883 Views, 0 Helpful, 4 Replies

Licenses used for Anyconnect functionality on Firepower 1120

IrakliG (Level 1)

Hi, 

We've got a Cisco Firepower 1120 with Standard tier licensing.

Can I use that device for remote access VPN?

We don't have Strong Encryption License purchased.


4 Replies

@IrakliG you need to purchase AnyConnect/Secure Client license for RAVPN functionality.

https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/secure-client-og.html

We have Standard tier license. Does it include AnyConnect feature?

AnyConnect 4.x and 5.x don't negotiate DES anymore, and it's unlikely you will want to use AnyConnect 3. Versions below AnyConnect 3.1.05187 support DES.

For ASA running on Firepower the RA VPN licensing model is trust-based, i.e. you don't install AnyConnect licenses to FP1120 running ASA. VPN is unlocked up to entire hardware capacity by default.

For FTD this is more complicated, because the GUI managers impose their own restrictions. They may refuse to deploy the configuration if the feature is unlicensed, although I don't want to comment on this more. @Rob Ingram can shed some more light on this. I can only mention that different parts of the Cisco documentation contradict each other.

E.g., for FMC:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-overview.html#reference_dmx_bml_wy

There is no specific licensing for enabling Secure Firewall Threat Defense VPN, it is available by default.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/740/management-center-admin-74/system-licenses.html#id_48449

Secure Client Licenses

You can configure remote access VPN using the Secure Client and standards-based IPSec/IKEv2.

To enable remote access VPN, you must purchase and enable one of the following licenses: Secure Client Advantage, Secure Client Premier, or Secure Client VPN Only. You can select Secure Client Advantage and Secure Client Premier if you have both licenses and you want to use them both. The Secure Client VPN Only license cannot be used with Apex or Plus. The Secure Client license must be shared with the Smart Account. For more instructions, see http://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf.

You cannot deploy the remote access VPN configuration to the device if the specified device does not have the entitlement for a minimum of one of the specified Secure Client license types. If the registered license moves out of compliance or entitlements expire, the system displays licensing alerts and health events.

While using remote access VPN, your Smart Account must have the export controlled features (strong encryption) enabled. The threat defense requires strong encryption (which is higher than DES) for successfully establishing remote access VPN connections with Secure Clients.

You cannot deploy remote access VPN if the following are true:

  • Smart Licensing on the management center is running in evaluation mode.

  • Your Smart Account is not configured to use export-controlled features (strong encryption).

For FDM:

https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-ravpn.html#concept_4A76B7F0339C4D7DB267D459A2B41FC7

Licensing Requirements for Remote Access VPN

Your base device license must meet export requirements before you can configure remote access VPN. When you register the device, you must do so with a Smart Software Manager account that is enabled for export-controlled features. You also cannot configure the feature using the evaluation license.

In addition, you need to purchase and enable a remote access VPN license, any of the following: AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only. These licenses are treated the same for threat defense devices, even though they are designed to allow different feature sets when used with ASA Software-based headends.

To enable the license, select Device > Smart License > View Configuration, then select the appropriate license in the RA VPN License group. You need to have the license available in your Smart Software Manager account. For more information about enabling licenses, see Enabling or Disabling Optional Licenses.

For more information, see the Cisco AnyConnect Ordering Guide, http://www.cisco.com/c/dam/en/us/products/collateral/security/anyconnect-og.pdf. There are also other data sheets available on http://www.cisco.com/c/en/us/products/security/anyconnect-secure-mobility-client/datasheet-listing.html.


Standard tier license does not include AnyConnect.

You must have your system smart licensed using a token that is enabled for strong encryption (this is just an option when registering, not a purchased license). That applies to either FTD or ASA on Firepower hardware. You then add on the AnyConnect license: via the GUI for FTD (either FMC, FDM or CDO) or via the CLI for ASA.
