Monday, April 4, 2011

Which Cisco VPN client should I go with?


A discussion about the IPsec and AnyConnect VPN clients

Cisco has two main options when it comes to VPN clients: the classic IPsec client or AnyConnect.
The IPsec client has been around since the VPN 3000 concentrator days, and to date it is probably the best known and most widely used VPN client among Cisco customers. When 64-bit operating systems started to become popular there was no 64-bit IPsec client at all, which almost eliminated it as an option. A 64-bit build was eventually released, and that made it a viable client again for today's Windows 7 deployments. Here is an IPsec client screen shot:

AnyConnect has been around for about four years now. It gained a user base during the period when the IPsec client had no 64-bit support, but one thing always stopped it from becoming the default client: price.
AnyConnect requires an additional license, which means a higher price. Up to about a year ago that price was significant, but then a new licensing model was announced and it became a non-issue. With the AnyConnect Essentials license, which provides everything needed for plain remote-access VPN, adding AnyConnect to an ASA is almost free. The other licensing level (AnyConnect Premium) is still significant in cost, but it is only required for functions like Cisco Secure Desktop, clientless SSL VPN and similar features. Here is an AnyConnect screen shot:
More on AnyConnect and the features included with each license can be found at:

With both products available and ready for use on the 32-bit and 64-bit versions of Windows 7, IT departments are going to face a decision between the two, and many will go with IPsec because they are used to it and it is a little cheaper than AnyConnect (even with the Essentials license). This may be a mistake, and I would like to point out two major reasons to go with AnyConnect.

First, it supports Start Before Logon (SBL) on Windows 7, and second, it works much better with broadband cellular (WWAN) cards.

The first issue is significant if you need your users' machines to run a domain login script that maps network drives, apply computer-account Group Policy, or do anything else that does not work when the user logs on with cached credentials because the tunnel only comes up after the desktop is loaded. The IPsec client does not currently support SBL on Windows 7: its SBL implementation relied on replacing the Windows GINA logon DLL, and Windows Vista and 7 dropped GINA in favour of credential providers, which the IPsec client was never updated for. AnyConnect plugs into the Windows 7 logon screen as a Pre-Logon Access Provider (PLAP) instead, so the tunnel can be established before the user authenticates to the domain. With the IPsec client, a software-based workaround is possible by running the required batch/script files manually (or from a scheduled task) after the VPN connection is established, but this still happens after logon, so computer-startup scripts and startup-time policy processing are missed.
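To make the SBL and licensing points concrete, here is an ASA configuration that enables AnyConnect under the Essentials license and pushes the SBL module and a client profile to users. This is an added example for illustration, not configuration from the original post or from Cisco documentation; the interface name (outside), the image file name, the profile name and path, and the group-policy/tunnel-group names are all assumptions, and it assumes the AnyConnect Essentials activation key has already been installed on the ASA. The syntax is the ASA 8.2/8.3 form; ASA 8.4 renames the "svc" keywords to "anyconnect" (for example "anyconnect enable", "anyconnect modules value vpngina") and "vpn-tunnel-protocol svc" to "vpn-tunnel-protocol ssl-client".

```cisco
! Global WebVPN/AnyConnect settings
webvpn
 ! Terminate SSL VPN sessions on the interface facing the Internet (assumed name: outside)
 enable outside
 ! Client package served to users; file name is an assumption, use the one uploaded to flash
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 ! Client profile XML uploaded to flash; profile name and path are assumptions.
 ! The profile must contain, under <ClientInitialization>:
 !   <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
 svc profiles sbl-profile disk0:/sbl-profile.xml
 svc enable
 ! Switch licensing from Premium to the Essentials model (Essentials key must already be installed)
 anyconnect-essentials
 ! Let users pick the tunnel group from a drop-down in the client
 tunnel-group-list enable
!
! Group policy for remote-access users (name is an assumption)
group-policy RA-Policy internal
group-policy RA-Policy attributes
 ! Allow only the AnyConnect SSL client protocol for this policy
 vpn-tunnel-protocol svc
 webvpn
  ! Push the Start Before Logon module (vpngina) to the client on first connect
  svc modules value vpngina
  ! Assign the profile that turns SBL on
  svc profiles value sbl-profile
  ! Keep the client installed so the SBL component is present at the next boot
  svc keep-installer installed
!
! Tunnel group (connection profile) tied to the policy above (names are assumptions)
tunnel-group RA-Group type remote-access
tunnel-group RA-Group general-attributes
 default-group-policy RA-Policy
tunnel-group RA-Group webvpn-attributes
 group-alias RemoteAccess enable
```

Two caveats a practitioner would want: the vpngina module is installed on the client with administrator rights during the first (post-logon) connection, so users must connect once normally before the SBL button appears at the Windows logon screen; and "anyconnect-essentials" disables Premium-only features such as clientless SSL VPN and Cisco Secure Desktop for the whole ASA, so it should only be enabled once you have confirmed nothing in the existing configuration depends on them.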

As for the broadband card, that is even more painful since there is no software workaround. Windows 7 uses a different NDIS driver model for WWAN devices, and the IPsec client does not recognize those cards as a network adapter it can bind to. In some cases you can expose the device as a serial modem and run the VPN over dial-up emulation, but that does not work with many of the built-in broadband options. AnyConnect tunnels over SSL/TLS on TCP 443 (with DTLS on UDP 443 for performance when the path allows it) through its own virtual adapter, so it only needs an IP path to the ASA; it does not bind to the physical adapter and has no dependency on the WWAN driver.
I cannot say much about whether Cisco will continue to maintain both clients or will add NDIS support for Windows 7 to the IPsec client, simply because I don't have that info, but at this time AnyConnect seems like the preferred option to go with.
