He has been training Cisco courses for over 15 years and has delivered instructor-led courses in various countries around the world covering a wide range of Cisco topics from CCNA to CCIE. David is very active on social media and has over 250,000 YouTube subscribers and has posted over 1,000 free videos.

Duo + AnyConnect. Once integrated with your Cisco ASA VPN, Duo’s two-factor authentication (2FA) verifies the identity of your users and checks the security health of their devices before they access your applications.

Cisco AnyConnect VPN is available for download via the Related Downloads box to the right on this page, or you can install it from the Windows Software Center.

Managed Computer (On MESA) / Unmanaged Computer (Not on MESA)

If Your Computer is on MESA

Step 1. Open Software Center by clicking the Start Button > All Programs > Microsoft System Center.

This topic provides a route-based configuration for a Cisco IOS device. The configuration was validated using a Cisco 2921 running IOS version 15.4(3)M3.
Oracle provides configuration instructions for a set of vendors and devices. Make sure to use the configuration for the correct vendor.
If the device or software version that Oracle used to verify the configuration does not exactly match your device or software, the configuration might still work for you. Consult your vendor's documentation and make any necessary adjustments.
If your device is for a vendor not in the list of verified vendors and devices, or if you're already familiar with configuring your device for IPSec, see the list of supported IPSec parameters and consult your vendor's documentation for assistance.
VPN Connect is the IPSec VPN that Oracle Cloud Infrastructure offers for connecting your on-premises network to a virtual cloud network (VCN).
The following diagram shows a basic IPSec connection to Oracle Cloud Infrastructure with redundant tunnels. IP addresses used in this diagram are for example purposes only.
Best Practices
This section covers general best practices and considerations for using VPN Connect.
Configure All Tunnels for Every IPSec Connection
Oracle deploys two IPSec headends for each of your connections to provide high availability for your mission-critical workloads. On the Oracle side, these two headends are on different routers for redundancy purposes. Oracle recommends configuring all available tunnels for maximum redundancy. This is a key part of the 'Design for Failure' philosophy.
Have Redundant CPEs in Your On-Premises Network Locations
Each of your sites that connects with IPSec to Oracle Cloud Infrastructure should have redundant edge devices (also known as customer-premises equipment (CPE)). You add each CPE to the Oracle Console and create a separate IPSec connection between your dynamic routing gateway (DRG) and each CPE. For each IPSec connection, Oracle provisions two tunnels on geographically redundant IPSec headends. For more information, see the Connectivity Redundancy Guide (PDF).
Routing Protocol Considerations
When you create an IPSec VPN, it has two redundant IPSec tunnels. Oracle encourages you to configure your CPE to use both tunnels (if your CPE supports it). Note that in the past, Oracle created IPSec VPNs that had up to four IPSec tunnels.
The following two routing types are available, and you choose the routing type separately for each tunnel in the IPSec VPN:
- BGP dynamic routing: The available routes are learned dynamically through BGP. The DRG dynamically learns the routes from your on-premises network. On the Oracle side, the DRG advertises the VCN's subnets.
- Static routing: When you set up the IPSec connection to the DRG, you specify the particular routes to your on-premises network that you want the VCN to know about. You also must configure your CPE device with static routes to the VCN's subnets. These routes are not learned dynamically.
- Policy-based routing: When you set up the IPSec connection to the DRG, you specify the particular routes to your on-premises network that you want the VCN to know about. You also must configure your CPE device with static routes to the VCN's subnets. These routes are not learned dynamically.

For more information about routing with VPN Connect, including Oracle recommendations on how to manipulate the BGP best path selection algorithm, see Routing for the Oracle IPSec VPN.
Other Important CPE Configurations
Ensure access lists on your CPE are configured correctly to not block necessary traffic from or to Oracle Cloud Infrastructure.
If you have multiple tunnels up simultaneously, you may experience asymmetric routing. To allow for asymmetric routing, ensure that your CPE is configured to handle traffic coming from your VCN on any of the tunnels. For example, you need to disable ICMP inspection, configure TCP state bypass, and so on. For more details about the appropriate configuration, contact your CPE vendor's support. To configure routing to be symmetric, refer to Routing for the Oracle IPSec VPN.
Installing the VPN Client
- Download the AnyConnect VPN client for Windows. Note: If you're using Microsoft Edge, the program will download as a 'sys_attachment.do' file. You will need to rename the file to 'sys_attachment.msi'.
- If you have the Windows Surface Pro X tablet with an ARM-based processor, you should download the AnyConnect VPN client for ARM64.
- Click Run on the Open File – Security Warning dialog box.
- Click Next in the Cisco AnyConnect Secure Mobility Client Setup dialog box, then follow the steps to complete the installation. NOTE: We recommend you un-check everything (Web Security, Umbrella, etc.) except for the VPN and the Diagnostic and Reporting Tool (DART). This will give you a minimal install. The other features are not supported, so there's no need to install them.
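
Because the Edge download arrives with the wrong extension and has to be renamed by hand, it is worth confirming the file is the signed Cisco installer before running it. The following PowerShell is an added example, not part of the original instructions; the Downloads path and the expected signer name are assumptions to adjust for your environment.

```powershell
# Added example: the paths and expected signer below are assumptions, not values from this page.
$downloaded     = Join-Path $env:USERPROFILE 'Downloads\sys_attachment.do'   # name Edge gives the file
$installer      = Join-Path $env:USERPROFILE 'Downloads\sys_attachment.msi'
$expectedSigner = 'Cisco Systems, Inc.'   # assumed certificate common name; confirm with your IT department

# Rename the Edge download so Windows treats it as an MSI package.
if (Test-Path -LiteralPath $downloaded) {
    Rename-Item -LiteralPath $downloaded -NewName (Split-Path $installer -Leaf)
}
if (-not (Test-Path -LiteralPath $installer)) {
    throw "Installer not found at $installer"
}

# Check the Authenticode signature before running anything.
$sig = Get-AuthenticodeSignature -LiteralPath $installer
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; do not run this installer."
}

# Compare the signer's common name with the expected publisher.
$signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
if ($signer -ne $expectedSigner) {
    throw "Unexpected signer: $signer"
}

# Print the hash so it can be compared with a published value, if your IT department provides one.
$hash = (Get-FileHash -LiteralPath $installer -Algorithm SHA256).Hash
Write-Host "Signature valid, signed by: $signer"
Write-Host "SHA256: $hash"

# Start the interactive installer; the feature selection described in the last step still applies.
Start-Process -FilePath 'msiexec.exe' -ArgumentList '/i', "`"$installer`"" -Wait
```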
Starting the VPN Client
- Go to Start->Programs->Cisco->Cisco AnyConnect Secure Mobility Client to launch the program.
- Enter vpn.uci.edu in the Ready to Connect to field, then press the Connect button.
- Select your desired connection profile from the Group drop-down menu:
  - UCIFULL – Route all traffic through the UCI VPN.
    - IMPORTANT: Use UCIFULL when accessing Library resources.
  - UCI – Route only campus traffic through the UCI VPN. All other traffic goes through your normal Internet provider.
- Enter your UCInetID and password, then click OK.
- A banner window will appear. Click Accept to close that window. You are now connected!
Disconnecting the VPN Client
When you are finished using the VPN, remember to disconnect.
- Right-click the AnyConnect client icon located in the system tray near the bottom right corner of your screen.
- Select Quit.
