anyconnect IKEv2

Benjamin Saito
Level 1

I am configuring a new connection profile for remote access using IKEv2 instead of ssl. I used the following link for guidelines:

https://supportforums.cisco.com/document/74111/asa-anyconnect-ikev2-configuration-example

It is pretty straightforward but it's not working for me. When I try to connect to the connection profile I get the following error:

"Login denied, unauthorized connection mechanism, contact your administrator"

I haven't configured any DAP records, so it's just using the default one that allows all connections. I am not really finding too much information on that error; anyone know what I can do to fix this? Thanks!


Philip D'Ath
VIP Alumni

Could you post your existing AAA config (all the lines containing aaa)?

Here it is:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (vlan60) host 10.25.20.6
aaa-server TACACS+ (vlan60) host 10.20.20.6
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa local authentication attempts max-fail 10

The ikev2 vpn is set up to use local authentication. Thanks!

Can you post the tunnel group configuration please (I especially want to see the authentication-server-group and authorization-server-group commands to confirm how authentication and authorization is being done).

Here are the configurations; I think I have everything in here:

tunnel-group anyconnect-ikev2 type remote-access
tunnel-group anyconnect-ikev2 general-attributes
 address-pool vpnpool
 default-group-policy GroupPolicy_anyconnect-ikev2
tunnel-group anyconnect-ikev2 webvpn-attributes
 group-alias anyconnect-ikev2 enable


crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.00495-k9.pkg 3
 anyconnect profiles anyconnect-ikev2_client_profile disk0:/anyconnect-ikev2_client_profile.xml
 anyconnect profiles ikev2-anyconnect_client_profile disk0:/ikev2-anyconnect_client_profile.xml
 anyconnect profiles profile disk0:/profile.xml
 anyconnect enable
 tunnel-group-list enable

group-policy GroupPolicy_anyconnect-ikev2 internal
group-policy GroupPolicy_anyconnect-ikev2 attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2
 default-domain value redplaid.com
 webvpn
  anyconnect profiles value anyconnect-ikev2_client_profile type user

Try adding this to force the use of local usernames and passwords:

tunnel-group anyconnect-ikev2 type remote-access
tunnel-group anyconnect-ikev2 general-attributes
   authentication-server-group LOCAL

That didn't make any difference. The authentication appears to be working correctly either way according to the syslog messages:

Jan 13 16:38:52 x.x.x.x %ASA-6-113012: AAA user authentication Successful : local database : user = redplaid2
Jan 13 16:38:52 x.x.x.x %ASA-6-113009: AAA retrieved default group policy (GroupPolicy_anyconnect-ikev2) for user = redplaid2
Jan 13 16:38:52 x.x.x.x %ASA-6-113008: AAA transaction status ACCEPT : user = redplaid2
Jan 13 16:38:52 x.x.x.x %ASA-6-734001: DAP: User redplaid2, Addr x.x.x.x, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

Any other ideas?

Reading this more closely, we are getting an authorization failure.  Can you show us a sanitised version of the local user account?

Can you also do a debug of the authorisation process?  Something like:

debug aaa authorization 

I see it is using the DAP default access policy.

The following DAP records were selected for this connection: DfltAccessPolicy

Do you promise me this is 100% normal and not customised in any way?

I assure you the DAP record was not altered in any way. I am able to log in to the ssl vpn connection profile just fine, it's just the ikev2 connection that I cannot log in to. I am also not seeing anything when I run the debugging, not sure if I am doing something wrong. Here is the username that I am using:

username redplaid2 password **************** encrypted privilege 15

Thanks!

Are you using the same trustpoint, ASDM_TrustPoint1, for the SSL VPN?

I just checked our ASA.  Your config is very similar to mine.  I don't have this line:

anyconnect profiles ikev2-anyconnect_client_profile disk0:/ikev2-anyconnect_client_profile.xml


I also have a newer version of AnyConnect deployed:

 anyconnect image disk0:/anyconnect-win-4.1.06020-k9.pkg 1 regex "Windows NT"

I have found the clients *.XML profile can be a bit touchy.  Below is a sample XML profile that I use:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <HostName>"customer name"</HostName>
      <HostAddress>"DNS name of device - must match certificate"</HostAddress>
      <UserGroup>"group name"</UserGroup>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

I notice in that link you supplied their XML profile doesn't have the UserGroup attribute.

We have multiple groups configured on our ASA.  Perhaps it is only needed if you have more than one (or perhaps it only uses the default group).  And from your post your ASA also sounds like it has multiple groups.
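The cross-check described in this answer, as an added example that is not part of the thread: it parses a client profile and the tunnel-group/group-policy lines posted above, then reports whether the profile's UserGroup selects a tunnel-group whose default group policy permits the protocol named in PrimaryProtocol. The sample config and profiles are constructed from values in this thread; the "no UserGroup lands in the default tunnel-group" wording and the DfltGrpPolicy fallback are assumptions about ASA behaviour, not something the thread states.

```python
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
PROTO_TOKEN = {"IPsec": "ikev2", "SSL": "ssl-client"}  # profile protocol -> vpn-tunnel-protocol token

def parse_profile(xml_text):
    """UserGroup and PrimaryProtocol of the first HostEntry (stray quotes stripped)."""
    host = ET.fromstring(xml_text).find("ac:ServerList/ac:HostEntry", NS)
    field = lambda tag: (host.findtext(f"ac:{tag}", default="", namespaces=NS) or "").strip(' "')
    return field("UserGroup"), field("PrimaryProtocol")

def parse_asa(cfg):
    """alias -> tunnel-group, tunnel-group -> default-group-policy, policy -> vpn-tunnel-protocol tokens."""
    alias_tg, tg_policy, policy_protos, kind, name = {}, {}, {}, None, None
    for raw in cfg.splitlines():
        w = raw.split()
        if not raw.startswith(" "):  # top-level line names the object; indented lines configure it
            kind, name = (w + [None, None])[:2]
        elif kind == "tunnel-group" and w[:1] == ["default-group-policy"]:
            tg_policy[name] = w[1]
        elif kind == "tunnel-group" and w[:1] == ["group-alias"] and w[-1] == "enable":
            alias_tg[w[1]] = name
        elif kind == "group-policy" and w[:1] == ["vpn-tunnel-protocol"]:
            policy_protos[name] = set(w[1:])
    return alias_tg, tg_policy, policy_protos

def check(profile_xml, asa_cfg):
    """Findings list; empty means the tunnel-group the profile selects permits the profile's protocol."""
    group, proto = parse_profile(profile_xml)
    alias_tg, tg_policy, policy_protos = parse_asa(asa_cfg)
    need = PROTO_TOKEN.get(proto, proto)
    if not group:  # the linked guide's profile omits UserGroup, so no group-alias is ever selected
        return [f"no UserGroup: client lands in the default tunnel-group, not the {need} one"]
    if group not in alias_tg:
        return [f"UserGroup {group!r} matches no enabled group-alias"]
    policy = tg_policy.get(alias_tg[group], "DfltGrpPolicy")  # assumed ASA fallback policy name
    if need not in policy_protos.get(policy, set()):
        return [f"group-policy {policy} lacks vpn-tunnel-protocol {need}"]
    return []

# Constructed inputs: the tunnel-group/group-policy lines posted in this thread, and a minimal profile built with or without the UserGroup this answer recommends.
ASA_CFG = """tunnel-group anyconnect-ikev2 general-attributes
 default-group-policy GroupPolicy_anyconnect-ikev2
tunnel-group anyconnect-ikev2 webvpn-attributes
 group-alias anyconnect-ikev2 enable
group-policy GroupPolicy_anyconnect-ikev2 attributes
 vpn-tunnel-protocol ikev2"""

def profile_xml(group=None, proto="IPsec"):
    ug = f"<UserGroup>{group}</UserGroup>" if group else ""
    return (f'<AnyConnectProfile xmlns="{NS["ac"]}"><ServerList><HostEntry><HostName>vpn</HostName>'
            f"<HostAddress>vpn.example.com</HostAddress>{ug}<PrimaryProtocol>{proto}</PrimaryProtocol>"
            "</HostEntry></ServerList></AnyConnectProfile>")
```

Run `check(profile_xml(), ASA_CFG)` for the guide-style profile without UserGroup and `check(profile_xml("anyconnect-ikev2"), ASA_CFG)` for one that names the group; only the second returns an empty list.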

Thanks for the information Philip. I am not sure I know what you mean by user group. All we have is one database of users and it's the local database. The XML profile that is installed on the ASA was automatically created by the asa when I set this up using the remote access wizard in the ASDM. I adjusted the xml file earlier today but it was incorrect, I thought the "hostname" was supposed to be the dns name. I changed that and the "host address" but it's still giving me the same error.

From the above config, your group is anyconnect-ikev2.
