Solved

Connecting to ASA 5510 via Windows 8 IPSec VPN

Posted on 2013-01-25
Last Modified: 2013-06-12
I have a user with a Windows 8 computer. Since the Cisco VPN client is no longer supported on Windows 8, I need to set up the VPN connection using the Windows VPN client. I did so but I am unable to get the VPN connection established to my ASA 5510. I entered the IP address and PSK that are in the Cisco VPN profile into the settings on the Windows 8 computer. I did not see a place to put the name that also goes along with the PSK. I am thinking that is the issue. How do I establish the VPN connection from the Windows 8 computer to my ASA using the information in the Cisco VPN profile I have?

Thanks,

Justin
Question by:JustinGSEIWI
8 Comments
 
LVL 20

Expert Comment

by:rauenpc
You would have to configure either SSL VPN or L2TP IPSEC to use the Windows native client (as far as I'm aware). If you only have the one user with Windows 8, I would go the SSL route since the ASA comes with a 2 user SSL VPN license by default.
0
 

Author Comment

by:JustinGSEIWI
SSL isn't an option since I need a permanent solution and eventually, I will have many more users with Windows 8. I did try setting up the L2TP IPSEC connection but it will not connect. I entered the public IP and the PSK. I must be missing something since it still won't connect.

Thanks,

Justin
0
 
LVL 20

Expert Comment

by:rauenpc
Can you post a scrubbed config? It is likely that a small detail for L2TP isn't set right. I remember the first time I set it up took me a couple days over a single missing config line.
0
 

Author Comment

by:JustinGSEIWI
Would that still be necessary if I let you know we have been using this VPN with the same config for many years? It works today as long as I use the Cisco VPN client. I just can't get it to work with the Windows VPN.
0

 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
The IPSEC VPN Still works?

Windows 8 and Cisco (IPSEC) VPN Client


Pete
0
 

Author Comment

by:JustinGSEIWI
The IPSec VPN still works on Windows 7 computers just fine. There is no issue with the firewall or config that I know of.

I did find the solution you just pointed out. That is sort of unofficial and it is a pain to make that change on every Windows 8 PC once we roll out Windows 8.

That will work fine for this one PC but once I roll out Windows 8 further, I will need the Windows 8 VPN to work so I can push those settings out with GP.

I still need to figure out why the VPN won't work with the Windows native VPN client.

Thanks,

Justin
0
 
LVL 20

Expert Comment

by:rauenpc
Here are the notes I had when I first set up an ASA for Android native VPN, which is the same for native Windows clients. The two easy-to-miss parts are that the transform set must be in transport mode, and the passwords use mschap for encryption.

!!!!!
!Standard parts for any RA VPN setup. Define nat exemptions, local pools, and split tunnel acl’s
!!!!!
 
object-group network VPNUSERS
 description VPN USER IP POOLS
 network-object 192.168.255.0 255.255.255.0

object-group network ALLPRIVATESUBNETS
 description ALL CONFIGURED PRIVATE IP SUBNETS
 network-object 192.168.230.0 255.255.255.0
 network-object 192.168.255.0 255.255.255.0
 
access-list VPNUSERS_TO_PRIVATEIPSUBNETS extended permit ip object-group VPNUSERS object-group ALLPRIVATESUBNETS
access-list VPNUSERS_TO_PRIVATEIPSUBNETS extended permit ip object-group ALLPRIVATESUBNETS object-group VPNUSERS
 
ip local pool sales_addresses 192.168.255.10-192.168.255.50
 
nat (inside,outside) source static obj-192.168.230.0 obj-192.168.230.0 destination static obj-192.168.255.0 obj-192.168.255.0
 
!!!!
!Standard radius setup. I tested again in the test lab and found that I was indeed missing the “mschap v2” checkbox for allowed encryption methods on my vpn policy. Once enabled, I was able to authenticate a domain account.
!If using a local database, ensure that the keyword “mschap” is put after the username (username test password test mschap)
!!!!
 
aaa-server ASAAUTH protocol radius
aaa-server ASAAUTH (inside) host 192.168.230.30
 key ****
 
!!!!
!Define Phase 2 transform sets. Use 3des sha, and it MUST be in transport mode. Ensure that the new transform set is included in the dynamic map (highlighted). Do not enable pfs. Reverse route is an option
!!!!
 
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 65535 set ikev1 transform-set my-transform-set-ikev1
crypto dynamic-map dyno 65535 set reverse-route
crypto map vpn 20 ipsec-isakmp dynamic dyno
 
!!!!
!Enable the crypto map and isakmp/ikev1 on the appropriate interface
!!!!
 
crypto map vpn interface outside
crypto ikev1 enable outside
 
!!!!
!Define Phase 1 isakmp/ikev1 policy. In at least one of the policies the encryption should match phase 2.
!!!!
 
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
!!!!
!The real meat-and-potatoes of the config. All group policies and tunnel groups must use the built in DefaultRAGroup.
!You must specify the “vpn-tunnel-protocol l2tp-ipsec” and “ikev1 pre-shared-key XXXXX” or the connection will never happen.
!All other lines are technically optional, but without them you might not be able to do anything with the vpn connection
!!!!
 
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.230.30
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNUSERS_TO_PRIVATEIPSUBNETS

tunnel-group DefaultRAGroup general-attributes
 address-pool sales_addresses
 authentication-server-group ASAAUTH
 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key 12345678

tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
0
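An added example, not part of the thread and not Cisco tooling: a small Python check that reads ASA configuration text and reports which of the L2TP/IPsec prerequisites listed in the notes above are unmet (transport-mode transform set in the dynamic map, no pfs, and the three DefaultRAGroup settings). The `LEGACY` sample and its names are constructed, and stanza boundaries are inferred by keyword, which is an assumption.

```python
import re

# Top-level command keywords; the thread's config is pasted without
# indentation, so stanza ends are found by keyword (editor's assumption).
TOP = ("group-policy ", "tunnel-group ", "crypto ", "aaa-server ",
       "username ", "object-group ", "access-list ", "ip ", "nat ")
# (stanza header, regex one of its sub-commands must match)
REQUIRED = [
    ("group-policy DefaultRAGroup attributes", r"vpn-tunnel-protocol\b.*\bl2tp-ipsec\b"),
    ("tunnel-group DefaultRAGroup ipsec-attributes", r"ikev1 pre-shared-key \S"),
    ("tunnel-group DefaultRAGroup ppp-attributes", r"authentication ms-chap-v2$"),
]

def stanza(lines, header):
    """Sub-commands that follow `header` up to the next top-level command."""
    body, inside = [], False
    for line in lines:
        if line.startswith(header):
            inside = True
        elif line.startswith(TOP):
            inside = False
        elif inside:
            body.append(line)
    return body

def audit_l2tp(config):
    """List the L2TP/IPsec prerequisites named in the post that are unmet."""
    lines = [s for s in map(str.strip, config.splitlines()) if s and s[0] != "!"]
    text, missing = "\n".join(lines), []
    ts = r"^crypto ipsec ikev1 transform-set (\S+) mode transport$"
    dm = r"^crypto dynamic-map \S+ \d+ set ikev1 transform-set (.+)$"
    mapped = {n for m in re.findall(dm, text, re.M) for n in m.split()}
    if not mapped & set(re.findall(ts, text, re.M)):
        missing.append("no transport-mode transform set in a dynamic map")
    if re.search(r"^crypto dynamic-map \S+ \d+ set pfs\b", text, re.M):
        missing.append("pfs is set on the dynamic map")
    for header, pattern in REQUIRED:
        if not any(re.match(pattern, l) for l in stanza(lines, header)):
            missing.append("nothing under '%s' matches %s" % (header, pattern))
    return missing

# Constructed sample (hypothetical names, placeholder key): tunnel-mode
# transform set, pfs, and a named group instead of DefaultRAGroup.
LEGACY = """crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyno 65535 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map dyno 65535 set pfs group2
tunnel-group EXAMPLE-GROUP ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER"""
print("\n".join(audit_l2tp(LEGACY)))
```

Run it against the output of `show running-config` saved to a file; an empty result means every prerequisite from the notes is present.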
 
