Easy VPN vs Dynamic L2L

de1denta (Level 3)

Hi All,

I'm looking for a solution to provide backup VPN for a number of remote sites with basic ADSL connections. The ADSL connections will not have static public IP addresses, so I need a solution that supports dynamic IP addresses on one side of the VPN.

I am looking at either Easy VPN or Dynamic L2L VPN. I have tested both solutions and they work; however, I'm concerned about security risks with Dynamic L2L, as it seems that the only level of authentication we have is the PSK under the DefaultL2LGroup, which will be shared by all sites. Obviously we will configure a complex key; however, our concern is what happens if one of the remote site routers is stolen or the config is compromised: we would have to end up changing the PSK and updating all sites. This is not a concern with Easy VPN, as it supports secondary authentication which we can back off to ISE and control the authentication there.

Are my concerns valid? Any guidance would be greatly appreciated.

Thank you

5 Replies

Easy VPN is currently being replaced by Cisco and not supported in later IOS releases. If you are concerned about security, consider FlexVPN, which runs on IKEv2 and can fulfill your requirements.

I don't suggest going with a solution which is declared as EOL.

Hi,

Thanks for the reply.

Do you have a link to any notifications that mention that Cisco Easy VPN is no longer supported in the latest IOS releases? I have checked but I couldn't find anything.

GioGonza (Level 4)

Hello @de1denta

Based on your query, you are using a Legacy ASA for branch/branches and you don't want to invest money to change it since it works and it is probably a small office (I get that).

Based on my experience, I would recommend Dynamic to Static configuration instead of EzVPN (I actually call it Not That EzVPN when you are troubleshooting), but your concern is correct about Dynamic, since it will use the Default tunnel-group and the PSK is the main concern if you need to change it.

There is an option to make the connection land in another tunnel-group, but it uses Aggressive-Mode. Ouch!!

With this being said, the only option I see is to use EzVPN. You have another option: you can use certificates for that connection, since you can do certificate mapping and add another layer of authentication if you like to go that way, link.

HTH

Gio
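Gio's certificate-mapping option, as an added ASA configuration example that is not from this thread or from Cisco documentation: first the shared-PSK DefaultL2LGroup baseline the question describes, then a per-site tunnel-group selected by a certificate map, so that a stolen router's certificate can be revoked at the CA instead of rotating one PSK at every site. The trustpoint, map, tunnel-group and hostnames (SITE-CA, SITE1-MAP, SITE1, site1.example.com) and the key placeholder are assumptions.

```cisco
! Added example, not from the thread. All names are placeholders.
! --- Baseline the question describes: dynamic L2L, one PSK for every site ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
! Every peer with a dynamic address lands here; the PSK is the only identity check,
! so losing one router means changing the key on all of them.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <shared-key-placeholder>

! --- Per-site identity: certificate authentication plus a certificate map ---
! CA that issues one certificate per branch device; CRL checking is what
! lets a single stolen device be cut off without touching the other sites.
crypto ca trustpoint SITE-CA
 enrollment terminal
 revocation-check crl
! Second IKEv1 policy so certificate-authenticated peers can negotiate
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Match the CN in the branch certificate and steer it to its own tunnel-group
crypto ca certificate map SITE1-MAP 10
 subject-name attr cn eq site1.example.com
tunnel-group SITE1 type ipsec-l2l
tunnel-group SITE1 ipsec-attributes
 ikev1 trust-point SITE-CA
 peer-id-validate req
tunnel-group-map enable rules
tunnel-group-map SITE1-MAP 10 SITE1
```

One certificate map and tunnel-group per branch gives each site its own identity while the dynamic crypto map still accepts whatever address the ADSL line hands out. `show vpn-sessiondb l2l` shows which tunnel-group each peer landed in, which is how you confirm a branch is no longer falling through to DefaultL2LGroup.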

Ok thanks for this. The preference is to use Easy VPN as it supports secondary authentication.

We have an ASA 5512 as the Easy VPN server and the Easy VPN clients are a mix of ASA 5506X and Cisco 890 series routers. I have checked the features for the latest IOS versions and they are all showing that Easy VPN is supported.

I know that the Cisco VPN software client is EoL but I can't see anything for the Cisco Easy VPN hardware client. Can anyone confirm this?

Hello @de1denta

If you check this link for Cisco IOS Easy VPN, there is no EOL-EOS announced by Cisco. But digging deeper I found this link where it says that Cisco Easy VPN is obsolete, but there is no reference or official documentation about it; this is the only information I got from this.

HTH

Gio