Anyconnect client .. SSL vs IPSec

S891
Level 2

Hi,

I have a few questions about Remote Access Anyconnect VPN.

Does the AnyConnect client work either with SSL or IPsec ISAKMPv2? Is there any default or preferred method?

Where would you identify which method you're choosing? Does the AnyConnect client automatically detect the type (SSL or IPsec) based on the VPN server? How does SSL over IPsec work in this case? What is new in the AnyConnect 4.x client?

Accepted Solution

Marvin Rhoads
Hall of Fame

I'd say 90% or more of customers are using SSL.

IPsec IKEv2 is used mostly by two classes of folks:

1. those requiring next gen cryptographic algorithms for legal or regulatory reasons

2. those who've had enthusiasts or CCIE candidates set up their VPN (kidding - just a bit)

Either, when implemented properly, does a good job at securing your traffic.

The server (e.g. the ASA) specifies the method and the client honors that by virtue of the associated connection profile which updates / downloads from the server. 

That initial process, even when you have IPsec IKEv2, normally happens via SSL as part of the preamble to IPsec session establishment. You can manually eliminate that bit but it's generally more trouble than it's worth.

8 Replies

Thanks Marvin, appreciate it!

Is it an issue if I just configure SSL for AnyConnect on the ASA? Are there any client types that only support IKEv2 that may not connect?

If you have an SSL VPN configured on the ASA, it requires you to at least point to an AnyConnect image package on the ASA that clients can download via the web portal if they don't already have it installed locally.

I'm not aware of any third party IKEv2-only VPN client software (although I'm sure somebody could build one if they cared to do so). 

Dear Marvin,

We're using AnyConnect with IPsec IKEv2 as the main protocol and we're seeing many users in the field not being able to connect to the ASA gateway. When we switch to SSL, everything works properly.

I need to justify to management switching to SSL to improve compatibility. We have over 15,000 users all over the world.

Ideally the AnyConnect client should automatically fall back to SSL in case it can't connect using IPsec, but apparently this feature doesn't exist.

Could you elaborate a little more on the pros/cons of IPsec vs SSL?

Thanks!

Not knowing the specifics of your head end setup and your users' problems, it's hard to say definitively that SSL VPN would fix them.

As I mentioned back when this thread started, the only reason I have ever seen cited for adopting IKEv2-based IPsec remote access VPN is that there is some legal or regulatory requirement mandating that the organization do so.

Initially some cited IKEv2 as "more secure" as it has built-in support for stronger encryption algorithms like AES-256-GCM and integrity assurance mechanisms like SHA2-384. However, advances in browser and server-side support allow us to use these methods with SSL VPN as well.

One downside, and something that may be part of your clients' issues, is that many remote networks restrict the protocols that are permitted to egress their networks to a few widely-used ones like http and https (tcp/80 and 443). If an end user needs to establish an IKEv2 IPsec connection, they will need udp/500, udp/4500 (may not always be required) and protocol 50 (ESP) allowed from the remote network.

Hi Marvin,

I have an ASA 5515 currently set up with IPsec for AnyConnect access. I've recently tried to set up an IPsec tunnel from a site with a dynamic IP address. I can get this new tunnel up, but when I do, AnyConnect stops working for some of my machines. If I go in and manually delete the local connection profile on the laptops, AnyConnect begins working again on some machines but not all. I believe if I move from IPsec to SSL for my AnyConnect setup I can eliminate this profile issue (feel free to tell me I'm wrong). Currently I've disabled the new dynamic IPsec connection because AnyConnect access is more important.

Is moving to SSL as simple as removing IPsec from the Group Policy? Do I need to worry about orphaned profiles on remote machines? I don't have admin access to a couple of my machines so I can't remove the locally stored profiles. My end goal is to have the dynamic IPsec tunnel working alongside AnyConnect, without having to manually touch the remote AnyConnect machines. The current AnyConnect client is 4.3 but I'm working on upgrading.

Thanks,

Jack
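One way to audit the locally cached client profiles Jack is worried about, and to see which egress rules each host entry implies per Marvin's port list, as an added example that is not from the thread or from Cisco: it assumes the standard AnyConnect profile layout (ServerList/HostEntry/PrimaryProtocol, with SSL as the default when the element is absent) and uses a constructed sample profile.

```python
import xml.etree.ElementTree as ET

# AnyConnect profile schema namespace (assumed standard profile layout).
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile: one host pinned to IPsec, one left at default.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>HQ (IPsec)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>HQ (SSL)</HostName>
      <HostAddress>vpn-ssl.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Egress the remote network must permit toward the headend, per transport.
# The profile download/update rides SSL first, so tcp/443 is needed either way.
EGRESS = {
    "SSL": ["tcp/443"],
    "IPsec": ["tcp/443", "udp/500", "udp/4500", "ip-proto/50 (ESP)"],
}


def parse_host_entries(profile_xml):
    """Return [(host_name, host_address, primary_protocol)] per HostEntry."""
    entries = []
    for he in ET.fromstring(profile_xml).findall(".//ac:HostEntry", NS):
        name = he.findtext("ac:HostName", default="", namespaces=NS)
        addr = he.findtext("ac:HostAddress", default="", namespaces=NS)
        # An absent PrimaryProtocol means the client default, SSL.
        proto = he.findtext("ac:PrimaryProtocol", default="SSL", namespaces=NS)
        entries.append((name, addr, proto.strip()))
    return entries


def ipsec_pinned_hosts(profile_xml):
    """Entries that will try IKEv2 first (the thread notes no SSL fallback)."""
    return [e for e in parse_host_entries(profile_xml) if e[2] == "IPsec"]


def egress_for(profile_xml):
    """Map each headend address to the egress a remote site must allow."""
    return {a: EGRESS[p] for _, a, p in parse_host_entries(profile_xml)}
```

Running the functions against each cached profile on a laptop shows at a glance which entries will still attempt IKEv2 after the group policy is changed to SSL only.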

Hey Marvin,


What about FPR box performance SSL vs IKEv2? Would this be a reason to use IKEv2?