AnyConnect® 3.0 and Internet Key Exchange (IKE) Version 2 — Part I

Almost a year ago I posted a two-part series on IKE version 2 about the protocol and some fundamental implementation principles on the Cisco IOS® router. With the announcement toward the end of last year of AnyConnect® Secure Mobility Client version 3.0 along with this year’s availability of ASA OS 8.4 and 8.5, discussion of the security appliance implementation of IKEv2 is timely. Due to the volume of information, I’ll again separate this post into two parts.

Before I dig into the details, let me mention that my research was based on an ASA5520 model with OS version 8.4(1) and ASDM version 6.4(1). One of the benefits of more recent versions of ASDM is that they now include a profile editor for AnyConnect, although later on I’ll point out a current implementation problem with that approach.

My first task, as shown by the ASDM screen below, was to enable IPSec access by selecting the “Allow Access” check box underneath the IPSec columns for the outside interface. As can be seen from the display, this necessitated the use of a certificate.

Once the certificate was configured, I wanted to ensure that the AnyConnect client used IKEv2 to connect and not SSL; consequently, the profile editor was used as shown in the two screenshots below.

When IPSec was chosen as the “Primary Protocol” for the GKL-ASA server shown above, the grayed-out “Auth Method Used During IKE Negotiation” defaults to IKE-RSA and cannot be changed unless the “Standard Authentication Only” check box is selected (I will elaborate on this point later). As the documentation points out, this default setting along with the “Enable Client Services” check box in the previous screen-shot is necessary for the AnyConnect client to dynamically acquire the IP configuration attributes for full tunnel access.

Once the profile was saved and downloaded to the appropriate workstation folder on which AnyConnect was installed, connection using IKEv2 proceeded rather easily. Since the IKE-RSA method requires a digital certificate on the ASA, this cert must also be accepted by the user at the client workstation upon connection. Once this was done, the following details screen verified the nature of the connection:

As the above screen indicates, IKE version 2 is being used along with the NAT-Traversal (NAT-T) encapsulation variant of IPSec. The next article in this series will explore what happened when I attempted the use of the “Standard Authentication Only” option in the profile editor screen above.

References:
AnyConnect Secure Mobility Client Administrator Guide 3.0

In this article

Join the Conversation