Good Cisco VPN 3030 Log Analyzer

I need your advice on VPN Conc log analyzer. I am using Kiwi Syslog Enterprise as syslog server. Does any body know or have a recommendation for a good VPN log analyzer that analyzes VPN logs and spit out a report?

The RME Syslog Analyzer matches syslog messages with managed devices, so for a very large database (a very large number of devices in inventory), high CPU utilization can be expected for this process, even with a lower message rate. Also note that attempting to generate reports when the database insert rate is high and sustained is the worst case possible.

Similar Messages

Configure vpn 3030 snmp for cisco works 2000

vpn 3030 snmp error in cisco works 2000
I want to monitor vpn3030 through vpn monitor,so do some config on vpn3030:
1)Configuration | System | Management Protocols | SNMP
enabled port 161
2)Configuration | System | Management Protocols | SNMP Communities
public
3)Administration | Access Rights | Administrators | Modify Properties
snmp modify config
I can telent & http vpn3030,but when I run test in in cisco works 2000(server
configuration|diagnostics|connectivity tools|management station to device)
it said:
Interface Status Test Results
172.16.8.1 DOWN SNMPR failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 91 protocol: snmp_get port: 161
SNMPW failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 0 protocol: snmp_set port: 161
about my vpn3030
Monitoring | System Status Thursday, 10 October 2002 16:40:16
VPN Concentrator Type: 3030
Bootcode Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 2.5.Rel Jun 21 2000
18:57:52
Software Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 3.0.2.Rel Apr 05 2001
20:50:58
Up For: 6d 0:04:27
Up Since: 10/04/2002 16:35:49
RAM Size: 128 MB
There is only a 6509 between cisco works 2000 server and vpn3030,and no restrictions on tcp/ip
flow.
Please help me .thanks in advance.

I test it in cw2000 cdone.
This is really a strange question.
the cw2000 server ip address is 10.8.1.122
the vpn3030 's ip address is 172.16.8.1
between them is a 6509, ip address is 10.8.1.201
when I test connectivity between cw2000 server and 6509, everything is good,snmp is ok.
when i test connectivity between cw2000 server and vpn3030, everything is good,except snmp is not response,while use third party snmp program,snmp status is ok!
when I change the cw2000 server's ip address to 172.16.8.3 and connect it directly to vpn3030,test connectivity between cw2000 server and vpn3030 ,everything is good,snmp is ok.

How long does Cisco VPN client keeps its logs

Hi,
How long does the Cisco VPN client keeps its logs? It seems like 2 weeks. Is it right?

February 18, 2010
Due to popular demand, the Cisco VPN Client v5.0.7 open beta is now available!
In addition to serving as a general maintenance release, the Cisco VPN Client 5.0.7 beta is compatible with Windows 7 & Windows Vista 64-bit environments.
A 64-bit specific compatible image is available for installation on these platforms.
Please have communicate feedback (both positive and problems) to [email protected]
Key Capabilities available for Beta Testing:
New Platform support – Windows 7 & Windows Vista 64-bit platform compatibility
Software Access: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281940730 (under 5.BETA)
Software is available for download by any customer with a Cisco.com SMARTnet™ enabled login.
Release Notes will be available next week via a link once the download image is selected.
There are currently no plans to support Windows XP 64 bit in the VPN client.

Log Analyzer for Cisco devices

Hi all:
Could you please help me finding a Log Analyzer tool for Cisco devices (preferably, free).
Thanks!
W.

