
Remote Access VPN: SSL, WebVPN and IPsec clarification

NDP
Level 1

This may be a strange question, but this is confusing me.

Could someone help me understand the configuration and procedure differences between SSL VPN using AnyConnect and IKEv1 and IKEv2 VPNs?

When I started working on ASA firewalls in 2013-2014, I used to create a remote access VPN profile on the firewall and share a .pcf file along with the pre-shared key with users; that was completely based on IPsec protocols.

People were using Citrix-based SSL VPNs. It required downloading an .ica file to establish a connection to the remote gateway. I understood this.

But after Cisco AnyConnect was introduced, we have been configuring SSL-based VPNs by specifying TLS/SSL as the tunnel protocol. I noticed that a couple of tunnel-groups have both ikev1, ikev2 and ssl.

I would like to know:

(1) Is tunnel-group configuration required for both SSL and IPsec?

(2) What is the major change which changes the mode of VPN for remote users?

(3) Even if we specify IKE as the tunnel protocol, does Cisco AnyConnect require SSL ciphers on the VPN gateway?

Could someone help me with any document, if available? Thank you in advance.


Accepted Solution

Marvin Rhoads
Hall of Fame

It's the group-policy (also known as connection profile) where we set the protocol to be used. For AnyConnect clients the valid choices are ssl-client (technically using TLS) and ikev2.

Even if we want to use ikev2 (IPsec) we typically also use TLS for the initial session exchange of information, sync of the client profile etc. You can do it purely with ikev2 but very few organizations do so.

The best performance results from using DTLS 1.2 - requiring ssl-client as the protocol choice in the group-policy and ASA 9.10+ with AnyConnect 4.7+ releases.

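To make the relationship the answer describes concrete, here is an added example (not from the original thread or from Cisco) that parses a constructed ASA running-config and reports, per tunnel-group, which remote-access protocols its default group-policy permits, flagging any group that still allows IKEv1; the group-policy and tunnel-group names are placeholders, and the config lines follow standard ASA syntax as I know it.

```python
# Added example: report, per ASA tunnel-group, which remote-access protocols
# its default group-policy permits. SAMPLE_CONFIG is a constructed sample;
# group-policy and tunnel-group names are placeholders.
import re

SAMPLE_CONFIG = """\
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ssl-client ikev2
 webvpn
  anyconnect ssl dtls enable
group-policy LEGACY-GP internal
group-policy LEGACY-GP attributes
 vpn-tunnel-protocol ikev1
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 default-group-policy RA-GP
tunnel-group LEGACY-TG type remote-access
tunnel-group LEGACY-TG general-attributes
 default-group-policy LEGACY-GP
crypto ikev2 enable outside client-services port 443
"""

def parse_protocols(config):
    """Map each tunnel-group to the protocol set its default group-policy permits."""
    gp_protocols, tg_policy, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = ("gp", m.group(1))
            continue
        m = re.match(r"tunnel-group (\S+) general-attributes$", line)
        if m:
            current = ("tg", m.group(1))
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the attributes block
            continue
        m = re.match(r"\s+vpn-tunnel-protocol (.+)", line)
        if m and current and current[0] == "gp":
            gp_protocols[current[1]] = set(m.group(1).split())
        m = re.match(r"\s+default-group-policy (\S+)", line)
        if m and current and current[0] == "tg":
            tg_policy[current[1]] = m.group(1)
    # No vpn-tunnel-protocol line means inheritance from DfltGrpPolicy: report an empty set.
    return {tg: gp_protocols.get(gp, set()) for tg, gp in tg_policy.items()}

def legacy_ikev1_groups(config):
    """Tunnel-groups still permitting IKEv1 (the old PCF/pre-shared-key client model)."""
    return sorted(tg for tg, p in parse_protocols(config).items() if "ikev1" in p)
```

Run it against the output of `show running-config` to spot connection profiles whose group-policy still permits the legacy IKEv1 client model alongside AnyConnect.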
