VPN Client: support IPSEC IKEv1 & IKEv2 simultaneously

FREDERIC FABRE
Level 1

Hello,

My purpose is to have a VPN configuration working for IPSEC IKEv1 and IKEv2 clients (Cisco VPN Client & Cisco AnyConnect Secure Mobility Client).

Is it possible to connect our AnyConnect client with a pre-shared key without using WebVPN or an SSL certificate, in the same way as I do with the Cisco VPN Client?

Note: I don't want my firewall to be visible from the internet, and my Cisco VPN Client works well with IKEv1.

Thanking you in advance.

Romain

4 Replies

Bogdan Nita
VIP Alumni

Hi Romain,

Unfortunately, AnyConnect does not support pre-shared key configuration.

There are other options available for AnyConnect, like two-factor authentication, if security is a concern.

You could have two VPN tunnels, one for AnyConnect and one for the VPN client, in order to maintain the old VPN client.

I am not sure what you mean by: "I don't want my firewall to be visible from the internet", maybe you can explain.

HTH

Bogdan

Hi Bogdan,

Thanks for your response.

Yes, I want to maintain the old VPN client and the L2TP client.

To be more precise, when I implemented IPSEC IKEv1 and L2TP on my ASA, I didn't have to use the SSL protocol or a certificate to authenticate my user. I just needed to create crypto / groups / tunnels / local users and set up my VPN clients.

Now I am trying to do the same thing, namely implement the Cisco AnyConnect Secure Mobility Client with IPSEC IKEv2 for a local user. But I don't want a web portal or certificate to be available when I try to contact my firewall from the outside. I don't want to be able to type https://mon_asa and reach it; I want to set up my Cisco AnyConnect client and connect to my firewall directly. Is that possible with IKEv2?

I hope to be quite specific. Thanks.

Romain

In order to close the web portal for all tunnels, you could use:

webvpn
 keepout "your message"

The page will still be accessible, but unusable. 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/jk.html
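
An added example, not part of the original thread and not Cisco's code: a small Python audit that reads a saved ASA running-config and reports which IKE versions are enabled per interface and whether the global `webvpn` portal is usable or blocked by `keepout`. The sample config is constructed, and the line forms `crypto ikev1|ikev2 enable <interface>` and `enable <interface>` under `webvpn` are assumptions about how the configuration is written.

```python
import re

# Constructed sample of an ASA running-config fragment (not from the thread).
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev2 enable outside
webvpn
 enable outside
 keepout "Portal disabled"
 anyconnect enable
tunnel-group RA-IKEV1 type remote-access
"""

def audit_asa_config(text):
    """Collect IKE versions enabled per interface and the webvpn portal settings."""
    report = {"ike": {}, "portal_ifaces": [], "keepout": None}
    section = None  # first word of the top-level block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and "!" separators
        if not raw[0].isspace():  # top-level command starts a new block
            section = line.split()[0]
            m = re.fullmatch(r"crypto (ikev[12]) enable (\S+)(?: .*)?", line)
            if m:
                report["ike"].setdefault(m.group(2), set()).add(m.group(1))
        elif section == "webvpn":  # indented sub-command of the global webvpn block
            m = re.fullmatch(r"enable (\S+)(?: .*)?", line)
            if m:
                report["portal_ifaces"].append(m.group(1))
            m = re.fullmatch(r'keepout\s+"?(.*?)"?', line)
            if m:
                report["keepout"] = m.group(1)
    return report

def portal_state(report):
    """Classify the web portal the way the answer describes the keepout effect."""
    if not report["portal_ifaces"]:
        return "not enabled"
    if report["keepout"] is None:
        return "usable"
    return "reachable but unusable (keepout)"

if __name__ == "__main__":
    r = audit_asa_config(SAMPLE_CONFIG)
    for iface, versions in sorted(r["ike"].items()):
        print(iface, "IKE:", ", ".join(sorted(versions)))
    print("portal:", portal_state(r), "on", r["portal_ifaces"])
```
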

Hello,

Thank you Bogdan, your post helped me.

Romain.