[Vpn-help] windows 7 and cisco 3000 vpn concentrator

Stuart Hall stuart at daern.org
Thu Nov 19 07:42:29 CST 2009


On Fri, Nov 13, 2009 at 2:29 PM, Stuart Hall <stuart at daern.org> wrote:
> I've just been through the configuration and the default VPN that I
> use most of the time has been migrated *away* from the old
> Concentrator and onto our ASA suite.

Ok, been doing some testing with our default LAN configuration. We
*do* have a working config with our 3000 Concentrator and Shrew.

The client config is as follows:

n:version:3
n:network-ike-port:500
n:network-mtu-size:1380
s:client-auto-mode:pull
s:client-iface:virtual
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:disable
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
s:ident-server-type:any
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
n:phase1-dhgroup:2
n:phase1-life-secs:86400
s:phase2-transform:auto
s:phase2-hmac:auto
n:phase2-pfsgroup:0
s:ipcomp-transform:disabled
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:123.123.123.123
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-client-data:GroupUserName
b:auth-mutual-psk:GroupPSK
s:network-natt-mode:enable
s:client-saved-username:username

On the concentrator side, we're using a "standard" ESP-3DES-SHA setup,
with x-auth enabled. There's nothing particularly eclectic on the
setup - in fact, we didn't have to touch it to work with the Shrew
client. Same for the ASA boxes, but our legacy PIXs were more
problematic.

Anyway, here's a summary of the concentrator config:

4.7.2.F Apr 04 2006 17:39:29
IKE-3DES-SHA-DH2
IPSec over UDP, NAT-T enabled
ESP-3DES-SHA
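
Added example (not part of the original message, and not Shrew Soft code): a small Python check that parses the type:key:value profile format shown above and flags the settings in this profile that a reviewer would look at first. The function names, the finding labels and the reading of phase2-pfsgroup 0 as "PFS off" are assumptions of this example.

```python
# Constructed sample: a subset of the profile lines posted in the message.
SAMPLE = """\
n:version:3
s:phase1-exchange:aggressive
s:phase1-cipher:auto
n:phase1-dhgroup:2
n:phase2-pfsgroup:0
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:network-host:123.123.123.123
"""

def parse_profile(text):
    """Return {key: value}; 'n' values become int, 's' and 'b' stay strings."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[0] not in ("n", "s", "b"):
            raise ValueError(f"line {lineno}: expected type:key:value, got {raw!r}")
        kind, key, value = parts
        cfg[key] = int(value) if kind == "n" else value
    return cfg

def audit(cfg):
    """Return a list of (label, note) findings for review (labels are hypothetical)."""
    findings = []
    uses_psk = "psk" in cfg.get("auth-method", "")
    if cfg.get("phase1-exchange") == "aggressive" and uses_psk:
        findings.append(("aggressive-psk",
                         "IKEv1 aggressive mode with a PSK exposes a PSK-derived hash "
                         "to offline guessing; the group PSK must be long and random"))
    if cfg.get("phase1-dhgroup") in (1, 2, 5):  # 768/1024/1536-bit MODP groups
        findings.append(("weak-dh", f"DH group {cfg['phase1-dhgroup']} is below 2048 bits"))
    if cfg.get("phase2-pfsgroup") == 0:  # assumption: 0 means PFS is not requested
        findings.append(("no-pfs", "phase 2 keys are derived without a fresh DH exchange"))
    return findings

if __name__ == "__main__":
    for label, note in audit(parse_profile(SAMPLE)):
        print(f"{label}: {note}")
```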


