Configuring remote access vpn with IKEv1, IKEv2 and SSL in the same time

Posted on March 9, 2011

4



With the following configuration and with sufficient license we should be able to connect to our Cisco ASA firewall with Cisco Anyconnect and with the new Anyconnect Secure Mobility Client (the first Cisco IKEv2 client) and with the old Cisco VPN client with IKEv1, that is natively supported on some Apple devices, like an IPad. What I miss on the ASA, that it does not support IKE over tcp for IKEv2.
This configuration was made with SW version 8.4(1) and the configuration has been a little bit changed.

RA VPN config for IKEv1

For authentication we can configure a lot of methods, like local username with password or RADIUS, LDAP or RSA Secureid or with certificate. I use here certificate authentication without CRL check. This comes later…
IP Address assignment happens not from a local pool, but from a dhcp server on the inside. A centralised IP Address management sometimes can be really helpful, its worth using an external dhcp.

Configuration Topology for VPN with Cisco ASA:

Cisco ASA VPN Configuration Flow

Cisco ASA VPN Configuration Flow

isakmp, for IKE Phase I.

myfirewall/act/pri# sh run cry ikev1
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 2
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400

transform set, for setting the Security Protocols

myfirewall/act/pri# sh run cry ipsec
crypto ipsec ikev1 transform-set MycompanyTransformSet esp-3des esp-sha-hmac

dynamic map, for IKE Phase II.

myfirewall/act/pri# sh run cry dyn
crypto dynamic-map out_dyn_map 10 set ikev1 transform-set MycompanyTransformSet
crypto dynamic-map out_dyn_map 10 set security-association lifetime seconds 288000

crypto map

myfirewall/act/pri# sh run cry map
crypto map out_cry_map 10 ipsec-isakmp dynamic out_dyn_map
crypto map out_cry_map interface outside

trustpoint

myfirewall/act/pri# sh run cry ca trustpoint mytrustpoint
crypto ca trustpoint mytrustpoint
enrollment terminal
fqdn 30.30.30.1
subject-name CN=myfirewall.mycompany.com
serial-number
keypair mycert_key
crl configure

group policy

myfirewall/act/pri# sh run group-policy
group-policy MycompanyVpnPolicy internal
group-policy MycompanyVpnPolicy attributes
wins-server value 1.1.1.1
dns-server value 2.2.2.2
dhcp-network-scope 10.10.10.10
vpn-simultaneous-logins 20
vpn-tunnel-protocol ikev1
default-domain value mycompany.com

tunnel group

myfirewall/act/pri# sh run tunnel-group ikev1tunnelgroup
tunnel-group ikev1tunnelgroup type remote-access
tunnel-group ikev1tunnelgroup general-attributes
default-group-policy MycompanyVpnPolicy
dhcp-server 3.3.3.3
tunnel-group ikev1tunnelgroup webvpn-attributes
authentication certificate
tunnel-group ikev1tunnelgroup ipsec-attributes
chain
ikev1 trust-point mytrustpoint
isakmp keepalive threshold 100 retry 2
ikev1 user-authentication none

tunnel group map

myfirewall/act/pri# sh run tunnel-group-map
tunnel-group-map enable rules
tunnel-group-map default-group ikev1tunnelgroup

RA VPN config with SSL

For the Anyconnect you have to create your Profile xml file. This requires ASDM.
You should go to the Profile Editor in ASDM and open your server list entry in your Profile and here you should set the gateway IP.
The basic authentication for SSL is EAP… You need to create at least a local user to be able to test it.

webvpn

myfirewall/act/pri# sh run webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.0.0629-k9.pkg 2
anyconnect profiles sslprofile disk0:/sslprofile.xml
anyconnect profiles test2 disk0:/acv3ipsecprofile.xml
anyconnect enable
tunnel-group-list enable
certificate-group-map MyCertMap1 5 ssltunnelgroup

certificate map

My certificate map is really useless in a live enviroment, but it makes what I want for that simple test.

myfirewall/act/pri# sh run cry ca cert ma
crypto ca certificate map MyCertMap1 5
subject-name attr ea eq jimmy@mycompany.com

tunnel group

I could use the same tunnel-group that I have for IKEv1 and just simple add some webvpn commands to it, but I did 2 different tunnel-groups.

myfirewall/act/pri# sh run tun ssltunnelgroup
tunnel-group ssltunnelgroup type remote-access
tunnel-group ssltunnelgroup general-attributes
default-group-policy MycompanyVpnPolicy
dhcp-server 3.3.3.3
tunnel-group ssltunnelgroup webvpn-attributes
authentication certificate

group policy

The group policy could be 2 different group as well, but I used the same group for ssl what I have already configured for ike1 and added/changed some commands here.

