Cisco killing off IPsec VPN Client, forcing even more licensing fees

July 2nd, 2009 by Chris Buechler

It doesn’t come as a surprise to me, given that the client is still flaky on Vista and Windows 7 to this day and there is still no version compatible with 64-bit Windows (and never will be): Cisco has ceased development of their IPsec VPN client. They’re forcing users to their SSL VPN product, which comes along with per-user licensing fees – something that did not apply to the IPsec VPN client. Cisco customers are paying an arm and a leg for the ASA and/or IOS hardware, and ought to have continued to be able to use any VPN without additional licensing fees on top of that.

But thanks Cisco, from a Cisco certified professional now making a good chunk of his living off replacing Cisco hardware with pfSense. I’m sure you’ve just driven a lot of folks to look at lower cost options, especially open source.

Can’t say I really care for the Cisco VPN Client anyway; it has blue screened Windows on me more in the past couple of years than everything else combined (though the Mac version has never caused me any trouble).

Shrew Soft IPsec client is a nice, free alternative that’s proven to be more stable in my experience.

22 Responses to “Cisco killing off IPsec VPN Client, forcing even more licensing fees”

  1. Ted Says:

    Interestingly enough, I was just having a discussion about this very thing the other day with a friend who now installs pfSense boxes for all of his clients (after he saw *my* production units).

    He was confused that he recently lost a few installs to Cisco ASA boxes, even though his pfSense-embedded boxes are hundreds (even thousands) of dollars cheaper than the Cisco “equivalent”. Cisco is now making his job even easier!

    I’ve been running pfSense since the early alphas – and I’ve replaced all but a handful of Cisco edge devices with pfSense. I have dozens of laptops connecting via VPN daily and I’d hate to have to use the buggy Cisco client to accomplish that.

  2. Steven Says:

    I am in the same boat as you. Replacing Cisco with PFSense is now an obsession. I’ve been using Shrew vpn client as well, and I am quite happy with it. It’s reliable and free. Same goes for PFSense, although there is quite a bit more value there. I am amazed at how well it all works together, even with “beta” pfsense. I haven’t had any issues running site-to-site in a hub/spoke fashion with Sonicwall, Linksys (RV) and Cisco routers. It just works, and was trivial to get going. I am spreading the gospel of pfsense – hopefully others will find it as great as I do. Keep up the great work!

  3. Stefan Sczekalla Says:

    The mentioned VPN-Client looks promising.

    It would be nice if you could write a short howto for the non-GURU type users, and publish this in the shrew-soft support forum.

    Kind regards, Stefan

  4. Mark Says:

    I used to be a dyed-in-the-wool Cisco guy, but now I use pfsense firewalls and ebay HP procurve switches. I can set up networks for pennies on the dollar of what I used to have to pay for Cisco.

  5. John Dunsire Says:

    Thanks for the link to Shrew VPN client – I’ve spent all afternoon playing with it on Windows 7 RC x64. I spent ages searching for a Cisco VPN Client replacement for Windows x64 and only found 1 good one that was crazy expensive. Shrew VPN works a treat connecting to all the Cisco PIXes I support, unless you’re using SDI to SecurID server for auth.

    However, with the ASA 8.2 software release Cisco have introduced the AnyConnect Essentials License: basic tunnel support for a fixed price per firewall, allowing up to the device’s maximum number of supported connections, e.g. ASA5510 = 250. The Essentials license is cheap too, about $200 AUD.

    However it’s still not as cheap as using pfSense. pfSense is creeping in to so many of our client’s networks these days. We use it heavily in ESX servers for firewalling hosted virtual servers for our clients.

  6. jim-p Says:

    Stefan,

    We have a how-to available on the Documentation Wiki already:

    http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

  7. Robert Says:

    Wow, a lot of misinformation here. I’m sorry about your troubles with the Cisco IPSEC client, but I have had it installed (both 4.8x and 5.0x) for over 1000 users and have no issues.

