4 - VPN TIP: HOW TO CREATE A VPN ON ASA USING CISCO ANYCONNECT WITH THE IKEv2 PROTOCOL:

AnyConnect remote-access VPN configuration with IKEv2:

IKEv2 has more advanced features and does not work with the legacy Cisco VPN client, so we have to use the AnyConnect VPN client. We can use either split tunneling or U-turning (hairpinning).

To learn about U-turning and split tunneling, please read these two articles.







In this article, I used the U-turning procedure.

I have configured the routing in such a way that the VPN client can communicate with R3, R5, R4 and the ASA outside interface but has no access to R2. R2 behaves as a router somewhere on the Internet, but the ASA has reachability to R2.

When the client connects to the ASA through AnyConnect, it should be able to ping R2 through the ASA's Internet connection, which is the proof of hairpinning.


The routes configured on all the devices can be seen below.

R
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ASA
route outside 0.0.0.0 0.0.0.0 10.0.50.2 1
R4
ip route 10.0.10.0 255.255.255.0 10.0.30.2
ip route 10.0.20.0 255.255.255.0 10.0.30.2
ip route 10.0.40.0 255.255.255.0 10.0.30.2
R5
ip route 10.0.10.0 255.255.255.0 10.0.20.1
ip route 10.0.50.0 255.255.255.0 10.0.30.1
R2
ip route 0.0.0.0 0.0.0.0 10.0.40.2
R3
ip route 10.0.30.0 255.255.255.0 10.0.20.2
ip route 10.0.50.0 255.255.255.0 10.0.20.2

ASA > ping 10.0.40.1 = success 

This type of VPN needs a certificate, so first we have to generate a self-signed certificate on the ASA.


ASA self-signed certificate configuration:

ASA(config)# ntp server 88.147.254.228
! It is very important that the ASA time is correct (certificate validity depends on it); set it manually or, as here, use an NTP server.
ciscoasa(config)# hostname ciscoasa
ciscoasa(config)# domain-name babar.com
ciscoasa(config)# crypto key generate rsa label sslvpnkeypair modulus 1024
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait...
ciscoasa(config)# crypto ca trustpoint Arshad
ciscoasa(config-ca-trustpoint)# enrollment self
ciscoasa(config-ca-trustpoint)# fqdn ciscoasa.babar.com
ciscoasa(config-ca-trustpoint)# subject-name CN=ciscoasa.babar.com
ciscoasa(config-ca-trustpoint)# keypair sslvpnkeypair
ciscoasa(config-ca-trustpoint)# crypto ca enroll Arshad noconfirm
% The fully-qualified domain name in the certificate will be: ciscoasa.babar.com

ciscoasa(config)# ssl trust-point Arshad outside 


Let's do the VPN configuration on the ASA:

ciscoasa(config)#same-security-traffic permit intra-interface
ciscoasa(config)#ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
ciscoasa(config)#webvpn
ciscoasa(config-webvpn)#enable outside
ciscoasa(config-webvpn)#anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
ciscoasa(config-webvpn)#tunnel-group-list enable
ciscoasa(config-webvpn)#anyconnect enable

ciscoasa(config)#group-policy clientgroup internal
ciscoasa(config)#group-policy clientgroup attributes
ciscoasa(config-group-policy)#vpn-tunnel-protocol ssl-client ikev2
ciscoasa(config-group-policy)#split-tunnel-policy tunnelall

ciscoasa(config)# tunnel-group RemoteUser type remote-access
ciscoasa(config)# tunnel-group RemoteUser general-attributes
ciscoasa(config-tunnel-general)# default-group-policy clientgroup
ciscoasa(config-tunnel-general)# address-pool  vpnpool
ciscoasa(config-tunnel-general)# tunnel-group RemoteUser webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-alias RemoteUser enable

ciscoasa(config)# crypto ikev2 policy 1
ciscoasa(config-ikev2-policy)# group 2 5
ciscoasa(config-ikev2-policy)# encryption aes-256
ciscoasa(config-ikev2-policy)# crypto ikev2 policy 10
ciscoasa(config-ikev2-policy)# group 2 5
ciscoasa(config-ikev2-policy)# encryption aes-192
ciscoasa(config-ikev2-policy)# crypto ikev2 policy 20
ciscoasa(config-ikev2-policy)# group 2 5
ciscoasa(config-ikev2-policy)# encryption aes
ciscoasa(config-ikev2-policy)# crypto ikev2 policy 30
ciscoasa(config-ikev2-policy)# group 2 5
ciscoasa(config-ikev2-policy)# encryption 3des
ciscoasa(config-ikev2-policy)# crypto ikev2 policy 40
ciscoasa(config-ikev2-policy)# group 2 5
ciscoasa(config-ikev2-policy)# encryption des

ciscoasa(config)# crypto ikev2 enable outside client-services port 443
ciscoasa(config)# crypto ikev2 remote-access trustpoint Arshad
ciscoasa(config)# username Babar password cisco

ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal AES256
ciscoasa(config-ipsec-proposal)# protocol esp encryption aes-256
ciscoasa(config-ipsec-proposal)# protocol esp integrity sha-1 md5
ciscoasa(config-ipsec-proposal)# crypto ipsec ikev2 ipsec-proposal AES192
ciscoasa(config-ipsec-proposal)# protocol esp encryption aes-192
ciscoasa(config-ipsec-proposal)# protocol esp integrity sha-1 md5
ciscoasa(config-ipsec-proposal)# crypto ipsec ikev2 ipsec-proposal AES
ciscoasa(config-ipsec-proposal)# protocol esp encryption aes
ciscoasa(config-ipsec-proposal)# protocol esp integrity sha-1 md5
ciscoasa(config-ipsec-proposal)# crypto ipsec ikev2 ipsec-proposal 3DES
ciscoasa(config-ipsec-proposal)# protocol esp encryption 3des
ciscoasa(config-ipsec-proposal)# protocol esp integrity sha-1 md5
ciscoasa(config-ipsec-proposal)# crypto ipsec ikev2 ipsec-proposal DES
ciscoasa(config-ipsec-proposal)# protocol esp encryption des
ciscoasa(config-ipsec-proposal)# protocol esp integrity sha-1 md5

ciscoasa(config)# crypto dynamic-map DYN-MAP 65535 set ikev2 ipsec-proposal  AES256 AES192 AES 3DES DES
ciscoasa(config)# crypto map outside_map 65535 ipsec-isakmp dynamic DYN-MAP
ciscoasa(config)# crypto map outside_map interface outside
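The policy and proposal set above offers everything from AES-256 down to DES with MD5 integrity and DH groups 2 and 5, so the client's preference decides what the tunnel actually negotiates. As an added example (not code from the article), the Python below parses the policy and proposal blocks as the ASA prints them in show running-config, lists every deprecated keyword each one offers, and shows a narrower policy set that passes the same check. The sample input is a subset of the article's own policies laid out in running-config form, with the ASA default integrity sha and prf sha lines filled in as an assumption about what the printed configuration would show; the hardened keywords are likewise an assumption about what your image supports.

```python
"""Audit ASA 'show running-config' text for weak IKEv2 policy / IPsec
proposal algorithms and show a hardened set that passes the same check.

Added example, not the article's code. Sub-commands are expected with one
leading space, as the ASA prints them; the sample is a subset of the
article's policies laid out that way, with the ASA default 'integrity sha'
and 'prf sha' lines filled in (an assumption about the printed config)."""
import re

# Keywords a new remote-access VPN should no longer offer.
WEAK = {
    "encryption": {"des", "3des", "null"},
    "integrity": {"md5", "sha", "sha-1"},      # 'sha' / 'sha-1' = HMAC-SHA1
    "prf": {"md5", "sha"},
    "group": {"1", "2", "5"},                  # 768/1024/1536-bit MODP
}
HEADER = re.compile(r"^crypto (ikev2 policy|ipsec ikev2 ipsec-proposal) (\S+)$")
# Sub-command prefixes and the attribute they set.
ATTRS = {
    ("protocol", "esp", "encryption"): "encryption",
    ("protocol", "esp", "integrity"): "integrity",
    ("encryption",): "encryption",
    ("integrity",): "integrity",
    ("prf",): "prf",
    ("group",): "group",
}


def parse_policies(config_text):
    """Return {'kind name': {attr: set(keywords)}} for every crypto block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        m = HEADER.match(raw.strip())
        if m:
            kind = "ikev2-policy" if m.group(1) == "ikev2 policy" else "ipsec-proposal"
            current = policies.setdefault(f"{kind} {m.group(2)}",
                                          {a: set() for a in WEAK})
        elif not raw.startswith(" "):
            current = None        # a top-level command ends the block
        elif current is not None:
            for prefix, attr in ATTRS.items():
                if tuple(words[:len(prefix)]) == prefix:
                    current[attr].update(words[len(prefix):])
                    break
    return policies


def audit(policies):
    """Map each policy to the weak keywords it offers (empty dict = clean)."""
    findings = {}
    for name, attrs in policies.items():
        weak = set()
        for attr, allowed in attrs.items():
            weak |= {f"{attr} {k}" for k in allowed & WEAK[attr]}
        if weak:
            findings[name] = weak
    return findings


SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
crypto ikev2 enable outside client-services port 443
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
"""

# Hardened replacement; an assumption that your ASA image accepts these
# keywords (verify with 'encryption ?' / 'group ?' in policy mode).
HARDENED_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14 19 20
 prf sha256
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
"""

if __name__ == "__main__":
    for label, cfg in (("article", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_policies(cfg))
        print(f"{label}: {'clean' if not findings else ''}")
        for name, weak in findings.items():
            print(f"  {name}: {', '.join(sorted(weak))}")
```

Run it against a saved copy of show running-config and every policy that still offers DES, 3DES, MD5 or DH group 2/5 is listed; removing those policies and proposals leaves only what the hardened block offers, and the AnyConnect client negotiates the strongest common set.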

Try connecting to 10.0.50.1 from the client using AnyConnect; it should connect. But a ping to 192.168.1.2 from the client will not work yet, because we have not configured the NAT exemption:
object network NET_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NET_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static NET_OBJ_192.168.1.0_24 NET_OBJ_192.168.1.0_24 destination static NET_OBJ_192.168.10.0_24 NET_OBJ_192.168.10.0_24

Now the client can ping 192.168.1.2, and both can ping each other. But the client's Internet access has stopped working: we need another NAT entry so that traffic coming from the outside network (the VPN pool) is translated to the outside interface address 10.0.50.1.
This can be done in either of two ways.

1. This is not recommended. When we disconnect the VPN and ping the ASA outside interface, the ping does not work, as the ASA translates the outside IP to 192.168.10.0. Try it in a test environment before configuring it in a real network, because I faced this issue with IKEv2 remote-access VPN.

object network NET_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network NET_OBJ_0.0.0.0_0
subnet 0.0.0.0 0.0.0.0
ciscoasa(config)#nat (outside,outside) source static NET_OBJ_192.168.10.0_24 interface destination static NET_OBJ_0.0.0.0_0 NET_OBJ_0.0.0.0_0

2. This is the recommended solution.

object network NET_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
nat (outside,outside) dynamic interface


VPN client ping to 10.0.40.1 is working now, which means the client has Internet access through the firewall.





TIPS:
> We can use an ACL so that only the networks specified in the ACL can communicate; however, it is not a requirement of the VPN.
> We can use either split tunneling or U-turning.
> We need another NAT entry to translate the outside network (the VPN pool) to 10.0.50.1, which is the ASA outside public IP.

> "same-security-traffic permit intra-interface" is compulsory for this VPN.
> Make sure not to copy the commands directly from the webpage to the firewall. First copy 
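The two NAT options and the tips above amount to three things the hairpin design depends on: intra-interface traffic permitted, an identity (exemption) twice-NAT rule between the inside network and the pool, and a one-way dynamic hairpin NAT for the pool on the outside interface rather than the static rule of option 1. As an added example (not the article's code), the Python below reads a configuration in show running-config layout and reports whichever of the three is missing or, for option 1, wrongly static. The object names and prefixes mirror the article; the two sample configurations are constructed from its option 1 and option 2, and the function names parse and lint are my own.

```python
"""Pre-flight check for the hairpin (U-turn) AnyConnect design: the ASA
must permit intra-interface traffic, exempt inside<->pool traffic from
NAT, and hairpin-NAT the pool on the outside interface with a dynamic
(one-way) rule rather than a static (two-way) one.

Added example, not the article's code. Object names and prefixes mirror
the article; the two sample configurations are constructed from its
option 1 and option 2, laid out as 'show running-config' prints them."""
import re

POOL = "192.168.10.0 255.255.255.0"     # AnyConnect address pool
INSIDE = "192.168.1.0 255.255.255.0"    # inside network behind the ASA

OBJECT_HDR = re.compile(r"^object network (\S+)$")
SUBNET = re.compile(r"^subnet (\S+ \S+)$")
OBJECT_NAT = re.compile(r"^nat \((\S+),(\S+)\) (dynamic|static) (\S+)")
TWICE_NAT = re.compile(r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
                       r"(?: destination static (\S+) (\S+))?")


def parse(config_text):
    """Return (objects, object_nats, twice_nats, intra_interface)."""
    objects, object_nats, twice_nats, intra = {}, [], [], False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OBJECT_HDR.match(line):
            current = m.group(1)
            objects.setdefault(current, None)
        elif current and (m := SUBNET.match(line)):
            objects[current] = m.group(1)
        elif current and (m := OBJECT_NAT.match(line)):
            object_nats.append(m.groups() + (current,))   # (in, out, type, mapped, obj)
        else:
            current = None                # anything else leaves the object block
            if line == "same-security-traffic permit intra-interface":
                intra = True
            elif m := TWICE_NAT.match(line):
                twice_nats.append(m.groups())  # (in, out, type, real, mapped, dreal, dmapped)
    return objects, object_nats, twice_nats, intra


def lint(config_text):
    """Return a list of findings; an empty list means the design is complete."""
    objects, object_nats, twice_nats, intra = parse(config_text)
    findings = []
    if not intra:
        findings.append("missing 'same-security-traffic permit intra-interface'; "
                        "hairpinned VPN traffic is dropped without it")
    if not any(t[2] == "static" and t[3] == t[4] and t[5] == t[6]
               and {objects.get(t[3]), objects.get(t[5])} == {INSIDE, POOL}
               for t in twice_nats):
        findings.append("no NAT exemption (identity twice NAT) between the inside "
                        "network and the VPN pool")
    dynamic_hairpin = [n for n in object_nats if n[0] == n[1] == "outside"
                       and n[2] == "dynamic" and objects.get(n[4]) == POOL]
    static_hairpin = [t for t in twice_nats if t[0] == t[1] == "outside"
                      and t[2] == "static" and objects.get(t[3]) == POOL]
    if static_hairpin:
        findings.append("hairpin NAT for the pool is a static twice-NAT rule; static "
                        "rules are bidirectional, so traffic arriving on outside for the "
                        "interface address is un-translated toward the pool (option 1)")
    elif not dynamic_hairpin:
        findings.append("no dynamic hairpin NAT for the VPN pool on (outside,outside); "
                        "clients have no Internet access through the ASA")
    return findings


OPTION2 = """\
same-security-traffic permit intra-interface
object network NET_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NET_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
nat (inside,outside) source static NET_OBJ_192.168.1.0_24 NET_OBJ_192.168.1.0_24 destination static NET_OBJ_192.168.10.0_24 NET_OBJ_192.168.10.0_24
"""

OPTION1 = """\
same-security-traffic permit intra-interface
object network NET_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NET_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NET_OBJ_0.0.0.0_0
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static NET_OBJ_192.168.1.0_24 NET_OBJ_192.168.1.0_24 destination static NET_OBJ_192.168.10.0_24 NET_OBJ_192.168.10.0_24
nat (outside,outside) source static NET_OBJ_192.168.10.0_24 interface destination static NET_OBJ_0.0.0.0_0 NET_OBJ_0.0.0.0_0
"""

if __name__ == "__main__":
    for label, cfg in (("option 1", OPTION1), ("option 2", OPTION2)):
        print(f"{label}: {lint(cfg) or ['ok']}")
```

Option 2 comes back clean; option 1 is flagged for the static rule, which is the same symptom the article describes (the outside interface stops answering pings once the VPN is disconnected). The check reads the config only, so it belongs before the change window rather than after it.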


Note: I personally configured and tested this lab and it is working; the ASA version is 9.5(2).
---------------The END------------------