myfirewall/act/pri# sh run group-policy MycompanyVpnPolicy
group-policy MycompanyVpnPolicy internal
group-policy MycompanyVpnPolicy attributes
wins-server value 1.1.1.1
dns-server value 2.2.2.2
dhcp-network-scope 10.10.10.10
vpn-simultaneous-logins 20
vpn-tunnel-protocol ikev1 ssl-client
default-domain value mycompany.com
webvpn
anyconnect profiles value test2 type user

RA VPN config with IKEv2

With the colors you can see what is new for configuring IKEv2 and what is the old one.
In crypto configuration the key command is the “crypto dynamic-map”, that let us configure ikev2 for the same dynamic map that already has an IKEv1 config.
And here is something you have to know. The authentication method for IKEv2 can be some EAP methods listed in profile editor (for example IKE-RSA). If you need IKE-RSA you should not check the ‘Standard Authentication Only’ and choose in the “Authentication method during IKE Negotiation” list the IKE-RSA as the vpn will fail every time you connect with Anyconnect.

isakmp

myfirewall/act/pri# sh run cry ikev2
crypto ikev2 policy 1
encryption aes-256 aes-192 aes 3des
integrity sha md5
group 5 2 1
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint mytrustpoint

transform set

myfirewall/act/pri(config)# sh run crypto ipsec
crypto ipsec ikev1 transform-set MycompanysTransformSet esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal MycompanysTransformSet2
protocol esp encryption aes-256 aes-192 aes 3des
protocol esp integrity sha-1

dynamic map

myfirewall/act/pri# sh run cry dyn
crypto dynamic-map out_dyn_map 10 set ikev1 transform-set MycompanyTransformSet
crypto dynamic-map out_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map out_dyn_map 20 set ikev2 ipsec-proposal MycompanyTransformSet2

crypto map

myfirewall/act/pri(config)# sh run cry map
crypto map out_cry_map 10 ipsec-isakmp dynamic out_dyn_map
crypto map out_cry_map interface outside

The rest of the config (webvpn, tunnel-group, group-policy, certificate map)

Here is a small command topology to understand the relationship between the important conguration parts.

webvpn
| |
| with “certificate-group-map” command we bind the
| ^ ^
| | |
| | “crypto ca certificate map” command
| |
| ^
| “tunnel-group” command
|
^
with “anyconnect profiles” command we bind the
|
^
anyconnect profiles value” command in group-policy (actually it defines anyconnect profile for webvpn)

webvpn

For the Anyconnect you have to customize again your Profile xml file. This is the first (and hopefully the last) thing that requires ASDM.
You should go to the Profile Editor in ASDM and open your server list entry in your Profile and here you should change you Primary Protocol to IPSec.

myfirewall/act/pri(config)# sh run webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.0629-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-3.0.0629-k9.pkg 2
anyconnect profiles test2 disk0:/acv3ipsecprofile.xml
anyconnect enable
tunnel-group-list enable
certificate-group-map MyCertMap1 5 ssltunnelgroup

certificate map

myfirewall/act/pri(config)# sh run cry ca cert ma
crypto ca certificate map MyCertMap1 5
subject-name attr ea eq test2@mycompany.com

tunnel-group

myfirewall/act/pri# sh run tun ssltunnelgroup
tunnel-group ssltunnelgroup type remote-access
tunnel-group ssltunnelgroup general-attributes
default-group-policy MycompanyVpnPolicy
dhcp-server 3.3.3.3
tunnel-group ssltunnelgroup webvpn-attributes
authentication certificate

group-policy

There is a lot of changes that need to be done. see below :-)

myfirewall/act/pri# sh run group-policy MycompanyVpnPolicy
group-policy MycompanyVpnPolicy internal
group-policy MycompanyVpnPolicy attributes
wins-server value 1.1.1.1
dns-server value 2.2.2.2
dhcp-network-scope 10.10.10.10
vpn-simultaneous-logins 20
vpn-tunnel-protocol ikev1 ikev2 ssl-client
default-domain value mycompany.com
webvpn
anyconnect profiles value test2 type user

Good luck if you just start it on your own and remember, there are two kinds of angry people: explosive and implosive.
Explosive is the kind of individual that you see screaming at the cashier for not taking their coupons.
Implosive is the cashier who remains quiet, day after day and finally shoots everyone in the store.
(Anger Management)
If it does not work today it will work tomorrow…

Advertisements
Posted in: ASA, Cisco, Security, VPN