08-13-2015 01:13 PM - edited 02-21-2020 08:23 PM
Hi,
I have a few questions about Remote Access Anyconnect VPN.
Does the AnyConnect client work with either SSL or IPsec ISAKMPv2? Is there any default or preferred method?
Where would you identify which method you're choosing? Does the AnyConnect client automatically detect the type (SSL or IPsec) based on the VPN server? How does SSL over IPsec work in this case? What is new in the AnyConnect 4.x client?
08-13-2015 04:10 PM
I'd say 90% or more of customers are using SSL.
IPsec IKEv2 is used mostly by two classes of folks:
1. those requiring next gen cryptographic algorithms for legal or regulatory reasons
2. those who've had enthusiasts or CCIE candidates set up their VPN (kidding - just a bit)
Either, when implemented properly, does a good job at securing your traffic.
The server (e.g. the ASA) specifies the method and the client honors that by virtue of the associated connection profile which updates / downloads from the server.
That initial process, even when you have IPsec IKEv2, normally happens via SSL as part of the preamble to IPsec session establishment. You can manually eliminate that bit but it's generally more trouble than it's worth.
08-14-2015 01:10 PM
Thanks Marvin, appreciate it!!
08-17-2015 06:06 AM
Is it an issue if I just configure SSL for AnyConnect on the ASA? Are there any client types that only support IKEv2 that may not connect?
08-17-2015 06:20 AM
If you have an SSL VPN configured on the ASA, it requires you to at least point to an AnyConnect image package on the ASA that clients can download via the web portal if they don't already have it installed locally.
I'm not aware of any third party IKEv2-only VPN client software (although I'm sure somebody could build one if they cared to do so).
05-08-2017 02:01 PM
Dear Marvin,
We're using AnyConnect with IPsec IKEv2 as the main protocol and we're seeing many users in the field not being able to connect to the ASA gateway. When we switch to SSL, everything works properly.
I need to justify to management switching to SSL to improve compatibility. We have over 15,000 users all over the world.
Ideally the AnyConnect client should automatically fall back to SSL in case it can't connect using IPsec, but apparently this feature doesn't exist.
Could you elaborate a little more on the pros/cons of IPsec vs SSL?
Thanks!
05-09-2017 07:02 AM
Not knowing the specifics of your head end setup and your users' problems, it's hard to say definitively that SSL VPN would fix them.
As I mentioned back when this thread started, the only reasons I have ever seen cited for adopting IKEv2-based IPsec remote access VPN is because there is some legal or regulatory requirement that mandates the organization must do so.
Initially some cited IKEv2 as "more secure" as it has built-in support for stronger encryption algorithms like AES-256-GCM and integrity assurance mechanisms like SHA2-384. However, advances in browser and server-side support allow us to use these methods with SSL VPN as well.
One downside, and something that may be part of your clients' issues, is that many remote networks restrict the protocols that are permitted to egress their networks to a few widely-used ones like http and https (tcp/80 and 443). If an end user needs to establish an IKEv2 IPsec connection, they will need udp/500, udp/4500 (may not always be required) and protocol 50 (ESP) allowed from the remote network.
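To make the two points above concrete (the head end's connection profile decides which transport the client tries, and a restrictive remote network decides whether that transport can get out), here is an added example that is not part of this thread and not Cisco code. It parses a constructed AnyConnect client profile for each host entry's `PrimaryProtocol` (a missing element means the client defaults to SSL) and checks the flows that transport needs against two constructed egress policies: a web-only guest network and a permissive one. The profile XML, hostnames and egress rule lists are all constructed for the example.

```python
"""Check which AnyConnect transport a client profile will attempt and whether a
remote network's egress policy permits the flows it needs.

Added example for this thread; not Cisco code. Assumes the client profile layout
shown in the constructed PROFILE_XML (ServerList/HostEntry/PrimaryProtocol).
"""
import xml.etree.ElementTree as ET

# Constructed client profile: one host entry pinned to IPsec (IKEv2),
# one with no PrimaryProtocol element (client default: SSL).
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>HQ IKEv2</HostName>
      <HostAddress>vpn-ikev2.example.invalid</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>HQ SSL</HostName>
      <HostAddress>vpn-ssl.example.invalid</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Flows each transport needs toward the head end as (protocol, dst port).
# ESP is IP protocol 50 and has no port. udp/4500 is listed as sometimes
# optional in the thread; it is treated as required here for a worst-case check.
REQUIRED_FLOWS = {
    "SSL": [("tcp", 443)],
    "IPsec": [("udp", 500), ("udp", 4500), ("esp", None)],
}

# Constructed egress policies (default deny; a None port matches any port).
GUEST_NETWORK_EGRESS = [("tcp", 80), ("tcp", 443)]
OPEN_NETWORK_EGRESS = [("tcp", 80), ("tcp", 443), ("udp", 443),
                       ("udp", 500), ("udp", 4500), ("esp", None)]

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def parse_profile(xml_text):
    """Return {host_address: primary_protocol}; missing element means SSL."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        addr = entry.findtext("ac:HostAddress", namespaces=NS)
        proto = entry.findtext("ac:PrimaryProtocol", default="SSL", namespaces=NS)
        hosts[addr.strip()] = proto.strip()
    return hosts


def egress_allows(policy, flow):
    """True if some policy rule matches the flow's protocol and port."""
    proto, port = flow
    return any(p == proto and (pt is None or pt == port) for p, pt in policy)


def missing_flows(protocol, policy):
    """Flows the transport needs that the egress policy does not permit."""
    return [f for f in REQUIRED_FLOWS[protocol] if not egress_allows(policy, f)]


def connectivity_report(xml_text, policy):
    """Map each host entry to (primary protocol, list of blocked flows)."""
    return {addr: (proto, missing_flows(proto, policy))
            for addr, proto in parse_profile(xml_text).items()}


if __name__ == "__main__":
    for name, policy in (("guest network", GUEST_NETWORK_EGRESS),
                         ("open network", OPEN_NETWORK_EGRESS)):
        print(f"== {name} ==")
        for addr, (proto, blocked) in connectivity_report(PROFILE_XML, policy).items():
            status = "OK" if not blocked else "BLOCKED: " + ", ".join(
                p if port is None else f"{p}/{port}" for p, port in blocked)
            print(f"{addr:28} {proto:6} {status}")
```

On the web-only guest network the IPsec host entry is blocked on all three of its flows while the SSL entry gets through on tcp/443, which is the compatibility gap the thread describes; on the permissive network both connect. Note that this checks only whether the needed flows are permitted, not whether they are actually reachable.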
06-10-2019 09:00 AM
Hi Marvin,
I have an ASA 5515 currently set up with IPsec for AnyConnect access. I've recently tried to set up an IPsec tunnel from a site with a dynamic IP address. I can get this new tunnel up, but when I do, AnyConnect stops working for some of my machines. If I go in and manually delete the local connection profile on the laptops, AnyConnect begins working again on some machines but not all. I believe if I move from IPsec to SSL for my AnyConnect setup I can eliminate this profile issue (feel free to tell me I'm wrong). Currently I've disabled the new dynamic IPsec connection because AnyConnect access is more important.
Is moving to SSL as simple as removing IPsec from the Group Policy? Do I need to worry about orphaned profiles on remote machines? I don't have admin access to a couple of my machines, so I can't remove the locally stored profiles. My end goal is to have the dynamic IPsec tunnel working alongside AnyConnect, without having to manually touch the remote AnyConnect machines. The current AnyConnect client is 4.3, but I'm working on upgrading.
Thanks,
Jack
08-23-2022 07:34 AM
Hey Marvin,
What about FPR box performance SSL vs IKEv2? Would this be a reason to use IKEv2?