[Ach] Section on IOS-VPN
L. Aaron Kaplan
kaplan at cert.at
Thu Jan 2 15:01:03 CET 2014
On Jan 2, 2014, at 2:53 PM, Karsten Iwen <ki at iwen.de> wrote:
> On 02.01.2014 at 14:29, L. Aaron Kaplan <kaplan at cert.at> wrote:
>> Okay, so I guess also for remote access, we might see a lot of compatibility issues with different clients?
> With remote-access there comes extra trouble:
> The EOL-announced Cisco VPN-client is still often in use but only supports DH-Group2 by default. There are workarounds possible, but they need a modification on the client. And I think that, in the same way the document doesn't really take care of Windows XP, it shouldn't really take care of legacy clients.
Agreed. Otherwise we will end up with 500 pages ;)
> The much more modern AnyConnect client is not widely used yet with routers, as additional licenses are needed, which are quite expensive. So for remote-access, using the ASA is the most common scenario.
> Nevertheless a Remote-Access section for the AnyConnect crypto on IOS should be included. But that again needs two sections, one for SSL/TLS and one for IKEv2. But the IKEv2-section will look quite similar to the one used for site-to-site. I'll look into that.
> regards, Karsten
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Company register number 172568b, LG Salzburg