    One of the reasons Cisco is doing away with its traditional IPSEC client is because it’s long in the tooth. It was developed by Altiga over 10 years ago and you can only do so much with that code. Also, IPSEC was never originally intended to be a user VPN solution, which is why *any* vendor’s XAUTH mechanism (phase 1.5 if you will) is pretty much a hack. Of course, if anyone has to deal with multiple VPN clients, it’s a pain because of where IPSEC is inserted into the stack. It’s pretty much a ring-0/kernel driver, and competing IPSEC clients don’t play well with others for that same reason. That’s also why it’s difficult to keep up with 64-bit Windows since Microsoft has much stricter rules for driver development. Could they have done it? Yes, but that was the last straw that made it easier to develop a new client.

    The new AnyConnect client is based on OpenVPN and can run on most major platforms, including 64-bit. This is much easier to develop since it runs in user space and will no longer conflict with any other VPN client. Juniper also has an SSL-based VPN client and other vendors are going this way – don’t just blame Cisco. One of the benefits of this client is you can have multiple VPNs coming from the same box under different users, like from a MS Terminal server, and they will work fine! The routes and encryption are processed in user space, not at the system level, so this is possible. (That’s my favorite “cool” new feature). I heard that Cisco will be adding IPSEC back to this client in the future, for those who want to use it, although I don’t know why. The SSL-based protocols like DTLS work so much better without having to deal with IPSEC/NAT hacks.

    Anyway… licensing. The “old” AnyConnect licensing (old meaning just last month) is now called AnyConnect Premium and does indeed cost an arm and a leg. Most people do not need this, as it includes both the web-based SSL and AnyConnect VPN client, shared licenses between ASAs and other things. The basic AnyConnect VPN client is now the AnyConnect Essentials license, and it’s one license PER ASA BOX, for a nominal fee. It ain’t much. This is much more in line with other vendors now. This is new as of firmware 8.2.

  8. Chris Buechler Says:

    Robert: I fully agree OpenVPN is a better solution – pfSense has supported it for years. The fact that they’re changing away from IPsec in and of itself doesn’t bother me in the least; the fact that they’re now charging even more is ridiculous.

    The point still stands, it’s not misinformation – they’re charging extra for functionality that used to be included for no additional cost.

  9. Robert Says:

    Yes, but the info in that blog was wrong. I’d just chalk it up to the cost of the ASA in the first place. It’s not much, like $60-$80 extra for an ASA5505. They could have easily just added it to the price of the ASA and not given a choice. What if OpenVPN had a license fee for commercial use – would that be okay?

  10. John Dunsire Says:

    Considering SSL VPN was free in early ASA software releases, it’s a bit rude to still charge a fee for the AnyConnect Essentials license – it should be free. Cisco have not announced EOL for Cisco VPN Client yet. I suspect we will see that soon though – PIX end of software maintenance releases and support contract attachment is the end of this month. Complete end of support for PIX is July 2013.

  11. Chris K. Says:

    If IPSEC had been pushed and become a widely implemented standard we would not have so much dependence on specific vendor-implemented solutions. Ideally an INTEROPERABLE ipsec driver is built into every operating system. I know there was one built into Windows 2000 and XP (I think) but I’ve not tried newer versions of Windows.

  12. darklogic Says:

    I agree with most all posts about Cisco. I feel that first a company needs to make money to maintain a product for consumer grade, but I also see the giant slowly falling due to pricing and open source options. I really am somewhat partial to Cisco having my CCNA, but let’s be honest, Cisco really never had open source competition in the past. Cisco has ASAs and open source has pfSense, Cisco has IronPort and open source has Untangle, Cisco has Catalyst switches and routers and open source has Vyatta.

    With open source on the rise, Cisco is not the only giant that will be affected.

    I have used pfSense since the alpha days. I would stack pfsense up against any firewall solution. CheckPoint, barracuda, WatchGuard, Sonicwall (wow, Sonicwall, we all remember what happened a few months ago with them), Cisco etc…

    Plus the annual service charges for anti-spam, web filtering, and anti-virus gateway filtering, ranging from $7,000 – $17,000 per year. Give me a flippen break. Who do you think you are!!!

