L3VPN and IPsec

I have to ask if someone have the full documentation on how to do L3VPN and use IPsec to encrypt traffic between the terminal nodes L3VPN.

Thank you.

Petar

Petar,

For THIS what we usually recommend GETVPN, IPsec with GDOI for control plan. He is crypt not the IP header, but it retains the original header.

Empty:

http://www.Cisco.com/c/dam/en/us/products/collateral/security/group-encr...

Slide 9.

Tags: Cisco Security

Similar Questions

Difference between webVPN, SSL vpn and ipsec client

Hello

We just bought an ASA5510 and I am trying to understand the difference of the possibilities mentioned VPN. Can anyone describe the differences and use scenarios of all types of remote access vpn of the asa?

Thanks in advance.

Rgds,

Rasmus

Hi Rasmus,

They use different SSH and IPSEC protocols, and there is also of course in terms of security.

SSL is easy to deploy than ipsec. Imagine that you have 200 + users and to connect to the vpn, you must give them the pcf file and client software, which is not required in the case of SSL.

Kind regards

~ JG

Please note if assistance

SSL VPN and ipsec

For CISCO1841-SEC/K9, ssl and ipsec vpn connection vpn how, we can make and? The datasheet is not any specific number.

Thank you.

Dijoux

With the PIX and ASA, the number of peers is specified in the license and limited to the number specified in the license (so in support of peers, you must update the license). From my experience of the IOS application does not bind the number of peers for what anyone in the license. So, if you buy a feature set for IOS router supports IPSec/SSL VPN, then this is your license for IPSec and SSL peering (no separate license is required).

HTH

Rick

The GRE and IPSec

We currently have several sites with ISAKMP/IPSec tunnels between routers 2800 and we need some of them migrate to the GRE with IPSec tunnels. Are there problems with endpoint tunnels GRE and IPsec on the same router and interface?

I didn't know all the problems - apart from the router doing the encryption/decryption & GRE encapsulation/decapsulation, just be respect for traffic through the put.

I have noted problems with traffic GRE and MTU problems. Cisco recommends a MTU of 1440 at Discretion, I would say that set 1400.

HTH

Claire ISAKMP and IPSec in PIX Security Association

Hello

How do you delete the ISAKMP and IPSec security associations in a PIX? (As you do in the IOS using the commands 'clear' crypto..)

Thank you------Naman

The type of config mode:

Claire ipsec his

Claire isakmp his

I hope this helps.

Cody Rowland

Infrastructure engineer

DMVPN/IPSEC, GRE and IPSEC Multi Point

Hi all

I have a project of construction of 50 locations connectivity to my data center 2. Each location has Internet with router 877 with image dry.

my DC has 1900 router. Now I want what tunnel I go with. DMVPN IPSEC or IPSEC GRE.

The data will come from DC locations only. No inter connections location. I want to know the pros and cons as well as any change of required equipment.

Kind regards

Satya.M

Given your criteria, I would say THAT DMVPN would be best suited

Cisco - Configuration dynamic Multipoint Virtual Private Networks DMVPN

Implementation in DMVPN GDOI

Pete

Access-list group policy and IPSec tunnel.

I have an IPSec Site to Site VPN tunnel that ends on the external interface of the firewall. My ftp server is located in a demilitarized zone. The DMZ has an access list applied to the interface. When I created the Group of the tunnel for the Site to Site, I create a group of tunnel with group policy and manage the policy with filters. The filter looks like an access list. Are the filter and the ACL interface work together? The one replace the other? How they work together.

Once traffic ipsec, acl interface is not used until you have enabled "sysopt conn allowed-/ ipsec vpn. When you add a vpn-filter, it is what will filter the ipsec traffic.

Policy Nat and IPSec tunnel

Hello

I have a Cisco IOS router and you want to configure an IPSec tunnel between myself and the client. Unfortunately, we have two overlapping of 10 network IP addresses.

Is it possible for me to just Nat addresses IP on my side or should the customer Nat as well?

I have configured NAT on the inside of the interface for 10.134.206.1 to 192.168.156.6 so that Nat happens before that packages are encrypted in the tunnel, however tunnel is not coming. The client uses a sonic firewall and allowed their 10.91.0.0/16 network 192.168.156.0/24.

