Cisco ASA: Setting up anyconnect vpn with SSL and IPsec

Introduction
This post demonstrates how to set up anyconnect vpn for your mobile devices. In this post I am using an Android mobile phone with the anyconnect ICS+ app installed. The Cisco ASA runs software version 9.1(4) and ASDM version 7.1, with the anyconnect essentials license and the anyconnect for mobile license.

This demonstration will configure IPsec and SSL remote access VPN, using AAA and Certificate authentication respectively.

Users' traffic to the internal network is tunnelled through the VPN; all other traffic goes directly to the internet.


Services to be enabled for anyconnect vpn
1. Enable anyconnect on the outside interface of the Cisco ASA.
2. Enable crypto ikev2 for IKEv2 phase 1 on the outside interface. (crypto ikev2 enable outside client-services port 443)
3. Enable crypto map for IKEv2 phase 2 on the outside interface. (crypto map RA_VPN_MAP interface outside)
4. Enable trustpoint of the identity certificate on the outside interface.

Create anyconnect profile
The anyconnect profile is in xml format; you can create a simple one using notepad. However, you can create a complete one using the ASDM anyconnect profile editor. For my case I used the ASDM anyconnect profile editor.

ASDM anyconnect profile editor navigation flow

You can start your anyconnect profile by listing the servers you intend to make available. After you click Apply, the command anyconnect profiles YOUR_PROFILE disk0:/YOUR_PROFILE.xml is added for you in the webvpn section.

Enable anyconnect on the outside interface

conf t
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-linux-3.1.05187-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05187-k9.pkg 3
 anyconnect profiles RA_VPN disk0:/ra_vpn.xml
 anyconnect enable
 tunnel-group-list enable

Only some of these commands are required (they were highlighted in the original post). In particular, you do not need the anyconnect images to be installed on the Cisco ASA for your mobile device to connect to the VPN using anyconnect ICS+.

Create IKEv2 phase 1 proposal
IKEv2 phase 1 requires negotiation between server and client to set up the phase 1 encrypted channel; the policies below propose the encryption algorithm, integrity algorithm and DH group. Phase 1 is also where the peers authenticate each other.

crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha256 sha md5
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 65000
 encryption aes-256 aes-192 aes 3des des
 integrity sha512 sha384 sha256 sha md5
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 65001
 encryption aes 3des des
 integrity sha md5
 group 5 2 1
 prf sha
 lifetime seconds 86400

Enable crypto ikev2 on the outside interface
This is required so that an inbound initiator can start phase 1 with the Cisco ASA.

crypto ikev2 enable outside client-services port 443

Enable CA trustpoint
For this setup I have configured the Cisco ASA as a local certificate authority; it issued itself a self-signed identity certificate as well as the certificates used for client authentication. The trustpoint must point to the identity certificate.

!RA_VPN_TP is the name of my CA trustpoint
crypto ikev2 remote-access trustpoint RA_VPN_TP
ssl trust-point RA_VPN_TP outside

Proposal for IKEv2 phase 2
Phase 2 is negotiated and set up inside the phase 1 channel. Below is the list of proposals offered for phase 2 negotiation with inbound peers.

crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des des
 protocol esp integrity sha-1 md5
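The phase 1 policies above and the phase 2 proposals just listed still offer des, 3des, md5 and the small DH groups to any client that asks for them, so every one of those algorithms remains negotiable. The following is an added Python example, not code from the original post: it parses the crypto ikev2 policy and crypto ipsec ikev2 ipsec-proposal blocks out of a running-config and reports which entries a conservative policy would flag. The WEAK_* sets and the function names are this example's own assumptions, and the config text is copied from the post as constructed input.

```python
"""Audit IKEv2 phase 1 policies and IKEv2 IPsec (phase 2) proposals in an
ASA running-config for weak algorithms.

Added example, not part of the original post. The weak-algorithm sets and
the functions are assumptions made for this example, not an ASA feature.
"""

# Algorithms flagged under this example's conservative policy (assumption).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha"}      # "sha" on the ASA means SHA-1
WEAK_DH_GROUPS = {"1", "2", "5"}     # 768-, 1024- and 1536-bit MODP groups

# Constructed sample: phase 1 policies and phase 2 proposals from the post.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha256 sha md5
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 65001
 encryption aes 3des des
 integrity sha md5
 group 5 2 1
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des des
 protocol esp integrity sha-1 md5
"""


def parse_blocks(config):
    """Return {block header: [attribute lines]} for every top-level block.

    ASA config nests attributes under a header by indenting them one space;
    comment lines ('!') and blank lines are ignored.
    """
    blocks = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks


def weak_algorithms(attrs, is_phase2):
    """Return [(kind, algorithm), ...] for weak entries in one block."""
    findings = []
    for attr in attrs:
        words = attr.split()
        if is_phase2 and words[:3] == ["protocol", "esp", "encryption"]:
            kind, algs = "encryption", words[3:]
        elif is_phase2 and words[:3] == ["protocol", "esp", "integrity"]:
            kind, algs = "integrity", words[3:]
        elif not is_phase2 and words[0] in ("encryption", "integrity", "group"):
            kind, algs = words[0], words[1:]
        else:
            continue  # prf, lifetime and anything else are not audited here
        bad = {"encryption": WEAK_ENCRYPTION,
               "integrity": WEAK_INTEGRITY,
               "group": WEAK_DH_GROUPS}[kind]
        # phase 2 spells SHA-1 as "sha-1", phase 1 as "sha": compare the same token
        findings += [(kind, a) for a in algs if a.replace("sha-1", "sha") in bad]
    return findings


def audit(config):
    """Return {block header: findings} for every policy/proposal with weak entries."""
    report = {}
    for header, attrs in parse_blocks(config).items():
        if header.startswith("crypto ikev2 policy"):
            found = weak_algorithms(attrs, is_phase2=False)
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal"):
            found = weak_algorithms(attrs, is_phase2=True)
        else:
            continue
        if found:
            report[header] = found
    return report


if __name__ == "__main__":
    for header, findings in audit(SAMPLE_CONFIG).items():
        print(header)
        for kind, alg in findings:
            print(f"  weak {kind}: {alg}")
```

Feed it the output of show running-config saved to a file; the report stays non-empty until the flagged entries are removed from every policy and proposal, because the ASA will use any algorithm it has been configured to offer.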

Create crypto dynamic-map
The crypto dynamic-map attaches the phase 2 proposal; the dynamic map is in turn attached to the crypto map, and the crypto map is enabled on the outside interface.

!Attach phase 2 proposal to the dynamic map.
!RA_VPN is the name of the dynamic map.
crypto dynamic-map RA_VPN 1 set ikev2 ipsec-proposal AES 3DES

!Whenever a vpn peer has successfully connected, 
!a static route to the connected peer is injected 
!as long as the peer stays connected.
crypto dynamic-map RA_VPN 1 set reverse-route

!Attach the dynamic map onto crypto map
crypto map RA_VPN_MAP 1 ipsec-isakmp dynamic RA_VPN

!Enable crypto map on the outside interface.
crypto map RA_VPN_MAP interface outside

IP address pool for VPN users

ip local pool RA_VPN 192.168.10.33-192.168.10.62 mask 255.255.255.224

Split tunnel ACL
In the group policy the default split-tunnel policy is to tunnel all traffic into the VPN. However, I can choose to exclude traffic from the VPN, or specify the traffic I want sent through the VPN; the interesting traffic is defined in an ACL.

In this setup, if a VPN user sends data destined to a subnet or host specified in the split-tunnel ACL, the data is sent through the VPN; otherwise it is sent through the public internet.

access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.224
access-list SPLIT_TUNNEL standard permit 192.168.30.0 255.255.255.240
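To make the tunnelspecified behaviour concrete, here is an added Python example (not code from the original post). It parses the standard ACL above and the ip local pool from the post, decides for a few constructed destination addresses whether the client would tunnel them or send them directly, and checks that the address pool does not overlap a tunnelled network, since a pool that overlaps an internal subnet causes routing ambiguity on the inside network. The function names are this example's own, and it also accepts the host and any forms of a standard ACL entry, which the post does not use.

```python
"""Model the ASA split-tunnel decision and check the VPN pool against it.

Added example, not part of the original post. The ACL and pool text are
copied from the post as constructed input; the functions are this example's
own, not ASA commands.
"""
import ipaddress

# Constructed input: the split-tunnel ACL and ip local pool from the post.
SPLIT_TUNNEL_ACL = """\
access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.224
access-list SPLIT_TUNNEL standard permit 192.168.30.0 255.255.255.240
"""
IP_LOCAL_POOL = "ip local pool RA_VPN 192.168.10.33-192.168.10.62 mask 255.255.255.224"


def parse_standard_acl(text, name):
    """Return the networks permitted by a standard ACL.

    Handles the 'network netmask', 'host a.b.c.d' and 'any' entry forms.
    """
    nets = []
    for line in text.splitlines():
        w = line.split()
        if w[:4] != ["access-list", name, "standard", "permit"]:
            continue
        if w[4] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif w[4] == "host":
            nets.append(ipaddress.ip_network(f"{w[5]}/32"))
        else:
            # ASA standard ACLs use a real netmask, not a wildcard mask
            nets.append(ipaddress.ip_network(f"{w[4]}/{w[5]}", strict=False))
    return nets


def parse_local_pool(line):
    """Return (first, last) addresses of an 'ip local pool' command."""
    words = line.split()
    start, end = words[4].split("-")
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def route_for(dst, tunnel_nets):
    """'tunnel' if dst matches the split-include list (tunnelspecified), else 'direct'."""
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in n for n in tunnel_nets) else "direct"


def pool_overlaps(pool, tunnel_nets):
    """True if any pool address is also covered by a tunnelled network."""
    first, last = pool
    return any(n.network_address <= last and n.broadcast_address >= first
               for n in tunnel_nets)


if __name__ == "__main__":
    nets = parse_standard_acl(SPLIT_TUNNEL_ACL, "SPLIT_TUNNEL")
    # constructed destinations: an inside host, a host just outside the /28, a public IP
    for dst in ("192.168.30.2", "192.168.30.20", "8.8.8.8"):
        print(f"{dst:16} -> {route_for(dst, nets)}")
    print("pool overlaps tunnelled network:",
          pool_overlaps(parse_local_pool(IP_LOCAL_POOL), nets))
```

Note that 192.168.30.20 goes direct even though it sits in the 192.168.30.0/24 range: the ACL only covers 192.168.30.0/28, so the mask in the ACL entry, not the class of the address, decides what is tunnelled.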

Group policy
The Cisco ASA has a system-generated default group policy; if no group policy is specified in your tunnel-group, the default is used. The default group policy, however, does not include ikev2, and anyconnect requires ikev2. For this setup I have created my own group policies for both the IPsec and the SSL VPN.

!Cisco ASA default group policy. This policy only defines protocol used.
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

The group policy for SSL VPN.

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 wins-server none
 dns-server value 192.168.30.2
 !protocol required for ssl vpn
 vpn-tunnel-protocol ssl-client ssl-clientless

 !Traffic destined to the network specified in the ACL will be through VPN.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 default-domain none
 
 !VPN IP address pool
 address-pools value RA_VPN
 webvpn
  !Anyconnect profile created by ASDM anyconnect profile editor.
  anyconnect profiles value RA_VPN type user

The group policy for IPsec VPN.

group-policy RA_IPSEC_POLICY internal
group-policy RA_IPSEC_POLICY attributes
 dns-server value 192.168.30.2
 
 !anyconnect ipsec only requires ikev2; you do not need to follow this list exactly.
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

 !Data destined to the address in ACL will be sent via VPN.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 default-domain value yourdomain.net
 !VPN IP address pool
 address-pools value RA_VPN
 webvpn
  anyconnect profiles value RA_VPN type user

Configure AD as authentication server
In this setup AD is used as the authentication server for IPsec VPN.

!Define the aaa-server protocol first; in this setup it is ldap.
aaa-server LDAP protocol ldap

!Define the ip address of AD.
aaa-server LDAP (inside) host 192.168.30.2

 !Define the domain name, in this setup the AD domain is testlab.local.
 ldap-base-dn dc=testlab,dc=local

 !Search the entire subtree below the base DN (the whole domain in this setup).
 ldap-scope subtree

 !sAMAccountName is the default attribute for Microsoft Active Directory.
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****

 !Define the AD user account, in this setup I used the administrator user.
 !If you are unsure the attribute of your user, in your MS AD server issue 
 !this command: dsquery user -samid Administrator
 ldap-login-dn CN=Administrator,CN=Users,DC=testlab,DC=local
 server-type microsoft

Tunnel group
The group policy is attached to the tunnel group; if no group policy is defined, the default group policy is used.

Tunnel group for ssl vpn.

tunnel-group RA_VPN_TUN type remote-access
tunnel-group RA_VPN_TUN general-attributes
 address-pool RA_VPN

 !Define the group policy, if none is defined the default group policy is used.
 default-group-policy RA_POLICY
tunnel-group RA_VPN_TUN webvpn-attributes
 
 !Use a certificate to authenticate; in ASDM this certificate is installed under CA Certificates.
 authentication certificate
 
 !VPN server address, and the user group, in this setup RA1 is the user group.
 group-url https://domain.yourdomain.net/RA1 enable

Tunnel group for ipsec vpn.

tunnel-group RA_IPSEC type remote-access
tunnel-group RA_IPSEC general-attributes
 
 !VPN ip address pool
 address-pool RA_VPN
 
 !AD is the authentication server in this setup.
 authentication-server-group LDAP
 default-group-policy RA_IPSEC_POLICY
tunnel-group RA_IPSEC webvpn-attributes
 !If authentication method is not defined, authentication aaa is used, 
 !show run will not show "authentication aaa"
 authentication aaa

 !group-alias that will appear in the anyconnect client once connected.
 group-alias RA_IPSEC enable
 group-url https://domain.yourdomain.net enable

Result
This is the result after you have enabled the group-alias in the tunnel-group.
[Screenshot: anyconnect client group selection]

The anyconnect client downloads the anyconnect profile and updates the server list in the client. If your anyconnect client cannot see the updated server list, check your anyconnect profile, or check whether the group-policy has been assigned the correct anyconnect profile.
[Screenshot: anyconnect client server list]

IPsec
Tunneling Mode shows "Split Include", which means traffic destined for the subnets in the ACL is sent through the VPN.
[Screenshot: IPsec connection details showing tunneling mode Split Include]

Protocol and cipher used for the IPsec VPN. Secured routes show the subnet defined in the split tunnel ACL.
[Screenshot: IPsec protocol, cipher and secured routes]

SSL vpn
Although it is known as SSL vpn, the protocol supported is TLSv1.
[Screenshot: SSL VPN connection details showing TLSv1]

This entry was posted in ASA/PIX, Firewall.

2 Responses to Cisco ASA: Setting up anyconnect vpn with SSL and IPsec

  1. jtxmisc says:

    Interesting article, Afra

  2. Anthony Franklin says:

    Awesome article. Resolved my issue.
