Native macOS client and ASA IKEv2

paul_j_teeter · ‎11-17-2018

I have a 5506-X appliance running 9.9(2) software. Have been struggling to get IKEv2 support for native Apple clients working...macOS first then will worry about iOS.

At this point *I think* I'm close.

I've defined a custom IPSec IKEv2 proposal that appears to support what macOS wants:

crypto ipsec ikev2 ipsec-proposal AppleNativeClient
 protocol esp encryption aes-256 aes 3des
 protocol esp integrity sha-256 sha-1

I've modified the IKEv2 policies to conform to what macOS offers:

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 50
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

I've extended the dynamic crypto map to support the 'AppleNativeClient':

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev2 ipsec-proposal AppleNativeClient

(Don't worry this a lab deployment...so default configuration is acceptable.) I've defined a new group-policy to support these Apple native clients:

group-policy IKEv2 internal
group-policy IKEv2 attributes
 dns-server value 10.0.20.80 10.0.20.69
 vpn-tunnel-protocol ikev2 
 default-domain value int.XXXXXX.net
 address-pools value IPSecIKEv1_IPv4_Pool

Finally, I've modified the 'DefaultRAGroup' for this group-policy...hoping to rely simply on a pre-shared key for starters:

tunnel-group DefaultRAGroup general-attributes
 default-group-policy IKEv2
tunnel-group DefaultRAGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

With the macOS client configured for 'Shared Secret', connection attempts continue to fail. The error message that troubles me most is:

%ASA-3-751020: Local:10.0.20.8:4500 Remote:10.0.21.58:4500 Username:DefaultRAGroup IKEv2 An IPsec remote access connection failed. Attempting to use an NSA Suite B crypto algorithm (AES-GCM/GMAC encryption or SHA-2 integrity) without an AnyConnect Premium license.

I even went to far as to secure a test/temporary AnyConnect Premium license in hopes this might address the issue, no luck. Possibly this message is a distraction...I'm not certain? A little later in the debug, I see:

IKEv2-PROTO-4: (19): Processing IKE_AUTH message
IKEv2-PROTO-2: (19): Failed to find a matching policy
IKEv2-PROTO-2: (19): Received Policies: 
ESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN

ESP: Proposal 2: AES-CBC-256 SHA256 Don't use ESN

ESP: Proposal 3: AES-CBC-256 SHA256 Don't use ESN

ESP: Proposal 4: AES-CBC-128 SHA96 Don't use ESN

ESP: Proposal 5: 3DES SHA96 Don't use ESN

IKEv2-PROTO-2: (19): Failed to find a matching policy
IKEv2-PROTO-2: (19): Expected Policies: 
IKEv2-PROTO-2: (19): Failed to find a matching policy
IKEv2-PROTO-4: (19): Sending no proposal chosen notify

Possibly this is more illustrative of the connection problem...again, not certain. I'm definitely faking my way through this so any help the community can offer would be much appreciated. Thanks in advance.

fatalXerror · ‎11-19-2018

Hi @paul_j_teeter,

I think you don't have the appropriate license in your ASA to enable strong encryption algorithms, did you load the AnyConnect Apex license?

Can you provide "show version" and what is the model of your ASA?

Thanks