
Cisco ASA IKEv2 remote access VPN not AnyConnect

by Domenica Kerluke Published 3 years ago Updated 2 years ago

How do I enable IPsec IKEv2 on AnyConnect?

NOTE: The AnyConnect client protocol defaults to SSL. To enable IPsec IKEv2, you must configure the IKEv2 settings on the ASA and also configure IKEv2 as the primary protocol in the client profile. The IKEv2-enabled profile must be deployed to the endpoint computer; otherwise the client attempts to connect using SSL.

How to use clientless WebVPN with Asa?

The clientless WebVPN method does not require a VPN client to be installed on the user’s computer. You just open your web browser, enter the IP address of the ASA and you get access through a web portal. You only have limited access to a number of applications; there is no full network access when you use clientless WebVPN.

How does the ASA assign IP addresses to remote users?

The ASA assigns IP addresses to all remote users that connect with the AnyConnect VPN client. We configure a pool of IP addresses for this: remote users get an IP address from the pool, and we use the IP address range 192.168.10.100 – 192.168.10.200.

What SSL VPN modes does the ASA offer?

When it comes to SSL, the ASA offers two SSL VPN modes: clientless WebVPN and AnyConnect VPN. The clientless WebVPN method does not require a VPN client to be installed on the user’s computer.


Does Cisco AnyConnect use IKEv2?

Each of those products supported only its own protocol. With the introduction of AnyConnect Secure Mobility Client 3.0, however, the client can use either IPsec (IKEv2) or SSL as the transport for the VPN connection.

Is Cisco AnyConnect a remote access VPN?

AnyConnect VPN offers full network access. The remote user uses the AnyConnect client to connect to the ASA and receives an IP address from a VPN pool, allowing full access to the network. The topology has an ASA firewall with two security zones: inside and outside.

Can I use Cisco AnyConnect instead of Cisco VPN client?

The AnyConnect Secure Mobility Client is the preferred Cisco client option. It is actively updated and includes support for both IPsec and SSL VPN options. AnyConnect profiles are configured at the VPN server side and deployed to the client, and the AnyConnect client also supports IKEv2.

Does Cisco ASA support IKEv2?

IKEv2 was published as RFC 5996 in September 2010 and is fully supported on Cisco ASA firewalls.

What type of VPN is AnyConnect?

Cisco AnyConnect VPNs utilize TLS to authenticate and configure routing, then DTLS to efficiently encrypt and transport the tunneled VPN traffic, and can fall back to TLS-based transport where firewalls block UDP-based traffic.

How do I access my Cisco ASA remotely?

There are eight basic steps in setting up remote access for users with the Cisco ASA:

1. Configure an identity certificate.
2. Upload the SSL VPN client image to the ASA.
3. Enable AnyConnect VPN access.
4. Create a group policy.
5. Configure access list bypass.
6. Create a connection profile and tunnel group.
7. Configure NAT exemption.
(More items...)

Can I use Windows VPN instead of Cisco AnyConnect?

So no, Windows cannot natively connect to a Cisco VPN because they use different protocols for the tunnel. +1 This is correct. Cisco used to use IPSec, but has switched to SSL (with the AnyConnect client). Windows allows L2TP/IPsec, SSTP, PPTP and IKEv2.

What is the difference between Cisco AnyConnect and VPN client?

Cisco AnyConnect vs Cisco VPN Client: at a high level, there are two major differences between the two clients. First, the AnyConnect client supports both SSL and IPsec VPN options (including support for IKEv2 and NSA Suite B IPsec), while the VPN client supports only IPsec.

How do I change my Cisco AnyConnect settings?

If you are in ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profiles, highlight the client profile you have and click the “Edit” button. Update the hostname to be the domain name and update the host address to be the new IP address and click OK.

How do I enable IKEv2 on Cisco ASA?

Configure the remote IPsec tunnel pre-shared key or certificate trustpoint. Create a crypto map and match based on the previously created ACL.

IPsec IKEv2 Example

1. Create and enter IKEv2 policy configuration mode.
   asa1(config)# crypto ikev2 policy 1
2. Configure an encryption method.
   asa1(config-ikev2-policy)# encryption aes
(17 more rows • Nov 15, 2013)

Which is better IKEv2 or IPsec?

