Cisco ASA IKEv2+IPSec Remote Access VPN

640KB
Level 1

Objective: Use ASA to support native VPN client for RA on current versions of Android, Windows 10/11 (and possibly others) using supported types such as IKEv2/IPSec+EAP/MSCHAPv2 for authentication.

An ASA (ASA5516/9.12) is currently used for IKEv1/L2TP Remote Access and IKEv1/IPSec L2Ls, working well. It now needs to support IKEv2/IPSec for RA, as Android has removed support for L2TP (others will likely follow). If possible, I would prefer to avoid using AnyConnect, SSL-based or any non-free client software. I would also prefer to use the existing usernames on the ASA for local authentication, as is done now with IKEv1/L2TP, though (as far as I can tell) certificates are also required for IKEv2. Finally, IKEv1/L2TP and the IKEv1/IPSec L2Ls also need to continue to work as-is.

I have not found online references or articles that specifically address this use case, though this one that describes IKEv2/EAP RA with Windows native is the closest (however the configuration examples are a bit incomplete). This one covers IKEv2 RA, but is for IOS.

There is a CA certificate and a cert for both the ASA and an Android client. Using the native client with IKEv2/IPSec MSCHAPv2, it gets as far as "Failed to locate an item in the database". My understanding of this is that it is failing to match the client to a `tunnel-group`, though there is both a tunnel group called `VPNGRP` and `DefaultRAGroup` (which I thought it would fall through to in this case). I had thought that `ikev2 remote-authentication eap query-identity` would use the EAP/PEAP/MSCHAPv2 identity as the peer's ID. I have also found references saying that the certificate's `DN` could be used to match the policy/tunnel-group, however I have not been successful in making that work (that may only apply to L2L).

Here's the ASA debug for the point where it fails:

```
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-7: (143): Received valid parameteres in process id
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (143): Searching policy based on peer's identity 'VPNGRP' of type 'key ID'
IKEv2-PROTO-2: (143): Failed to locate an item in the database
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-4: (143): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (143): Sending authentication failure notify
IKEv2-PROTO-7: Construct Notify Payload: AUTHENTICATION_FAILED
IKEv2-PROTO-4: (143): Building packet for encryption.
```

Also, using a Windows native client, the peer identity type that it tries to match is `IPv4 address`, which presents the LAN address of the device adapter (not very helpful). I've tried `peer-id-validate nocheck`, `isakmp identity key-id` and `auto`, and none of them changes the error.

I believe the real issue is that I've reached the limits of my understanding of this configuration and I'm just not able to find any good references that explain how this particular use case may work. I may also be misunderstanding the role of the certificates in this configuration - I had thought that in this case it would replace the use of a `pre-shared-key` string while continuing to allow local/CHAP credentials to enable access for a specific user... this may be an incorrect assumption too.

Any suggestions or clarifications would be most appreciated. Thanks!

Relevant ASA config:

```
ASA Version 9.12(4)58
!
hostname host
domain-name foo.local

access-list acl_vpn_split extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

crypto ipsec ikev1 transform-set set_aes-256-hmac esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set set_aes-256-hma_trans esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set set_aes-256-hma_trans mode transport

crypto ipsec ikev2 ipsec-proposal AESSHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5

crypto ipsec profile VPNGRP
 set ikev2 ipsec-proposal AES256
 set trustpoint TP
crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map cdm_vpnclient 10 set ikev1 transform-set set_aes-256-hmac set_aes-256-hma_trans
crypto dynamic-map cdm_vpnclient 10 set ikev2 ipsec-proposal AESSHA256 AES256 AES192
crypto map cm_outside 65535 ipsec-isakmp dynamic cdm_vpnclient
crypto map cm_outside interface outside

crypto ca trustpoint TP
 enrollment terminal
 subject-name CN=host.foo.local, ...
 crl configure
crypto ca trustpool policy
crypto ca certificate chain TP
 certificate 02
    ********
  quit
 certificate ca *
    ********
  quit

crypto isakmp nat-traversal 30

crypto ikev2 policy 9
 encryption aes-256
 integrity sha256
 group 24
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint TP

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

group-policy VPNGRP internal
group-policy VPNGRP attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_vpn_split
 intercept-dhcp enable

dynamic-access-policy-record DfltAccessPolicy

tunnel-group DefaultRAGroup general-attributes
 address-pool pool_vpn
 authentication-server-group (outside) LOCAL
 default-group-policy VPNGRP
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate TP
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2

tunnel-group VPNGRP type remote-access
tunnel-group VPNGRP general-attributes
 address-pool pool_vpn
 authentication-server-group (outside) LOCAL
 default-group-policy VPNGRP
tunnel-group VPNGRP ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate TP

username user password * nt-encrypted
username user2 password * encrypted
```

Complete ASA debug attached (`100.100.100.100` is client, `200.200.200.200` is ASA).
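To make a long `debug crypto ikev2` capture easier to triage, here is an added example (not from this thread or from Cisco) that groups ASA IKEv2 debug lines by SA number and reports, for each SA, which peer identity and identity type the ASA searched on and whether that policy lookup failed. The sample lines are constructed in the format shown above; the `192.168.1.23` and `vpn.foo.local` values are placeholders standing in for the Windows `IPv4 address` and strongSwan `FQDN` cases mentioned in the thread.

```python
import re
from collections import defaultdict

# Constructed sample debug lines in the format shown in the thread (not the
# poster's full attachment): SA 143 is the failing EAP / key-ID attempt.
SAMPLE_DEBUG = """\
IKEv2-PROTO-4: (143): Searching policy based on peer's identity 'VPNGRP' of type 'key ID'
IKEv2-PROTO-2: (143): Failed to locate an item in the database
IKEv2-PROTO-4: (143): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (143): Sending authentication failure notify
IKEv2-PROTO-4: (150): Searching policy based on peer's identity '192.168.1.23' of type 'IPv4 address'
IKEv2-PROTO-2: (150): Failed to locate an item in the database
IKEv2-PROTO-4: (151): Searching policy based on peer's identity 'vpn.foo.local' of type 'FQDN'
"""

# Debug line shape: "IKEv2-PROTO-<level>: (<sa>): <message>"; lines without an
# SA number (e.g. "Construct Notify Payload") are skipped.
LINE_RE = re.compile(r"^IKEv2-PROTO-(?P<level>\d): \((?P<sa>\d+)\): (?P<msg>.*)$")
PEERID_RE = re.compile(r"Searching policy based on peer's identity '(?P<id>[^']*)' of type '(?P<type>[^']*)'")

def summarize_policy_lookups(debug_text):
    """Group ASA IKEv2 debug lines by SA number and record, per SA, the peer
    identity the ASA searched on and whether the lookup and/or auth failed."""
    sas = defaultdict(lambda: {"peer_id": None, "id_type": None,
                               "lookup_failed": False, "auth_failed": False})
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = sas[int(m.group("sa"))]
        msg = m.group("msg")
        pid = PEERID_RE.search(msg)
        if pid:
            entry["peer_id"], entry["id_type"] = pid.group("id"), pid.group("type")
        elif "Failed to locate an item in the database" in msg:
            entry["lookup_failed"] = True
        elif "Verification of peer's authentication data FAILED" in msg:
            entry["auth_failed"] = True
    return dict(sas)

def failing_identities(debug_text):
    """Return (sa, id_type, peer_id) for every SA whose policy lookup failed,
    i.e. the identities that no tunnel-group / policy on the ASA matched."""
    return [(sa, e["id_type"], e["peer_id"])
            for sa, e in sorted(summarize_policy_lookups(debug_text).items())
            if e["lookup_failed"]]

if __name__ == "__main__":
    for sa, id_type, peer_id in failing_identities(SAMPLE_DEBUG):
        print(f"SA {sa}: no policy matched peer ID {peer_id!r} (type {id_type})")
```

Feeding the full attached debug through `failing_identities` lists, per connection attempt, exactly which identity value and type the tunnel-group lookup was performed on, which is the piece to compare against the configured tunnel-group names.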

9 Replies

Yeah, that was the link I referenced; it had a lot of good information. Following it as closely as I could is how I got to the point where the policy was attempting to match on `IPv4 address` (which isn't how the example was working), so I wasn't able to get any further in that direction.

authentication-server-group (outside) LOCAL

This issue, I think, is that you need to use local only. There is no RADIUS server config.

MHM

Right, that's the way I have it in that config. Should I remove the `authentication-server-group` entirely then?

If the user is EAP authenticated locally, then you need to remove the auth-server-group.

MHM

Removed it on both tunnel-groups, but still getting hung up in the same place. I don't see any mentions of tunnel-groups/crypto maps in the debug, so is this happening before those?

```
IKEv2-PROTO-4: (150): Searching policy based on peer's identity 'VPNGRP' of type 'key ID'
IKEv2-PROTO-2: (150): Failed to locate an item in the database
```

EAP was used in that example, but is it something I need if we want to just authenticate locally? The only VPN type on Android that specifies a username/password is IKEv2/IPSec MSCHAPv2 (which I assumed was shortened from EAP+MSCHAPv2). I tried strongSwan too, and it's using a peer identity of type 'FQDN' instead of 'key ID'. How/where do those get matched?

govindlenka777
Level 1

Did you find the solution to the issue? I am having the same issue now. If you did, please explain.

Can you make a post?

MHM

Unfortunately no, I have not yet found a working solution to this.