[Vpn-help] windows 7 and cisco 3000 vpn concentrator

Garber, Kevin M. Kevin.Garber at glatfelter.com
Fri Nov 20 14:18:02 CST 2009


Jeremy,

You would set the IKE-3DES-SHA-DH2 in the IKE Proposals.
You would set the ESP-3DES-SHA in the SA sections, which for me is under
Policy Management -> Traffic Management -> SAs (I'm running an older
version of the OS).  In the SA, you define your IKE Proposal,
negotiation mode, PFS, etc.
The NAT-T is enabled in the NAT Transparency configuration as well as
verifying if IPSec over TCP is enabled or disabled.  I do not know if
enabling IPSec over TCP disables IPSec over UDP or if both are allowed.
Would need to verify this.  We currently have IPSec over TCP enabled.



-----Original Message-----
From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Wood, Jeremy
Sent: Friday, November 20, 2009 3:00 PM
To: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] windows 7 and cisco 3000 vpn concentrator

Could you clarify this a bit please?

IKE-3DES-SHA-DH2
IPSec over UDP, NAT-T enabled
ESP-3DES-SHA

Are these set under Configuration->Tunneling and Security->IPSec->IKE
Proposals?

Thanks.

----Jeremy


-----Original Message-----
From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Garber, Kevin M.
Sent: Friday, November 20, 2009 7:50 AM
To: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] windows 7 and cisco 3000 vpn concentrator

Thanks for this information Stuart.  I hope to be able to test today or
Monday.

I did notice that I'm getting the same errors as Ricky posted.  The
virtual adapter is being disabled with an error code of 22 as well as
the IKED.EXE and DTPD.EXE crashes with NTDLL.DLL.


-----Original Message-----
From: daernsinstantfortress at gmail.com
[mailto:daernsinstantfortress at gmail.com] On Behalf Of Stuart Hall
Sent: Thursday, November 19, 2009 8:42 AM
To: Garber, Kevin M.
Cc: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] windows 7 and cisco 3000 vpn concentrator

On Fri, Nov 13, 2009 at 2:29 PM, Stuart Hall <stuart at daern.org> wrote:
> I've just been through the configuration and the default VPN that I 
> use most of the time has been migrated *away* from the old 
> Concentrator and onto our ASA suite.

Ok, been doing some testing with our default LAN configuration. We
*do* have a working config with our 3000 Concentrator and Shrew.

The client config is as follows:

n:version:3
n:network-ike-port:500
n:network-mtu-size:1380
s:client-auto-mode:pull
s:client-iface:virtual
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:disable
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
s:ident-server-type:any
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
n:phase1-dhgroup:2
n:phase1-life-secs:86400
s:phase2-transform:auto
s:phase2-hmac:auto
n:phase2-pfsgroup:0
s:ipcomp-transform:disabled
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:123.123.123.123
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-client-data:GroupUserName
b:auth-mutual-psk:GroupPSK
s:network-natt-mode:enable
s:client-saved-username:username

On the concentrator side, we're using a "standard" ESP-3DES-SHA setup,
with x-auth enabled. There's nothing particularly eclectic on the setup
- in fact, we didn't have to touch it to work with the Shrew client.
Same for the ASA boxes, but our legacy PIXs were more problematic.

Anyway, here's a summary of the concentrator config:

4.7.2.F Apr 04 2006 17:39:29
IKE-3DES-SHA-DH2
IPSec over UDP, NAT-T enabled
ESP-3DES-SHA

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
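Added example, not code from this thread or from the Shrew Soft project: a small Python parser for the typed n:/s:/b: profile lines Stuart posted, with an audit of the settings the thread relies on (aggressive mode with a group PSK, DH group 2, PFS off, 3DES on the concentrator side). Key names are taken from the profile above; the sample subset, the checks and the gateway_cipher parameter are assumptions.

```python
# Added example, not code from the thread or the Shrew Soft project: parse the
# typed "n:/s:/b:" profile line format shown above and audit the settings the
# thread relies on. The checks below are my own assumptions, not Shrew's rules.

# Constructed sample: a subset of the profile lines posted in the thread.
SAMPLE_PROFILE = """\
n:version:3
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
n:phase1-dhgroup:2
s:phase2-transform:auto
s:phase2-hmac:auto
n:phase2-pfsgroup:0
s:auth-method:mutual-psk-xauth
s:network-natt-mode:enable
b:auth-mutual-psk:GroupPSK
"""

def parse_profile(text):
    """Return {key: value}; 'n:' values become int, 's:' and 'b:' stay strings."""
    prof = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue                      # skip blank or malformed lines
        kind, key, value = line.split(":", 2)
        prof[key] = int(value) if kind == "n" else value
    return prof

def audit_profile(prof, gateway_cipher="3des"):
    """Return [(key, note)] for settings a reviewer would flag. gateway_cipher is
    the concentrator's proposal (IKE-3DES-SHA-DH2 in the thread); with the client
    on 'auto' we assume that proposal decides the negotiated cipher."""
    findings = []
    if prof.get("phase1-exchange") == "aggressive" and "psk" in prof.get("auth-method", ""):
        findings.append(("phase1-exchange",
                         "aggressive mode with a group PSK is weak; prefer main mode"))
    if prof.get("phase1-dhgroup", 0) < 14:
        findings.append(("phase1-dhgroup", "DH group below 14 (1024-bit MODP) is weak"))
    if prof.get("phase2-pfsgroup", 0) == 0:
        findings.append(("phase2-pfsgroup", "PFS disabled; phase 1 key loss exposes all phase 2 traffic"))
    if prof.get("phase1-cipher") in ("auto", "3des") and gateway_cipher == "3des":
        findings.append(("phase1-cipher", "negotiated cipher will be 3DES (legacy); prefer AES"))
    if prof.get("network-natt-mode") != "enable":
        findings.append(("network-natt-mode", "NAT-T off; ESP will not traverse NAT"))
    return findings
```

Running audit_profile(parse_profile(SAMPLE_PROFILE)) flags the exchange mode, DH group, PFS and cipher lines; the NAT-T check passes because the profile enables it.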

