Showing posts from December, 2016

AnyConnect VPN DTLS vs TLS

Difference
DTLS is used for delay-sensitive applications (voice and video) because it is UDP based, while TLS is TCP based. DTLS is supported for AnyConnect SSL VPN, not for IKEv2.
How it works?
The SSL tunnel is the TCP tunnel that is created first to the ASA.
When it is fully established, the client then tries to negotiate a UDP DTLS tunnel.
During DTLS negotiation, traffic passes over the TLS tunnel.
When the DTLS tunnel is fully established, all data moves to the DTLS tunnel and the SSL tunnel is only used for occasional control-channel traffic.
If the DTLS tunnel cannot be established, traffic continues to pass over the TLS tunnel.
After DTLS is established, if the DTLS tunnel fails, traffic passes over the TLS tunnel until the DTLS tunnel is re-established.
How Data is Forwarded?
For each packet, a part of the AnyConnect client code decides whether to send the packet over TLS or DTLS. If the DTLS tunnel is established, …
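The tunnel-selection behaviour described above, modelled as an added example (not code from the original post or from the AnyConnect client; the class and method names are assumptions for illustration):

```python
# Added example: a small model of the AnyConnect TLS/DTLS tunnel selection
# described in the post. Names are assumptions, not the real client's code.

class TunnelSelector:
    """Tracks the SSL (TLS/TCP) and DTLS (UDP) tunnel state and picks a tunnel per packet."""

    def __init__(self):
        self.ssl_up = False            # the TLS tunnel is always built first
        self.dtls_up = False           # the DTLS tunnel follows once TLS is up
        self.dtls_negotiating = False

    def establish_ssl(self):
        self.ssl_up = True

    def start_dtls(self):
        if not self.ssl_up:
            raise RuntimeError("DTLS negotiation requires an established SSL tunnel")
        self.dtls_negotiating = True

    def dtls_result(self, success):
        self.dtls_negotiating = False
        self.dtls_up = success         # on failure, data simply stays on TLS

    def dtls_failed(self):
        # DTLS failure after establishment: fall back to TLS until re-established
        self.dtls_up = False

    def select(self, kind):
        """Return 'DTLS' or 'TLS' for a packet of kind 'data' or 'control'."""
        if not self.ssl_up:
            raise RuntimeError("no tunnel established")
        if kind == "control":
            return "TLS"               # control channel stays on the SSL tunnel
        return "DTLS" if self.dtls_up else "TLS"


def walk_through():
    """Replay the sequence from the post; return the tunnel chosen at each stage."""
    t = TunnelSelector()
    path = []
    t.establish_ssl()
    path.append(t.select("data"))      # only the TLS tunnel exists yet
    t.start_dtls()
    path.append(t.select("data"))      # during DTLS negotiation: TLS
    t.dtls_result(True)
    path.append(t.select("data"))      # DTLS now carries data
    path.append(t.select("control"))   # control traffic still on TLS
    t.dtls_failed()
    path.append(t.select("data"))      # runtime DTLS failure: back to TLS
    t.start_dtls()
    t.dtls_result(True)
    path.append(t.select("data"))      # DTLS re-established
    return path
```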

The Importance of Understanding MTU value in AnyConnect VPN

Why do we need it?
During encryption, additional overhead is added to each packet by the new headers and features. This means that the usable size of the unencrypted TCP segment or UDP datagram carrying the application data is reduced, because the MTU of the adapter stays the same.
For example, with Ethernet and an MTU of 1500 bytes, the unencrypted TCP segment can't be more than 1460 bytes. With encryption, for Ethernet and an MTU of 1500, the unencrypted TCP segment can't be more than 1380 bytes (the exact value can differ). The 80-byte difference is consumed by encryption overhead.
If the unencrypted TCP segment is made larger, the resulting packet exceeds the 1500-byte MTU, and networking devices will fragment it, which is bad and should be avoided.
The AnyConnect client builds a Virtual Adapter (VA) during installation on the client's machine. This VA receives unencrypted traffic and emulates Ethernet, forwarding the traffic after encryption. The actual traffic then g…