IKEv2 vs DTLS 1.2

KGrev
Level 4

Hi,

We are testing upgrading from a very old version of Cisco AnyConnect (4.6) to a newer 4.10 version due to DH group limitations.

When testing the newer version, the client no longer connects as an IKEv2 IPsec connection and looks to be "AnyConnect-Parent SSL-Tunnel DTLS-Tunnel".

Is there a knowledgeable person who can explain to me if this is a good, expected result and if this is the path forward for the AnyConnect client? Sorry, I'm still learning.

32 Replies

KGrev
Level 4

@Rob Ingram so I can run Wireshark from the tablet running the new AnyConnect version. I see my packets for ISAKMP.

As far as I can tell, the AnyConnect client is offering proposals that would match policies that I have configured on the ASA. But in the debug on the ASA it says that there are no matching policies.

Wireshark dump for Packet #1, inbound:

Frame 1: 726 bytes on wire (5808 bits), 726 bytes captured (5808 bits) on interface \Device\NPF_{837B6A94-4726-4512-B2CF-BE6CDDD6E290}, id 0
Raw packet data
Internet Protocol Version 4, Src: 10.255.201.127, Dst: ****EXT_FW_IP****
User Datagram Protocol, Src Port: 49231, Dst Port: 500
Internet Security Association and Key Management Protocol
    Initiator SPI: 73926dbbdcd87ed8
    Responder SPI: 0000000000000000
    Next payload: Security Association (33)
    Version: 2.0
        0010 .... = MjVer: 0x2
        .... 0000 = MnVer: 0x0
    Exchange type: IKE_SA_INIT (34)
    Flags: 0x08 (Initiator, No higher version, Request)
        .... 1... = Initiator: Initiator
        ...0 .... = Version: No higher version
        ..0. .... = Response: Request
    Message ID: 0x00000000
    Length: 698
    Payload: Security Association (33)
        Next payload: Key Exchange (34)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 276
        Payload: Proposal (2) # 1
            Next payload: Proposal (2)
            Reserved: 00
            Payload length: 124
            Proposal number: 1
            Protocol ID: IKE (1)
            SPI Size: 0
            Proposal transforms: 13
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
                Transform Attribute (t=14,l=2): Key Length: 256
                    1... .... .... .... = Format: Type/Value (TV)
                    Type: Key Length (14)
                    Value: 0100
                    Key Length: 256
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
                Transform Attribute (t=14,l=2): Key Length: 192
                    1... .... .... .... = Format: Type/Value (TV)
                    Type: Key Length (14)
                    Value: 00c0
                    Key Length: 192
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
                Transform Attribute (t=14,l=2): Key Length: 128
                    1... .... .... .... = Format: Type/Value (TV)
                    Type: Key Length (14)
                    Value: 0080
                    Key Length: 128
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA1 (2)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): NONE (0)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 256-bit random ECP group (19)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 384-bit random ECP group (20)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 521-bit random ECP group (21)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 3072 bit MODP group (15)
            Payload: Transform (3)
                Next payload: NONE / No Next Payload  (0)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 4096 bit MODP group (16)
        Payload: Proposal (2) # 2
            Next payload: NONE / No Next Payload  (0)
            Reserved: 00
            Payload length: 148
            Proposal number: 2
            Protocol ID: IKE (1)
            SPI Size: 0
            Proposal transforms: 16
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform Attribute (t=14,l=2): Key Length: 256
                    1... .... .... .... = Format: Type/Value (TV)
                    Type: Key Length (14)
                    Value: 0100
                    Key Length: 256
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform Attribute (t=14,l=2): Key Length: 192
                    1... .... .... .... = Format: Type/Value (TV)
                    Type: Key Length (14)
                    Value: 00c0
                    Key Length: 192
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform Attribute (t=14,l=2): Key Length: 128
                    1... .... .... .... = Format: Type/Value (TV)
                    Type: Key Length (14)
                    Value: 0080
                    Key Length: 128
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA1 (2)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): AUTH_HMAC_SHA2_256_128 (12)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): AUTH_HMAC_SHA2_384_192 (13)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): AUTH_HMAC_SHA2_512_256 (14)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 256-bit random ECP group (19)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 384-bit random ECP group (20)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 521-bit random ECP group (21)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 3072 bit MODP group (15)
            Payload: Transform (3)
                Next payload: NONE / No Next Payload  (0)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 4096 bit MODP group (16)
    Payload: Key Exchange (34)
        Next payload: Nonce (40)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 72
        DH Group #: 256-bit random ECP group (19)
        Reserved: 0000
        Key Exchange Data: 0bf188fded5652a0b9bdbb95fc1e30047e438c115e4a4250e84548788e323927703e924a…
    Payload: Nonce (40)
        Next payload: Vendor ID (43)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 24
        Nonce DATA: acbfcb18d161616a9acf5364ff6c25b3ff015c84
    Payload: Vendor ID (43) : Cisco Delete Reason Supported
        Next payload: Vendor ID (43)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 23
        Vendor ID: 434953434f2d44454c4554452d524541534f4e
        Vendor ID: Cisco Delete Reason Supported
    Payload: Vendor ID (43) : Cisco Copyright
        Next payload: Vendor ID (43)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 59
        Vendor ID: 434953434f28434f505952494748542926436f7079726967687420286329203230303920…
        Vendor ID: Cisco Copyright
    Payload: Vendor ID (43) : Unknown Vendor ID
        Next payload: Vendor ID (43)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 24
        Vendor ID: 434953434f2d414e59434f4e4e4543542d454150
        Vendor ID: Unknown Vendor ID
    Payload: Vendor ID (43) : Cisco GRE Mode Supported
        Next payload: Vendor ID (43)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 19
        Vendor ID: 434953434f2d4752452d4d4f444503
        Vendor ID: Cisco GRE Mode Supported
    Payload: Vendor ID (43) : Unknown Vendor ID
        Next payload: Vendor ID (43)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 20
        Vendor ID: 434953434f2d4e47452d4c4556454c03
        Vendor ID: Unknown Vendor ID
    Payload: Vendor ID (43) : Unknown Vendor ID
        Next payload: Vendor ID (43)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 26
        Vendor ID: 434953434f2d414e59434f4e4e4543542d5354524150
        Vendor ID: Unknown Vendor ID
    Payload: Vendor ID (43) : Unknown Vendor ID
        Next payload: Notify (41)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 29
        Vendor ID: 434953434f2d414e59434f4e4e4543542d53545241502d4448
        Vendor ID: Unknown Vendor ID
    Payload: Notify (41) - NAT_DETECTION_SOURCE_IP
        Next payload: Notify (41)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 28
        Protocol ID: IKE (1)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
        Notification DATA: 7bdff21b24706294e62413f825ad71b4636371a9
    Payload: Notify (41) - NAT_DETECTION_DESTINATION_IP
        Next payload: Vendor ID (43)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 28
        Protocol ID: IKE (1)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_DESTINATION_IP (16389)
        Notification DATA: 9b8b8ca9efa7c1fe6a6ffd506a0ada4909e963f8
    Payload: Vendor ID (43) : Cisco Fragmentation
        Next payload: Configuration (47)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 20
        Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d3
        Vendor ID: Cisco Fragmentation
    Payload: Configuration (47)
        Next payload: Notify (41)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 14
        Type: CFG_REQUEST (1)
        Reserved: 000000
        Config Attribute (t=28728,l=2): PRIVATE USE
            0... .... .... .... = Format: Type/Length/Value (TLV)
            Type: PRIVATE USE (28728)
            Length: 2
            Value: 0240
    Payload: Notify (41) - REDIRECT_SUPPORTED
        Next payload: NONE / No Next Payload  (0)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 8
        Protocol ID: RESERVED (0)
        SPI Size: 0
        Notify Message Type: REDIRECT_SUPPORTED (16406)
        Notification DATA: <MISSING>

@Rob Ingram @MHM Cisco World @Marvin Rhoads My issue is now resolved. I needed to disable AnyConnect Essentials, as explained in this forum:

https://community.cisco.com/t5/vpn/how-does-the-anyconnect-client-decide-its-proposals/m-p/4812203#M288678
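As an added example (not code from this thread or from Cisco), the SA payload of Packet #1 above is re-encoded byte for byte with Python's struct module and then evaluated the way a responder does it, to show which transform type blocks a match when the "no matching policies" debug appears. The two responder policies and all function names are constructed for the example; the transform IDs, key lengths and proposal lengths (124 and 148) come from the capture.

```python
import struct

# IKEv2 transform registry values (RFC 7296) for the IDs seen in the capture above.
TTYPE = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
NAME = {("ENCR", 12): "aes-cbc", ("ENCR", 20): "aes-gcm", ("INTEG", 0): "null", ("INTEG", 2): "sha1",
        ("INTEG", 12): "sha256", ("INTEG", 13): "sha384", ("INTEG", 14): "sha512", ("PRF", 2): "sha1",
        ("PRF", 5): "sha256", ("PRF", 6): "sha384", ("PRF", 7): "sha512",
        **{("DH", g): str(g) for g in (15, 16, 19, 20, 21)}}

def transform(ttype, tid, keylen=None, last=False):
    # One Transform substructure; keylen adds the TV "Key Length" attribute (type 14).
    attr = struct.pack(">HH", 0x8000 | 14, keylen) if keylen else b""
    return struct.pack(">BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid) + attr

def proposal(num, transforms, last=False):
    # One Proposal substructure for Protocol ID IKE (1) with SPI size 0.
    body = b"".join(transforms)
    return struct.pack(">BBHBBBB", 0 if last else 2, 0, 8 + len(body), num, 1, 0, len(transforms)) + body

def parse_sa(sa):
    """Walk an SA payload body; per proposal, collect the offered (name, keylen) per transform type."""
    proposals, off = [], 0
    while off < len(sa):
        _, _, plen, _, _, spisz, ntrans = struct.unpack_from(">BBHBBBB", sa, off)
        offered, toff = {t: set() for t in TTYPE.values()}, off + 8 + spisz
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack_from(">BBHBBH", sa, toff)
            keylen = struct.unpack_from(">HH", sa, toff + 8)[1] if tlen > 8 else None
            offered[TTYPE[ttype]].add((NAME[(TTYPE[ttype], tid)], keylen))
            toff += tlen
        proposals.append(offered)
        off += plen
    return proposals

def select(proposals, policy):
    """Responder-style choice: first proposal sharing a value of every transform type with the
    policy wins. Returns (number, chosen) or (None, {number: transform types with no overlap})."""
    failures = {}
    for num, offered in enumerate(proposals, 1):
        missing = [t for t in policy if not (policy[t] & offered[t])]
        if not missing:
            return num, {t: sorted(policy[t] & offered[t], key=str)[0] for t in policy}
        failures[num] = missing
    return None, failures

# Constructed sample re-encoding Packet #1 above: Proposal 1 (AES-GCM, 124 bytes) and
# Proposal 2 (AES-CBC, 148 bytes), same transform order as the capture.
PRFS = [transform(2, t) for t in (6, 7, 5, 2)]
DHS = [transform(4, g) for g in (19, 20, 21, 15)] + [transform(4, 16, last=True)]
SA = (proposal(1, [transform(1, 20, k) for k in (256, 192, 128)] + PRFS + [transform(3, 0)] + DHS)
      + proposal(2, [transform(1, 12, k) for k in (256, 192, 128)] + PRFS
                    + [transform(3, t) for t in (12, 13, 2, 14)] + DHS, last=True))

# Constructed responder policies (not the thread's ASA config): GCM plus a separate integrity
# algorithm cannot match Proposal 1, which offers INTEG NONE only; GCM with "null" integrity can.
GCM_SHA256 = {"ENCR": {("aes-gcm", 256)}, "PRF": {("sha384", None)}, "INTEG": {("sha256", None)}, "DH": {("19", None)}}
GCM_NULL = {**GCM_SHA256, "INTEG": {("null", None)}}
```

`select(parse_sa(SA), GCM_SHA256)` reports Proposal 1 failing on INTEG and Proposal 2 on ENCR, which is the shape of a "no matching policy" outcome; `GCM_NULL` picks Proposal 1 with aes-gcm-256, sha384, null, group 19.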