To be honest, there isn’t much of a change in the configuration of an IPsec Remote Access VPN in ASA 8.3/8.4. There is just a minor change in some of the ‘crypto’ statements wherein you need to specify it as either IKEv1 or IKEv2.
So if you are planning to use the legacy IPsec VPN client (the one with that yellow lock icon) then you need to configure your Remote Access VPN with IKEv1 option. And if you’re planning to move to the new AnyConnect VPN client, then you need to configure your Remote Access VPN for IKEv2. AnyConnect does support IPsec VPN, it’s just that it will only work when you have the respective remote access VPN configured for IKEv2.
Please note that the ASA can simultaneously be configured for both IKEv1 and IKEv2. Though they use the same UDP port they are not interoperable but they work independently without any conflicts.
The following post covers the basic configuration that will be required for running an IKEv1 Remote Access VPN in ASA 8.3/8.4.
Remote Access gateway configuration:-
1. Create the Phase 1 policy. Pre 8.3, this was the ‘crypto isakmp policy’.
crypto ikev1 policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400
2. Setup Phase 2 parameters. Pre 8.3, it was ‘crypto ipsec transform-set’
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
3. Create an IP pool from which IP addresses will be assigned to the remote clients who are successfully authenticated.
ip local pool client_pool 192.168.1.1-192.168.1.5 mask 255.255.255.248
4. Create a group-policy.
The policy can either be applied to the tunnel-group as the default-group-policy or it can be specifically assigned to a username under its attributes. This is also where the split-tunnel needs to be configured (by default all traffic generated by the remote client is routed to the tunnel – ‘tunnelall’).
access-list split_tunnel_acl standard permit 172.21.1.0 255.255.255.0 ! group-policy ipsec_ra_policy internal group-policy ipsec_ra_policy attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value split_tunnel_acl
5. Create the tunnel-group to which the users will connect to.
Refer the local pool we created earlier in the general-attributes. Pre 8.3, the pre-shared-key command under the ipsec-attributes did not have ‘ikev1’ appended to it.
tunnel-group ipsec_ra_tunnel type remote-access tunnel-group ipsec_ra_tunnel general-attributes address-pool client_pool default-group-policy ipsec_ra_policy authentication-server-group LOCAL tunnel-group ipsec_ra_tunnel ipsec-attributes ikev1 pre-shared-key c1sc0
6. Create a Dynamic Crypto Map.
Again, the ‘ikev1’ in ‘set transform-set’ was not appended in the earlier versions of ASA. Reverse-route injection puts a route in the routing table of the ASA for the remote clients IP pool and points it to the next-hop (show command output shown at the end of the post).
crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
7. Create a crypto map entry and associate the dynamic map to it.
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
8. Apply the crypto map to the outside interface.
crypto map outside_map interface outside
9. Enable IKEv1 on the outside interface. Pre 8.3, ‘ISAKMP’ was enabled on the interface.
crypto ikev1 enable outside
10. Create a username and password in the local database as the remote clients with be authenticated based on the LOCAL authentication.
username officeguy password strongpassword
11. Create Identity NAT because most probably there will be a Dynamic PAT running on the outside interface. Identity NAT from your internal network to the remote access VPN client IP pool.
object-group network obj_192.168.1.1_248 network 192.168.1.1 255.255.255.248 object-group network obj_172.21.1.0_24 172.21.1.0 255.255.255.0 nat (inside,outside) source static obj_172.21.1.0_24 obj_172.21.1.0_24 destination static obj_192.168.1.1_248 obj_192.168.1.1_248 no-proxy-arp route-lookup
Client side configuration:-
Connection Entry > New
Enter the username and password created in the local username database.
ASA# show crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 10.1.1.100 Type : user Role : responder Rekey : no State : AM_ACTIVE There are no IKEv2 SAs ASA# show route ! output omitted for brevity C 220.127.116.11 255.255.255.0 is directly connected, outside C 172.21.1.0 255.255.255.0 is directly connected, inside S* 0.0.0.0 0.0.0.0 [1/0] via 18.104.22.168, outside
Also check Part 2 of this post which shows some useful commands (although optional) that you can make use of while configuring an IPsec Remote Access VPN.