Cisco AnyConnect Secure Mobility Client v3.x Release Notes
Release Notes for Cisco AnyConnect Secure Mobility Client 3.0.x for Android Mobile Devices
New Features in AnyConnect 3.0.09073
• EAP methods: GTC, MD5, and MSCHAPv2
• IKEv2 methods: RSA
On the ASA, you enable IPsec connections for users in the group policy. For the AnyConnect client, you
specify the primary protocol (IPsec or SSL) for each ASA in the server list of the client profile.
On the mobile device, the user chooses Connect with IPsec when adding a VPN connection.
System Requirements for IPsec IKEv2
• ASA running version 9.0 or later
• ASDM 7.0.1 or later
• AnyConnect Essentials license or an AnyConnect Premium SSL VPN Edition license
FIPS and Suite B Cryptography
AnyConnect 3.0 for mobile devices incorporates Cisco Common Cryptographic Module (C3M), the
Cisco SSL implementation which includes FIPS 140-2 compliant cryptography modules and NSA Suite
B cryptography as part of its Next Generation Encryption (NGE) algorithms.
In AnyConnect 3.0 for mobile devices, Suite B cryptography is available for IPsec VPNs only;
FIPS-compliant cryptography is available for both IPsec and SSL VPNs.
Use of cryptography algorithms is negotiated with the headend while connecting. Negotiation is
dependent on the capabilities of both ends of the VPN connection. Therefore, the secure gateway must
also support FIPS-compliant and Suite B cryptography.
The user configures AnyConnect to accept only NGE algorithms during negotiation by enabling FIPS
Mode in the AnyConnect settings. When FIPS Mode is disabled, AnyConnect also accepts non-FIPS
cryptography algorithms for VPN connections.
AnyConnect 3.0 for mobile devices includes the following Suite B algorithms:
• AES-GCM support (128-, 192-, and 256-bit keys) for symmetric encryption and integrity
  – IKEv2 payload encryption and authentication (AES-GCM only)
  – ESP packet encryption and authentication
• SHA-2 (SHA with 256/384/512 bits) support for hashing
  – IKEv2 payload authentication
  – ESP packet authentication
• ECDH support for key exchange
  – Groups 19, 20, and 21 IKEv2 key exchange and IKEv2 PFS
• ECDSA support (256-, 384-, 512-bit elliptic curves) for digital signature, asymmetric encryption,
  and authentication
  – IKEv2 user authentication and server certificate verification
• Other cipher suite dependencies between algorithms promote support for the following:
  – Diffie-Hellman Groups 14 and 24 for IKEv2
  – RSA certificates with 4096 bit keys for DTLS and IKEv2
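The FIPS Mode negotiation rule described above and the Suite B algorithm list, modelled together as an added example (not Cisco code): the NGE sets are taken from the list in these notes, while the LEGACY sets, the sample proposals and the first-acceptable-proposal selection rule are constructed assumptions of this example rather than Cisco's documented behaviour.

```python
"""IKEv2 algorithm negotiation under AnyConnect FIPS Mode (added example, not
Cisco code). NGE sets come from the Suite B list in these release notes; the
LEGACY sets and the first-acceptable-proposal rule are constructed
assumptions of this example, not Cisco's actual selection logic.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proposal:
    """One IKEv2 transform set offered by the headend (secure gateway)."""
    encryption: str  # e.g. "AES-GCM-256"
    integrity: str   # integrity/PRF hash, e.g. "SHA-384"
    dh_group: int    # IKEv2 Diffie-Hellman group number
    auth: str        # peer authentication method, e.g. "ECDSA-384"

# Suite B / NGE algorithms as listed in the release notes.
NGE = {
    "encryption": {"AES-GCM-128", "AES-GCM-192", "AES-GCM-256"},
    "integrity": {"SHA-256", "SHA-384", "SHA-512"},
    "dh_group": {19, 20, 21},
    "auth": {"ECDSA-256", "ECDSA-384", "ECDSA-512"},
}
# Constructed sample of non-NGE algorithms the client also accepts when
# FIPS Mode is disabled (illustrative only, not Cisco's supported list).
LEGACY = {
    "encryption": {"AES-CBC-128", "AES-CBC-256", "3DES"},
    "integrity": {"SHA-1", "MD5"},
    "dh_group": {2, 5, 14},
    "auth": {"RSA-2048", "RSA-4096"},
}

def non_nge_components(p: Proposal) -> list[str]:
    """List the fields of a proposal that fall outside the NGE set."""
    return [f"{k}={getattr(p, k)}" for k in NGE if getattr(p, k) not in NGE[k]]

def supported(p: Proposal) -> bool:
    """True if every field is an algorithm the client implements at all."""
    return all(getattr(p, k) in NGE[k] | LEGACY[k] for k in NGE)

def negotiate(fips_mode: bool, offered: list[Proposal]) -> Optional[Proposal]:
    """Return the first headend proposal the client policy allows, else None."""
    # FIPS Mode on: only all-NGE proposals pass; off: any supported proposal.
    for p in offered:
        if supported(p) and (not fips_mode or not non_nge_components(p)):
            return p
    return None
```

A headend that offers only AES-CBC/SHA-1 style proposals yields None with fips_mode=True (the connection cannot be established) and that proposal with fips_mode=False, which is the behaviour a defender should verify when auditing what a gateway advertises.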