New VPN Connection...need some help!

E Double U

I rcvd the following email:

With the issues we have seen using the Verizon hotspots as well as incompatibility in Windows 8.1, we need to be able to provide an alternative to using the Cisco IPSec VPN Client. Setting up a L2TP/IPSec VPN connection may work well and would allow us to use the built in Windows network connection.

I recommended a registry fix, but here is the response:

We can get it to work with a registry fix, but it makes other features on the system fail. Also, Cisco is discontinuing their IPSec client so we need another method.

I hate to admit it, but I am stumped. Hopefully someone here can give me some direction. Thanks in advance for any help that you're able to provide.

shodown

There are plenty of open source VPN clients that work with windows 8. I use a shrewsoft vpn client and it has worked fine for my windwos 8 IPSEC VPN.


I do have to ask why arent you guys looking into SSL VPN's, is there a feature in IPSEC that you 100 percent need? Or is it that the license are free?

E Double U

Thanks for the reply!

Actually, most employees do use Clientless SSL VPN (myself included), but the employees that are in the field will be getting Dell Surface Pros and the decision makers want to use IPSec.

Since we're not a humongous organization (few hundred employees) the guys above me like when things are free. Especially since our security budget always seems to drive up costs

E Double U

We came across the following:

[h=2]L2TP/IPSec with Windows 8/7 and Cisco ASA 8.x/9.x[/h]
https://popravak.wordpress.com/2013/03/06/l2tpipsec-with-windows-8-and-cisco-asa-8-x9-x/

Hoping someone here can advise if they've applied this solution.

Hondabuff

I would migrate over to the Cisco SSL VPN. You can create the package on your firewall and export the install package as a .exe file and distribute it out to all your employees. Can also be pushed out with Group Policy if you create an .msi file. Launch it from your Desktop and enter your Domain credentials and your up and running. Its called Cisco Anyconnect VPN Client.

shodown

^^^^

I think they are sticking with the IPSEC firewall because its free based upon the hardware vs SSL which you have to pay for each user.

E Double U

shodown wrote: »

^^^^

I think they are sticking with the IPSEC firewall because its free based upon the hardware vs SSL which you have to pay for each user.

The CIO and CISO like free

Hondabuff

I think "E Double U" needs to present a business need for the company and stress why a paid product has better support and reliability. I would exhaust all efforts and if they then tell you NO, go for a free one because you don't have a choice. I worked in a school district before and this happened all the time. The main school where I was at wanted to go with Google Docs because it was free. We did a pilot test for 3 months and ended up renewing our $20k license for office.

Zartanasaurus

Hondabuff wrote: »

I think "E Double U" needs to present a business need for the company and stress why a paid product has better support and reliability. I would exhaust all efforts and if they then tell you NO, go for a free one because you don't have a choice. I worked in a school district before and this happened all the time. The main school where I was at wanted to go with Google Docs because it was free. We did a pilot test for 3 months and ended up renewing our $20k license for office.

As soon as you make them demo the apps side by side along with the "we aren't responsible for supporting this other one" caveat, they suddenly find the money to pay.
Been there, done that.

E Double U

LOL thanks guys!

phoeneous

shodown wrote: »

^^^^

I think they are sticking with the IPSEC firewall because its free based upon the hardware vs SSL which you have to pay for each user.

Which ASA and ios do you have?

E Double U

phoeneous wrote: »

Which ASA and ios do you have?

5510 version 9.1(5)12

phoeneous

E Double U wrote: »

5510 version 9.1(5)12

Do a show version, you might already have existing ssl licenses to work with. I have a 5510 on 8.2 and it came with 10 ssl licenses.

E Double U

Finally got it to work with a quick change in ACS and following this:

https://supportforums.cisco.com/document/12376016/configure-l2tp-over-ipsec-using-cisco-asa-84-and-ldap-authentication