AnyConnect (Cisco Secure Client) supports two transport options when connecting to an ASA: SSL/TLS over TCP/443 and IKEv2/IPsec over UDP/500 + UDP/4500. SSL is the default for most deployments because it traverses captive-portal networks most easily, but IKEv2 has real advantages for performance, posture compliance, and FIPS-validated environments. This article walks the full IKEv2 remote-access configuration on Cisco ASA 9.x with show output captured from a live ASAv 9.23(1) in the PingLabz ASA reference lab.
If you have already worked through Cisco ASA AnyConnect SSL VPN Configuration, much of the foundation here is the same: identity certificate, IP pool, AAA. The IKEv2-specific pieces are an IKEv2 policy, an IKEv2 remote-access trustpoint, and a tunnel-group with IKEv2-specific authentication settings.
When to Use IKEv2 Instead of SSL
Three reasons engineers reach for IKEv2 RA VPN on the ASA:
| Reason | Detail |
|---|---|
| Performance | IKEv2 over UDP/4500 (NAT-T) avoids the TCP-over-TCP slowdown that SSL VPN suffers under loss. Throughput is consistently better, especially on lossy links. |
| Posture compliance | FIPS, FedRAMP, and DOD environments often require IPsec instead of TLS for remote access. IKEv2 with AES-256-GCM and SHA-384 meets the bar. |
| Mobile resilience | IKEv2 handles network changes (Wi-Fi to cellular) much more cleanly than SSL VPN because of MOBIKE. |
The trade-off: IKEv2 needs UDP/500 and UDP/4500 to be open end-to-end. Hotel networks that block UDP outright will break it. SSL VPN over TCP/443 almost always works, which is why most deployments offer both transports and let the client choose.
Step 1: Prerequisites Already in Place
From the SSL VPN config, the following pieces are reused for IKEv2:
- The identity certificate (PINGLABZ-SELFSIGNED). The same trustpoint authenticates the gateway to the IKEv2 client.
- The IP local pool (VPN-POOL, 10.99.99.10-10.99.99.250). One pool can serve both SSL and IKEv2 connections.
- The split-tunnel ACL (SPLIT-TUNNEL). The same ACL works for both transports.
- The AAA server group (RADIUS-VPN). RADIUS handles IKEv2 EAP just fine.
What we add for IKEv2: an IKEv2 policy (Phase 1 cipher suite), an IKEv2 IPsec proposal (Phase 2 cipher suite), a remote-access dynamic-map binding, an IKEv2 group-policy, and a dedicated tunnel-group with IKEv2 attributes.
Step 2: IKEv2 Policy and IPsec Proposal
The IKEv2 policy controls the Phase 1 (IKE_SA_INIT and IKE_AUTH) cipher suite. The IPsec proposal controls the Phase 2 (CREATE_CHILD_SA) cipher suite for the data-plane ESP tunnel.
ASA-PERIM(config)# crypto ikev2 policy 10
ASA-PERIM(config-ikev2-policy)# encryption aes-256
ASA-PERIM(config-ikev2-policy)# integrity sha256
ASA-PERIM(config-ikev2-policy)# group 14
ASA-PERIM(config-ikev2-policy)# prf sha256
ASA-PERIM(config-ikev2-policy)# lifetime seconds 86400
ASA-PERIM(config-ikev2-policy)# exit
ASA-PERIM(config)# crypto ipsec ikev2 ipsec-proposal AES256-SHA256
ASA-PERIM(config-ipsec-proposal)# protocol esp encryption aes-256
ASA-PERIM(config-ipsec-proposal)# protocol esp integrity sha-256
ASA-PERIM(config-ipsec-proposal)# exit
Why these particular settings:
- aes-256 + sha256 + DH group 14 (2048-bit MODP): a balanced, broadly compatible suite. Group 14 is widely supported by every modern Cisco Secure Client. For tighter security, use group 19 (256-bit ECP) or group 20 (384-bit ECP) and pair with aes-256-gcm and sha-384.
- PRF sha256: matches the integrity hash. Mismatching PRF and integrity is a common Phase 1 failure cause.
- Lifetime 86400 seconds: 24 hours is the common ASA default. Some deployments set 8 hours to align with daily IKE rekeys.
Verify with show running-config crypto ikev2:
ASA-PERIM# show running-config crypto ikev2
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint PINGLABZ-SELFSIGNED
The two extra lines (crypto ikev2 enable outside client-services port 443 and crypto ikev2 remote-access trustpoint) are added in step 4 below.
Step 3: Group-Policy for IKEv2 Clients
The IKEv2 group-policy looks similar to the SSL one but with vpn-tunnel-protocol ikev2 instead of ssl-client. Keeping them as separate group-policies makes it easy to enforce different attributes per transport (for example, a tighter split-tunnel for IKEv2 because it's the FIPS path).
ASA-PERIM(config)# group-policy ANYCONNECT-IKEV2-GP internal
ASA-PERIM(config)# group-policy ANYCONNECT-IKEV2-GP attributes
ASA-PERIM(config-group-policy)# vpn-tunnel-protocol ikev2
ASA-PERIM(config-group-policy)# split-tunnel-policy tunnelspecified
ASA-PERIM(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
ASA-PERIM(config-group-policy)# dns-server value 10.10.0.10
ASA-PERIM(config-group-policy)# default-domain value pinglabz.lab
ASA-PERIM(config-group-policy)# exit
Notice we did not add the webvpn sub-block here. The webvpn-only attributes (anyconnect ssl rekey, dpd-interval, ssl dtls) are SSL-specific and ignored by IKEv2 clients. The IKEv2 client gets DPD parameters from the IKEv2 SA itself.
Step 4: Tunnel-Group with IKEv2 Authentication
The IKEv2 tunnel-group differs from the SSL one in the ipsec-attributes sub-block, where we specify how the gateway authenticates itself to the client and how it expects the client to authenticate.
ASA-PERIM(config)# tunnel-group IKEV2_PROFILE type remote-access
ASA-PERIM(config)# tunnel-group IKEV2_PROFILE general-attributes
ASA-PERIM(config-tunnel-general)# default-group-policy ANYCONNECT-IKEV2-GP
ASA-PERIM(config-tunnel-general)# address-pool VPN-POOL
ASA-PERIM(config-tunnel-general)# exit
ASA-PERIM(config)# tunnel-group IKEV2_PROFILE ipsec-attributes
ASA-PERIM(config-tunnel-ipsec)# ikev2 remote-authentication eap query-identity
ASA-PERIM(config-tunnel-ipsec)# ikev2 local-authentication certificate PINGLABZ-SELFSIGNED
ASA-PERIM(config-tunnel-ipsec)# exit
The two authentication lines are the heart of IKEv2:
- ikev2 remote-authentication eap query-identity: the client authenticates using EAP, which the ASA proxies to the AAA server group. This lets you reuse RADIUS / LDAP / TACACS+ user authentication. The other choices are certificate (mutual cert auth) and pre-shared-key (rare for RA VPN).
- ikev2 local-authentication certificate PINGLABZ-SELFSIGNED: the gateway proves its identity to the client using the trustpoint cert. This is the cert the client validates and pins.
Verify the tunnel-group:
ASA-PERIM# show running-config tunnel-group IKEV2_PROFILE
tunnel-group IKEV2_PROFILE type remote-access
tunnel-group IKEV2_PROFILE general-attributes
address-pool VPN-POOL
default-group-policy ANYCONNECT-IKEV2-GP
tunnel-group IKEV2_PROFILE ipsec-attributes
ikev2 remote-authentication eap query-identity
ikev2 local-authentication certificate PINGLABZ-SELFSIGNED
Step 5: Bind to a Dynamic Crypto Map
Remote-access IKEv2 connections require a dynamic crypto map because the client's source IP (and which networks the client wants to reach) are not known until login. The dynamic map sits at the highest sequence number on the outside crypto map.
ASA-PERIM(config)# crypto dynamic-map RA-DYN-MAP 65535 set ikev2 ipsec-proposal AES256-SHA256
ASA-PERIM(config)# crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN-MAP
ASA-PERIM(config)# crypto map OUTSIDE-MAP interface outside
ASA-PERIM(config)# crypto ikev2 enable outside client-services port 443
ASA-PERIM(config)# crypto ikev2 remote-access trustpoint PINGLABZ-SELFSIGNED
Three things are happening:
- The dynamic-map references our IPsec proposal (the Phase 2 cipher).
- The static crypto map at sequence 65535 wraps the dynamic map, and the whole crypto map is bound to the outside interface.
- crypto ikev2 enable outside client-services port 443 turns on the IKEv2 listener and ALSO offers IKEv2 over TCP/443 (in addition to UDP/500), which is an ASA-specific feature that lets clients fall back to TCP if UDP is blocked.
- crypto ikev2 remote-access trustpoint globally tells the ASA which cert to present for any RA IKEv2 tunnel-group that does not have its own cert specified.
Verify the Listener and Wait for a Client
Two quick checks:
ASA-PERIM# show running-config | include ikev2
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint PINGLABZ-SELFSIGNED
ikev2 remote-authentication eap query-identity
ikev2 local-authentication certificate PINGLABZ-SELFSIGNED
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA-PERIM# show vpn-sessiondb anyconnect
INFO: There are presently no active sessions of the type specified
The IKEv2 listener is up. No active sessions yet because (in our lab) we do not have a real Cisco Secure Client image uploaded. When a client does connect, the session shows up here with its protocol marked as IKEv2 IPsec instead of SSL/TLS.
SSL vs IKEv2 Side by Side
| Attribute | SSL (TCP/443) | IKEv2 (UDP/500 + 4500) |
|---|---|---|
| Transport | TLS 1.2+ over TCP/443; DTLS over UDP/443 for data plane | IKE over UDP/500 + 4500 (or TCP/443 with client-services); ESP over UDP/4500 |
| Hotel-network friendly | Almost always works (TCP/443 is rarely blocked) | UDP/500 / 4500 commonly blocked |
| Throughput on lossy links | TCP-over-TCP can degrade; DTLS helps but is not always negotiated | Native UDP-based ESP is consistently faster |
| Mobile / network change | Tunnel re-auths on network change | MOBIKE can preserve SA across IP changes |
| FIPS / FedRAMP path | TLS counts but most compliance frameworks prefer IPsec | IPsec with AES-GCM-256 + SHA-384 + DH 19 is the go-to path |
| Authentication | Username/password (RADIUS/LDAP/local), client cert, or both | EAP (proxied to AAA), client cert, or PSK |
| Group-policy attribute | vpn-tunnel-protocol ssl-client | vpn-tunnel-protocol ikev2 |
Common Gotchas
Five things that catch first-time IKEv2 RA VPN setups:
- Forgetting crypto ikev2 enable outside. Everything else is configured but no IKEv2 listener is bound to the interface. Tunnel-group and group-policy are present, but clients see "no response" on UDP/500.
- EAP set up but no AAA server group on the tunnel-group. The client gets to EAP but the ASA has nowhere to send the credentials. Add authentication-server-group in the tunnel-group's general-attributes.
- Missing crypto map dynamic entry. IKEv2 negotiation succeeds for Phase 1 but Phase 2 fails because there's no template for the data-plane SA. Symptom: tunnel comes halfway up and tears down.
- Trustpoint without a real CN/SAN matching the FQDN clients connect to. Cisco Secure Client warns or refuses if the cert's CN does not match the gateway hostname the client used. Use a real CA-issued cert with proper SAN entries in production.
- NAT exemption missing for the VPN pool. Same gotcha as SSL VPN. The VPN pool subnet has to be exempt from any dynamic PAT applying to inside-to-outside traffic. Walked through in Cisco ASA Identity NAT / NAT Exemption for VPNs.
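As an added example (not code from the article or the PingLabz lab), here is a small Python checker that reads a running-config excerpt and flags the Step 2 PRF/integrity mismatch plus three of the gotchas above: no IKEv2 listener, EAP with no authentication-server-group, and a missing dynamic crypto map. The sample config is constructed with two of those faults planted, and the section parser assumes the one-space indentation that show running-config uses for sub-commands.

```python
import re

# Constructed sample config (assumed; modelled on this article's commands) with two planted gotchas.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 prf sha512
crypto dynamic-map RA-DYN-MAP 65535 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN-MAP
crypto map OUTSIDE-MAP interface outside
crypto ikev2 enable outside client-services port 443
tunnel-group IKEV2_PROFILE general-attributes
 default-group-policy ANYCONNECT-IKEV2-GP
tunnel-group IKEV2_PROFILE ipsec-attributes
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate PINGLABZ-SELFSIGNED
"""

def parse_sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line[0] != " ":                      # new top-level command
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:               # sub-command of the current one
            sections[current].append(line.strip())
    return sections

def lint_ikev2_ra(config):
    """Return findings for the IKEv2 RA gotchas; an empty list means clean."""
    s, findings = parse_sections(config), []
    if not any(k.startswith("crypto ikev2 enable ") for k in s):
        findings.append("no 'crypto ikev2 enable <if>': IKEv2 listener not bound")
    for key, body in s.items():
        if key.startswith("crypto ikev2 policy "):
            a = dict(ln.split(None, 1) for ln in body if " " in ln)
            if a.get("prf") != a.get("integrity"):
                findings.append(f"{key}: prf {a.get('prf')} != integrity {a.get('integrity')}")
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", key)
        if m and any(ln.startswith("ikev2 remote-authentication eap") for ln in body):
            gen = s.get(f"tunnel-group {m.group(1)} general-attributes", [])
            if not any(ln.startswith("authentication-server-group") for ln in gen):
                findings.append(f"tunnel-group {m.group(1)}: EAP but no authentication-server-group")
    dyn = [k.split()[6] for k in s if re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic \S+$", k)]
    if not any(k.startswith(f"crypto dynamic-map {d} ") and " set ikev2 ipsec-proposal " in k
               for d in dyn for k in s):
        findings.append("no dynamic crypto map with an IKEv2 ipsec-proposal: Phase 2 will fail")
    return findings
```

Feed it the output of show running-config from the ASA; on the constructed sample it reports the PRF mismatch and the missing authentication-server-group, and nothing once both are corrected.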
Key Takeaways
AnyConnect IKEv2 RA VPN on the ASA reuses most of the SSL VPN scaffolding (cert, IP pool, AAA, split-tunnel ACL). The IKEv2-specific pieces are an IKEv2 policy, an IPsec proposal, a tunnel-group with EAP remote authentication and certificate local authentication, and a dynamic crypto map that anchors the gateway side of all RA SAs. The single most common Phase 1 failure cause is a mismatched or missing PRF; the most common Phase 2 failure cause is forgetting the dynamic crypto map. When connections fail at either phase, see Troubleshoot Cisco ASA IPsec VPN Phase 1 and Phase 2.
For the full Cisco ASA reference, including site-to-site IPsec, NAT, ACLs, failover, and the troubleshooting tools, see the Cisco ASA pillar. To compare with SSL transport, return to Cisco ASA AnyConnect SSL VPN Configuration.