
Cisco Anyconnect SSL VPN vs AnyConnect IPSec

B. BELHADJ
Level 4

Hello,

Can anyone tell me what the difference is between the AnyConnect SSL VPN and the AnyConnect IPSec VPN?

When do we use one and not the other?

Thank you so much.

Best regards.

Accepted Solutions

Dinesh Moudgil
Cisco Employee

Hello Abdollah,

AnyConnect based on the SSL protocol is called AnyConnect SSL VPN, and if you deploy AnyConnect with the IPSec protocol, it is called IKEv2.

AnyConnect (using IKEv2 or SSL VPN) doesn't use a pre-shared key to authenticate the user. A certificate will be used to authenticate the ASA, and either or both of user+pass and certificate are used to authenticate the user. The XML profile is needed just to make the AnyConnect client use IKEv2 rather than the default of SSL when connecting to the ASA.

Here is the doc listing some of the benefits of using AnyConnect with IKEv2 as opposed to SSL VPN.
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-cfg-ikev2-flex.html#GUID-6548042E-1E4C-416A-8347-00DCF96F04DF

In essence, if you have got a fairly simple deployment, then you can go with the SSL VPN setup, and if you want to leverage additional features, you can use AnyConnect with IPSec.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
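
Added example (not part of the original post or of Cisco's documentation): a Python check that reads an AnyConnect client profile and reports, per server entry, whether the client is told to use IPsec/IKEv2 or is left on the SSL default mentioned in the answer above. The profile contents, host names and function names are constructed for illustration; it assumes the profile selects the protocol with a `PrimaryProtocol` element inside each `HostEntry`.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile; the hosts are placeholders, not from the thread.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>HQ (IKEv2)</HostName>
      <HostAddress>vpn1.example.com</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>false</StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>Branch (no protocol set)</HostName>
      <HostAddress>vpn2.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Lab (explicit SSL)</HostName>
      <HostAddress>vpn3.example.com</HostAddress>
      <PrimaryProtocol>SSL</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def _local(tag):
    """Strip the XML namespace so element names can be compared directly."""
    return tag.rsplit("}", 1)[-1]

def protocols_by_host(profile_xml):
    """Return {HostAddress: 'IPsec' | 'SSL'} for every HostEntry in the profile."""
    root = ET.fromstring(profile_xml)
    result = {}
    for entry in root.iter():
        if _local(entry.tag) != "HostEntry":
            continue
        # .text is the text before any child element, so nested options are ignored.
        fields = {_local(c.tag): (c.text or "").strip() for c in entry}
        address = fields.get("HostAddress") or fields.get("HostName", "")
        proto = fields.get("PrimaryProtocol", "")
        # A missing PrimaryProtocol leaves the client on its SSL default.
        result[address] = "IPsec" if proto.lower() == "ipsec" else "SSL"
    return result

def hosts_not_using_ikev2(profile_xml):
    """List the entries that will connect over SSL rather than IKEv2."""
    return sorted(h for h, p in protocols_by_host(profile_xml).items() if p != "IPsec")

if __name__ == "__main__":
    print(protocols_by_host(SAMPLE_PROFILE))
```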

Hello Dinesh,

Thank you for your reply, that was helpful :)

So for complex architectures, IKEv2 is recommended rather than SSL?

Best regards.

That is right, you can leverage the benefits of IKEv2 for complex deployments, but it is more or less dependent directly on your needs rather than complexity.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Can you maybe detail the complexities/flexibility/features that IKEv2 gives you over SSL?

 
