How can I easily migrate Remote Access VPN from IPSEC to SSL?

martinparker78
Level 1

Hi

I have a Cisco ASA 5540 running 8.4(2). We also use AnyConnect version 3.0.2052 for our RAS client.

The remote access solution has always used IPsec as this was company policy. We are now looking to move to SSL and I need to find the easiest way to do this. I would prefer it if the change was smooth and that the users didn't notice.

Any help with this would be much appreciated. I have a few ideas and I have tried a few things in the lab but all seem a bit messy or may require laptops being reconfigured.

Many thanks

2 Replies

Jouni Forss
VIP Alumni

Hi,

I don't really know how the users wouldn't notice since they will have to switch from using the old VPN Client to AnyConnect Secure Mobility Client. This means that every user will need to install the client the first time they connect.

If you now have a "tunnel-group" configured for IPsec VPN and a "group-policy" that limits the Client type to "ikev1" then you could always add "ssl-client" to the "group-policy" and add other configurations so your users can use both IPsec and SSL Client at the same time using the same "tunnel-group" / "group-policy" and migrate at their own pace.

I did a quick test on my own ASA to first create an IPsec VPN configuration. I added a few SSL Client related configurations to the existing "tunnel-group" and "group-policy" and it works just fine.

To be honest I haven't had to do this before. When we have needed to migrate from IPsec to SSL we have acquired completely new VPN equipment and the ones used for IPsec have usually been removed eventually.

- Jouni
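
A small audit for the coexistence approach described in the reply above, as an added example that is not part of the original thread: it reads `group-policy` blocks from a saved configuration and reports which ones admit IPsec only, both client types, or SSL only. The policy names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in ASA 8.4 running-config style; all names are hypothetical.
SAMPLE_CONFIG = """\
group-policy RA-LEGACY attributes
 vpn-tunnel-protocol ikev1
group-policy RA-MIGRATING attributes
 vpn-tunnel-protocol ikev1 ssl-client
group-policy RA-IKEV2 attributes
 vpn-tunnel-protocol ikev2
group-policy RA-UNSET attributes
 dns-server value 192.0.2.53
tunnel-group RA-USERS general-attributes
 default-group-policy RA-MIGRATING
"""

IPSEC = {"ikev1", "ikev2"}

def parse_group_policies(config):
    """Map each 'group-policy NAME attributes' block to its vpn-tunnel-protocol set."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy\s+(\S+)\s+attributes\s*$", line)
        if header:
            current = header.group(1)
            policies.setdefault(current, set())
        elif current and line.startswith(" "):
            proto = re.match(r"\s+vpn-tunnel-protocol\s+(.+)$", line)
            if proto:
                policies[current] = set(proto.group(1).split())
        else:
            current = None  # any other top-level line closes the block
    return policies

def migration_status(protocols):
    """Classify one policy by which client types it admits."""
    if not protocols:
        return "inherits"      # no explicit line: value comes from the default group policy
    if "ssl-client" not in protocols:
        return "ipsec-only"    # users on this policy cannot connect over SSL yet
    return "dual" if protocols & IPSEC else "ssl-only"

def report(config):
    """Return {policy_name: status} for every group-policy attributes block."""
    return {name: migration_status(p) for name, p in parse_group_policies(config).items()}

if __name__ == "__main__":
    for name, status in report(SAMPLE_CONFIG).items():
        print(f"{name:14} {status}")
```

Policies reported as `ipsec-only` are the ones that still need `ssl-client` added before their users can move; `dual` is the coexistence state, and `ssl-only` is the end state once IPsec is withdrawn.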

Thanks for the reply. We are using AnyConnect with IKEv2 to support IPsec.

I need it so that I can swop it over to SSL and when the user connects using IPsec they get the new policy that uses SSL. That way, they don't notice a change.