Cisco Anyconnect Ipsec

admin



  1. Cisco Anyconnect Updates
  2. Cisco Anyconnect Vpn
  3. Cisco Anyconnect Ipsec

Testing Connectivity Using a straight through Ethernet cable, connect the Wired Client to an available port on the router. This varies by router model; however, all routers recommended for use with Cisco dCloud have an available port. Configure the Ethernet port on the Wired Client to receive its IP address via DHCP. One of the reason why AnyConnect could be slower than IPSEC is because AnyConnect by default uses TCP/443, and IPSEC uses either ESP protocol or UDP/4500 if the tunnel goes through PAT device.

See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).

ASA Configuration

Create a Crypto Keypair

Create a CA Trustpoint

Authenticate the Trustpoint

In this example the ASA will enrol with a Windows Certificate Authority.

  • Open the CA’s Trusted Root certificate in notepad
  • Copy the contents on the certificate
  • On the ASA run the command crypto ca authenticate LAB_PKI
  • When prompted paste the contents of the CA Trusted Root certificate
  • Type quit at the end
  • Enter yes to import the certificate

EnrolL ASA for Identity Certificate

The ASA will create a CSR, which will need to be signed by the Windows CA and the signed certificate imported.

  • On the ASA run the command crypto ca enroll LAB_PKI
  • When prompted copy the contents of the CSR
  • Complete the Certificate Signing Request
  • On the Window CA open the Web page to sign certificates, click Request a certificate
  • Click advanced certificate request
  • Paste the CSR generated on the ASA in the previous step above
  • Select the Certificate Template Web Server
  • Click Submit
  • Select Base 64 encoded
  • Click Download certificate, save the file to a file for use in the next step
  • On the ASA, run the command crypto ca import LAB_PKI certificate. LAB_PKI equals the name of the trustpoint previously defined.
  • When prompted paste the contents of the saved file (generated in the previous step)
  • Type quit at the end
  • Verify the Identity and Trusted Root Certificates imported successfully by running the command show crypto ca certificates
  • In the screenshot below the first certificate is the Identity Certificate (note the Subject name of the ASA). The second certificate is the Trusted Root certificate (note the subject name = lab=PKI-CA).

Enable the Certificate Trustpoint on the OUTSIDE interface

Enable the Certificate Trustpoint for Remote Access

Define IKEv2 Policy

Cisco


Define IPSec Transform Sets

Define Crypto Map

Reference the previously created IPSec Transform Sets. Enable Crypto Map on OUTSIDE interface

Modify Group Policy to enable IKEv2

Enable AAA and Certificate authentication

For additional security double authentication will be configured to require certificate and username/password. The certificate will be authenticated against the ASA, the UN/PW will be authenticated against the RADIUS server (defined in the previous post).

Enable AAA accounting (if not already enabled)

AAA accounting should be enabled to keep track of the connections.

ISE Configuration

The ISE Authorization Policy as defined in the previous post needs modifying to add a new rule for clients connecting with IPSec. Using this attribute is optional, but can be used to distinguish between different connections types if required.

Cisco Anyconnect Updates

  • Create a new Authorization rule called AnyConnect IPSec VPN
  • Define Conditions: Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name CONTAINS TG-1 AND Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type EQUALS AnyConnect-Client-IPSec-VPN
  • Permissions: VPN_Permit_DACL

Testing & Verification

You will need to create a AnyConnect Profile, download the AnyConnect Profile Editor

  • Open the VPN Profile Editor
  • Navigate to the Server List and click Add
  • Define a display name for the connection e.g ASA IKEv2/IPSec VPN
  • Define the FQDN
  • Define the User Group, this represents the Tunnel-Group on the ASA, in this instance the name is TG-1 (as defined in the previous post)
  • Set the Primary Protocol to IPSec


  • Click Save and ensure the file is saved to the folder location:
    • C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientProfile
  • Restart the Cisco AnyConnect services or reboot
  • Open the Cisco AnyConnect Secure Mobility Client, this should display the new connection


The Windows computer has a User and Computer certificate issued by the same Windows CA that signed the certificate in use on the ASA, and therefore they should mutually trust each other and successfully authenticate.

  • On the ASA run the command debug aaa authentication
  • On the PC connect to the VPN and enter and username/password when prompted. Certificate authentication, if successful should be transparent

Cisco Anyconnect Vpn

From the ASA debugs you can see the certificate authentication was successful

Is world of warcraft for mac. Authentication using Username/Password was also successful. You can see from the debug output aaa authentication was successful, a DACL was downloaded, aaa accounting was successful and the client was successfully assigned an IP address from the local pool.

  • On the ASA run the command show vpn-session detail anyconnect

Cisco Anyconnect Ipsec

You will be able to confirm the Username, Assigned IP address, IKEv2 encryption algorithm used, authentication method, group-policy and tunnel-group etc.