In the free arena, many people recommend the Kiwi Syslog Analyzer. Solarwinds bought the product last year and now market a licensed version; but they stil offer a free version as well. See:
http://www.solarwinds.com/products/freetools/kiwi_syslog_server/

Cisco VPN client and mac mail

Hi all,
I wonder if someone can be more helpful than my uni IT department who take a minimum of a week to get you an IP address...
My new uni uses Cisco VPN client for connection to the Wi-Fi network. It all works great apart from one (very annoying problem):-my e-mail accounts in mac mail don't seem to be able to connect via the VPN. I have had both an IMAP and a POP server e-mail account work automatically wherever I connect in the world for over a year now-so its not the way I've set up the accounts.
Is there any way to get mac mail to "see" the VPN connection. If I have to physically plug-in my mac this seems a tad ridiculous when it works in every coffee shop with free wi-fi.
My uni are not helpful as they want people to use either outlook or better still log-on to their e-mail using the web. I don't even want to use their e-mail-what is the point when I move jobs again in a year. What I do currently is use an IMAP account from my last job which I've set to forward to my "e-mail for life" from my undergrad uni. I basically only give out my life e-mail address and this also goes on all my papers.
If I can't access this easily and sort all my mail in all the folders I've created to filter out things like facebook etc. I'm wondering what the point of mac mail is.

Yeah, that stuff normally works for me. Unfortunately this is a situation where you have to use an external Cisco VPN client software, whether you like it or not. Its this horrible clunky thing (which at least half works I guess). So its only like normal wi-fi in terms of selecting the network, then you have to open up this application and put in your log-in etc. Most of the settings on this client seem locked, so there isn't much I can do to configure it.
I've just got to my (temporary) accommodation which doesn't have wi-fi or VPN (just ethernet) and my mail is working again-so it must be the VPN. Goodness knows how it works with an iPod touch (interested in getting one but kind of pointless if I spend most of my time at work and it doesn't work...)
Thanks for your suggestions though!

CISCO VPN CLIENT RUNNING KERNEL 64 MODE (DOESN'T WORK!?)

Hi,
I switched my Mac to Kernel 64 and some days after, trying to run my Cisco VPN Client (vpnclient-darwin-4.9.01.0180-universal-k9), give me back the classic "*ERROR 51: Unable to communicate with the VPN subsystem*"
I'm not sure that the kernel 64 is the cause, but I believe it.
I've just tried the reinstall (also all fix and work around findable on the web and forums), but nothing to do.
The "+sudo SystemStarter restart CiscoVPN+" by terminal doesn't work, and it give back this message:
"+(kernel) Kext com.cisco.nke.ipsec not found for unload request.+
+Failed to unload com.cisco.nke.ipsec - (libkern/kext) not found.+
+Starting Cisco Systems VPN Driver+
+/System/Library/Extensions/CiscoVPN.kext failed to load - (libkern/kext) requested architecture/executable not found; check the system/kernel logs for errors or try kextutil(8).+"
Someone has the same problem?
(p.s.: sorry for my GOOD English...)

Do you really need to run a 64 bit kernel? One of the reasons Apple boots into a 32 bit kernel is because not all 3rd party drivers are 64 bit capable.
Unless you have a 64 bit only driver that you must run, or you have something like 32GB or more of RAM, the 32 bit Mac OS X kernel will work just as well as the 64 bit kernel. Both kernels will equally run 64 bit applications, so there is no downside to a 32 bit kernel for most users.
There are some other posts in this forum where someone ran Mac benchmarks with a 32 bit and 64 bit kernel, and the results were essentially identical. The best performance improvement came from having a 64 bit application, but having a 64 bit kernel didn't affect performance at all.
I too have to use the Cisco VPN Client, and as I do not see any advantage to running a 64 bit kernel, I will be happy running the 32 bit kernel starting Thursday, when my 27" iMac arrives

[T400] Cisco VPN client not working over wireless adapter (but works on cabled connection)

I have a very strange problem.
I need to connect to my work via the cisco vpn client (version 5.0.00.0340).
My previous laptop (T43 , windows XP) worked well through both wired / wireless connections. My desktop machine (vista) works via wired connection (it has no wireless connection).
On my new T400, the VPN client works via a wired connection but not via the wireless adapter.
On the wireless apapter, the vpn seems to connect OK, but when I try to access resources via the VPN there is little response.
I get this in the vpn log...
405 08:56:57.073 04/16/09 Sev=Warning/2 IPSEC/0xE3700003
Function CniInjectSend() failed with an error code of 0xa4510009 (IPSecDrvCB:846)
I've tried disabling the firewall (in both the T400 and the router), removed access connections, and disabling tcp v6. I've rebooted everything too.
But, nothing seems to work. I suspect the problem is on the t400 somewhere, because the old laptop used to work OK via wireless.
I've seen some google links on cisco vpn not working via wireless but nothing seems to apply to my exact situation yet.
Anyone else had this problem or know of a fix? Thanks in advance.
Solved!
Go to Solution.