See attachment

Kind regards

They are wrong to installation. Remote local networks are not 10.134.206.0 and 10.134.206/42. It is simply your public IP address.

VTI transform whole NAME and ipsec profile NAME must match?

Just a quick question.
Establishing a VTI between two end points and I want to know best practices.

Transformation set NAME match? My tests show that it's OK to not have the same name on each end as the works of large tunnel.

The NAME ipsec profile must match? Again my tests shows that it is OK to not have the same name on each end as the large tunnel works.

Is this OK for the number of policy isakmp to not be the same on both ends. Tests show that it's OK as well.

While I know have different NAMES on each side work, I would like to know if its safe for production in that its does not cause me issues down the line.

The reason why I ask, I've read that both sides match, but only what settings, or is it the settings and names?

Hello

Only the parameters must be mapped on the ends and not the names. ISAKMP policy numbers and names are locally important and so it does not need to match both sides. Let me know if you have further questions.

HTH,

Khaldi

access list for traffic crossing and IPSEC

Hi, just a question fast and easy if everything goes well as im on thinking that he. IM on the establishment of the IPSEC between a Cisco router to another Cisco router. I want to only allow RDP through IPSEC.

I of course implement the ACL for the SHEEP, but I'll have to implement another ACL application outside? interface allowing a specific RDP server and denying everything.

Thank you

David

I have extracted this router to work. I changed some details to conceal the source, but it should illustrate what you need to do.

!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
address of examplekey key crypto isakmp 2.3.4.5
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac AES256SHA
tunnel mode
!
cust_map 10 ipsec-isakmp crypto map
defined peer 2.3.4.5
game of transformation-AES256SHA
match the address crypto_acl
!
interface GigabitEthernet8
cust_map card crypto
!
crypto_acl extended IP access list
host ip 192.168.25.52 permit 172.24.0.0 0.0.7.255
!

HTH

Rick

1841 can route between tunnel GRE and IPSEC tunnel?

Hello everyone!

See the image below.

Main office (10.0.1.0/24 LAN) and branch (10.0.2.0/24 LAN) are connected through the GRE tunnel.

The third office (10.0.3.0/24) is attached to the second branch via IPSEC.

Is there the way to establish the connection between the third and the main office through cisco 1841?

Is it possible to perform routing, perhaps with NAT?

In fact we need connection with a single server in the main office.

Thank you

Hello

It is possible to build this configuration.

the IPSEC connection between 10.0.3.x and 10.0.2.x should also encapsulate the traffic to main office.

Steps to follow:

Central office, to shift traffic to 10.0.3.x above the GRE tunnel.

The second part, add the 10.0.3.x - 10.0.1.x selection of traffic to the ACL IPSEC with the third

The third part, add the 10.0.3.x - 10.0.1.x selection of traffic to the ACL IPSEC with the second pane.

Please rate if this helped.

Kind regards

Daniel

UC500 and IPsec VPN client - disconnects

Just throw a question out there.
I have a UC560 running uc500-advipservicesk9 - mz.151 - 2.T2 site HQ. Remote users, about 8 of them, attempt to connect via IPsec VPN (v5.0.07.0440) HQ clients to access files, etc.. The behavior I see is 5 users to connect successfully, but only 5. As soon as more users trying to connect, they have either:
1. connect with success for a minutes, then unmold
2. get a 412, remote peer is not responding
3. connect, but someone of another session kickoff.
Users use the same VPN profile, but with names of single user and passwords.

