4131 Views, 5 Helpful, 10 Replies

Anyconnect VPN Tunnel w/certificates IKEv2

Douglas Holmes
Level 1

We have an ASA5525 that we are attempting to use to create a VPN tunnel using certificates.  For now the ASA will be the CA.  It appears that we have successfully downloaded the cert to the client.  Our network is fairly simple.  ASA is at 10.0.0.1 on the outside and client at 10.0.0.3.  The client connects through a switch to the outside of the VPN.  This part works. 

The requirement is for the client to authenticate using only a cert.  From debugging, it appears that the cert checks out ok.  When attempting to connect, the client (AnyConnect V3.1) receives a pop up to choose a group; when the group is chosen, login is denied for unauthorized connection mechanism.  We are trying to use IKEv2.  Please note that we are using a beta release of code for the ASA.  I have attached a log of our attempt, a "show run" and a "show version". 

Thanks

Douglas

1 Accepted Solution

Douglas,

So it is working, right?

Portu.


10 Replies

Douglas Holmes
Level 1

I have made some progress with this configuration.  Added a rule to allow "any any" on the outside. 

When I attempt with anyconnect without a profile (simply by IP) I connect using SSL:

ciscoasa# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : bart                   Index        : 2
Assigned IP  : 192.168.30.5           Public IP    : 10.0.0.4
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : RC4 AES128             Hashing      : none SHA1 SHA1
Bytes Tx     : 10710                  Bytes Rx     : 3761
Group Policy : AnyConnect-policy      Tunnel Group : AnyConnect-group
Login Time   : 12:46:17 UTC Wed Oct 17 2012
Duration     : 0h:00m:09s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

However, we are unable to connect using IKEv2 (using our AnyConnect client profile); we receive the following:

%ASA-7-717030: Found a suitable trustpoint LOCAL-CA-SERVER to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 04, subject name:  cn=bart.
%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
%ASA-3-751013: Local:10.0.0.1:4500 Remote:10.0.0.4:63175 Username:DefaultL2LGroup Failed to process Configuration Payload request for attribute 0x1. Error: Platform errors

I guess nobody is working on this sort of thing. 

Hi Douglas,

Please check this out:

ASA Anyconnect IKEv2 configuration example

From the logs, it looks like you are hitting the DefaultL2LGroup. Review the previous link and adjust your settings.

HTH.

Portu.

Please rate any helpful posts
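Portu's link covers the full walkthrough; for a concrete picture of which settings the two symptoms in this thread point at, here is an added example, not from this thread and not Cisco's own documentation, of a minimal ASA IKEv2 remote-access configuration with certificate-only authentication. The interface name (outside), trustpoint (LOCAL-CA-SERVER), tunnel group (AnyConnect-group) and group policy (AnyConnect-policy) are the ones visible in Douglas's output above; the pool range, proposal and map names, profile name and path, and the issuer CN are assumed placeholders. Two of the log lines map to two settings: "Username:DefaultL2LGroup" followed by a Configuration Payload failure means the IKEv2 session was never matched to the remote-access tunnel group, so the ASA fell back to the LAN-to-LAN default (which has no address pool to hand out); and the client-side "unauthorized connection mechanism" message is the usual symptom of a group policy whose vpn-tunnel-protocol does not include ikev2.

```cisco
! Added example (not from the thread or from Cisco): minimal ASA IKEv2
! remote-access setup with certificate-only authentication.
! Names taken from the thread: outside, LOCAL-CA-SERVER, AnyConnect-group,
! AnyConnect-policy. Everything else is an assumed placeholder.

! 1. IKEv2 SA proposal and the IPsec transform for the client session
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1

! 2. Enable IKEv2 on the outside interface. "client-services" is what lets
!    AnyConnect fetch its profile and select a remote-access tunnel group;
!    without it an IKEv2 session is prone to landing in DefaultL2LGroup.
crypto ikev2 enable outside client-services port 443
! Identity certificate the ASA presents to the client during IKEv2
crypto ikev2 remote-access trustpoint LOCAL-CA-SERVER

! 3. Dynamic crypto map so remote-access IKEv2 peers can negotiate IPsec
crypto dynamic-map DYN-RA 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-RA
crypto map OUTSIDE-MAP interface outside

! 4. Pool handed out in the IKEv2 Configuration Payload (assumed range,
!    chosen to include the 192.168.30.5 seen in the SSL session above)
ip local pool VPN-POOL 192.168.30.5-192.168.30.50 mask 255.255.255.0

! 5. Certificate map: match certs issued by the ASA's local CA.
!    Replace the CN value with the real issuer CN of LOCAL-CA-SERVER.
crypto ca certificate map CERT-MAP 10
 issuer-name attr cn eq LOCAL-CA-ISSUER-CN-PLACEHOLDER

! 6. AnyConnect profile (assumed name/path) and tunnel-group selection.
!    The profile XML must set PrimaryProtocol to IPsec for the host entry.
webvpn
 enable outside
 anyconnect profiles IKEV2-PROFILE disk0:/ikev2-profile.xml
 anyconnect enable
 tunnel-group-list enable
 ! Pick the remote-access tunnel group from the client certificate so the
 ! session is not left to the default group (assumed to apply to IKEv2
 ! sessions that use client-services)
 certificate-group-map CERT-MAP 10 AnyConnect-group

! 7. Group policy: ikev2 must be listed here, otherwise the client sees
!    "Login denied, unauthorized connection mechanism"
group-policy AnyConnect-policy internal
group-policy AnyConnect-policy attributes
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect profiles value IKEV2-PROFILE type user

! 8. Tunnel group: certificate-only authentication, no AAA prompt
tunnel-group AnyConnect-group type remote-access
tunnel-group AnyConnect-group general-attributes
 address-pool VPN-POOL
 default-group-policy AnyConnect-policy
tunnel-group AnyConnect-group webvpn-attributes
 authentication certificate
 group-alias AnyConnect-group enable
```

After applying this, a successful IKEv2 connection shows up in "show vpn-sessiondb anyconnect" with the Protocol line reading IKEv2 and IPsec instead of SSL-Tunnel/DTLS-Tunnel, and the 751013 message should no longer name DefaultL2LGroup. The certificate map is deliberately restricted to the issuer; matching on a subject field as well is the usual next step if more than one tunnel group has to be selected by certificate content.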

Thank you for your prompt reply.  I will set this up again in my lab right away and give it a very close examination. 

Sounds good to me.

Thanks for heads up!

Please rate any helpful posts

I was working on another project and will be resuming on this one today.  I am working on Suite B. so for the past week I tabled this one to work on an Aruba 650.  Got it working. 

The project will be a user using anyconnect to the ASA5525.  Then the via Aruba client will launch and connect to the Aruba 650.  So two VPN sessions both using Certs. 

And now back to this one, I got the ASA loaded with the configuration that was used in the example above.  Will review the documentation closely and report back.  Again, thanks. 

Douglas

Douglas Holmes
Level 1

Worked on this most of the day.  Checked out the document from the link above.  Worked mainly on making sure that the configuration matched line for line.  I cannot say which of the changes made allowed the change in the device.  Basically I killed the configuration.  Copied the last known configuration from flash to start and reloaded.  I then went through the document in the ASDM.  I also loaded ASDM "asdm-70025.bin" instead of the previously used "asdm-66114.bin".  I made a few changes in the ASDM which are hard to remember.  And cleaned up the access lists.  Basically did an "ip any any" and applied it globally.  Don't need security setup since we just wanted to test the certs and the client. 

Next step is a point to point tunnel using certs between the Cisco ASA and the Aruba 650. 

Douglas

Douglas,

So it is working, right?

Portu.

Yes it is.  ASA devices are not my strong suit.  I am more of a switch and router person.  Thanks for your assistance. 

Douglas

Well my friend, let me tell you that you just configured an advanced deployment!

Thanks for sharing your results; please feel free to open a TAC case or a new post here if you experience any issues with a LAN-to-LAN tunnel using certificates.

Portu.