Another (Notso) Easy VPN problem

makemorebeer

Technical User
Jun 6, 2007
Recently some of our users started buying new computers, specifically ones that run Vista, and unless something has changed the SSL VPN does not support Vista yet. So I'm trying to accommodate them with a copy of the Cisco VPN client 5.0.3. When I try to connect I'm getting the following through my debugs for ISAKMP. Anyone got an idea what this could mean?

03-14-2008 15:50:19 Local7.Info 10.1.254.249 4177: 003770: *Mar 14 15:49:55.146 PCTime: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 66.112.65.81 was not encrypted and it should've been.
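An added example (not from the original thread) for making sense of messages like the one above: a small parser for the router's syslog lines that extracts the Cisco mnemonic and the IKE peer address, then counts how often each peer triggers IKMP_NOT_ENCRYPTED. A peer that keeps producing it is the one to check for a mismatched pre-shared key, filtered ESP, or a stale SA on one side. The sample log lines are constructed in the same layout as the quoted line; the peer 203.0.113.7 and the SYS-5-CONFIG_I line are made up for contrast.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the syslog line quoted in the thread
SAMPLE_LOG = """\
03-14-2008 15:50:19 Local7.Info 10.1.254.249 4177: 003770: *Mar 14 15:49:55.146 PCTime: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 66.112.65.81 was not encrypted and it should've been.
03-14-2008 15:50:21 Local7.Info 10.1.254.249 4178: 003771: *Mar 14 15:49:57.102 PCTime: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 66.112.65.81 was not encrypted and it should've been.
03-14-2008 15:50:40 Local7.Info 10.1.254.249 4179: 003772: *Mar 14 15:50:16.310 PCTime: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 203.0.113.7 was not encrypted and it should've been.
03-14-2008 15:51:02 Local7.Info 10.1.254.249 4180: 003773: *Mar 14 15:50:38.004 PCTime: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# syslog-server timestamp, facility.severity, sending device, then the IOS message
LINE_RE = re.compile(
    r"^(?P<received>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\S+) (?P<device>\S+) .*?"
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
# the peer address embedded in the IKMP_NOT_ENCRYPTED message text
PEER_RE = re.compile(r"IKE packet from (?P<peer>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Return a dict with received/facility/device/mnemonic/text/peer, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    peer = PEER_RE.search(rec["text"])
    rec["peer"] = peer.group("peer") if peer else None
    return rec


def unencrypted_ike_peers(log_text, threshold=2):
    """Map peer IP -> count of IKMP_NOT_ENCRYPTED messages, keeping peers at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["mnemonic"] == "CRYPTO-6-IKMP_NOT_ENCRYPTED" and rec["peer"]:
            counts[rec["peer"]] += 1
    return {peer: n for peer, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for peer, n in unencrypted_ike_peers(SAMPLE_LOG).items():
        print(f"{peer}: {n} unencrypted IKE packets, check PSK / ESP filtering / stale SA")
```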
 
Good news! The Cisco AnyConnect client, which uses SSL, supports Vista. In fact, it's the only way you can do full tunnel VPN on Vista x64 - there's no IPsec client for it.


-----

If you're seeing that error on the router it could indicate that the client has torn down the connection while the router has not. Thus, the router is expecting encrypted packets and not getting them.

Try clearing out the connections on both ends.

Matt
CCIE Security
 
I would say either pre-shared keys don't match (that will cause this), or the Vista box is filtering ESP.

Burt
 
Burt, I double checked the entire config, keys included, and everything looks as though it's correct. Does Vista filter ESP by default? If so, do you know off the top of your head how to stop it from doing so? I mean hey, Vista likes to block everything and its momma, but from what I've seen most of this can be turned off. Thanks Garnet, I'll definitely look into that as well. Ah, the more holes in the network, I mean remote access for users, the better.
 
Not sure what all Shista does, but I was sure that you confirmed the keys. I was just stating what causes that error. I'd say somewhere (likely Vista) ESP is blocked.

Burt
 
Shista, I like that. I think I'll put it in my sig line. Back to business. I checked around a bit, I'm sure you're familiar with how fun it is to find things in Vista, and could not find any further security settings to turn off. I did however think it was a bit funny that on a Vista machine I can't even navigate (IE7) to my WebVPN page. I can with Firefox though. I'm trying to install the AnyConnect client as we speak to see if I can get connected via WebVPN again and still having no luck there. It's safe to say I hate Vista already. I'm sure some day I'll love it.
 
Have you tried disabling that auto tuning crap? Just get to a cmd prompt and type netsh interface tcp set global autotuninglevel=disabled

Burt
 
I'm going to try that as well. AnyConnect seemed like a good idea but it's created a few other problems, first off being the install of the AnyConnect package itself. When I run the install through SDM it does this:

error installing package: unknown error

This may occur if your router uses a LEFS file system. Converting it to use a dos file system may resolve this issue.

So then I tried it through the CLI and it says it installed fine. I go to check it and nothing connects. The portal is up, and I can get logged in but it won't connect the actual tunnel. So I checked my configurations and found that the context for that connection was noservice. I turned it back on and tried again. It turned it off a second time. Very frustrating. I suppose a good starting point would be what's with the error.

I know it'll get asked so I'll tell now that I'm running 1811 routers and the IOS is 12.4(15)T1, which is supposed to be supported.

I've also tried debugging it and come up with nothing there as well.
 
Well, this is just with DissedYa, right? Vista, I mean...

Burt
 
No actually I haven't been able to get an XP machine working either. The error I posted was direct from the router via SDM. I did a little reading on it and checked a few things and apparently I'm running a class B (LEFS) file system. It looks like I might need to upgrade the router to a class C (DOS) filesystem, so I'm going to look into that this morning. I didn't even know that you could reformat the flash file system but apparently you can. It's completely destructive to your current configuration though so I'm really hoping it all works out. I'll make sure to post up on what the outcome was.

I also tried the auto tuning fix you mentioned and it's telling me that I need escalated rights to do so. But I'm logged in as administrator so it looks like Vista 3 makemorebeer 0.

It seems I'm fighting the good fight from both ends of the battlefield! As a further thought, I'm not administering the router from the Vista machine either so at least I know that's not working against me.
 
Hey Garnet, thanks for the AnyConnect idea. Took a little doing, and by that I mean help from Cisco getting it installed since SDM would not install it and it kept killing my contexts when I installed via CLI, but now it's working and working good. I've even found a bug that's been forwarded to the developers. =) I'm not so sure that's a good thing. Sorry Burt, never did get that Easy VPN working correctly.
 
makemorebeer,

What process did you go through to fix the LEFS error?

I have the exact same problem on a 3825 when trying to use anyconnect.

Thanks much!
 
I too had the LEFS issue trying to add the version 2.x AnyConnect package file to the router (3845) via SDM. My workaround was to manually copy the package file to the router flash, then "install" it using the 'webvpn install svc xxx flash:' command.
 