Here are some of the CPU configs for VPN clients
Configuration group customer crypto isakmp USER01
key *.
DNS 192.168.0.110
pool USER01_POOL
ACL USER01_ACL

local RAUTHEN AAA authentication login
permission of AAA local RAUTHOR network authenticated by FIS

Crypto isakmp USER01_PROF profile
match of group identity USER01
list of authentication of client RAUTHEN
RAUTHOR of ISAKMP authorization list.
client configuration address respond

crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
crypto ISAKMP policy 10
BA aes
preshared authentication
Group 2
lifetime 28800
crypto ISAKMP policy 100
BA aes
preshared authentication
Group 2
life 3600
crypto ISAKMP policy 1000
BA 3des
preshared authentication
Group 2

I enabled debugging
Debug crypto ISAKMP
Debug crypto ipsec

Here are some of the things that I see on him debugs
604899: 16:41:13.333 Aug 21: ISAKMP: (2073): HASH payload processing. Message ID = 284724149
604900: 16:41:13.333 Aug 21: ISAKMP: (2073): treatment protocol NOTIFY DPD/R_U_THERE 1
0, message ID SPI = 284724149, a = 0x8E7C6E68
604901: 16:41:13.333 Aug 21: ISAKMP: (2073): error suppression node 284724149 FALSE reason 'informational (en) State 1.
604902: 16:41:13.333 Aug 21: ISAKMP: (2073): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
604903: 16:41:13.333 Aug 21: ISAKMP: (2073): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

581504: 16:59:12.805 Aug 20: ISAKMP: (2147): purge the node-1455244451
581505: 16:59:12.805 Aug 20: ISAKMP: (2147): purge the node 840814618
581506: 16:59:13.933 Aug 20: ISAKMP (2147): received 201.195.231.162 packet dport 4500 sport 37897 Global (R) QM_IDLE
581507: 16:59:13.933 Aug 20: ISAKMP: node set 801982813 to QM_IDLE
581508: 20 August 16:59:13.933: ISAKMP: (2147): HASH payload processing. Message ID = 801982813
581509: 16:59:13.933 Aug 20: ISAKMP: receives the payload type 18
581510: 16:59:13.933 Aug 20: ISAKMP: (2147): treatment remove with load useful reason
581511: 16:59:13.933 Aug 20: ISAKMP: (2147): remove the doi = 0
581512: 16:59:13.933 Aug 20: ISAKMP: (2147): remove Protocol id = 1
581513: 16:59:13.933 Aug 20: ISAKMP: (2147): remove spi_size = 16
581514: 16:59:13.933 Aug 20: ISAKMP: (2147): remove the spis num = 1
581515: 16:59:13.933 Aug 20: ISAKMP: (2147): delete_reason = 2
581516: 20 August 16:59:13.933: ISAKMP: (2147): load DELETE_WITH_REASON, processing of message ID = 801982813, reason: DELETE_BY_USER_COMMAND
581517: 16:59:13.933 Aug 20: ISAKMP: (2147): peer does not paranoid KeepAlive.

581518: 16:59:13.933 Aug 20: ISAKMP: (2147): peer does not paranoid KeepAlive.

581519: 16:59:13.933 Aug 20: ISAKMP: (2147): removal of State of SA reason 'Order BY user' (R) QM_IDLE (post 201.195.231.162)
581520: 16:59:13.933 Aug 20: ISAKMP: (2147): error suppression node 801982813 FALSE reason 'informational (en) State 1.
581521: 16:59:13.933 Aug 20: ISAKMP: node set-878597687 to QM_IDLE
581522: 20 August 16:59:13.937: ISAKMP: (2147): lot of 201.195.231.162 sending peer_port my_port 4500 37897 (R) QM_IDLE
581523: 16:59:13.937 Aug 20: ISAKMP: (2147): sending a packet IPv4 IKE.
581524: 16:59:13.937 Aug 20: ISAKMP: (2147): purge the node-878597687
581525: 16:59:13.937 Aug 20: ISAKMP: (2147): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
581526: 16:59:13.937 Aug 20: ISAKMP: (2147): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA

I opened a case with TAC on this and they do not understand what is the cause. For them, it looks like a bug without papers. And their recommendation is to reboot, upgrade or try configuring L2TP for remote users.

Thank you

JP

JP,

An update of IOS is worth it, even if him debugs seems to indicate that there is a problem with the client. If possible, I always suggest test with another client to see if it is unique to the Cisco VPN Client on Win7. Regarding the limit of 20 tunnel, it is very probably the number of IPsec security associations. If you issue a 'show crypto eli', this example displays the number of Sessions that are currently active IPSec.

