03-31-2021 06:15 AM
Since upgrading to Anyconnect 4.9 I am getting the following error when connecting to an IPSec VPN on a 5525-X ASA: Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect
I know 4.9 has dropped support for some D-H groups but I have tried 19, 20, 21 and those do not work either.
Has anyone got a working config for a 4.9 IPSec VPN?
03-31-2021 06:30 AM - edited 03-31-2021 06:43 AM
What version of ASA software are you running?
Provide your IKE Policy and IPSec Transform set configuration for review.
Do you have any clients that connect? If so what ciphers do they connect with?
03-31-2021 08:06 AM
Hi Rob,
It is running 9.12(4)13.
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 24
prf sha256
lifetime seconds 86400
The 4.8 clients connect fine using AES-256 but the 4.9 clients will not. Thanks.
03-31-2021 08:17 AM - edited 03-31-2021 08:21 AM
As you know the minimum cryptography settings in AnyConnect 4.9 have been increased. Refer to this blog:-
For IKEv2/IPsec, AnyConnect no longer supports the following algorithms:
Encryption algorithms: DES and 3DES
Pseudo Random Function (PRF) algorithm: MD5
Integrity algorithm: MD5
Diffie-Hellman (DH) groups: 2, 5, 14, 24
Remove MD5 from the IKEv2 Proposal. Add sha256 or better.
And change the DH group under the IKEv2 policy from 24 to 19, 20 or 21.
You've already tried changing the DH groups, I assume (hope) that it's the MD5 integrity algorithm that is going to cause the issue, even though SHA is still defined. If the problem still occurs run an ikev2/ipsec debug and provide the output for review.
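A quick audit of an ASA IKEv2 configuration against the algorithm list in the reply above, added here as an example and not code from the thread or from Cisco. It assumes the config is pasted as text in the same form the original poster gave; the sample embedded below is that posted config, reproduced for the check.

```python
"""Flag ASA IKEv2 policy / IPsec proposal algorithms that AnyConnect 4.9 dropped."""
import re

# Algorithms listed in the reply as no longer supported by AnyConnect 4.9 for IKEv2/IPsec.
DROPPED = {
    "encryption": {"des", "3des"},
    "integrity": {"md5"},
    "prf": {"md5"},
    "group": {"2", "5", "14", "24"},
}

# Constructed sample: the IKEv2 policy and IPsec proposal posted earlier in this thread.
SAMPLE_CONFIG = """
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 24
 prf sha256
 lifetime seconds 86400
"""


def audit_asa_ikev2(config: str) -> list[str]:
    """Return one finding per dropped algorithm still configured, naming the object it sits in."""
    findings = []
    context = None  # the ikev2 policy or ipsec-proposal the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto ikev2 policy (\S+)", line, re.I)
        if m:
            context = f"ikev2 policy {m.group(1)}"
            continue
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line, re.I)
        if m:
            context = f"ipsec-proposal {m.group(1)}"
            continue
        if line.lower().startswith("crypto "):
            context = None  # crypto map / dynamic-map lines carry no algorithms to audit
            continue
        tokens = line.lower().split()
        if tokens[:2] == ["protocol", "esp"]:  # 'protocol esp integrity sha-1 md5' -> 'integrity sha-1 md5'
            tokens = tokens[2:]
        if context and tokens and tokens[0] in DROPPED:
            for alg in tokens[1:]:
                if alg in DROPPED[tokens[0]]:
                    findings.append(f"{context}: {tokens[0]} {alg} is not supported by AnyConnect 4.9")
    return findings
```

Running it over the posted config reports the md5 ESP integrity and DH group 24 that the reply above asks to remove; a config with sha256 integrity and group 19 returns no findings.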
04-01-2021 04:06 AM
Thanks, Rob.
I have run a debug and found the error below:
IKEv2-PLAT-2: Failed to create an IKEv2 Proposal because an AnyConnect Premium license is required to support an IKEv2 remote access connection using NSA Suite B algorithms
The ASA had AnyConnect Essentials licensing enabled and this was the issue. After I changed it to AC Premium licenses then the 4.9 client could connect with D-H group 19.