JustinGSEIWI

Connecting to ASA 5510 via windows 8 IPSec VPN

I have a user with a Windows 8 computer. Since the Cisco VPN client is no longer supported on Windows 8, I need to set up the VPN connection using the Windows VPN client. I did so but I am unable to get the VPN connection established to my ASA 5510. I entered the IP address and PSK that are in the Cisco VPN profile into the settings on the Windows 8 computer. I did not see a place to put the name that also goes along with the PSK. I am thinking that is the issue. How do I establish the VPN connection from the Windows 8 computer to my ASA using the information in the Cisco VPN profile I have?

Thanks,

Justin
rauenpc

You would have to configure either SSL VPN or L2TP IPSEC to use the Windows native client (as far as I'm aware). If you only have the one user with Windows 8, I would go the SSL route since the ASA comes with a 2 user SSL VPN license by default.
JustinGSEIWI

ASKER

SSL isn't an option since I need a permanent solution and eventually, I will have many more users with Windows 8. I did try setting up the L2TP IPSEC connection but it will not connect. I entered the public IP and the PSK. I must be missing something since it still won't connect.

Thanks,

Justin
Can you post a scrubbed config? It is likely that a small detail for L2TP isn't set right. I remember the first time I set it up took me a couple days over a single missing config line.
Would that still be necessary if I let you know we have been using this VPN with the same config for many years? It works today as long as I use the Cisco VPN client. I just can't get it to work with the Windows VPN.
ASKER CERTIFIED SOLUTION
Pete Long
This solution is only available to members.
The IPSec VPN still works on Windows 7 computers just fine. There is no issue with the firewall or config that I know of.

I did find the solution you just pointed out. That is sort of unofficial and it is a pain to make that change on every Windows 8 PC once we roll out Windows 8.

That will work fine for this one PC but once I roll out Windows 8 further, I will need the Windows 8 VPN to work so I can push those settings out with GP.

I still need to figure out why the VPN won't work with the Windows native VPN client.

Thanks,

Justin
Here are the notes I had when I first set up an ASA for Android native VPN, which is the same for native Windows clients. The two easy-to-miss parts are that the transform set must be in transport mode, and the passwords use mschap for encryption.

!!!!!
!Standard parts for any RA VPN setup. Define nat exemptions, local pools, and split tunnel acl’s
!!!!!
 
object-group network VPNUSERS
 description VPN USER IP POOLS
 network-object 192.168.255.0 255.255.255.0

object-group network ALLPRIVATESUBNETS
 description ALL CONFIGURED PRIVATE IP SUBNETS
 network-object 192.168.230.0 255.255.255.0
 network-object 192.168.255.0 255.255.255.0
 
access-list VPNUSERS_TO_PRIVATEIPSUBNETS extended permit ip object-group VPNUSERS object-group ALLPRIVATESUBNETS
access-list VPNUSERS_TO_PRIVATEIPSUBNETS extended permit ip object-group ALLPRIVATESUBNETS object-group VPNUSERS
 
ip local pool sales_addresses 192.168.255.10-192.168.255.50
 
nat (inside,outside) source static obj-192.168.230.0 obj-192.168.230.0 destination static obj-192.168.255.0 obj-192.168.255.0
 
!!!!
!Standard radius setup. I tested again in the test lab and found that I was indeed missing the “mschap v2” checkbox for allowed encryption methods on my vpn policy. Once enabled, I was able to authenticate a domain account.
!If using a local database, ensure that the keyword “mschap” is put after the username (username test password test mschap)
!!!!
 
aaa-server ASAAUTH protocol radius
aaa-server ASAAUTH (inside) host 192.168.230.30
 key ****
 
!!!!
!Define Phase 2 transform sets. Use 3des sha, and it MUST be in transport mode. Ensure that the new transform set is included in the dynamic map (highlighted). Do not enable pfs. Reverse route is an option
!!!!
 
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 65535 set ikev1 transform-set my-transform-set-ikev1
crypto dynamic-map dyno 65535 set reverse-route
crypto map vpn 20 ipsec-isakmp dynamic dyno
 
!!!!
!Enable the crypto map and isakmp/ikev1 on the appropriate interface
!!!!
 
crypto map vpn interface outside
crypto ikev1 enable outside
 
!!!!
!Define Phase 1 isakmp/ikev1 policy. In at least one of the policies the encryption should match phase 2.
!!!!
 
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
!!!!
!The real meat-and-potatoes of the config. All group policies and tunnel groups must use the built in DefaultRAGroup.
!You must specify the “vpn-tunnel-protocol l2tp-ipsec” and “ikev1 pre-shared-key XXXXX” or the connection will never happen.
!All other lines are technically optional, but without them you might not be able to do anything with the vpn connection
!!!!
 
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.230.30
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNUSERS_TO_PRIVATEIPSUBNETS

tunnel-group DefaultRAGroup general-attributes
 address-pool sales_addresses
 authentication-server-group ASAAUTH
 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key 12345678

tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
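
Added example (not part of the original post, and not a Cisco tool): a small Python check for the L2TP/IPsec lines the notes above call out as required or easy to miss. It assumes the input is in `show running-config` layout with sub-commands indented by a space; the function names and the sample config are constructed for illustration.

```python
import re
# Constructed sample (not from the thread): a fragment in "show running-config"
# layout that omits several of the lines the notes say are required.
SAMPLE = """\
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto dynamic-map dyno 65535 set ikev1 transform-set my-transform-set-ikev1
crypto dynamic-map dyno 65535 set pfs group2
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol ikev1
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
"""

def sections(config):
    """Return {top-level command: [indented sub-commands]} for an ASA config."""
    tree, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and "!" comment lines
        if raw[0].isspace() and current is not None:
            tree[current].append(raw.strip())
        else:
            current = raw.strip()
            tree.setdefault(current, [])
    return tree

def check_l2tp(config):
    """List the L2TP/IPsec prerequisites from the notes that the config fails."""
    tree, problems = sections(config), []
    # Transform sets referenced by any dynamic map, and those set to transport mode.
    used = set(" ".join(re.findall(
        r"^crypto dynamic-map \S+ \d+ set ikev1 transform-set (.+)$", config, re.M)).split())
    transport = set(re.findall(
        r"^crypto ipsec ikev1 transform-set (\S+) mode transport[ \t]*$", config, re.M))
    if not used & transport:
        problems.append("no transport-mode transform set in a dynamic map")
    if re.search(r"^crypto dynamic-map \S+ \d+ set pfs\b", config, re.M):
        problems.append("pfs is enabled on the dynamic map")
    policy = tree.get("group-policy DefaultRAGroup attributes", [])
    if not any(c.split()[0] == "vpn-tunnel-protocol" and "l2tp-ipsec" in c.split()
               for c in policy):
        problems.append("missing vpn-tunnel-protocol l2tp-ipsec")
    ipsec = tree.get("tunnel-group DefaultRAGroup ipsec-attributes", [])
    if not any(c.startswith("ikev1 pre-shared-key ") for c in ipsec):
        problems.append("missing ikev1 pre-shared-key")
    ppp = tree.get("tunnel-group DefaultRAGroup ppp-attributes", [])
    if "authentication ms-chap-v2" not in ppp:
        problems.append("missing authentication ms-chap-v2")
    return problems
```

Calling `check_l2tp(SAMPLE)` reports four problems for the constructed fragment; an empty list means every check passed.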