HTH,

Frank

GRE and IPSEC VPN tunnel over the same interface

My client is currently connected to a service provider of call through a GRE Tunnel over IPSEC. They chose to move all connections to a VPN site-to-site traditional behind a firewall, here, to your corp office. As the questions says, is possible for me to put in place the VPN site to site on the same router? Interface Tunnelx both ethernet have the same encryption card assigned to the destination router. I thought that traffic could divide by identification of traffic 'interesting '. Thanks for all the ideas, suggestions

Ray

Ray

Thanks for the additional information. It takes so that the existing entries in ACL 101 remain so the existing tunnel will still work. And you have to add entries that will allow the new tunnel. Editing an ACL that is actively filtering traffic can get complicated. Here is a technique that I use sometimes.

-create a new access list (perhaps ACL 102 assuming that 102 is not already in use).

-Copy the entries of ACL 101 to 102 and add additional entries you need in places appropriate in the ACL.

-Once the new version of the ACL is complete in the config, then go tho the interface and change the ip access-group to point to the new ACL.

This provides a transition that does not affect traffic. And he made it back to the original easy - especially if something does not work as expected in the new ACL.

If the encryption of the remote card has an entry for GRE and a separate entrance for the IPSec which is a good thing and should work. I guess card crypto for GRE entry specifies an access list that allows the GRE traffic and for IPSec crypto map entry points to a different access list that identifies the IP traffic is encrypted through the IPSec tunnel.

HTH

Rick

DMVPN and IPsec CLIENT?

Hello

I was wondering if it was possible to use CRYPTOGRAPHY even for both: DMVPN and CLIENT IPsec?

To make it work, I have to use 1 crypto for the DMVPN and 1 crypto for IPsec, both systems operate on the same router, my router TALK can connect to my HUB router and my computer can connect to the router "HUB" via an IPsec tunnel.

Is their any way to make it easier, instead of doing configs in a single router for more or less the same work?

My stitching question may be stupid, sorry for that, I'm still learning, and I love it

Here below the full work DMVPN + IPsec:

Best regards

Didier

ROUTER1841 #sh run

Building configuration...

Current configuration: 9037 bytes

!

! Last configuration change to 21:51:39 gmt + 1 Monday February 7, 2011 by admin

! NVRAM config last updated at 21:53:07 gmt + 1 Monday February 7, 2011 by admin

!

version 12.4

horodateurs service debug datetime localtime

Log service timestamps datetime msec

encryption password service

!

hostname ROUTER1841

!

boot-start-marker

boot-end-marker

!

forest-meter operation of syslog messages

logging buffered 4096 notifications

enable password 7 05080F1C2243

!

AAA new-model

!

!

AAA authentication banner ^ C

THIS SYSTEM IS ONLY FOR THE USE OF AUTHORIZED FOR OFFICIAL USERS

^ C

AAA authentication login userauthen local

AAA authorization groupauthor LAN

!

!

AAA - the id of the joint session

clock time zone gmt + 1 1 schedule

clock daylight saving time gmt + 2 recurring last Sun Mar 02:00 last Sun Oct 03:00

dot11 syslog

no ip source route

!

!

No dhcp use connected vrf ip

DHCP excluded-address IP 192.168.10.1

DHCP excluded-address IP 192.168.20.1

DHCP excluded-address IP 192.168.30.1

DHCP excluded-address IP 192.168.100.1

IP dhcp excluded-address 192.168.1.250 192.168.1.254

!

IP dhcp pool vlan10

import all

network 192.168.10.0 255.255.255.0

default router 192.168.10.1

lease 5

!

IP dhcp pool vlan20

import all

network 192.168.20.0 255.255.255.0

router by default - 192.168.20.1

lease 5

!

IP dhcp pool vlan30

import all

network 192.168.30.0 255.255.255.0

default router 192.168.30.1

!

IP TEST dhcp pool

the host 192.168.100.20 255.255.255.0

0100.2241.353f.5e client identifier

!

internal IP dhcp pool

network 192.168.100.0 255.255.255.0

Server DNS 192.168.100.1

default router 192.168.100.1

!

