SSL VPN Tunnel and Windows 7

Hi
I have a SA520W with firmware 2.1.18 and am having huge trouble getting Windows 7 clients to connect using the SSL VPN Tunnel in Split mode. I've tested the registered users using an XP machine, and they are able to log in just fine and I can ping servers on the inside of the network. On Windows 7, however, the VPN tunnel is created, but no IP traffic flows over the virtual network adapter and I'm not able to ping resources on the inside of the network. For the XP clients, the SSL VPN tunnel works like a charm, but not on 7.
Are there any considerations to be taken on Windows 7 to enable traffic over the SSL VPN virtual network adapter?
Windows firewall?
SSL service?

Hi skcisco11,
You can alternatively use Cisco VPN Client if your SA520 has firmware version 2.1.18 and above. Here is a document on how to set it up:
http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/SA500_vpnclient_appnote.pdf
Alternatively, please use the following document on how to set up SSL VPN. If you are using a local database on the SA520 to authenticate users, then ignore the references to Active Directory.
http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/technote/note/active_directory.pdf
Hope this helps,
Julio

Similar Messages

  • Problems when trying to surf the Internet through a SSL VPN tunnel

    Hi,
    I have a small/big problem, I have a customer who has the need for the possibility to surf the internet through the SA500W when they are connected through a SSL VPN tunnel in to their network. I am not using a Split Tunnel. What I have seen until now, when you run IPCONFIG/ALL the default gateway for the SSL VPN IP settings is 0.0.0.0. Is this the problem and if so, how can this be solved?
    Thanks in advance!
    Brg
    Niklas Eklov

    There are various causes for this error, see [[Firefox is already running but is not responding]] for details.

  • ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?

    Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.

    I don't think it is possible. Following links may help you
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml

  • RV320 SSL VPN ActiveX and Virtual Passage driver on Windows 7 64-bit

    Hi,
    My company has just purchased a new RV320 router and only afterwards found out from the release notes that there are issues with the SSL VPN in this unit and other small business routers. Is there any news on when these issues will be fixed?
    1) ActiveX controls have expired certificate dated 24/9/14 - this prevents them from running without changing IE security settings to prompt or allow unsigned controls, which is a big security risk.
    2) ActiveX controls do not work on Windows 64-bit. Release notes state Windows 7 IE10 and Windows 8.1 IE11, however they also fail on Windows 7 IE11. Even adding router to Trusted Sites to force 32-bit mode results in error message stating that IE is required for the controls.
    3) Virtual Passage driver will not install - crashes IE10/IE11 with a BEX violation.  From a dig around the web it appears that the Netgear SRX5308 uses the same Cavium chipset and a Virtual Passage driver that works with Windows 7 64-bit, and installs fine using IE10/11 (and if you install the Netgear driver it works with the Cisco RV routers too, proving that the driver is fully compatible...) - if Netgear can get this working, why can't Cisco?
    I've only just started setting up this router and show stopper issues like this might end up with an RMA being requested as it appears to be unsuitable for purpose, already run into other issues which I've posted about. :(
    EDIT: Got (2) sort of working on IE11 - seems that the Cisco interface is specifically looking for old style IE user agent strings, so using developer tools to set the user agent to IE9, and changing security settings in Trusted Sites to prompt for unsigned controls (due to issue (1)), allows the controls to install and load. These issues are pretty simple to fix, requiring just a string check change and updated signed controls. Fingers crossed these are fixed in the new firmware due soon, awaiting response from Cisco support to my open ticket.
    Looks like (3) is prevented from working by (1), and also because the certificate has expired it is treated as software without a valid publisher which cannot be installed in Windows 7 without fiddling in the registry. Releasing an updated version with a certificate that isn't expired should solve that issue too.
    These are ridiculously simple fixes to push out, I can't believe a major hardware vendor like Cisco hasn't already solved these issues.

    I've had a reply from Cisco support regarding this issue, and it's a bleak outlook. This is a copy from the email I received:
    "Engineering has no plans to support SSL VPN on RV32x due to chipset limitations. Pretty much, it will work for old XP and Win7 32-bits."
    So Cisco are falsely advertising that the RV320 has SSL VPN capabilities when there are no plans to update it so that it works with 64-bit Windows (which is now the major install base for Windows as most new systems are 64-bit based), and as the certificates have expired in the SSL VPN components they are not even useable on 32-bit systems without overriding a number of security settings.
    Dan

  • No SSL VPN tunnel from AnyConnect to IOS

    Dear all
    Due to the annoying WWAN issues with the old Cisco VPN client (IPsec) I am trying to establish remote access to a LAN behind a Cisco 1803 using Anyconnect and SSL VPN.
    But I simply cannot make it work.
    I have a Cisco 1803 running IOS Version 12.4(15)T15 and I have tried Anyconnect 3.0 and 2.4 on Windows XP and MacOS 10.5, none of them established a VPN connection to the router, saying not a single word more but "Connection attempt has failed".
    Here is my configuration on the router:
    crypto pki trustpoint TP-self-signed-595019360
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-595019360
    revocation-check none
    rsakeypair TP-self-signed-595019360
    crypto pki certificate chain TP-self-signed-595019360
    certificate self-signed 01
      3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    [......skipped....]
    interface Loopback123
    ip address 192.168.123.254 255.255.255.0
    ip local pool GS-POOL 192.168.123.1 192.168.123.10
    webvpn gateway GS-GW
    hostname GS-VPN-test
    ip address x.x.x.x port 443
    ssl trustpoint TP-self-signed-595019360
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn context GS-CONTEXT
    ssl authenticate verify all
    policy group GS-POLICY
       functions svc-required
       svc address-pool "GS-POOL"
    default-group-policy GS-POLICY
    gateway GS-GW
    inservice
    These are my debug settings:
    #sh debug
    WebVPN Subsystem:
      WebVPN (verbose) debugging is on
      debug webvpn entry GS-CONTEXT
      WebVPN HTTP (verbose) debugging is on
      WebVPN AAA debugging is on
      WebVPN tunnel (verbose) debugging is on
      WebVPN Single Sign On debugging is on
    And these are all debug messages I get upon incoming connection:
    Sep 13 13:12:03.267 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:12:03.271 MEST: WV: sslvpn process rcvd context queue event
    At this point I have to accept the self-signed certificate in the AnyConnect client. Doing so repeats these messages again five times. Then I have to accept the certificate in the client a second time (WHY?). Then the router gives these messages:
    Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:10.754 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:10.766 MEST: WV: http request: / with no cookie
    Sep 13 13:14:10.766 MEST: WV-HTTP: Deallocating HTTP info
    Sep 13 13:14:10.766 MEST: WV: Client side Chunk data written..
    buffer=0x84E54AA0 total_len=191 bytes=191 tcb=0x85066820
    Sep 13 13:14:10.766 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.050 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.054 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.354 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.366 MEST: WV: sslvpn process rcvd context queue event
    Sep 13 13:14:11.366 MEST: WV: http request: /webvpn.html with domain cookie
    Sep 13 13:14:11.366 MEST: WV-HTTP: Deallocating HTTP info
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54AA0 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54A80 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54A60 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.366 MEST: WV: [Q]Client side Chunk data written..
    buffer=0x84E54A40 total_len=1009 bytes=1009 tcb=0x83DABBF4
    Sep 13 13:14:11.370 MEST: WV: Client side Chunk data written..
    buffer=0x84E54A20 total_len=641 bytes=641 tcb=0x83DABBF4
    Sep 13 13:14:11.370 MEST: WV: sslvpn process rcvd context queue event
    At this point the Anyconnect client says "Connection attempt failed" and that's all.
    So please, any advice how to solve this?
    And do I have to install any particular svc.pkg in the flash? As far as I have found out you can install only one client package (how do you serve different clients then?). But if I use permanently installed AnyConnect on my client system the installed svc.pkg on the router doesn't matter at all, right?
    Thanks a lot for any suggestions,
    Grischa

    Some more restrictions:
    12.4(15)T does not support Anyconnect in standalone mode, only web-launch (i.e. starting AC from the clientless portal). You need 12.4(20)T or later for standalone mode.
    In addition with an untrusted certificate you will run into this bug which is not resolved in 12.4(15)T:
    CSCtb73337    AnyConnect does not work with IOS if cert not trusted/name mismatch
    In short, if it's possible to upgrade, go to 15.0(1)M7  (or latest 12.4(24)Tx if 15.0 is out of the question)
    If you're stuck with 12.4(15)T,  only use AC 2.x with weblaunch and make sure the host trusts the router's certificate (create a trustpoint, enroll it, import the certificate on the client into the trusted root store).
    hth
    Herbert

  • ASA 5505 site-to-site VPN tunnel and client VPN sessions

    Hello all
    I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
    I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
    The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
    Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
    Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
    I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
    Thanks in advance for any assistance provided!

    First question:
    Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN licenses).
    Second question:
    Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
    Last question:
    This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
    Here is what needs to be configured:
    1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
    2) On Site A configure: same-security-traffic permit intra-interface
    3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
    On Site Z:
    access-list permit ip
    On Site A:
    access-list permit ip
    4) NAT exemption on site Z needs to include vpn client pool subnet as well.
    Hope that helps.
    Message was edited by: Jennifer Halim
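
The four requirements in the answer above can be checked against a planned design before anything is deployed. This is an added example, not part of the original thread or any Cisco tooling; the subnets, the dictionary keys and the function names are assumptions constructed for illustration.

```python
from ipaddress import ip_network

# Constructed addressing plan (assumption, not taken from the thread).
SITE_A = ip_network("192.168.10.0/24")  # LAN behind the Site A ASA
SITE_Z = ip_network("10.20.0.0/24")     # corporate LAN at Site Z
POOL = ip_network("192.168.50.0/24")    # VPN client pool handed out by Site A


def covers(acl, src, dst):
    """True if some (source, destination) entry in acl contains the flow."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acl)


def check_hairpin(cfg):
    """Return findings for the four steps; an empty list means all are met."""
    findings = []
    # Step 1: split tunnel ACL must list both LANs, or client traffic for
    # Site Z never enters the tunnel to Site A.
    for name, net in (("Site A LAN", SITE_A), ("Site Z LAN", SITE_Z)):
        if not any(net.subnet_of(n) for n in cfg["split_tunnel"]):
            findings.append(f"step 1: split tunnel ACL lacks {name} {net}")
    # Step 2: traffic enters and leaves Site A on the same (outside) interface.
    if not cfg["site_a_intra_interface"]:
        findings.append("step 2: same-security-traffic permit intra-interface"
                        " missing on Site A")
    # Step 3: both crypto ACLs must carry the client pool.
    if not covers(cfg["crypto_acl_a"], POOL, SITE_Z):
        findings.append(f"step 3: Site A crypto ACL lacks {POOL} -> {SITE_Z}")
    if not covers(cfg["crypto_acl_z"], SITE_Z, POOL):
        findings.append(f"step 3: Site Z crypto ACL lacks {SITE_Z} -> {POOL}")
    # The two crypto ACLs should be mirror images of each other.
    if set(cfg["crypto_acl_a"]) != {(d, s) for s, d in cfg["crypto_acl_z"]}:
        findings.append("step 3: crypto ACLs are not mirror images")
    # Step 4: Site Z must not NAT replies that go back to the client pool.
    if not covers(cfg["nat_exempt_z"], SITE_Z, POOL):
        findings.append(f"step 4: Site Z NAT exemption lacks {SITE_Z} -> {POOL}")
    return findings


# Constructed design: plain site-to-site tunnel plus remote access on Site A,
# before any of the four steps has been applied.
BEFORE = {
    "split_tunnel": [SITE_A],
    "site_a_intra_interface": False,
    "crypto_acl_a": [(SITE_A, SITE_Z)],
    "crypto_acl_z": [(SITE_Z, SITE_A)],
    "nat_exempt_z": [(SITE_Z, SITE_A)],
}

# The same design with all four steps applied.
AFTER = {
    "split_tunnel": [SITE_A, SITE_Z],
    "site_a_intra_interface": True,
    "crypto_acl_a": [(SITE_A, SITE_Z), (POOL, SITE_Z)],
    "crypto_acl_z": [(SITE_Z, SITE_A), (SITE_Z, POOL)],
    "nat_exempt_z": [(SITE_Z, SITE_A), (SITE_Z, POOL)],
}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for finding in check_hairpin(cfg) or ["no findings"]:
            print("  " + finding)
```
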

  • WatchGuard Mobile VPN Uninstall and Windows 10 = Sadness

    Rob6454 wrote:
    maybe someone else out there can give me an idea as to how to ditch the old mobile VPN client and/or confirm any issues with the SSL client(11.9.1) and windows 10.
    At this point, maybe you should try it out and let us know how it goes.

    So like many I took my machine and upgraded from Windows 7 to 10 the other day. At the time I still had the older WatchGuard Mobile VPN (ipsec) software installed. It was still there after the upgrade so foolishly I assumed all was well. I went to connect the other day and clearly it was having issues with NCPMON.exe. After playing with some compatibility mode settings I got past that and it let me know that it was "For Windows Vista and Windows XP 64 Bit the license key must be at least 9.0!" - neat. Whatever, no biggie, I installed the shrew soft client and things went fine there. So time to uninstall the old Mobile VPN software right? Nope, that was bad. It appeared to uninstall just fine, however on reboot both my LAN adapter and wireless adapter ceased to function. They showed in the device manager and in Control Panel\Network and...
    This topic first appeared in the Spiceworks Community

  • Vpn tunnels and Nat on Cisco soho 91 routers ??

    Is it possible to create the following, using the soho 91 routers:
    Router A (192.168.1.0) network
    E0 192.168.1.250
    E1 external ip (world ip)
    Router B (192.168.99.0) network
    E0 192.168.99.1
    E1 external ip (world ip)
    Router C (192.168.103.0) network
    E0 192.168.103.1
    E1 external ip (world ip)
    tunnel1 = from Router A to Router B
    tunnel2 = from Router A to Router C
    on Router A
    ip route 192.168.2.0 255.255.255.0 192.168.1.2
    ip route 192.168.3.0 255.255.255.0 192.168.1.3
    ip route 192.168.4.0 255.255.255.0 192.168.1.4
    ip route 192.168.99.0 255.255.255.0 to-tunnel1
    ip route 192.168.103.0 255.255.255.0 to-tunnel2
    ip route nat (everything else)
    on Router B
    ip route 192.168.1.0 255.255.255.0 to-tunnel1
    ip route 192.168.103.0 255.255.255.0 to-tunnel1
    ip route nat (everything else)
    on Router C
    ip route 192.168.1.0 255.255.255.0 to-tunnel2
    ip route 192.168.103.0 255.255.255.0 to-tunnel2
    ip route nat (everything else)
    Thanks.
    Wayne

    I assume you are using GRE tunnel and not IPSec. If GRE tunnel, the configuration looks OK except for Router C. The "ip route 192.168.103.0 255.255.255.0 to-tunnel2" should be "ip route 192.168.99.0 255.255.255.0 tunnel2 " pointing to the network connected to Router B. Also the correct command should not have "to-tunnel1", it is simply "tunnel1"

  • SSL VPN Full and Split Tunnel Config Question

    I am Beta testing SSLVPN on an IOS router. The question I have is this:
    Is it possible to have split and full tunnel configs? It seems that once you create your context and default profile that is all you have, either split or full. The books say you can use Radius and assign different profiles, but I would like to give the users a choice (like in the VPN3000 .pcf) of either split or full depending on where they are working from.

    The below is an example using the ASA - but the principle remains the same:-
    http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080975e83.shtml
    HTH

  • Cisco VPN Client and Windows XP Home

    Hello,
    I cannot find any information to tell me whether Windows XP Home (Not XP Professional) is supported under any Cisco VPN client 4.xx or 5.xx.
    We have several "home" users and when trying to install it just causes the pc to do a looping reboot.
    Can anyone advise please ?
    Scott

    Scott,
    Not sure if you read the release notes, but here they are for V4.06 and V5.0:
    http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/release/notes/46clnt.html#wp1207576
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_note09186a0080884df5.html#wp1207576
    I'm not seeing anything that prohibits XP Home, but there are several caveats that may have direct bearing on why your users can't get it installed (administrative access to internal firewalls).
    HTH
    Steve

  • VPN Client and Windows Folder Synchronisation

    We are currently having problems with Windows XP Laptops which have folders Synchronised to Servers.
    When they are working remotely, they use the VPN client to connect to the network. Unfortunately, the VPN Client Adapter does not appear in the "Network Connection" drop down menu within the Synchronisation Setup screens. This means that the synchronisation takes place once the Physical Adapter (LAN or Wireless) comes active and an error message appears every time.
    Has anyone come across this and found a fix for it? There must be a way of getting the VPN LAN Adapter into the Synchronisation Network Connection list.

    The only supported IPSec client for Windows 7 is 5.0.6. I would recommend uninstalling the client version that you have, upgrade the DNE package from Citrix, and then install the latest IPSec client.
    Release Note:
    http://www.cisco.com/en/US/partner/docs/security/vpn_client/cisco_vpn_client/vpn_client5006/release/notes/vpnclient5006.html#wp62415
    DNE Update:
    http://www.citrix.com/lang/English/lp/lp_1680845.asp
    Client Download:
    http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=5.0.06.0110&mdfid=281940730&sftType=VPN+Client+Software&optPlat=Windows&nodecount=2&edesignator=null&modelName=Cisco+VPN+Client+v5.x&treeMdfId=268438162&treeName=Security&modifmdfid=&imname=&hybrid=&imst=&lr=Y

  • VPN Client and Windows 7 - Window won't show

    Bizarre issue I've now experienced on two separate PC's with VPN Client 5.00.07.0410 on 32-bit Windows 7:
    Out of the blue, when the user double-clicks the Cisco VPN Client icon, the lock shows up in the system tray, and the application shows in the taskbar. You may get a glimpse of the window when you double-click the taskbar icon, or single click it and choose the application from the list. However, you are not able to actually get the window to be visible. This of course makes it impossible for the user to click the "connect" button.
    I've discovered that when the icon is in the taskbar, and you hit "Enter" on the keyboard, it will connect. However I wouldn't expect a user to be able to figure this out, and so it was quite frustrating for them when this happened.
    I've noticed there is a new version of the software for 64-bit users, but not for 32.
    Anybody else experience this? Find a solution?
    I tried uninstalling/re-installing and it made no difference.
    -Chris

    Try this so you don't have to do it each time... it worked for XP Pro 32-bit (Dell E6410). Haven't yet encountered on W7 Pro:
    Bring up Task Manager (Ctrl+Alt+Delete). Open the Applications tab. Highlight VPN Client, right-click and select Maximize. (Sometimes if the system dies (power-loss) when connected to VPN the registry remembers the minimized setting and will not un-minimize it except with this process (and maybe one yet to be determined).)
    I'm currently working (20140617) on a similar issue for W7 Pro for the User Authentication window where the RSA passcode needs to be entered. Alt-Tab works but I'm trying to make it permanent. (One problem is the user has a difficult time following instructions.)

  • VPN Client and Windows 7 Issue

    Using VPN Client, V5.0.07.0440 on a Dell Vostro W7 Professional system, 64 bit. The client installs and runs the same way it has on at least 20 other systems without issue. When I try to remote into the network, I get a "can not connect" error attempting to connect to any system or server. I placed a known good laptop using XP on the same internet line, it connects without issue. The remote access (mstsc.exe) version is 6.1.7601.17514, there is no Admin switch in the shortcut. This is the first time anything like this has happened, numerous W7 32 and 64 bit and XP systems. Any help greatly appreciated.
    Thanks
    It's like the VPN connects to the network, but the remote access is not using the same connection. I get the same results whether the VPN Client is loaded or not.
    Sure could use some help on this.

    The system that I am trying to connect with is a Dell Vostro desktop, W7 64bit Pro. I am attempting to connect to a Windows 2003 domain thru a PIX 501 firewall. The desktop system uses an onboard Ethernet adaptor connected to the Internet thru Charter. I do not have ready access to the computer as it's my employer's home system. The frustrating thing is, I have installed and set this up on at least 30 other systems and all of them worked flawlessly. Of course, this one would be the problem as it belongs to my boss.
    Thanks for responding, I plan on picking up the unit so I can devote some real time to fixing it.
    Thanks again

  • Ssl smart tunnel and vmware client

    Has anyone gotten the vmware client(for either server or VI) to work using a smart tunnel on webvpn? I set up a smart tunnel for vmware.exe, but it does not seem to connect. I am running 8.0.4. Also, has anyone been able to smart tunnel explorer.exe?

    The AnyConnect VPN Client is not compatible with virtualization software, such as VMWare.

  • RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

    For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode? 
    This is mostly a question, and partly "in use" observations.
    Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel" mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never work in that mode, do we know if an RV220W will work with an IPSec client in Full Tunnel Mode?
    If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
    Summary of VPN modes I've gotten to work with an RV220W:
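    | Client    | Split Tunnel Works? | Full Tunnel Works? | OS?     | Notes                 |
    |-----------|---------------------|--------------------|---------|-----------------------|
    | SSL VPN   | Yes                 | Yes                | Win7/64 | IE10 or IE11          |
    | QuickVPN  | Yes                 | No                 | Win7/64 |                       |
    | IPSec VPN | Yes                 | No                 | Win7/64 | Shrew Soft VPN Client |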

    I have to mark this as not a correct answer.
    Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
    To Michal Bruncko who posted this:
    1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
    2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?
