Ubuntu 20.04 to Cisco ASA 5525 VPN

vpandey
Level 1

Hello,

We have a client with a Cisco ASA 5525.

Is it possible to connect to it from an Ubuntu 20.04 GNU/Linux machine on an Amazon EC2 instance and establish a VPN tunnel?

If yes, would the Cisco AnyConnect VPN client for Linux work for doing that?

Moreover, the ASA 5525 has the following requirements for the VPN:

Netsmart Minimum Standard IKE (ISAKMP Phase 1) Settings:

Authentication Algorithm: IKEv2
Encryption Algorithm: AES 256
Integrity: SHA-256 or SHA-512
Lifetime: 86400 seconds
Diffie Hellman Group: Group 14 or higher
Authentication Mode: Pre-shared Key

Netsmart Minimum Standard IPSec (Phase 2) Settings:

Encryption Algorithm: AES 256
Integrity: SHA-256 or SHA-512
Lifetime: 28800 seconds
Negotiation Mode: Main
PFS: Disabled

Moreover:

Disable IKE keep-alives
Disable VPN idle timeouts
Disable DPD (Dead Peer Detection)

Would the Cisco AnyConnect VPN client for Linux support these settings?

If no, what would be the best way to go about it?

Thanks and regards,

- V

2 Replies

@vpandey

Yes, you can use Ubuntu 20.04 with the AnyConnect VPN client; use the latest version, 4.10:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html

The AnyConnect VPN client does not support Pre-Shared Key (PSK) authentication, only certificate or username/password (RADIUS, LDAP or local). PSK would be supported if you were setting up a Site-to-Site VPN between two firewalls or routers, not a software VPN client.

The other IKEv2/IPSec algorithms/settings will be supported.

Thank you Rob!

However, we can't change things at the ASA end (due to policy reasons), so I need to stick to PSK.

So, I would need to set up a site-to-site VPN. I am thinking of putting up strongSwan on my Ubuntu box and then establishing the VPN connection. Could that be a good option?

I came up with the idea after seeing:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/215884-configure-a-site-to-site-vpn-tunnel-with.html

Best regards,

- V
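As an added example (not from this thread and not from the Cisco document linked above), here is what the strongSwan side of that site-to-site tunnel could look like when it is written to match the parameters listed in the question. It uses the swanctl configuration format of strongSwan 5.8, which is the version shipped in Ubuntu 20.04 (for example via the strongswan-swanctl and charon-systemd packages), and would be saved as /etc/swanctl/conf.d/asa.conf. Every address, subnet, identity, connection name and the pre-shared key below is an assumed placeholder (RFC 5737 documentation ranges) that has to be replaced with the values agreed with the client. Two caveats worth knowing before reading it: "Main mode" is an IKEv1 concept with no counterpart or setting in IKEv2, and IKEv2 does not negotiate SA lifetimes at all, so the 86400 s and 28800 s values are simply local timers that each peer runs independently.

```conf
# /etc/swanctl/conf.d/asa.conf  (added example; all addresses and the PSK are placeholders)
#
# Assumed topology (RFC 5737 documentation addresses, not real ones):
#   EC2 instance private IP 10.0.1.25, Elastic IP 198.51.100.7 (1:1 NAT done by AWS)
#   ASA 5525 outside interface 203.0.113.10, LAN behind the ASA 192.168.50.0/24
#   VPC subnet that should reach the ASA LAN: 10.0.1.0/24

connections {
    asa {
        version = 2                     # IKEv2 only, never fall back to IKEv1
        remote_addrs = 203.0.113.10     # ASA outside interface

        # Phase 1: AES-256, SHA-256 or SHA-512 integrity/PRF, DH group 14 (modp2048).
        # The ASA picks the first proposal it also accepts.
        proposals = aes256-sha256-modp2048,aes256-sha512-modp2048

        # IKE SA lifetime 86400 s. Rekeying a little early (rekey_time) keeps the
        # hard expiry (rekey_time + over_time) at 86400 s without colliding with
        # the ASA's own timer.
        rekey_time = 82800s
        over_time  = 3600s

        dpd_delay = 0s                  # 0s disables Dead Peer Detection (requirement)

        local {
            auth = psk
            # The ASA only ever sees the Elastic IP, so present it as the IKE
            # identity; the default identity (the private interface address)
            # would not match the peer the ASA is configured for.
            id = 198.51.100.7
        }
        remote {
            auth = psk
            id = 203.0.113.10
        }

        children {
            asa-lan {
                # Traffic selectors must agree with the ASA's crypto ACL.
                local_ts  = 10.0.1.0/24
                remote_ts = 192.168.50.0/24

                # Phase 2: AES-256 with SHA-256 or SHA-512. No DH group in the
                # ESP proposal means PFS is disabled, as required.
                esp_proposals = aes256-sha256,aes256-sha512

                # IPsec SA lifetime 28800 s: soft rekey before the hard limit.
                rekey_time = 27000s
                life_time  = 28800s

                start_action = start    # bring the tunnel up as soon as the config is loaded
            }
        }
    }
}

secrets {
    ike-asa {
        id-asa   = 203.0.113.10
        id-local = 198.51.100.7
        secret   = "replace-with-the-pre-shared-key-agreed-with-the-client"
    }
}
```

Load it with `sudo swanctl --load-all`, then check the result with `sudo swanctl --list-sas`; `sudo swanctl --log` streams the IKE daemon's log, which is where a proposal or identity mismatch with the ASA shows up. On the EC2 side the instance's security group must allow inbound UDP 500 and 4500 from the ASA's address; because the Elastic IP is a 1:1 NAT, IKE will detect NAT and switch to UDP 4500 (NAT-T), which the ASA must permit as well. If hosts other than the instance itself are meant to use the tunnel, also set net.ipv4.ip_forward=1, disable the instance's source/destination check, and add a VPC route for 192.168.50.0/24 pointing at the instance. The "disable IKE keep-alives" requirement refers to the ASA's own ISAKMP keepalive/DPD feature; the only comparable timer left on the strongSwan side is the NAT-T keepalive (charon.keep_alive in strongswan.conf, 20s by default), a one-byte UDP/4500 packet the ASA's IKE daemon ignores, which can be set to 0s if the client insists.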