- Read Me First
- Introduction to FlexVPN
- Configuring Internet Key Exchange Version 2 and FlexVPN Site-to-Site
- Configuring the FlexVPN Server
- Configuring the FlexVPN Client
- Configuring FlexVPN Spoke to Spoke
- Configuring IKEv2 Load Balancer
- Configuring IKEv2 Fragmentation
- Configuring IKEv2 Reconnect
- Configuring MPLS over FlexVPN
- Configuring IKEv2 Packet of Disconnect
- Configuring IKEv2 Change of Authorization Support
- Configuring Aggregate Authentication
- Appendix: FlexVPN RADIUS Attributes
- Appendix: IKEv2 and Legacy VPNs
- Finding Feature Information
- Prerequisites for Configuring IKEv2 Reconnect
- Restrictions for Configuring IKEv2 Reconnect
- Information About Configured IKEv2 Reconnect
- How to Configure IKEv2 Reconnect
- Configuration Examples for Configuring IKEv2 Reconnect
- Additional References for Configuring IKEv2 Reconnect
- Feature Information for Configuring IKEv2 Reconnect
Configuring IKEv2
Reconnect
The IOS IKEv2 support for AutoReconnect feature of AnyConnect feature helps in reestablishing IKEv2 negotiation without user interaction with the Cisco AnyConnect client.
- Finding Feature Information
- Prerequisites for Configuring IKEv2 Reconnect
- Restrictions for Configuring IKEv2 Reconnect
- Information About Configured IKEv2 Reconnect
- How to Configure IKEv2 Reconnect
- Configuration Examples for Configuring IKEv2 Reconnect
- Additional References for Configuring IKEv2 Reconnect
- Feature Information for Configuring IKEv2 Reconnect
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring IKEv2 Reconnect
-
You must enable the BypassDownloader function in the AnyConnectLocalPolicy file by setting the <BypassDownloader> value to true. If your device does not support SSL, the BypassDownloader function will not work.You must disable the function manually by setting the <BypassDownloader> value to false, else the connection will fail.
Restrictions for Configuring IKEv2 Reconnect
- The preshared key authorization method cannot be configured on the Internet Key Exchange Version 2 (IKEv2) profile. This is because the IOS IKEv2 support for AutoReconnect feature of AnyConnect feature uses the preshared key authorization method and configuring the preshared key on the same IKEv2 profile may lead to confusion.
- The following commands cannot be configured on the IKEv2 profile: authentication local pre-share, authentication remote pre-share, keyring, aaa authorization group psk, and aaa authorization user psk.
Information About Configured IKEv2 Reconnect
IKEv2 and Cisco AnyConnect Client Reconnect Feature
The Auto Reconnect feature in the Cisco AnyConnect client helps the Cisco AnyConnect VPN client to remember the session for a period of time and to resume the connection after establishing the secure channel. As the Cisco AnyConnect Client is extensively used with Internet Key Exchange Version 2 (IKEv2), IKEv2 extends the Auto Reconnect feature support on Cisco IOS software through the IOS IKEv2 support for Auto Reconnect feature of AnyConnect feature.
Auto Reconnect in the Cisco AnyConnect client occurs in the following scenarios:
- The intermediate network is down. The Cisco AnyConnect client tries to resume the session when it is up.
- The Cisco AnyConnect client device switches between networks. This results in source IP or port change, which brings down the existing security association (SA) and, hence, the Cisco AnyConnect client tries to resume the SA using the Auto Reconnect feature.
- The Cisco AnyConnect client device tries to resume SA after returning from sleep or hibernate mode.
Advantages of Using the Auto Reconnect Feature
- The copy attributes used in the original session are reused without querying the authentication, authorization, and accounting (AAA) server.
- The Cisco IOS gateway does not have to contact the RADIUS server for reconnecting to the client.
- No user interaction for authentication or authorization is needed during resuming the session.
