IKEv2 IPSec Remote Access VPN with Anyconnect on Cisco ASA

The Cisco AnyConnect Secure Mobility Solution provides a comprehensive, highly secure enterprise mobility solution. the Cisco AnyConnect Secure Mobility Solution continues to lead with next-generation security and encryption, including support for the Suite B set of cryptographic algorithms, and support for IPv6 networks. More importantly, it adapts its tunneling protocol to the most efficient method. AnyConnect client can be used to connect both SSL VPN as well as IKEv2 IPSec VPN. In this document we will see how to configure only IKEv2 IPSec VPN.

! Generate rsa keys, which will be used in configuring trustpoint for obtaininng certificate.

crypto key generate rsa label VPNKeyPair modulus 1024 noconfirm  

! Configure a trustpoint and enroll for Self-Signed-Certificate.

crypto ca trustpoint LocalTrust
enrollment self
fqdn ravpn.pacificgroup.co.in
subject-name CN=ravpn.pacificgroup.co.in
keypair VPNKeyPair
crypto ca enroll LocalTrust noconfirm

! Create a local IP pool for assigning IP addresses to the clients.

ip local pool RA_VPN_POOL mask

! copy Anyconnect client package to flash

copy tftp:// flash:

! copy the client profile xml file to flash

copy tftp:// disk0:

NOTE: The AnyConnect client protocol defaults to SSL. To enable IPsec IKEv2, you must configure the IKEv2 settings on the ASA and also configure IKEv2 as the primary protocol in the client profile. The IKEv2enabled profile must be deployed to the endpoint computer, otherwise the client attempts to connect using SSL. 

! Refer to the below client profile template, which is reusable after editing the HostName and HostAddress.


! Global webvpn configuration

  anyconnect profiles IKEv2_ANYCONNECT_VPN_client_profile disk0:/IKEv2_ANYCONNECT_VPN_client_profile.xml

! Local user creation

username prashant password 123456

! Group Policy configuration

group-policy GroupPolicy_IKEv2_ANYCONNECT_VPN internal
group-policy GroupPolicy_IKEv2_ANYCONNECT_VPN attributes
  vpn-tunnel-protocol ikev2
    anyconnect profiles value IKEv2_ANYCONNECT_VPN_client_profile type user

group-policy GroupPolicy_IKEv2_ANYCONNECT_VPN attributes
  dns-server value

! Tunnel group configuration

 tunnel-group IKEv2_ANYCONNECT_VPN type remote-access
tunnel-group IKEv2_ANYCONNECT_VPN general-attributes
  default-group-policy GroupPolicy_IKEv2_ANYCONNECT_VPN
  address-pool  RA_VPN_POOL
tunnel-group IKEv2_ANYCONNECT_VPN webvpn-attributes
  group-alias IKEv2_ANYCONNECT_VPN enable

! ISAKMP policy configuration.

 crypto ikev2 policy 40
  group 2 5
  encryption aes

! Enable IKEv2 on outside interface
! Associate a trustpoint with the IKEv2
! Configure IPSec parameters

crypto ikev2 enable OUTSIDE
crypto ikev2 remote-access trustpoint LocalTrust
crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption AES
  protocol esp integrity sha-1

! configure dynamic-map and associate it with a crypto-map
! apply the crypto map to the outside interface

crypto dynamic-map IKEv2_RA_VPN_CRYPTO_MAP 1000 set  ikev2 ipsec-proposal AES
crypto map OUTSIDE_map 500 ipsec-isakmp dynamic IKEv2_RA_VPN_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE


  1. Hello,
    I hope you can help me.
    this configuration in what file i have too aplicated
    ! Refer to the below client profile template, which is reusable after editing the HostName and HostAddress.


    I tried in the name file preferences.xml and the AnyConnect Profile.xsd.

    Can you help me please



Post a Comment

Popular posts from this blog

Specifying SSH port in Ansible Inventory

Ansible-Playbook to display output of multiple show commands (using stdout_lines with Loop)

Filtering Routes in BGP using Route-maps and Prefix-list

Ansible Playbook for Network OS Upgrade with pre and post checks

Bypassing Proxy Server in Google Chrome

VMware NSX Traffic Flow — East-West & North-South

Export or Backup Azure Network Security Groups into CSV using PowerShell

Ansible-playbook for backing up running config of Cisco IOS