we have an ASA 5505 base license 50 user v8.4(6) using classic IPsec VPN client. We have been told we need to upgrade the security of the VPN connection to support AES 256 bit encryption, and only accept this level of security, client is not allowed to connect if it is lower.
What do we need to do / buy for this? I have spent many hours looking and have only found a few pointers.
1. Upgrade the ASA software to the latest v9 (and ASDM too)
2. Move to Anyconnect client.
For the Anyconnect, I have found this URL which details that it can use 3DES or AES-256 but we need a strong encryption license.
Running Permanent Activation Key: 0xdd2feb61 0xc829523d 0x10d29548 0x8d6c2cfc 0xc835088e
Configuration register is 0x1
Configuration last modified by enable_15 at 09:05:27.051 CEST Wed Jan 15 2014
ciscoasa(config)#
Do we need to buy AnyConnect Essentials or Premium? How can I configure the ASA to only allow AES 256 connections (is it even possible)? Finally, do we need to buy the Next Generation Encryption license to do this (I hope not - Cisco is not cheap).
To my understanding the only license required for you to use AES-256 is the 3DES/AES license, which to my understanding can be acquired for free if your device is not licensed for it. Your device seems to be licensed for it.
You don't need to update the ASA software. You won't need to move to AnyConnect either, even though it would be advisable in the long run, as the Cisco VPN Client is not really supported anymore, even though I think it still works even with newer OS.
What I think you would need to do is simply remove all ISAKMP Policies and IPsec Transform Sets that use DES or 3DES on your firewall, or rearrange the configuration so that no DES/3DES ISAKMP Policies are at higher priority than the AES ones, and you could remove the DES/3DES transform sets from the Dynamic Map configurations I suppose.
I have not had the opportunity to configure AnyConnect/IKEv2 so I can't really comment on that.
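As an added illustration of the cleanup the answer above describes (this is not code from the original thread or from Cisco), here is a small Python audit that reads an ASA 8.4-style running configuration and flags every IKEv1 policy, and every transform set referenced from a dynamic crypto map, that is not AES-256. The configuration text, the names DYN-MAP and OUTSIDE-MAP, and the mixed 3DES/AES policies are constructed for the example; the command syntax (`crypto ikev1 policy`, `crypto ipsec ikev1 transform-set`) is the 8.4 form of what earlier releases called `crypto isakmp policy` and `crypto ipsec transform-set`. Transform sets that are defined but never referenced from a map are not offered to peers and are therefore not flagged, although deleting them is good hygiene.

```python
"""Audit an ASA 8.4-style config for IKEv1 policies and IPsec transform sets
that would still let a remote-access client negotiate something weaker than
AES-256 (DES, 3DES, AES-128/192)."""
import re

STRONG_IKE_ENC = {"aes-256"}     # acceptable 'encryption' value in an IKEv1 policy
STRONG_ESP = {"esp-aes-256"}     # acceptable ESP cipher in a transform set

# Constructed sample: the mixed DES/3DES/AES config a long-lived ASA accumulates.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

# Constructed remediated version: one AES-256 policy, one AES-256 transform set.
HARDENED_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""


def parse_ikev1_policies(config):
    """Return {priority: encryption} for each 'crypto ikev1 policy' block.
    A block with no explicit 'encryption' line maps to None (flagged later)."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = None
            continue
        if current is not None and line.startswith(" "):
            m = re.match(r"\s+encryption (\S+)", line)
            if m:
                policies[current] = m.group(1)
            continue
        current = None  # any non-indented line ends the policy block
    return policies


def parse_transform_sets(config):
    """Return {name: esp_cipher}; the cipher is the esp-* token that is not an HMAC."""
    sets = {}
    pat = r"^crypto ipsec ikev1 transform-set (\S+) (\S+)(?: (\S+))?"
    for m in re.finditer(pat, config, re.M):
        name, a, b = m.groups()
        sets[name] = next((t for t in (a, b) if t and not t.endswith("-hmac")), a)
    return sets


def parse_dynamic_map_sets(config):
    """Return {(map_name, seq): [transform-set names offered to dynamic peers]}."""
    pat = r"^crypto dynamic-map (\S+) (\d+) set ikev1 transform-set (.+)$"
    return {(m.group(1), int(m.group(2))): m.group(3).split()
            for m in re.finditer(pat, config, re.M)}


def audit(config):
    """Return a list of findings; an empty list means only AES-256 can be negotiated."""
    findings = []
    for prio, enc in sorted(parse_ikev1_policies(config).items()):
        if enc not in STRONG_IKE_ENC:
            findings.append(f"ikev1 policy {prio}: encryption {enc or '(not set)'}"
                            f" -> remove with 'no crypto ikev1 policy {prio}'")
    sets = parse_transform_sets(config)
    for (mapname, seq), names in parse_dynamic_map_sets(config).items():
        for n in names:
            if sets.get(n) not in STRONG_ESP:
                findings.append(f"dynamic-map {mapname} {seq}: transform-set {n}"
                                f" ({sets.get(n)}) is weaker than AES-256")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("hardened config:", audit(HARDENED_CONFIG) or "no findings")
```

Run it against the output of `show running-config crypto` saved to a file; once `audit()` returns nothing, a classic IPsec client proposing only DES or 3DES has no matching IKEv1 policy or transform set left to agree on and the tunnel negotiation fails, which is the "only accept AES-256" behaviour the question asks for.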