Solved: Make AnyConnect use IPsec instead of SSL

NazgulNr5 · ‎01-28-2020

We are currently switching from the old IPsec client to AnyConnect. Unfortunately we can't get AnyConnect to connect to our ASA. The ASA is behind a Peplink loadbalancer and we think the Peplink is blocking/not forwarding correctly the SSL traffic. AnyConnect always times out as there is no reply and I see nothing from the connection attempt in the ASA log. If I try to connect to an IF that does not go through the load balancer the VPN works fine.

Is there a way force the AnyConnect client to connect using IPsec?

Or has anyone had a similar problem and found a solution?

Rob Ingram · ‎01-28-2020

Hi,

Can you not get someone to troubleshoot the load balancer? IPSec might also be blocked too.

To enable IKEv2/IPSec - you'll need to define ikev2 policy, transform set, crypto map, enable IKEv2/IPSec etc on the outside interface. Example here. You will also need to define an AnyConnect profile and select IPSec, as by default and without the profile AnyConnect will connect using SSL. Ensure ESP, UDP/500 and 4500 are not blocked.

HTH

View solution in original post

Rob Ingram · ‎01-28-2020

Hi,

Can you not get someone to troubleshoot the load balancer? IPSec might also be blocked too.

To enable IKEv2/IPSec - you'll need to define ikev2 policy, transform set, crypto map, enable IKEv2/IPSec etc on the outside interface. Example here. You will also need to define an AnyConnect profile and select IPSec, as by default and without the profile AnyConnect will connect using SSL. Ensure ESP, UDP/500 and 4500 are not blocked.

HTH

NazgulNr5 · ‎01-28-2020

No, IPsec is not blocked. We know it works as the IPsec VPN client works.

Edit: We are working on fixing the loadbalancer but right now we would like to have a working VPN that does not break with every Windows update.

Muhammad Awais Khan · ‎01-28-2020

Hi,

You can configure your ASA to use ikev1 or like v2 instead of SSL. The config document is old but good for reference purpose:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-technote-anyconnect-00.html

NazgulNr5 · ‎01-28-2020

Yes, I can do that but how can that fix the problem as AnyConnect never reaches the ASA? Shouldn't AnyConnect try IPsec if SSL fails? But maybe not if it fails due to a timeout...

Rob Ingram · ‎01-28-2020

No, like I said.... "You will also need to define an AnyConnect profile and select IPSec, as by default and without the profile AnyConnect will connect using SSL".

AnyConnect will never connect using IPSec unless you define a profile and select IPSec.

NazgulNr5 · ‎01-28-2020

Ah, thanks, got it. However, I can't find any option to limit the connection method when I create a new profile. Can you tell me where it is?

Rob Ingram · ‎01-28-2020

Change the primary protocol from SSL to IPSec in the drop-down list under "Server List"

NazgulNr5 · ‎01-28-2020

Thank you, found it.

Do I need to redownload and reinstall AnyConnect?

I tried it with my currently installed AnyConnect (to the IF that works), the VPN client did some updating but still connects through SSL.

Rob Ingram · ‎01-28-2020

No you don't need to re-install AnyConnect.
Once you created the new profile, copy the file to the correct location and restart the AnyConnect services. The new connection should appear in the drop down list.

NazgulNr5 · ‎01-29-2020

Okay thanks. I'll try it out later.

We managed to get the loadbalancer to cooperate so now we can use SSL anyway.

Thanks for helping though!