Windows 7 and VPN

I want to create a VPN connection from a Windows 7 computer to a Cisco ASA 5505 using the IPSec client in Windows 7. I want to be able to connect to the VPN server before logging into Windows so I am logging into the Windows domain. How do I do this? I need to know both Windows 7 settings and Cisco ASA 5505 settings. The main points of this problem are that I want to get a Windows domain login and I need to use the Cisco ASA. I understand the Cisco VPN client software for Windows 7 does not support connecting before login.
kdugger Asked:

Jian An Lim, Solutions Architect, Commented:
As you pointed out, the VPN you are using is an at-call VPN (meaning you only establish it when required).

You won't be able to get it done easily.

There is one method, logging in by using switch user, but it is not a supported feature.

If you have Windows 2008 R2, you might want to have a look at Windows DirectAccess technology, which will be able to do what you want (even deploy group policy).


http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx

RPPreacher Commented:
You can't do this with Windows 7.

kdugger (Author) Commented:
I cannot use the IPSec protocol in Windows 7 to connect to the Cisco ASA 5505 before login?
Is there another 3rd party product besides Cisco that supports this?

RPPreacher Commented:
Not with Windows 7

Phal44 Commented:
Unless the Cisco was somehow able to receive PPTP/SSTP connections then I can't see you being able to set up a VPN before logging in :( much less an IPSEC tunnel.

Jian An Lim, Solutions Architect, Commented:
Yes, there are some products able to do it.

Juniper has a product range called Secure Access or SSL VPN - SA2500.

What this product does is use SSL VPN (at-call), and it is called netconnect.
Further, this product has developed a GINA that adds on to msgina.dll and authenticates to both when you put in your username or password.

However, it is not as good as Microsoft's DirectAccess, as this method does not even need to call a VPN. This "VPN" is always on once you have got your IP address (and matching the certificate).

The requirements for DirectAccess are below:

http://technet.microsoft.com/en-us/library/dd637797%28WS.10%29.aspx

RPPreacher Commented:
Windows 7 does not have GINA.  Thus the issue...

You can't do this with Windows 7.  Period.

decoleur Commented:
RPPreacher-

I was just looking at the AnyConnect client on a Windows 7 workstation and it looked like you could get it to establish a connection before the logon prompt like the old IPSEC client does. Is that not the case because of "GINA"? I will try to look that up because I haven't heard of it before.

-t

RPPreacher Commented:
Windows XP used GINA. Vista and later do not. Feel free to research it.

Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
Confirmed - GINA is no longer available since Vista. Any GINA replacement will hence not work.

W7 IPSec VPN uses IKEv2. Cisco does not support that, AFAIK, only IKE (IKEv1). PPTP and L2TP are also not supported on Cisco devices.

The common way to get around the restriction of having to be logged in already is to use cached profiles. They allow you to log in even without having contact with the domain controller, and after login you can start your VPN connection. Apart from the profiles not being synced (which is needless in most cases anyway), there should be no restriction in using this method. However, I must admit I do not know what happens about password changes.

Phal44 Commented:
A silly idea but...

A regular workgroup machine that lets you log on first, then you can set up whatever VPN you want, and then you use a VM machine on there which is joined to the domain?

Not very practical!

Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
It would be sufficient to have a workgroup the same as the domain. Most actions work for that scenario, but not those which require administrative access to the domain (AD admin, for example).

RPPreacher Commented:
OK... since we have established that I'm right (I have an easier time with my wife and kids...)

The only effective way to do this is get the user(s) a cheap PIX 501, put up a L2L VPN and treat them like a remote office.

Anything else is... well... a poorly rigged up, problematic, waste of time to be honest...

Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
Using a "branch" type VPN router is indeed the most reliable solution. You can use almost any router meanwhile for establishing a VPN connection, if you are loosening the restrictions on the ASA side somewhat. You should not use lowest-cost VPN routers, however; they are not worth the effort you have to put in to get them to work.

kdugger (Author) Commented:
Why does Microsoft allow a remote connection VPN adapter to be created and accessed before login if it cannot be used? Could I set up a Microsoft VPN on Windows 2003 Server Service Pack 2 with a public IP address that a Windows 7 client could connect to?

Rant: I feel like Microsoft and Cisco are like two little kids who won't play nice together and are preventing the rest of us from using the sand box while they have their tantrums.

RPPreacher Commented:
I agree with your rant.  Anything else before closing this question?

kdugger (Author) Commented:
Thanks for all your comments. I think RPPreacher gave the most accurate answers of the situation, but liked that Qlemo gave further technical details and others gave some suggestions.