This document describes how to connect a PC to a Cisco Adaptive Security Appliance (ASA) with the use of AnyConnect IPsec (IKEv2) as well as certificate and Authentication, Authorization, and Accounting (AAA) authentication.
Note: The example that is provided in this document describes only the relevant parts that are used in order to obtain an IKEv2 connection between the ASA and AnyConnect. A full configuration example is not provided. Network Address Translation (NAT) or access-list configuration is not described or required in this document.
Prepare for the Connection
This section describes the perparations that are required before you can connect your PC to the ASA.
Certificates with Proper EKU
It is important to note that even though it is not required for the ASA and AnyConnect combination, RFC requires that certificates have Extended Key Usage (EKU):
The certificate for the ASA must contain the server-auth EKU.
The certificate for the PC must contain the client-auth EKU.
Note: An IOS router with the recent software revision can place EKUs onto certificates.
Configuration on the ASA
This section describes the ASA configurations that are required before the connection occurs.
Note: The Cisco Adaptive Security Device Manager (ASDM) allows you to create the basic configuration with only a few clicks. Cisco recommends that you use it in order to avoid mistakes.
Here are some important notes about this configuration example:
When you create the profile, the HostAddress must match the Certificate Name (CN) on the certificate that is used for IKEv2. Enter the crypto ikev2 remote-accesstrustpoint command in order to define this.
The UserGroup must match the name of the tunnelgroup to which the IKEv2 connection falls. If they do not match, the connection often fails and the debugs indicate a Diffie-Hellman (DH) group mismatch or a similar false negative.
Make the Connection
This section describes the PC-to-ASA connection when the profile is already present.
Note: The information that you input into the GUI in order to connect is the <HostName> value that is configured in the AnyConnect profile. In this case, bsns-asa5520-1 is entered, not the complete Fully Qualified Domain Name (FQDN).
When you first attempt to connect through AnyConnect, the gateway prompts you to select the certificate (if automatic certificate selection is disabled):
You must then enter the Username and Password:
Once the Username and Password are accepted, the connection is successful and the AnyConnect statistics can be verified:
Verification on ASA
Enter this command on the ASA in order to verify that the connection uses IKEv2 as well as AAA and certificate authentication:
bsns-asa5520-1# show vpn-sessiondb detail anyconnect filter name cisco
Session Type: AnyConnect Detailed Username : cisco Index : 6 Assigned IP : 172.16.99.5 Public IP : 220.127.116.11 Protocol : IKEv2 IPsecOverNatT AnyConnect-Parent License : AnyConnect Premium Encryption : AES256 AES128 Hashing : none SHA1 SHA1 Bytes Tx : 0 Bytes Rx : 960 Pkts Tx : 0 Pkts Rx : 10 Pkts Tx Drop : 0 Pkts Rx Drop : 0 Group Policy : GroupPolicy_AC Tunnel Group : AC Login Time : 15:45:41 UTC Tue Aug 28 2012 Duration : 0h:02m:41s Inactivity : 0h:00m:00s NAC Result : Unknown VLAN Mapping : N/A VLAN : none IKEv2 Tunnels: 1 IPsecOverNatT Tunnels: 1 AnyConnect-Parent Tunnels: 1 AnyConnect-Parent: Tunnel ID : 6.1 Public IP : 18.104.22.168 Encryption : none Auth Mode : Certificate and userPassword Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes Client Type : AnyConnect Client Ver : 3.0.08057 IKEv2: Tunnel ID : 6.2 UDP Src Port : 60468 UDP Dst Port : 4500 Rem Auth Mode: Certificate and userPassword Loc Auth Mode: rsaCertificate Encryption : AES256 Hashing : SHA1 Rekey Int (T): 86400 Seconds Rekey Left(T): 86238 Seconds PRF : SHA1 D/H Group : 5 Filter Name : Client OS : Windows IPsecOverNatT: Tunnel ID : 6.3 Local Addr : 0.0.0.0/0.0.0.0/0/0 Remote Addr : 172.16.99.5/255.255.255.255/0/0 Encryption : AES128 Hashing : SHA1\ Encapsulation: Tunnel Rekey Int (T): 28800 Seconds Rekey Left(T): 28638 Seconds Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes Bytes Tx : 0 Bytes Rx : 960 Pkts Tx : 0 Pkts Rx : 10
These are the known caveats and issues that are related to the information that is described in this document:
The IKEv2 and SSL trustpoints must be the same.
Cisco recommends that you use the FQDN as the CN for the ASA-side certificates. Ensure that you reference the same FQDN for the <HostAddress> in the AnyConnect profile.
Remember to insert the <HostName> value from the AnyConnect profile when you connect.
Even in the IKEv2 configuration, when AnyConnect connects to the ASA, it downloads profile and binary updates over SSL, but not IPsec.
The AnyConnect connection over IKEv2 to the ASA uses EAP-AnyConnect, a proprietary mechanism that allows simpler implementation.