Forcing Cisco VPN client to use NAT-T

Is there a way to force the VPN client to use NAT-T when the device isn't NATed but ESP is otherwise blocked?
My VPN client connects but tries to use ESP, even though IPSec over UDP is selected, after detecting that no NAT is taking place.

Thanks. Using Linux's 'vpnc' as the VPN client provides a "force-natt" option which does the trick so a little disappointed I can't do it with the Cisco client.
I also found references to a feature request #CSCdz58488 so I thought it may have been implemented in the current VPN client.
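The question above turns on whether the client's data packets leave as raw ESP (IP protocol 50, no ports, easily dropped by a UDP-only filter) or wrapped in UDP/4500 by NAT-T. The following is an added example, not code from the thread or from Cisco: a small classifier for captured IPv4 frames that encodes the RFC 3948 encapsulation rules, so a practitioner can confirm from a packet capture which of the two the client actually negotiated. The sample frames are constructed inline with minimal headers and zero checksums.

```python
"""Tell raw ESP apart from NAT-T (UDP 4500) in captured IPv4 frames.

Added example (not from the thread or from Cisco). It encodes the wire format
of RFC 3948 UDP encapsulation: on UDP/4500 an IKE packet starts with a 4-byte
zero "non-ESP marker", an ESP packet starts with its (non-zero) SPI, and a
NAT keepalive is a single 0xFF byte. Raw ESP is IP protocol 50 and has no
ports at all, which is why a filter that only passes UDP silently drops it.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_ESP = 50
ISAKMP_PORT = 500
NATT_PORT = 4500


@dataclass(frozen=True)
class Classification:
    transport: str             # "esp" (raw), "natt", "isakmp" or "other"
    kind: str                  # "esp", "ike", "keepalive" or "unknown"
    spi: Optional[int] = None  # ESP SPI when the packet carries one


def classify_natt_payload(payload: bytes) -> Tuple[str, Optional[int]]:
    """Classify the UDP payload of a port-4500 datagram (RFC 3948, section 2)."""
    if payload == b"\xff":
        return "keepalive", None
    if len(payload) < 4:
        return "unknown", None
    first_word = struct.unpack("!I", payload[:4])[0]
    if first_word == 0:
        return "ike", None        # non-ESP marker; an ISAKMP header follows
    return "esp", first_word      # ESP SPI; zero is reserved, so never IKE


def classify_ipv4(frame: bytes) -> Classification:
    """Classify one IPv4 frame (no link-layer header) by transport and content."""
    ihl = (frame[0] & 0x0F) * 4
    proto = frame[9]
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", frame[ihl:ihl + 4])[0]
        return Classification("esp", "esp", spi)
    if proto == IPPROTO_UDP:
        sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
        payload = frame[ihl + 8:ihl + ulen]
        if NATT_PORT in (sport, dport):
            kind, spi = classify_natt_payload(payload)
            return Classification("natt", kind, spi)
        if ISAKMP_PORT in (sport, dport):
            return Classification("isakmp", "ike")
    return Classification("other", "unknown")


def summarize(frames: Iterable[bytes]) -> Dict[str, int]:
    """Count frames per transport/kind, e.g. {'esp/esp': 2, 'isakmp/ike': 1}."""
    counts: Dict[str, int] = {}
    for frame in frames:
        c = classify_ipv4(frame)
        key = f"{c.transport}/{c.kind}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def data_leaves_as_raw_esp(frames: Iterable[bytes]) -> bool:
    """True when any data packet is sent unencapsulated (IP protocol 50)."""
    return any(classify_ipv4(f).transport == "esp" for f in frames)


# --- constructed sample frames (minimal headers, checksums left zero) -------
def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 2]), bytes([203, 0, 113, 1])) + payload


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


ESP_DATA = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16  # SPI, seq, ciphertext
RAW_ESP = _ipv4(IPPROTO_ESP, ESP_DATA)
NATT_ESP = _ipv4(IPPROTO_UDP, _udp(NATT_PORT, NATT_PORT, ESP_DATA))
NATT_IKE = _ipv4(IPPROTO_UDP, _udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + b"\x11" * 28))
NATT_KEEPALIVE = _ipv4(IPPROTO_UDP, _udp(NATT_PORT, NATT_PORT, b"\xff"))
PLAIN_IKE = _ipv4(IPPROTO_UDP, _udp(ISAKMP_PORT, ISAKMP_PORT, b"\x11" * 28))

if __name__ == "__main__":
    print(summarize([PLAIN_IKE, RAW_ESP, RAW_ESP]))          # client fell back to raw ESP
    print(summarize([NATT_IKE, NATT_ESP, NATT_KEEPALIVE]))  # everything rides UDP/4500
```

Run it over the IPv4 payloads of a capture taken on the client's uplink: a mix of `isakmp/ike` and `esp/esp` means the client decided no NAT was present and is sending bare ESP, which a UDP-only path will drop even though the IKE exchange completed; a capture showing only `natt/*` entries is what a working forced-NAT-T session looks like.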

Similar Messages

  • Problems w/ VPN Server & Cisco VPN Client on same machine

    I really wish that I read about how the developer of the program iVPN no longer supports his work BEFORE I paid for it. It's a great, simple, GUI frontend to the existing Leopard VPN server built in to regular (non-server) OSX...
    Anyway, on my Mac that stays @ home:
    (1) - I have the iVPN server set up & running to allow me to connect (from my iphone or another computer on the road) to my Mac @ home using L2TP.
    (2) - When I'm @ home and need to connect to my company's network, I need to use the Cisco VPN Client (which uses IPSec etc).
    So, I found out that when I need to use my Mac to connect to work, I first have to open up the iVPN server to click "Stop Server" (which has me enter my password twice sometimes). Now I close iVPN until I'm done, then open up Activity Monitor for the purpose of finding the still-running process "racoon". I realized this not because it's published info, but because if I don't do this, and try to connect to work using the Cisco VPN Client, it simply will not connect. So, I quit the process "racoon" (which also has me enter my password because it's running as root yada yada). NOW, I can load Cisco VPN Client and successfully connect to my company's network. When I'm finished here, I disconnect the C.V.C., then reopen iVPN Server and restart my server (enter password again).
    Is there any way I can make the process "racoon" quit automatically when I turn off the iVPN server? I'd email the developer but I guess that's a lost cause now. It's a shame because he did a fabulous job making iVPN & gave the less computer-networking-literate-user the ability to create their own VPN server without using Terminal.
    I thought about the possibility of using iVPN to create a PPTP connection instead of L2TP - thinking that would allow me to keep my iVPN PPTP server running at all times, even when I wanted to use the CVC to connect OUT to work - but:
    (1) - I would like the increased security of L2TP.
    (2) - When I tried running a PPTP server, and connecting to it from iPhone or other computer, I was NOT able to access the other devices on my network, or the internet. I couldn't even open up a webpage to check whatismyip.com (while sending all traffic over VPN). And yes, the IP Address Range that I have iVPN handing out is within my normal home network's range.
    My end goal for all of this when using my Mac is to be able to leave my iVPN server running at all times, while still being able to run the Cisco VPN CLIENT to connect to my company's network.
    Or, at least not having to open up Activity Monitor to quit the process racoon... let alone having to enter my password 3 times after opening up iVPN, again to stop the server, again to quit the process racoon. Then a fourth when I'm all done and need to start the iVPN server again.
    Am I going about this the wrong way? Is there an easier way to accomplish these secure connections? There is a slight possibility of me upgrading and running a dedicated Mac Mini server of some sort perhaps with the real OSX Server. But not right now. I think I'm over complicating this. I mean, my needs are pretty simple:
    (1) - Need to connect TO my Mac from IPhone / someone else's Mac or PC for: VNC over SSH, SSH/SFTP file level access, in the future shared network volumes (time capsule). I'd use Back To My Mac for all of this but I don't always connect FROM a Mac.
    (2) - Need to connect FROM my Mac to work VPN for: VNC to my work PC to access our company's Windows-only program (dual booting into boot camp or using a virtual machine is out of the question), using Mocha for AS400 access, thinking about using file sharing on work PC but not needed so far.
    So it's really just VNC and sometimes SFTP. The "S" being important to me. That's why I don't like the idea of doing away with my iVPN server and just forwarding the outside ports. I use the Vine VNC Server which when checked, only allows access over SSH. The only other remote-logins are used from my iphone using an app called BriefCase (SSH to browse files on remote machine), or using an SFTP client on a computer.
    Thank you for reading all of this, and in advance for any insight you can offer.

    If the two servers need the same ports, then hosting two different VPN packages on the same box usually won't work.
    A firewall-based VPN service can be an option; that external box can deal with NAT and routing and other such and can field incoming or LAN-to-LAN VPNs, and your internal Mac boxes located "behind" that box can be free to initiate outbound VPNs.

  • Problem accessing company resources remotely using Cisco VPN Client

    I connect to my company's network remotely using Cisco VPN client both from a PC (v 4.0.1) and from a MacBook Pro (v 4.9.00) (same configs), and use Remote Desktop to connect to my work computer, and now I'm able to use Citrix to run applications on the company server.
    The problem occurs on the Mac when I'm connecting from a location that uses the same private domain IP as our company's private domain. Our company's private domain is 192.168.1.x, so when I'm using the Mac on a WiFi router that happens to be set to 192.168.1.1, the Mac can connect using VPN but the remote desktop cannot connect to my work computer. Presumably, the Mac doesn't "know" that I'm trying to go through the VPN for the connection and not connect to something locally.
    This problem seems to be unique to the Mac. Every Windows machine with the same client installed has no problems no matter what WiFi I've tried. The Mac works fine on any WiFi that is not 192.168.1.x.
    However, since 192.168.1.x is very common (hotels, airports, etc.), it's a major problem with the Mac.
    Suggestions are greatly appreciated!
    Also, now that we're moving to Citrix, our administrator has created a webpage on the intranet that we launch applications from, but the Mac cannot find that page when connected to VPN from 192.168.1.x. Same problem.
    Thanks in advance.

    Hi,
    I presume you have split-tunneling activated.
    1. Make sure the 192.168.1.x is on the protected networks and on the MacBook client, disable "Allow local LAN access"
    2. Create a separate group for the Mac users and assign them a different pool (192.168.100.x) and advertise it in your company to point to the VPN Concentrator.
    3. Use the NAT feature on your VPN concentrator.
    If this helped, please rate.
    Regards,
    Daniel

  • Cisco VPN client behind NAT

    Hi,
    We have to set up a VPN connection from a user workstation in our private network to a third party host.
    We have to use the Cisco VPN client v4.0.2 (B).
    BM 3.8SP3 with static and dynamic NAT.
    2 filter exceptions:
    UDP port 500 stateful private network to public host IP
    UDP port 10000 stateful private network to public host IP.
    We can login to their Cisco box but after that we cannot ping to their hosts.

    Bert wrote:
    > Hi Caterina,
    >
    > I got it working!
    >
    > I changed the connection type in the Cisco client to TCP (port 10000).
    >
    > I deleted the UDP filter exception for port 10000.
    > Finally I added a filter for TCP.
    >
    > So with 2 filter exceptions it seems to work now:
    > VPN1 -> source: port 500, destination port 500, stateful, UDP
    > VPN2 -> source: port All, destination port 10000, stateful TCP
    >
    > Now I can ping to hosts at the other side and connect to their network with Net use etc.
    >
    > Thanks for your help.
    >
    > Regards,
    > Bert.
    Thank you Bert, you just saved me hours of work!
    Dan Verbarg
    BHDP Architecture
    Cincinnati, OH

  • Tunneling using Cisco VPN Client 4.9

    Hello,
    in recent times I used the Cisco VPN Client 4.7 with no problems:
    1. I installed the software
    2. I started "Internet Connect.app", created a VPN connection (PPTP) with no entries
    3. created a new network connection ("Tunnel to company"), with ETH and VPN (PPTP) enabled
    4. the ethernet interface points at the local router which is connected to my ISP
    5. DHCP-Client-ID: our.company.de, DNS-Server: no entry, Domain-Names: our.company.de
    6. Proxies: our company's proxies
    7. the VPN (PPTP) interface is configured as PPP, DNS-Server: our company's server IPs, Domain-Names: no entries, Proxy: no entries
    8. Starting the Cisco VPN Client I configured a new session, connected, ok
    As said, this was in the old days.
    Now using Cisco VPN Client 4.9 on a MacBookPro (Intel) this works also with one exception:
    I can establish a network connection (ping, smb, AFP, intranet/HTTP) only using the company's fully qualified domain name, e.g.:
    1. ping server1: unable to resolve name
    2. ping server1.our.company.de: works as expected
    I am using Cisco VPN Client 4.9.00 (0050), Mac OS X 4.8 with all available updates.
    Any help would be appreciated
    Roland

    ...
    trying the same (without the "Internet Config.app" / VPN PPTP) using VPN Tracker works fine. But I don't want to spend Euro 79.-...
    Roland

  • How to uninstall Cisco VPN client 5.0.07.0440, using SCCM \group policy?

    How to uninstall Cisco VPN client 5.0.07.0440, using SCCM \group policy or maybe a login script?
    msiexec /u "vpnclient_setup.msi" /q /norestart  , but it did not work.
    msiexec /x "vpnclient_setup.msi" /q /norestart  , but it did not work.
    I have approx. 500+ Win 8 clients.
    Thanks in Advance

    Looks like I have to follow this exactly:
    http://myitforum.com/cs2/blogs/smchugh/archive/2006/11/15/automating-removing-the-cisco-vpn-client.aspx
    msiexec.exe /uninstall {Cisco VPN 5.x guid} /qn
    MsiExec.exe/X{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D} /q /norestart

  • Using Cisco VPN client certificate for built in IPSec?

    Hi,
    Does anybody know if it is possible to "convert" a certificate exported from Cisco VPN client and import it into the Keychain for using it with built-in IPSec in Snow Leopard?
    Thanks,
    Oli

    I too am having trouble importing the Cisco certificate. It would be nice to have some clear documentation. We've been successful converting the X.509 .cer to PKCS#7 using openssl, which will import into the keychain. However, the VPN (Cisco IPSec) still doesn't see it.

  • Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

    Hi:
    Need your great help for my new ASA 5505 (8.4)
    I just set up a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see the configuration file posted below, thanks for any suggestion.
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.29.8.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 177.164.222.140 255.255.255.248
    ftp mode passive
    clock timezone GMT 0
    dns server-group DefaultDNS
    domain-name ABCtech.com
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 172.29.8.0 255.255.255.0
    object service RDP
    service tcp source eq 3389
    object network orange
    host 172.29.8.151
    object network WAN_173_164_222_138
    host 177.164.222.138
    object service SMTP
    service tcp source eq smtp
    object service PPTP
    service tcp source eq pptp
    object service JT_WWW
    service tcp source eq www
    object service JT_HTTPS
    service tcp source eq https
    object network obj_lex
    subnet 172.29.88.0 255.255.255.0
    description Lexington office network
    object network obj_HQ
    subnet 172.29.8.0 255.255.255.0
    object network guava
    host 172.29.8.3
    object service L2TP
    service udp source eq 1701
    access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
    access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended deny tcp any any eq 135
    access-list inside_access_in extended deny tcp any eq 135 any
    access-list inside_access_in extended deny udp any eq 135 any
    access-list inside_access_in extended deny udp any any eq 135
    access-list inside_access_in extended deny tcp any any eq 1591
    access-list inside_access_in extended deny tcp any eq 1591 any
    access-list inside_access_in extended deny udp any eq 1591 any
    access-list inside_access_in extended deny udp any any eq 1591
    access-list inside_access_in extended deny tcp any any eq 1214
    access-list inside_access_in extended deny tcp any eq 1214 any
    access-list inside_access_in extended deny udp any any eq 1214
    access-list inside_access_in extended deny udp any eq 1214 any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq www
    access-list inside_access_in extended permit tcp any eq www any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 3389
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq smtp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pptp
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq www
    access-list outside_access_in extended permit tcp any host 177.164.222.138 eq https
    access-list outside_access_in extended permit gre any host 177.164.222.138
    access-list outside_access_in extended permit udp any host 177.164.222.138 eq 1701
    access-list outside_access_in extended permit ip any any
    access-list inside_access_out extended permit icmp any any
    access-list inside_access_out extended permit ip any any
    access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
    access-list inside_in extended permit icmp any any
    access-list inside_in extended permit ip any any
    access-list inside_in extended permit udp any any eq isakmp
    access-list inside_in extended permit udp any eq isakmp any
    access-list inside_in extended permit udp any any
    access-list inside_in extended permit tcp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static orange interface service RDP RDP
    nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
    nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
    nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
    nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
    nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
    route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Guava protocol nt
    aaa-server Guava (inside) host 172.29.8.3
    timeout 15
    nt-auth-domain-controller guava
    user-identity default-domain LOCAL
    http server enable
    http 172.29.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 173.190.123.138
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.29.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside vpnclient-wins-override
    dhcprelay server 172.29.8.3 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    group-policy ABCtech_VPN internal
    group-policy ABCtech_VPN attributes
    dns-server value 172.29.8.3
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Tunnel_User
    default-domain value ABCtech.local
    group-policy GroupPolicy_10.8.8.1 internal
    group-policy GroupPolicy_10.8.8.1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    username who password eicyrfJBrqOaxQvS encrypted
    tunnel-group 10.8.8.1 type ipsec-l2l
    tunnel-group 10.8.8.1 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 10.8.8.1 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    tunnel-group ABCtech type remote-access
    tunnel-group ABCtech general-attributes
    address-pool ABC_HQVPN_DHCP
    authentication-server-group Guava
    default-group-policy ABCtech_VPN
    tunnel-group ABCtech ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 173.190.123.138 type ipsec-l2l
    tunnel-group 173.190.123.138 general-attributes
    default-group-policy GroupPolicy_10.8.8.1
    tunnel-group 173.190.123.138 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 remote-authentication certificate
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect pptp
      inspect ftp
      inspect netbios
    smtp-server 172.29.8.3
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:6a26676668b742900360f924b4bc80de
    : end

    Hello Wayne,
    Can you use a different subnet range than the internal interface? This could cause you a LOT of issues and hours of troubleshooting, so use a dedicated, different IP address range...
    I can see that the local pool range is included in the inside interface IP address subnet range; change that and the related config (NAT, etc.) and let us know what happens,
    Regards,
    Julio
    Security Trainer
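The reply above spots the problem by eye: the remote-access pool 172.29.8.210-230 sits inside the inside interface's own 172.29.8.0/24. The following is an added example, not Cisco tooling and not from the thread, that makes that check mechanical over a running-config and, while it is reading the crypto lines, also lists transform sets that still offer DES, 3DES or MD5-HMAC. It understands only the handful of ASA statements it needs ('interface', 'nameif', 'ip address', 'ip local pool', 'crypto ipsec ikev1 transform-set'); the sample config is a constructed excerpt modelled on the one posted above.

```python
"""Flag a VPN address pool that overlaps a connected interface subnet in a
Cisco ASA configuration, and list transform sets built on legacy algorithms.

Added example, not Cisco tooling. Only the ASA statements named below are
parsed; everything else is ignored. SAMPLE_CONFIG is a constructed excerpt
modelled on the configuration posted in the thread.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.29.8.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 177.164.222.140 255.255.255.248
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
"""

IFACE_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")          # indentation optional: forum
IPADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)") # pastes often strip it
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
TSET_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
LEGACY_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}  # DES, 3DES, MD5-HMAC


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map nameif (or interface id) to the connected subnet of each addressed interface."""
    nets: Dict[str, ipaddress.IPv4Network] = {}
    ifname = None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            ifname = m.group(1)
        elif ifname and (m := NAMEIF_RE.match(line)):
            ifname = m.group(1)             # prefer the nameif from here on
        elif ifname and (m := IPADDR_RE.match(line)):
            nets[ifname] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def parse_pools(config: str) -> Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Map pool name to its (first, last) address."""
    pools = {}
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            name, first, last, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def find_pool_overlaps(config: str) -> List[Tuple[str, str, str]]:
    """(pool, interface, subnet) for every pool whose range touches a connected subnet.

    This is the overlap the reply in the thread tells the poster to remove.
    """
    nets = parse_interfaces(config)
    findings = []
    for pool, (first, last) in parse_pools(config).items():
        for nameif, net in nets.items():
            if first in net or last in net:
                findings.append((pool, nameif, str(net)))
    return findings


def legacy_transform_sets(config: str) -> Dict[str, List[str]]:
    """Transform sets that still offer DES, 3DES or MD5-HMAC."""
    found = {}
    for line in config.splitlines():
        if m := TSET_RE.match(line):
            weak = sorted(set(m.group(2).split()) & LEGACY_ALGS)
            if weak:
                found[m.group(1)] = weak
    return found


if __name__ == "__main__":
    for pool, nameif, net in find_pool_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps {nameif} subnet {net}")
    for name, algs in legacy_transform_sets(SAMPLE_CONFIG).items():
        print(f"transform-set {name} uses legacy algorithms: {', '.join(algs)}")
```

Feed it the output of `show running-config` and fix every pool the first function reports by moving it to a range that no interface carries, then revisit NAT and the split-tunnel list as the reply says. The second function is a bonus for the same pass: the posted config's Remote_VPN_Set (3DES/MD5) is what the dynamic crypto map actually offers to remote-access clients.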

  • Cisco VPN Client and Border Manager

    Don't know if this is the correct spot, but here goes. We are using BM 3.8sp4 using proxy, and NAT. We have a contractor that needs to access his company network using a Cisco VPN Client Ver 5. They have Enable Transparent Tunneling checked in the client and IPSec over TCP port 1000.
    Is this a filter exception to let it out or something else I need to set up?

    Port 1000, or 10000? (10,000 is something I've seen in the past, and
    is what I used for the example in my BMgr filtering book. See URL
    below).
    You would probably need to open two ports up, in FILTCFG, from private
    to public interfaces. First, IKE-st (UDP 500). Next, make a custom
    stateful one for port 1000 (or whatever), probably UDP.
    The last Cisco IPSec VPN client I used through BMgr needed UDP 500 and
    UDP 4500 opened, just like the Novell IPSec VPN client. So I was able
    to use the definitions supplied by Novell in FILTCFG. In your case,
    you will probably have to add at least one custom exception.
    Filter debug will tell you what is being filtered, if you know how to
    use it. Or get PKTSCAN.NLM from download.novell.com, load it on the
    server, and capture packets. Look at them on the server, or use
    Wireshark, and you will see what protocol/ports are being sent from the
    client IP address.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Is there really a Cisco VPN client for Linux? _Really?_

    Hello folks,
    I've finally after almost experiencing a brain aneurysm by trying to think too hard got my Cisco 881-SEC-K9 router properly configured for a multipoint IPSec VPN tunnel to my Amazon Virtual Private Cloud, so that hurdle is finally passed and I actually feel it was a very important milestone in my life somehow. I never thought I'd see the day I actually got my hands on a legitimate Cisco non-stink... erm.. I mean, non-linksys router. Now I just can't seem to find a 'client' VPN program for Linux. I'm currently running a Xen Hypervisor environment on openSUSE Linux because it's the only Linux distribution that completes all of my strenuous requirements in a Linux server environment. It's also the most mature, and secure Linux on this planet, making it the most appreciable Linux distribution for my research needs. Using NetworkManager is not really an option for a basic Linux server environment, and OpenVPN is just too confusing to comprehend for my tiny little head. I've heard mention of some mysterious "Easy VPN" but after hours of digging online can't find any information about it, even the Cisco download link leads to a Page Not Found error. I do see a Linux VPN API for the AnyConnect program, but is that an actual VPN client, or just an API? It seems to want my money to download it but I don't have any money nor do I really know what it is because it's all secretive-like, closed source, and I can't even find a simple README file on it explaining what it is exactly. I'm just an out-of-work software developer trying to connect to my home router for personal use and I can't really afford to fork over a million and a half dollars for a single program that I'm only going to need to download once in my lifetime that should have been included with the router in the first place.
    I more than likely won't even be able to figure out how to use the program anyway because I don't know anything about VPN connections which is why I bought this router so I can try to figure it all out as part of the not-for-profit open source, volunteer research I'm presently trying to conduct. Is there some kind of evaluation or trial period for personal use? That would be really nice so I could at least figure out if I'm going to be able to figure it out or not. I hate throwing money away when it's in such short supply these days. There's really no alternative to a Cisco router. It's an absolute necessity for the things I'm trying to accomplish, so trying to settle for something else and going on with my life is not really an option. No, this is something I just need to face head on and get it over with.
    <Rant>
    Maybe I have a little too much crazy in me for my own good, but I don't see why it should take so much money just to learn how to do something for personal reference, it's not really a skill I would ever use otherwise. Wouldn't it be great if Cisco made their VPN client open source and free to the public to use and modify, to improve on, to learn and to grow and bring the whole world closer together as a community? Even the source code to the old discontinued Cisco VPN client could be used as a valuable learning tool for some poor starving college student or Open Source Software developer somewhere trying to get by on Ramen Noodles and Ramen Noodle Sauce on Toast (don't tell me you never thought about it). Through the ripple effect, it would drastically improve sales over the course of time, because it would open the door to a whole new market where those who previously could not afford to participate now could. That's the true power of Open Source. It creates a more skilled work force for the future by openly contributing and sharing knowledge together. What if the next big internet technology and the solution to world tyranny - the solution to end all wars forever - were locked in the mind of an unemployed software developer who couldn't afford to upgrade their Cisco router software or access the software they needed because it was closed source and required committing to an expensive service contract to download? That would be just terrible, wouldn't it? I guess there's no way to ever know for sure. I suppose I'd be just as happy if some kind soul out there could point me to an easy to use alternative to an always on VPN connection that runs in the background which doesn't require NetworkManager or having to spend days upon days digging through and trying to comprehend either some really poor or extremely complex documentation?
    I apologize for all the run-on sentences posed as questions, but I've just got some serious mental burnout from all of this, being unemployed is some hard work folks. I could really use a vacation. Perhaps a camping trip to the coast is in order after I get this working, that sounds nice, doesn't it? Nothing like a good summer thunderstorm on the ocean beach - far away from technology - to refresh the mind.
    </Rant>

    I do tend to talk too much and I don't mince any words either. What I am however, is really appreciative for the help. I know you hear that all the time, but you have no idea how much time and headache you just saved me. I think vpnc might be just what I've been looking for, unless someone can think of a client for Linux that I might be able to throw a little further. I'm very security minded now, after the backlash of Blackhat 2013, there's no telling which direction the internet might head next. Oh, you didn't hear? Well whether they realize it or not, DARPA basically declared war with other government agencies by releasing their own version of a spy program for civilians to use against whoever -- possibly even the government itself. They even went so far as to suggest its private usage to blanket entire cities in information gathering. Civilians are a powerful foe, as they are not bound by the oath of office, any evidence they obtain is admissible in court, whether they know that or not. There's a very important reason for that. It's to prevent another civil war from ever happening, we shed enough blood the first time around lest people forget. It's something that can and will be avoided because our civilization has advanced beyond the need for bloodshed. The courts have to obey the majority rule, no matter what. For the first time in history, cyberwarfare can reach into the physical world to cause serious damage to physical structures like the nuclear facility incident in Iran. There's scary bills trying to sneak through congress that are changing the landscape of technology forever for the entire world. We're at a pivotal point now where things can happen. It will be interesting to see how it all plays out over the next decade or so. No matter which way you look at it, just be prepared to sell a whole lot of routers.

  • IP Communicator doesn't work with Cisco VPN Client

    Hi,
    I'm having a problem connecting IP Communicator (either ver 2 or 7) whenever I'm using Cisco VPN Client 5.0.06.0160 for Windows.
    The IPC doesn't register with the CUCM;
    there's nothing showing on the screen.
    But whenever I'm using the AnyConnect VPN Client, it works perfectly.
    The remote side is using an ASA5505.
    Can anyone help?
    Thanks

         It's probably an issue with the ASA configuration in your "group-policy attributes". The "split-tunnel-network-list value" is pointing to an access list without the subnet for the Call Manager, while your SSL group-policy for webvpn has a "split-tunnel-network-list value" access list which does contain the subnet for the Call Manager.
         The other issue could be that you're using different IP pools for IPsec and SSL VPN. The IP pool subnet that you might be giving out for IPsec might not be in your "no nat" ACL.
    Jason
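    The two fixes Jason describes, written out as an added example in pre-8.3 ASA syntax (this is not Jason's or the poster's configuration). The subnets, pool range and object names are assumed: 10.1.0.0/16 is the general inside network, 10.2.20.0/24 is the voice subnet holding the CUCM, and 192.168.100.0/24 is the pool handed to Cisco VPN Client (IPsec) users.

```cisco
! Added example, not from the thread. Addresses and names are assumed.
!
! 1) Split-tunnel ACL used by the IPsec group-policy must list the CUCM subnet,
!    otherwise SCCP/SIP registration traffic never enters the tunnel.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.20.0 255.255.255.0

ip local pool IPSEC_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

group-policy IPSEC_GP internal
group-policy IPSEC_GP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 address-pools value IPSEC_POOL

! 2) NAT exemption (8.2 and earlier) must cover the IPsec pool as well as the
!    SSL pool; if it does not, return traffic from the CUCM toward the IPsec
!    pool is NATed on its way out of "inside" and the phone never registers.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.2.20.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3) Bind the group-policy to the tunnel-group selected by the client's Group Name.
tunnel-group IPSEC_TG type remote-access
tunnel-group IPSEC_TG general-attributes
 default-group-policy IPSEC_GP
```

    On 8.3 and later the "nat (inside) 0 access-list" form is gone and the same exemption is expressed as an identity (twice-NAT) rule with the inside networks as source and the pool as destination; the split-tunnel ACL and pool requirements are unchanged. A quick check after the change is to compare "show run group-policy" for the IPsec and SSL policies: both should point at an ACL containing the CUCM subnet.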

  • Which ports to open in PIX for outgoing Cisco VPN client connections ?

    I have Cisco VPN clients behind the PIX and I want them to connect to a VPN 3005 which is behind another PIX. Can anybody tell me which ports I have to open on both the PIX firewalls?

    It depends on how you have deployed your VPN remote access users.
    By default, if you enable IPSec over TCP or IPSec over UDP, then port 10000 is used for both; these methods are Cisco proprietary and can be changed.
    If you use NAT-T (NAT Traversal), the standards-based implementation, then it uses UDP 4500.
    Either way, the operation of the VPN depends on:
    1) Whether these services have been enabled on the VPN Concentrator
    2) Enabling the relevant transport settings in the VPN Client connection properties.
    Regarding the PIX in front of the VPNC3005, you will need to allow the above ports inbound to your VPNC3005 public interface.
    Locally, it depends whether you filter outbound connections through your PIX. If you don't, then the PIX will allow the connection for the VPN Client attempting to access the remote VPNC3005.
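    The port list above, turned into PIX access lists as an added example (not configuration from the thread). Assumed: the VPN 3005's public interface is 203.0.113.5 and is routed straight through the remote PIX without address translation, and the local clients sit in 10.1.0.0/16. Besides the three encapsulations named in the answer, native IPsec needs ISAKMP on UDP 500 and ESP itself, which is IP protocol 50 and has no port.

```cisco
! Added example, not from the thread. Addresses are assumed.
!
! --- Remote PIX, in front of the VPN 3005: allow every transport inbound ---
! Native IPsec: ISAKMP (UDP 500) for the negotiation, ESP (protocol 50) for data.
access-list outside_in permit udp any host 203.0.113.5 eq isakmp
access-list outside_in permit esp any host 203.0.113.5
! NAT-T: once a NAT is detected, ISAKMP moves to UDP 4500 and ESP is carried
! inside UDP 4500 as well, so one rule covers both phases.
access-list outside_in permit udp any host 203.0.113.5 eq 4500
! Cisco IPsec over UDP / IPsec over TCP: port 10000 by default; change these
! lines if the concentrator was configured with a different port.
access-list outside_in permit udp any host 203.0.113.5 eq 10000
access-list outside_in permit tcp any host 203.0.113.5 eq 10000
access-group outside_in in interface outside

! --- Local PIX, in front of the clients: only needed if outbound is filtered ---
access-list inside_out permit udp 10.1.0.0 255.255.0.0 host 203.0.113.5 eq isakmp
access-list inside_out permit esp 10.1.0.0 255.255.0.0 host 203.0.113.5
access-list inside_out permit udp 10.1.0.0 255.255.0.0 host 203.0.113.5 eq 4500
access-list inside_out permit udp 10.1.0.0 255.255.0.0 host 203.0.113.5 eq 10000
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 host 203.0.113.5 eq 10000
access-group inside_out in interface inside
```

    One caveat on the client side: if the local PIX PATs the clients to a single public address, native ESP cannot be multiplexed (no ports), so the "permit esp" line on the local PIX does not help; those clients will negotiate NAT-T (UDP 4500) or must be configured for IPsec over UDP/TCP, and only the corresponding lines matter. That is also why a client that sees no NAT on its path falls back to plain ESP, as in the question at the top of this page.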

  • IPhone 2.1 now supports Cisco VPN Client to IOS router

    Just tested it. The Cisco VPN Client in iPhone 2.1 now connects to my IOS router. Excellent.

    I have a Cisco 1812 with 12.4(20)T. I know that 12.4(6)T and some other versions have an issue with the negotiation of IPSec policies which basically means that only the first proposal is considered. If the first proposal matches you have a connection. If it does not match, the connection is refused even though other proposals would be O.K.
    The relevant isakmp/ipsec config should be:
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group myvpn
     key mysecretkey
     dns 10.0.0.2 10.0.0.3
     wins 10.0.0.2
     domain mydomain.example.com
     pool ippool
     acl 150
     split-dns mydomain.example.com
     netmask 255.255.255.0
    crypto isakmp profile ike-myvpn-profile
     match identity group myvpn
     client authentication list userauthen
     isakmp authorization list groupauthor
     client configuration address respond
     virtual-template 2
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile myvpn
     set transform-set ESP-3DES-SHA
     set isakmp-profile ike-myvpn-profile
    interface Virtual-Template2 type tunnel
     ip unnumbered FastEthernet1
     ip nat inside
     ip virtual-reassembly
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile myvpn
    See also http://www.cisco.com/en/US/docs/ios/security/configuration/guide/secipsec_virt_tunnl_ps6441_TSD_Products_Configuration_GuideChapter.html
    If you have IOS 12.4(6)T or similar which has the bug I have mentioned you have to use aes instead of 3des for the transform set. The first proposal of the iPhone is aes. Be sure to check the "debug crypto ipsec" and "debug crypto isakmp" output for troubleshooting.
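    As an added example (not the poster's configuration), here are the pieces the posted config refers to but does not show, with assumed values, plus the AES-first ordering the poster recommends for images that only evaluate the first proposal. The aaa list names, profile and group names are taken from the post; the local user, the pool range (10.0.1.0/24, kept off the 10.0.0.0/24 LAN) and ACL 150's contents are assumptions.

```cisco
! Added example, not from the post. Lists/pool/ACL contents are assumed.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username iphoneuser secret ChangeMe-Example
!
! Pool referenced by "pool ippool"; a separate subnet from the 10.0.0.0/24 LAN
! so the virtual-template (unnumbered to FastEthernet1) routes it cleanly.
ip local pool ippool 10.0.1.100 10.0.1.150
! Split-tunnel ACL referenced by "acl 150": only traffic to the LAN is tunnelled.
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
!
! Phase 1: add an AES policy with a lower number so it is offered/matched first;
! the poster's 3DES policy 3 stays as a fallback for other clients.
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! Phase 2: the iPhone's first proposal is AES, so on a 12.4(6)T-style image
! that only considers the first proposal a 3DES-only set is refused. List AES
! first and keep 3DES second; the rest of "crypto ipsec profile myvpn" is unchanged.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile myvpn
 set transform-set ESP-AES-SHA ESP-3DES-SHA
 set isakmp-profile ike-myvpn-profile
```

    With "debug crypto isakmp" running, a rejected proposal shows up during phase 2 negotiation right after the XAUTH/mode-config exchange completes; if phase 1 fails instead, the ISAKMP policy (encryption, hash, DH group) is what to compare against the client's offer.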

  • ASA500: migrate from Cisco VPN Client to native Windows VPN connection

    We have a need at this time for only one of our computers to allow 2 Windows users to connect to our network through VPN (it's a work share situation; they will not both be logged on the same day). We happily use the old Cisco VPN client for everyone else. But the old client will not install twice on the same machine, nor is there an option to "install for any user".
    Thinking to KISS and not invest at this point, I'm trying to get the Windows native VPN to work.
    What combination of settings will work in its Properties -> Security tab to do the same IKE IPsec over UDP (NAT) with group auth along with the individual's login?
    ... (so no reconfiguration is needed on the ASA?)
    Or will one of the other "Type of VPN" options need minimal change on the ASA?

    Thank you.
    I found this: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/l2tp_ips.html#wp1041306
    Will this have any effect on the rest of the users?
    Step 1 Specify IPSec to use transport mode rather than tunnel mode with the mode keyword of the crypto ipsec transform-set command:
    hostname(config)# crypto ipsec transform-set trans_name mode transport
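    An added example (not from the thread or the linked Cisco document) of the ASA side of that migration, in 7.2/8.x syntax, arranged so the existing Cisco VPN Client users are not touched: the tunnel-mode transform set they negotiate stays as it is, a second set in transport mode is added for L2TP/IPsec, and both are listed on the dynamic map so IKE picks whichever the peer proposes. The names, pool and pre-shared key are assumed. Windows' native client sends no group name in IKE, so its sessions land on DefaultRAGroup; that is where the pre-shared key goes, and the tunnel-group the Cisco client selects by group name is left alone.

```cisco
! Added example, not from the thread. Names, pool and key are assumed.
!
! Existing set for Cisco VPN Client users (tunnel mode, unchanged) and a new
! transport-mode set for L2TP/IPsec. Modifying the existing set's mode instead
! would break the Cisco client users, which is the concern in the question.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport

! Offer both on the dynamic map; the peer's proposal decides which is used.
crypto dynamic-map DYN_MAP 10 set transform-set ESP-3DES-SHA-TRANS ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20

! Phase 1 policy matching what the Windows client proposes.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! L2TP/IPsec sessions arrive on DefaultRAGroup (no group ID in IKE).
ip local pool L2TP_POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0
group-policy L2TP_GP internal
group-policy L2TP_GP attributes
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value L2TP_POOL
tunnel-group DefaultRAGroup general-attributes
 default-group-policy L2TP_GP
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key L2tpPreSharedKey-Example
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
```

    On the Windows side the connection's Security tab is set to "Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)", with "Use preshared key for authentication" under Advanced settings and MS-CHAP v2 allowed for the user login. The Cisco client's group authentication (XAUTH plus mode-config over IKE) has no native Windows equivalent, so that part of the question cannot be matched one-for-one: the shared secret moves to the tunnel-group pre-shared key and the individual's login is done over PPP inside the tunnel.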

  • Cisco VPN Client is not opening on windows 7 64bits

    Hello,
    My problem: I installed Cisco VPN Client 5.0.07.0440-k9 on Windows 7 64-bit; the installation ends successfully. But when I restart the computer and then click on it, it doesn't open.
    Notice: when I restart the computer, the first reboot takes an infinite time; in the final stage of boot (the black window with the Microsoft logo and the message "Windows is starting...") it takes an infinite time, so I force the reboot.
    started the same thread here but no answer yet.
    Thank you

    Check your Event Viewer/System log. You may see some entries stating that
    "The Cisco Systems Inc. IPSec Driver failed to start due to the following error: Windows cannot verify the digital signature for this file."
    Disable digital signatures (NOT recommended) and Cisco works fine.
    I guess Cisco has already killed this program if they aren't even getting it certified.
