04-04-2013 05:25 AM - edited 02-21-2020 06:48 PM
Hi
I have a Cisco ASA 5540 running 8.4(2). We also use Anyconnect version 3.0.2052 for our RAS client.
The remote access solution has always used ipsec as this was company policy. We are now looking to move to SSL and I need to find the easiest way to do this. I would prefer it if the change was smooth and that the users didn't notice.
Any help with this would be much appreciated. I have a few ideas and I have tried a few things in the lab but all seem a bit messy or may require laptops being reconfigured.
Many thanks
04-04-2013 05:53 AM
Hi,
I don't really know how the users wouldn't notice since they will have to switch from using the old VPN Client to AnyConnect Secure Mobility Client. This means that every user will need to install the client the first time they connect.
If you now have a "tunnel-group" configured for IPsec VPN and a "group-policy" that limits the Client type to "ikev1" then you could always add "ssl-client" to the "group-policy" and add other configurations so your users can use both IPsec and SSL Client at the same time using the same "tunnel-group" / "group-policy" and migrate at their own pace.
I did a quick test on my own ASA to first create an IPsec VPN configuration. Added a few SSL Client related configurations to the existing "tunnel-group" and "group-policy" and it works just fine.
To be honest I haven't had to do this before. When we have needed to migrate from IPsec to SSL we have acquired completely new VPN equipment and the ones used for IPsec have usually been removed eventually.
- Jouni
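A sketch of the coexistence setup described in the reply above, as an added example that is not the poster's own configuration. The names RA-POLICY and RA-TUNNEL, the interface name outside, and the image filename are placeholders to be replaced with the values from the existing configuration.

```cisco
! Added example for ASA 8.4 syntax; all names below are placeholders.
!
! Before: the existing group-policy permits only the IPsec client type.
!   group-policy RA-POLICY attributes
!    vpn-tunnel-protocol ikev1
!
! After: permit both protocols on the same group-policy so users can
! connect with either one during the migration. A deployment that runs
! AnyConnect over IKEv2 would list ikev2 here instead of ikev1.
group-policy RA-POLICY attributes
 vpn-tunnel-protocol ikev1 ssl-client
!
! SSL VPN has to be enabled on the terminating interface, with an
! AnyConnect package loaded for web deployment and updates.
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Expose the existing tunnel-group to SSL clients under an alias, so
! both connection types land on the same tunnel-group and group-policy.
tunnel-group RA-TUNNEL webvpn-attributes
 group-alias RA-TUNNEL enable
!
! Once no sessions use IPsec any more, narrow the policy to SSL only
! so the old protocol is no longer accepted:
!   group-policy RA-POLICY attributes
!    vpn-tunnel-protocol ssl-client
!
! Check which protocol each connected client is using with:
!   show vpn-sessiondb anyconnect
```

Leaving both protocols enabled indefinitely keeps two remote-access entry points to patch and monitor, so the final narrowing step is worth scheduling rather than leaving open-ended.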
04-04-2013 06:01 AM
Thanks for the reply. We are using Anyconnect with IKEv2 to support ipsec.
I need it so that I can swop it over to SSL and when the user connects using ipsec they get the new policy that uses SSL. That way, they don't notice a change.