See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).
- Cisco Site To Site Vpn
- Anyconnect Ipsec Ikev2
- Ipsec Anyconnect Mac
- Setup Anyconnect Ipsec Vpn On Windows 10
- Anyconnect Ipsec Pre-shared Key
ASA Configuration
Cisco Anyconnect version 3.0 and above support SSL as well as IPSECv2 connection. If you want the user to connect using IPSECv2 from the Anyconnect client then it will consume the SSL license and not the IPsec license however if you use IPSECv2 for connections like site to site vpn then it will consume normal IPSec VPN license. These were supported using the 'Cisco VPN client' for IPsec based VPN and Anyconnect for SSL based VPN. Each of those products only supported their own protocol however with the introduction of Anyconnect Secure Mobility Client 3.0, the client can now use IPsec (IKEv2) or SSL for the transport of the VPN connection. Anyconnect IPsec to Fortigate Anyone have luck creating an Cisco Anyconnect profile that works with a Fortigate as the VPN provider? Using the default Fortigate wizard for Anyconnect and the default settings on the client do not seem to work. IPsec and AnyConnect share the same configured RADIUS and active directory servers The use of a server identity certificate with a custom hostname is not supported at this time. Currently, the MX will automatically enroll in a publicly trusted certificate using the Meraki Dynamic DNS host name on the dashboard network. Mar 11, 2018 See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).
Create a Crypto Keypair
Create a CA Trustpoint
Authenticate the Trustpoint
In this example the ASA will enrol with a Windows Certificate Authority.
- Open the CA’s Trusted Root certificate in notepad
- Copy the contents on the certificate
- On the ASA run the command crypto ca authenticate LAB_PKI
- When prompted paste the contents of the CA Trusted Root certificate
- Type quit at the end
- Enter yes to import the certificate
EnrolL ASA for Identity Certificate
The ASA will create a CSR, which will need to be signed by the Windows CA and the signed certificate imported.
- On the ASA run the command crypto ca enroll LAB_PKI
- When prompted copy the contents of the CSR
- Complete the Certificate Signing Request
- On the Window CA open the Web page to sign certificates, click Request a certificate
- Click advanced certificate request
- Paste the CSR generated on the ASA in the previous step above
- Select the Certificate Template Web Server
- Click Submit
- Select Base 64 encoded
- Click Download certificate, save the file to a file for use in the next step
- On the ASA, run the command crypto ca import LAB_PKI certificate. LAB_PKI equals the name of the trustpoint previously defined.
- When prompted paste the contents of the saved file (generated in the previous step)
- Type quit at the end
- Verify the Identity and Trusted Root Certificates imported successfully by running the command show crypto ca certificates
- In the screenshot below the first certificate is the Identity Certificate (note the Subject name of the ASA). The second certificate is the Trusted Root certificate (note the subject name = lab=PKI-CA).
Enable the Certificate Trustpoint on the OUTSIDE interface
Enable the Certificate Trustpoint for Remote Access
Define IKEv2 Policy
Define IPSec Transform Sets
Define Crypto Map
Reference the previously created IPSec Transform Sets. Enable Crypto Map on OUTSIDE interface
Modify Group Policy to enable IKEv2
Enable AAA and Certificate authentication
For additional security double authentication will be configured to require certificate and username/password. The certificate will be authenticated against the ASA, the UN/PW will be authenticated against the RADIUS server (defined in the previous post).
Cisco Site To Site Vpn
Enable AAA accounting (if not already enabled)
AAA accounting should be enabled to keep track of the connections.
ISE Configuration
The ISE Authorization Policy as defined in the previous post needs modifying to add a new rule for clients connecting with IPSec. Using this attribute is optional, but can be used to distinguish between different connections types if required.
- Create a new Authorization rule called AnyConnect IPSec VPN
- Define Conditions: Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name CONTAINS TG-1 AND Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type EQUALS AnyConnect-Client-IPSec-VPN
- Permissions: VPN_Permit_DACL
Testing & Verification
You will need to create a AnyConnect Profile, download the AnyConnect Profile Editor
- Open the VPN Profile Editor
- Navigate to the Server List and click Add
- Define a display name for the connection e.g ASA IKEv2/IPSec VPN
- Define the FQDN
- Define the User Group, this represents the Tunnel-Group on the ASA, in this instance the name is TG-1 (as defined in the previous post)
- Set the Primary Protocol to IPSec
- Click Save and ensure the file is saved to the folder location:
- C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientProfile
- C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientProfile
- Restart the Cisco AnyConnect services or reboot
- Open the Cisco AnyConnect Secure Mobility Client, this should display the new connection
The Windows computer has a User and Computer certificate issued by the same Windows CA that signed the certificate in use on the ASA, and therefore they should mutually trust each other and successfully authenticate.
