Cisco Anyconnect Hardware




Introduction
Recommendations for Cryptographic Algorithms
Introduction to Cryptography
Next Generation Encryption
NGE Background Information
Categories of Cryptographic Algorithms
Symmetric Key
Public Key
Elliptic Curve
Hash
Security Levels
Cryptographic Algorithm Configuration Guidelines
IPsec VPN with Encapsulating Security Payload
Internet Key Exchange in VPN Technologies
Transport Layer Security and Cipher Suites
Acknowledgments
References
Appendix A: Minimum Cryptography Recommendations



Over the years, numerous cryptographic algorithms have been developed and used in many different protocols and functions. Cryptography is by no means static. Steady advances in computing and the science of cryptanalysis have made it necessary to adopt newer, stronger algorithms and larger key sizes. Older algorithms are supported in current products to ensure backward compatibility and interoperability. However, some older algorithms and key sizes no longer provide adequate protection from modern threats and should be replaced. This paper summarizes the security of cryptographic algorithms and parameters, gives concrete recommendations regarding which cryptography should be used and which cryptography should be replaced, and describes alternatives and mitigations.

The following table can help customers migrate from legacy ciphers to current or more secure ciphers. The table explains each cryptographic algorithm that is available, the operations that each algorithm supports, and whether an algorithm is Cisco's best recommendation. Customers should pay particular attention to algorithms designated as Avoid or Legacy. The status labels are explained following the table.

Table 1. Recommendations for Cryptographic Algorithms

Algorithm                                      | Operation                                 | Status     | Alternative                            | QCR (1)     | Mitigation
-----------------------------------------------|-------------------------------------------|------------|----------------------------------------|-------------|-------------------
DES                                            | Encryption                                | Avoid      | AES                                    |             |
3DES                                           | Encryption                                | Legacy     | AES                                    |             | Short key lifetime
RC4                                            | Encryption                                | Avoid      | AES                                    |             |
AES-CBC mode                                   | Encryption                                | Acceptable | AES-GCM                                | ✓ (256-bit) |
AES-GCM mode                                   | Authenticated encryption                  | NGE (2)    |                                        | ✓ (256-bit) |
DH-768, -1024; RSA-768, -1024; DSA-768, -1024  | Key exchange; Encryption; Authentication  | Avoid      | DH-3072 (Group 15); RSA-3072; DSA-3072 |             |
DH-2048; RSA-2048; DSA-2048                    | Key exchange; Encryption; Authentication  | Acceptable | ECDH-256; ECDSA-256                    |             |
DH-3072; RSA-3072; DSA-3072                    | Key exchange; Encryption; Authentication  | Acceptable | ECDH-256; ECDSA-256                    |             |
MD5                                            | Integrity                                 | Avoid      | SHA-256                                |             |
SHA-1                                          | Integrity                                 | Legacy     | SHA-256                                |             |
SHA-256; SHA-384; SHA-512                      | Integrity                                 | NGE        | SHA-384                                |             |
HMAC-MD5                                       | Integrity                                 | Legacy     | HMAC-SHA-256                           |             | Short key lifetime
HMAC-SHA-1                                     | Integrity                                 | Acceptable | HMAC-SHA-256                           |             |
HMAC-SHA-256                                   | Integrity                                 | NGE        |                                        |             |
ECDH-256; ECDSA-256                            | Key exchange; Authentication              | Acceptable | ECDH-384; ECDSA-384                    |             |
ECDH-384; ECDSA-384                            | Key exchange; Authentication              | NGE        |                                        |             |

1. QCR = quantum computer resistant.

2. NGE = next generation encryption.

Avoid: Algorithms that are marked as Avoid do not provide adequate security against modern threats and should not be used to protect sensitive information. It is recommended that these algorithms be replaced with stronger algorithms.

Legacy: Legacy algorithms provide a marginal but acceptable security level. They should be used only when no better alternatives are available, such as when interoperating with legacy equipment. It is recommended that these legacy algorithms be phased out and replaced with stronger algorithms.

Acceptable: Acceptable algorithms provide adequate security.

Next generation encryption (NGE): NGE algorithms are expected to meet the security and scalability requirements of the next two decades. For more information, see Next Generation Encryption.

Quantum computer resistant (QCR): In recent years, there has been attention on quantum computers (QCs) and their potential impact on current cryptography standards. Although practical QCs would pose a threat to crypto standards for public-key infrastructure (PKI) key exchange and encryption, no one has demonstrated a practical quantum computer yet. It is an area of active research and growing interest. Although it is possible, it can't be said with certainty whether practical QCs will be built in the future. An algorithm that would be secure even after a QC is built is said to have postquantum security or be quantum computer resistant (QCR). AES-256, SHA-384, and SHA-512 are believed to have postquantum security. There are public key algorithms that are believed to have postquantum security too, but there are no standards for their use in Internet protocols yet.


Cisco is committed to providing the best cryptographic standards to our customers. NGE still includes the best standards that one can implement today to meet the security and scalability requirements for network security in the years to come or to interoperate with the cryptography that will be deployed in that time frame. The biggest threat to crypto nowadays is another high-impact implementation issue, not a QC. So while we need to get smart about postquantum crypto, we need to do it in a way that doesn't create more complexity and less robustness. Cisco will remain actively involved in quantum resistant cryptography and will provide updates as postquantum secure algorithms are standardized.

Short key lifetime: Use of a short key lifetime improves the security of legacy ciphers that are used on high-speed connections. In IPsec, a 24-hour lifetime is typical. A 30-minute lifetime improves the security of legacy algorithms and is recommended.

Cryptography can provide confidentiality, integrity, authentication, and nonrepudiation for communications in public networks, storage, and more. Some real-world applications include protocols and technologies such as VPN networks, HTTPS web transactions, and management through SSH.

Over the years, some cryptographic algorithms have been deprecated, 'broken,' attacked, or proven to be insecure. Research publications have compromised or affected the perceived security of almost all algorithms, using reduced-step attacks or others such as known-plaintext and bit-flip attacks. Additionally, advances in computing steadily reduce the cost of information processing and data storage, so key sizes must grow to retain effective security. Because of Moore's law and a similar empirical law for storage costs, symmetric cryptographic keys must grow by 1 bit every 18 months. For an encryption system to have a useful shelf life and securely interoperate with other devices throughout its life span, the system should provide security for 10 or more years into the future. The use of good cryptography is more important now than ever before because of the very real threat of well-funded and knowledgeable attackers.

Cryptographic algorithms, in general, are divided into the following categories:

  • Symmetric key algorithms: These algorithms share the same key for encryption and decryption. Examples include Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES).
  • Public key algorithms: These algorithms use different, mathematically related keys for encryption and decryption. Examples include Digital Signature Algorithm (DSA) and the Rivest-Shamir-Adleman (RSA) algorithm.
  • Elliptic curve algorithms: These algorithms function over points that belong to elliptic curves. Examples include Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA).
  • Hash: These algorithms provide a constant-sized output for any input and their most important property is irreversibility.

The following section presents the recommended algorithms and key sizes for each category.

Next generation encryption (NGE) technologies satisfy the security requirements described in the preceding sections while using cryptographic algorithms that scale better. This document presents algorithms that are considered secure at present, the status of algorithms that are no longer considered secure, the key sizes that provide adequate security levels, and next generation cryptographic algorithms.

NGE Background Information

NGE offers the best technologies for future-proof cryptography and it is setting the industry trend. These are the best standards that one can implement today to meet the security and scalability requirements for years to come and to interoperate with the cryptography that will be deployed in that time frame.

The algorithms that comprise NGE are the result of more than 30 years of global advancement and evolution in cryptography. Each constituent component of NGE has its own history, depicting the diverse history of the NGE algorithms as well as their long-standing academic and community review. For instance, AES was named by the U.S. National Institute of Standards and Technology (NIST) but AES was not created by NIST. AES was originally called Rijndael and was created by two Belgian cryptographers. Additionally, ECDSA and ECDH have had fundamental contributions by cryptographers from around the world, including Japan, Canada, and the United States. In the end, NGE is composed of globally created, globally reviewed, and publicly available algorithms.

The following sections discuss the NGE algorithms in more detail.

Categories of Cryptographic Algorithms

There are four groups of cryptographic algorithms.

Symmetric Key

Symmetric key algorithms use the same key for encryption and decryption. Examples include 3DES and AES. 3DES, which consists of three sequential Data Encryption Standard (DES) encryption-decryptions, is a legacy algorithm. This designation means that 3DES provides a marginal but acceptable security level, but its keys should be renewed relatively often. Because of its small key size, DES is no longer secure and should be avoided. RC4 should be avoided too.


AES with 128-bit keys provides adequate protection for sensitive information. AES with 256-bit keys is required to protect classified information of higher importance.

Public Key

Public key algorithms use different keys for encryption and decryption. These keys are usually called the private key, which is secret, and the public key, which is publicly available. The private and public keys are cryptographically related. The private key cannot be derived from the public key. The private key can be used only by its owner and the public key can be used by third parties to perform operations with the key owner.

The RSA algorithms for encryption and digital signatures are less efficient at higher security levels, as is the integer-based Diffie-Hellman (DH) algorithm. There are subexponential attacks that can be used against these algorithms. To compensate, their key sizes must be substantially increased. In practice, this means that RSA and DH are becoming less efficient every year. DH, DSA, and RSA can be used with a 3072-bit modulus to protect sensitive information. Smaller DH, DSA, and RSA key sizes, such as 768 or 1024, should be avoided.

Elliptic Curve

Elliptic Curve Cryptography (ECC) is a newer alternative to public key cryptography. ECC operates on elliptic curves over finite fields. The main advantage of elliptic curves is their efficiency. They can offer the same level of security for modular arithmetic operations over much smaller prime fields. Thus, the relative performance of ECC algorithms is significantly better than traditional public key cryptography.

ECDH is a method for key exchange and ECDSA is used for digital signatures. ECDH and ECDSA using 256-bit prime modulus secure elliptic curves provide adequate protection for sensitive information. ECDH and ECDSA over 384-bit prime modulus secure elliptic curves are required to protect classified information of higher importance.

Hash


Hash algorithms are also called digital fingerprinting algorithms. They are irreversible functions that provide a fixed-size hash based on various inputs. Irreversibility and collision resistance are necessary attributes for successful hash functions. Examples of hash functions are Secure Hash Algorithm 1 (SHA-1) and SHA-256.

Message Digest 5 (MD5) is a hash function that is insecure and should be avoided. SHA-1 is a legacy algorithm and thus is NOT adequately secure. SHA-256 provides adequate protection for sensitive information. On the other hand, SHA-384 is required to protect classified information of higher importance.

Hashed Message Authentication Code (HMAC) is a construction that uses a secret key and a hash function to provide a message authentication code (MAC) for a message. HMAC is used for integrity verification. HMAC-MD5, which uses MD5 as its hash function, is a legacy algorithm: although MD5 itself is not secure as a hash function, HMAC-MD5 provides adequate security today, but its keys should be renewed relatively often. Alternatively, we recommend HMAC-SHA-256. HMAC-SHA-1 is also acceptable.

Security Levels

The following table shows the relative security level provided by the recommended and NGE algorithms. The security level is the relative strength of an algorithm. An algorithm with a security level of x bits is stronger than one of y bits if x > y. If an algorithm has a security level of x bits, the relative effort it would take to 'beat' the algorithm is of the same magnitude of breaking a secure x-bit symmetric key algorithm (without reduction or other attacks). The 128-bit security level is for sensitive information and the 192-bit level is for information of higher importance.

Table 2. Security Strength by Algorithm

Algorithm                                             | Security Level
------------------------------------------------------|---------------
AES-128; DH, DSA, RSA-3072; SHA-256; ECDH, ECDSA-256  | 128 bits
AES-192; SHA-384; ECDH, ECDSA-384                     | 192 bits
AES-256; SHA-512; ECDH, ECDSA-521                     | 256 bits

After the review of NGE algorithms and recommendations on choosing cryptographic algorithms, it is worthwhile to review specific guidelines for security technology configuration. The guidelines in this section are by no means all inclusive. Cryptography is widely deployed in almost every technology; thus, it is impossible to provide exhaustive guidelines for every technology that employs cryptography.

IPsec VPN with Encapsulating Security Payload

Use the following guidelines when configuring IPsec VPN encryption with Encapsulating Security Payload (ESP):

  • Do not use NULL encryption (esp-null).
  • Use both an authentication algorithm (esp-sha256-hmac is recommended) and an encryption algorithm (esp-aes is recommended).

The following example shows a Cisco IOS Software or Cisco Adaptive Security Appliance (ASA) transform set configuration that uses 256-bit AES encryption and HMAC-SHA-256 authentication for ESP IPsec in tunnel mode:


Internet Key Exchange in VPN Technologies

Use the following guidelines when configuring Internet Key Exchange (IKE) in VPN technologies:

  • Avoid IKE Groups 1, 2, and 5.
  • Use IKE Group 15 or 16 and employ 3072-bit and 4096-bit DH, respectively.
  • When possible, use IKE Group 19 or 20. They are the 256-bit and 384-bit ECDH groups, respectively.
  • Use AES for encryption.

Caution: Administrators are advised to use caution regarding processing load when they choose IKE groups. Load depends on platform limitations. Some platforms may not support Group 15 or 16 in hardware, and handling them in the CPU could add significant load to the processor in lower-end products or multiple simultaneous IKE negotiation scenarios.

For Cisco ASA 5500 Series models, administrators are strongly advised to enable hardware processing instead of software processing for large modulus operations, such as 3072-bit certificates. Initially enabling hardware processing by using the crypto engine large-mod-accel command, which was introduced in ASA version 8.3(2), during a low-use or maintenance period will minimize a temporary packet loss that can occur during the transition of processing from software to hardware. For the Cisco ASA 5540 and ASA 5550 using SSL VPN, administrators may want to continue to use software processing for large keys in specific load conditions. If VPN sessions are added very slowly and the ASA device runs at capacity, the negative impact to data throughput is larger than the positive impact for session establishment.

The following example shows a Cisco IOS Software IKE configuration that uses 128-bit AES for encryption, pre-shared key authentication, and 256-bit ECDH (Group 19):

The following example shows a Cisco IOS Software IKEv2 proposal configuration that uses 256-bit CBC-mode AES for encryption, SHA-256 for the hash, and 3072-bit DH (Group 15):

Not all product versions support SHA-256 or IKE Group 14, 19, 20, or 24. Recent releases of Cisco IOS Software and some other product version releases have incorporated support for some of these features.

Transport Layer Security and Cipher Suites

Many products are managed through a web interface using HTTPS. HTTPS uses SSL/Transport Layer Security (TLS) to encrypt communications. TLS is the successor of SSL and provides encryption, authentication, and integrity for web communications. TLS 1.2 is the current version. Where possible, TLS 1.2 is preferred over SSL 3.0, TLS 1.0, and TLS 1.1. TLS is also used in various Cisco products to provide VPN services.

Cipher suites are combinations of security algorithms that are used in TLS. When configuring products that support TLS, administrators are advised to use secure algorithms in the cipher suites of the TLS negotiation when possible. Some recommendations are as follows:

  • Use 3072-bit certificates with cipher suites that include TLS_RSA_.
  • Use 3072-bit DH or 256-bit or 384-bit ECDH and ECDSA with cipher suites that include:
    • TLS_DH_
    • TLS_ECDH_
    • TLS_ECDH_ECDSA or TLS_RSA_ECDSA
  • Configure the negotiated TLS cipher suites to include AES-128 or AES-256 GCM as the encryption algorithms and SHA-256 or SHA-384 for the hashes. The negotiated cipher suites should include:
    • WITH_AES_128_GCM_SHA256 or WITH_AES_256_GCM_SHA384
    • WITH_AES_256_GCM_SHA256 or WITH_AES_256_GCM_SHA384
      Alternatives are:
    • WITH_AES_128_CBC_SHA256
    • WITH_AES_256_CBC_SHA256

Browsers should support the preceding cipher suites, as should the HTTP server or SSL VPN concentrator. However, not all product versions support the preceding cipher suites. Support is progressively added.
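To turn the cipher suite recommendations and Table 2 into a check that can be run over a server's negotiated suite, here is an added example (not Cisco code). It parses IANA-style suite names, flags the components that fall outside the recommendations above, and rates the suite at the security level of its weakest component using the Table 2 values; the key sizes are supplied by the caller. The treatment of the ephemeral DHE/ECDHE variants as the TLS_DH_/TLS_ECDH_ families, and the suite names used, are assumptions of the example.

```python
"""Check IANA-style TLS cipher suite names against the recommendations above
and rate the negotiated suite by the Table 2 security levels. Added example,
not Cisco code; the suite names and key sizes below are constructed."""
import re

# Table 2 security levels in bits.
SYMMETRIC_LEVEL = {"AES_128": 128, "AES_192": 192, "AES_256": 256}
HASH_LEVEL = {"SHA256": 128, "SHA384": 192, "SHA512": 256}
MODULUS_LEVEL = {3072: 128}                    # DH, DSA, RSA-3072
CURVE_LEVEL = {256: 128, 384: 192, 521: 256}   # ECDH, ECDSA

# TLS_<key exchange/auth>_WITH_<AES size>_<mode>_<hash>; "SHA" alone is SHA-1.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z_]+?)_WITH_(?P<aes>AES_(?:128|192|256))_(?P<mode>GCM|CBC)_"
    r"(?P<hash>SHA256|SHA384|SHA512|SHA)$")


def evaluate_suite(name, rsa_bits=None, dh_bits=None, curve_bits=None):
    """Return {"recommended": bool, "level": int or None, "reasons": [...]}.

    rsa_bits is the server certificate size; dh_bits / curve_bits are the sizes
    of the (EC)DH group in use. DHE/ECDHE are treated like the TLS_DH_/TLS_ECDH_
    prefixes named in the text (an assumption of this example).
    """
    reasons, levels = [], []
    m = SUITE_RE.match(name)
    if not m:
        return {"recommended": False, "level": None,
                "reasons": ["not an AES-GCM or AES-CBC suite with a SHA-2 hash"]}
    # Key exchange and authentication tokens, e.g. "ECDHE_ECDSA" or "RSA".
    for token in m.group("kx").split("_"):
        if token == "RSA":
            level = MODULUS_LEVEL.get(rsa_bits)
            if level is None:
                reasons.append(f"RSA-{rsa_bits} is not rated in Table 2 (use 3072-bit certificates)")
        elif token in ("DH", "DHE"):
            level = MODULUS_LEVEL.get(dh_bits)
            if level is None:
                reasons.append(f"DH-{dh_bits} is not rated in Table 2 (use 3072-bit DH)")
        elif token in ("ECDH", "ECDHE", "ECDSA"):
            level = CURVE_LEVEL.get(curve_bits)
            if level is None:
                reasons.append(f"{token}-{curve_bits} is not rated in Table 2 (use 256- or 384-bit curves)")
        else:
            level = None
            reasons.append(f"{token} is not among the recommended key exchange/authentication families")
        levels.append(level)
    # Encryption: AES-GCM is recommended; AES-CBC only in the SHA256 alternatives.
    levels.append(SYMMETRIC_LEVEL[m.group("aes")])
    if m.group("mode") == "CBC" and m.group("hash") != "SHA256":
        reasons.append("AES-CBC is listed only as WITH_AES_128_CBC_SHA256 / WITH_AES_256_CBC_SHA256")
    # Hash: SHA-256 or SHA-384; a bare SHA means SHA-1, a legacy algorithm.
    hash_level = HASH_LEVEL.get(m.group("hash"))
    if hash_level is None:
        reasons.append("SHA-1 is a legacy hash; use SHA-256 or SHA-384")
    levels.append(hash_level)
    # A suite is only as strong as its weakest component.
    level = None if any(lv is None for lv in levels) else min(levels)
    return {"recommended": not reasons, "level": level, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample of suites a server might offer, with assumed key sizes.
    checks = [
        ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", dict(curve_bits=384)),
        ("TLS_RSA_WITH_AES_128_CBC_SHA256", dict(rsa_bits=3072)),
        ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", dict(rsa_bits=2048, curve_bits=256)),
        ("TLS_RSA_WITH_AES_128_CBC_SHA", dict(rsa_bits=3072)),
        ("TLS_RSA_WITH_RC4_128_SHA", dict(rsa_bits=3072)),
    ]
    for suite, sizes in checks:
        result = evaluate_suite(suite, **sizes)
        print(f"{suite:42s} recommended={result['recommended']} level={result['level']} {result['reasons']}")
```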

Panos Kampanakis (pkampana[at]cisco[dot]com)
Security Intelligence Operations

David McGrew (mcgrew[at]cisco[dot]com)
Cisco Fellow, Corporate Security Programs Office (CSPO)

Jay Young-Taylor (jyoungta[at]cisco[dot]com)
Escalation Support Engineer, Cisco Services


Wen Zhang (wzhang[at]cisco[dot]com)
Escalation Support Engineering, Cisco Services

Lonnie Harris (lonnieh[at]cisco[dot]com)
Test Engineer, Global Government Solutions Group (GGSG)

NIST SP 800-131A, B, and C
http://csrc.nist.gov/publications/PubsSPs.html

NIST Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (SP800-131A)
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

IANA Transport Layer Security (TLS) Parameters
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml

IANA Internet Key Exchange (IKE) Attributes
http://www.iana.org/assignments/ipsec-registry

The following table lists recommended cryptographic algorithms that satisfy minimum security requirements for technology as of October 2020.

Table 3. Recommended Minimum Security Algorithms

Operation      | Recommended Minimum Security Algorithms
---------------|----------------------------------------
Encryption     | AES-128-GCM mode
Authentication | RSA-3072, DSA-3072
Integrity      | SHA-256
Key exchange   | DH Group 15 (3072-bit)

First Published: April 2012

Last Updated: October 2020

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

Objective

The objective of this document is to show you how to configure AnyConnect VPN connectivity on the RV34x Series Router.

Advantages of using AnyConnect Secure Mobility Client:

  1. Secure and persistent connectivity
  2. Persistent security and policy enforcement
  3. Deployable from the Adaptive Security Appliance (ASA) or from Enterprise Software Deployment Systems
  4. Customizable and translatable
  5. Easily configured
  6. Supports both Internet Protocol Security (IPSec) and Secure Sockets Layer (SSL)
  7. Supports Internet Key Exchange version 2.0 (IKEv2.0) protocol

Introduction

A Virtual Private Network (VPN) connection allows users to access, send, and receive data to and from a private network by means of going through a public or shared network such as the Internet but still ensuring secure connections to an underlying network infrastructure to protect the private network and its resources.

A VPN client is software that is installed and run on a computer that needs to connect to the remote network. This client software must be set up with the same configuration as the VPN server, such as the IP address and authentication information. This authentication information includes the username and the pre-shared key that will be used to encrypt the data. Depending on the physical location of the networks to be connected, a VPN client can also be a hardware device; this is usually the case when the VPN connection joins two networks in separate locations.

The Cisco AnyConnect Secure Mobility Client is a software application for connecting to a VPN that works on various operating systems and hardware configurations. It makes the remote resources of another network accessible as if the user were directly connected to that network, but in a secure way. Cisco AnyConnect Secure Mobility Client provides an innovative new way to protect mobile users on computer-based or smartphone platforms, providing a more seamless, always-protected experience for end users and comprehensive policy enforcement for IT administrators.

On the RV34x router, starting with firmware version 1.0.3.15 and moving forward, AnyConnect licensing is not necessary. There will be a charge for client licenses only.

For additional information on AnyConnect licensing on the RV340 series routers, please see the article on: AnyConnect Licensing for the RV340 Series Routers.

Applicable Devices | Firmware Version

  • Cisco AnyConnect Secure Mobility Client | 4.4 (Download latest)
  • RV34x Series | 1.0.03.15 (Download latest)

Configure AnyConnect VPN Connectivity on the RV34x

Configure SSL VPN on the RV34x

Step 1. Access the router web-based utility and choose VPN > SSL VPN.

Step 2. Click the On radio button to enable Cisco SSL VPN Server.

Mandatory Gateway Settings

The following configuration settings are mandatory:

Step 3. Choose the Gateway Interface from the drop-down list. This will be the port that will be used for passing traffic through the SSL VPN Tunnels. The options are:

  • WAN1
  • WAN2
  • USB1
  • USB2

Note: In this example, WAN1 is chosen.

Step 4. Enter the port number that is used for the SSL VPN gateway in the Gateway Port field ranging from 1 to 65535.

Note: In this example, 8443 is used as the port number.

Step 5. Choose the Certificate File from the drop-down list. This certificate authenticates users who attempt to access the network resource through the SSL VPN tunnels. The drop-down list contains a default certificate and the certificates that are imported.

Note: In this example, Default is chosen.

Step 6. Enter the IP address of the client address pool in the Client Address Pool field. This pool will be the range of IP addresses that will be allocated to remote VPN clients.

Note: Make sure that the IP address range does not overlap with any of the IP addresses on the local network.

Note: In this example, 192.168.0.0 is used.

Step 7. Choose the Client Netmask from the drop-down list.

Note: In this example, 255.255.255.128 is chosen.

Step 8. Enter the client domain name in the Client Domain field. This will be the domain name that should be pushed to SSL VPN clients.

Note: In this example, WideDomain.com is used as the client domain name.

Step 9. Enter the text that would appear as login banner in the Login Banner field. This will be the banner that will be displayed each time a client logs in.

Note: In this example, Welcome to Widedomain! is used as the Login Banner.

Optional Gateway Settings

The following configuration settings are optional:

Step 1. Enter a value in seconds for the Idle Timeout ranging from 60 to 86400. This will be the time duration that the SSL VPN session can remain idle.

Note: In this example, 3000 is used.

Step 2. Enter a value in seconds in the Session Timeout field. This is the time it takes for the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) session to time out after the specified idle time. The range is from 60 to 1209600.

Note: In this example, 60 is used.

Step 3. Enter a value in seconds in the ClientDPD Timeout field ranging from 0 to 3600. This value specifies the periodic sending of HELLO/ACK messages to check the status of the VPN tunnel.

Note: This feature must be enabled on both ends of the VPN tunnel.

Note: In this example, 350 is used.

Step 4. Enter a value in seconds in the GatewayDPD Timeout field ranging from 0 to 3600. This value specifies the periodic sending of HELLO/ACK messages to check the status of the VPN tunnel.

Note: This feature must be enabled on both ends of the VPN tunnel.

Note: In this example, 360 is used.

Step 5. Enter a value in seconds in the Keep Alive field ranging from 0 to 600. This feature ensures that your router is always connected to the Internet. It will attempt to re-establish the VPN connection if it is dropped.

Note: In this example, 40 is used.

Step 6. Enter a value in seconds for the duration of the tunnel to be connected in the Lease Duration field. The range is from 600 to 1209600.

Note: In this example, 43500 is used.

Step 7. Enter the packet size in bytes that can be sent over the network. The range is from 576 to 1406.

Note: In this example, 1406 is used.

Step 8. Enter the rekey interval in the Rekey Interval field. The Rekey feature allows the SSL keys to be renegotiated after the session has been established. The range is from 0 to 43200.

Note: In this example, 3600 is used.

Step 9. Click Apply.

Configure Group Policies

Step 1. Click the Group Policies tab.

Step 2. Click the Add button under the SSL VPN Group Table to add a group policy.

Note: The SSL VPN Group table will show the list of group policies on the device. You can also edit the first group policy on the list, which is named SSLVPNDefaultPolicy. This is the default policy supplied by the device.

Step 3. Enter your preferred policy name in the Policy Name field.

Note: In this example, Group 1 Policy is used.

Step 4. Enter the IP address of the Primary DNS in the field provided. By default, this IP address is already supplied.

Note: In this example, 192.168.1.1 is used.

Step 5. (Optional) Enter the IP address of the Secondary DNS in the field provided. This will serve as a backup in case the primary DNS fails.

Note: In this example, 192.168.1.2 is used.

Step 6. (Optional) Enter the IP address of the primary WINS in the field provided.

Note: In this example, 192.168.1.1 is used.

Step 7. (Optional) Enter the IP address of the secondary WINS in the field provided.

Note: In this example, 192.168.1.2 is used.

Step 8. (Optional) Enter a description of the policy in the Description field.

Note: In this example, Group Policy with split tunnel is used.

Step 9. (Optional) Click a radio button to choose the IE Proxy Policy, which sets the Microsoft Internet Explorer (MSIE) proxy settings used when the VPN tunnel is established. The options are:

  • None - Allows the browser to use no proxy settings.
  • Auto - Allows the browser to automatically detect the proxy settings.
  • Bypass-local - Allows the browser to bypass the proxy settings that are configured on the remote user.
  • Disabled - Disables the MSIE proxy settings.

Note: In this example, Disabled is chosen. This is the default setting.

Step 10. (Optional) In the Split Tunneling Settings area, check the Enable Split Tunneling check box to allow Internet destined traffic to be sent unencrypted directly to the Internet. Full Tunneling sends all traffic to the end device where it is then routed to destination resources, eliminating the corporate network from the path for web access.

Step 11. (Optional) Click on a radio button to choose whether to include or exclude traffic when applying the split tunneling.

Note: In this example, Include Traffic is chosen.

Step 12. In the Split Network Table, click the Add button to add a split network exception.

Step 13. Enter the IP address of the network in the field provided.

Note: In this example, 192.168.1.0 is used.

Step 14. In the Split DNS Table, click the Add button to add a split DNS exception.

Step 15. Enter the Domain name in the field provided and then click Apply.
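The gateway values entered in the steps above can be sanity-checked before clicking Apply. The following script is an added example (not RV34x firmware code): it validates each numeric field against the range the steps give and checks that the client address pool does not overlap the local network, as the note under Step 6 requires. The local network 192.168.1.0/24 and the field names (including max_mtu for the packet size in Step 7 of the optional settings) are assumptions of the example.

```python
"""Validate the SSL VPN gateway values from the steps above against the field
ranges the steps give, and check that the client address pool does not overlap
the local network. Added example, not RV34x firmware code; the local network
192.168.1.0/24 and the field names are assumed."""
import ipaddress

# Allowed ranges for the numeric gateway fields, as stated in the steps
# ("max_mtu" is an assumed name for the packet size field of Step 7).
RANGES = {
    "gateway_port": (1, 65535),
    "idle_timeout": (60, 86400),
    "session_timeout": (60, 1209600),
    "client_dpd_timeout": (0, 3600),
    "gateway_dpd_timeout": (0, 3600),
    "keep_alive": (0, 600),
    "lease_duration": (600, 1209600),
    "max_mtu": (576, 1406),
    "rekey_interval": (0, 43200),
}

# The values used in this article's example configuration.
PAGE_SETTINGS = {
    "gateway_port": 8443,
    "client_address_pool": "192.168.0.0",
    "client_netmask": "255.255.255.128",
    "idle_timeout": 3000,
    "session_timeout": 60,
    "client_dpd_timeout": 350,
    "gateway_dpd_timeout": 360,
    "keep_alive": 40,
    "lease_duration": 43500,
    "max_mtu": 1406,
    "rekey_interval": 3600,
}


def client_pool(settings):
    """Build the client address pool network from the pool address and netmask."""
    return ipaddress.ip_network(
        f"{settings['client_address_pool']}/{settings['client_netmask']}", strict=False)


def validate_gateway(settings, lan_networks):
    """Return a list of problems; an empty list means the settings are acceptable."""
    problems = []
    for field, (low, high) in RANGES.items():
        value = settings.get(field)
        if not isinstance(value, int) or not low <= value <= high:
            problems.append(f"{field}: {value!r} is outside {low}-{high}")
    try:
        pool = client_pool(settings)
    except (KeyError, ValueError) as exc:
        problems.append(f"client address pool: invalid ({exc})")
        return problems
    # Step 6 note: the pool must not overlap any address on the local network.
    for lan in lan_networks:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if pool.overlaps(lan_net):
            problems.append(f"client address pool {pool} overlaps local network {lan_net}")
    return problems


if __name__ == "__main__":
    # Assumed local network; the article's values should pass cleanly.
    print("article values:", validate_gateway(PAGE_SETTINGS, ["192.168.1.0/24"]) or "OK")
    # Constructed bad input: port out of range and a pool inside the LAN.
    bad = dict(PAGE_SETTINGS, gateway_port=70000, client_address_pool="192.168.1.0")
    for problem in validate_gateway(bad, ["192.168.1.0/24"]):
        print("problem:", problem)
```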

Verify AnyConnect VPN Connectivity

Step 1. Click on the AnyConnect Secure Mobility Client icon.

Step 2. In the AnyConnect Secure Mobility Client window, enter the gateway IP address and the gateway port number separated by a colon (:), and then click Connect.

Note: In this example, 10.10.10.1:8443 is used. The software will now show that it is contacting the remote network.

Step 3. Enter your server username and password in the respective fields and then click OK.

Note: In this example, Group1 user is used as the Username.

Step 4. As soon as the connection is established, the Login Banner will appear. Click Accept.

The AnyConnect window should now indicate the successful VPN connection to the network.

Step 5. (Optional) To disconnect from the network, click Disconnect.

You should now have successfully configured AnyConnect VPN connectivity using an RV34x Series Router.
