Cisco AnyConnect Secure Mobility Client v3.x Release Notes
Release Notes for Cisco AnyConnect Secure Mobility Client 3.0.x, for Apple iOS
New Features in AnyConnect 3.0.09097
On the mobile device, the user chooses Connect with IPsec when adding a VPN connection.
System Requirements for IPsec IKEv2
• ASA running version 9.0 or later
• ASDM 7.0.1 or later
• AnyConnect Essentials license or an AnyConnect Premium SSL VPN Edition license
FIPS and Suite B Cryptography
AnyConnect 3.0 for mobile devices incorporates Cisco Common Cryptographic Module (C3M), the Cisco SSL implementation, which includes FIPS 140-2 compliant cryptography modules and NSA Suite B cryptography as part of its Next Generation Encryption (NGE) algorithms.
In AnyConnect 3.0 for mobile devices, Suite B cryptography is available for IPsec VPNs only; FIPS-compliant cryptography is available for both IPsec and SSL VPNs.
Use of cryptography algorithms is negotiated with the headend while connecting. Negotiation is dependent on the capabilities of both ends of the VPN connection. Therefore, the secure gateway must also support FIPS-compliant and Suite B cryptography.
The user configures AnyConnect to accept only NGE algorithms during negotiation by enabling FIPS Mode in the AnyConnect settings. When FIPS Mode is disabled, AnyConnect also accepts non-FIPS cryptography algorithms for VPN connections.
AnyConnect 3.0 for mobile devices includes the following Suite B algorithms:
• AES-GCM support (128-, 192-, and 256-bit keys) for symmetric encryption and integrity
  – IKEv2 payload encryption and authentication (AES-GCM only)
  – ESP packet encryption and authentication
• SHA-2 (SHA with 256/384/512 bits) support for hashing
  – IKEv2 payload authentication
  – ESP packet authentication
• ECDH support for key exchange
  – Groups 19, 20, and 21 IKEv2 key exchange and IKEv2 PFS
• ECDSA support (256-, 384-, 512-bit elliptic curves) for digital signature, asymmetric encryption, and authentication
  – IKEv2 user authentication and server certificate verification
• Other cipher suite dependencies between algorithms promote support for the following:
  – Diffie-Hellman Groups 14 and 24 for IKEv2
  – RSA certificates with 4096-bit keys for DTLS and IKEv2
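As an added illustration (not Cisco code), the following Python models how enabling FIPS Mode narrows IKEv2 proposal acceptance to the NGE algorithms listed above, and why a headend that offers only non-NGE proposals cannot complete the connection. The Proposal structure, algorithm name strings and the legacy algorithm list are constructed for the example; whether Groups 14/24 and RSA-4096 count as NGE under FIPS Mode is not stated in these notes and is treated here as an assumption (non-NGE).

```python
"""Toy model of how the FIPS Mode toggle narrows IKEv2 proposal selection."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Next Generation Encryption (NGE) algorithms as listed in the release notes.
# "NONE" integrity marks a combined-mode (AEAD) proposal, since AES-GCM
# provides both encryption and integrity in a single algorithm.
NGE_ENCRYPTION = {"AES-GCM-128", "AES-GCM-192", "AES-GCM-256"}
NGE_INTEGRITY = {"SHA-256", "SHA-384", "SHA-512", "NONE"}
NGE_DH_GROUPS = {19, 20, 21}
NGE_AUTH = {"ECDSA-256", "ECDSA-384", "ECDSA-512"}

# Constructed list of older algorithms a client accepts only with FIPS Mode off.
# Groups 14/24 and RSA-4096 are supported per the notes; classing them as
# non-NGE for FIPS Mode is an assumption of this example, not a Cisco statement.
LEGACY_ENCRYPTION = {"AES-CBC-128", "AES-CBC-256", "3DES"}
LEGACY_INTEGRITY = {"SHA-1", "MD5"}
LEGACY_DH_GROUPS = {2, 5, 14, 24}
LEGACY_AUTH = {"RSA-2048", "RSA-4096", "PSK"}


@dataclass(frozen=True)
class Proposal:
    """One IKEv2 proposal from the peer, simplified to one algorithm per slot."""
    encryption: str
    integrity: str
    dh_group: int
    auth: str


def acceptable(p: Proposal, fips_mode: bool) -> bool:
    """Return True if the client's policy permits this proposal in the given mode."""
    enc, integ, dh, auth = NGE_ENCRYPTION, NGE_INTEGRITY, NGE_DH_GROUPS, NGE_AUTH
    if not fips_mode:  # FIPS Mode off: non-FIPS algorithms are accepted as well
        enc, integ = enc | LEGACY_ENCRYPTION, integ | LEGACY_INTEGRITY
        dh, auth = dh | LEGACY_DH_GROUPS, auth | LEGACY_AUTH
    is_aead = p.encryption.startswith("AES-GCM")
    # IKEv2 payload protection with AES-GCM is "AES-GCM only": no separate
    # integrity algorithm is paired with it; a non-AEAD cipher needs one.
    if is_aead != (p.integrity == "NONE"):
        return False
    return (p.encryption in enc and p.integrity in integ
            and p.dh_group in dh and p.auth in auth)


def negotiate(peer_proposals: Iterable[Proposal], fips_mode: bool) -> Optional[Proposal]:
    """First proposal both ends support; None means the gateway offers nothing acceptable."""
    for p in peer_proposals:
        if acceptable(p, fips_mode):
            return p
    return None
```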
Requirements
• FIPS and/or Suite B support is required on the secure gateway. Cisco provides Suite B capability on the ASA version 9.0 and later, and FIPS capability on the ASA version 8.4.1 and later.
• An AnyConnect Premium license is required for FIPS or Suite B remote access connections to the ASA.