Configuring IKEv2 Reconnect

The IOS IKEv2 support for AutoReconnect feature of AnyConnect feature helps in reestablishing IKEv2 negotiation without user interaction with the Cisco AnyConnect client.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/. An account on Cisco.com is not required.

Prerequisites for Configuring IKEv2 Reconnect

  • You must enable the BypassDownloader function in the AnyConnectLocalPolicy file by setting the <BypassDownloader> value to true. If your device does not support SSL, the BypassDownloader function will not work.You must disable the function manually by setting the <BypassDownloader> value to false, else the connection will fail.

Restrictions for Configuring IKEv2 Reconnect

  • The preshared key authorization method cannot be configured on the Internet Key Exchange Version 2 (IKEv2) profile. This is because the IOS IKEv2 support for AutoReconnect feature of AnyConnect feature uses the preshared key authorization method and configuring the preshared key on the same IKEv2 profile may lead to confusion.
  • The following commands cannot be configured on the IKEv2 profile: authentication local pre-share, authentication remote pre-share, keyring, aaa authorization group psk, and aaa authorization user psk .

Information About Configured IKEv2 Reconnect

IKEv2 and Cisco AnyConnect Client Reconnect Feature

The Auto Reconnect feature in the Cisco AnyConnect client helps the Cisco AnyConnect VPN client to remember the session for a period of time and to resume the connection after establishing the secure channel. As the Cisco AnyConnect Client is extensively used with Internet Key Exchange Version 2 (IKEv2), IKEv2 extends the Auto Reconnect feature support on Cisco IOS software through the IOS IKEv2 support for Auto Reconnect feature of AnyConnect feature.

Auto Reconnect in the Cisco AnyConnect client occurs in the following scenarios:

  • The intermediate network is down. The Cisco AnyConnect client tries to resume the session when it is up.
  • The Cisco AnyConnect client device switches between networks. This results in source IP or port change, which brings down the existing security association (SA) and, hence, the Cisco AnyConnect client tries to resume the SA using the Auto Reconnect feature.
  • The Cisco AnyConnect client device tries to resume SA after returning from sleep or hibernate mode.

Advantages of Using the Auto Reconnect Feature

  • The copy attributes used in the original session are reused without querying the authentication, authorization, and accounting (AAA) server.
  • The Cisco IOS gateway does not have to contact the RADIUS server for reconnecting to the client.
  • No user interaction for authentication or authorization is needed during resuming the session.
  • The authentication method is the preshared key when reconnecting a session. This authentication method is quick compared to other authentication methods (that include Rivest, Shamir, and Adelman (RSA) signature authentication method, Elliptic Curve Digital Signature Algorithm (ECDSA) signature (ECDSA-sig) authentication method, and Extensible Authentication Protocol (EAP) authentication method). The preshared key authentication method helps in resuming a session on the IOS software with minimal resources.
  • The unused security associations (SAs) are removed thereby freeing the crypto resources.

Auto Reconnect and DPD

Dead Peer Detection (DPD) is configured to confirm the availability of a peer send by sending queries to a peer. If there are no responses from the peer, the security association created for that peer is deleted. You need not configure DPD in a reconnect profile if DPD configured on the FlexVPN server because in both configuration scenarios, the purpose is the same . However, if the feature is enabled, DPD is queued as on demand DPD in IKEv2, which also stores the platform specific handle when deleting the SA.

Message Exchanges Between Cisco IOS Gateway and Cisco AnyConnect Client

The Cisco AnyConnect client contacts the Cisco IOS gateway to establish a security association (SA). During authorization or AUTH exchange (CFGMODE_REQ payload of IKE_AUTH request), IKEv2 checks if the IOS IKEv2 support for the Auto Reconnect feature of AnyConnect feature is enabled in the IKEv2 profile using the reconnect command, selects the IKEv2 policy of the chosen IKEv2 profile, and sends the session ID and the session token attributes to the Cisco AnyConnect client in CFGMODE_REPLY payload of the IKE_AUTH response. The authorization method is the preshared key between the client and Cisco IOS software for the SA.

IKEv2 periodically sends dead peer detection (DPD) messages to the Cisco AnyConnect client to validate if the client is active. The Cisco AnyConnect client responds to the DPD messages, which the Cisco IOS gateway understands as an active client and creates a security association (SA) with the client. However, if the client does not reconnect within 30 minutes, which is the default reconnect timeout period, the Cisco IOS gateway assumes that the client is inactive and deletes the SA for that client. The Cisco AnyConnect client needs to start a fresh connection.

Use the show crypto ikev2 stats reconnect command to view the connection statistics and the clear crypto ikev2 session command to delete the SA with the client.

How to Configure IKEv2 Reconnect

Enabling IKEv2 Reconnect

Perform this task to enable the IOS IKEv2 support for AutoReconnect feature of AnyConnect feature.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. crypto ikev2 profile profile-name
  4. reconnect [timeout seconds]
  5. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:

Device> enable
Enables privileged EXEC mode.
  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal
Enters global configuration mode.
Step 3

crypto ikev2 profile profile-name

Example:

Device(config)# crypto ikev2 profile profile1
Defines an IKEv2 profile and enters IKEv2 profile configuration mode.
Step 4

reconnect [timeout seconds]

Example:

Device(config-ikev2-profile)# reconnect timeout 900
Enables the IKEv2 support for the Auto Reconnect feature.
Step 5

end

Example:

Device(config-ikev2-profile)# end
Exits IKEv2 profile configuration mode and returns to privileged EXEC mode.

Troubleshooting IKEv2 Reconnect Configuration

Use the following commands to verify or clear the IOS IKEv2 support for AutoReconnect feature of AnyConnect feature configuration.

SUMMARY STEPS

  1. enable
  2. show crypto ikev2 stats reconnect

DETAILED STEPS

Step 1

enable

Enables privileged EXEC mode.
  • Enter your password if prompted.

Example:

Device> enable
Step 2

show crypto ikev2 stats reconnect

Displays the reconnect statistics.

Example:

Device# show crypto ikev2 stats reconnect

Total incoming reconnect connection:        10
Success reconnect connection:               10
Failed reconnect connection:                0
Reconnect capable active session count:     4
Reconnect capable inactive session count:   6

Configuration Examples for Configuring IKEv2 Reconnect

Example: Enabling IKEv2 Reconnect

The following example shows how to enable the IOS IKEv2 support for AutoReconnect feature of AnyConnect feature. 

Device> enable
Device# configure terminal
Device(config)# crypto ikev2 profile profile1
Device(config-ikev2-profile)# reconnect timeout 600
Device(config-ikev2-profile)# end

Additional References for Configuring IKEv2 Reconnect

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Command List, All Releases

Security commands

Cisco AnyConnect VPN Client Information

Cisco AnyConnect VPN Client Administrator Guide, Release 2.4

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Configuring IKEv2 Reconnect

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for Configuring IKEv2 Reconnect

Feature Name

Releases

Feature Information

IOS IKEv2 support for AutoReconnect feature of AnyConnect

The IOS IKEv2 support for AutoReconnect feature of AnyConnect feature helps in reestablishing IKEv2 negotiation without user interaction with the Cisco AnyConnect client.

The following commands were introduced or modified: clear crypto ikev2 stats, reconnect, show crypto ikev2 stats.