Make AnyConnect use IPsec instead of SSL

NazgulNr5, Level 1

We are currently switching from the old IPsec client to AnyConnect. Unfortunately we can't get AnyConnect to connect to our ASA. The ASA is behind a Peplink load balancer and we think the Peplink is blocking, or not correctly forwarding, the SSL traffic. AnyConnect always times out as there is no reply, and I see nothing from the connection attempt in the ASA log. If I try to connect to an IF that does not go through the load balancer, the VPN works fine.

Is there a way to force the AnyConnect client to connect using IPsec?

Or has anyone had a similar problem and found a solution?

Accepted Solution

Hi,

Can you not get someone to troubleshoot the load balancer? IPSec might also be blocked too.


To enable IKEv2/IPsec you'll need to define an IKEv2 policy, transform set, crypto map, enable IKEv2/IPsec etc. on the outside interface. Example here. You will also need to define an AnyConnect profile and select IPsec, as by default and without the profile AnyConnect will connect using SSL. Ensure ESP, UDP/500 and UDP/4500 are not blocked.


HTH

10 Replies

No, IPsec is not blocked. We know it works as the IPsec VPN client works.

Edit: We are working on fixing the load balancer, but right now we would like to have a working VPN that does not break with every Windows update.

Muhammad Awais Khan, Cisco Employee

Hi,


You can configure your ASA to use IKEv1 or IKEv2 instead of SSL. The config document is old but good for reference purposes:


http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-technote-anyconnect-00.html

Yes, I can do that but how can that fix the problem as AnyConnect never reaches the ASA? Shouldn't AnyConnect try IPsec if SSL fails? But maybe not if it fails due to a timeout...

No, like I said.... "You will also need to define an AnyConnect profile and select IPSec, as by default and without the profile AnyConnect will connect using SSL".

AnyConnect will never connect using IPSec unless you define a profile and select IPSec.

Ah, thanks, got it. However, I can't find any option to limit the connection method when I create a new profile. Can you tell me where it is?

Change the primary protocol from SSL to IPsec in the drop-down list under "Server List".

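As an added illustration (not from this thread), this is what the profile editor's "Primary Protocol" setting looks like in the resulting AnyConnect client profile XML; the host name, address and tunnel-group name are placeholders, and the ASA-side IKEv2 configuration (policy, proposal, crypto map, `crypto ikev2 enable` on the outside interface) is assumed to be in place as the accepted answer describes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed AnyConnect client profile. On Windows the client reads profiles from
     %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ ; the ASA can
     also push the profile to clients through the group policy (anyconnect profiles). -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <!-- Keep AutoUpdate on: profile and software updates still travel over the
         TLS client-services channel (TCP/443), independent of the tunnel protocol. -->
    <AutoUpdate UserControllable="false">true</AutoUpdate>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Display name shown in the client's drop-down list -->
      <HostName>Corporate VPN (IPsec)</HostName>
      <!-- Placeholder: the ASA outside address or DNS name -->
      <HostAddress>vpn.example.com</HostAddress>
      <!-- Placeholder: the ASA tunnel-group (connection profile) to use -->
      <UserGroup>RA-IPSEC</UserGroup>
      <!-- A HostEntry that omits PrimaryProtocol defaults to SSL, which is why
           AnyConnect never tried IPsec on its own. IPsec here means IKEv2 on UDP/500
           (UDP/4500 when NAT-T is detected) plus ESP, so those must reach the ASA. -->
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

After the profile is in place, a restart of the AnyConnect service is enough for the new entry to appear in the client's server list.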

Thank you, found it.

Do I need to redownload and reinstall AnyConnect?

I tried it with my currently installed AnyConnect (to the IF that works), the VPN client did some updating but still connects through SSL.

No, you don't need to re-install AnyConnect.
Once you have created the new profile, copy the file to the correct location and restart the AnyConnect services. The new connection should appear in the drop-down list.

Okay thanks. I'll try it out later.

We managed to get the load balancer to cooperate, so now we can use SSL anyway.

Thanks for helping though!