
Anyconnect with IKEv2

mahesh18
Level 6

 

Hi Everyone,

I have configured AnyConnect with IKEv2 only, no SSL, and web launch is also turned off.

I downloaded AnyConnect (anyconnect-win-3.1.05160-k9.pkg) on the PC.

I tried to connect but had no luck.

Is it designed to work this way?

 

Regards

 

Mahesh


Marvin Rhoads
Hall of Fame

Mahesh,

The pkg file is ONLY for deployment from the ASA. If you want to install locally on your own, you need to download the pre-deploy ISO file and extract the installation files from it.

It has a bundled installer (setup.exe) from which you can choose among all the various AnyConnect Secure Mobility Client components - VPN, DART, WebSecurity, NAM, Telemetry, Posture and Gina (Start Before Logon).

For VPN the correct file you can run separately to install would be anyconnect-win-3.1.05160-pre-deploy-k9.msi (version number will change over time of course).

If you don't want to run client services over SSL, you will also need to manually pre-deploy the profile.xml file. This is described in the links I included with the answer to your earlier question today.

 

Hi Marvin,

A few questions here:

Should I then remove anyconnect-win-3.1.05160-k9.pkg from flash?

via

webvpn

no anyconnect image disk0://......

 

Now I installed the .iso image on the PC and extracted the image using WinRAR.

After that I ran setup and selected AnyConnect VPN only, but when I try to connect I get the error

login failed.

 

Regards

 

Mahesh

 

Even if you are not deploying the client pkg file from the ASA you still need the pkg file there (set to be the AnyConnect image) in order to extract the schema used by the AnyConnect profile editor within ASDM.

(Assuming you use that function within ASDM to create and modify your profile - you could alternatively create the profile in the offline AnyConnect profile editor tool or just generate it manually using a text editor if you're comfortable with the XML syntax.)

Have you deployed the XML profile manually onto your client?

 

Hi Marvin,

 

My job is to configure and install IKEv2 with IPsec, and then our desktop team can run the standalone AnyConnect client on users' laptops.

So the first step I should do is to put anyconnect-win-3.1.05160-k9.pkg back on flash.

Then I can remove and reconfigure AnyConnect via the wizard; I can choose both SSL and IKEv2.

Also I can select the web deployment method at the end of the wizard.

This way I can go to HTTPS, download the client on a test PC and get connected.

Once connected, I will have that .xml profile created on this PC.

Now I can disable SSL in ASDM so that users cannot go to the HTTPS website.

If I copy this .xml profile to a user PC and run the standalone client on the user PC, will it work?

 

Regards

Mahesh

Yes - that's one way to do it.

The .xml profile is a very small simple (but critical) file you can copy manually from the ASA to your PC as well as via the automatic method which, as we note, requires client services over SSL on the ASA. If you have the correct .xml file (should specify IPsec transport) and AnyConnect client software on the PC, you do not need the ASA client services via SSL.

If you do the manual method, any future update to the profile will likewise have to be distributed manually.
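
A pre-distribution check for the manually deployed profile discussed above, as an added example that is not part of the original thread or Cisco's tooling: it parses a profile and reports whether each server entry selects IPsec. The element names (HostEntry, HostName, HostAddress, PrimaryProtocol) and the SSL default for a missing PrimaryProtocol are assumptions about the AnyConnect profile format, and the sample profile and host names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile; names and addresses are placeholders.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>IKEv2 gateway</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>false</StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>No protocol set</HostName>
      <HostAddress>vpn2.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Leading text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            # PrimaryProtocol is mixed content: the protocol name is the
            # text before any nested element, so .text is what we want.
            return (child.text or "").strip()
    return None


def audit_profile(xml_text):
    """Return [(host_name, host_address, protocol, is_ipsec)] per HostEntry."""
    results = []
    for entry in ET.fromstring(xml_text).iter():
        if local(entry.tag) != "HostEntry":
            continue
        # Assumption: an entry without PrimaryProtocol falls back to SSL.
        proto = child_text(entry, "PrimaryProtocol") or "SSL"
        results.append((child_text(entry, "HostName"),
                        child_text(entry, "HostAddress"),
                        proto, proto.lower() == "ipsec"))
    return results


if __name__ == "__main__":
    for name, addr, proto, ok in audit_profile(SAMPLE_PROFILE):
        print(f"{'OK  ' if ok else 'FAIL'} {name} ({addr}): {proto}")
```

Any entry reported as FAIL would try SSL first, which an IKEv2-only ASA does not answer.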

 

Hi Marvin,

Seems I am learning a lot that is new from this post.

One way is to use SSL and enable web deployment.

The other way is if I only use IKEv2 to configure AnyConnect.

I checked the .xml profile in ASA flash; does this mean that when we configure AnyConnect on the ASA, the .xml profile is created automatically on the ASA?

Now if I only configure AnyConnect to use IKEv2 and copy the file (.xml profile) from ASA flash to the PC and then test via standalone AnyConnect, it should work, right?

 

Best regards

 

Mahesh

 

That's how I understand it.

I haven't actually used this method of manual deployment plus turning off SSL on the ASA (which is required for client services = primarily the package deployment and profile push/update) but it is documented to work that way.

 

Hi Marvin,

I tested it manually by running the standalone client, and the ASA was configured to use only IPsec IKEv2.

It did not work. Even when I copy the .xml profile from ASA flash to the PC, every time it gives me the error login failed.

Then I opened a TAC case with Cisco.

The Cisco engineer checked the config; all was good.

He then enabled SSL in the group policy of the ASA via CLI; after that I went to the URL and AnyConnect worked fine. Then I disabled SSL from the CLI and configured AnyConnect to only use IKEv2. After this I again connected from the same PC and it worked fine.

Then I copied that profile file (.xml) to another PC and tried to connect; it gave me the same error message, login failed.

It seems that when we try to connect using IKEv2 for the first time from a PC, it needs SSL enabled to download the profile from the ASA, even though the profile is already there on this PC? That's pretty strange.

 

Regards

Mahesh

 

 

Hi Marvin,

 

I was able to install AnyConnect as a standalone client on a user PC and make it work using IKEv2 only.

Best regards

Mahesh

Guys, you meant by client service = AnyConnect client profile, right?