- The authentication method is the preshared key when reconnecting a session. This authentication method is quick compared to other authentication methods (that include Rivest, Shamir, and Adelman (RSA) signature authentication method, Elliptic Curve Digital Signature Algorithm (ECDSA) signature (ECDSA-sig) authentication method, and Extensible Authentication Protocol (EAP) authentication method). The preshared key authentication method helps in resuming a session on the IOS software with minimal resources.
- The unused security associations (SAs) are removed thereby freeing the crypto resources.
Auto Reconnect and DPD
Dead Peer Detection (DPD) is configured to confirm the availability of a peer send by sending queries to a peer. If there are no responses from the peer, the security association created for that peer is deleted. You need not configure DPD in a reconnect profile if DPD configured on the FlexVPN server because in both configuration scenarios, the purpose is the same . However, if the feature is enabled, DPD is queued as on demand DPD in IKEv2, which also stores the platform specific handle when deleting the SA.
Message Exchanges Between Cisco IOS Gateway and Cisco AnyConnect Client
The Cisco AnyConnect client contacts the Cisco IOS gateway to establish a security association (SA). During authorization or AUTH exchange (CFGMODE_REQ payload of IKE_AUTH request), IKEv2 checks if the IOS IKEv2 support for the Auto Reconnect feature of AnyConnect feature is enabled in the IKEv2 profile using the reconnect command, selects the IKEv2 policy of the chosen IKEv2 profile, and sends the session ID and the session token attributes to the Cisco AnyConnect client in CFGMODE_REPLY payload of the IKE_AUTH response. The authorization method is the preshared key between the client and Cisco IOS software for the SA.
IKEv2 periodically sends dead peer detection (DPD) messages to the Cisco AnyConnect client to validate if the client is active. The Cisco AnyConnect client responds to the DPD messages, which the Cisco IOS gateway understands as an active client and creates a security association (SA) with the client. However, if the client does not reconnect within 30 minutes, which is the default reconnect timeout period, the Cisco IOS gateway assumes that the client is inactive and deletes the SA for that client. The Cisco AnyConnect client needs to start a fresh connection.
Use the show crypto ikev2 stats reconnect command to view the connection statistics and the clear crypto ikev2 session and clear crypto ikev2 sa reconnect commands to delete the SA with the client.
How to Configure IKEv2 Reconnect
Enabling IKEv2 Reconnect
Perform this task to enable the IOS IKEv2 support for AutoReconnect feature of AnyConnect feature.
1.
enable
2.
configure
terminal
3.
crypto ikev2 profile
profile-name
4.
reconnect [timeout
seconds]
5.
end
DETAILED STEPS
Troubleshooting IKEv2 Reconnect Configuration
Use the following commands to verify or clear the IOS IKEv2 support for AutoReconnect feature of AnyConnect feature configuration.
1.
enable
2.
show
crypto ikev2 stats reconnect
3.
clear
crypto ikev2 stats reconnect
DETAILED STEPS
Configuration Examples for Configuring IKEv2 Reconnect
Example: Enabling IKEv2 Reconnect
The following example shows how to enable the IOS IKEv2 support for AutoReconnect feature of AnyConnect feature.
Device> enable Device# configure terminal Device(config)# crypto ikev2 profile profile1 Device(config-ikev2-profile)# reconnect timeout 600 Device(config-ikev2-profile)# end
Additional References for Configuring IKEv2 Reconnect
Related Documents
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
Security commands |
|
|
Cisco AnyConnect VPN Client Information |
Cisco AnyConnect VPN Client Administrator Guide, Release 2.4 |
Technical Assistance
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Configuring IKEv2 Reconnect
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
IOS IKEv2 support for AutoReconnect feature of AnyConnect |
15.4(1)T Cisco IOS XE Release 3.11S |
The IOS IKEv2 support for AutoReconnect feature of AnyConnect feature helps in reestablishing IKEv2 negotiation without user interaction with the Cisco AnyConnect client. The following commands were introduced or modified: clear crypto ikev2 stats, reconnect, show crypto ikev2 stats. |
Feedback