Cisco has ceased development on the IPSec VPN client and shifted to pushing the SSL VPN client for remote VPN access on both IOS and ASA platforms. But that costs up to USD$125 per VPN client. Is that good for customers? Or are we being shafted to increase revenue? The Cisco VPN Client that uses IPSec as a dynamic remote access method to IOS, ASA, PIX and C6500 VPN modules is basically dead. From the Cisco Web site:
“The Cisco VPN client supports Windows 2000, XP and Vista (x86/32-bit only); Linux (Intel); Mac OS X 10.4; and Solaris UltraSparc (32 and 64-bit). For x64 (64-bit) Windows support, you must utilize Cisco’s next-generation Cisco AnyConnect VPN Client.”
And from the product Q&A:
“Cisco VPN Client Version 5 is available for 32-bit Windows Vista. There are no current plans to provide 64-bit support for the Cisco VPN Client but 64-bit support is available for the Cisco AnyConnect VPN Client.”
There don’t seem to be any End of Life or End of Support notices, so the current version must still be supported, but it has no future.
You can choose any technology, so long as it is SSL VPN
A quick look at Cisco AnyConnect will confirm that this is an SSL VPN technology only. So this leads me to a few conclusions:
- Cisco isn’t planning on continuing the Cisco VPN Client.
- Cisco doesn’t like IPSec as a dynamic secure remote access method.
- You must choose SSL VPN for remote access, because Cisco says so.
- I need to start planning to replace the Cisco VPN client in the next year or two. On several thousand desktops.
- Which is going to be great.
- And replace it with a technology that isn’t nearly so lovely, simple and well understood.
- This looks like it’s saving Cisco money – they don’t have to develop and maintain two clients.
- But it is going to cost us a shedload of cash.
Which would be fine, I suppose, if I could find a good reason why changing from IPsec to SSL would be a Good Thing (tm).
What’s good about SSL VPN then?
I was reading through some notes from Networkers and made the following list:
- SSL VPNs have three modes: clientless, thin client and full client.
- Clientless VPNs let you create a portal, which you can customise.
- Clientless mode also allows application translation, e.g. CIFS drive shares presented in a web page.
- In thin client mode, you can deliver Java plugins that give access to services such as Citrix, SSH, Telnet and RDP without having the client programs on your PC.
- The thick (full) client acts the same as the IPSec VPN client, but can be installed (initiated) from the web browser (sort of).
- The SSL VPN client is NOT FREE (not so good).

Did I mention that the SSL VPN Client option is not FREE….
So the IPSec VPN, which most of us are very happy with and used to, is free for an unlimited number of users. But the replacement requires a license for every user past two.
And you will be forced to upgrade, since the VPN Client doesn’t work on modern systems [1].
Yeah, I’ve got the same feeling as you.
I am going to pay for an SSL VPN technology that Cisco is forcing me to move towards.
They have chosen to do that. Now that is customer focused.
How much?
Here are the USD list prices for the SSL licenses:
IOS SSL VPN Licences
| SKU | Description | List price (USD) |
| --- | --- | --- |
| FL-WEBVPN-10-K9 | Feature License IOS SSL VPN Up To 10 Users (Incremental) | $300 |
| FL-WEBVPN-25-K9 | Feature License IOS SSL VPN Up To 25 Users (Incremental) | $750 |
| FL-WEBVPN-100-K9 | Feature License IOS SSL VPN Up To 100 Users (Incremental) | $3,000 |
ASA SSL VPN Licences
| SKU | Description | List price (USD) |
| --- | --- | --- |
| ASA5500-SSL-10 | ASA 5500 SSL VPN 10 Premium User License | $1,250 |
| ASA5500-SSL-25 | ASA 5500 SSL VPN 25 Premium User License | $3,095 |
| ASA5500-SSL-50 | ASA 5500 SSL VPN 50 Premium User License | $3,995 |
| ASA5500-SSL-100 | ASA 5500 SSL VPN 100 Premium User License | $7,995 |
| ASA5500-SSL-250 | ASA 5500 SSL VPN 250 Premium User License | $19,995 |
| ASA5500-SSL-500 | ASA 5500 SSL VPN 500 Premium User License | $29,995 |
| ASA-SSL-10-25= | ASA 5500 SSL VPN 10 to 25 Premium User Upgrade License | $1,895 |
| ASA-SSL-25-50= | ASA 5500 SSL VPN 25 to 50 Premium User Upgrade License | $1,995 |
| ASA-SSL-50-100= | ASA 5500 SSL VPN 50 to 100 Premium User Upgrade License | $3,995 |
Rule of Thumb
So an IOS SSL VPN connection is going to cost about USD$30 per concurrent connection.
An ASA SSL VPN is going to cost USD$125 per concurrent connection (at the 10-user tier).
OUCH!
Remember that a lot of companies use VPNs as a DR feature, and that is the peak-load condition, when, say, 40% of users might connect from home. This means that SSL VPN licenses are poor value for money, since the seats you pay for are only used in exceptional circumstances.
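To put the rule of thumb and the DR scenario above on the same footing, here is a small planner (an added example, not part of the original post): it sizes the concurrent seat count from a peak percentage, finds the cheapest combination of the IOS incremental licenses and the smallest single ASA tier using the list prices from the tables, and reports the cost per concurrent seat. It assumes the IOS “Incremental” licenses stack and that an ASA box carries a single Premium tier; both are assumptions read from the SKU descriptions.

```python
# Added example (not from the post): seat-count and license-cost planner built from the
# list prices quoted above. Assumptions: IOS "Incremental" licenses stack; an ASA box
# carries one Premium tier (the table lists upgrade SKUs, not add-ons).
IOS_TIERS = [(10, 300), (25, 750), (100, 3000)]          # (seats, USD list price)
ASA_TIERS = [(10, 1250), (25, 3095), (50, 3995), (100, 7995),
             (250, 19995), (500, 29995)]

def concurrent_seats(total_users, peak_percent):
    """Seats needed when peak_percent of the user base connects at once
    (the post's DR case: 40% working from home). Integer maths, rounded up."""
    return (total_users * peak_percent + 99) // 100

def cheapest_stack(seats, tiers):
    """Cheapest combination of stackable licenses covering at least `seats`.
    dp[n] = minimum cost to cover n seats; any tier may be bought repeatedly."""
    dp = [0] + [None] * seats
    pick = [None] * (seats + 1)
    for n in range(1, seats + 1):
        for size, price in tiers:
            cand = dp[max(0, n - size)] + price
            if dp[n] is None or cand < dp[n]:
                dp[n], pick[n] = cand, size
    bundle, n = {}, seats
    while n > 0:                      # walk the choices back to list the SKUs
        bundle[pick[n]] = bundle.get(pick[n], 0) + 1
        n = max(0, n - pick[n])
    return dp[seats], bundle

def smallest_single_tier(seats, tiers):
    """Smallest single (non-stacking) license whose seat count covers `seats`."""
    for size, price in sorted(tiers):
        if size >= seats:
            return price, {size: 1}
    raise ValueError(f"no single tier covers {seats} seats")

def per_seat(cost, seats):
    """Cost per concurrent connection, the post's rule-of-thumb figure."""
    return round(cost / seats, 2)

def plan(total_users, peak_percent):
    """Compare both platforms for one estate; returns (seats, ios_cost, asa_cost)."""
    seats = concurrent_seats(total_users, peak_percent)
    ios_cost, ios_bundle = cheapest_stack(seats, IOS_TIERS)
    asa_cost, asa_bundle = smallest_single_tier(seats, ASA_TIERS)
    print(f"{total_users} users, {peak_percent}% peak -> {seats} concurrent seats")
    print(f"  IOS: ${ios_cost:,} {ios_bundle} = ${per_seat(ios_cost, seats)}/seat")
    print(f"  ASA: ${asa_cost:,} {asa_bundle} = ${per_seat(asa_cost, seats)}/seat")
    return seats, ios_cost, asa_cost

if __name__ == "__main__":
    plan(1000, 40)   # the post's DR scenario on a large desktop estate
    plan(25, 40)     # a small office: 10 seats, the tier the $125/seat figure comes from
```

Every IOS tier in the table works out to $30 per seat, so the IOS figure holds at any size, whereas the ASA per-seat cost falls from $125 at the 10-user tier to about $60 at the 500-user tier.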
Where’s the WIN then
To be frank, I’m not sure. For most people, IPSec is the default choice. It’s simple, well known, easy to do and doesn’t cost anything.
SSL VPN is a bewildering array of policies for inheritance and self-configuration. It has all the features of the IPSec client for AAA and maintenance, plus some fancy clientless modes. But it costs quite a bit.
Lack of Competition
The IPSec VPN client was made free when all the firewall vendors had VPN capability. But the current lack of competition in SSL VPNs means that prices aren’t likely to come down. For example, F5 and Juniper need volume licensing on their SSL VPN products to make any money at all. CheckPoint always charges for everything until they lose market share. So there isn’t much motivation for Cisco to remove volume licensing on SSL.
And by discontinuing the IPSec VPN Client, Cisco is forcing you to pay the license fee.
So Help Me out….
Are there any features or special powers that SSL VPN has that I can pitch to justify the migration? Is there some justification that SSL has inherent magical powers, or is this a cynical revenue grab?
Sound off in the comments. I’d love to find out.
Footnotes
1. Not straight away; one day Microsoft will ship a version of Windows to replace Windows XP.

MS ships an IPsec client in everything since Win2k; will this not work with Cisco hardware? I haven’t touched it in years but remember it only being a mild pain to get working with Linux IPSec servers.
The Windows client doesn’t support split tunneling, routing or have any debugging features. It also doesn’t have much integration with desktop security products. I can’t imagine that Microsoft made it any better.
I’ve been playing with SSL VPNs for a while now, as I have a lot of customers with Windows Vista x64 clients, and they have been saying since 2006ish that they have no plans to support x64 Windows systems using the IPSec client. Of course, at the time IOS did not support AnyConnect, and AnyConnect did not yet support Vista x64!
I have many users who have been using the IPSec client, and are going to be very upset when they find out that they have to pay for each user going forward!
Cisco’s made my life harder as I often pitch VPN as a DR access method, now I have to come up with another solution.
I think this is the start of lots of licensing on IOS platforms, we are going to see more gouging of loyal customers going forward from the 800lb network gorilla.
The IPSec Client is a solid product from Cisco; we’ve been sitting on 4.8.02 for a number of years – no plan to change, bar a move to 5.x if at some stage Windows 7 becomes part of our SOE.
Interesting to note (from memory) that the built-in MS Windows IPSec Client is Cisco licensed – recall problems with Zone Alarm and the Cisco .dlls that MS uses.
The SSL client isn’t bad; AnyConnect was a huge improvement. It does have its advantages, yet also some major disadvantages – cost being one. We primarily use SSL VPN as a backup to IPSec VPN.
Perhaps a key part of the issue is Cisco needs to be able to virtualise their VPN capabilities to keep up with the market, easier with SSL? Whatever the case, I don’t see this as a wise move, although they have already killed off PPTP support. Is Cisco getting too big for its own shoes?
I agree that killing off the IPSec client is a mistake, but I wanted to add that for DR purposes there is an ICE (In Case of Emergency) licensing option that allows you to burst licenses for short periods instead of having to have them permanently.
This is another decision which is taken by the idea “we are big, popular and we can afford to force people into some expensive technology”. I agree that at one point it is time for a change in the product line, but why does the new one have to be so expensive?
The licensing of the SSL VPN client has changed with the Cisco 8.2 release; there are now two types of SSL VPN client, and the one being licensed is the one that does posture assessment. So you can still have the same functionality as IPsec with Cisco AnyConnect Essentials…
It seems like your article here has information several months old, and the fact you don’t understand the new client shows. It’s better in almost every way.
One of the reasons Cisco is doing away with its traditional IPSEC client is because it’s long in the tooth. It was developed by Altiga over 10 years ago and you can only do so much with that code. Also, IPSEC was never designed to be a user VPN solution, which is why *any* vendor’s XAUTH mechanism (phase 1.5 if you will) is pretty much a hack. Of course, if anyone has to deal with multiple VPN clients, it’s a pain because of where IPSEC is inserted into the stack. It’s pretty much a ring-0/kernel driver, and competing IPSEC clients don’t play well with others for that same reason. That’s also why it’s difficult to keep up with 64-bit Windows since Microsoft has much stricter rules for driver development. Could they have done it? Yes, but that was the last straw that made it easier to develop a new client. I don’t know why anyone is upset that they are dumping a 10 year old technology for something better. Should we all still be running Windows 98 and PPTP too?
The new AnyConnect client is based on OpenVPN and can run on most major platforms, including 64-bit. This is much easier to develop since it runs in user space and will no longer conflict with any other VPN client. Juniper also has an SSL-based VPN client and other vendors are going this way – don’t just blame Cisco. One of the benefits of this client is you can have multiple VPNs coming from the same box under different users, like from a MS Terminal server, and they will work fine! The routes and encryption are processed in user space, not at the system level, so this is possible. (That’s my favorite “cool” new feature). I heard that Cisco will be adding IPSEC back to this client in the future, for those who want to use it, although I don’t know why. The SSL based protocols like DTLS work so much better without having to deal with IPSEC/NAT hacks.
Anyway….. licensing. The “old” AnyConnect licensing (old meaning just last month) is now called AnyConnect Premium and does indeed cost an arm-and-a-leg. Most people do not need this as it includes both the web based SSL and AnyConnect VPN client, shared licenses between ASAs and other things. The basic AnyConnect VPN client is now the AnyConnect Essentials license, and it’s one license PER ASA BOX, for a nominal fee. It ain’t much. This is much more in line with other vendors now. This is new as of firmware 8.2.
We are currently using a free, third-party IPSec client (www.shrew.net) for our 64-bit and Windows 7 systems, so as long as the support stays in the ASA software, we can continue to use IPSec without any major problems. But we do not have thousands of users.
I’ve been working on shrew.net for quite a few years now. Even helped with the development for Sidewinder and the linux client.
Great stuff and easy to work with.
Hmm…
“The new AnyConnect client is based on OpenVPN and can run on most major platforms, including 64-bit.”
Thanks for confirming our decision to save a ‘shedload’ and just use openvpn. I don’t think anyone is saying the new client isn’t better, just that it is a big step to go from free to $60+ a user.
I found this piece interesting and wonder if the author has configured SSL VPN or if his conclusions are just a response to the literature. The Essentials license costs a one time fee of 150 per box and there are other interesting licensing capabilities that have been introduced with the Premium version including flex and shared licenses.
For this section:
“I need to start planning to replace the Cisco VPN client in the next year or two. On several thousand desktops. Which is going to be great and replace it with a technology that isn’t nearly so lovely, simple and well understood”
I think one of the benefits of the ASA SSL VPN solution is that it is a no touch deployment. Your end user opens a web page and logs in. If their connection profile requires use of the SSL VPN client then it gets installed the first time and can be stored locally to be launched the next time from the start menu or by accessing the portal again.
Depending on what you need to do you can make secure authenticated access for your end users a no brainer, but if you just want to extend your network to your end users’ machines the Essentials license can do everything you do today without needing a VPN profile configured for each site that needs to be added to each IPSec VPN installation.
Every client that I demo the SSL VPN solution to buys into it, and some have rolled out deployments in excess of 1K users without having to touch each machine and only talk to a handful of users that had issues that would have needed to be addressed with the IPSec VPN solution also.
Thanks for presenting a forum for discussing this new technology.
-t
At time of writing, I wasn’t aware of the Essentials license. That said, it’s still a ripoff to have to pay for VPN when it was free before.
I find the no client SSL VPN to be worthless. It only suits certain specific software, it’s painful to configure and even worse to train staff so they know how to support it. Using ACS to set the parameters is a complete nightmare.
IPSec is simple to use, has limited choices which makes it easy to support. It is used very widely and worth keeping.
The Cisco AnyConnect client is far superior to the crappy IPSec client. From my testing on Vista the client is faster when running DTLS than the IPSec one. The new Essentials license makes this a no brainer.
You are correct that the AnyConnect client is a complete rewrite. My question is why doesn’t Cisco rewrite the IPSec client? Why force us to use SSL only by stopping the IPSec client?
I want choice or, at least, an explanation. Why should we not use IPSec when it has worked so well for the last five years?
You do have a choice: Pay cisco for the SSL upgrade (if your device supports it), or pay for a new client…
http://www.ncp-e.com/en/solutions/vpn-products/secure-entry-client.html
Not much of a choice is it. Why pay for it when I had it for free before?
(Yes, I know the answer is: Because the competition is charging for it, so can we. It’s a rhetorical question.)
I just tried this free Shrew IPsec VPN client; it works well in Vista x64 and Win 7 RC x64. I was also able to import a Cisco .pcf directly into Shrew. Just select the pcf file and import.
http://www.shrew.net/software
Shrew has support for Windows, Linux and BSD.
There is no need to buy the NCP VPN client or TheGreenBow VPN client.
Thank you. Confirmation is good to know. I can use this in my own networks knowing that other people have tested it.
Reading from the top (article first, then all the comments), the problem here is not one or two disgruntled IPSec users being abandoned by Cisco that can use a free-ware client …. this is a painful enterprise issue now.
YES, there is cause for both IPSec and SSL to coexist. For IPSec use, you need central policy control / management / NAC ‘patdowns’ over ALL clients, including 64-bit VPN clients. With Cisco out of the picture, the market is free for focused and mature providers to step in, like Andrew mentioned, NCP is the one I am familiar with. More info here:
http://vpnhaus.wordpress.com/
You are really assuming a lot that Cisco is not going to support IPSec in Anyconnect in the near future. A bigger font doesn’t make your assumption any more true.
IPSec support in Anyconnect has not been needed when there has been a perfectly functional IPSec client available. IPSec isn’t just going to disappear and Cisco engineers and TME’s aren’t stupid. *cough*
First off, if you check out CDW for AnyConnect licenses, you will notice that a 25 concurrent user connection license is $69.99 and the 10,000 concurrent user connection license is $333.99. Not quite $125 per user.
But on a more important note, not all is lost for the IPSec client, we have posted a BETA Cisco VPN Client “IPSec” for Windows 7, Version 5.0.06.0100 can now be gotten from cisco.com.
If you have any problems, email cvc-beta(at)cisco(dot)com and let us know.
Can you name another company other than Cisco who gives away (yes, FREE) a VPN client and then provides 24 x 7 technical support?
So since when does it make sense for a company to sink all that money into developing a client that not only are they not getting paid to develop but also losing even more money in the support of the client that they keep doing development work on?
Cisco AnyConnect Essentials VPN Client is not the same as Cisco SSL VPN Premium; it is an IPSEC / SSL client that costs less. We implemented it a few weeks ago and it cost less than $200 for up to 250 users.
The following link explains the differences: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html
We may be a corner-case in the marketing strategy, but we support a hundred different customers over inexpensive 8xx series devices (couple different models.) We also have other VPN’s for support and access but the customer support network is the primary problem with the effective end-of-life of the Cisco VPN Client.
What has not been mentioned in this dialogue to this point is that the router performance capabilities using the Cisco VPN Client can be a factor of 5. The 871 will support 10 VPN tunnels. It will support only 2 SSL VPN tunnels. The 1800 supports 50 IPsec or 25 SSL. The relationship carries through the entire product line.
We have a fully-functional, multi-point VPN architecture deployed and in use by well over 1000 support staff. How could incurring the costs of design, licensing, hardware, deployment, support and maintenance be justified?
To make the situation worse, Cisco has not been open with their plans despite two years of asking about 64 bit windows support in the existing VPN client. Our parent company already wanted us to dump the Cisco solution. Unfortunately, I’m out of good answers as to why we should not just do so. Cisco had gotten pretty good about sufficient end-of-life announcements. They really blew this one though.
The irony is that Cisco had one of the most flexible IPSEC implementations available but they apparently are going to abandon it to become a 3rd rate SSL VPN vendor.
See: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72.html
So is there any alternative besides using the Cisco VPN AnyConnect? Just wondering, since Cisco VPN AnyConnect is based on OpenVPN, so can OpenVPN be used to connect?