IP dhcp pool vlan1

network 192.168.1.0 255.255.255.0

Server DNS 8.8.8.8

default router 192.168.1.1

lease 5

!

dhcp MAC IP pool

the host 192.168.10.50 255.255.255.0

0100.2312.1c0a.39 client identifier

!

IP PRINTER dhcp pool

the host 192.168.10.20 255.255.255.0

0100.242b.4d0c.5a client identifier

!

MLGW dhcp IP pool

the host 192.168.10.10 255.255.255.0

address material 0004.f301.58b3

!

pool of dhcp IP pc-vero

the host 192.168.10.68 255.255.255.0

0100.1d92.5982.24 client identifier

!

IP dhcp pool vlan245

import all

network 192.168.245.0 255.255.255.0

router by default - 192.168.245.1

!

dhcp VPN_ROUTER IP pool

0100.0f23.604d.a0 client identifier

!

dhcp QNAP_NAS IP pool

the host 192.168.10.100 255.255.255.0

0100.089b.ad17.8f client identifier

name of the client QNAP_NAS

!

!

IP cef

no ip bootp Server

IP domain name dri

host IP SW12 192.168.1.252

host IP SW24 192.168.1.251

IP host tftp 192.168.10.50

host IP of Router_A 192.168.10.5

host IP of Router_B 10.0.1.1

IP ddns update DynDNS method

HTTP

Add http://dri66: [email protected] / * *//nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=[email protected] / * //nic/update?system=dyndns&hostname=mlgw.dyndns.info&myip=

maximum interval 1 0 0 0

minimum interval 1 0 0 0

!

NTP 66.27.60.10 Server

!

Authenticated MultiLink bundle-name Panel

!

!

Flow-Sampler-map mysampler1

Random mode one - out of 100

!

Crypto pki trustpoint TP-self-signed-2996752687

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 2996752687

revocation checking no

rsakeypair TP-self-signed-2996752687

!

!

VTP version 2

username Admin privilege 15 secret 5 $1$ gAFQ$ 2ecAHSYEU9g7b6WYuTY9G.

username cisco password 7 02050D 480809

Archives

The config log

hidekeys

!

!

crypto ISAKMP policy 3

BA 3des

preshared authentication

Group 2

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0

!

ISAKMP crypto client configuration group 3000client

key cisco123

DNS 8.8.8.8

dri.eu field

pool VPNpool

ACL 150

!

!

Crypto ipsec transform-set strong esp-3des esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

!

Profile cisco ipsec crypto

define security-association life seconds 120

transformation-strong game

!

!

Crypto-map dynamic dynmap 10

Set transform-set RIGHT

!

!

map clientmap client to authenticate crypto list userauthen

card crypto clientmap isakmp authorization list groupauthor

client configuration address map clientmap crypto answer

10 ipsec-isakmp crypto map clientmap Dynamics dynmap

!

!

!

property intellectual ssh time 60

property intellectual ssh authentication-2 retries

IP port ssh 8096 Rotary 1

property intellectual ssh version 2

!

!

!

interface Loopback0

IP 192.66.66.66 255.255.255.0

!

interface Tunnel0

172.16.0.1 IP address 255.255.255.0

no ip redirection

IP mtu 1440

no ip next-hop-self eigrp 90

property intellectual PNDH authentication cisco123

dynamic multicast of IP PNDH map

PNDH network IP-1 id

No eigrp split horizon ip 90

source of tunnel FastEthernet0/0

multipoint gre tunnel mode

0 button on tunnel

Cisco ipsec protection tunnel profile

!

interface FastEthernet0/0

DMZ description

IP ddns update hostname mlgw.dyndns.info

IP ddns update DynDNS

DHCP IP address

no ip unreachable

no ip proxy-arp

NAT outside IP

IP virtual-reassembly

automatic duplex

automatic speed

clientmap card crypto

!

interface FastEthernet0/0,241

Description VLAN 241

encapsulation dot1Q 241

DHCP IP address

IP access-group dri-acl-in in

NAT outside IP

IP virtual-reassembly

No cdp enable

!

