Instead of answering your question, I'm going to ignore it and ramble.
We've already moved most of our clients to Cisco Secure Client/Anyconnect.
We have small clients with five people to very large clients. One of the "issues" is that the minimum purchase quantity for Secure Client is 25 licences.
I like the Secure Client cloud management platform. I like being able to push out client updates. I like being able to push out config changes. Are you replacing a VPN head end and want everyone to connect to a different FQDN, no problem. I like that you can create profiles, like "Production" and "Pilot", and dynamically move machines between them to test changes before rolling them out. I like that you can push out new modules, like Umbrella, with just a few mouse clicks. I like the inventory data and reporting that comes back.
And I like that this platform is free. I don't like that it is hard to get it set up for a new client.
https://secure-client.apjc.security.cisco.com/
My world was good. Then SecureConnect came along.
SecureConnect on the "Cisco Secure Connect Complete Essentials" plans gives you access to IPSec "Tunnels". I have not tested this feature yet to a public cloud provider.
You can build IPSec tunnels to clouds like AWS and Azure. This means you don't need to use a VMX, or pay the cloud hosting fee.
I'm currently conducting a pricing exercise. If you could obtain SecureConnect for the same price or less than two VMX (and their associated cloud hosting costs) - would you? This path sounds simpler.
https://docs.umbrella.com/umbrella-user-guide/docs/manage-tunnels
Delving sideways: it has pre-made wizards to help you create site-to-site IPSec VPNs to lots of different kinds of devices. The MX platform is not great with its site-to-site IPSec support.

It has lots of documentation showing how to create the config on the other end.
https://docs.umbrella.com/umbrella-user-guide/docs/tunnels

Also, as a bonus, you also get Umbrella with "Cisco Secure Connect Complete". If a customer is already using Umbrella, this makes migrating them into SecureConnect even more compelling.
The Secure Client management isn't as comprehensive as the Secure Client cloud management platform. The cloud management platform lets you update clients BEFORE they connect, or even run the client. A user can turn on their machine, and the cloud platform will update their software and settings automatically.
SecureConnect is based more on the traditional AnyConnect approach, where the client receives updates while connecting. Same as with an MX/ASA/Firepower/SecureFirewall.
However, it still allows you to perform many of the configuration tasks.
Another bonus with SecureConnect is that the minimum purchase quantity is (I believe) 1 - not 25. I have already sold one licence for 5 users.
SecureConnect also gets you access to global head ends. Do you have users who travel around the world? SecureConnect (by default, unless you change it) connects them to the nearest head end (in Cisco's cloud).
If you use SecureConnect to connect up your public clouds and your users, you can then use the built-in cloud firewall to control who can talk to what. It also has excellent logging and auditing. You can see every single flow. If you make sure all your users have Secure Client installed, you can even create rules based on username or group rather than IP address.
Did I mention it can also integrate with your users in Entra ID/Active Directory?
Did I mention that it can also perform posture assessments?
So my torture I keep thinking about:
- If a client wants a remote access client VPN, and access to servers in a public cloud, when does it become cheaper to sell them SecureConnect (as opposed to VMX+cloud hosting cost)? Forget all the other features.
- Even if a client just wants access to their public clouds, is SecureConnect a better solution to provide that connectivity using its network tunnel support, especially with regard to HA?
- Currently, I use a virtual appliance (like a vASA or StrongSwan) for customers with complex IPSec site-to-site VPNs. Would this be an alternative solution?
- With SecureConnect having native Entra ID support, is this a better fit for my customers that are 100% cloud native?
- Creating firewall rules for customers using a VMX in a public cloud is a bit of a pain. Do you do them in the public cloud? Do you use the Meraki organisation VPN rules? The SecureConnect cloud firewall would be a great place to centralise those rules, and the logging and auditing are amazing. And being able to create rules based on username or group is fabulous. Should I just be moving across to this approach because of the awesome visibility and capabilities?
So I take your question about L2TP and I raise you an entirely different approach.