
Secure VPN remote access has historically been limited to IPsec (IKEv1) and SSL. These were supported by the "Cisco VPN Client" for IPsec-based VPNs and by AnyConnect for SSL-based VPNs. Each of those products supported only its own protocol; with the introduction of the AnyConnect Secure Mobility Client 3.0, however, the client can use either IPsec (IKEv2) or SSL as the transport for the VPN connection.

The remainder of this document will discuss the steps to configure an ASA to support Anyconnect clients using IKEv2.

Requirements:

1) ASA running version 8.4.1 or later
2) AnyConnect Secure Mobility Client 3.0 or later
3) AnyConnect peer license (either "AnyConnect Essentials" or "AnyConnect Premium Peers")

It is possible to configure the setup either through ASDM or via the CLI. Using the former is the easiest; the ASDM steps are listed below along with the CLI commands that they generate.

Configure via ASDM:

1) Start ASDM
2) Wizards -> VPN Wizards -> AnyConnect Wizard
3) Configure a name for the tunnel group: RemoteAccessIKEv2


4) Configure the connection protocols. It is possible to have both SSL and IPsec connections on the same tunnel group; in this example only IPsec will be selected.


5) Upload AnyConnect images to the ASA for each platform that needs to be supported (Windows, Mac, Linux).


6) Configure the user database. If using the local database, users can be added or removed here. If using a remote authentication server, configure a new "AAA Server Group" by clicking the "New…" button.


7) Create a pool of addresses that will be assigned to the VPN clients.


8) Define the default domain name for the virtual adapter on the client and the internal DNS servers.


9) Exempt the VPN traffic from NAT when it accesses the internal network.


10) Turn off Web Launch. This is optional and requires the client to be pre-deployed (much in the same fashion as the Cisco VPN Client).

If you wish to keep Web Launch on, SSL must also be checked in step 3.


11) Save and apply the configuration.

At this point the ASA will have the following commands added. Each group of commands is followed by a description of its function.

Commands:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2 1
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint rtpvpnoutbound7
Function: This adds the IKEv2 policies. It also specifies the certificate the ASA uses for IKEv2.

Commands:
crypto ikev2 enable outside client-services port 443
ssl trust-point rtpvpnoutbound7 outside
Function: Enables client-services on the outside interface. It also specifies the certificate the ASA uses for SSL; client-services run over SSL.

Commands:
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
Function: These define the transform sets that IKEv2 can use.

Commands:
crypto map out-map 65000 ipsec-isakmp dynamic out-dyn-map
crypto map out-map interface outside
crypto dynamic-map out-dyn-map 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
Function: This configures the crypto map to use the IKEv2 transform sets.

Commands:
webvpn
 anyconnect image disk0:/anyconnect-linux-3.1.0059-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.0.4235-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-3.0.1047-k9.pkg 5
 anyconnect profiles RemoteAccessIKEv2_client_profile disk0:/RemoteAccessIKEv2_client_profile.xml
 anyconnect enable
Function: This configures the ASA to allow AnyConnect connections and lists the valid AnyConnect images. If Web Launch is allowed, it will install the clients on the computers on first connect. It also registers the profile that will be used by the client.

Commands:
group-policy GroupPolicy_RemoteAccessIKEv2 internal
group-policy GroupPolicy_RemoteAccessIKEv2 attributes
 vpn-tunnel-protocol ikev2
 dns-server value 10.1.2.3
 wins-server none
 default-domain value example.com
 webvpn
  anyconnect profiles value RemoteAccessIKEv2_client_profile type user
Function: This configures the group policy to allow IKEv2 connections and defines which AnyConnect profile the user gets.

Commands:
ip local pool vpnpool 10.7.7.135-10.7.7.140 mask 255.255.255.0
Function: This defines a pool of addresses.

Commands:
tunnel-group RemoteAccessIKEv2 type remote-access
tunnel-group RemoteAccessIKEv2 general-attributes
 default-group-policy GroupPolicy_RemoteAccessIKEv2
 address-pool vpnpool
tunnel-group RemoteAccessIKEv2 webvpn-attributes
 group-alias RemoteAccessIKEv2 enable
Function: This ties the pool of addresses to the VPN connection.

Commands:
object network NETWORK_OBJ_10.7.7.128_28
 subnet 10.7.7.128 255.255.255.240
Function: Defines an object (used later by the NAT rule).

Commands:
nat (inside,outside) 8 source static any any destination static NETWORK_OBJ_10.7.7.128_28 NETWORK_OBJ_10.7.7.128_28
Function: Defines the NAT rule that exempts the VPN traffic from being NATted.

Profile file:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry>
<HostName>rtpvpnoutbound7 (IPsec)</HostName>
<HostAddress>64.102.156.88</HostAddress>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
Function: This is the contents of the profile that gets written to the ASA flash as RemoteAccessIKEv2_client_profile.xml.
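The wizard output above is a good starting point, but note what it leaves enabled: IKEv2 policies 30 and 40 use 3DES and DES, policy 1 still offers DH groups 2 and 1, every IPsec proposal (even AES256) accepts MD5 integrity, and the dynamic map offers the 3DES and DES proposals to any client that asks for them. The following Python script is an added example (not part of the article and not a Cisco tool) that reads running-config text in the form the ASA prints it and reports those settings so they can be pruned before the tunnel group goes live. SAMPLE_CONFIG is a constructed excerpt of the commands above; the weak-algorithm sets are this example's own thresholds (anything below AES, SHA and 2048-bit MODP Diffie-Hellman), and the function names parse_blocks, proposal_order and audit are introduced here.

```python
"""Audit a wizard-generated ASA IKEv2 configuration for weak crypto settings."""
import re

# Constructed sample: an excerpt of the crypto commands the ASDM wizard generated
# in this article (same policy numbers, proposal names and dynamic-map line).
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2 1
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map out-dyn-map 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
"""

# Thresholds chosen for this example (assumption): anything weaker than AES,
# SHA and 2048-bit MODP Diffie-Hellman is reported.
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP

HEADERS = [
    (re.compile(r"^crypto ikev2 policy (\S+)$"), "ikev2 policy"),
    (re.compile(r"^crypto ipsec ikev2 ipsec-proposal (\S+)$"), "ipsec-proposal"),
]


def parse_blocks(config: str) -> list[dict]:
    """Group each policy/proposal header with its space-indented sub-commands."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            tokens = raw.split()
            if tokens[:2] == ["protocol", "esp"]:  # proposal lines: protocol esp <attr> <values>
                tokens = tokens[2:]
            current["attrs"][tokens[0]] = tokens[1:]
            continue
        current = None
        for pattern, kind in HEADERS:
            match = pattern.match(raw)
            if match:
                current = {"kind": kind, "name": match.group(1), "attrs": {}}
                blocks.append(current)
                break
    return blocks


def proposal_order(config: str) -> list[str]:
    """Proposals the dynamic crypto map offers, in the order the ASA lists them."""
    match = re.search(r"^crypto dynamic-map \S+ \d+ set ikev2 ipsec-proposal (.+)$",
                      config, re.MULTILINE)
    return match.group(1).split() if match else []


def audit(config: str) -> list[str]:
    """Return one finding per weak algorithm or DH group present in the config."""
    findings = []
    for block in parse_blocks(config):
        where = f"{block['kind']} {block['name']}"
        for alg in block["attrs"].get("encryption", []):
            if alg in WEAK_CIPHERS:
                findings.append(f"{where}: encryption {alg}")
        for key in ("integrity", "prf"):
            for alg in block["attrs"].get(key, []):
                if alg in WEAK_HASHES:
                    findings.append(f"{where}: {key} {alg}")
        for group in block["attrs"].get("group", []):
            if group in WEAK_DH_GROUPS:
                findings.append(f"{where}: group {group}")
    # A weak proposal left on the dynamic map stays negotiable with any peer that
    # offers it, so report those separately from the proposal definitions.
    for name in proposal_order(config):
        if name.lower() in WEAK_CIPHERS:
            findings.append(f"dynamic-map offers proposal {name}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Paste the output of `show running-config crypto` in place of SAMPLE_CONFIG to run it against a real box. On the sample it flags the DES encryption in policy 40, groups 5, 2 and 1 in policy 1, the MD5 integrity option in both proposals (including AES256) and the DES/3DES entries on the dynamic map; the fix on the ASA side is to remove the weak policies and proposals and to trim the `set ikev2 ipsec-proposal` list to the ones that remain.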

Testing:

If Web Launch was configured, open a web browser on the client and log into the ASA. The client will download and install itself. It will connect with TLS/DTLS first. If you disconnect, quit the client and then restart it, there will be a drop-down entry for the IKEv2 connection. Select it and the client will initiate the connection using IKEv2.

If Web Launch was not configured, it will be necessary to install the client manually on the computer and to copy RemoteAccessIKEv2_client_profile.xml into the profile directory. Start the client and select the entry from the drop-down. The connection will be initiated using IKEv2.
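When the profile is copied by hand, it is worth confirming that the file the client will read actually carries a HostEntry with PrimaryProtocol set to IPsec before troubleshooting the ASA side; a profile without that element makes the client default to SSL. The Python below is an added example (not from the article or from Cisco) that parses the profile and lists the entries that will start with IKEv2. SAMPLE_PROFILE is a constructed copy of the profile the wizard wrote above, the namespace prefix "ac" is this example's own alias for the profile's default namespace, and host_entries and ikev2_hosts are names introduced here.

```python
"""Inspect an AnyConnect client profile before copying it into the profile directory."""
import xml.etree.ElementTree as ET

# The profile declares a default namespace on its root element, so every tag lookup
# must carry it; "ac" is an alias chosen for this example.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: the profile the wizard wrote to flash in this article.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry>
<HostName>rtpvpnoutbound7 (IPsec)</HostName>
<HostAddress>64.102.156.88</HostAddress>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
"""


def host_entries(profile_xml: str) -> list[dict]:
    """Return name, address and primary protocol for every HostEntry in the profile."""
    # Parse as bytes so the encoding declaration in the prologue is honoured.
    root = ET.fromstring(profile_xml.encode("utf-8"))
    entries = []
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        entries.append({
            "name": entry.findtext("ac:HostName", default="", namespaces=NS),
            "address": entry.findtext("ac:HostAddress", default="", namespaces=NS),
            # AnyConnect's documented default when PrimaryProtocol is absent is SSL.
            "protocol": entry.findtext("ac:PrimaryProtocol", default="SSL", namespaces=NS),
        })
    return entries


def ikev2_hosts(profile_xml: str) -> list[str]:
    """Names of the server-list entries that will make the client try IKEv2 first."""
    return [e["name"] for e in host_entries(profile_xml) if e["protocol"] == "IPsec"]


if __name__ == "__main__":
    for entry in host_entries(SAMPLE_PROFILE):
        print(f"{entry['name']:<30} {entry['address']:<16} {entry['protocol']}")
```

Point it at the file in the client's profile directory (read the file into a string and pass it to host_entries); an empty result from ikev2_hosts means the drop-down entry will come up over SSL, regardless of what the ASA is configured to accept.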
