Anyconnect Ipsec



Introduction

  1. IPsec VPNs protect IP packets exchanged between remote networks or hosts and an IPsec gateway located at the edge of your private network. SSL/TLS VPN products protect application traffic streams.
  2. IPsec and AnyConnect share the same configured RADIUS and Active Directory servers. The use of a server identity certificate with a custom hostname is not supported at this time. Currently, the MX automatically enrolls in a publicly trusted certificate using the Meraki Dynamic DNS host name of the dashboard network.

This document describes how to connect a PC to a Cisco Adaptive Security Appliance (ASA) with the use of AnyConnect IPsec (IKEv2) as well as certificate and Authentication, Authorization, and Accounting (AAA) authentication.

These were supported using the 'Cisco VPN Client' for IPsec-based VPN and AnyConnect for SSL-based VPN. Each of those products only supported its own protocol; however, with the introduction of AnyConnect Secure Mobility Client 3.0, the client can use either IPsec (IKEv2) or SSL as the transport for the VPN connection.

It appears from my fw logs that AnyConnect is still reaching out to the Fortigate over tcp/443 even though it's set up for IPsec. I think it's expecting a Cisco at the other end to feed it a config. The AnyConnect IPsec config is very terse; there's not much to set. Waiting for support, but I suspect that this just isn't possible.

The Cisco AnyConnect Secure Mobility Solution provides a comprehensive, highly secure enterprise mobility solution. It continues to lead with next-generation security and encryption, including support for the Suite B set of cryptographic algorithms and support for IPv6 networks.

Note: The example that is provided in this document describes only the relevant parts that are used in order to obtain an IKEv2 connection between the ASA and AnyConnect. A full configuration example is not provided. Network Address Translation (NAT) or access-list configuration is not described or required in this document.


Prepare for the Connection

This section describes the preparations that are required before you can connect your PC to the ASA.

Certificates with Proper EKU

It is important to note that, even though the ASA and AnyConnect combination does not enforce it, the RFC requires that certificates carry an Extended Key Usage (EKU):

  • The certificate for the ASA must contain the server-auth EKU.
  • The certificate for the PC must contain the client-auth EKU.

Note: An IOS router with a recent software revision can place EKUs onto the certificates it issues.

Configuration on the ASA


This section describes the ASA configurations that are required before the connection occurs.

Note: The Cisco Adaptive Security Device Manager (ASDM) allows you to create the basic configuration with only a few clicks. Cisco recommends that you use it in order to avoid mistakes.


Crypto Map Configuration

Here is a crypto map example configuration:

IPsec Proposals


Here is an IPsec proposal example configuration:

IKEv2 Policies

Here is an IKEv2 policy example configuration:

Client Services and Certificate

You must enable client services and certificates on the correct interface, which is the outside interface in this case. Here is an example configuration:

Note: The same trustpoint is also assigned for Secure Sockets Layer (SSL), which is intended and required.

Enable AnyConnect Profile

You must enable the AnyConnect profile on the ASA. Here is an example configuration:

Username, Group-Policy, and Tunnel-Group

Here is an example configuration for a basic username, group-policy, and tunnel-group on the ASA:

AnyConnect Profile

Here is an example profile with the relevant parts shown in bold:

Here are some important notes about this configuration example:


  • When you create the profile, the HostAddress must match the Common Name (CN) on the certificate that is used for IKEv2. Enter the crypto ikev2 remote-access trustpoint command in order to define which certificate that is.
  • The UserGroup must match the name of the tunnel-group into which the IKEv2 connection falls. If they do not match, the connection often fails and the debugs indicate a Diffie-Hellman (DH) group mismatch or a similar false negative.
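The configuration sections above (crypto map, IPsec proposal, IKEv2 policy, client services, AnyConnect profile, group-policy and tunnel-group) and the two profile notes describe settings that have to agree with one another, and the failure mode when they do not is a misleading debug (a DH group mismatch for a wrong UserGroup). The following Python script is an added example and is not part of the original document or Cisco's own tooling: it embeds a constructed ASA configuration excerpt and a constructed AnyConnect profile (all names, such as RA_IKEV2, GP_IKEV2, ASA_TP, IKEv2_PROFILE and the host bsns-asa5520-1.example.com, are assumptions), parses both, and reports the mismatches this document warns about: a UserGroup that is not a remote-access tunnel-group or lacks AAA-plus-certificate authentication, a HostAddress that differs from the certificate CN (the CN is passed in as an argument, since the script does not read the ASA's certificate), differing IKEv2 and SSL trustpoints, and IKEv2 client-services not enabled on the interface.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ASA configuration excerpt (assumed names; not the document's own config).
ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto dynamic-map DYNMAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASA_TP
ssl trust-point ASA_TP outside
webvpn
 enable outside
 anyconnect profiles IKEv2_PROFILE disk0:/ikev2-profile.xml
 anyconnect enable
group-policy GP_IKEV2 internal
group-policy GP_IKEV2 attributes
 vpn-tunnel-protocol ikev2
 anyconnect profiles value IKEv2_PROFILE type user
tunnel-group RA_IKEV2 type remote-access
tunnel-group RA_IKEV2 general-attributes
 default-group-policy GP_IKEV2
tunnel-group RA_IKEV2 webvpn-attributes
 authentication aaa certificate
"""

# Constructed AnyConnect profile: HostName is what the user types, HostAddress must equal the cert CN.
PROFILE_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>bsns-asa5520-1</HostName>
      <HostAddress>bsns-asa5520-1.example.com</HostAddress>
      <UserGroup>RA_IKEV2</UserGroup>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

def parse_asa_config(text):
    """Extract only the settings that the AnyConnect profile has to agree with."""
    cfg = {"ra_groups": set(), "aaa_cert_groups": set(), "ikev2_tp": None,
           "ssl_tp": {}, "client_services": set()}
    tg = None  # tunnel-group whose webvpn-attributes block we are inside
    for line in text.splitlines():
        if not line.startswith(" "):
            tg = None  # any top-level command ends the current sub-mode
        if m := re.match(r"tunnel-group (\S+) type remote-access$", line):
            cfg["ra_groups"].add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) webvpn-attributes$", line):
            tg = m.group(1)
        elif line == " authentication aaa certificate" and tg:
            cfg["aaa_cert_groups"].add(tg)
        elif m := re.match(r"crypto ikev2 remote-access trustpoint (\S+)$", line):
            cfg["ikev2_tp"] = m.group(1)
        elif m := re.match(r"ssl trust-point (\S+) (\S+)$", line):
            cfg["ssl_tp"][m.group(2)] = m.group(1)
        elif m := re.match(r"crypto ikev2 enable (\S+) client-services", line):
            cfg["client_services"].add(m.group(1))
    return cfg

def parse_profile(xml_text):
    """Return one dict per <HostEntry> in the profile's <ServerList>."""
    root = ET.fromstring(xml_text)
    fields = ("HostName", "HostAddress", "UserGroup", "PrimaryProtocol")
    return [{f: h.findtext(f"ac:{f}", default="", namespaces=NS) for f in fields}
            for h in root.iterfind("ac:ServerList/ac:HostEntry", NS)]

def check_profile_against_asa(entries, cfg, cert_cn, iface="outside"):
    """List the mismatches the document warns about; an empty list means consistent."""
    problems = []
    if cfg["ikev2_tp"] is None or cfg["ikev2_tp"] != cfg["ssl_tp"].get(iface):
        problems.append("IKEv2 and SSL trustpoints differ (updates are fetched over SSL)")
    if iface not in cfg["client_services"]:
        problems.append(f"IKEv2 client-services not enabled on {iface}")
    for e in entries:
        name = e["HostName"]
        if e["HostAddress"] != cert_cn:
            problems.append(f"{name}: HostAddress {e['HostAddress']!r} != certificate CN {cert_cn!r}")
        if e["UserGroup"] not in cfg["ra_groups"]:
            problems.append(f"{name}: UserGroup {e['UserGroup']!r} is not a remote-access tunnel-group")
        elif e["UserGroup"] not in cfg["aaa_cert_groups"]:
            problems.append(f"{name}: tunnel-group {e['UserGroup']} lacks 'authentication aaa certificate'")
    return problems

if __name__ == "__main__":
    cfg = parse_asa_config(ASA_CONFIG)
    cn = "bsns-asa5520-1.example.com"  # assumed CN of the ASA_TP certificate
    print("good:", check_profile_against_asa(parse_profile(PROFILE_XML), cfg, cn) or "OK")
    print("bad: ", check_profile_against_asa(
        parse_profile(PROFILE_XML.replace("RA_IKEV2", "RA-IKEV2")), cfg, cn))
```

Run it against a `show running-config` capture and the profile XML that the ASA serves; the second call shows how a single-character difference in UserGroup produces the kind of misleading failure the note above describes, caught here before the client ever reports a DH group mismatch.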

Make the Connection

This section describes the PC-to-ASA connection when the profile is already present.


Note: The information that you input into the GUI in order to connect is the <HostName> value that is configured in the AnyConnect profile. In this case, bsns-asa5520-1 is entered, not the complete Fully Qualified Domain Name (FQDN).

When you first attempt to connect through AnyConnect, the gateway prompts you to select the certificate (if automatic certificate selection is disabled):

You must then enter the Username and Password:

Once the Username and Password are accepted, the connection is successful and the AnyConnect statistics can be verified:

Verification on ASA

Enter this command on the ASA in order to verify that the connection uses IKEv2 as well as AAA and certificate authentication:


Known Caveats

These are the known caveats and issues that are related to the information that is described in this document:


  • The IKEv2 and SSL trustpoints must be the same.
  • Cisco recommends that you use the FQDN as the CN for the ASA-side certificates. Ensure that you reference the same FQDN for the <HostAddress> in the AnyConnect profile.
  • Remember to insert the <HostName> value from the AnyConnect profile when you connect.
  • Even in the IKEv2 configuration, when AnyConnect connects to the ASA it downloads profile and binary updates over SSL, not over the IPsec tunnel.
  • The AnyConnect connection over IKEv2 to the ASA uses EAP-AnyConnect, a proprietary mechanism that allows simpler implementation.