Easy replacement for AnyConnect SSL-VPN on IOS XE

Hello,

Cisco is not providing AnyConnect-based SSL-VPN on IOS XE, stating IOS XE isn't a "strategic security platform". Aside from this decision annoying customers and administrators alike, I fail to find a solution for this platform which is easy to implement on the IOS device and easy to deploy on the target platform.

Cisco provides so many names, like EzVPN, FlexVPN, GetVPN, and more, without an easy-to-find, comprehensible overview of which technology is current, which should no longer be deployed in new scenarios, and which technology is appropriate for which use cases. Hints are well appreciated.

Today I was doing research for hours and hours on what to do and came to the conclusion that there is no adequate replacement for SSL-VPN on IOS XE platforms. FlexVPN is immensely complex: to my understanding, a certificate infrastructure is necessary. Certificates expire sooner or later, and this has proved to be a nightmare for many small customers. And you need to constantly refresh certificates for end users. A no-go for small shops. Also, the XML file necessary for passing parameters to the AnyConnect client is annoyingly complex, includes many terms from the Microsoft Windows platform and increases setup complexity even more.

Besides that, it's hard (and unnecessarily expensive) to sell a customer a router for DMVPN access to the DC, and an ASA for VPN access.

No wonder people are so delighted about WireGuard!

Questions:

  • Is there a "technology" available on IOS XE that is equally easy to deploy as the SSL-VPN "server" configuration?
  • Is there a "technology" available on IOS XE that is equally easy to deploy on the target platforms? Preferably with the AnyConnect client, which users are already accustomed to?
  • Is there a "technology" available on IOS XE not requiring cumbersome handling of an XML file, or similar "running-config external" means?
  • Is there a "technology" available on IOS XE with decent security, where the OS-provided VPN clients for Windows, macOS, Linux, iOS and Android can be used instead of AnyConnect?
  • Are certificates mandatory for FlexVPN? Or only for the EAP-Auth part of FlexVPN?

Thank you for your valuable input.

@Mathias Peter IT you are correct, SSL-VPN isn't really supported on IOS-XE.

FlexVPN is the Remote Access VPN solution on IOS-XE, however FTD or ASA is the preferred Cisco Remote Access VPN platform.

With FlexVPN, you need at least an identity certificate on the hub; the client computer must trust the hub's certificate, so it must have the root certificate installed. For the user authentication you can use EAP (username/password), so there is no need to distribute and renew client certificates.

Milos_Jovanovic
VIP Alumni

Hi @Mathias Peter IT,

AnyConnect is actually supported on IOS XE, and you can find the config guide here. However, I would really advise staying away from this, as it comes with certain limitations and prerequisites, and I tend to find it hard to troubleshoot, given that it is not the native platform for AnyConnect.

I would rather suggest adding a small FPR platform (such as FPR1010 or 1120) and implementing AnyConnect there.

Kind regards,

Milos