "AAA Server Group" by clicking on the "New..." button.

7) Create a pool of addresses that will get assigned to the VPN clients.

8)  Define the default domain name for the virtual adapter on the client and the internal DNS servers.

9) Allow the VPN traffic to be exempted from NAT when accessing the internal network.

10)  Turn off Web Launch.  This is optional and would require the client to be pre-deployed (much in the same fashion as the Cisco VPN client).

If you wish to keep Web Launch on, then SSL must also be checked in step 3.

11)  Save and apply the configuration.

 

At this point the ASA will have these commands added:

 

 

Commands / Function

Commands:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2 1
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint rtpvpnoutbound7
Function: This adds the IKEv2 policies.  It also specifies the certificate the ASA uses for IKEv2.

Commands:
crypto ikev2 enable outside client-services port 443
ssl trust-point rtpvpnoutbound7 outside
Function: Enables client-services on the outside interface.  It also specifies the certificate the ASA uses for SSL; client-services run over SSL.

Commands:
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
Function: These define the transform sets that IKEv2 can use.

Commands:
crypto map out-map 65000 ipsec-isakmp dynamic out-dyn-map
crypto map out-map interface outside
crypto dynamic-map out-dyn-map 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
Function: This configures the crypto map to use the IKEv2 transform sets.

Commands:
webvpn
 anyconnect image disk0:/anyconnect-linux-3.1.0059-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.0.4235-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-3.0.1047-k9.pkg 5
 anyconnect profiles RemoteAccessIKEv2_client_profile disk0:/RemoteAccessIKEv2_client_profile.xml
 anyconnect enable
Function: This configures the ASA to allow Anyconnect connections and defines the valid Anyconnect images.  If Web Launch is allowed, it will install the clients on the computers on first connect.  In addition, this registers the profile that will be used by the client.

Commands:
group-policy GroupPolicy_RemoteAccessIKEv2 internal
group-policy GroupPolicy_RemoteAccessIKEv2 attributes
 vpn-tunnel-protocol ikev2
 dns-server value 10.1.2.3
 wins-server none
 default-domain value example.com
 webvpn
  anyconnect profiles value RemoteAccessIKEv2_client_profile type user
Function: This configures the group-policy to allow IKEv2 connections and defines which Anyconnect profile the user receives.

Commands:
ip local pool vpnpool 10.7.7.135-10.7.7.140 mask 255.255.255.0
Function: This defines a pool of addresses.

Commands:
tunnel-group RemoteAccessIKEv2 type remote-access
tunnel-group RemoteAccessIKEv2 general-attributes
 default-group-policy GroupPolicy_RemoteAccessIKEv2
 address-pool vpnpool
tunnel-group RemoteAccessIKEv2 webvpn-attributes
 group-alias RemoteAccessIKEv2 enable
Function: This ties the pool of addresses to the VPN connection.

Commands:
object network NETWORK_OBJ_10.7.7.128_28
 subnet 10.7.7.128 255.255.255.240
Function: Defines an object (used by the NAT rule below).

Commands:
nat (inside,outside) 8 source static any any destination static NETWORK_OBJ_10.7.7.128_28 NETWORK_OBJ_10.7.7.128_28
Function: Defines the NAT rule that exempts the VPN traffic from being NATted.

Commands:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com (IPsec)</HostName>
      <HostAddress>203.0.113.10</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
Function: This is the contents of the profile that gets written to the ASA flash as RemoteAccessIKEv2_client_profile.xml.
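The wizard generates one policy and one proposal for every supported algorithm, including the DES/3DES and DH group 1/2 entries listed above. The following is an added example (not part of the article or any Cisco tool) that parses that "show run" style output and reports which generated blocks still offer those weak choices, so an administrator can decide which policies to remove; the sample configuration is a constructed subset of the wizard output.

```python
# Added example, not part of the article: audit the IKEv2 policies and IPsec
# proposals the ASDM wizard generated, flagging DES/3DES, MD5 and DH groups 1/2.
# Constructed sample in 'show run' layout (attributes indented one space).
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 group 5 2 1
crypto ikev2 policy 40
 encryption des
 group 2
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
"""

WEAK_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2"}

def parse_blocks(config):
    """Map each top-level ASA command to the attribute lines indented under it."""
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Return (block, reason) findings for weak algorithm choices, in config order."""
    findings = []
    for header, attrs in parse_blocks(config).items():
        for attr in attrs:
            w = attr.split()
            if w[0] == "encryption" and w[1] in WEAK_CIPHERS:
                findings.append((header, "weak cipher " + w[1]))
            elif w[:3] == ["protocol", "esp", "encryption"] and w[3] in WEAK_CIPHERS:
                findings.append((header, "weak ESP cipher " + w[3]))
            elif w[:3] == ["protocol", "esp", "integrity"] and "md5" in w:
                findings.append((header, "md5 ESP integrity offered"))
            elif w[0] == "group":
                weak = sorted(set(w[1:]) & WEAK_DH_GROUPS)
                if weak:
                    findings.append((header, "weak DH group(s) " + " ".join(weak)))
    return findings
```

Run it against the full wizard output and every block named in a finding is a candidate for `no crypto ikev2 policy N` or a trimmed `set ikev2 ipsec-proposal` list on the dynamic map.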

 

 

Testing

 

If Web Launch was configured, open a web browser on the client and log into the ASA.  The client will download and install itself.  It will connect with TLS/DTLS first.  If you disconnect, quit the client, and then restart the client, there will be a drop-down entry for the IKEv2 connection.  Select it and the client will initiate using IKEv2.

 

If Web Launch was not configured, it will be necessary to manually install the client on the computer and to copy RemoteAccessIKEv2_client_profile.xml into the profile directory.  Start the client and select the drop-down.  The connection will be initiated using IKEv2.

 

The packages to download are:

OS          Package
Windows     anyconnect-win-X.Y.ZZZZ-pre-deploy-k9.iso
Mac OS X    anyconnect-macosx-i386-X.Y.ZZZZ-k9.dmg
Linux       anyconnect-predeploy-linux-X.Y.ZZZZ-k9.tar.gz or anyconnect-predeploy-linux-64-X.Y.ZZZZ-k9.tar.gz

 

 

The profile locations are:

OS                Location
Windows XP        %ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Windows Vista/7   %PROGRAMDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Mac OS X          /opt/cisco/anyconnect/profile/
Linux             /opt/cisco/anyconnect/profile/

 

 

Caveats and Implementation notes

 

Certificates:

 

  • Although RFC 4809 states that the Extended Key Usage extension (or its absence) in the client and server certificates should not prevent successful IKE establishment, the ASA has a set of requirements:

          1) All client certificates must have the EKU extension with the value of "client authentication".

          2) The ASA certificate must have the EKU extension with the value of "server authentication".

The ASA deviates from the RFC in the more conservative direction.  It was chosen to be stricter because, if EKU were ignored, it would be possible to build an IKE connection using a certificate granted solely for "email signing" (or any other usage).  This effectively defeats the security controls added by PKI.

 

  • Currently if client-services is used the certificate for SSL and IKEv2 must reference the same trustpoint.  This is documented in CSCty43072 and will be fixed in AnyConnect version 3.1.
Comments
Beginner

Hi Jay,

 

Although this post is quite old, I hope that I will get some input from you.

As you know, the Cisco IPSec Client VPN is already EOL. We have Cisco IPSec Client VPN (RA VPN) configured (many groups/profiles) on our firewall and are now looking for a smooth migration option to use with AnyConnect Secure Mobility Client.

1. Is there a way that the AnyConnect client can use the same IPsec profile (group-name, pre-shared key etc.)? If so, where would that be configured on the AnyConnect Client? Can the AnyConnect profile (XML) file be used for this?

2. Can AnyConnect also use all IPsec Client VPN features such as vpn-filter, split tunnel, client access rule, simultaneous login, client IP via DHCP etc.?

3. Is there any migration tool to use to convert IPSec RA VPN to AnyConnect?

I would appreciate it if you could give us some advice on this, as currently there are many IPSec RA VPN groups with different configuration settings and we need to keep all of them the same and still use the AnyConnect client, as the IPSec Client is already EOL.  http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html

Thanks in advance.

 

 

 

 

Cisco Employee

1) Anyconnect (using IKEv2 or SSLVPN) doesn't use a pre-shared-key to authenticate the user.  A certificate will be used to authenticate the ASA and either/both user+pass and certificate is used to authenticate the user.  The XML profile is needed just to make the Anyconnect client use IKEv2 rather than the default of SSL when connecting to the ASA.

You can still use the same tunnel-groups and group-policies.  Just make sure "vpn-tunnel-protocol" in the group-policy allows the method you are trying to connect with.

2) Yup - configuration of those attributes is retained and supported with Anyconnect.

3) Via the command line, there is a command that will do most of the work for you: "migrate remote-access ikev2"

Beginner

Hi Jay,

Many thanks for your response.. just one more question..

Is the certificate a must for authentication, or can we use only username/password?

I see there are a few caveats when using certificates.

Thanks..

Cisco Employee

For SSLVPN and IKEv2 (remote-access) the headend (ASA) must use a certificate.

The user can use:

a) Just a certificate

b) Just a user/pass

c) Both a certificate and user/pass (2 factor authentication)

 

Hope that helps

Community Member

I had anyconnect working before; I could log in and see the display, but I couldn't browse the internet. I tried to fix it, and in that process my anyconnect stopped working. Each time I try to reload the image I get this message: " error unable to load anyconnect image-extraction failed ". Any suggestions please.

Beginner

What needs to be changed in order to authenticate using Smart Cards?

Cisco Employee

Christine,

Hopefully this document should help you identify the missing pieces.

http://www.cisco.com/image/gif/paws/107237/CAC-Anyconnect.pdf

-Jay

Beginner

Thank you for your response.  This helps immensely.

Beginner

Jay, in a recent thread you provided a link to a CAC and AnyConnect VPN document. http://www.cisco.com/image/gif/paws/107237/CAC-Anyconnect.pdf 

This actually refers to the Cisco VPN client. Do you have a document that is specifically for CAC and AnyConnect? Preferably 9.x and up. The DOD has mandated two-factor authentication via NIST policy, which is becoming the rule. Thanks!

Beginner

Hi, Jay

 

Thank you for your great post.

I can connect with AnyConnect IKEv2 when I follow the procedures.

 

There is no UserGroup in your sample profile, but is that not a problem for IKEv2 to work?

I have read the note in the link below, but I think the UserGroup is only used with a group-url setting in the configuration.

Or, when I use IKEv2, should I always set UserGroup in the profile regardless of which tunnel-group selection is used?

 

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-technote-anyconnect-00.html

 

  • The UserGroup must match the name of the tunnelgroup to which the IKEv2 connection falls. If they do not match, the connection often fails and the debugs indicate a Diffie-Hellman (DH) group mismatch or a similar false negative.

Best regards,
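One way to verify the quoted rule before deploying a profile, as an added example that is not part of this post or of any Cisco tool: parse the profile XML and the ASA tunnel-group lines and report any IPsec HostEntry whose UserGroup is missing or does not name a remote-access tunnel-group. The sample profile is the one from the article (which has no UserGroup) and the tunnel-group lines are those from its configuration; both are constructed inputs.

```python
# Added example (not from the post or Cisco's tooling): check that every IPsec
# HostEntry in an AnyConnect profile carries a UserGroup naming an existing
# remote-access tunnel-group, as the note quoted above requires.
import xml.etree.ElementTree as ET

NS = "{http://schemas.xmlsoap.org/encoding/}"  # namespace used by the profile

# Constructed input: the article's sample profile, which has no UserGroup.
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com (IPsec)</HostName>
      <HostAddress>203.0.113.10</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed input: the tunnel-group lines from the article's ASA configuration.
ASA_CONFIG = """\
tunnel-group RemoteAccessIKEv2 type remote-access
tunnel-group RemoteAccessIKEv2 general-attributes
 default-group-policy GroupPolicy_RemoteAccessIKEv2
"""

def tunnel_groups(asa_config):
    """Names from 'tunnel-group NAME type remote-access' lines."""
    names = set()
    for line in asa_config.splitlines():
        w = line.split()
        if w[:1] == ["tunnel-group"] and w[2:4] == ["type", "remote-access"]:
            names.add(w[1])
    return names

def check_profile(profile_xml, asa_config):
    """Return one problem string per inconsistent IPsec HostEntry (empty = OK)."""
    problems, groups = [], tunnel_groups(asa_config)
    root = ET.fromstring(profile_xml.encode("utf-8"))
    for entry in root.iter(NS + "HostEntry"):
        host = entry.findtext(NS + "HostName", default="?")
        if entry.findtext(NS + "PrimaryProtocol", default="SSL") != "IPsec":
            continue  # only IKEv2/IPsec entries are subject to the rule
        group = entry.findtext(NS + "UserGroup")
        if group is None:
            problems.append(host + ": IPsec entry has no UserGroup")
        elif group not in groups:
            problems.append(host + ": UserGroup " + group + " is not a tunnel-group")
    return problems
```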

Enthusiast

This does not seem to be the correct configuration.

You should go to Wizards and then select "Remote access IKEv2" from the list; then you will get the image below.

 

[Screenshot: IKEv2.PNG]

Beginner

Hi,

 

Does anyone know the OSL profile location for Windows 10? Because of special requirements, I had to configure IKEv2 manually.

Many thanks

 

Peter

 

 

 

 
