Introduction
This document describes AnyConnect installation scenarios.
Prerequisites
- AnyConnect client
- ASA 5540
Scenario 1
Problem:
The user wants to know whether the group name/password from the legacy VPN client can be used in the Cisco AnyConnect client. The user checked the "VPN XML Reference" in the AnyConnect Administrator Guide and found nothing about it.
Solution:
The AnyConnect Secure Mobility Client (VPN module) can be used to connect to two types of remote access VPN:
- Full tunnel SSL VPN
- IKEv2 IPsec VPN.
The legacy VPN client is used only with the older IKEv1 IPsec VPN, and AnyConnect cannot be used as the client on that type of VPN.
What is IKE?
IKE is used for enabling negotiation of ESP and/or AH SAs.
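The IKEv1/IKEv2 distinction above is visible in the first 28 bytes of every IKE message, so a packet capture shows which kind of client is knocking on the head end. The following is an added example, not part of the original document or Cisco code; the function names and sample packets are constructed, and the header layout is the one defined in RFC 2408 (IKEv1) and RFC 7296 (IKEv2).

```python
import struct

# Fixed IKE/ISAKMP header, 28 bytes: initiator SPI (8), responder SPI (8),
# next payload (1), version (1), exchange type (1), flags (1),
# message ID (4), total length (4).
IKE_HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_NAMES = {
    1: {2: "Identity Protection (Main Mode)", 4: "Aggressive",
        5: "Informational", 32: "Quick Mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH",
        36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"},
}

def classify_ike(udp_payload: bytes, nat_t: bool = False) -> dict:
    """Return the IKE version and exchange type found in one UDP payload."""
    data = udp_payload
    # On UDP 4500 (NAT traversal) IKE messages carry a 4-byte all-zero
    # non-ESP marker in front of the header; ESP packets start with an SPI.
    if nat_t:
        if data[:4] != b"\x00" * 4:
            raise ValueError("UDP 4500 payload is ESP, not IKE")
        data = data[4:]
    if len(data) < IKE_HEADER.size:
        raise ValueError("payload shorter than the 28-byte IKE header")
    _, _, _, version, exchange, _, _, length = IKE_HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if major not in EXCHANGE_NAMES:
        raise ValueError(f"unknown IKE major version {major}")
    if length < IKE_HEADER.size:
        raise ValueError("length field smaller than the header itself")
    return {
        "version": f"IKEv{major}",
        "minor": minor,
        "exchange": EXCHANGE_NAMES[major].get(exchange, f"type {exchange}"),
        # Per this page: the AnyConnect VPN module speaks IKEv2 only.
        "anyconnect_ipsec": major == 2,
    }

def _sample(version: int, exchange: int) -> bytes:
    """Constructed header for the demo: fixed SPI, no payloads."""
    return IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0, version, exchange, 0, 0, 28)

if __name__ == "__main__":
    print(classify_ike(_sample(0x10, 4)))                        # IKEv1 peer
    print(classify_ike(b"\x00" * 4 + _sample(0x20, 34), nat_t=True))  # IKEv2
```
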
Endpoint-to-Endpoint Transport:
In this scenario, IPsec is implemented at both endpoints. In transport mode there is no inner IP header. If there is an inner IP header, the outer addresses are the same as the inner addresses. A single pair of addresses is negotiated to be protected by the SA. These endpoints MAY implement application-layer access controls based on the IPsec-authenticated identities of the participants. This arrangement enables end-to-end security, which has been a rule of thumb for the Internet.
Scenario 2
Problem:
The user is using the Cisco AnyConnect VPN client with the ASA 5540 firewall and needs to enable a timeout on VPN clients so that they disconnect after x hours of inactivity.
Solution:
Source Discussion