group-policy anyconnect vpn tunnel protocol

john.wright
Level 3

I am trying to set up anyconnect ssl vpn for mac users along side our older ipsec vpn for windows.

The group-policy for our current vpn specifies: vpn-tunnel-protocol IPSec.

The group-policy vpn-tunnel attribute for anyconnect is: vpn-tunnel-protocol svc.

Can I place this vpn-tunnel-protocol svc parameter as another option in our current group policy, or do I need to create a new group policy for the anyconnect users?

Everything else in the current group policy is exactly what I need for the anyconnect users.

5 Replies

Jouni Forss
VIP Alumni

Hi,

To my understanding you should be able to have both SSL and IPsec VPN under the same configurations.

I'm not sure what the correct CLI format is. Is it perhaps to enter them both at the same time, or to add them separately?

I guess it would be easiest to change the configurations through ASDM.

I made a quick IPsec-RA profile on my ASA and added the SSL VPN Client to it.

It now shows

group-policy internal
group-policy attributes
 vpn-tunnel-protocol ikev1 ssl-client

I also added

tunnel-group webvpn-attributes
 group-alias enable

- Jouni

Jouni

Thanks for the reply.

So you are at least able to apply two different tunnel protocols to the same group-policy attributes and your clients determine which to choose?

This setup is only going to be for the very few mac users that we have on site. The vast majority of our people use the Cisco VPN client 5.0 for windows.

Hi,

Well, your IPsec VPN clients would still continue to connect straight with the Client software, which has the profile created with the Group Name, PSK and peer IP address.

Your SSL VPN Clients would connect to the Web Portal of ASA and choose the connection profile in the drop down menu, log in and install the AnyConnect VPN Client.

Or if they had the Client already they would open the AnyConnect client and connect to the peer IP address, choose the group and log in.

- Jouni

Jouni

One more thing.

We were thinking that we would deploy the client to the workstations since there are only about 10 people who will be using this. Is there really a need to deploy to the workstation since the client loads when they access the web portal?

Hello John,

If you are providing the client download via the Webvpn portal there is no need to install it on the client unless you want to stop downloading the client every single time a user connects.

In order to do that you just need to configure the SVC setting to keep the installer on the PC and then just change the option of downloading the Anyconnect without prompting the user, or cancel the download for sure.

Hope this helps.

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
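An added configuration example, not posted by anyone in this thread and not taken from Cisco documentation, that pulls together what Jouni and Julio describe: one group policy that permits both the IPsec client and AnyConnect SSL, plus the keep-installer and ask settings that stop the client being re-downloaded on every connection. It assumes ASA 8.4 or later syntax (the anyconnect keyword; on 8.2/8.3 the same options use svc and the protocol keywords are IPSec svc) and placeholder names RA-POLICY, RA-TUNNEL, MacUsers and a placeholder image path.

```cisco
! Group policy shared by the IPsec (Cisco VPN Client) users and the AnyConnect users
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 ! Both protocols on one line; each client type negotiates the one it supports.
 ! On ASA 8.2/8.3 write "vpn-tunnel-protocol IPSec svc" instead.
 vpn-tunnel-protocol ikev1 ssl-client
 webvpn
  ! Keep the AnyConnect installer on the workstation after the first download
  anyconnect keep-installer installed
  ! Launch AnyConnect from the portal directly, without prompting the user each time
  anyconnect ask none default anyconnect
!
! Connection profile that appears in the portal / AnyConnect drop-down list
tunnel-group RA-TUNNEL type remote-access
tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-POLICY
tunnel-group RA-TUNNEL webvpn-attributes
 group-alias MacUsers enable
!
! Enable SSL VPN on the outside interface and publish the client package
webvpn
 enable outside
 ! Placeholder path: substitute the package actually uploaded to flash
 anyconnect image disk0:/anyconnect-macos-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
```

The existing IPsec tunnel-group (group name plus PSK) is left untouched; only the group policy it references gains the second protocol, so the Windows users keep connecting exactly as before.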