FlexVPN Remote Access AnyConnect

After consistently spending time in the lab troubleshooting, reading and learning the fundamentals of IKEv2, I was able to use the false-positive debug information to track the root cause of this "passed authentication and failed authorization" issue.

I have finally managed to resolve this issue and I hope this small write-up will help others in the future too.

I was using the same version of AnyConnect (4.8) as in the article, and IOS 15.7.

Authorization Failure:
The article really helped! However, it left out one small item:

From the article I learned that a VPN with IKEv2 requires the following:

IKEv2:

IKEv2 proposal
IKEv2 policy
IKEv2 authorization policy (missing from the article, which caused some confusion)
IKEv2 profile
IKEv2 keyring

IPsec:

IPsec transform-set
IPsec profile

When you are configuring the IKEv2 profile and you declare

aaa authorization group anyconnect-eap list <NAME OF YOUR AAA AUTHORIZATION NETWORK LIST>

you MUST follow the list name with the name of the IKEv2 authorization policy!

This applies whether you are using RADIUS or local authentication!

For example:

aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY

Even if you are using a policy derived from RADIUS, you must still reference a "dummy" authorization policy!

A populated authorization policy example:

crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 pool VPN_POOL
 dns 1.1.1.1
 def-domain NWL.LAB
 route set remote ipv4 1.1.1.1 255.255.255.255

A "dummy" (empty) authorization policy:

crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY

(no sub-commands at all)

The issue with "Smart Defaults"
The main issue with smart defaults is that even if you don't configure an authorization policy yourself and let "smart defaults" predefine a "default" one, that policy's name still has to be referenced in the profile; otherwise authentication will pass but authorization will FAIL (my experience). If you never name an authorization policy, I'm not sure how you could reference it in the profile!

Cryptographic Errors when using AnyConnect 4.9+

AnyConnect 4.9.00086 disables certain encryption algorithms, hashes and DH groups: DES, 3DES, MD5, and DH groups 2, 5, 14 and 24.

Workarounds:

SOLUTION 1: Simply specify all encryption and integrity algorithms and all groups in one proposal

crypto ikev2 proposal MY_IKEV2_PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128 3des
 integrity sha512 sha384 sha256 sha1
 group 21 20 19 16 14 5 2

crypto ikev2 policy MY_IKEV2_POLICY
 proposal MY_IKEV2_PROPOSAL

SOLUTION 2: Write separate proposals and reference them in the IKEv2 policy (not to be confused with the "authorization policy")

crypto ikev2 proposal HIGH
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 19

crypto ikev2 proposal MEDIUM
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256 sha1
 group 16 14

crypto ikev2 proposal LOW
 encryption aes-cbc-128 3des
 integrity sha1 md5
 group 5 2

crypto ikev2 policy MY_IKEV2_POLICY
 proposal HIGH
 proposal MEDIUM
 proposal LOW

SOLUTION 3: Use an AnyConnect version before 4.9
NOTE: You are then resorting to deprecated cryptography (encryption algorithms, hashes and groups).

Remember, both of these issues apply whether you are using RADIUS (ISE) or the local database for AAA.
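As an added example (not part of this write-up or of Cisco's tooling), here is a small Python linter that reads IOS running-config text and flags both problems described above: a FlexVPN profile whose aaa authorization group anyconnect-eap line does not end with a defined IKEv2 authorization policy, and proposals that still offer DES, 3DES, MD5 or DH groups 2, 5, 14 or 24. The sample config, the profile name FLEXVPN_PROFILE and the function names are constructed for the example.

```python
import re

# Algorithms the write-up reports AnyConnect 4.9.00086 no longer accepts.
DEPRECATED = {"encryption": {"des", "3des"}, "integrity": {"md5"}, "group": {"2", "5", "14", "24"}}
AAA_RE = re.compile(r"aaa authorization group anyconnect-eap list (\S+)(?:\s+(\S+))?$")

# Constructed sample config (not the write-up's): the profile names only the AAA
# list, and proposal LOW still offers 3des, md5 and DH groups 5 and 2.
SAMPLE = """\
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
 pool VPN_POOL
crypto ikev2 proposal LOW
 encryption aes-cbc-128 3des
 integrity sha1 md5
 group 5 2
crypto ikev2 profile FLEXVPN_PROFILE
 aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK
"""

def parse_blocks(config):
    """Split IOS config text into (header, [sub-commands]); sub-commands are indented."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks

def lint_flexvpn(config):
    """Flag profiles whose aaa authorization line names no (or an undefined) IKEv2
    authorization policy, and proposals offering algorithms AnyConnect 4.9+ rejects."""
    blocks = parse_blocks(config)
    policies = {h.split()[-1] for h, _ in blocks if h.startswith("crypto ikev2 authorization policy ")}
    findings = []
    for header, sub in blocks:
        for line in sub:
            if header.startswith("crypto ikev2 profile ") and (m := AAA_RE.match(line)):
                policy = m.group(2) or "<none>"
                if policy not in policies:
                    findings.append(f"{header}: authorization policy {policy} is not defined")
            elif header.startswith("crypto ikev2 proposal "):
                keyword, *values = line.split()
                bad = sorted(set(values) & DEPRECATED.get(keyword, set()))
                if bad:
                    findings.append(f"{header}: {keyword} {' '.join(bad)} rejected by AnyConnect 4.9+")
    return findings
```

Run lint_flexvpn on the output of show running-config | section crypto ikev2; an empty list means the profile references a defined policy and no proposal offers an algorithm the newer client drops.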

I hope that makes sense, please leave me a comment for any further clarification.