Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
552
Views
10
Helpful
6
Replies

Cisco Anyconnect Client Settings?

Go to solution
KGrev
Level 4
Level 4

‎01-10-2023 06:51 AM

Hi,

I have Ike policies setup for anyconnect on our ASA. Where would I go on a windows client using anyconnect to setup these same parameters? Hopefully I am saying that correctly. I would need to configure matching settings on the device also correct?

Thank you for any advice.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to KGrev

‎01-10-2023 07:13 AM - edited ‎01-10-2023 07:24 AM

@KGrev only IKEv2 is supported for Remote Access VPN, not IKEv1.

It's the policy number that specifies which to use first. You could create a new IKEv2 policy with stronger algorithms (AES-GCM, DH group 19/20/21) with a higher priority (lower number) than the existing policies.

 

View solution in original post

6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎01-10-2023 07:03 AM

@KGrev the AnyConnect client natively supports IPSec algorithms (and TLS), you just need to install the AnyConnect VPN client and configure an XML profile to define the ASA/FTD server FQDN/IP and to specify to use IPSec (instead of TLS). The XML profile would be stored here - C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

 

 

Go to solution
KGrev
Level 4
Level 4
In response to Rob Ingram

‎01-10-2023 07:08 AM

@Rob IngramThanks for your reply.

Looks like my xml profile does specify IPsec, and the other items are configured. Lets say I have multiple Ikev1 and Ikev2 policies configured for items that do not support the highest hashes and DHgroups. How does the anyconnect decide which policy to use from the ones I have available?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to KGrev

‎01-10-2023 07:13 AM - edited ‎01-10-2023 07:24 AM

@KGrev only IKEv2 is supported for Remote Access VPN, not IKEv1.

It's the policy number that specifies which to use first. You could create a new IKEv2 policy with stronger algorithms (AES-GCM, DH group 19/20/21) with a higher priority (lower number) than the existing policies.

 

Go to solution
KGrev
Level 4
Level 4
In response to Rob Ingram

‎01-10-2023 07:17 AM

@Rob IngramThanks again for your help.

So one lest question just to make sure I've got all my things in order here. It just so happens that there are 4 IKEv2 policies on our ASA's numbered 1, 10, 20, and 60. In this case 60 will always be chosen first to establish a connection or "SA" if I am using that correctly? What condition would make it drop down to lets say #20?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to KGrev

‎01-10-2023 07:23 AM

@KGrev sorry, to clarify- the lower the priority number, the higher the priority. So 1 would be preferred over 10,20 or 60. If you've got really weaker algorithms defined on the ASA/FTD that AnyConnect no longer supports, the next lower priority number would be selected

 

0 Helpful

Go to solution
KGrev
Level 4
Level 4
In response to Rob Ingram

‎01-10-2023 07:25 AM

Thanks for your help @Rob Ingram , that really cleared up a few things for me!

0 Helpful
Customers Also Viewed These Support Documents