jlewis
Beginner

SA500 series and the Cisco VPN client

Recently updated to the new firmware on our SA540 (v2.1.18) and configured the IPsec VPN to support the Cisco VPN Client. First off, let me say thank you so much for deciding to implement this feature. I loved how simple it was to set up, both on the router and on the clients - this is soooo much better than the SSL VPN and QuickVPN solutions.

However, I have identified 2 problems with the current implementation that unfortunately prevent our company from using this wonderful new feature.

1. The first has already been discussed partially in another thread - the inability to set the DNS information that is used on the Cisco IPsec client when it connects. I've also noticed that there's no way to modify the routing information that is set up on the client. Being able to set what DNS server is used on the client is extremely important to our infrastructure setup so I wanted to emphasize the importance of this being implemented in a future firmware update as soon as possible (and I can't imagine this would be hard to implement since I can see in the IPsec logs that modeConfig info is already being sent to the client from the router). Any ideas when this might be implemented?

2. The second problem I noticed is that when you have IPsec clients that are connected using the Cisco VPN client they are not reported under any of the router status pages. This is highly disconcerting to know that I could have 10 users connected and have no idea who is connected and what they are doing. Only way I've been able to find out the connected clients is to sift through the hundreds of lines of the IPsec log output. Am I simply not looking in the correct places or is this a known issue?

Again, many thanks for finally supporting the Cisco VPN client - and here's to hoping the next firmware release is coming soon (with an even better implementation).

Regards,

John Lewis

5 REPLIES
tronrider
Beginner

Hi Everybody,

I would like to add to John Lewis' post that the current version of the SA5X0 firmware does not support the "save-password" feature of modeConfig. This feature allows saving the user's password on the VPN client side: this may be insecure but it may also be very convenient. It would be nice if it could be included in the next firmware release.

Best regards,

Xavier

Jo Kern
Cisco Employee

Hi,

Issue number 2 you are mentioning has been addressed already and will most likely be working in an upcoming release.

Using the MacOSX built-in Cisco VPN client on a Macintosh you can specify DNS servers. I have not tested if it actually works though.

Regards

Jo

Hi Joachim,

jokern wrote:

[...]

Using the MacOSX built-in Cisco VPN client on a Macintosh you can specify DNS servers. I have not tested if it actually works though.

[...]


Unfortunately it doesn't work.

The "save-password" feature doesn't work either with the built-in Cisco VPN client under MacOS X (tested with both an ASA 5505 and an ISR 871) but it works with iPhone OS.

Regards,

Xavier

txlombardi_2
Beginner

Any information on the original poster's number one issue regarding IPsec VPN support for the assignment of DNS servers? I sold the SA 540 for its stated VPN capabilities only to find out the customer can't use it, because they can't do name resolution using the IPsec client. This is a critical feature that needs to be implemented as soon as possible (like yesterday).

Tony

Hi Anthony,

The development team has been working hard to deliver point number 1 that many voices are clamoring for. Let me inform you that this issue has been addressed already and there will be many improvements in an upcoming formal release that will make it easier for users to resolve names across the tunnel as you will be able to specify the DNS server to be used by clients, among other improvements.

If you need this functionality sooner than that, keep an eye out for any release candidate information posted on this forum within the next week or so. You will be able to request a release candidate version of firmware that you can use to verify that your VPN Client has the functionality your clients need.

Cheers,

Julio