Solved: Cisco any connect - IPSEC

ifthekharul.alam · ‎04-25-2013

Hi All,

I want to use Cisco any connect software and have IPSEC VPN tunnel. As far as i see, now a days i need to update to IKE v 2 with IOS above 8.4. My query is - After update the IOS can i use :

i) Cisco any connect VPN client softwaer to have IPSEC tunnel?

ii) Do we need any license for that?

iii) I can't find any "AnyConnect Premium " options in cisco configuration tool.

Can anybody help me in this situation?

Rudy Sanjoko · ‎05-06-2013

Yes, that is the part number if you want to have AnyConnect Essential on your ASA (ASA-AC-E-5540) and it fits your requirement.

View solution in original post

barry · ‎04-25-2013

Hi

Hopefully a few things that may assist.

1. The old Cisco VPN Client (IPSEC IKEv1) will carry on working, and you don't need any additional licenses for this. Note that this is now end of sale from Cisco, and is only supported up to Windows 7.

2. For IPSEC IKEv2 and SSL VPN you need to use AnyConnect which is licensed. This is available in two difference license formats - Essentials and Premium.

Essentials gives you remote access over either IPSEC or SSL for clients running the AnyConnect software and is licensed per ASA (a single license on the ASA enables the maximum number of users that that model of ASA supports).

Premium gives you Essentials PLUS clientless VPN (portal) access and a few other things. Premium is licensed per concurrent user on each ASA unlike Essentials. You cannot mix Essentials and Premium licenses on the same ASA.

An overview is here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html

HTH

Barry Hesk

Intrinsic Network Solutions

ifthekharul.alam · ‎04-26-2013

Hi Barry,

Thanks for your reply.

I want to use any connect client software to be installed at user machine and do the IPSEC VPN from his/her laptop. I will update the OS for IKEv2.

If i purchase : ASA-AC-E-5540 , will it be enough for me?

As per the below documents -

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html

At Ordering Information: point 2 - it states that: "The use of the AnyConnect client can be enabled through the purchase of an Essential VPN license, which enables the basic AnyConnect features, including IPsec IKEv2 and SSL VPN access."

Thanks in advance.

Russell

Rudy Sanjoko · ‎04-29-2013

it depends on your requirement, if you don't need to have clientless ssl and SCD then it is much better and cost effective to use the essential license. installing the essential will max out your vpn sessions, on 5540 you will have 5000 sessions which is the limit.

ifthekharul.alam · ‎05-04-2013

Hi Rudy,

Thanks for the information.

I am bit confused exact part number ordered to CISCO. So, above part number (ASA-AC-E-5540) will it be enough for me, as per my requirement.

Requirement,

1. IPSEC VPN only (client installed)

rkumar5 · ‎05-04-2013

Hi

If your requirement is to only use the IPSEC client for anyconnect you can go with the Anyconect Esentials.

- Internet Key Exchange version 2 (IKEv2) is the latest key exchange protocol used to establish and control Internet Protocol Security (IPsec) tunnels. The AnyConnect Secure Mobility Client now supports IPsec with IKEv2 for all desktop operating systems supported by AnyConnect 3.0 and above.

- ASA release 8.4(001) and ASDM 6.4(1) or later is required to support AnyConnect IPsec IKEv2 connections.

- AnyConnect Essentials license or an AnyConnect Premium SSL VPN Edition license.

Thanks

Raj

Rudy Sanjoko · ‎05-06-2013

Yes, that is the part number if you want to have AnyConnect Essential on your ASA (ASA-AC-E-5540) and it fits your requirement.