Configuring remote access VPN with IKEv1, IKEv2 and SSL at the same time

Posted on March 9, 2011

With the following configuration, and with a sufficient license, we should be able to connect to our Cisco ASA firewall with Cisco AnyConnect, with the new AnyConnect Secure Mobility Client (the first Cisco IKEv2 client) and with the old Cisco VPN client using IKEv1, which is natively supported on some Apple devices, like the iPad. What I miss on the ASA is that it does not support IKE over TCP for IKEv2.
This configuration was made with software version 8.4(1), and the configuration has been changed a little bit since.

RA VPN config for IKEv1

For authentication we can configure a lot of methods, like a local username with password, RADIUS, LDAP, RSA SecurID or certificates. I use certificate authentication here, without a CRL check. This comes later…
IP address assignment happens not from a local pool but from a DHCP server on the inside. Centralised IP address management can sometimes be really helpful, so it is worth using an external DHCP server.

Configuration Topology for VPN with Cisco ASA:

Cisco ASA VPN Configuration Flow

isakmp, for IKE Phase I.

myfirewall/act/pri# sh run cry ikev1
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 2
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400

transform set, for setting the Security Protocols

myfirewall/act/pri# sh run cry ipsec
crypto ipsec ikev1 transform-set MycompanyTransformSet esp-3des esp-sha-hmac

dynamic map, for IKE Phase II.

myfirewall/act/pri# sh run cry dyn
crypto dynamic-map out_dyn_map 10 set ikev1 transform-set MycompanyTransformSet
crypto dynamic-map out_dyn_map 10 set security-association lifetime seconds 288000

crypto map

myfirewall/act/pri# sh run cry map
crypto map out_cry_map 10 ipsec-isakmp dynamic out_dyn_map
crypto map out_cry_map interface outside

trustpoint

myfirewall/act/pri# sh run cry ca trustpoint mytrustpoint
crypto ca trustpoint mytrustpoint
enrollment terminal
fqdn 30.30.30.1
subject-name CN=myfirewall.mycompany.com
serial-number
keypair mycert_key
crl configure

group policy

myfirewall/act/pri# sh run group-policy
group-policy MycompanyVpnPolicy internal
group-policy MycompanyVpnPolicy attributes
wins-server value 1.1.1.1
dns-server value 2.2.2.2
dhcp-network-scope 10.10.10.10
vpn-simultaneous-logins 20
vpn-tunnel-protocol ikev1
default-domain value mycompany.com

tunnel group

myfirewall/act/pri# sh run tunnel-group ikev1tunnelgroup
tunnel-group ikev1tunnelgroup type remote-access
tunnel-group ikev1tunnelgroup general-attributes
default-group-policy MycompanyVpnPolicy
dhcp-server 3.3.3.3
tunnel-group ikev1tunnelgroup webvpn-attributes
authentication certificate
tunnel-group ikev1tunnelgroup ipsec-attributes
chain
ikev1 trust-point mytrustpoint
isakmp keepalive threshold 100 retry 2
ikev1 user-authentication none

tunnel group map

myfirewall/act/pri# sh run tunnel-group-map
tunnel-group-map enable rules
tunnel-group-map default-group ikev1tunnelgroup

RA VPN config with SSL

For AnyConnect you have to create your profile XML file. This requires ASDM.
Go to the Profile Editor in ASDM, open your server list entry in your profile, and set the gateway IP there.
The basic authentication for SSL is EAP… You need to create at least a local user to be able to test it.

webvpn

myfirewall/act/pri# sh run webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.0.0629-k9.pkg 2
anyconnect profiles sslprofile disk0:/sslprofile.xml
anyconnect profiles test2 disk0:/acv3ipsecprofile.xml
anyconnect enable
tunnel-group-list enable
certificate-group-map MyCertMap1 5 ssltunnelgroup

certificate map

My certificate map is really useless in a live environment, but it does what I want for this simple test.

myfirewall/act/pri# sh run cry ca cert ma
crypto ca certificate map MyCertMap1 5
subject-name attr ea eq jimmy@mycompany.com

tunnel group

I could use the same tunnel-group that I have for IKEv1 and simply add some webvpn commands to it, but I made two different tunnel-groups.

myfirewall/act/pri# sh run tun ssltunnelgroup
tunnel-group ssltunnelgroup type remote-access
tunnel-group ssltunnelgroup general-attributes
default-group-policy MycompanyVpnPolicy
dhcp-server 3.3.3.3
tunnel-group ssltunnelgroup webvpn-attributes
authentication certificate

group policy

The group policy could also be two different groups, but I used the same group for SSL that I had already configured for IKEv1 and added/changed some commands here.

myfirewall/act/pri# sh run group-policy MycompanyVpnPolicy
group-policy MycompanyVpnPolicy internal
group-policy MycompanyVpnPolicy attributes
wins-server value 1.1.1.1
dns-server value 2.2.2.2
dhcp-network-scope 10.10.10.10
vpn-simultaneous-logins 20
vpn-tunnel-protocol ikev1 ssl-client
default-domain value mycompany.com
webvpn
anyconnect profiles value test2 type user

RA VPN config with IKEv2

The new commands for IKEv2 are the ones containing ikev2 (they were highlighted in colour in the original post); the rest is the old configuration.
In the crypto configuration the key command is “crypto dynamic-map”, which lets us configure IKEv2 in the same dynamic map that already has an IKEv1 entry.
And here is something you have to know. The authentication method for IKEv2 can be one of the EAP methods listed in the Profile Editor (for example IKE-RSA). If you need IKE-RSA, you should not check ‘Standard Authentication Only’, and you should choose IKE-RSA in the “Authentication method during IKE Negotiation” list; otherwise the VPN will fail every time you connect with AnyConnect.

isakmp

myfirewall/act/pri# sh run cry ikev2
crypto ikev2 policy 1
encryption aes-256 aes-192 aes 3des
integrity sha md5
group 5 2 1
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint mytrustpoint

transform set

myfirewall/act/pri(config)# sh run crypto ipsec
crypto ipsec ikev1 transform-set MycompanyTransformSet esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal MycompanyTransformSet2
protocol esp encryption aes-256 aes-192 aes 3des
protocol esp integrity sha-1

dynamic map

myfirewall/act/pri# sh run cry dyn
crypto dynamic-map out_dyn_map 10 set ikev1 transform-set MycompanyTransformSet
crypto dynamic-map out_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map out_dyn_map 20 set ikev2 ipsec-proposal MycompanyTransformSet2

crypto map

myfirewall/act/pri(config)# sh run cry map
crypto map out_cry_map 10 ipsec-isakmp dynamic out_dyn_map
crypto map out_cry_map interface outside

The rest of the config (webvpn, tunnel-group, group-policy, certificate map)

Here is a small command topology to understand the relationship between the important configuration parts.

webvpn
|
|-- “certificate-group-map” command: binds a “crypto ca certificate map”
|   (the matching rule) to a “tunnel-group”
|
`-- “anyconnect profiles” command: binds the profile XML file to the
    “anyconnect profiles value” command in the group-policy (that is what
    actually assigns the AnyConnect profile for webvpn)
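To see those bindings checked in one place, here is an added example of my own (not from the post and not a Cisco tool): a small Python script that walks a pasted running-config excerpt and reports references that point at nothing, i.e. a transform-set or ipsec-proposal named in the dynamic map, a trustpoint, a group-policy, the certificate map and tunnel-group named in certificate-group-map, the AnyConnect profile named in the group-policy, and an IKE version used somewhere but not enabled on an interface. The sample config is constructed from the fragments in this post (same names and addresses) and deliberately keeps one misspelled transform-set name so the check has something to find.

```python
import re

# Constructed sample: the IKEv1, IKEv2 and SSL fragments from the post pasted
# together as one running-config excerpt (names and addresses are the post's).
# "MycompanysTransformSet" is misspelled on purpose so the check finds it.
SAMPLE_CONFIG = """
crypto ikev1 enable outside
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint mytrustpoint
crypto ipsec ikev1 transform-set MycompanysTransformSet esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal MycompanyTransformSet2
 protocol esp encryption aes-256 aes-192 aes 3des
crypto dynamic-map out_dyn_map 10 set ikev1 transform-set MycompanyTransformSet
crypto dynamic-map out_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map out_dyn_map 20 set ikev2 ipsec-proposal MycompanyTransformSet2
crypto map out_cry_map 10 ipsec-isakmp dynamic out_dyn_map
crypto ca trustpoint mytrustpoint
crypto ca certificate map MyCertMap1 5
 subject-name attr ea eq test2@mycompany.com
group-policy MycompanyVpnPolicy internal
group-policy MycompanyVpnPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 webvpn
  anyconnect profiles value test2 type user
tunnel-group ikev1tunnelgroup type remote-access
tunnel-group ikev1tunnelgroup general-attributes
 default-group-policy MycompanyVpnPolicy
tunnel-group ikev1tunnelgroup ipsec-attributes
 ikev1 trust-point mytrustpoint
tunnel-group ssltunnelgroup type remote-access
tunnel-group ssltunnelgroup general-attributes
 default-group-policy MycompanyVpnPolicy
webvpn
 enable outside
 anyconnect profiles test2 disk0:/acv3ipsecprofile.xml
 anyconnect enable
 certificate-group-map MyCertMap1 5 ssltunnelgroup
"""

# (regex over a stripped line, kind): the line DEFINES an object of that kind,
# named by group 1
DEFINITIONS = [
    (r"^crypto ipsec ikev1 transform-set (\S+)", "transform-set"),
    (r"^crypto ipsec ikev2 ipsec-proposal (\S+)", "ipsec-proposal"),
    (r"^crypto dynamic-map (\S+) \d+ ", "dynamic-map"),
    (r"^crypto ca trustpoint (\S+)", "trustpoint"),
    (r"^crypto ca certificate map (\S+ \d+)", "certificate map"),
    (r"^group-policy (\S+) internal", "group-policy"),
    (r"^tunnel-group (\S+) type ", "tunnel-group"),
    (r"^anyconnect profiles (?!value\b)(\S+) \S+", "anyconnect profile"),
    (r"^crypto (ikev1|ikev2) enable ", "enabled protocol"),
]

# (regex over a stripped line, kind): the line REFERENCES an object of that
# kind, which must be defined somewhere in the same config
REFERENCES = [
    (r"^crypto dynamic-map \S+ \d+ set ikev1 transform-set (\S+)", "transform-set"),
    (r"^crypto dynamic-map \S+ \d+ set ikev2 ipsec-proposal (\S+)", "ipsec-proposal"),
    (r"^crypto dynamic-map \S+ \d+ set (ikev1|ikev2) ", "enabled protocol"),
    (r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "dynamic-map"),
    (r"^crypto ikev2 remote-access trustpoint (\S+)", "trustpoint"),
    (r"^ikev1 trust-point (\S+)", "trustpoint"),
    (r"^default-group-policy (\S+)", "group-policy"),
    (r"^certificate-group-map (\S+ \d+) \S+", "certificate map"),
    (r"^certificate-group-map \S+ \d+ (\S+)", "tunnel-group"),
    (r"^anyconnect profiles value (\S+)", "anyconnect profile"),
]


def check_asa_config(text):
    """Return the list of dangling references (empty list = consistent).
    Only the IPsec/IKE side is covered; ssl-client is not checked here."""
    defined, referenced = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for pattern, kind in DEFINITIONS:
            m = re.match(pattern, line)
            if m:
                defined.setdefault(kind, set()).add(m.group(1))
        for pattern, kind in REFERENCES:
            m = re.match(pattern, line)
            if m:
                referenced.append((kind, m.group(1), line))
        # vpn-tunnel-protocol lists several protocols on one line; every IKE
        # version named there must be enabled on an interface
        if line.startswith("vpn-tunnel-protocol"):
            for proto in line.split()[1:]:
                if proto in ("ikev1", "ikev2"):
                    referenced.append(("enabled protocol", proto, line))
    return [f"{kind} '{name}' is used by '{line}' but never defined"
            for kind, name, line in referenced
            if name not in defined.get(kind, set())]


if __name__ == "__main__":
    for problem in check_asa_config(SAMPLE_CONFIG) or ["no dangling references"]:
        print(problem)
```

Run it against your own “show running-config” output pasted into SAMPLE_CONFIG (or read from a file); every line it prints is a binding that the ASA will silently accept but that will not do what you expect, which is exactly the kind of mismatch that makes one client type work and another fail.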

webvpn

For AnyConnect you have to customize your profile XML file again. This is the first (and hopefully the last) thing that requires ASDM.
Go to the Profile Editor in ASDM, open your server list entry in your profile, and change your Primary Protocol to IPsec there.
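The profile settings described here and in the IKEv2 introduction above (Primary Protocol set to IPsec, ‘Standard Authentication Only’ unchecked, IKE-RSA chosen as the authentication method during IKE negotiation) end up in the profile XML that ASDM writes to the ASA. As an added example of my own, not part of the post, here is a Python check that reads such a profile and flags server entries that would fail against this setup. The sample profile is constructed, and the element names (HostEntry, PrimaryProtocol, StandardAuthenticationOnly, AuthMethodDuringIKENegotiation) are my assumption of what the Profile Editor writes for those fields; compare them with a profile exported from your own ASDM before relying on the check.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile for the post's firewall. Element names are an
# assumption (what the ASDM Profile Editor writes for "Primary Protocol",
# "Standard Authentication Only" and "Authentication method during IKE
# Negotiation"); verify against a profile exported from your own ASDM.
PROFILE_XML = """
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>myfirewall.mycompany.com</HostName>
      <HostAddress>30.30.30.1</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>false
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the namespace prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child of elem with the given local name, or None."""
    if elem is None:
        return None
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _text(elem):
    """Element text with surrounding whitespace removed ('' if missing).
    The protocol elements are mixed content ("IPsec" followed by child
    elements), so .text carries the value plus the indentation after it."""
    return (elem.text or "").strip() if elem is not None else ""


def check_profile(xml_text):
    """Return {host: [issues]} for every HostEntry in the profile. An empty
    issue list means the entry is set for IKEv2 with certificate (IKE-RSA)
    authentication, which is what the IKEv2 setup in the post needs."""
    root = ET.fromstring(xml_text)
    report = {}
    for entry in root.iter():
        if _local(entry.tag) != "HostEntry":
            continue
        host = _text(_child(entry, "HostName")) or _text(_child(entry, "HostAddress"))
        issues = []
        proto = _child(entry, "PrimaryProtocol")
        if _text(proto) != "IPsec":
            issues.append("PrimaryProtocol is %r, not IPsec: AnyConnect will use SSL"
                          % (_text(proto) or "unset"))
        else:
            std = _child(proto, "StandardAuthenticationOnly")
            if _text(std).lower() != "false":
                issues.append("StandardAuthenticationOnly must be false for IKE-RSA")
            method = _text(_child(std, "AuthMethodDuringIKENegotiation"))
            if method != "IKE-RSA":
                issues.append("AuthMethodDuringIKENegotiation is %r, expected IKE-RSA"
                              % (method or "unset"))
        report[host] = issues
    return report


if __name__ == "__main__":
    for host, issues in check_profile(PROFILE_XML).items():
        print(host, "->", issues or "ok for IKEv2 with IKE-RSA")
```

The check deliberately reads the text of the mixed-content elements, because the value (IPsec, false) sits before the child elements rather than in an attribute; that is also why a profile that looks right in the editor can still carry a leftover “true” from an earlier SSL-only test.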

myfirewall/act/pri(config)# sh run webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.0.0629-k9.pkg 2
anyconnect profiles test2 disk0:/acv3ipsecprofile.xml
anyconnect enable
tunnel-group-list enable
certificate-group-map MyCertMap1 5 ssltunnelgroup

certificate map

myfirewall/act/pri(config)# sh run cry ca cert ma
crypto ca certificate map MyCertMap1 5
subject-name attr ea eq test2@mycompany.com

tunnel-group

myfirewall/act/pri# sh run tun ssltunnelgroup
tunnel-group ssltunnelgroup type remote-access
tunnel-group ssltunnelgroup general-attributes
default-group-policy MycompanyVpnPolicy
dhcp-server 3.3.3.3
tunnel-group ssltunnelgroup webvpn-attributes
authentication certificate

group-policy

There are a lot of changes that need to be done, see below :-)

myfirewall/act/pri# sh run group-policy MycompanyVpnPolicy
group-policy MycompanyVpnPolicy internal
group-policy MycompanyVpnPolicy attributes
wins-server value 1.1.1.1
dns-server value 2.2.2.2
dhcp-network-scope 10.10.10.10
vpn-simultaneous-logins 20
vpn-tunnel-protocol ikev1 ikev2 ssl-client
default-domain value mycompany.com
webvpn
anyconnect profiles value test2 type user

Good luck if you are just starting it on your own, and remember: there are two kinds of angry people, explosive and implosive.
Explosive is the kind of individual that you see screaming at the cashier for not taking their coupons.
Implosive is the cashier who remains quiet, day after day and finally shoots everyone in the store.
(Anger Management)
If it does not work today it will work tomorrow…

Posted in: ASA, Cisco, Security, VPN