This post demonstrates how to set up AnyConnect VPN for your mobile devices. In this post I am using an Android mobile phone with the AnyConnect ICS+ client, against Cisco ASA software version 9.1(4) and ASDM version 7.1, with an AnyConnect Essentials license and an AnyConnect for Mobile license.
This demonstration configures both IPsec and SSL remote access VPN, using AAA and certificate authentication respectively.
Users' traffic to the internal network is tunnelled through the VPN; all other traffic goes directly to the internet (split tunnelling).
Services to be enabled for anyconnect vpn
1. Enable anyconnect on the outside interface of the Cisco ASA.
2. Enable crypto ikev2 for IKEv2 phase 1 on the outside interface (crypto ikev2 enable outside client-services port 443).
3. Enable crypto map for IKEv2 phase 2 on the outside interface (crypto map RA_VPN_MAP interface outside).
4. Enable the trustpoint of the identity certificate on the outside interface.
Create anyconnect profile
The AnyConnect profile is in XML format; you can create a simple one using Notepad, or a complete one using the ASDM AnyConnect profile editor. For my case I used the ASDM AnyConnect profile editor.
You can start your AnyConnect profile by listing the servers you intend to make available (the server list). After you click Apply, the command
anyconnect profiles YOUR_PROFILE disk0:/YOUR_PROFILE.xml
is added for you in the webvpn section.
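The profile editor output is plain XML, so it can also be generated and checked outside ASDM. The following Python is an added example (not the post's own profile and not a Cisco tool): it builds a profile with a ServerList and parses it back. The element names (AnyConnectProfile, ServerList, HostEntry, HostName, HostAddress, UserGroup, PrimaryProtocol) and the schema namespace are taken from the AnyConnect profile schema as I know it; verify them against a profile exported from your own ASDM profile editor. The host name and user groups used as input are constructed to match the group-url and tunnel groups later in this post.

```python
"""Build and parse a minimal AnyConnect client profile.

Added example, not the post's own profile. Element names and the namespace
are assumed from the AnyConnect profile schema; confirm against an ASDM export.
"""
import xml.etree.ElementTree as ET

# Assumed schema namespace used by the ASDM profile editor output.
NS = "http://schemas.xml.cisco.com/cisco/anyconnect/profile"


def _q(tag):
    """Qualify a tag with the profile namespace."""
    return f"{{{NS}}}{tag}"


def build_profile(servers):
    """servers: iterable of (display_name, host_address, user_group, protocol).

    protocol is "SSL" or "IPsec" (PrimaryProtocol). user_group may be None,
    in which case no <UserGroup> element is written.
    Returns the profile XML as a string with one <HostEntry> per server.
    """
    ET.register_namespace("", NS)          # emit xmlns="..." as the default namespace
    root = ET.Element(_q("AnyConnectProfile"))
    server_list = ET.SubElement(root, _q("ServerList"))
    for name, addr, group, proto in servers:
        entry = ET.SubElement(server_list, _q("HostEntry"))
        ET.SubElement(entry, _q("HostName")).text = name
        ET.SubElement(entry, _q("HostAddress")).text = addr
        if group:
            ET.SubElement(entry, _q("UserGroup")).text = group
        ET.SubElement(entry, _q("PrimaryProtocol")).text = proto
    return ET.tostring(root, encoding="unicode")


def _child_text(entry, tag):
    node = entry.find(_q(tag))
    return node.text if node is not None else None


def parse_server_list(xml_text):
    """Return the HostEntry elements of a profile as a list of dicts.

    This is what you would run over disk0:/YOUR_PROFILE.xml to confirm the
    server list the client will display after it downloads the profile.
    """
    root = ET.fromstring(xml_text)
    return [
        {
            "name": _child_text(entry, "HostName"),
            "address": _child_text(entry, "HostAddress"),
            "group": _child_text(entry, "UserGroup"),
            "protocol": _child_text(entry, "PrimaryProtocol"),
        }
        for entry in root.iter(_q("HostEntry"))
    ]


if __name__ == "__main__":
    # Constructed input: host name and groups mirror the tunnel groups in this post.
    sample = [
        ("Office SSL", "domain.yourdomain.net", "RA1", "SSL"),
        ("Office IPsec", "domain.yourdomain.net", "RA_IPSEC", "IPsec"),
    ]
    profile_xml = build_profile(sample)
    print(profile_xml)
    for server in parse_server_list(profile_xml):
        print(server)
```

If the client shows a stale or empty server list, parsing the XML the ASA actually serves with parse_server_list tells you immediately whether the problem is the profile content or the group-policy that assigns it.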
Enable anyconnect on the outside interface
conf t
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-linux-3.1.05187-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05187-k9.pkg 3
 anyconnect profiles RA_VPN disk0:/ra_vpn.xml
 anyconnect enable
 tunnel-group-list enable
Only some of these commands are required. In particular, you do not need the AnyConnect image packages installed on the Cisco ASA for your mobile device to connect to the VPN using AnyConnect ICS+.
Create IKEv2 phase 1 proposal
IKEv2 phase 1 is negotiated between server and client to set up the phase 1 encrypted channel; the policies below propose the encryption, integrity and DH group options. Phase 1 is where the peers authenticate each other.
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha256 sha md5
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 65000
 encryption aes-256 aes-192 aes 3des des
 integrity sha512 sha384 sha256 sha md5
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 65001
 encryption aes 3des des
 integrity sha md5
 group 5 2 1
 prf sha
 lifetime seconds 86400
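Every algorithm listed in a policy is one the ASA will accept if the client proposes it, so a policy that lists md5 or des next to aes-256 still allows an md5 or des session. The following Python is an added example (my own audit script, not a Cisco tool or part of the post): it parses crypto ikev2 policy blocks from a running config and reports the legacy algorithms and small DH groups each policy still offers. The input is the three policies above, embedded as a constructed string; the weak-algorithm sets are my choice (DES/3DES, MD5, and MODP groups 1, 2 and 5, which are below 2048 bits).

```python
"""Audit Cisco ASA 'crypto ikev2 policy' blocks for legacy algorithms.

Added example, not part of the original post. The classification of what
counts as weak is an assumption of this script, not an ASA setting.
"""
import re

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5"}
WEAK_GROUPS = {"1", "2", "5"}   # MODP groups below 2048 bits

POLICY_RE = re.compile(r"^crypto ikev2 policy (\d+)$")

# Constructed input: the three policies shown in the post.
SAMPLE_CONFIG = """
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha256 sha md5
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 65000
 encryption aes-256 aes-192 aes 3des des
 integrity sha512 sha384 sha256 sha md5
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 65001
 encryption aes 3des des
 integrity sha md5
 group 5 2 1
 prf sha
 lifetime seconds 86400
"""


def parse_ikev2_policies(config_text):
    """Return {policy_number: {"encryption": [...], "integrity": [...],
    "group": [...], "prf": [...], "lifetime": int}} from ASA config text.
    Lines outside a policy block and '!' comments are ignored."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if current is None or raw[:1] not in (" ", "\t"):
            current = None          # a non-indented line ends the block
            continue
        keyword, *values = line.split()
        if keyword == "lifetime":   # "lifetime seconds N"
            current["lifetime"] = int(values[-1])
        else:
            current[keyword] = values
    return policies


def audit_policies(policies):
    """Return {policy_number: [finding, ...]}; an empty list means clean."""
    findings = {}
    for number, policy in policies.items():
        issues = []
        issues += [f"weak encryption {a}" for a in policy.get("encryption", [])
                   if a in WEAK_ENCRYPTION]
        issues += [f"weak integrity {a}" for a in policy.get("integrity", [])
                   if a in WEAK_INTEGRITY]
        issues += [f"weak DH group {g}" for g in policy.get("group", [])
                   if g in WEAK_GROUPS]
        findings[number] = issues
    return findings


if __name__ == "__main__":
    for number, issues in audit_policies(parse_ikev2_policies(SAMPLE_CONFIG)).items():
        print(f"policy {number}: " + (", ".join(issues) if issues else "clean"))
```

Run it over the output of show running-config on any ASA; the policy with the lowest number is tried first, so the fix is to drop the legacy options from that policy rather than to add yet another policy after it.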
Enable crypto ikev2 on the outside interface
This is required so that a remote initiator can start IKEv2 phase 1 with the Cisco ASA.
crypto ikev2 enable outside client-services port 443
Enable CA trustpoint
For this setup I have made the Cisco ASA a local certificate authority and issued itself a self-signed identity certificate as well as the certificates used for authentication. The trustpoint has to point to the identity certificate.
!RA_VPN_TP is the name of my CA trustpoint
crypto ikev2 remote-access trustpoint RA_VPN_TP
ssl trust-point RA_VPN_TP outside
Proposal for IKEv2 phase 2
Phase 2 is negotiated and set up under the protection of phase 1. Below is the list of proposals offered to inbound peers during phase 2 negotiation.
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des des
 protocol esp integrity sha-1 md5
Create crypto dynamic-map
The crypto dynamic-map attaches the phase 2 proposals; the dynamic map is in turn attached to the crypto map, and the crypto map is enabled on the outside interface.
!Attach phase 2 proposal to the dynamic map.
!RA_VPN is the name of the dynamic map.
crypto dynamic-map RA_VPN 1 set ikev2 ipsec-proposal AES 3DES
!Whenever a vpn peer has successfully connected,
!a static route to the connected peer is injected
!as long as the peer stays connected.
crypto dynamic-map RA_VPN 1 set reverse-route
!Attach the dynamic map onto crypto map
crypto map RA_VPN_MAP 1 ipsec-isakmp dynamic RA_VPN
!Enable crypto map on the outside interface.
crypto map RA_VPN_MAP interface outside
IP address pool for VPN users
ip local pool RA_VPN 192.168.10.33-192.168.10.62 mask 255.255.255.224
Split tunnel ACL
In the group policy the default split tunnel policy is to tunnel all traffic through the VPN. Alternatively I can exclude specific traffic from the VPN, or specify only the traffic I want sent through the VPN; in both cases the interesting traffic is defined in an ACL.
In this setup, if a VPN user sends data destined to a subnet or host listed in the split tunnel ACL, the data is sent through the VPN; everything else goes through the public internet.
access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.224
access-list SPLIT_TUNNEL standard permit 192.168.30.0 255.255.255.240
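A common surprise with split tunnelling is that the ACL uses a subnet mask, so 255.255.255.224 covers only 192.168.20.0 to 192.168.20.31 and a host at 192.168.20.40 stays on the public internet. The following Python is an added example (not the post's own and not a Cisco tool) that parses standard ACL permit entries from config text and evaluates, for a given destination, whether the ASA would tunnel it under the split-tunnel-policy values the post mentions (tunnelall, tunnelspecified, excludespecified). The input is the SPLIT_TUNNEL ACL above embedded as a constructed string; deny entries are not modelled.

```python
"""Evaluate ASA split-tunnel decisions from a standard ACL.

Added example, not part of the original post. Only 'permit' entries are
modelled; the policy semantics follow the three split-tunnel-policy values
described in the post.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")

# Constructed input: the split tunnel ACL from the post.
SAMPLE_CONFIG = """
access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.224
access-list SPLIT_TUNNEL standard permit 192.168.30.0 255.255.255.240
"""


def parse_standard_acl(config_text, acl_name):
    """Return the permitted networks of a named ASA standard ACL.

    ASA standard ACLs take a subnet mask (not a wildcard mask), which the
    ipaddress module accepts directly in 'network/mask' form.
    """
    networks = []
    for raw in config_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group(1) == acl_name:
            networks.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return networks


def is_tunneled(dest_ip, networks, policy="tunnelspecified"):
    """True if traffic to dest_ip would go through the VPN.

    tunnelall        -> everything is tunnelled, the ACL is irrelevant
    tunnelspecified  -> only destinations inside a permitted network
    excludespecified -> everything except destinations inside a permitted network
    """
    if policy == "tunnelall":
        return True
    addr = ipaddress.ip_address(dest_ip)
    in_list = any(addr in net for net in networks)
    if policy == "tunnelspecified":
        return in_list
    if policy == "excludespecified":
        return not in_list
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


if __name__ == "__main__":
    nets = parse_standard_acl(SAMPLE_CONFIG, "SPLIT_TUNNEL")
    print("permitted networks:", [str(n) for n in nets])
    for dest in ("192.168.20.10", "192.168.20.40", "192.168.30.2", "8.8.8.8"):
        print(f"{dest:>14} -> VPN" if is_tunneled(dest, nets) else f"{dest:>14} -> internet")
```

Checking the DNS server address from the group policy (192.168.30.2 here) against the ACL this way is worth doing before rollout: if it is not inside a tunnelled network, name resolution for the internal domain silently goes out the public interface.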
Cisco ASA has a system-generated default group policy; if no group policy is specified in your tunnel-group, the default is used. The default group policy does not include ikev2, which AnyConnect IPsec requires. For this setup I have created custom group policies for both the IPsec and the SSL VPN.
!Cisco ASA default group policy. This policy only defines protocol used.
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
The group policy for SSL VPN.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 wins-server none
 dns-server value 192.168.30.2
 !protocol required for ssl vpn
 vpn-tunnel-protocol ssl-client ssl-clientless
 !Traffic destined to the network specified in the ACL will be through VPN.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 default-domain none
 !VPN IP address pool
 address-pools value RA_VPN
 webvpn
  !Anyconnect profile created by ASDM anyconnect profile editor.
  anyconnect profiles value RA_VPN type user
The group policy for IPsec VPN.
group-policy RA_IPSEC_POLICY internal
group-policy RA_IPSEC_POLICY attributes
 dns-server value 192.168.30.2
 !anyconnect ipsec only requires ikev2, you do not need to follow this.
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 !Data destined to the address in ACL will be sent via VPN.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 default-domain value yourdomain.net
 !VPN IP address pool
 address-pools value RA_VPN
 webvpn
  anyconnect profiles value RA_VPN type user
Configure AD as authentication server
In this setup Active Directory (AD) is used as the authentication server for the IPsec VPN.
!Define the aaa-server protocol first, in this setup is ldap.
aaa-server LDAP protocol ldap
!Define the ip address of AD.
aaa-server LDAP (inside) host 192.168.30.2
 !Define the domain name, in this setup the AD domain is testlab.local.
 ldap-base-dn dc=testlab,dc=local
 !Active directory listing will be the entire forest.
 ldap-scope subtree
 !sAMAccountName is the default attribute for Microsoft Active Directory.
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 !Define the AD user account, in this setup I used the administrator user.
 !If you are unsure the attribute of your user, in your MS AD server issue
 !this command: dsquery user -samid Administrator
 ldap-login-dn CN=Administrator,CN=Users,DC=testlab,DC=local
 server-type microsoft
The group policy is attached to the tunnel group; if no group policy is defined there, the default group policy is used.
Tunnel group for SSL VPN.
tunnel-group RA_VPN_TUN type remote-access
tunnel-group RA_VPN_TUN general-attributes
 address-pool RA_VPN
 !Define the group policy, if none is defined the default group policy is used.
 default-group-policy RA_POLICY
tunnel-group RA_VPN_TUN webvpn-attributes
 !Use certificate to authenticate, in ASDM this certificate is installed in CA Certificate.
 authentication certificate
 !VPN server address, and the user group, in this setup RA1 is the user group.
 group-url https://domain.yourdomain.net/RA1 enable
Tunnel group for IPsec VPN.
tunnel-group RA_IPSEC type remote-access
tunnel-group RA_IPSEC general-attributes
 !VPN ip address pool
 address-pool RA_VPN
 !AD is the authentication server in this setup.
 authentication-server-group LDAP
 default-group-policy RA_IPSEC_POLICY
tunnel-group RA_IPSEC webvpn-attributes
 !If authentication method is not defined, authentication aaa is used,
 !show run will not show "authentication aaa"
 authentication aaa
 !group-alias that will appear on anyconnect client after connected.
 group-alias RA_IPSEC enable
 group-url https://domain.yourdomain.net enable
The AnyConnect client downloads the AnyConnect profile and updates the server list in the client. If your AnyConnect client does not show the updated server list, check your AnyConnect profile, and check whether the group policy has the correct AnyConnect profile assigned.