interface FastEthernet0/0.245

encapsulation dot1Q 245

DHCP IP address

IP access-group dri-acl-in in

NAT outside IP

IP virtual-reassembly

No cdp enable

!

interface FastEthernet0/1

Description INTERNAL ETH - LAN$

IP 192.168.100.1 address 255.255.255.0

no ip proxy-arp

IP nat inside

IP virtual-reassembly

Shutdown

automatic duplex

automatic speed

!

interface FastEthernet0/0/0

switchport access vlan 10

spanning tree portfast

!

interface FastEthernet0/0/1

switchport access vlan 245

spanning tree portfast

!

interface FastEthernet0/0/2

switchport access vlan 30

spanning tree portfast

!

interface FastEthernet0/0/3

switchport mode trunk

!

interface Vlan1

IP address 192.168.1.250 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan10

IP 192.168.10.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan20

address 192.168.20.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

Vlan30 interface

192.168.30.1 IP address 255.255.255.0

IP nat inside

IP virtual-reassembly

!

interface Vlan245

IP 192.168.245.1 255.255.255.0

IP nat inside

IP virtual-reassembly

!

Router eigrp 90

network 172.16.0.0

network 192.168.10.0

No Auto-resume

!

IP pool local VPNpool 172.16.1.1 172.16.1.100

IP forward-Protocol ND

no ip address of the http server

local IP http authentication

IP http secure server

!

IP flow-cache timeout idle 130

IP flow-cache timeout active 20

cache IP flow-aggregation prefix

cache timeout idle 400

active cache expiration time 25

!

!

overload of IP nat inside source list 170 interface FastEthernet0/0

overload of IP nat inside source list interface FastEthernet0/0.245 NAT1

IP nat inside source static tcp 192.168.10.10 80 interface FastEthernet0/0 8095

!

access-list 150 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255

access-list 170 refuse ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 170 permit ip 192.168.10.0 0.0.0.255 any

access-list 180 deny ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 180 permit ip 192.168.10.0 0.0.0.255 any

not run cdp

!

!

!

route NAT allowed 10 map

corresponds to the IP 180

!

!

!

control plan

!

exec banner ^ C

WELCOME YOU ARE NOW LOGED IN

^ C

connection of the banner ^ C

WARNING!

IF YOU ARE NOT:

Didier Ribbens

Please leave NOW!

YOUR IP and MAC address will be LOGGED.

^ C

!

Line con 0

Speed 115200

line to 0

line vty 0 4

access-class 5

privilege level 15

Rotary 1

transport input telnet ssh

line vty 5 15

access-class 5

Rotary 1

!

Scheduler allocate 20000 1000

end

Didier,

Some time ago, I wrote a bit on VT, you should be able to find information about the server ezvpn DVTI it.

https://supportforums.Cisco.com/community/NetPro/security/VPN/blog/2010/12/08/advantages-of-VTI-configuration-for-IPSec-tunnels

The configuartion you have right now is the way to strives for ezvpn, with the new way DMVPN (protection of tunnel).

If it is true for the most part, it is best to go on the learning curve Moose and go everythign new configuration.

With EZVPN you can always assign IP from the pool by group ezvpn or external authorization ;-)

Anyway let me know if you face any problems.

Marcin

AnyConnect and IPSec on ASA5505

Hello

ASA 5505 has only 2 peers of SSL VPN and 25 VPN peers. When we connect to our society through AnyConnect I see that these people use the IKEv2 IPsecOverNatT Protocol. It is suggested that they do not use SSL VPN. But when the third person trying to connect via AnyConnect, receives information about the connection failied.

is it possible to configure AnyConnect or ASA everyone who is set to ASA uses only IPsec, SSL VPN not?

I use

The ASA version: 9.1

The ASDM version: 7.1

Thanks for your help

Robert

For AnyConnect you need an additional license if you want to surpass two users competitor. It is also for IPSec.

You have two choices:

(1) purchase the L-ASA-AC-E-5505 = license is about $50)

(2) configure IKEv1 and use the traditional IPSec VPN Client (EOS/EOL is announced for the Cisco client, but there are many other clients)

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

L3VPN and IPsec

Similar Questions

Maybe you are looking for