I have noticed and tested that Cisco IPsec VPN with IKEv1 works well through an IPsec tunnel. However, Cisco IPsec IKEv2 with AnyConnect fails to establish when passing through an IPsec tunnel. What are the differences in protocols and port numbers that make them behave differently? In the Cisco release notes I have read that we have to set the MTU to 1200 for IKEv2. I have done this and still no luck.
To clarify, I will explain a little bit about the scenario (please see the attached diagram):
Users in location A need to VPN to the ASA VPN concentrator in location B. The connection from location A to location B is through the internet, and there is already an IPsec tunnel established via edge routers between location A and location B. Users have two VPN clients: one is the Cisco VPN client configured for IKEv1, and the other is the Cisco AnyConnect client, which is configured for IPsec IKEv2. At this time all the tests are about IPsec; SSL VPN is NOT the goal at this stage. Here is what is happening:
a. Users trying with the Cisco VPN client and IPsec IKEv1 are successfully connecting.
b. Users trying with the Cisco AnyConnect client and IPsec IKEv2 fail to even receive the prompt for credentials. The connection fails in the IKE_SA_INIT stage.
c. If the same user with the Cisco AnyConnect client tries from home to connect to the ASA VPN concentrator at location B, all is good and successful. (Probably because there is no extra IPsec tunnel in the internet for AnyConnect to pass through; but why can the Cisco VPN client establish an IPsec tunnel through an IPsec tunnel, while AnyConnect fails to establish an IPsec tunnel through an IPsec tunnel? The only difference I know of is that the Cisco VPN client is using IKEv1 and Cisco AnyConnect is using IKEv2, but does this make any difference in terms of ports and protocols across the network?) Please see the attached diagram.