AnyConnect SMC - Pure IKEv2 Connection With ASA as Headend


Mar 23, 2012 11:30 AM
Mar 23rd, 2012


AnyConnect, as you all know, has been a well-known SSL VPN Client (both  for ASA and IOS headends), but not anymore, thanks to IKEv2. Recent  advancements in IKEv2 technology both in ASA and IOS, have made  AnyConnect 'THE' IKEv2 Client. However, the ikev2 version of the AC client was designed to incorporate the existing advanced features of the Anyconnect SSL client, like web deployment or automatic profile updates and so forth. Because of this, the ikev2 tunnel isn't a pure IPSEC tunnel, instead it requires SSL to enable all these features, otherwise known as "client services".  In this document we will see how to configure an ASA and an AnyConnect client, which eliminates the requirement for client services and ssl completely.

AnyConnect IKEv2 with ASA as headend

1. Requirements

  • ASA 5500 running 8.4.1 or above
  • AnyConnect License on ASA - Either AnyConnect Essentials or AnyConnect Premium Peers (Default: 2 AnyConnect Premium Peers)
  • AnyConnect 3.x

Configuration Steps

For Reference:

Connecting AnyConnect with ASA as Headend and SSL as the primary protocol


3. Overview

Step 1: Get a certificate (I am using Self-Signed-Certificate) or Get a third party certificate

Step 2: Load AnyConnect SMC Package on the ASA:

Step 3: Enable WebVPN on an interface and Allow AnyConnect

Step 4: Create a Group-Policy

Step 5: Configure the Connection Profile aka Tunnel-Group

Step 6: AnyConnect XML Profile Configuration:

Step 7: Add IKEv2 policies and Enable it on the desired Interface:

Step 8: Add IPSec Config and Enable it on the desired Interface:

Step 9: Users (In my case: Local Database)

Step 10: Configure AnyCOnnect Profile

Let us start with configuring the ASA from scratch. I will focus on CLI only:


5. Configuration

! RSA Keys

crypto key generate rsa general-keys label ASA-SSC modulus 1024

! Self-Signed Certificate trustpoint

crypto ca trustpoint ASA-SSC
     enrollment self
     keypair ASA-SSC
     crl configure

crypto ca enroll ASA-SSC noconfirm

ssl trust-point ASA-SSC

! show crypto key mypubkey rsa
! show crypto ca trustpoint
! show crypto ca certificate
! show run all ssl

copy ftp://praveen:******@ flash

! Global Webvpn Config

     enable outside
     anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable

! about the profile, check the "Profile" Section below.

! Split-Tunnel Access-list

access-list split standard permit host

! Group-Policy

group-policy IKEV2 internal
group-policy IKEV2 attributes
     wins-server none
     dns-server value
     vpn-tunnel-protocol ikev2
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value

! VPN Client Pool

ip local pool VPN_POOL mask

! show run tunnel-group AnyConnect

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

     address-pool VPN_POOL

     default-group-policy IKEV2

tunnel-group AnyConnect webvpn-attributes

     group-alias AnyConnect enable

     group-url enable

! Make sure the group-url is: https://<fqdn/ip-address>/<Tunnel-Group-Name> and

! make sure it is consistent with the way the Server-Entry in the profile is defined (as below)

! show run crypto ikev2

crypto ikev2 policy 10

     encryption aes-192

     integrity sha

     group 2

     prf sha

     lifetime seconds 86400

crypto ikev2 policy 20
     encryption aee
     integrity sh
     group 2
     prf sha
     lifetime seconds 86400

crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASA-SSC

!  Note: Due to the Bug: CSCty43072, if you are using one of the affected HostScan Images:
! use the same Trustpoint for IKEv2 and SSL as i have done  above
! Bug Link :

! show run crypto dynamic-map

crypto dynamic-map DynMap 1000 set pfs group1
crypto dynamic-map DynMap 1000 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

! show run crypto map

crypto map outside_map 1000 ipsec-isakmp dynamic DynMap
crypto map outside_map interface outside

! show run username

username pshanubh password ******
username pshanubh attributes
     vpn-group-policy IKEV2

6. Profile

! Refer to the attached profile (anyconnect.xml) for template. It is reusable after editing the HostName,HostAddress and UserGroup

! Load the attached xml to:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

(Or %PROGRAMDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile)










! Here the UserGroup must be identical to the tunnel-group with which this profile is attached.

Important Note: Notice how the Profile is loaded only on the client machines, and not on the ASA. Refer to the upcoming Client-Services and Profile update section in this artical.

For More info:


Now  that the profile (attached to this doc) exists on the PC, which dictates the client to  initiate an IPSec Session and the only way the AnyConnect client knows  how to perform IP-Security is using IKEv2, you will see the following on  the ASA:

Notice how it says IKEv2 IPSecOverNatT:

#  sh vpn-sess anyconnect

Session Type: AnyConnect

Username     : pshanubh               Index        : 9499

Assigned IP  :                Public IP    :

Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent

License      : AnyConnect Premium

Encryption   : AES256                 Hashing      : none SHA1

Bytes Tx     : 0                      Bytes Rx     : 1325

Group Policy : IKEV2                  Tunnel Group : AnyConnect

Login Time   : 07:20:33 UTC Fri Mar 23 2012

Duration     : 0h:00m:03s

Inactivity   : 0h:00m:00s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

If you want to see more detailed output,

show vpn-sessiondb detail anyconnect

and the IKEv2 Security Association:

# show crypto ikev2 sa

IKEv2 SAs:

Session-id:14, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role

994834887      READY    RESPONDER

      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: RSA, Auth verify: EAP

      Life/Active Time: 86400/65 sec 

Child sa: local selector -

          remote selector -

          ESP spi in/out: 0x7f8cf6fb/0x4b1ce95b


If you want to see more detailed output,

show crypto ikev2 sa detail
Average Rating: 5 (1 ratings)


kalebaks86 Tue, 02/19/2013 - 10:21


Can someone confirm whether this it is mandatory to import the client profile to the local machine or not? I've been through the Cisco Press VPN book and it doesn't mention this step as being neccesary. However it wasn't working until i did this :S.

Would be grateful for any information on this.



Login or Register to take actions

This Document

Posted March 23, 2012 at 11:30 AM
Comments:2 Avg. Rating:5
Views:4383 Contributors:2
Categories: AnyConnect, ASA

Related Content

Documents Leaderboard

Rank Username Points
1 65
2 56
3 55
4 30
5 24
Rank Username Points