all good now, got it working.
The Deterministic network thing was not installed on the wireless adapter for some reason.
So, I installed the latest wireless driver, reinstalled the vpn and all is good now.

Preventing mac osx users from using cisco vpn

Hi,
I have setup ASA to act as our vpn server with radius as my authentication server. Users use the cisco vpn client utility to vpn in which has the .pcf file. This .pcf file has the group password, name and so on. Some users went online and found websites to decrypt the group password and have used that on their local macs to vpn in.
That irritates me and i want to know how i can prevent them from logging on. Are there any ways to block by os type within ASA?
Please help!!
thanks

thanks i set it up to get 2 syslog messages: 713120 and 713904.
<165>Feb 09 2012 06:48:56: %ASA-5-713120: Group = vpnaccess-xyz123, Username = xyzcompany\jdoe, IP = 10.10.10.10, PHASE 2 COMPLETED (msgid=xxxxxx).
Which is good, now i know who is connected to my vpn and i get an alert, but i also want to know they type of OS they are using. When i do a lookup of syslog message id: 713904, that is suppose to give me the OS type (ex: winnt mac ox and so on), but i am not getting that.
Any reason why i dont get an alert from message id 713904, but i get one from 713120.
thanks

AFP Freeze and Cisco VPN Client w/ new Macbook Pro

I have an Intel Core Duo Macbook Pro with all software updates installed and running Cisco VPN client v4.9.01 (0030). If I try to connect to one of my clients via VPN and then connect to one of the server shares, afp basically freezes. I have added a snip of the log below. BUT - I take the same laptop onsite and try to connect to the same server, it works like a champ. I have tried the VPN connection from multiple source points (ie, different ISPs and routers/firewalls) and wired and wireless and all result in the same. I am frustrated and running out of options. Note that the same problem occurred with the previous Cisco VPN client and I thought the newer version would fix it - id didn't. Any help would be much appreciated.
tia,
Bill
Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: doing reconnect on /Volumes/ADVSERV
Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: connect to the server /Volumes/ADVSERV
Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Opening session /Volumes/ADVSERV
Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Logging in with uam 10 /Volumes/ADVSERV
Oct 27 16:05:01 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Restoring session /Volumes/ADVSERV
Oct 27 16:05:01 my-computer KernelEventAgent[59]: tid 00000000 received VQ_NOTRESP event (1)
Oct 27 16:06:02 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: doing reconnect on /Volumes/ADVSERV
Oct 27 16:06:02 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: connect to the server /Volumes/ADVSERV
Oct 27 16:06:02 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Opening session /Volumes/ADVSERV
Oct 27 16:06:02 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Logging in with uam 10 /Volumes/ADVSERV
Oct 27 16:06:03 my-computer kernel[0]: AFP_VFS afpfs_Reconnect: Restoring session /Volumes/ADVSERV
Oct 27 16:06:03 my-computer KernelEventAgent[59]: tid 00000000 received VQ_NOTRESP event (1)

Hi Bill,
Do you have any comparison data on services that DO work? I don't connect remotely to any Apple services so can't vouch for AFP always working, but have no issues with RDP services for Windows servers. Running 4.9.00 (0050). I have however just quickly VPN'd to a client and successfully opened an AFP share and browsed around over VPN - didn't even hesitate in establishing the connection.
When you mention taking the machine onsite i am assuming that you directly access the AFP shares and not via VPN, hence confirming that the VPN software is potentially the issue?
Are you running IPSEC over UDP or TCP? My transport is over UDP.
Good luck,
Justin

Cisco VPN Client is not opening on windows 7 64bits

Hello,
My problem : i instaled Cisco VPN client 5.0.07.0440-k9 on Windows 7 64 bits, the installation ends successfully. But when i restard the computer, when i click it doesnt open.
Notice : when i restard the computer, it takes an infinite time the first rebooting , in the final stage of boot ( The black window with the Microsoft logo and message Windows Is Starting ...) '' it takes an infinite time so i force the reboot.
started the same thread here but no answer yet.
Thank you

check your event viewer/System log. You may see some entries stating that
"The Cisco Systems Inc. IPSec Driver failed to start due to the following error: Windows cannot verify the digital signature for this file."
disable digital signatures (NOT recommended) and cisco works fine
I guess Cisco has already killed this program if they aren't even getting it certified.

Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

Hi:
Need your great help for my new ASA 5505 (8.4)
I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
ASA Version 8.4(3)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.29.8.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 177.164.222.140 255.255.255.248
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
subnet 172.29.8.0 255.255.255.0
object service RDP
service tcp source eq 3389
object network orange
host 172.29.8.151
object network WAN_173_164_222_138
host 177.164.222.138
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
object network guava
host 172.29.8.3
object service L2TP
service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
89
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
w
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
tps
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
01
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
WW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Guava protocol nt
aaa-server Guava (inside) host 172.29.8.3
timeout 15
nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
dns-server value 172.29.8.3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunnel_User
default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
vpn-tunnel-protocol ikev1 ikev2
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
address-pool ABC_HQVPN_DHCP
authentication-server-group Guava
default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: end

Hello Wayne,
Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
Regards,
Julio
Security Trainer

Cisco VPN Client and Quick VPN interaction?

I have both a Cisco VPN client for connecting to my company LAN and a QuickVPN client for connecting to my home LAN installed on my W2K laptop. Both start and run correctly, and both connect just as they should. My home LAN uses a WRV54G router to provide VPN connection. I can alternate back and forth between the two clients and connect to each LAN with no obvious issues, but not at the same time, of course.
Here's the question. When I connect to the home LAN, I can log on with no problem and I can remotely administer the WRV54G with no problem. I can ping all of the wired and wireless W2K computers on my home LAN with no problem. However, I cannot "see", browse or map any of the shared resources on my home LAN. I have created user accounts on the home LAN computers for my laptop and router logins and I have given these accounts permissions to my shared resources, but I still cannot get to them. Linksys tech support has been absolutely no help whatsoever, even after repeated attempts.
While trying to troubleshoot this myself, I've noticed that when the Cisco VPN client is running and I'm connected to my company LAN, the IP address and subnet of my computer is changed to ones assigned by the DHCP server at my company. This seems to happen because the Cisco client activates the "Local Area Connection Number 2" on my laptop and assigns IP addresses using it. However, when I'm using the QuickVPN client to connect to my home, the IP address and subnet of my laptop continues to be those assigned by whatever local network I'm connected to (e.g. hotel, etc).
I'm wondering if the QuickVPN is supposed to be assigning an IP address and subnet to my laptop from the WRV54G's DHCP server when I connect to my home LAN. If so, could the Cisco VPN client installed on my laptop be preventing that from happening?
Sorry for the long post, but I'm at my wit's end on this one and Linksys is just no help at all.

