Windows 10 ASA IPsec VPN Group Authentication

The new Windows 10 has a built-in client with L2TP IPsec. The problem is that there is no field for group security, just a field for a pre-shared key. Of course there is no support for the Cisco 5.x fat client, although some people have posted some workarounds. I was hoping that someone had found a workaround for the Windows 10 native client.

It seems strange that my iPhone and Mac both have fields for group auth but Windows does not.

Windows 10 Native Client Properties > Security Tab.

Windows 10 Native Client Properties > Security Tab > Advanced Settings.

Mac OS X VPN Settings > Authentication Settings (see field "Group Name")

11 Replies

Abaji Rawool (Level 3)

Hi,

The Windows native L2TP client does not have an option to specify a group, so this is not specific to Win10.

Also, what VPN gateway device are you connecting to? If you are using a Cisco ASA, it accepts the connection on the default RA group as shown in the configuration guide here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_l2tp_ipsec.html#wp1074591

HTH

Abaji.
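To make the "default RA group" point concrete: the Windows native client negotiates IKEv1 main mode with a pre-shared key, and in main mode the peer's identity is not available to the ASA before the key is checked, so the ASA cannot pick a tunnel-group from it and lands every such connection in DefaultRAGroup. The "Group Name" field on the Apple and Cisco clients exists because those clients use aggressive mode, where the group name is sent as the IKE identity. The following is an added example of the ASA 8.4+ configuration that pairs with the Windows client; it is not from the thread or the linked guide, and the interface name (outside), pool, DNS server, object names and the PSK value are constructed placeholders to replace.

```cisco
! Added example (not from the thread or Cisco's guide): ASA 8.4+ L2TP/IPsec
! for the Windows native client. All names, addresses and the PSK are
! constructed placeholders.

! Phase 1 (IKEv1, PSK). Windows proposes main mode, so the peer is never
! identified by a group name and is mapped to DefaultRAGroup.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2. L2TP is carried inside an ESP transport-mode SA, not tunnel mode.
crypto ipsec ikev1 transform-set L2TP-TS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-TS mode transport
crypto dynamic-map L2TP-DYN 10 set ikev1 transform-set L2TP-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic L2TP-DYN
crypto map OUTSIDE-MAP interface outside

! Address pool and a group policy that limits the tunnel to L2TP/IPsec.
ip local pool L2TP-POOL 192.0.2.100-192.0.2.150 mask 255.255.255.0
group-policy L2TP-GP internal
group-policy L2TP-GP attributes
 vpn-tunnel-protocol l2tp-ipsec
 dns-server value 192.0.2.53

! DefaultRAGroup is the only tunnel-group a main-mode L2TP/IPsec peer can
! reach, so the single PSK typed into the Windows dialog is configured here.
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 default-group-policy L2TP-GP
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
 no authentication chap
```

Two consequences worth keeping in mind when operating this: the PSK is shared by every L2TP client, so it only authenticates "a client that knows the key"; the per-user identity comes from the PPP MS-CHAPv2 exchange, which is why weaker PPP methods (PAP/CHAP) are left disabled and why pointing DefaultRAGroup at AAA rather than local users is the usual next step. Also, the IKEv1 policy values must match what the Windows client proposes (DH group 2 with AES or 3DES and SHA-1 is the long-standing interoperable set); a mismatch shows up on the ASA as a phase 1 failure rather than as anything to do with groups.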

I agree with Aaron; odd that IPsec with group authentication VPN works on Apple devices, not Microsoft. If the Cisco IPsec client does not work in Windows 10 and the native Windows 10 IPsec connection also does not work for group authentication, what is Cisco's response to people who want to connect their users to the ASA using IPsec with group authentication? How do they recommend that we connect clients?

While I agree with you on both points that

A) Windows 10 should support it natively (Hell, Windows XP should've!)

B) Cisco should update the client

it does work with a few tweaks: http://www.gleescape.com/posts/2917

cheers

We have been dealing with this a bit at work and here is what we've found so far.

Cisco AnyConnect 3.01 and later are effective with Windows 10.

2.5 does not work.

V5 is a no-go as well.

The built-in VPN on Windows 10 is a near miss, and appears to get hung up by the receiving ASA. Testing a workaround for this.

You can get the Cisco VPN 5.x fat client to work even with build 1511. I use it daily.

Instructions here: http://itthatshouldjustwork.blogspot.com/2015/07/cisco-64-bit-vpn-client-on-windows-10.html

The site above, as well as http://www.gleescape.com/posts/2917, was helpful to me in getting the VPN client installed in Windows 10 on a physical machine. I struggled for weeks though in a VM under VMware Player, Workstation 12 Pro and ESX 5.5u3, where it almost worked, but UDP traffic (including DNS) was failing. Eventually I found that the 64-bit DNE NDIS shim does not seem compatible with the latest VMware drivers for e1000e (Intel 82574L) or vmxnet3. Going back to the older e1000 vNIC (Intel Pro 1000MT), I was able to get everything working again.

Hi, the conclusion is that using the Win10 native L2TP client to connect to the ASA is no doubt NOT working?! No workarounds other than using an additional VPN client like Shrew Soft or the Cisco VPN Client? Thanks.

Matthew Lee

The problem may not be specific to Windows 10, but the Cisco VPN client works on Windows 8.  It does NOT work on Windows 10. So now there is NO solution whatsoever for people with an ASA 55XX infrastructure. So for now, we don't roll out Windows 10 on any laptops, under any circumstances--until either Cisco or Microsoft offers up a solution. I'm not going to write the code myself, and I'm not going to replace my entire firewall fleet just because Microsoft doesn't want to interoperate... I don't want to hear that the VPN client is end-of-life, either. Just because it isn't being updated anymore doesn't mean it isn't a valid solution or that the hardware it sits on needs to be thrown away.

Hi All,

First of all, based on the direction Cisco is going, it seems Cisco would like everyone to start going to their AnyConnect SSL VPN solution, and that just does not work for my company. We primarily use IPsec VPN for router to router, router to ASA, L3 switch to ASA and Windows workstation to ASA, all over IPsec, so for us the use of AnyConnect is not needed and would not support everything we do anyway!

The issue is Cisco is pushing AnyConnect anyway and dropping support of the only Cisco IPsec client, yet still sells products with many built-in IPsec licenses vs. SSL AnyConnect.
And yes, I do also agree it is crazy that Microsoft does not support Cisco's full spec of IPsec when Apple does; Apple has had this support built in for years now. The built-in client on Apple is actually named "Cisco IPSec VPN" or something like that, lol, and Microsoft has nothing!

So what works for us on Win10:
Shrew Soft VPN Client v2.2.2. This software works very well; just monitor the setting changes needed to the profile, and you can export/import the profile so you only need to make the setting change once, and all other staff or vendors just need a copy of your "base" profile. Very easy, and it's free too.

So do a search for Shrew VPN client; the web site is www.shrew.net.
Still, I would like to see Microsoft build in a fully spec'd Cisco IPsec client, and/or Cisco continue to support the Cisco VPN Client. All the workarounds just to get the old Cisco VPN going are something we should not need to do. Cisco selling a VPN IPsec server without a client is crazy!

I think what makes it worse is that for those of us using ISRs as the VPN termination, SSL VPN is not even supported on the brand new models!

Personally I hate working on ASAs so I avoid them like the plague.  Give me IOS any day...

VPN client options for use via our current Cisco ASA infra – my findings so far…

IPsec client has been deprecated for some time

AnyConnect 3 perpetual licence is deprecated & Apex / 4 looks like subscription-based licences (for basic functionality.. really???????)

Windows doesn't support group authentication for the inbuilt L2TP client

Conclusion: Given that we're moving away from an infrastructure that relies on the idea of VPN client 'middleware' to make things work, towards application-level VPNs, these are seen as bridging the gap and not as strategic... So what options do we have if we don't want to move to a subscription licence to maintain very basic & legacy connectivity… Migrate to Mac or change security platforms? Any other suggestions are welcome.

Removing such basic, should-be 'out of the box' capabilities makes these platforms far less attractive as the device of choice going forward in our enterprise.. Well done Cisco.. In a viciously competitive market this seems like another very poor strategy..