Anyconnect Ipsec Ikev2
- On the ASA run the command debug aaa authentication
- On the PC connect to the VPN and enter and username/password when prompted. Certificate authentication, if successful should be transparent
From the ASA debugs you can see the certificate authentication was successful
Authentication using Username/Password was also successful. You can see from the debug output aaa authentication was successful, a DACL was downloaded, aaa accounting was successful and the client was successfully assigned an IP address from the local pool.
- On the ASA run the command show vpn-session detail anyconnect
You will be able to confirm the Username, Assigned IP address, IKEv2 encryption algorithm used, authentication method, group-policy and tunnel-group etc.
Introduction
This document describes how to connect a PC to a Cisco Adaptive Security Appliance (ASA) with the use of AnyConnect IPsec (IKEv2) as well as certificate and Authentication, Authorization, and Accounting (AAA) authentication.
Note: The example that is provided in this document describes only the relevant parts that are used in order to obtain an IKEv2 connection between the ASA and AnyConnect. A full configuration example is not provided. Network Address Translation (NAT) or access-list configuration is not described or required in this document.
Prepare for the Connection
This section describes the perparations that are required before you can connect your PC to the ASA.
Certificates with Proper EKU
It is important to note that even though it is not required for the ASA and AnyConnect combination, RFC requires that certificates have Extended Key Usage (EKU):
- The certificate for the ASA must contain the server-auth EKU.
- The certificate for the PC must contain the client-auth EKU.
Note: An IOS router with the recent software revision can place EKUs onto certificates.
Configuration on the ASA
This section describes the ASA configurations that are required before the connection occurs.
Note: The Cisco Adaptive Security Device Manager (ASDM) allows you to create the basic configuration with only a few clicks. Cisco recommends that you use it in order to avoid mistakes.
Crypto Map Configuration
Here is a crypto map example configuration:
IPsec Proposals
Here is an IPsec proposal example configuration:
IKEv2 Policies
Here is an IKEv2 policy example configuration:
Client Services and Certificate
You must enable client services and certificates on the correct interface, which is the outside interface in this case. Here is an example configuration:
Note: The same trustpoint is also assigned for Secure Sockets Layer (SSL), which is intended and required.
Enable AnyConnect Profile
Ipsec Anyconnect Mac
You must enable the AnyConnect profile on the ASA. Here is an example configuration:
Username, Group-Policy, and Tunnel-Group
Here is an example configuration for a basic username, group-policy, and tunnel-group on the ASA:
Setup Anyconnect Ipsec Vpn On Windows 10
AnyConnect Profile
Here is an example profile with the relevant parts shown in bold:
Here are some important notes about this configuration example:
- When you create the profile, the HostAddress must match the Certificate Name (CN) on the certificate that is used for IKEv2. Enter the crypto ikev2 remote-accesstrustpoint command in order to define this.
- The UserGroup must match the name of the tunnelgroup to which the IKEv2 connection falls. If they do not match, the connection often fails and the debugs indicate a Diffie-Hellman (DH) group mismatch or a similar false negative.
Make the Connection
This section describes the PC-to-ASA connection when the profile is already present.
Note: The information that you input into the GUI in order to connect is the <HostName> value that is configured in the AnyConnect profile. In this case, bsns-asa5520-1 is entered, not the complete Fully Qualified Domain Name (FQDN).
When you first attempt to connect through AnyConnect, the gateway prompts you to select the certificate (if automatic certificate selection is disabled):
You must then enter the Username and Password:
Once the Username and Password are accepted, the connection is successful and the AnyConnect statistics can be verified:
Verification on ASA
Enter this command on the ASA in order to verify that the connection uses IKEv2 as well as AAA and certificate authentication:
Anyconnect Ipsec Pre-shared Key
Known Caveats
These are the known caveats and issues that are related to the information that is described in this document:
- The IKEv2 and SSL trustpoints must be the same.
- Cisco recommends that you use the FQDN as the CN for the ASA-side certificates. Ensure that you reference the same FQDN for the <HostAddress> in the AnyConnect profile.
- Remember to insert the <HostName> value from the AnyConnect profile when you connect.
- Even in the IKEv2 configuration, when AnyConnect connects to the ASA, it downloads profile and binary updates over SSL, but not IPsec.
- The AnyConnect connection over IKEv2 to the ASA uses EAP-AnyConnect, a proprietary mechanism that allows simpler implementation.