    I also wanted to note on maybe a more detailed howto and more info on the ShrewSoft VPN client working hand-in-hand with pfSense. I used the walkthrough and it was straightforward, but I had some issues with getting it to connect. I was getting an error in the logs with something along the lines of not accepting aggressive mode on the pfSense box. I am using version 1.2.3RC2.

    http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

  13. Robert Says:

    IPSEC is certainly robust enough, but it wasn’t made for NAT networks. The same is true of H.323 vs SIP. H.323 works great when it can, but is a hassle with NAT traversal. SIP was the answer.

    I don’t know why people are hung up on IPSEC… in regards to user VPNs. It’s like holding onto GRE/PPTP and all its deficiencies.

  14. darklogic Says:

    Hi Robert,

    I understand your words in a better way to do things, but 3 years from now that will more and likely change as well.

    My primary point was I believe most everyone gets tired of product changes and service fees being forced upon them by these big companies. Kind of like: make the change to this new product, otherwise support ends 2013 for Cisco PIX, extended service begins for Server 2003 in 2010, or 2012 for XP. Cisco is not the only one that does this, I mean heck, look at Microsoft and Vista and now Windows 7, which kind of reminds me of XP Home and XP Pro if you look at the packaging.

    All in all, it is just simply nice to have an option like open source that can accomplish the same task if not do a better job. You said it yourself, OpenVPN, and the best part is it is free in most all open source firewall projects. To name a few, pfSense, Clarkconnect, Smoothwall, Endian, and Untangle. Again my point, it is nice to have options that will not break the wallet.

    pfSense is really a diamond in the rough.

  15. Dean Hamstead Says:

    Cisco are so diversified that they are making increasingly substandard products, draping the Golden Gate logo over it and falling all over themselves to tell you what *you* have done wrong when it all goes horribly wrong.

    If your company or organization needs a VPN then OpenVPN is really the only sustainable solution with a guaranteed migration path and controllable growth costs.

    Since at the end of the day, you can’t really have an OSS switch, you can save a lot and get that BSD fix buying the new ‘EX’ line of switches from Juniper. Our company has realized TCO savings well beyond the 25% saving Juniper promises.

  16. phil Says:

    The only thing that I can see that’s holding back pfsense vs a firewall like checkpoint is that with checkpoint you can centrally manage multiple firewalls. In a large company with say 50 to 100 firewalls it would be a pain in the arse.

  17. Mike Says:

    Tried to install Shrew client on Windows 7 64-bit. Immediately got the blue screen of death. It works GREAT with 32-bit XP and Vista. Anyone have success installing it on Windows 7?

  18. Chris Buechler Says:

    Mike: Look closer at the downloads page on shrew.net. You installed a version that isn’t compatible with Windows 7. I’ve been using the 2.1.5 version on Windows 7 for several months, since the first beta came out; it works fine.

  19. Mike Says:

    Thanks Chris. I missed that one. Will post more experiences with the product, but so far it is working flawlessly.

  20. Stupots Says:

    @Robert

    >> This is much more inline with other vendors now. This is new as of firmware 8.2.

    Show me a build of 8.2 for the Pix515e and I’ll entertain your argument.

  21. Josh Says:

    Sorry, not buying into the SMB open source taking over what you bloggers are calling ‘the giant’. Open source has been saying this for years with M$, web serving, and in the past five+ years networking. Didn’t happen then and won’t happen here. Pipe dream… a good dream, and I wish you were correct, but I just don’t see it happening. Until the open source community can train via documentation, support and provide easy-to-use products, it simply will not happen, specifically in the enterprise.

  22. Chris Buechler Says:

    Josh: You’re way off on at least one point, web servers have always been dominated by open source.

    We have commercial support, a great book going to print soon, and a product that’s just as easy if not easier than Cisco products to work with.

    Will the “Enterprise”, which is vague but I would describe as the Fortune 500, jump ship from big name vendors to go with open source? No, not likely, they want a huge company’s neck to choke if something goes wrong. But that leaves a huge segment where open source options *are* taking a chunk away from the big name vendors.
