AnyConnect obscuring tunnel-group selection drop-box if last selected was SAML

AlexFer
Level 1

Hi Experts,

disclaimer: Cisco TAC responded that this is expected behavior but I dispute it's expected by end-users.

We're testing RA VPN using AnyConnect (4.7.04056). Three tunnel-groups: one (legacy) is authenticating using LDAP (against on-premise AD), other two are SAML (against Azure IdP).

Ordinarily, after clicking "connect" button remote-user expects to see AnyConnect's drop-box to explicitly select tunnel-group.

However, if the remote-user previously selected a SAML tunnel-group, then the same choice is assumed for the subsequent attempt, causing AnyConnect's largish built-in web-browser window (facilitating the SAML authentication prompt) to obscure the tunnel-group selection drop-box. (In Windows, it means the remote-user has to find the AnyConnect window in the Taskbar, or alt-tab or win-tab, to select another tunnel-group.)

I prepended a number in each tunnel-group's "group-alias" to order LDAP tunnel-group first, but that hasn't helped.

Advice on how to handle this setup would be most appreciated.
R's, Alex

8 Replies

Marvin Rhoads
Hall of Fame

The most-recently used group (and other parameters) will be stored in

C:\Users\<username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client

I wonder if making that file read-only (with the desired DefaultGroup parameter) would work.

Hi Marvin,

thank you for the suggestion. My understanding is that this "preferences.xml" is meant to be overwritten, by design. So, I'd be reluctant to impose file read-only upon all users (especially those who access different VPN Gateways). Alternative suggestions most appreciated.

Since you brought up "preferences.xml" - a question: is it possible to force AnyConnect to use IKEv2 (instead of the preferred SSL) for the VPN connection at the client-end (i.e. without an AnyConnect VPN Profile or changing the group-profile's "vpn-tunnel-protocol" at the head-end)? (I have a firewall that can block SSL, but I'm looking for something more straightforward.)

R's, Alex

How about publishing a URL for the connection profiles and having the users enter that as an alternative to send their session straight to the desired profile?

As far as I know, the protocol (SSL/TLS vs. IKEv2 IPsec) needs to be specified in the profile - normally deployed from the headend but it can be predeployed manually.

> but it can be predeployed manually.
can you please provide a clue as to how? Can this setting remain persistent (until, let's say, manually removed)?

Also can you confirm - even if IPsec is used for VPN transport, is SSL (port 443) still innately required?

Build a VPN Profile using the desktop editor. The server list section allows you to save the protocol used.

[Screenshot: VPN Profile with IPsec (IKEv2)]

Save the file and copy it to clients (on Windows the location is C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) using:

  1. Cut and paste the file manually,
  2. Windows GPO or
  3. Enterprise software management tool like SCCM or LANdesk

If there's no profile on the ASA, the client one will remain as-is persistent across connections and restarts. Any profile on the ASA that's associated with the client's connection will overwrite what the client has already, no matter how they got it.

Brilliant! Thank you... For Posterity, here's what I've done.

1. Created file (based on demo AnyConnect Profile) - "ikev2_anyconnect_client_profile2.xml" with ONLY following content:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ServerList>
<HostEntry>
<HostName>ikev2-5555</HostName>
<HostAddress>{redacted}</HostAddress>
<UserGroup>{redacted}</UserGroup>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>

2. (as per your advice) placed file into "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\"

3. Try VPN connection

c:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client>vpncli
Cisco AnyConnect Secure Mobility Client (version 4.7.04056) .

Copyright (c) 2004 - 2019 Cisco Systems, Inc. All Rights Reserved.

>> state: Disconnected
>> state: Disconnected
>> notice: Ready to connect.
>> registered with local VPN subsystem.
VPN> connect ikev2-5555
>> contacting host (ikev2-5555) for login information...
>> notice: Contacting ikev2-5555.

>> Please enter your username and password.

Username: [{redacted}]
Password: [redacted]
>> notice: Please respond to banner.

You are now connected to the {redacted} network. During this unusual time the {redacted} VPN service is critically important in delivering access to the {redacted} community. Streaming services like Netflix and Youtube will be blocked through the VPN tunnel until further notice.

accept? [y/n]: y
>> notice: Establishing VPN session...
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
>> notice: Checking for product updates...
>> notice: Checking for customization updates...
>> notice: Performing any required updates...
>> notice: The AnyConnect Downloader updates have been completed.
>> notice: Establishing VPN - Examining system...
>> notice: Establishing VPN - Activating VPN adapter...
>> state: Connecting
>> notice: Establishing VPN session...
>> notice: Establishing VPN - Configuring system...
>> notice: Establishing VPN...
>> state: Connected
>> notice: Connected to ikev2-5555.
VPN> disconnect
>> state: Disconnecting
>> notice: Disconnect in progress, please wait...
>> state: Disconnecting
>> notice: Disconnect in progress, please wait...
>> state: Disconnecting
>> state: Disconnected
>> notice: Ready to connect.
>> state: Disconnected

4. Observe in Wireshark - no traffic on port TCP/443 - I see only (source UDP/500 and UDP/4500) ISAKMP and ESP traffic - so I answered my own question - AnyConnect can be independent of SSL.
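As an added example (not code from the thread or from Cisco), the Python helper below generates the minimal AnyConnect profile shown in step 1 from parameters, and audits an existing profile to report which HostEntry records force IPsec and which fall back to AnyConnect's default of SSL. The host names, address and group in the constructed sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces exactly as used in the AnyConnect profile posted above.
NS = "http://schemas.xmlsoap.org/encoding/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("", NS)
ET.register_namespace("xsi", XSI)


def build_profile(host_name, host_address, user_group, primary_protocol="IPsec"):
    """Return the minimal AnyConnectProfile XML (one HostEntry) as text."""
    if primary_protocol not in ("IPsec", "SSL"):
        raise ValueError("PrimaryProtocol must be IPsec or SSL")
    root = ET.Element(f"{{{NS}}}AnyConnectProfile")
    root.set(f"{{{XSI}}}schemaLocation", f"{NS} AnyConnectProfile.xsd")
    server_list = ET.SubElement(root, f"{{{NS}}}ServerList")
    entry = ET.SubElement(server_list, f"{{{NS}}}HostEntry")
    for tag, text in (("HostName", host_name), ("HostAddress", host_address),
                      ("UserGroup", user_group), ("PrimaryProtocol", primary_protocol)):
        ET.SubElement(entry, f"{{{NS}}}{tag}").text = text
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def audit_profile(xml_text):
    """Map each HostEntry's HostName to its PrimaryProtocol.

    A HostEntry with no PrimaryProtocol element is reported as "SSL", which is
    the protocol AnyConnect prefers when nothing forces IPsec (as the thread notes).
    """
    root = ET.fromstring(xml_text)
    result = {}
    for entry in root.iterfind(f"{{{NS}}}ServerList/{{{NS}}}HostEntry"):
        name = entry.findtext(f"{{{NS}}}HostName")
        proto = entry.findtext(f"{{{NS}}}PrimaryProtocol") or "SSL"
        result[name] = proto
    return result


# Constructed sample profile (placeholder names): one entry forces IPsec, one does not.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry><HostName>legacy-ldap</HostName><HostAddress>vpn.example.test</HostAddress></HostEntry>
<HostEntry><HostName>ikev2-5555</HostName><HostAddress>vpn.example.test</HostAddress>
<UserGroup>ikev2-group</UserGroup><PrimaryProtocol>IPsec</PrimaryProtocol></HostEntry>
</ServerList>
</AnyConnectProfile>"""

if __name__ == "__main__":
    print(build_profile("ikev2-5555", "vpn.example.test", "ikev2-group"))
    print(audit_profile(SAMPLE_PROFILE))  # {'legacy-ldap': 'SSL', 'ikev2-5555': 'IPsec'}
```

On a Windows client the generated text would be saved into the Profile directory named in step 2; run audit_profile over profiles already there to confirm which entries actually force IPsec before blocking TCP/443 upstream.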

Indeed - that's it exactly.

TLS is only required with an IKEv2 remote access VPN if you want the client services - e.g the portal and the ability to update the profile from the headend. If you don't need either it can work purely over the ISAKMP (udp/500 and, if there's NAT Traversal, udp/4500) and ESP (protocol 50) IPsec-related protocols as you observed.

Using the above manually created AnyConnect profile, in Wireshark, I saw no attempt to connect to head-end using SSL. In fact, during testing, I denied SSL access to head-end on edge router - leading to two questions:
1. Isn't AnyConnect designed to automatically utilise IKEv2+ESP if SSL is unavailable? If so, how come I need the profile to explicitly specify "IPsec" for "PrimaryProtocol" - wouldn't failure to connect to head-end using SSL be sufficient to use IPsec?
2. Above vpncli printouts:
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
>> notice: Checking for product updates...
>> notice: Checking for customization updates...
>> notice: Performing any required updates...
>> notice: The AnyConnect Downloader updates have been completed.
Seem fake, given that these "client-services" require SSL that isn't available - no?