Cisco VPN Use Windows Client / Not Cisco Client ???

Last Modified: 2012-05-08
Experts,

Just a quick question; searching Google and forums hasn't netted any results for me.

Is it possible to configure my Cisco router to accept VPN client connections from the built-in Windows VPN client, versus the Cisco VPN client?

The reasoning is simply that I wouldn't be licensed to distribute the Cisco VPN client.

If it is possible, would somebody have an example configuration, or point me to where I could find out more?

Thanks.

Ove

Commented:
I can recommend the Shrew VPN Client (FREE):
http://www.shrew.net/software

Look under "Support" to find configuration guides
Istvan Kalmar, Head of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
Hi,

The Cisco VPN client is free if you have Cisco products.... it is downloadable from CCO!

It is possible to use the Windows native VPN client, but the Cisco VPN gives you more security...

What type of firewall do you have?

Best regards,
Istvan

Author

Commented:
Not much of a stateful packet inspector, but here's the firewall I have:

http://www.netgear.com/Products/VPNandSSL/WiredVPNFirewallRouters/FVS336G.aspx

Unfortunately, from what I saw with the Cisco VPN clients, you can download it direct from Cisco, like you mentioned; however, in order to support any 64-bit platform, you need the latest and greatest "AnyConnect VPN Client", which requires a SmartNet contract with them in order to download it.


---------------------------------------

To download this software, you must do all of the following:

Register

    * Due to United States export compliance regulations, you must be registered on Cisco.com to download this software. If you do not have a Cisco.com username and password, please register now. Registration is free. If you have already registered, please log in to proceed.
    * This information will not be used for marketing or sales purposes of any kind. Failure to provide correct information may result in a denial of service, thank you for your cooperation.


Log In

    * Log in now
    * If you have forgotten your password, use the Cisco.com Password Management tool to reset it.


Have a valid Technical Support Services Agreement

    * Contact your Cisco Account team if you have a Direct Purchase Agreement.
    * Contact a Cisco Partner or Reseller to purchase a service agreement.
    * Use the Profile Manager to update your Cisco.com profile and request association to service agreement.
    * Learn more about Technical Service Agreements and Software Downloads


Note: If you want to see what software is available before purchasing a service agreement, you may consult the release notes.

---------------------------------------

Of which, I have everything - except the valid Technical Support Services Agreement.

Which is yet another reason to try to get it working under another client.

Thanks for the suggestion 'Ove' - that Shrew VPN client might be a feasible option.  If possible though, I really would like to keep this to the standard Windows one, as it would mean that none of my clients would have to download / install any additional software.

ikalmar, would you happen to know any references on how I can configure the router to accept the other client?

Thanks again for helping everyone.
Istvan Kalmar, Head of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
Please download the Netgear VPN client:
http://kb.netgear.com/app/answers/detail/a_id/50

Author

Commented:
Thank you for the suggestion on that one, but please note that with my current network topology, what I'm trying to do is actually VPN into one of the WAN segments.

Server Farm --->  Netgear Firewall --->  Cisco Router --->  ISP

The network I need to have my users VPN into is actually between the Netgear and the Cisco router.  I have an entire subnet dedicated to work-related items.

So the Netgear won't be my VPN solution.  That ProSafe was purchased so the server farm could have redundant connections to the rest of the network.

My question is still basically: give the Cisco device the ability to use the built-in Windows VPN client.

Thanks for helping so far.  Any more assistance you might have on this topic would be appreciated.
Jody Lemoine, Network Architect
CERTIFIED EXPERT

Commented:
Hey Istvan...  does the Netgear client connect to Cisco ISRs configured for IPsec access VPNs?  If so, I need to give that a try.
Istvan Kalmar, Head of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
Hi,

I am tired :)

I asked what kind of Cisco firewall you have...?

If you have a router, please use jodylemoine's comments.

Author

Commented:
Thank you for the config build.

I implemented it, but unfortunately the authentication never takes place when I try to come in through a windows client vpn.

The original VPN connection still works like a champ though.  Do I need to disable that one, as I have the crypto map applied to the interface?

Also, the Virtual-Template will be ip unnumbered to my external interface, correct?

Sorry to be such a bother - but thank you very much for helping me with this.
Jody Lemoine, Network Architect
CERTIFIED EXPERT

Commented:
It should be unnumbered to your *internal* interface, not your external.  PPTP doesn't use IPsec for its VPN, so the crypto settings won't interfere with it at all; you can leave those in place.  Have you permitted 1723/tcp and GRE inbound through your outside interface's access list?

Author

Commented:
Oh and Ikalmar - it's a 1841 router.

Author

Commented:
I don't have an access list defined on my outside / inbound interface...

I'll go ahead and throw one together...
Jody Lemoine, Network Architect
CERTIFIED EXPERT

Commented:
If you don't have one, traffic is permitted by default... so let's run with what we have before adding complexity.
Istvan Kalmar, Head of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
Could you show us the whole config?

Author

Commented:
No problem.  I just posted it over on my other open question as well...

https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24899609.html#a25821351

Thanks guys for taking a look.
Current configuration : 7983 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret xxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius xxxxxxxxxx
 server xxxxxxxxxx auth-port 1645 acct-port 1646
!
aaa authentication login xxxxxxxxxx group xxxxxxxxxx local
aaa authentication ppp xxxxxxxxxx group xxxxxxxxxx local
aaa authorization exec default group xxxxxxxxxx local
aaa authorization network xxxxxxxxxx local
aaa authorization network mppe group xxxxxxxxxx local
!
!
aaa session-id common
!
dot11 ssid xxxxxxxxxx
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii xxxxxxxxxx
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.15.0 192.168.15.20
ip dhcp excluded-address 192.168.20.0 192.168.20.20
!
ip dhcp pool xxxxxxxxxx
   network xxxxxxxxxx xxxxxxxxxx
   default-router xxxxxxxxxx
   dns-server xxxxxxxxxx xxxxxxxxxx
   lease 0 8
!
!
ip domain name xxxxxxxxxx
ip name-server xxxxxxxxxx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
async-bootp subnet-mask xxxxxxxxxx
async-bootp gateway xxxxxxxxxx
async-bootp dns-server xxxxxxxxxx xxxxxxxxxx
async-bootp nbns-server xxxxxxxxxx xxxxxxxxxx
vpdn enable
!
vpdn-group xxxxxxxxxx
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel receive-window 1024
!
!
crypto pki trustpoint xxxxxxxxxx
 certificate xxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        quit
!
!
username xxxxxxxxxx privilege 15 secret xxxxxxxxxx
username xxxxxxxxxx secret 5 xxxxxxxxxx
username xxxxxxxxxx privilege 15 secret xxxxxxxxxx
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxxxxxxx
 key xxxxxxxxxx
 dns xxxxxxxxxx xxxxxxxxxx
 wins xxxxxxxxxx xxxxxxxxxx
 domain xxxxxxxxxx
 pool xxxxxxxxxx
 acl xxxxxxxxxx
 save-password
 include-local-lan
 split-dns xxxxxxxxxx
 max-users 15
 netmask 255.255.255.0
!
!
crypto ipsec transform-set xxxxxxxxxx esp-3des esp-md5-hmac
!
crypto dynamic-map xxxxxxxxxx
 set security-association lifetime seconds 86400
 set transform-set xxxxxxxxxx
 reverse-route
!
!
crypto map xxxxxxxxxx client authentication list xxxxxxxxxx
crypto map xxxxxxxxxx isakmp authorization list xxxxxxxxxx
crypto map xxxxxxxxxx client configuration address respond
crypto map xxxxxxxxxx 1 ipsec-isakmp dynamic xxxxxxxxxx
!
!
!
bridge irb
!
!
!
interface FastEthernet0/0
 description xxxxxxxxxx
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description xxxxxxxxxx
 ip address 192.168.23.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map xxxxxxxxxx
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Dot11Radio0/1/0
 ip address xxxxxxxxxx xxxxxxxxxx
 ip nat inside
 ip virtual-reassembly
 !
 encryption mode ciphers aes-ccm
 !
 ssid xxxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0/1/1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool xxxxxxxxxx
 compress mppc
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2 ms-chap xxxxxxxxxx
 ppp authorization mppe
!
ip local pool xxxxxxxxxx 192.168.20.1 192.168.20.254
ip local pool xxxxxxxxxx 192.168.21.1 192.168.21.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.23.1
!
!
ip http server
ip http secure-server
ip dns server
ip nat inside source static tcp xxxxxxxxxx 25 interface FastEthernet0/1 25
ip nat inside source static tcp xxxxxxxxxx 110 interface FastEthernet0/1 110
ip nat inside source static tcp xxxxxxxxxx 80 interface FastEthernet0/1 80
!
ip access-list extended xxxxxxxxxx
 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.21.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255
 deny   ip 192.168.15.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.15.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.21.0 0.0.0.255 any
ip access-list extended Oki_1841_SplitTunnel
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.15.0 0.0.0.255 any
!
ip radius source-interface FastEthernet0/0
!
!
!
!
!
!
radius-server host xxxxxxxxxx auth-port 1645 acct-port 1646 key xxxxxxxxxx
!
control-plane
!
!
banner motd ^C
 
*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************
 
  Access to this system is for the use of authorized
  personnel only.
 
  You are hereby advised that all actions performed are
  subject to monitoring and are being recorded.  In the
  event of any possible criminal activity, evidence will
  be turned over to proper Law Enforcement personnel,
  and offenders will be prosecuted!
 
  You have accessed:  $(hostname).$(domain)
 
*************************************************************
************  Unauthorized Access is Prohibited  ************
*************************************************************
^C
!
line con 0
 logging synchronous
 login authentication xxxxxxxxxx
line aux 0
 logging synchronous
 login authentication xxxxxxxxxx
line vty 0 4
 logging synchronous
 login authentication xxxxxxxxxx
line vty 5 807
 logging synchronous
 login authentication xxxxxxxxxx
!
scheduler allocate 20000 1000
end


Istvan Kalmar, Head of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
It seems that you use the same address range for the LAN?

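The two checks the thread turns on are mechanical enough to script: Jody asks whether the outside interface's inbound access list lets 1723/tcp and GRE through (and notes that with no ACL at all, everything is permitted), and Istvan spots that the VPN pool appears to reuse LAN addresses. The following is an added example written for this page, not code from the thread or from Cisco. It parses an IOS running-config with the standard library only and reports both conditions. The config it runs on is constructed, loosely modelled on the redacted one posted above; the interface name Vlan20, the pool names and the ACL name OUTSIDE_IN are made up.

```python
"""Config sanity checks for a Cisco IOS PPTP (VPDN) setup.

Added example, not from the thread. Flags (1) a local address pool that
overlaps a subnet configured on a router interface, and (2) an inbound ACL
on the outside interface that does not permit TCP/1723 and GRE, the two
flows a PPTP client needs. Sample config and all names are constructed.
"""
import ipaddress
import re

# Constructed sample: VPN_POOL shares 192.168.20.0/24 with the Vlan20 LAN,
# and the outside ACL permits TCP/1723 but forgets GRE.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN in
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
ip local pool VPN_POOL 192.168.20.1 192.168.20.254
ip local pool VPN_POOL2 192.168.21.1 192.168.21.254
!
ip access-list extended OUTSIDE_IN
 permit tcp any any eq 1723
 permit tcp any any eq 25
"""


def parse_config(text):
    """Pull interfaces, local pools and extended ACLs out of an IOS config."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}}
    section = None  # ("interface", name) or ("acl", name) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command: closes any open block
            section = None
            if m := re.match(r"interface (\S+)$", line):
                section = ("interface", m.group(1))
                cfg["interfaces"][m.group(1)] = {"network": None, "acl_in": None, "outside": False}
            elif m := re.match(r"ip access-list extended (\S+)$", line):
                section = ("acl", m.group(1))
                cfg["acls"].setdefault(m.group(1), [])
            elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
                cfg["pools"][m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                            ipaddress.IPv4Address(m.group(3)))
            continue
        body = line.strip()  # indented line: belongs to the open block
        if section and section[0] == "interface":
            iface = cfg["interfaces"][section[1]]
            if m := re.match(r"ip address (\S+) (\S+)$", body):
                iface["network"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
            elif body == "ip nat outside":
                iface["outside"] = True
            elif m := re.match(r"ip access-group (\S+) in$", body):
                iface["acl_in"] = m.group(1)
        elif section and section[0] == "acl":
            cfg["acls"][section[1]].append(body)
    return cfg


def pool_overlaps(cfg):
    """(pool, interface, subnet) for every local pool whose range intersects a
    subnet configured on an interface: the same address could then be handed
    to a LAN host and a VPN client at the same time."""
    findings = []
    for pool, (first, last) in cfg["pools"].items():
        for name, iface in cfg["interfaces"].items():
            net = iface["network"]
            if net is not None and first <= net.broadcast_address and last >= net.network_address:
                findings.append((pool, name, str(net)))
    return findings


def pptp_inbound_status(cfg):
    """For the `ip nat outside` interface, report whether an inbound ACL is
    applied and whether it permits TCP/1723 and GRE (protocol 47). With no
    ACL, IOS permits everything, so both are reported as allowed."""
    outside = [n for n, i in cfg["interfaces"].items() if i["outside"]]
    if not outside:
        return {"interface": None, "acl": None, "tcp_1723": None, "gre": None}
    name = outside[0]
    acl = cfg["interfaces"][name]["acl_in"]
    if acl is None:
        return {"interface": name, "acl": None, "tcp_1723": True, "gre": True}
    rules = cfg["acls"].get(acl, [])
    permit_all = any(re.fullmatch(r"permit ip any any", r) for r in rules)
    tcp_1723 = permit_all or any(re.match(r"permit tcp .*\beq 1723$", r) for r in rules)
    gre = permit_all or any(re.match(r"permit (gre|47) ", r) for r in rules)
    return {"interface": name, "acl": acl, "tcp_1723": tcp_1723, "gre": gre}


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for pool, iface, net in pool_overlaps(parsed):
        print(f"WARNING: pool {pool} overlaps {net} on {iface}")
    print(pptp_inbound_status(parsed))
```

Run against the sample, it reports VPN_POOL overlapping 192.168.20.0/24 on Vlan20 and an outside ACL that allows TCP/1723 but not GRE; run against a real `show running-config` it gives the same two answers the thread had to work out by hand. The parser only understands the handful of commands it needs, so anything else in the config is skipped rather than misread.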
Author

Commented:
Thank you very much for the assistance here.

Please refer to https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24899609.html for more troubleshooting.
