Question

Windows Vista/7 VPN

Asked by: tsprks

Can anyone tell me first if it's possible, then how to actually configure the built-in VPN capabilities of Windows to connect to a Cisco VPN Concentrator 3000 using IPSEC?

Thanks.

This Question has been solved and asker verified.

Asked On: 2009-09-11 at 05:39:37 (ID 24724306)
Tags: windows vpn cisco
Topics: PHP Scripting Language, Windows 7, Windows Vista
Participating Experts: 3
Points: 500
Comments: 8

Answers

 

by: ikalmar | Posted on 2009-09-11 at 08:17:26 | ID: 25310412

You can import your Cisco VPN client settings to this client.  It's not freeware, but it solves the x64 Vista compatibility issue.

NCP Secure Entry Client: http://www.ncp-e.com/en/solutions/vpn-products/secure-entry-client.html

Or use L2TP, which works on all Windows versions:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949da.shtml

Best regards,
Istvan


 

by: tsprks | Posted on 2009-09-11 at 11:11:49 | ID: 25312033

I went through the example link for the l2tp, but couldn't get it to work, is there something that I should be checking?

 

by: Fatal_Exception | Posted on 2009-09-11 at 12:38:02 | ID: 25312803

Windows 7 / Vista will run the Cisco Client, as long as your OS is not 64 bit..   Just wanted to point that out in case anyone else comes to this page looking for info..

FE

 

by: tsprks | Posted on 2009-09-11 at 12:39:22 | ID: 25312814

You're right, I forgot to mention that I am running x64.

 

by: ikalmar | Posted on 2009-09-11 at 13:37:28 | ID: 25313283

the link is working...

Document ID: 14101

Contents

    Introduction
    Prerequisites
          Requirements
          Components Used
          Network Diagram
          Conventions
    Configure the VPN 3000 Concentrator with Local Authentication
    Microsoft PPTP Client Configuration
          Windows 98 - Install and Configure the PPTP Feature
          Windows 2000 - Configuring the PPTP Feature
          Windows NT
          Windows Vista
    Add MPPE (Encryption)
    Verify
          Verify the VPN Concentrator
          Verify the PC
    Debug
    VPN 3000 Debug - Good Authentication
    Troubleshoot
          Possible Microsoft Issues to Troubleshoot
    NetPro Discussion Forums - Featured Conversations
    Related Information

Introduction

The Cisco VPN 3000 Concentrator supports the Point-to-Point Tunnel Protocol (PPTP) tunneling method for native Windows clients. There is 40-bit and 128-bit encryption support available on these VPN Concentrators for a secured reliable connection.

Refer to Configuring the VPN 3000 Concentrator PPTP With Cisco Secure ACS for Windows RADIUS Authentication in order to configure the VPN Concentrator for PPTP users with extended authentication using the Cisco Secure Access Control Server (ACS).

Prerequisites

Requirements

Ensure that you meet the prerequisites mentioned in When is PPTP Encryption Supported on a Cisco VPN 3000 Concentrator? before you attempt this configuration.

Components Used

The information in this document is based on these software and hardware versions:

    * VPN 3015 Concentrator with version 4.0.4.A
    * Windows PC with PPTP client

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram

This document uses this network setup:

[Network diagram: altigapptp-diag.gif]

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure the VPN 3000 Concentrator with Local Authentication

Complete these steps to configure the VPN 3000 Concentrator with Local Authentication.

   1. Configure the respective IP addresses in the VPN Concentrator and ensure that you have connectivity.

   2. Ensure that PAP authentication is selected in the Configuration > User Management > Base Group PPTP/L2TP tab.

      [Screenshot: altigapptp-1.gif]

   3. Select Configuration > System > Tunneling Protocols > PPTP and ensure that Enabled is checked.

      [Screenshot: altigapptp-2.gif]

   4. Select Configuration > User Management > Groups > Add, and configure a PPTP group. In this example, the group name is "pptpgroup" and the password (and verify password) is "cisco123".

      [Screenshot: altigapptp-3.gif]

   5. Under the group's General tab, make certain that the PPTP option is enabled in authentication protocols.

      [Screenshots: altigapptp-4a.gif, altigapptp-4b.gif]

   6. Under the PPTP/L2TP tab, enable PAP authentication, and disable encryption (encryption can be enabled at any time in the future).

      [Screenshot: altigapptp-5.gif]

   7. Select Configuration > User Management > Users > Add, and configure a local user (called "pptpuser") with the password cisco123 for PPTP authentication. Put the user in the previously defined "pptpgroup":

      [Screenshot: altigapptp-6.gif]

   8. Under the General tab for the user, make sure that the PPTP option is enabled in tunneling protocols.

      [Screenshot: altigapptp-7.gif]

   9. Select Configuration > System > Address Management > Pools to define an address pool for address management.

      [Screenshot: altigapptp-8.gif]

  10. Select Configuration > System > Address Management > Assignment and direct the VPN Concentrator to use the address pool.

      [Screenshot: altigapptp-9.gif]

Microsoft PPTP Client Configuration

Note: None of the information available here on configuring Microsoft software comes with any warranty or support for Microsoft software. Support for Microsoft software is available from Microsoft.

Windows 98 - Install and Configure the PPTP Feature

Install

Complete these steps to install the PPTP feature.

   1. Select Start > Settings > Control Panel > Add New Hardware (Next) > Select from List > Network Adapter (Next).
   2. Select Microsoft in the left panel and Microsoft VPN Adapter on the right panel.

Configure

Complete these steps to configure the PPTP feature.

   1. Select Start > Programs > Accessories > Communications > Dial Up Networking > Make new connection.
   2. Connect using the Microsoft VPN Adapter at the Select a device prompt. The VPN Server IP is the 3000 tunnel endpoint.

The Windows 98 default authentication uses password encryption (for example, CHAP or MSCHAP). In order to initially disable this encryption, select Properties > Server types, and uncheck the Encrypted Password and Require Data Encryption boxes.

Windows 2000 - Configuring the PPTP Feature

Complete these steps to configure the PPTP feature.

   1. Select Start > Programs > Accessories > Communications > Network and Dialup connections > Make new connection.
   2. Click Next, and select Connect to a private network through the Internet > Dial a connection prior (do not select this if you use a LAN).
   3. Click Next again, and enter the Hostname or IP of the tunnel endpoint, which is the outside interface of the VPN 3000 Concentrator. In this example the IP address is 161.44.17.1.

Select Properties > Security for the connection > Advanced to add a password type as PAP. The default is MSCHAP and MSCHAPv2, not CHAP or PAP.

Data encryption is configurable in this area. You can disable it initially.

Windows NT

You can access information about setting up Windows NT clients for PPTP at Microsoft's website.

Windows Vista

Complete these steps to configure the PPTP feature.

   1. From the Start button, choose Connect To.
   2. Choose Set up a connection or network.
   3. Choose Connect to a workplace and click Next.
   4. Choose Use my Internet Connection (VPN).

      Note: If prompted for "Do you want to use a connection that you already have," choose No, create a new connection and click Next.
   5. In the Internet Address field, type pptp.vpn.univ.edu, for example.
   6. In the Destination Name field, type UNIVVPN, for example.
   7. In the User Name field, type your UNIV Logon ID. Your UNIV Logon ID is the part of your email address before @univ.edu.
   8. In the Password field, type your UNIV Logon ID password.
   9. Click the Create button and then click the Close button.
  10. In order to connect to the VPN server after you create the VPN connection, click Start, and then Connect to.
  11. Choose the VPN connection in the window and click Connect.

Add MPPE (Encryption)

Make sure that the PPTP connection works without encryption before you add encryption. For example, click the Connect button on the PPTP client to make sure that the connection completes. If you decide to require encryption, MSCHAP authentication must be used. On the VPN 3000, select Configuration > User Management > Groups. Then, under the PPTP/L2TP tab for the group, uncheck PAP, check MSCHAPv1, and check Required for PPTP Encryption.

[Screenshot: altigapptp-10.gif]

The PPTP client should be reconfigured for optional or required data encryption and MSCHAPv1 (if it is an option).

Verify

This section provides information you can use to confirm your configuration is working properly.

Verify the VPN Concentrator

You can start the PPTP session by dialing from the PPTP client created earlier in the Microsoft PPTP Client Configuration section.

Use the Administration > Administer Sessions window on the VPN Concentrator to view the parameters and statistics for all active PPTP sessions.

Verify the PC

Issue the ipconfig command in the command mode of the PC to see that the PC has two IP addresses. One is its own IP address and the other is assigned by the VPN Concentrator from the pool of IP addresses. In this example the IP address 172.16.1.10 is the IP address assigned by the VPN Concentrator.

[Screenshot: altigapptp-15.gif]

Debug

If the connection does not work, the PPTP event class debug can be added to the VPN Concentrator. Select Configuration > System > Events > Classes > Modify or Add (shown here). PPTPDBG and PPTPDECODE event classes are also available, but might provide too much information.

[Screenshot: altigapptp-11.gif]

The event log can be retrieved from Monitoring > Filterable Event Log.

[Screenshot: altigapptp-12.gif]

VPN 3000 Debug - Good Authentication

    1 09/28/2004 21:36:52.800 SEV=4 PPTP/47 RPT=29 171.69.89.129
       Tunnel to peer 171.69.89.129 established

    2 09/28/2004 21:36:52.800 SEV=4 PPTP/42 RPT=29 171.69.89.129
       Session started on tunnel 171.69.89.129

    3 09/28/2004 21:36:55.910 SEV=5 PPP/8 RPT=22 171.69.89.129
       User [pptpuser]
       Authenticated successfully with MSCHAP-V1

    4 09/28/2004 21:36:59.840 SEV=4 AUTH/22 RPT=22
       User [pptpuser] Group [Base Group] connected, Session Type: PPTP

Click on the PPTP user status Details window to check the parameters on the Windows PC.

[Screenshot: altigapptp-16.gif]

Troubleshoot

These are possible errors you can encounter:

    * Bad username or password

      VPN 3000 Concentrator debug output:

          1 09/28/2004 22:08:23.210 SEV=4 PPTP/47 RPT=44 171.69.89.129
             Tunnel to peer 171.69.89.129 established

          2 09/28/2004 22:08:23.220 SEV=4 PPTP/42 RPT=44 171.69.89.129
             Session started on tunnel 171.69.89.129

          3 09/28/2004 22:08:26.330 SEV=3 AUTH/5 RPT=11 171.69.89.129
             Authentication rejected: Reason = User was not found
             handle = 44, server = (none), user = pptpusers, domain = <not specified>

          5 09/28/2004 22:08:26.330 SEV=5 PPP/9 RPT=11 171.69.89.129
             User [pptpusers]
             disconnected.. failed authentication ( MSCHAP-V1 )

          6 09/28/2004 22:08:26.340 SEV=4 PPTP/35 RPT=44 171.69.89.129
             Session closed on tunnel 171.69.89.129 (peer 32768, local 22712, serial 40761),    
             reason: Error (No additional info)

          8 09/28/2004 22:08:26.450 SEV=4 PPTP/34 RPT=44 171.69.89.129
             Tunnel to peer 171.69.89.129 closed, reason: None (No additional info)

      The message that the user sees (from Windows 98):

          Error 691: The computer you have dialed in to has denied access
          because the username and/or password is invalid on the domain.

      The message that the user sees (from Windows 2000):

          Error 691: Access was denied because the username and/or
          password was invalid on the domain.

    * "Encryption Required" is selected on the PC, but not on the VPN Concentrator

      The message that the user sees (from Windows 98):

          Error 742: The computer you're dialing in to does not support the data
          encryption requirements specified.
          Please check your encryption settings in the properties of the connection.
          If the problem persists, contact your network administrator.

      The message that the user sees (from Windows 2000):

          Error 742: The remote computer does not support
          the required data encryption type

    * "Encryption Required" (128-bit) is selected on the VPN Concentrator with a PC that only supports 40-bit encryption

      VPN 3000 Concentrator debug output:

          4 12/05/2000 10:02:15.400 SEV=4 PPP/6 RPT=7 171.69.89.129 User [ pptpuser ] disconnected.
          PPTP Encryption configured as REQUIRED.. remote client not supporting it.

      The message that the user sees (from Windows 98):

          Error 742:  The remote computer does not support
          the required data encryption type.

      The message that the user sees (from Windows 2000):

          Error 645 Dial-Up Networking could not complete the connection to the server.  
          Check your configuration and try the connection again.

    * The VPN 3000 Concentrator is configured for MSCHAPv1 and the PC is configured for PAP, but they cannot agree on an authentication method

      VPN 3000 Concentrator debug output:

          8 04/22/2002 14:22:59.190 SEV=5 PPP/12 RPT=1 171.69.89.129

          User [pptpuser] disconnected. Authentication protocol not allowed.

      The message that the user sees (from Windows 2000):

          Error 691:  Access was denied because the username and/or password
          was invalid on the domain.

Possible Microsoft Issues to Troubleshoot

    * How to Keep RAS Connections Active After Logging Off

      When you log off from a Windows Remote Access Service (RAS) client, any RAS connections are automatically disconnected. Enable the KeepRasConnections key in the registry on the RAS client to remain connected after you log off. Refer to Microsoft Knowledge Base Article - 158909 for more information.

    * User Is Not Alerted When Logging On with Cached Credentials

      The symptoms of this issue are when you attempt to log on to a domain from a Windows-based workstation or member server and a domain controller cannot be located and no error message is displayed. Instead, you are logged on to the local computer using cached credentials. Refer to Microsoft Knowledge Base Article - 242536 for more information.

    * How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues

      There can be instances when you experience name resolution issues on your TCP/IP network and you need to use LMHOSTS files to resolve NetBIOS names. This article discusses the proper method used to create an LMHOSTS file to aid in name resolution and domain validation. Refer to Microsoft Knowledge Base Article - 180094 for more information.

Related Information

    * RFC 2637: Point-to-Point Tunneling Protocol (PPTP)
    * Cisco Secure ACS for Windows Support Pages
    * When is PPTP Encryption Supported on a Cisco VPN 3000 Concentrator?
    * Configuring the VPN 3000 Concentrator and PPTP with Cisco Secure ACS for Windows RADIUS Authentication
    * Cisco VPN 3000 Concentrator Support Pages
    * Cisco VPN 3000 Client Support Pages
    * IP Security (IPSec) Product Support Pages
    * PPTP Product Support Pages
    * Technical Support & Documentation - Cisco Systems
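
Added example (not part of the original post or the Cisco document): a Python parser for the VPN 3000 event-log format quoted in the post above. It classifies PPTP authentication outcomes, counts failed logins per peer, and flags sessions that authenticated with PAP or MSCHAP-V1, the methods the quoted steps enable. The function names, the `WEAK_AUTH` set and the `PAP` token spelling are assumptions; the sample lines are taken from the debug output above.

```python
import re
from collections import Counter

# Event lines taken from the debug output quoted in the post above.
SAMPLE_LOG = """\
1 09/28/2004 21:36:52.800 SEV=4 PPTP/47 RPT=29 171.69.89.129
   Tunnel to peer 171.69.89.129 established
3 09/28/2004 21:36:55.910 SEV=5 PPP/8 RPT=22 171.69.89.129
   User [pptpuser]
   Authenticated successfully with MSCHAP-V1
4 09/28/2004 21:36:59.840 SEV=4 AUTH/22 RPT=22
   User [pptpuser] Group [Base Group] connected, Session Type: PPTP
3 09/28/2004 22:08:26.330 SEV=3 AUTH/5 RPT=11 171.69.89.129
   Authentication rejected: Reason = User was not found
   handle = 44, server = (none), user = pptpusers, domain = <not specified>
5 09/28/2004 22:08:26.330 SEV=5 PPP/9 RPT=11 171.69.89.129
   User [pptpusers]
   disconnected.. failed authentication ( MSCHAP-V1 )
8 04/22/2002 14:22:59.190 SEV=5 PPP/12 RPT=1 171.69.89.129
   User [pptpuser] disconnected. Authentication protocol not allowed.
4 12/05/2000 10:02:15.400 SEV=4 PPP/6 RPT=7 171.69.89.129 User [ pptpuser ] disconnected.
   PPTP Encryption configured as REQUIRED.. remote client not supporting it.
"""

# Header: "<seq> <date> <time> SEV=<n> <CLASS>/<id> RPT=<n> [peer] [message]"
HEADER = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>[\d:.]+)\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z]+)/(?P<eid>\d+)\s+RPT=\d+"
    r"(?:\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3}))?\s*(?P<rest>.*)$"
)
# Message patterns seen in the quoted output; "detail" is the protocol or reason.
RULES = [
    ("auth_ok", re.compile(r"Authenticated successfully with (?P<detail>\S+)")),
    ("auth_fail", re.compile(r"failed authentication \(\s*(?P<detail>[^)\s]+)\s*\)")),
    ("auth_rejected", re.compile(r"rejected: Reason = (?P<detail>.+?) handle =")),
    ("proto_not_allowed", re.compile(r"Authentication protocol not allowed")),
    ("encryption_mismatch", re.compile(r"Encryption configured as REQUIRED")),
]
USER = re.compile(r"User \[\s*([^\]]+?)\s*\]|user = ([^,\s]+)")
# "MSCHAP-V1" is the token the quoted log shows; "PAP" is an assumed spelling.
WEAK_AUTH = {"PAP", "MSCHAP-V1"}


def parse_events(text):
    """Group header lines and their indented continuation lines into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue  # the quoted output sometimes has blank lines inside an event
        m = HEADER.match(line)
        if m:
            ev = m.groupdict()
            ev["msg"] = ev.pop("rest").strip()
            events.append(ev)
        elif events:
            events[-1]["msg"] = (events[-1]["msg"] + " " + line.strip()).strip()
    return events


def classify(ev):
    """Return an authentication finding for one event, or None if unrelated."""
    for outcome, rx in RULES:
        m = rx.search(ev["msg"])
        if m:
            u = USER.search(ev["msg"])
            user = (u.group(1) or u.group(2)) if u else None
            return {"outcome": outcome, "user": user, "peer": ev["peer"],
                    "detail": m.groupdict().get("detail")}
    return None


def summarize(text):
    """Findings, failed logins per peer, and successes over weak methods."""
    findings = [f for f in map(classify, parse_events(text)) if f]
    failed = Counter(f["peer"] for f in findings if f["outcome"] == "auth_fail")
    weak = [f for f in findings
            if f["outcome"] == "auth_ok" and f["detail"] in WEAK_AUTH]
    return findings, failed, weak


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG)[0]:
        print(finding)
```
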

 

by: bbrunning | Posted on 2009-09-12 at 14:52:11 | ID: 25318038

 

by: ikalmar | Posted on 2009-09-12 at 22:09:50 | ID: 25319022

AnyConnect is not supported on Cisco VPN Concentrator 3000.
