cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1919
Views
0
Helpful
4
Replies

Annyconnect 3.0.5 - VPN access

Jim Main
Level 1
Level 1

Hi there ... I've ASA 5520 with 8.4(3) running

I want to set up VPN remote access using following document (https://supportforums.cisco.com/docs/DOC-18960)

I managed to get a connection running, but when I check the connection on the ASA, it shows as a SSL-tunnel, not an IKEv2 tunnel

How can I assure I have an IKEv2 tunnel instead of a SSL tunnel ?

Can I do with annyconnect same kind of connections I used to do with the Cisco VPN client for IPSEC?

Thanks

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

If your new group policy specifies ONLY IKEv2 and is your client AnyConnect 3.0, you should get an IKEv2 connection. You can check it in the client - click "Advanced" link and choose Statistics in the resultant window. (In ASDM, "Monitoring, VPN Sessions, Statistics" will show an active session under Anyconnect Client IKEv2 IPSec as well.)

If you verified the settings but are still not getting an IKEv2 connection, please post the configuration.

I'm not sure what you're asking about the old Cisco VPN Client for IPSec. It doesn't support IKEv2.

I'm not sure about my client only trying Ikev2 though ... in a nutshell, new config is below. (I'm not adding parts that are shared with other profiles as ip_pools, as those are not relevant for the case)

Thanks for the help

____________________________________________________

crypto ikev2 policy 10
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2


crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5


crypto dynamic-map External_dyn_map 1 set ikev2 ipsec-proposal AES256 3DES
crypto dynamic-map External_dyn_map 1 set security-association lifetime seconds 28800
crypto dynamic-map External_dyn_map 1 set security-association lifetime kilobytes 4608000
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map

group-policy GroupPolicy_TestIKEv2 internal
group-policy GroupPolicy_TestIKEv2 attributes
wins-server none
dns-server value 192.168.208.29 192.168.208.32
vpn-tunnel-protocol ikev2
webvpn
  anyconnect profiles value TestIKEv2 type user


tunnel-group TestIKEv2 general-attributes
address-pool SSLVPNCLIENTPOOL
authorization-server-group LOCAL
default-group-policy GroupPolicy_TestIKEv2
tunnel-group TestIKEv2 webvpn-attributes
group-alias IKEv2Test enable

Hmm. It looks pretty straightforward. Can you confirm that the file used for client profile (TestIKEv2.xml) is present on disk0?

Can you give more details of the steps you are using to log on to the Remote Access VPN? After you log on, what does:

     show vpn-sessiondb any filter proto ikev2

yield?

Sure, here are some more notes

- I have Annyconnect 3.0.5 installed on my PC, which I installed as standalone (not distributed from ASA)

- I open it up and connect to the ASA using a URL

- Different profiles show up. I chose the one I'm using for testing IKEv2

- enter username and password, and it connects

When I check on ASA, there's no vpn connected using IKEv2. The connection I just made, shows on the monitoring tab as being a SSL connection

Yes, I do have the profile on the flash of the device

Now, some weird things.

a) the profile is never transferred to my local machine. I don't find any .xml on the "Cisco AnyConnect VPN Client"

b) the strangest thing is that on ASDM, when I create or edit the Annyconnect client profile, it doesn't look same as the standalone profile editor I installed on my PC from the Annyconnect 3.0.5 installatin ISO.  On the one I have on my PC, I can define I want to use IPSEC on the list of servers, while on the ASDM I don't have that option. It's quite different

I tried to upload the profile I created locally to the ASA, but after it, it says there's an error as it doesn't recognize the XML tags for host entry   

 

   Test IKEv2

   xxxx.xxxx.xxxx

   IPsec

 


 

I am lost and planning to start all over on a fresh ASA, but I can't believe that would help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: