[Ach] Section on IOS-VPN

L. Aaron Kaplan kaplan at cert.at
Thu Jan 2 15:01:03 CET 2014

On Jan 2, 2014, at 2:53 PM, Karsten Iwen <ki at iwen.de> wrote:

> Am 02.01.2014 um 14:29 schrieb L. Aaron Kaplan <kaplan at cert.at>:
>> Okay, so I guess also for remote access , we might see a lot of compatibility issues with different clients?
> with remote-access there comes extra trouble:
> The EOL-announced Cisco VPN-client is still often in use but only supports DH-Group2 by default. There are workarounds possible, but they need a modification on the client. And I think the same way the document doesn't really take care of Windows XP it shouldn't really take care about legacy clients.

Agreed. Otherwise we will end up with 500 pages ;)

> The much more modern AnyConnect client is not widely used yet with routers as additional licenses are needed which are quite expensive. So for remote-access, using the ASA is the most common scenario.
> Nevertheless a Remote-Access section for the AnyConnect crypto on IOS should be included. But that again needs two sections, one for SSL/TLS and one for IKEv2. But the IKEv2-section will look quite similar to the one used for site-to-site. I'll look into that.

Thanks :)

> regards, Karsten

// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20140102/35a20277/attachment.sig>

More information about the Ach mailing list