Has anyone set up Always On VPN with Cisco ASA devices?

We’re looking into ditching AnyConnect and moving to the built-in VPN of Windows 10 (IKEv2).

We can’t use the Start Before Logon module of AnyConnect for various reasons, and having the AnyConnect client is just a pain because quite a few users never bother connecting to the VPN.

Has anyone set this up? From what I can tell you need NPS servers (which we already have), but I’m unclear on whether you need the VPN role installed on servers or whether the ASA can handle that.

u/HDClown linked a great post written by u/Motavar. The caveat to it, though, is that the ASA needs to be running ASA code for it to be the terminating point. Everything I’ve read about ASAs running FTD code, including the built-in documentation, says the VPN only functions with the AnyConnect client.

To further drive that home, when you create a new VPN connection using the Firepower manager it requires you to upload an AnyConnect image and profile. I will say that I haven’t gone down the road of implementing all this to test the connection with the Windows built-in VPN client.

With all that preface, I have set up AOVPN to terminate at a Windows Server behind the ASA and behind a load balancer. Not fun. Be prepared to battle obscure and ambiguous errors with just as obscure documentation.

Richard Hicks will become your best and only friend.

A big thing I will recommend is testing with a fresh build on your laptop. I spent a lot of time testing with my laptop, on which I’ve tested all kinds of software, only to find that things worked as expected with a fresh image.

These links are my references from the build:

https://www.thewindowsclub.com/vpn-error-13801-on-windows

https://4sysops.com/archives/configuring-and-deploying-always-on-vpn-device-tunnels/

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment

http://blog.tofte-it.dk/tutorial-deploy-always-on-vpn/

https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows

https://4sysops.com/archives/active-directory-group-policy-and-certificates-for-always-on-vpn/

https://directaccess.richardhicks.com/2019/01/28/always-on-vpn-and-network-policy-server-nps-load-balancing/

https://directaccess.richardhicks.com/2018/12/10/always-on-vpn-ikev2-security-configuration/

https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/

https://www.thewindowsclub.com/vpn-error-codes-troubleshooting

https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp

https://directaccess.richardhicks.com/2019/08/05/always-on-vpn-dns-registration-update-available/

https://support.microsoft.com/en-gb/help/4507466/windows-10-update-kb4507466

https://david-obrien.net/2013/12/configmgr-powershell-application-detection-methods/

https://directaccess.richardhicks.com/2018/04/23/always-on-vpn-and-the-name-resolution-policy-table-nrpt/

https://directaccess.richardhicks.com/2018/05/29/always-on-vpn-client-dns-server-configuration/

https://social.technet.microsoft.com/Forums/en-US/a79b1acb-e1b3-4dac-99d6-1cd4ae36920f/nrpt-for-always-on-vpn?forum=winserverPN

https://docs.umbrella.com/deployment-umbrella/docs/appx-d-internal-domains#section-the-umbrella-dashboard-domain-management

https://docs.umbrella.com/deployment-umbrella/docs/manage-domains

https://docs.citrix.com/en-us/netscaler/12/networking/ip-addressing/enabling-use-source-ip-mode.html

https://www.carlstalhood.com/netscaler-essential-concepts-part-1#sourceip

https://forsenergy.com/en-us/rras/html/6282013d-7daa-437d-918d-a4588cff86ee.htm

https://sc1.checkpoint.com/documents/R76/CP_R76_VPN_AdminGuide/13847.htm

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-configure

http://www.continualintegration.com/miscellaneous-articles/how-do-you-use-jea-just-enough-administration-to-give-users-the-rights-to-perform-select-powershell-tasks/

https://docs.microsoft.com/en-us/powershell/scripting/samples/creating-a-custom-input-box?view=powershell-7

https://directaccess.richardhicks.com/2017/04/13/uninstalling-and-removing-directaccess/

https://www.imab.dk/my-always-on-vpn-configuration-with-microsoft-intune-and-configuration-manager-explained/

Good luck, and may the Gods have mercy on your soul.
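The reply above links Richard Hicks' IKEv2 security configuration post, which matters because Windows negotiates weak IKEv2 defaults (3DES, SHA-1, DH group 2) unless a custom IPsec policy is set on both the client and the RRAS server. The script below is an added example, not code from the thread or from any of the linked posts; it applies the suite Hicks recommends (AES-GCM-128, SHA-256, ECP256) to a user tunnel and to the server, adds the NRPT trigger for the internal DNS suffix, and then checks that no weak algorithm survived. The connection name `Corp-AOVPN`, the gateway `vpn.corp.example.com`, the suffix `corp.example.com` and the DNS server `10.0.0.10` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Replaces the weak Windows IKEv2 defaults
# (3DES / SHA-1 / DH group 2) with the suite from Richard Hicks' IKEv2 security
# configuration post, on the client and on the RRAS server.

$ConnectionName = 'Corp-AOVPN'             # assumed connection name
$ServerAddress  = 'vpn.corp.example.com'   # assumed; must match a SAN on the server certificate
$DnsSuffix      = 'corp.example.com'       # assumed internal DNS suffix
$InternalDns    = '10.0.0.10'              # assumed internal DNS server

# One suite used on both ends; IKEv2 fails to negotiate if client and server disagree.
$IPsecPolicy = @{
    AuthenticationTransformConstants = 'GCMAES128'
    CipherTransformConstants         = 'GCMAES128'
    EncryptionMethod                 = 'AES128'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'ECP256'
    PfsGroup                         = 'ECP256'
}

function Set-ClientIkev2Policy {
    # Create a test user-tunnel connection if missing. Machine-certificate auth keeps this
    # self-contained; a production user tunnel uses EAP via ProfileXML instead.
    if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
        Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
            -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
            -EncryptionLevel Required -SplitTunneling -RememberCredential:$false -Force
    }

    # Custom IPsec policy overrides the weak built-in IKEv2 defaults for this connection.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName @IPsecPolicy -Force

    # NRPT entry: names under the corp suffix resolve only via the internal DNS server,
    # so corp lookups never leak to the local resolver while the tunnel is up.
    Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName `
        -DnsSuffix $DnsSuffix -DnsIPAddress $InternalDns -PassThru -Force
}

function Test-ClientIkev2Policy {
    # Returns $true only if the connection has a custom policy with no weak algorithm left.
    $p = (Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
    if (-not $p) {
        Write-Warning 'No custom IPsec policy: Windows defaults (DES3/SHA1/Group2) apply.'
        return $false
    }
    $weak  = @('DES', 'DES3', 'MD5', 'MD596', 'SHA1', 'SHA196', 'Group1', 'Group2', 'PFS1', 'PFS2', 'None')
    $inUse = $p.AuthenticationTransformConstants, $p.CipherTransformConstants, $p.EncryptionMethod,
             $p.IntegrityCheckMethod, $p.DHGroup, $p.PfsGroup
    $bad = $inUse | Where-Object { "$_" -in $weak }
    if ($bad) {
        Write-Warning "Weak IKEv2 parameters still configured: $($bad -join ', ')"
        return $false
    }
    return $true
}

function Set-ServerIkev2Policy {
    # Run this on the RRAS server. Parameters must mirror the client hashtable above.
    Set-VpnServerIPsecConfiguration -CustomPolicy @IPsecPolicy `
        -SADataSizeForRenegotiationKilobytes 102400 -PassThru -Force
    Restart-Service RemoteAccess -PassThru   # RRAS only re-reads the IPsec policy on restart
}

function Get-NegotiatedIkev2Sa {
    # After the tunnel is up: show what was actually negotiated, not just what was configured.
    $gatewayIps = [System.Net.Dns]::GetHostAddresses($ServerAddress).IPAddressToString
    Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -in $gatewayIps } |
        Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId
}

Set-ClientIkev2Policy
if (Test-ClientIkev2Policy) {
    'Client IKEv2 policy hardened; now run Set-ServerIkev2Policy on the RRAS server.'
}
```

Apply the server half before the client half in production, otherwise clients with the new suite fail with IKE policy-mismatch errors until the server is restarted; `Get-NegotiatedIkev2Sa` is the check to run once a tunnel is up, since a configured suite the server does not offer will quietly fall back or fail.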

See here: https://www.reddit.com/r/networking/comments/gf6w1h/cisco_firepower_2130_wasa_code_and_microsoft/

Since this post is based on ASA code in FTD it will be the same for you using an ASA.

Always On VPN device tunnels (needed for pre-logon connection) require a Windows 10 Enterprise or Education SKU, so hopefully you have that. If you don’t need pre-logon as a hard requirement, you can still have a user tunnel auto-connect after login.
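A device tunnel cannot be created with `Add-VpnConnection`; it has to be pushed as ProfileXML through the VPNv2 CSP, either from an MDM or locally through the WMI-to-CSP bridge while running as SYSTEM (the approach in the Microsoft device tunnel doc linked in the long reply above). The script below is an added example and not code from the thread or from Microsoft; it refuses to run on a non-Enterprise/Education SKU or a machine without a client-authentication certificate, builds a split-tunnel IKEv2 device tunnel with machine-certificate authentication and a hardened cryptography suite, restricts the tunnel to the domain controllers with a traffic filter, and deploys it idempotently. The profile name `Corp-DeviceTunnel`, gateway `vpn.corp.example.com`, internal range `10.0.0.0/8`, domain controllers `10.0.0.10` and `10.0.0.11`, and suffix `corp.example.com` are assumptions.

```powershell
# Added example, not code from the thread. Deploys an IKEv2 device tunnel through the
# VPNv2 CSP WMI bridge. Must run as SYSTEM (psexec -s, a SYSTEM scheduled task, or
# Intune/ConfigMgr); device tunnels live in the machine context, not a user's.

$ProfileName   = 'Corp-DeviceTunnel'     # assumed profile name
$ServerAddress = 'vpn.corp.example.com'  # assumed gateway FQDN (must be a SAN on the server cert)
$DnsSuffix     = 'corp.example.com'      # assumed internal DNS suffix
$DcRange       = '10.0.0.10-10.0.0.11'   # assumed domain controllers

# Device tunnels need Windows 10 Enterprise or Education, build 16299 (1709) or later.
# Other SKUs accept the profile and then never connect, so fail loudly up front.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Enterprise|Education' -or [int]$os.BuildNumber -lt 16299) {
    throw "Device tunnels are unsupported on '$($os.Caption)' build $($os.BuildNumber); use a user tunnel instead."
}

# Machine-certificate auth: with no usable cert the profile deploys but IKE fails with
# credential errors such as 13801 (see the link in the long reply above).
$machineCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication'
}
if (-not $machineCert) { throw 'No machine certificate with the Client Authentication EKU in LocalMachine\My.' }

# TrustedNetworkDetection keeps the tunnel down when the machine is already on the corp
# network; the CryptographySuite replaces the weak 3DES/SHA-1/Group2 IKEv2 defaults.
$ProfileXML = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>$ServerAddress</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES128</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES128</CipherTransformConstants>
      <EncryptionMethod>AES128</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>ECP256</DHGroup>
      <PfsGroup>ECP256</PfsGroup>
    </CryptographySuite>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <DomainNameInformation>
    <DomainName>.$DnsSuffix</DomainName>
    <DnsServers>10.0.0.10,10.0.0.11</DnsServers>
  </DomainNameInformation>
  <TrafficFilter>
    <RemoteAddressRanges>$DcRange</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
"@

# The CSP expects the XML as an escaped string and the profile name URL-encoded.
$escapedXml  = $ProfileXML.Replace('<', '&lt;').Replace('>', '&gt;').Replace('"', '&quot;')
$escapedName = $ProfileName.Replace(' ', '%20')
$namespace   = 'root\cimv2\mdm\dmmap'
$className   = 'MDM_VPNv2_01'

$session = New-CimSession
# Delete any existing profile of the same name so re-running the script is idempotent.
foreach ($existing in $session.EnumerateInstances($namespace, $className)) {
    if ($existing.InstanceID -eq $escapedName) { $session.DeleteInstance($namespace, $existing) }
}

$instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
foreach ($p in @(
        @{ Name = 'ParentID';   Value = './Vendor/MSFT/VPNv2'; Flags = 'Key' },
        @{ Name = 'InstanceID'; Value = $escapedName;          Flags = 'Key' },
        @{ Name = 'ProfileXML'; Value = $escapedXml;           Flags = 'Property' })) {
    $instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
}
$null = $session.CreateInstance($namespace, $instance)

# Device tunnels appear in the all-users phonebook, not the current user's.
Get-VpnConnection -AllUserConnection -Name $ProfileName |
    Select-Object Name, TunnelType, ConnectionStatus, SplitTunneling
```

The traffic filter is the part worth keeping even if you loosen everything else: a device tunnel is up before anyone logs on, so limiting it to the domain controllers (and whatever management hosts you add) means a stolen, powered-on laptop exposes far less than a full-access tunnel would.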

Not sure what you’re really asking (Anyconnect SBL experiences or how to migrate to Windows /Ikev2 VPN)?

We’ve been using SBL for 5+ years now, starting with Anyconnect 3.1 and Windows 7, all the way to Anyconnect 4.x and Windows 10.
Some clients include 4G, others are “normal”.
Has worked out fine for us so far. Anything specific you want to know?

Thanks, I’ll take a look. We are using Windows 10 Enterprise, so no issue there.

How to use it and use Fast User Switching as well? As I understand it, it’s not possible, but it’s a requirement for our help desk staff.

Ultimately, though, we’d prefer to use the native Windows 10 VPN client with the ASA devices.

It’s indeed mutually exclusive. On the other hand, we’ve seen a drastic decline in help desk staff needing to actually log on to client devices. Things like RDP and its cousin Remote Assistance, combined with the magic of PowerShell, generally take care of this.

I guess it is technically possible to combine Windows 10 VPN with the ASA appliances. Wouldn’t recommend it, though, as inter-vendor compatibility for these kinds of Frankenstein solutions is in my experience almost always iffy and hell to troubleshoot. I’d suggest going all in on Microsoft then: Tutorial - Set up infrastructure for Always On VPN | Microsoft Learn

I’m trying to convert our help desk staff to using Quick Assist as the support tool, and they’re pleasantly surprised by it.