1. The Cisco VPN client creates a virtual interface on your computer. This allows you to route traffic to the tunnel. The QuickVPN client is simpler. It only encrypts the traffic to the other end. It does not use a virtual interface. That's why you don't have another IP address when connected with QuickVPN. QuickVPN only encrypts IP packets with IPSec from your computer to 192.168.1.* (or whatever you may use on your WRV LAN) and sends them to the WRV's public IP address.
2. Microsoft Windows file sharing and LAN network browsing depends on network broadcasts. Those only work inside a LAN. If you connect from the outside to a LAN, broadcasts won't go through the VPN tunnel. This means you cannot use standard name windows workgroup name resolution to access shares. Those are propagated with broadcasts which will never go through the VPN tunnel. This means you are not able to use workgroup browsing. All you can to do access your shares is to use the IP address of the other computer.
In short:
\\mycomputer\share won't work
\\192.168.1.50\share works
(assuming the general sharing setup is O.K., i.e. you can use sharing correctly inside your LAN).
Of course, firewalls on the server end may cause problems. Access comes in from a public IP address. This may be blocked. Check the firewall logs on the server to find out if this is the case or not.
Moreover, establishing the VPN connection from a private LAN to a private LAN may not work. This is due to the double network address translation which breaks IPSec and thus the connection. If the hotel uses private IP addresses, this may be the case. But in that case you won't get ping responses from your WRV LAN.
What definitively won't work is in case when the hotel uses the same IP address subnet as you. If the hotel uses 192.168.1.* addresses and your WRV uses 192.168.1.* addresses you cannot connect. QuickVPN does only IPSec tunneling. There is no address translation in QuickVPN. Therefore connecting the identical private IP address subnet through QuickVPN will never work because all addresses exists twice, once on either side.

Is there really a Cisco VPN client for Linux? _Really?_

Hello folks,
        I've finally after almost experiencing a brain aneurysm by trying to think too hard got my Cisco 881-SEC-K9 router properly configured for a multipoint IPSec VPN tunnel to my Amazon Virtual Private Cloud, so that hurdle is finally passed and I actually feel it was a very important milestone in my life somehow. I never thought I'd see the day I actually got my hands on a legitimate Cisco non-stink... erm.. I mean, non-linksys router. Now I just can't seem to find a 'client' VPN program for Linux. I'm currently running a Xen Hypervisor environment on openSUSE Linux because it's the only Linux distribution that completes all of my strenous requirements in a Linux server environment. It's also the most mature, and secure Linux on this planet, making it the most appreciable Linux distribution for my research needs. Using NetworkManager is not really an option for a basic Linux server environment, and OpenVPN is just too confusing to comprehend for my tiny little head. I've heard mention of some mysterious "Easy VPN" but after hours of digging online can't find any information about it, even the Cisco download link leads to a Page Not Found error. I do see a Linux VPN API for the AnyConnect program, but is that an actual VPN client, or just an API? It seems to want my money to download it but I don't have any money nor do I really know what it is because it's all secretive-like, closed source, and I can't even find a simple README file on it explaining what it is exactly. I'm just an out-of-work software developer trying to connect to my home router for personal use and I can't really afford to fork over a million and a half dollars for a single program that I'm only going to need to download once in my lifetime that should have been included with the router in the first place. I more than likely won't even be able to figure out how to use the program anyways because I don't know anything about VPN connections which is why I bought this router so I can try to figure it all out as part of the not-for-profit open source, volunteer research I'm presently trying to conduct. Is there some kind of evaluation or trial period for personal use? That would be really nice so I could at least figure out if I'm going to be able to figure it out or not. I hate throwing money away when it's in such short supply these days. There's really no alternative to a Cisco router. It's an absolute necessity for the things I'm trying to accomplish, so trying to settle for something else and going on with my life is not really an option. No, this is something I just need to face head on and get it over with.
<Rant>
       Maybe I have a little too much crazy in me for my own good, but I don't see why it should take so much money just to learn how to do something for personal reference, it's not really a skill I would ever use otherwise. Wouldn't it be great if Cisco made their VPN client open source and free to the public to use and modify, to improve on, to learn and to grow and bring the whole world closer together as a community? Even the source code to the old discontinued Cisco VPN client could be used as a valuable learning tool for some poor starving college student or Open Source Software developer somewhere trying to get by on Ramen Noodles and Ramen Noodle Sauce on Toast (don't tell me you never thought about it). Through the ripple effect, It would drastically improve sales over the course of time, because it would open the door to a whole new market where those who previously could not afford to participate now could. That's the true power of Open Source. It creates a more skilled work force for the future by openly contributing and sharing knowledge together. What if the next big internet technology and the solution to world tyranny - the solution to end all wars forever - were locked in the mind of an unemployed software developer who couldn't afford to upgrade their cisco router software or access the software they needed because it was closed source and required committing to an expensive service contract to download? That would be just terrible, wouldn't it? I guess there's no way to ever know for sure. I suppose I'd be just as happy if some kind soul out there could point me to an easy to use alternative to an always on VPN connection that runs in the background which doesn't require NetworkManager or having to spend days upon days digging through and trying to comprehend either some really poor or extremely complex documentation? I apologize for all the run on sentences posed as questions, but I've just got some serious mental burnout from all of this, being unemployed is some hard work folks. I could really use a vacation. Perhaps a camping trip to the coast is in order after I get this working, that sounds nice, doesn't it? Nothing like a good summer thunder storm on the ocean beach - far away from technology - to refresh the mind.
</Rant>

