[Vpn-help] windows 7 and cisco 3000 vpn concentrator

Garber, Kevin M. Kevin.Garber at glatfelter.com
Fri Nov 20 06:50:25 CST 2009


Thanks for this information, Stuart.  I hope to be able to test today or
Monday.

I did notice that I'm getting the same errors as Ricky posted.  The
virtual adapter is being disabled with an error code of 22 as well as
the IKED.EXE and DTPD.EXE crashes with NTDLL.DLL.


-----Original Message-----
From: daernsinstantfortress at gmail.com
[mailto:daernsinstantfortress at gmail.com] On Behalf Of Stuart Hall
Sent: Thursday, November 19, 2009 8:42 AM
To: Garber, Kevin M.
Cc: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] windows 7 and cisco 3000 vpn concentrator

On Fri, Nov 13, 2009 at 2:29 PM, Stuart Hall <stuart at daern.org> wrote:
> I've just been through the configuration and the default VPN that I 
> use most of the time has been migrated *away* from the old 
> Concentrator and onto our ASA suite.

Ok, been doing some testing with our default LAN configuration. We
*do* have a working config with our 3000 Concentrator and Shrew.

The client config is as follows:

n:version:3
n:network-ike-port:500
n:network-mtu-size:1380
s:client-auto-mode:pull
s:client-iface:virtual
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:disable
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
s:ident-server-type:any
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
n:phase1-dhgroup:2
n:phase1-life-secs:86400
s:phase2-transform:auto
s:phase2-hmac:auto
n:phase2-pfsgroup:0
s:ipcomp-transform:disabled
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:123.123.123.123
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-client-data:GroupUserName
b:auth-mutual-psk:GroupPSK
s:network-natt-mode:enable
s:client-saved-username:username

On the concentrator side, we're using a "standard" ESP-3DES-SHA setup,
with x-auth enabled. There's nothing particularly eclectic on the setup
- in fact, we didn't have to touch it to work with the Shrew client.
Same for the ASA boxes, but our legacy PIXs were more problematic.

Anyway, here's a summary of the concentrator config:

4.7.2.F Apr 04 2006 17:39:29
IKE-3DES-SHA-DH2
IPSec over UDP, NAT-T enabled
ESP-3DES-SHA
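
Added example (not part of the original message and not Shrew Soft code): a small Python parser for the type:key:value lines of the client config quoted above, with a check of the IKE settings a reviewer would look at first. The SAMPLE excerpt, the finding names and the reading of phase2-pfsgroup 0 as "PFS disabled" are assumptions of this example.

```python
# Added example; not Shrew Soft code. SAMPLE is a constructed excerpt of the
# client config quoted in the message above.
SAMPLE = """\
n:version:3
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
n:phase2-pfsgroup:0
s:auth-method:mutual-psk-xauth
b:auth-mutual-psk:GroupPSK
s:network-host:123.123.123.123
"""

def parse_vpn(text):
    """Parse 'type:key:value' lines; 'n' values become int, 's'/'b' stay str."""
    cfg = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[0] not in ("n", "s", "b"):
            raise ValueError(f"line {lineno}: expected type:key:value")
        kind, key, value = parts
        cfg[key] = int(value) if kind == "n" else value
    return cfg

def audit(cfg):
    """Return finding names (hypothetical labels) for weak IKE settings."""
    findings = []
    uses_psk = "psk" in cfg.get("auth-method", "")
    # Aggressive mode with a pre-shared key sends a PSK-derived hash before
    # the peer is authenticated, so a weak group PSK can be guessed offline.
    if cfg.get("phase1-exchange") == "aggressive" and uses_psk:
        findings.append("aggressive-mode-psk")
    # MODP groups 1, 2 and 5 are 768, 1024 and 1536 bits, all below 2048.
    if cfg.get("phase1-dhgroup") in (1, 2, 5):
        findings.append("weak-dh-group")
    # Assumption: 0 means PFS is disabled for phase 2 rekeying.
    if cfg.get("phase2-pfsgroup") == 0:
        findings.append("pfs-disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_vpn(SAMPLE)):
        print(finding)
```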



