04-23-2014 04:26 AM
Hi,
I am trying to connect a VPN client (Win XP) and it works just fine. It is also communicating with the RADIUS server and internal network, no issues in that. However, when using the VPN client on Win 7 it does not connect. I can see from the debug on the firewall that phase 2 is complete, but the client does not connect and I can see error 809 on the Win 7 (32 bit and 64 bit) clients. I would really appreciate it if anyone could guide me in the right direction. Please see below the code that is working fine for XP.
nat (inside,outside) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp route-lookup
aaa-server int-radius-group protocol radius
aaa-server int-radius-group (inside) host 172.16.5.100
 key ***
 radius-common-pw ***
crypto ipsec ikev1 transform-set RA-VPN-Set-3desmd5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-3desmd5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes128sha esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes128sha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256sha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256md5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256md5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-dessha esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-dessha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-3dessha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-3dessha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-desmd5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-desmd5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192md5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192md5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192sha esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192sha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aesmd5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aesmd5 mode transport
crypto dynamic-map dyn-ra-vpn 65000 set ikev1 transform-set RA-VPN-Set-3desmd5 RA-VPN-Set-aes128sha RA-VPN-Set-aes256s-dessha RA-VPN-Set-3dessha RA-VPN-Set-desmd5 RA-VPN-Set-aes192md5 RA-VPN-Set-aes192sha RA-VPN-Set-aesmd5
crypto dynamic-map dyn-ra-vpn 65000 set reverse-route
crypto map ASA-VPN-SITE 65000 ipsec-isakmp dynamic dyn-ra-vpn
crypto map ASA-VPN-SITE interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
group-policy RA-VPN-GP internal
group-policy RA-VPN-GP attributes
 dns-server value 172.16.5.31 172.16.5.32
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value mydomain.com
 intercept-dhcp enable
 client-firewall none
tunnel-group DefaultRAGroup general-attributes
 address-pool ra-vpn-ippool
 authentication-server-group int-radius-group
 default-group-policy RA-VPN-GP
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
Thanks & Regards
Rohit
04-24-2014 11:04 PM
We are using VPN client v5.0.05.0290 without a problem. Here is a link that I found initially when testing with Windows 7 and the VPN client...maybe it will help you resolve your issue.
http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx
I didn't have to use this procedure on Windows 7 Pro 32-bit.
On a different note, can you pass traffic to hosts on your internal LAN by IP address or hostname? I found an issue using the AnyConnect client - I didn't configure the connection profile to tell the connecting client what our internal domain name was...so my clients weren't able to make connections inbound without manually appending the domain name to the end of the hostname...shot in the dark...
Good Luck!!
"please rate me if post helpful"