IPsec is considered secure and reliable, while IKEv2 is extremely fast and stable: IKEv2 offers quick reconnections when switching networks or after sudden drops. Thus, the combination IKEv2/IPsec forms one of the best VPN protocols, exhibiting the advantages of both.

How do I enable IKEv2?

To enable IKEv2 on a crypto interface, attach an IKEv2 profile to the crypto map or IPsec profile applied to the interface. You need not enable IKEv1 on individual interfaces because IKEv1 is enabled globally on all interfaces in the router.

How does Cisco AnyConnect VPN Work?

Remote and mobile users use the Cisco AnyConnect Secure VPN client to establish VPN sessions with the adaptive security appliance. The adaptive security appliance sends web traffic to the Web Security appliance along with information identifying the user by IP address and user name.

How do I enable Cisco AnyConnect VPN through Remote Desktop?

1. Go to the Cisco AnyConnect VPN program, enter your HSPH PIN password, and click Accept.
2. Go to “Remote Desktop”; your IP address should already be there from the initial setup. Click Connect.

Does Cisco AnyConnect work anywhere?

Cisco AnyConnect Secure Mobility Client empowers employees to work from anywhere on company laptops or personal mobile devices. It also provides the visibility and control security teams need to identify who and which devices are accessing their infrastructure.

How do I use Cisco AnyConnect?

Connect to VPN:

1. Connect to the internet.
2. Open Cisco AnyConnect Secure Mobility Client.
3. Enter vpn.cmu.edu and click Connect.
4. Click the Group drop-down and choose the VPN option that best suits your needs.
5. Enter your Andrew userID and password.
6. Authenticate with 2FA (DUO).
7. Click OK.

What is IKEv2 in Cisco?

This document describes how to understand debugs on the Cisco Adaptive Security Appliance (ASA) when Internet Key Exchange Version 2 (IKEv2) is used with a Cisco AnyConnect Secure Mobility Client. This document also provides information on how to translate certain debug lines in an ASA configuration.

What is an ASA response?

The ASA generates a response to the IKE_AUTH message and prepares to authenticate itself to the client.

Why does the client omit the Auth payload from message 3?

The client omits the AUTH payload from message 3 in order to indicate a desire to use extensible authentication. When Extensible Authentication Protocol (EAP) authentication is specified or implied by the client profile and the profile does not contain the <IKEIdentity> element, the client sends an ID_GROUP type IDi payload with the fixed string *$AnyConnectClient$*. The client initiates a connection to the ASA on port 4500.

What does id mean in EAP?

id: 1 - The id helps match the EAP responses with the requests. Here the value is 1, which indicates that this is a response to the request previously sent by the ASA (authenticator). This EAP response has the 'config-auth' type of 'init'; the client is initializing the EAP exchange and is waiting for the ASA to generate the authentication request.

What is the length of an EAP packet?

Length: 150 - Length of the EAP packet includes the code, id, length, and EAP data.

Why does ASA use Auth?

The ASA sends the AUTH payload in order to request user credentials from the client. The ASA sends the AUTH method as 'RSA', so it sends its own certificate to the client, which allows the client to authenticate the ASA server.

Is EAP authentication allowed?

Authentication is done with EAP. Only a single EAP authentication method is allowed within an EAP conversation. The ASA receives the IKE_AUTH message from the client.

What is Cisco AnyConnect Secure Mobility Solution?

The Cisco AnyConnect Secure Mobility Solution provides a comprehensive, highly secure enterprise mobility solution. The Cisco AnyConnect Secure Mobility Solution continues to lead with next-generation security and encryption, including support for the Suite B set of cryptographic algorithms and support for IPv6 networks. More importantly, it adapts its tunneling protocol to the most efficient method. The AnyConnect client can be used to connect to both SSL VPN and IKEv2 IPsec VPN. In this document we will see how to configure only IKEv2 IPsec VPN.

What is active/active failover?

Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic. In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

We have already seen the configuration for Active/Standby failover in the previous article. This article focuses on how to configure an Active/Active Failover configuration on the ASA Security Appliance.

Network Diagram (Physical Topology): figure not reproduced here.

What is AnyConnect VPN?

AnyConnect is the replacement for the old Cisco VPN client and supports SSL and IKEv2 IPsec. When it comes to SSL, the ASA offers two SSL VPN modes:

  • Clientless WebVPN
  • AnyConnect VPN

The clientless WebVPN method does not require a VPN client to be installed on the user’s computer. You just open your web browser, ...

What is the IP address of AnyConnect?

You can see that we received IP address 192.168.10.100 (the first IP address from the VPN pool). AnyConnect creates an additional interface, just like the legacy Cisco VPN client does.

What happens when a VPN user terminates a session?

Normally, when the remote VPN user terminates the session, the AnyConnect installer is uninstalled. The anyconnect keep-installer installed command leaves it installed on the user’s computer.

What happens when you have an inbound access list?

When you have an inbound access-list on the outside interface, all decrypted traffic from the SSL WebVPN has to match that inbound access-list. You can either create permit statements for the decrypted traffic or tell the ASA to let this traffic bypass the access-list.

Why does my client try to download AnyConnect?

The client tries to download AnyConnect automatically because of the anyconnect ask none default anyconnect command that we used. Since we are using a self-signed certificate, you will get a certificate error message.

When remote users connect to our WebVPN, do they have to use HTTPS?

The following option is not required but useful: whenever someone accesses the ASA through HTTP, they are redirected to HTTPS.

What is ANYCONNECT_POLICY?

The group policy is called “ANYCONNECT_POLICY” and it’s an internal group policy which means that we configure it locally on the ASA. An external group policy could be on a RADIUS server.

Chapter Description

This chapter shows how to deploy and manage client-based Secure Sockets Layer (SSL) virtual private networks (VPN) on Cisco Adaptive Security Appliance (ASA) as the VPN gateway using AnyConnect Secure Mobility Client software.

From the Book

As you’ll see, you can initiate a client-based SSL VPN session from a broad range of devices and operating systems that support installation of the AnyConnect client (desktops, laptops, mobile devices), as shown in Figure 3-1.

Configuring Basic Cisco ASA SSL VPN Gateway Features

To initially prepare the ASA for SSL VPN termination, complete the following steps:


Introduction

  • This document describes how to understand debugs on the Cisco Adaptive Security Appliance (ASA) when Internet Key Exchange Version 2 (IKEv2) is used with a Cisco AnyConnect Secure Mobility Client. This document also provides information on how to translate certain debug lines in an ASA configuration. This document does not describe how to pass traf...

Prerequisites

  • Requirements
    Cisco recommends that you have knowledge of the packet exchange for IKEv2. For more information, refer to IKEv2 Packet Exchange and Protocol Level Debugging.
  • Components Used
    The information in this document is based on these software and hardware versions:
    1. Internet Key Exchange Version 2 (IKEv2)
    2. Cisco Adaptive Security Appliance (ASA) Version 8.4 or later
    The information in this document was created from the devices in a specific lab environment. All …

Core Issue

  • The Cisco Technical Assistance Center (TAC) often uses IKE and IPSec debug commands in order to understand where there is a problem with IPSec VPN tunnel establishment, but the commands can be cryptic.

Scenario

  • ASA Configuration
    This ASA configuration is strictly basic, with no use of external servers.
  • XML File
    Note: The UserGroup name in the XML client profile must be the same as the name of the tunnel-group on the ASA. Otherwise, the error message 'Invalid Host Entry. Please re-enter' is seen on the AnyConnect client.

Debug Logs and Descriptions

  • Note: Logs from the Diagnostics and Reporting Tool (DART) are generally very chatty, so certain DART logs have been omitted in this example due to insignificance.

Tunnel Verification

  • AnyConnect
    Sample output from the show vpn-sessiondb detail anyconnect command is:
  • ISAKMP
    Sample output from the show crypto ikev2 sa command is:
    Sample output from the show crypto ikev2 sa detail command is:
