Hi. I have a Cisco ISR 4331 router. I`ve set up IPSec VPN for site-to-site and clients (IKEv2 AnyConnect) for long ago so far...
Now our remote workers say from time to time that they have problems with IPSec connectivity from hotels and so on... so usual IPSec (UDP4500, ESP) issue with ISPs.
So I`ve decided to work out an option with simultaneous IPSec and SSL client VPN to our network but I got some problems and questions that want to address here:
1. I can`t do 'webvpn' on my ISR... Seems some licensing problems (or it`s like ISR4K don`t support SSL VPN at all?
Cisco IOS XE Software, Version 16.07.01
Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.7.1, RELEASE SOFTWARE (fc6)
#show license feature
Feature name Enforcement Evaluation Subscription Enabled RightToUse
appxk9 yes yes no no yes
uck9 yes yes no no yes
securityk9 yes yes no yes yes
ipbasek9 no no no yes no
FoundationSuiteK9 yes yes no no yes
AdvUCSuiteK9 yes yes no no yes
cme-srst yes yes no no yes
hseck9 yes no no no no
throughput yes yes no no yes
internal_service yes no no no no
2. Is it possible to have both IPSec and SSL endpoints for clients to choose from on one ISR? Now my clients get a distro with AnyConnect and profile file to connect via IPSec... How can I give them an option to try SSL if they fail to connect through IPSec? (like two sets of Cisco ANyConnect Profiles or smth...)
3. I don`t want to have Web-server on my ISR to deploy AnyConnect (all my remote clients have it so far)... But it seems that every time a SSL VPN user has to use the web-interface to connect. Am I wrong?