01-10-2023 06:51 AM
Hi,
I have IKE policies set up for AnyConnect on our ASA. Where would I go on a Windows client using AnyConnect to set up these same parameters? Hopefully I am saying that correctly. I would need to configure matching settings on the device also, correct?
Thank you for any advice.
01-10-2023 07:03 AM
@KGrev the AnyConnect client natively supports IPSec algorithms (and TLS), you just need to install the AnyConnect VPN client and configure an XML profile to define the ASA/FTD server FQDN/IP and to specify to use IPSec (instead of TLS). The XML profile would be stored here - C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
01-10-2023 07:08 AM
@Rob Ingram Thanks for your reply.
Looks like my XML profile does specify IPsec, and the other items are configured. Let's say I have multiple IKEv1 and IKEv2 policies configured for items that do not support the highest hashes and DH groups. How does AnyConnect decide which policy to use from the ones I have available?
01-10-2023 07:13 AM - edited 01-10-2023 07:24 AM
@KGrev only IKEv2 is supported for Remote Access VPN, not IKEv1.
It's the policy number that specifies which to use first. You could create a new IKEv2 policy with stronger algorithms (AES-GCM, DH group 19/20/21) with a higher priority (lower number) than the existing policies.
01-10-2023 07:17 AM
@Rob Ingram Thanks again for your help.
So one last question just to make sure I've got all my things in order here. It just so happens that there are 4 IKEv2 policies on our ASAs numbered 1, 10, 20, and 60. In this case 60 will always be chosen first to establish a connection or "SA", if I am using that correctly? What condition would make it drop down to, let's say, #20?
01-10-2023 07:23 AM
@KGrev sorry, to clarify: the lower the priority number, the higher the priority. So 1 would be preferred over 10, 20 or 60. If you've got really weak algorithms defined on the ASA/FTD that AnyConnect no longer supports, the next lower priority number would be selected.
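As an added illustration (not from this thread or from Cisco), here is what the ordering described above looks like in ASA configuration: a stronger IKEv2 policy at the lowest number so it is proposed first, with an older policy kept at a higher number as the fallback. Policy numbers and algorithm choices are assumptions.

```cisco
! Added example, not from the thread. Policy numbers and algorithms are assumed.
! The ASA offers IKEv2 policies in ascending order of policy number, so the
! strongest policy gets the lowest number and is tried first.
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 21 20 19
 prf sha512 sha384 sha256
 lifetime seconds 86400
! Notes on policy 1:
!  - AES-GCM is an AEAD cipher, so the integrity algorithm is set to null.
!  - Groups 21/20/19 are the ECDH groups mentioned in the thread; the
!    client picks from this list, so list the strongest first.
!
! Existing, weaker policy left in place for peers that cannot negotiate
! policy 1. It is only used if the client rejects every proposal above.
crypto ikev2 policy 60
 encryption aes-256 aes
 integrity sha256 sha
 group 14 5
 prf sha256 sha
 lifetime seconds 86400
!
! To confirm which algorithms an AnyConnect session actually negotiated
! (and therefore which policy won), inspect the IKEv2 SA on the ASA:
! show crypto ikev2 sa
```

If the session still shows the weaker cipher suite, the client did not accept policy 1, which is the "drop down to the next number" case described in the answer.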
01-10-2023 07:25 AM
Thanks for your help @Rob Ingram , that really cleared up a few things for me!