[Ach] Section on IOS-VPN

Karsten Iwen ki at iwen.de
Thu Jan 2 14:53:30 CET 2014

On 02.01.2014 at 14:29, L. Aaron Kaplan <kaplan at cert.at> wrote:

> Okay, so I guess also for remote access, we might see a lot of compatibility issues with different clients?

With remote-access there comes extra trouble:

The EOL-announced Cisco VPN-client is still often in use but only supports DH-Group2 by default. There are workarounds possible, but they need a modification on the client. And I think that, in the same way the document doesn't really take care of Windows XP, it shouldn't really take care of legacy clients.

The much more modern AnyConnect client is not widely used yet with routers, as additional licenses are needed, which are quite expensive. So for remote-access, using the ASA is the most common scenario.

Nevertheless, a Remote-Access section for the AnyConnect crypto on IOS should be included. But that again needs two sections, one for SSL/TLS and one for IKEv2. But the IKEv2-section will look quite similar to the one used for site-to-site. I'll look into that.

Regards, Karsten
