06-28-2021 10:20 AM
Hi Team,
I would like to understand the pros and cons of anyconnect ssl vpn and anyconnect ipsec VPN. Which one enhances the security for any organization ?
Regards,
VJ
06-28-2021 10:22 AM
AnyConnect based on the SSL protocol is called AnyConnect SSL VPN, and if you deploy AnyConnect with the IPsec protocol, it is called IKEv2.
AnyConnect (using IKEv2 or SSL VPN) doesn't use a pre-shared key to authenticate the user. A certificate will be used to authenticate the ASA, and either or both of username/password and a certificate are used to authenticate the user. The XML profile is needed just to make the AnyConnect client use IKEv2 rather than the default of SSL when connecting to the ASA.
Here is the doc listing some of the benefits of using AnyConnect with IKEv2 as opposed to SSL VPN.
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-cfg-ikev2-flex.html#GUID-6548042E-1E4C-416A-8347-00DCF96F04DF
In essence, if you have got a fairly simple deployment, then you can go with the SSL VPN setup, and if you want to leverage additional features, you can use AnyConnect with IPsec.
Regards
Inderdeep Singh
www.thenetworkdna.com (awarded by the Cisco IT Blogs award 2020)
06-28-2021 10:36 AM
@inderdeeps - Thanks. Can you please elaborate more on the sentence "if you want to leverage additional features, you can use AnyConnect with IPsec"?
06-28-2021 10:59 AM
@VijayBhargavR8067: Below are the benefits.
Dead Peer Detection and Network Address Translation-Traversal
Internet Key Exchange Version 2 (IKEv2) provides built-in support for Dead Peer Detection (DPD) and Network Address Translation-Traversal (NAT-T).
Certificate URLs
Certificates can be referenced through a URL and hash, instead of being sent within IKEv2 packets, to avoid fragmentation.
Denial of Service Attack Resilience
IKEv2 does not process a request until it determines the requester, which addresses to some extent the Denial of Service (DoS) problems in IKEv1, which can be spoofed into performing substantial cryptographic (expensive) processing from false locations.
EAP Support
IKEv2 allows the use of Extensible Authentication Protocol (EAP) for authentication.
Multiple Crypto Engines
If your network has both IPv4 and IPv6 traffic and you have multiple crypto engines, choose one of the following configuration options:
One engine handles IPv4 traffic and the other engine handles IPv6 traffic.
One engine handles both IPv4 and IPv6 traffic.
06-29-2021 03:55 AM
@inderdeeps The above are features of the IKEv2 protocol. For example, DPD and rekeying can be manually configured for SSL VPN too. However, what I am looking for is what advantages I get from IPsec compared to SSL VPN. Does this enhance security by any means? If so, how? Does it make sense to switch from the existing SSL VPN to IPsec?
06-29-2021 04:21 AM
IPsec is generally used if mandated for compliance reasons; both IPsec and SSL-VPN can be as secure as each other. SSL-VPN is more likely to work anywhere, as it is not restricted by proxy servers or firewalls.
For SSL-VPN, configure the TLS ciphers (remove the weaker ciphers) and disable SSL 3.0 and TLS 1.0/1.1.
Use DTLS 1.2, AnyConnect 4.8+ and ASA 9.12+ for improved performance.
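The two practical points in this thread, the `PrimaryProtocol` element of the AnyConnect XML profile that switches the client from SSL to IKEv2/IPsec, and the ASA `ssl` hardening (minimum TLS 1.2, DTLS 1.2, no weak cipher suites), can both be checked offline. The script below is an added example and is not code from the thread or from Cisco: the profile, the hostnames, and the two ASA `ssl` configuration fragments (a weak one and a hardened one) are constructed sample inputs, and the config audit is a simple line-based check of `ssl server-version` and `ssl cipher` lines, not a full ASA configuration parser.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample AnyConnect client profile (not from the thread).
# vpn.example.com forces IKEv2/IPsec via PrimaryProtocol; legacy.example.com
# omits the element, so the client falls back to the default of SSL.
PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>legacy.example.com</HostName>
      <HostAddress>legacy.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed ASA 'ssl' fragments: the weak one accepts any SSL/TLS version
# and the default "medium" cipher level; the hardened one pins TLS 1.2 and
# DTLS 1.2 and restricts the suites, as the last reply recommends.
WEAK_CONFIG = """\
ssl server-version any
ssl cipher default medium
"""
HARDENED_CONFIG = """\
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher default high
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1.2 high
ssl dh-group group14
ssl ecdh-group group19
"""

LEGACY_VERSIONS = {"any", "sslv3", "tlsv1", "tlsv1.1"}   # minimum versions to reject
WEAK_LEVELS = {"all", "low", "medium"}                   # ASA cipher levels to reject
WEAK_TOKENS = {"RC4", "RC2", "DES", "3DES", "NULL", "MD5", "EXPORT"}


def _local(tag):
    """Strip the XML namespace: '{ns}HostEntry' -> 'HostEntry'."""
    return tag.rsplit("}", 1)[-1]


def profile_protocols(xml_text):
    """Map each HostEntry's HostName to the protocol the client tries first.
    AnyConnect defaults to SSL when PrimaryProtocol is absent."""
    result = {}
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "HostEntry":
            continue
        name, proto = None, None
        for child in entry:
            if _local(child.tag) == "HostName":
                name = (child.text or "").strip()
            elif _local(child.tag) == "PrimaryProtocol":
                # .text is the element's leading text, so this also works when
                # sub-elements such as StandardAuthenticationOnly follow it.
                proto = (child.text or "").strip()
        result[name] = proto or "SSL"
    return result


def audit_ssl_config(config_text):
    """Return a list of findings for the 'ssl' lines of an ASA config.
    An empty list means minimum TLS 1.2, DTLS 1.2, and no weak cipher suites."""
    findings = []
    saw_server_version = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("ssl server-version"):
            saw_server_version = True
            versions = line.split()[2:]
            for v in versions:
                if v in LEGACY_VERSIONS:
                    findings.append(f"server-version allows legacy SSL/TLS: {v}")
            if "dtlsv1.2" not in versions:
                findings.append("server-version does not pin DTLS to 1.2")
        elif line.startswith("ssl cipher"):
            m = re.match(r'ssl cipher (\S+) (?:custom "([^"]*)"|(\w+))', line)
            if not m:
                continue
            version, custom, level = m.groups()
            if level in WEAK_LEVELS:
                findings.append(f"cipher level '{level}' for {version} includes weak suites")
            for suite in (custom or "").split():
                if set(suite.upper().split("-")) & WEAK_TOKENS:
                    findings.append(f"weak suite in custom list for {version}: {suite}")
    if not saw_server_version:
        findings.append("no 'ssl server-version' line: platform default minimum applies")
    return findings


if __name__ == "__main__":
    print(profile_protocols(PROFILE))
    print("weak:", audit_ssl_config(WEAK_CONFIG))
    print("hardened:", audit_ssl_config(HARDENED_CONFIG))
```

Run it against a `show running-config ssl` capture and the profile pushed to clients; a profile entry that resolves to `SSL` is one that will still negotiate TLS/DTLS rather than IKEv2, and any finding on the config means the TLS side still accepts what the last reply says to disable.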