[Vpn-help] windows 7 and cisco 3000 vpn concentrator

Wood, Jeremy jbwood at orrick.com
Fri Nov 20 13:59:58 CST 2009


Could you clarify this a bit please?

IKE-3DES-SHA-DH2
IPSec over UDP, NAT-T enabled
ESP-3DES-SHA

Are these set under Configuration->Tunneling and Security->IPSec->IKE
Proposals?

Thanks.

----Jeremy


-----Original Message-----
From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Garber, Kevin M.
Sent: Friday, November 20, 2009 7:50 AM
To: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] windows 7 and cisco 3000 vpn concentrator

Thanks for this information Stuart.  I hope to be able to test today or
Monday.

I did notice that I'm getting the same errors as Ricky posted.  The
virtual adapter is being disabled with an error code of 22 as well as
the IKED.EXE and DTPD.EXE crashes with NTDLL.DLL.


-----Original Message-----
From: daernsinstantfortress at gmail.com
[mailto:daernsinstantfortress at gmail.com] On Behalf Of Stuart Hall
Sent: Thursday, November 19, 2009 8:42 AM
To: Garber, Kevin M.
Cc: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] windows 7 and cisco 3000 vpn concentrator

On Fri, Nov 13, 2009 at 2:29 PM, Stuart Hall <stuart at daern.org> wrote:
> I've just been through the configuration and the default VPN that I 
> use most of the time has been migrated *away* from the old 
> Concentrator and onto our ASA suite.

Ok, been doing some testing with our default LAN configuration. We
*do* have a working config with our 3000 Concentrator and Shrew.

The client config is as follows:

n:version:3
n:network-ike-port:500
n:network-mtu-size:1380
s:client-auto-mode:pull
s:client-iface:virtual
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:disable
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
s:ident-server-type:any
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
n:phase1-dhgroup:2
n:phase1-life-secs:86400
s:phase2-transform:auto
s:phase2-hmac:auto
n:phase2-pfsgroup:0
s:ipcomp-transform:disabled
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:123.123.123.123
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-client-data:GroupUserName
b:auth-mutual-psk:GroupPSK
s:network-natt-mode:enable
s:client-saved-username:username

On the concentrator side, we're using a "standard" ESP-3DES-SHA setup,
with x-auth enabled. There's nothing particularly eclectic on the setup
- in fact, we didn't have to touch it to work with the Shrew client.
Same for the ASA boxes, but our legacy PIXs were more problematic.

Anyway, here's a summary of the concentrator config:

4.7.2.F Apr 04 2006 17:39:29
IKE-3DES-SHA-DH2
IPSec over UDP, NAT-T enabled
ESP-3DES-SHA

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
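
As an added example (not part of the thread and not Shrew Soft's own code), the client profile quoted above can be parsed and checked for the settings a reviewer would look at first: aggressive mode combined with a group PSK, DH group 2, algorithms left on `auto`, and the PSK stored in the file. Reading the `n:`/`s:`/`b:` prefixes as number/string/binary, and the finding names and wording, are assumptions of this example.

```python
# Added example: audit a Shrew Soft client profile in the "type:key:value"
# form shown in the post. Finding ids and wording are this example's own.
WEAK_DH = {1: 768, 2: 1024, 5: 1536}  # MODP groups below 2048 bits


def parse_profile(text):
    """Return {key: value}; 'n:' values become int, 's:'/'b:' stay str."""
    profile = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        parts = line.split(":", 2)  # the value may itself contain ':'
        if len(parts) != 3 or parts[0] not in ("n", "s", "b"):
            raise ValueError(f"unrecognised line: {line!r}")
        kind, key, value = parts
        profile[key] = int(value) if kind == "n" else value
    return profile


def audit(profile):
    """Return a sorted list of (finding_id, detail) tuples."""
    findings = []
    mode, auth = profile.get("phase1-exchange"), profile.get("auth-method", "")
    if mode == "aggressive" and "psk" in auth:
        findings.append(("AGGRESSIVE_PSK", "PSK-derived hash is sent unencrypted"))
    group = profile.get("phase1-dhgroup")
    if group in WEAK_DH:
        findings.append(("WEAK_DH", f"group {group} is {WEAK_DH[group]}-bit MODP"))
    for key in ("phase1-cipher", "phase1-hash", "phase2-transform", "phase2-hmac"):
        if profile.get(key) == "auto":
            findings.append(("UNPINNED", f"{key} is left to negotiation"))
    if "auth-mutual-psk" in profile:
        findings.append(("PSK_IN_FILE", "profile file holds the group secret"))
    return sorted(findings)


# Sample input: a subset of the profile lines quoted in the post.
SAMPLE = """\
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
n:phase1-dhgroup:2
s:phase2-transform:auto
s:phase2-hmac:auto
s:auth-method:mutual-psk-xauth
b:auth-mutual-psk:GroupPSK
"""

if __name__ == "__main__":
    print(*audit(parse_profile(SAMPLE)), sep="\n")
```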

