JustinGSEIWI
asked on
Connecting to ASA 5510 via windows 8 IPSec VPN
I have a user with a Windows 8 computer. Since the Cisco VPN client is no longer supported on Windows 8, I need to set up the VPN connection using the Windows VPN client. I did so, but I am unable to get the VPN connection established to my ASA 5510. I entered the IP address and PSK that are in the Cisco VPN profile into the settings on the Windows 8 computer. I did not see a place to put the name that also goes along with the PSK. I am thinking that is the issue. How do I establish the VPN connection from the Windows 8 computer to my ASA using the information in the Cisco VPN profile I have?
Thanks,
Justin
You would have to configure either SSL VPN or L2TP IPSEC to use the Windows native client (as far as I'm aware). If you only have the one user with Windows 8, I would go the SSL route since the ASA comes with a 2 user SSL VPN license by default.
ASKER
SSL isn't an option since I need a permanent solution and eventually I will have many more users with Windows 8. I did try setting up the L2TP IPSEC connection, but it will not connect. I entered the public IP and the PSK. I must be missing something since it still won't connect.
Thanks,
Justin
Can you post a scrubbed config? It is likely that a small detail for L2TP isn't set right. I remember the first time I set it up took me a couple days over a single missing config line.
ASKER
Would that still be necessary if I let you know we have been using this VPN with the same config for many years? It works today as long as I use the Cisco VPN client. I just can't get it to work with the Windows VPN.
ASKER CERTIFIED SOLUTION
ASKER
The IPSec VPN still works on Windows 7 computers just fine. There is no issue with the firewall or config that I know of.
I did find the solution you just pointed out. That is sort of unofficial, and it is a pain to make that change on every Windows 8 PC once we roll out Windows 8.
That will work fine for this one PC, but once I roll out Windows 8 further, I will need the Windows 8 VPN to work so I can push those settings out with GP.
I still need to figure out why the VPN won't work with the Windows native VPN client.
Thanks,
Justin
Here are the notes I had when I first set up an ASA for the Android native VPN, which is the same for native Windows clients. The two easy-to-miss parts are that the transform set must be in transport mode, and the passwords use MS-CHAP for encryption.
!!!!!
!Standard parts for any RA VPN setup. Define nat exemptions, local pools, and split tunnel acl’s
!!!!!
object-group network VPNUSERS
description VPN USER IP POOLS
network-object 192.168.255.0 255.255.255.0
object-group network ALLPRIVATESUBNETS
description ALL CONFIGURED PRIVATE IP SUBNETS
network-object 192.168.230.0 255.255.255.0
network-object 192.168.255.0 255.255.255.0
access-list VPNUSERS_TO_PRIVATEIPSUBNETS extended permit ip object-group VPNUSERS object-group ALLPRIVATESUBNETS
access-list VPNUSERS_TO_PRIVATEIPSUBNETS extended permit ip object-group ALLPRIVATESUBNETS object-group VPNUSERS
ip local pool sales_addresses 192.168.255.10-192.168.255.50
nat (inside,outside) source static obj-192.168.230.0 obj-192.168.230.0 destination static obj-192.168.255.0 obj-192.168.255.0
!!!!
!Standard radius setup. I tested again in the test lab and found that I was indeed missing the “mschap v2” checkbox for allowed encryption methods on my vpn policy. Once enabled, I was able to authenticate a domain account.
!If using a local database, ensure that the keyword “mschap” is put after the username (username test password test mschap)
!!!!
aaa-server ASAAUTH protocol radius
aaa-server ASAAUTH (inside) host 192.168.230.30
key ****
!!!!
!Define Phase 2 transform sets. Use 3des sha, and it MUST be in transport mode. Ensure that the new transform set is included in the dynamic map (highlighted). Do not enable pfs. Reverse route is an option
!!!!
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 65535 set ikev1 transform-set my-transform-set-ikev1
crypto dynamic-map dyno 65535 set reverse-route
crypto map vpn 20 ipsec-isakmp dynamic dyno
!!!!
!Enable the crypto map and isakmp/ikev1 on the appropriate interface
!!!!
crypto map vpn interface outside
crypto ikev1 enable outside
!!!!
!Define Phase 1 isakmp/ikev1 policy. In at least one of the policies the encryption should match phase 2.
!!!!
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!!!!
!The real meat-and-potatoes of the config. All group policies and tunnel groups must use the built in DefaultRAGroup.
!You must specify the “vpn-tunnel-protocol l2tp-ipsec” and “ikev1 pre-shared-key XXXXX” or the connection will never happen.
!All other lines are technically optional, but without them you might not be able to do anything with the vpn connection
!!!!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.230.30
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNUSERS_TO_PRIVATEIPSUBNETS
tunnel-group DefaultRAGroup general-attributes
address-pool sales_addresses
authentication-server-group ASAAUTH
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key 12345678
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
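As an added check (example code, not part of the answer above or any Cisco tool), the following Python lint walks an ASA config in plain text and reports the omissions the answer singles out: a dynamic map that does not use a transport-mode transform set, and a DefaultRAGroup without "vpn-tunnel-protocol l2tp-ipsec", an "ikev1 pre-shared-key" or "authentication ms-chap-v2". It assumes the config is pasted as text with or without indentation; the SAMPLE config and its PSK are constructed placeholders.

```python
import re

# ASA sub-mode headers; pasted configs often lose indentation, so blocks are keyed on header text.
BLOCK_HDR = re.compile(r"^(group-policy \S+ attributes|tunnel-group \S+ \S+-attributes|"
                       r"crypto ikev1 policy \d+|object-group network \S+)$")
TOP_LEVEL = ("crypto ", "access-list ", "ip ", "nat ", "aaa-server ", "object-group ",
             "group-policy ", "tunnel-group ")

def parse_blocks(config):
    """Map each sub-mode header to the commands entered under it."""
    blocks, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if BLOCK_HDR.match(line):
            cur = line
            blocks.setdefault(cur, [])
        elif line.startswith(TOP_LEVEL):
            cur = None                    # any other global command closes the block
        elif cur is not None and line and not line.startswith("!"):
            blocks[cur].append(line)      # blanks and '!' banners are skipped
    return blocks

def lint_l2tp(config):
    """List the omissions that stop a native Windows L2TP/IPsec client from connecting."""
    blocks, problems = parse_blocks(config), []
    # Phase 2: the dynamic map must reference a transform set that is in transport mode
    transport = set(re.findall(r"crypto ipsec ikev1 transform-set (\S+) mode transport", config))
    used = set(re.findall(r"crypto dynamic-map \S+ \d+ set ikev1 transform-set (\S+)", config))
    if not transport & used:
        problems.append("dynamic map does not use a transport-mode ikev1 transform-set")
    # Native clients land in DefaultRAGroup: it needs the protocol, the PSK and MS-CHAPv2
    required = [("group-policy DefaultRAGroup attributes", "vpn-tunnel-protocol l2tp-ipsec"),
                ("tunnel-group DefaultRAGroup ipsec-attributes", "ikev1 pre-shared-key"),
                ("tunnel-group DefaultRAGroup ppp-attributes", "authentication ms-chap-v2")]
    for header, needed in required:
        if not any(set(needed.split()) <= set(l.split()) for l in blocks.get(header, [])):
            problems.append(f"{header}: missing '{needed}'")
    return problems

# Constructed minimal config in the shape the post shows; the PSK is a placeholder.
SAMPLE = """\
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 65535 set ikev1 transform-set my-transform-set-ikev1
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""
```

Run `lint_l2tp(open("running-config.txt").read())` against a scrubbed "show running-config" to get the list of missing lines; an empty list means the pieces the answer calls mandatory are all present.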