IPSec + SSL on Anyconnect mobility client

lmutsa1988 · ‎05-29-2013

Hi All,

I have successfully configured cisco AnyConnect vpn. I can connect well with SSL but not IPSec. Currently the users want to connect via IPSec as well. How do I enable/configure both SSL and IPSec on Anyconnect VPN.

I have ASA AnyConnect Mobile license and Cisco AnyConnect Essentials license.

Thanks in advance

Karsten Iwen · ‎05-29-2013

There are basically three steps that have to be added to enable IPSec for your working AnyConnect-Clients. Here are the steps for ASDM:

On the connection-profile-page enable IPSec on the outside interface and make sure that you have the right certificate also for IPsec assigned.
Make sure that all needed group-policies have the tunneling-protocol "IPsec IKEv2" enabled.
Configure an AnyConnect Client Profile where you add an entry to the server-list for your gateway and activate IPsec as the primary protocol.

And of course you need the proper versions. Thats at least AnyConnect 3.0 and ASA 8.4.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

lmutsa1988 · ‎05-29-2013

Hi Karsten,

Thanks for your response. I have AnyConnect 3.0 but my ASA is 8.2...

Would that work? Right now i cant access my network so I can only try the configs in 10 hours time.

Karsten Iwen · ‎05-29-2013

No, that won't work. IKEv2 was introduced in ASA v8.4(1), and thats the only IPsec implementation the AnyConnect client supports. You need to upgrade the ASA. For that be aware that older ASAs need an memory upgrade to support the new software.

The only other option is to implement the legacy IPSec model (IKEv1) with the old IPSec VPN client.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

lmutsa1988 · ‎05-30-2013

Hi karsten,

Thank you for the response.

Im now planning for an upgrade of the firewall to version 8.4.