There's a mobile version of our website.
With Jay Young-Taylor
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about FlexVPN and IKEv2 with Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about FlexVPN and IKEv2 with Jay Young-Taylor. Feel free to ask questions on comparison between IKEv1 and IKEv2, What functions does IOS and ASA support, how does DMVPN and FlexVPN interoperate, or any related questions. . Feel free to ask questions on comparison between IKEv1 and IKEv2, What functions does IOS and ASA support, how does DMVPN and FlexVPN interoperate, or any related questions.
Remember to use the rating system to let Jay know if you have received an adequate response.
Jay might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community VPN discussion forum shortly after the event. This event lasts through January 25, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
A multi-part answer:
a) The IPsec client (EZVPN) desktop client is indeed being phased out. AnyConnect is it's replacement.
i) Anyconnect has multiple connection types (SSL or IKEv2)
ii) Anyconnect can connect to an IOS headend or an ASA headend with either
iii) FlexVPN is the configuration method to support Anyconnect (or native Windows 7 IKEv2 client) IKEv2 connections to IOS headends.
b) EZVPN client on IOS devices (called EZVPN remote) is still available but this type of configuration can be supported by FlexVPN.
Hope that helps.
concerning to AnyConnect:
- are there benefits or recommendations to change from SSL to IKEv2 ?
- is IKEv2 as simple in use as SSL (e.g. communication over Proxy) ?
- is vpn session with IKEv2 more secure than vpn via SSL ?
There are pro's and con's for both technologies (SSL and IKEv2). One isn't 'more' secure than the other, just different ways of establishing and carrying data in a secure fashion. In general unless you have a requirement to use IPsec (and along with it IKE) I would generally recommend using Anyconnect with SSL. For enterprise deployments the SSL client works very well and has some advantages over IKEv2 (software updating, connecting through proxies, work through firewalls that block everything but http and https [hotels/airports]). There are some features with IKEv2 that SSL doesn't have (Suite-B encryption, able to use the native Windows 7 client, OpenSWAN client, able to use ASR1000 as a headend).
Hope that helps.
Is there any good documentation on how to troubleshoot Ikve2? On the routers, the debugs for Ikev1 were really easy to read. On the ASA, the logs pretty much told you where was the issue, are there similar methods to troubleshoot in Ikev2?
Sorry for the delay in getting back to you here. Currently we are building some documents that clearly describe line by line (well, paragraph by paragraph) what is occurring in the finite state machine and what information is exchanged in the protocol. The articles have been writtne and are going through internal review before posting to cisco.com. We should have them out shortly.
You can enable "debug crypto ikev2", "debug crypto ikev2 packet", and/or "debug crypto ikev2 error" and follow the packet flow. The debugs themselves have been re-written a couple of times to make the action/work flow more human readable and in plain english. It should be easier to understand with the later 15.1 - 15.2 code versions.
The debugs are broken up based on us sending a packet (look for "Tx Packet") and recieving a packet (loof for "Rx Packet"). In addition you can keep track of a single session by looking at the initator and responder (IKEv2) spi. Those values will never change during the session life time.
Login to share your discussion activity with your friends on Facebook. You can control what you share and turn off sharing anytime.
Your Facebook friends can now see that you have started this discussion
Your Facebook friends can now see that you have commented on this discussion
Your Facebook friends can now see that you have read this discussion