I do tend to talk too much and I don't mince any words either. What I am however, is really appreciative for the help. I know you hear that all the time, but you have no idea how much time and headache you just saved me. I think vpnc might be just what I've been looking for, unless someone can think of a client for Linux that I might be able to throw a little further. I'm very security minded now, after the backlash of Blackhat 2013, there's no telling which direction the internet might head next. Oh, you didn't hear? Well wether they realize it or not, DARPA basically declared war with other government agencies by releasing their own version of a spy program for civilians to use against the whoever -- possibly even the governmnet itself. They even went so far as to suggest it's private usage to blanket entire cities in information gathering. Civilians are a powerful foe, as they are not bound by the oath of office, any evidence they obtain is admissible in court, wether they know that or not. There's a very important reason for that. It's to prevent another civil war from ever happening, we shed enough blood the first time around less people forgot. It's something that can and will be avoided because our civilization has advanced beyond the need for bloodshed. The courts have to obey the majority rule, no matter what. For the first time in history, cyberwarfare can reach into the physical world to cause serious damage to physical structures like the nuclear facility incident in Iran. There's scarry bills trying to sneak through congress that are changing the landscape of technology forever for the entire world. We're at a pivotal point now where things can happen. It will be interesting to see how it all plays out over the next decade or so. No matter which way you look at it, just be preparerd to sell a whole lot of routers.

Unable to install Cisco VPN Client on Windows 7

Hello,
After a successfull uninstallation of Cisco VPN version 4. I try to install Cisco VPN Client version 5.0.07.0290.
But after launching vpnclient_setup.msi, the wizard is starting. When I click on Next button, I have the following message: "installation ended prematurely because of an error".
In attachment, I add the details of the error find in the windows logs (logError.txt) and the logs generated from MSI installer in verbose mode (log2.txt).
My computer is a lenovo W500 with Windows 7 64 bits and 4 GB of memory (compliant with the Cisco VPN Client requirements).
I have administrator privileges on this computer.
Please help me !
I need to use it to connect to my company network.
Thanks in advance.
BR
Jerome

You should be able to install the 64 bit version of the Cisco VPN software
Latest version is vpnclient-winx64-msi-5.0.07.0440-k9.exe
Using Shrew VPN is a workaround more than a solution / answer to this issue.
You should download and run MCPR.exe first, to clean out any traces of McAfee products that conflict with Cisco VPN.
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
If there is a problem with vbscript registration on the system - there is a fixit tool from Microsoft for that:
MicrosoftFixit50842.msi

Connect sequence with Cisco VPN & BT FON

I have an issue with the connection sequence using Cisco VPN & BT Openzone/FON
I cannot connect the VPN until I have logged in to BT FON/Openzone
This would be ok, but I use a tabbed browser & it is trying to connect all tabs at once over an unsecured link. Also, when (not if) the connection drops I am in the same position.
It should be possible to connect the VPN first, then the browser
Thanks in advance,
Alan
Solved!
Go to Solution.

The VPN client connection cannot be established without a path to BT Openzone, which hosts the VPN server.
That`s just the way VPNs work, you have a server and a client.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

Good Cisco VPN 3030 Log Analyzer

Similar Messages

Maybe you are looking for