The iPad native VPN client supports IKEv2. I have searched many documents on the internet and most of them are examples for site-to-site; there is very little useful documentation about remote access VPN with IPsec using IKEv2, perhaps because remote access SSL VPN is more convenient and popular.
So here is the sample config. The config uses certificates to authenticate the phase 1 and phase 2 tunnels; EAP is not used in this configuration. Also, on the iPad the local ID is left blank, hence the ASA needs to disable the peer-ID check.
If during connection the ASA syslog says something like "EAP message is null", then you need to turn on debugging to find out what is wrong. The iPad native VPN client does support EAP, and EAP is the default.
In the iPad native VPN client, the remote ID is the FQDN of the ASA VPN server you want to connect to. The FQDN is based on the certificate that is enabled on the ASA VPN server.
You need to use the default tunnel group provided by Cisco, because the native VPN client does not send group information.
In this example configuration there is a site-to-site VPN within the crypto map; this is to give you an insight into which sequence number you should use for the IPsec remote-access entry. Site-to-site and remote access can both co-exist in the same crypto map.
A few debug commands that are useful:

  debug crypto ikev2 protocol 127
  debug crypto ikev2 platform 127
  debug crypto connection peer 184.108.40.206

where 220.127.116.11 is your peer's IP address.
ip local pool private_pool 192.168.249.1-192.168.249.254 mask 255.255.255.0
group-policy IPSEC internal
group-policy IPSEC attributes
 dns-server value 18.104.22.168 22.214.171.124
 vpn-tunnel-protocol ikev2
 ip-comp enable
 pfs enable
 split-tunnel-policy tunnelall
 default-domain value xyz.local
 split-tunnel-all-dns enable
 gateway-fqdn value test.xyz.local
 address-pools value private_pool
tunnel-group DefaultRAGroup general-attributes
 address-pool private_pool
 default-group-policy IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASDM_TrustPoint1
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-512 sha-256 sha-1
crypto ikev2 policy 1
 encryption aes-256 aes-192 aes
 integrity sha512 sha256 sha
 group 14 5
 prf sha512 sha256 sha
 lifetime seconds 86400
crypto dynamic-map IPSEC_VPN 1 set pfs group14
crypto dynamic-map IPSEC_VPN 1 set ikev2 ipsec-proposal AES256
crypto dynamic-map IPSEC_VPN 1 set reverse-route
crypto map outside_map 5 match address XYZ_VPN1
crypto map outside_map 5 set pfs group14
crypto map outside_map 5 set peer 126.96.36.199
crypto map outside_map 5 set ikev2 ipsec-proposal IKEV2-AES
crypto map outside_map 5 set nat-t-disable
crypto map outside_map 5 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic IPSEC_VPN
crypto map outside_map interface outside
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
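As an added example (not from the original post or from Cisco), the following Python script checks the points made above against the config text: the native client lands in DefaultRAGroup, so that group must carry the certificate authentication and peer-id-validate nocheck; the dynamic crypto-map entry must have a higher sequence number than every static site-to-site entry in the same map; and IKEv2 must be enabled on the interface with a remote-access trustpoint. The parser assumes the ASA convention of one leading space for sub-commands, and the embedded sample is a constructed subset of the configuration above (pool and group-policy lines omitted because the checks do not use them).

```python
"""Sanity-check an ASA IKEv2 remote-access config for the iPad native client."""
import re

# Constructed sample: the tunnel-group, crypto-map and ikev2 lines from the
# configuration above, with the obfuscated addresses left as they appear.
SAMPLE_CONFIG = """\
tunnel-group DefaultRAGroup general-attributes
 address-pool private_pool
 default-group-policy IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASDM_TrustPoint1
crypto dynamic-map IPSEC_VPN 1 set pfs group14
crypto dynamic-map IPSEC_VPN 1 set ikev2 ipsec-proposal AES256
crypto dynamic-map IPSEC_VPN 1 set reverse-route
crypto map outside_map 5 match address XYZ_VPN1
crypto map outside_map 5 set pfs group14
crypto map outside_map 5 set peer 126.96.36.199
crypto map outside_map 5 set ikev2 ipsec-proposal IKEV2-AES
crypto map outside_map 5 set nat-t-disable
crypto map outside_map 5 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic IPSEC_VPN
crypto map outside_map interface outside
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
"""


def parse_sections(config):
    """Split config into (command, [sub-commands]) tuples.

    ASA indents sub-commands with a leading space under the command that
    opened the mode; an unindented line starts a new section.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def find_section(sections, prefix):
    """Return the sub-commands of the first section whose command starts with prefix."""
    for cmd, subs in sections:
        if cmd.startswith(prefix):
            return subs
    return None


def crypto_map_sequences(sections, map_name):
    """Map each sequence number of one crypto map to 'static' or 'dynamic'."""
    seqs = {}
    pat = re.compile(rf"^crypto map {re.escape(map_name)} (\d+) (.*)$")
    for cmd, _ in sections:
        m = pat.match(cmd)
        if not m:
            continue
        seq, rest = int(m.group(1)), m.group(2)
        if rest.startswith("ipsec-isakmp dynamic "):
            seqs[seq] = "dynamic"
        else:
            seqs.setdefault(seq, "static")
    return seqs


def check_remote_access(config, map_name="outside_map", interface="outside"):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    findings = []

    # The native client sends no group name, so DefaultRAGroup is the one that matters.
    attrs = find_section(sections, "tunnel-group DefaultRAGroup ipsec-attributes")
    if attrs is None:
        findings.append("DefaultRAGroup has no ipsec-attributes section")
    else:
        if "peer-id-validate nocheck" not in attrs:
            findings.append("peer-id-validate nocheck missing: the client sends a blank local ID")
        if "ikev2 remote-authentication certificate" not in attrs:
            findings.append("ikev2 remote-authentication certificate missing: ASA would expect EAP")
        if not any(s.startswith("ikev2 local-authentication certificate ") for s in attrs):
            findings.append("ikev2 local-authentication certificate <trustpoint> missing")

    # Crypto-map entries are evaluated in sequence order; the catch-all dynamic
    # entry must come after every static site-to-site entry.
    seqs = crypto_map_sequences(sections, map_name)
    dynamic = [s for s, kind in seqs.items() if kind == "dynamic"]
    static = [s for s, kind in seqs.items() if kind == "static"]
    if not dynamic:
        findings.append(f"crypto map {map_name} has no dynamic entry for remote access")
    elif static and max(static) > min(dynamic):
        findings.append(f"dynamic entry {min(dynamic)} precedes static entry {max(static)}: "
                        "give the dynamic entry the highest sequence number")

    cmds = [cmd for cmd, _ in sections]
    if f"crypto ikev2 enable {interface}" not in cmds:
        findings.append(f"IKEv2 is not enabled on {interface}")
    if not any(c.startswith("crypto ikev2 remote-access trustpoint ") for c in cmds):
        findings.append("crypto ikev2 remote-access trustpoint missing: the client matches the gateway certificate against its remote ID")
    return findings


if __name__ == "__main__":
    for line in check_remote_access(SAMPLE_CONFIG) or ["all checks passed"]:
        print(line)
```

Run it against a `show running-config` capture by reading the file into `check_remote_access`; a non-empty list points at the section to fix before turning on the ikev2 debugs.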