Ipsec Anyconnect



AnyConnect implements the Samsung Knox VPN framework and is compatible with the Knox VPN SDK. It's recommended to use Knox version 2.2 and above with AnyConnect. All operations from IKnoxVpnService are supported. For detailed description of each operation, please see the IKnoxVpnService documentation published by Samsung.


Knox VPN JSON Profile

As required by the Knox VPN framework, each VPN configuration is created as a JSON object. This object provides three main sections of the configuration:

  1. General attributes - 'profile_attribute'
  2. Vendor (AnyConnect) specific attributes - 'vendor'
  3. Knox specific profile attributes - 'knox'

Supported profile_attribute Fields

  • profileName - Unique name for the connection entry to appear in the connection list of the AnyConnect home screen and the Description field of the AnyConnect connection entry. We recommend using a maximum of 24 characters to ensure that they fit in the connection list. Use letters, numbers, or symbols on the keyboard displayed on the device when you enter text into a field. The letters are case-sensitive.
  • vpn_type - The VPN protocol used for this connection. Valid values are:
    • ssl
    • ipsec
  • vpn_route_type - Valid values are:
    • 0 – System VPN
    • 1 – Per-app VPN

For more information regarding the common profile attributes, please see the Samsung KNOX Framework Vendor Integration Guide.

AnyConnect-specific configuration is specified via the 'AnyConnectVPNConnection' key inside the 'vendor' section. Sample:

Supported AnyConnectVPNConnection Fields

  • host - The domain name, IP address, or Group URL of the ASA with which to connect. AnyConnect inserts the value of this parameter into the Server Address field of the AnyConnect connection entry.
  • authentication - (optional) Only applies when vpn_type (in profile_attribute) is set to 'ipsec'. Specifies the authentication method used for an IPsec VPN connection. Valid values are:
    • EAP-AnyConnect (default value)
    • EAP-GTC
    • EAP-MD5
    • EAP-MSCHAPv2
    • IKE-PSK
    • IKE-RSA
    • IKE-ECDSA
  • ike-identity - Used only if authentication is set to EAP-GTC, EAP-MD5, or EAP-MSCHAPv2. Provides the IKE identity for these authentication methods.
  • usergroup - (optional) The connection profile (tunnel group) to use when connecting to the specified host. If present, it is used in conjunction with host (HostAddress) to form a group-based URL. If you specify the Primary Protocol as IPsec, the user group must be the exact name of the connection profile (tunnel group). For SSL, the user group is the group-url or group-alias of the connection profile.
  • certalias - (optional) KeyChain alias of a client certificate that should be imported from the Android KeyChain. The user must acknowledge an Android system prompt before the certificate can be used by AnyConnect.
  • ccmcertalias - (optional) TIMA alias of a client certificate that should be imported from the TIMA certificate store. No user action is necessary for AnyConnect to receive the certificate. Please note: this certificate must have been explicitly whitelisted for use by AnyConnect (e.g. using the Knox CertificatePolicy API).

Inline VPN Packet App Metadata

Inline app metadata for VPN packets is an exclusive feature available on Samsung Knox devices. It is enabled by the MDM and provides AnyConnect with source application context for enforcing routing and filtering policies. It is required for implementing certain per-app VPN filtering policies from the VPN gateway on Android devices. Policies target a specific application ID, or groups of apps via wildcards, and are matched against the source application ID of each outbound packet.

The MDM dashboard should provide administrators with an option to enable inline packet metadata. Alternatively, the MDM could hardcode this option to always be enabled for AnyConnect, which will make use of it according to the headend policy.

For more information on AnyConnect’s per-app VPN policies, please see the section on 'Define a Per App VPN Policy for Android Devices' in the Cisco AnyConnect Secure Mobility Client Administrator Guide.

MDM Configuration


To enable inline packet metadata, set 'uidpid_search_enabled' to 1 in the 'knox' section (Knox-specific attributes) of the configuration. Sample:
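The page's own JSON samples are not reproduced above, so here is an added illustration (not Cisco's or Samsung's code) that encodes the rules from the profile_attribute, AnyConnectVPNConnection and knox field descriptions as a validator and runs it over a constructed profile. The host, IKE identity and certificate alias are placeholders; TG-1 is the tunnel group name used later on this page.

```python
# Allowed values taken from the field descriptions above.
VPN_TYPES = {"ssl", "ipsec"}
ROUTE_TYPES = {0, 1}  # 0 = System VPN, 1 = Per-app VPN
AUTH_METHODS = {"EAP-AnyConnect", "EAP-GTC", "EAP-MD5", "EAP-MSCHAPv2",
                "IKE-PSK", "IKE-RSA", "IKE-ECDSA"}
IKE_IDENTITY_METHODS = {"EAP-GTC", "EAP-MD5", "EAP-MSCHAPv2"}


def validate_profile(profile: dict) -> list:
    """Return the problems found; an empty list means every documented rule holds."""
    errors = []
    attrs = profile.get("profile_attribute", {})
    name = attrs.get("profileName", "")
    if not name:
        errors.append("profileName is required")
    elif len(name) > 24:
        errors.append("profileName over 24 characters may not fit in the connection list")
    vpn_type = attrs.get("vpn_type")
    if vpn_type not in VPN_TYPES:
        errors.append("vpn_type must be 'ssl' or 'ipsec'")
    if attrs.get("vpn_route_type") not in ROUTE_TYPES:
        errors.append("vpn_route_type must be 0 (system VPN) or 1 (per-app VPN)")

    conn = profile.get("vendor", {}).get("AnyConnectVPNConnection", {})
    if not conn.get("host"):
        errors.append("vendor.AnyConnectVPNConnection.host is required")
    auth = conn.get("authentication")
    if auth is not None and vpn_type != "ipsec":
        errors.append("authentication only applies when vpn_type is 'ipsec'")
    elif auth is not None and auth not in AUTH_METHODS:
        errors.append(f"unknown authentication method {auth!r}")
    if "ike-identity" in conn and (auth or "EAP-AnyConnect") not in IKE_IDENTITY_METHODS:
        errors.append("ike-identity is only used with EAP-GTC, EAP-MD5 or EAP-MSCHAPv2")

    # 'knox' section: uidpid_search_enabled = 1 turns on inline packet app metadata.
    if profile.get("knox", {}).get("uidpid_search_enabled") not in (None, 0, 1):
        errors.append("knox.uidpid_search_enabled must be 0 or 1")
    return errors


# Constructed sample: per-app IPsec profile with inline packet metadata enabled. Host, identity
# and alias values are placeholders; TG-1 is the tunnel group name used later on this page.
SAMPLE_PROFILE = {
    "profile_attribute": {"profileName": "Corp IPsec VPN", "vpn_type": "ipsec", "vpn_route_type": 1},
    "vendor": {"AnyConnectVPNConnection": {
        "host": "vpn.example.com", "authentication": "EAP-MSCHAPv2", "ike-identity": "corp-mobile",
        "usergroup": "TG-1", "ccmcertalias": "corp-client-cert"}},
    "knox": {"uidpid_search_enabled": 1},
}
```

Serialise SAMPLE_PROFILE with json.dumps to obtain the JSON object the Knox VPN framework consumes; an MDM can run validate_profile before pushing a configuration so that a rejected profile is caught on the server rather than on the device.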

See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (username/password and certificate).

ASA Configuration

Create a Crypto Keypair

Create a CA Trustpoint

Authenticate the Trustpoint

In this example the ASA will enrol with a Windows Certificate Authority.

  • Open the CA’s Trusted Root certificate in notepad
  • Copy the contents of the certificate
  • On the ASA run the command crypto ca authenticate LAB_PKI
  • When prompted paste the contents of the CA Trusted Root certificate
  • Type quit at the end
  • Enter yes to import the certificate

Enrol the ASA for an Identity Certificate

The ASA will create a CSR, which will need to be signed by the Windows CA and the signed certificate imported.

  • On the ASA run the command crypto ca enroll LAB_PKI
  • When prompted copy the contents of the CSR
  • Complete the Certificate Signing Request
  • On the Windows CA open the web page to sign certificates, click Request a certificate
  • Click advanced certificate request
  • Paste the CSR generated on the ASA in the previous step above
  • Select the Certificate Template Web Server
  • Click Submit
  • Select Base 64 encoded
  • Click Download certificate and save the file for use in the next step
  • On the ASA, run the command crypto ca import LAB_PKI certificate. LAB_PKI equals the name of the trustpoint previously defined.
  • When prompted paste the contents of the saved file (generated in the previous step)
  • Type quit at the end
  • Verify the Identity and Trusted Root Certificates imported successfully by running the command show crypto ca certificates
  • In the screenshot below the first certificate is the Identity Certificate (note the Subject name of the ASA). The second certificate is the Trusted Root certificate (note the subject name = lab=PKI-CA).

Enable the Certificate Trustpoint on the OUTSIDE interface

Enable the Certificate Trustpoint for Remote Access

Define IKEv2 Policy


Define IPSec Transform Sets

Define Crypto Map

Reference the previously created IPSec transform sets, then enable the crypto map on the OUTSIDE interface.

Modify Group Policy to enable IKEv2

Enable AAA and Certificate authentication

For additional security double authentication will be configured to require certificate and username/password. The certificate will be authenticated against the ASA, the UN/PW will be authenticated against the RADIUS server (defined in the previous post).

Enable AAA accounting (if not already enabled)

AAA accounting should be enabled to keep track of the connections.

ISE Configuration

The ISE Authorization Policy as defined in the previous post needs modifying to add a new rule for clients connecting with IPSec. Using this attribute is optional, but it can be used to distinguish between different connection types if required.

  • Create a new Authorization rule called AnyConnect IPSec VPN
  • Define Conditions: Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name CONTAINS TG-1 AND Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type EQUALS AnyConnect-Client-IPSec-VPN
  • Permissions: VPN_Permit_DACL

Testing & Verification

You will need to create an AnyConnect profile; download the AnyConnect Profile Editor.

  • Open the VPN Profile Editor
  • Navigate to the Server List and click Add
  • Define a display name for the connection, e.g. ASA IKEv2/IPSec VPN
  • Define the FQDN
  • Define the User Group, this represents the Tunnel-Group on the ASA, in this instance the name is TG-1 (as defined in the previous post)
  • Set the Primary Protocol to IPSec


  • Click Save and ensure the file is saved to the folder location:
    • C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
  • Restart the Cisco AnyConnect services or reboot
  • Open the Cisco AnyConnect Secure Mobility Client, this should display the new connection

The Windows computer has a User and Computer certificate issued by the same Windows CA that signed the certificate in use on the ASA, and therefore they should mutually trust each other and successfully authenticate.

  • On the ASA run the command debug aaa authentication
  • On the PC connect to the VPN and enter the username/password when prompted. Certificate authentication, if successful, should be transparent

From the ASA debugs you can see the certificate authentication was successful

Authentication using Username/Password was also successful. You can see from the debug output aaa authentication was successful, a DACL was downloaded, aaa accounting was successful and the client was successfully assigned an IP address from the local pool.

  • On the ASA run the command show vpn-sessiondb detail anyconnect


You will be able to confirm the Username, Assigned IP address, IKEv2 encryption algorithm used, authentication method, group-policy and tunnel-group etc.
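To make that verification repeatable, here is an added example (not part of the original post) that parses the two-column output of show vpn-sessiondb detail anyconnect and checks the points listed above: IKEv2 in use, the expected tunnel group, certificate plus username/password authentication, and a non-trivial IKEv2 cipher. The session excerpt is constructed to resemble the ASA's layout and is not a capture from a real device; the weak-cipher set is an assumed local baseline.

```python
import re

# Constructed excerpt modelled on `show vpn-sessiondb detail anyconnect`; the layout and
# field names are an approximation for illustration, not a capture from a real ASA.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : alice                  Index        : 7
Assigned IP  : 192.168.50.10          Public IP    : 203.0.113.25
Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
Encryption   : IKEv2: (1)AES256  IPsecOverNatT: (1)AES256  AnyConnect-Parent: (1)none
Hashing      : IKEv2: (1)SHA256  IPsecOverNatT: (1)SHA256  AnyConnect-Parent: (1)none
Group Policy : GP-1                   Tunnel Group : TG-1
Auth Mode    : Certificate and userPassword
"""

# Split a line where two or more spaces precede the next "Key :" column; requiring a space
# before the colon keeps sub-fields such as "IKEv2: (1)AES256" inside their parent value.
COLUMN_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z][A-Za-z ]*\s+:)")
WEAK_CIPHERS = {"none", "DES", "3DES"}  # assumption: the administrator's own baseline


def parse_session(output: str) -> dict:
    """Map each 'Key : value' column of the session output to a dict."""
    fields = {}
    for line in output.splitlines():
        for column in COLUMN_SPLIT.split(line):
            key, sep, value = column.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields


def per_protocol(value: str) -> dict:
    """'IKEv2: (1)AES256  IPsecOverNatT: (1)AES256' -> {'IKEv2': 'AES256', ...}"""
    return dict(re.findall(r"([\w-]+): \(\d+\)(\S+)", value))


def check_session(output: str, tunnel_group: str = "TG-1") -> list:
    """Return verification failures; an empty list means the session looks as intended."""
    f = parse_session(output)
    findings = []
    if "IKEv2" not in f.get("Protocol", ""):
        findings.append("session is not using IKEv2")
    if f.get("Tunnel Group") != tunnel_group:
        findings.append(f"tunnel group is {f.get('Tunnel Group')!r}, expected {tunnel_group!r}")
    auth = f.get("Auth Mode", "")
    if "Certificate" not in auth or "userPassword" not in auth:
        findings.append("double authentication (certificate + username/password) not in effect")
    cipher = per_protocol(f.get("Encryption", "")).get("IKEv2", "none")
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak or missing IKEv2 encryption: {cipher}")
    return findings
```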