Using Microsoft's IKEv2 with Cisco ASA

ryabutler
Level 1

Hi,

Just want to confirm something, so I can put this issue to rest.

We have a Cisco ASA 5505 running OS 8.4

For remote access, we have set up SSL VPN to include IPSec (IKEv2).

Using our AnyConnect client works.  No problem there.

The question is: on my Windows 7 computer, when I set up a remote access profile, I can select IKEv2 (not PPTP or L2TP/IPSec).  However, this doesn't work.

It errors out saying it "can't find a matching policy".  I'm assuming it meant it couldn't find any IKE policies.  So I added other IKE policies, which found a match, but the ASA log barks back saying "IKE negotiation fails looking for a cert or a preshared key".

There is no option for inputting any pre-shared key for IKEv2 on Windows 7 with its profile setup.

Therefore, I believe that IKEv2 on the ASA 5505 is only used for Remote Access with the AnyConnect client (or the AnyConnect Secure Mobility client) and NOT with other IKEv2 clients like Microsoft.

Is this really the case?  Or can I use IKEv2 built-in with Windows 7 to remote access the ASA 5505 enabled for IKEv2 for remote access (not as a site-based VPN)?  If so, how did you get it to work?  This is an empty topic of discussion on the Internet.

Thank you!

-rya

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Hi Rya,

I don't believe there were any changes to this recently, but ASA works only with AnyConnect with IKEv2.

I've recently written about it in my blog post

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/02/08/asa-84-ipsec-vpn--whats-new
(Point 4)

Quite frankly, I have not been following developments of this feature recently, so I might have missed something.

Marcin

Thanks for the response.  Yeah it's used AnyConnect.  I saw IKEv2 within the stats on the client endpoint once it was connected.

Using IKEv2 with the Microsoft client, the ASA thinks it is a Site VPN tunnel and not RAS.

Thank you!

-rya

I got past this error by adjusting the transform sets to something that Windows 7 supports. The next thing you need to do is enable certificate-based authentication. It is supported, but not using every auth method supported on the Cisco client.

See here.

http://supportforums.cisco.com/docs/DOC-24022