04-22-2014 12:46 AM
04-22-2014 01:14 AM
Hi Br Herbert,
ASA supports PFS ( Perfect Forward Secrecy) for IPSEC using Diffie-Hellman (DH) groups 1,2,5 and 7.
TLS is generally used in SSL connections.
Vishnu
04-22-2014 01:24 AM
Hi,
The question was really: does the ASA support FAST FORWARD SECRECY for TLS?
The output after checking the ASA WebVPN solution with
https://www.ssllabs.com/ssltest/analyze.html
is:
The server does not support Forward Secrecy with the reference browsers.
br Herbert
04-22-2014 08:18 AM
ASDM - Configuration - Remote Access VPN - Advanced - SSL Settings
Disable everything but DHE stuff. Test again.
04-22-2014 08:34 AM
Thank you, that works with the ssllabs.com check.
After that the Anyconnect client does not work anymore.
Is that because of TLS 1.0 ?
04-22-2014 12:15 PM
Are you running AnyConnect 3.1?
04-23-2014 12:51 AM
yes
04-23-2014 12:57 AM
Hm, sorry, I checked the release notes for AnyConnect 3.0; there it's stated that DHE is not supported for 3.0 and 2.5, so I guessed it's in 3.1, but the release notes [1] state:
Because the collective set of algorithms defined as National Security Agency (NSA) Suite B are becoming a standard, the AnyConnect IPsec VPN (IKEv2 only), PKI, 802.1X, and EAP now support them.
So, best practice would be to set DHE at the top and leave the other secure algorithms for AnyConnect compatibility.
[1] http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html
04-23-2014 02:56 AM
Anyconnect seems to work with Internet Explorer libraries. All other browsers work with DHE if it is configured first, before the other ciphers.
thanks
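As an added example (not from this thread or from Cisco), a small Python probe that mimics the SSL Labs forward-secrecy check quoted above and the "DHE at the top" ordering advice: it handshakes with a WebVPN host once with the client's default cipher offer and once offering DHE/ECDHE suites only, and it reorders a constructed ASA-like cipher list so forward-secret suites come first while the rest stay enabled for clients such as AnyConnect. The hostname and the cipher list are assumptions, not values from the thread.

```python
import socket
import ssl

# OpenSSL-style name prefixes of suites that use an ephemeral key exchange.
# With DHE/ECDHE a captured session cannot be decrypted later with the
# server's long-term private key; that is what SSL Labs calls Forward Secrecy.
FORWARD_SECRET_PREFIXES = ("DHE-", "ECDHE-", "EDH-", "EECDH-")

# Constructed sample of an ASA-like SSL cipher list (not taken from a real box).
ASA_LIKE_CIPHERS = ["AES256-SHA", "AES128-SHA", "DHE-RSA-AES256-SHA",
                    "DES-CBC3-SHA", "DHE-RSA-AES128-SHA"]

def forward_secret(cipher_name):
    """True if the suite uses a forward-secret (ephemeral DH/ECDH) key exchange."""
    return cipher_name.startswith(FORWARD_SECRET_PREFIXES)

def prioritize_forward_secrecy(ciphers):
    """Move forward-secret suites to the front but keep every other suite, so
    servers prefer DHE/ECDHE while clients without DHE support still connect.
    Relative order inside each group is preserved."""
    fs = [c for c in ciphers if forward_secret(c)]
    rest = [c for c in ciphers if not forward_secret(c)]
    return fs + rest

def probe(host, port=443, only_forward_secret=False, timeout=5.0):
    """Handshake with host and return (protocol, cipher, forward_secret), or
    None if no handshake succeeded. With only_forward_secret=True the client
    offers DHE/ECDHE suites only, so None means the server has none enabled.
    Certificate checks are disabled on purpose: this tests negotiation, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites are always FS
    if only_forward_secret:
        ctx.set_ciphers("DHE:ECDHE")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                return (version, name, forward_secret(name))
    except (ssl.SSLError, OSError):
        return None

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder
    print("preferred order:", prioritize_forward_secrecy(ASA_LIKE_CIPHERS))
    print("default offer  :", probe(target))
    print("DHE/ECDHE only :", probe(target, only_forward_secret=True))
```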