THE SQL Server Blog Spot on the Web


Andy Leonard

Andy Leonard is CSO of Linchpin People and SQLPeople, an SSIS Trainer, Consultant, and developer; a Business Intelligence Markup Language (Biml) developer; SQL Server database and data warehouse developer, community mentor, engineer, and farmer. He is a co-author of SQL Server 2012 Integration Services Design Patterns. His background includes web application architecture and development, VB, and ASP. Andy loves the SQL Server Community!
Note: Comments are moderated. Spam shall not pass! </GandalfVoice>

Cisco VPN Client and Vista x64

I am disappointed in Cisco.

I have Vista Ultimate x64 installed on my snappy new Red laptop but I cannot install Cisco VPN Client software on it because Cisco VPN Client does not run on Vista 64-bit platforms.

Digging around for a work-around, I came across a couple interesting comments. One comment, from someone who claims to be with Cisco VPN Client Support, states:

"...as mentioned many times on this thread, NO x86-64 support for Windows. Cisco IPSec client will NOT be ported to support 64bit version of Windows now or in the future. If you require 64bit support on Windows please look at migrating to AnyConnect."

Does Cisco think 64-bit OS's are a passing fad? Are they holding out for the 128-bit operating systems before bothering to release an upgrade? What's the logic behind such a move? There has to be some logical explanation...

Release Notes for AnyConnect version 2.2 indicate something new (hardware?) is required to work with 64-bit Vista, but it's entirely possible I'm misreading the notes. I do not know what an Adaptive Security Appliance is.

Other applications install and run in 32-bit mode. Is there some reason - security-related or other - that the Cisco VPN client cannot run in this mode?

I'm forced to create a virtual PC with a 32-bit OS installed just so I can communicate with clients remotely. It is, as I wrote earlier, disappointing.

:{> Andy

Published Friday, May 09, 2008 1:10 AM by andyleonard

Comments

 

Marc Scheuner said:

Amen, brother - I was totally appalled and surprised to see Cisco doesn't even *plan* to support Vista-64 with their VPN client. How can they be ignoring this trend that mostly advanced users who are the most likely users of Cisco VPN will be using?

For now, we have the choice of either sticking with XP 32-bit, or abandoning Cisco - not quite sure which route we'll take......

Cheers!

Marc

May 9, 2008 1:12 AM
 

AaronBertrand said:

Just last night at a user group meeting, Adam was trying to convince me to load Vista x64 on my MacBook Pro, which is capable of running it, but currently I run Vista x86.  I'm glad I saw this post before I wiped that partition, only to find out that I wouldn't be able to connect to the office.

May 9, 2008 9:26 AM
 

jerryhung said:

WOW...

don't abandon Cisco, because I own CSCO stocks, at a -20% loss :(

May 9, 2008 9:38 AM
 

todd brooks said:

Andy, yes, to use the new AnyConnect, you will have to upgrade your PIX to an ASA appliance.  Upgrade = buy new Cisco product.

And yes, this really does suck.

If you can't afford to purchase a new Cisco device, you should look at NCP Secure Entry (http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html); they have a 64bit VPN client that will work with Cisco devices and with Vista x64 (in fact, I'm using it right now).  It is a VERY stable VPN client (as opposed to the highly unstable Cisco VPN client).

May 9, 2008 11:44 AM
 

Adam Machanic said:

Wait -- they're NEVER going to support 64-bit?  Are they trying to put themselves out of business??

May 9, 2008 12:15 PM
 

Denis Gobo said:

Why can't you use Cisco AnyConnect VPN Client instead of Cisco IPSec ?

Maybe Cisco IPSec is dead and all new development will be done for Cisco AnyConnect VPN?

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect21/release/notes/anyconnect21.html

May 9, 2008 12:24 PM
 

AaronBertrand said:

Denis, my company has older Cisco gear, and is not going to spend money on it anytime soon.  Especially only so that I can use x64 remotely, since nobody else is keen on 64-bit at all.

May 9, 2008 4:22 PM
 

AaronBertrand said:

todd, I'm all for alternatives, but I get this on your URL:

"Database Error

The current username, password or host was not accepted when the connection to the database was attempted to be established!"

May 9, 2008 4:24 PM
 

todd brooks said:

Aaron,

I just tried the URL again and it worked for me.  Maybe a routing issue?  In any case, just go to http://www.ncp-e.com/en.html and select Universal IPSec VPN Client.  That is the link to their SecureEntry VPN Client.  Highly recommended compared to the Cisco software.

Denis,

you cannot use Cisco AnyConnect VPN client on a Cisco PIX.  It requires one of the newer ASA appliances.

May 10, 2008 4:45 PM
 

Jim Stirling said:

You can blame the computer manufacturers for the unwillingness of other hardware and driver manufacturers to support Vista x64. Dell, HP and any other bulk sellers of PCs and laptops do not sell their product with an x64 OS installed which doesn't provide any incentive to the others to write drivers or provide hardware to support the x64 OS platform. They are willing to slap every 64 bit processor label on their product but they won't put the OS in place to support the speed that the processor will provide. So, what you get is a hunk of iron that is running at half speed or less.

This topic has been a burr under my saddle since Vista x64 has been released.

May 12, 2008 3:22 PM
 

spikey said:

Anyone needing a Vista 64 bit VPN client can get it at:

http://www.ncp-e.com

It even supports XP 64 bit too

May 13, 2008 2:07 PM
 

AaronBertrand said:

Spikey, I tried it on Windows Server 2008 x64, and couldn't get it to connect to my network.  Even if it worked, it is not free.

The point is we paid good money for Cisco gear, and they are basically forcing us to buy new hardware by preventing their client from working on x64.  If we have to buy new hardware just to get this support, what are the odds, do you think, that we're going to keep spending money on Cisco, when they are abandoning us like this?

May 14, 2008 9:30 PM
 

Matthew said:

Install VMware and run XP in a virtual machine. You can then install the Cisco VPN client and run it from there. One side benefit: you can now access network resources on your "host" machine because only the vmware image is technically "on the remote network". So now you can check email while remoting into the client site.

May 27, 2008 4:49 PM
 

Bill Gowland said:

Hey Todd, I tried the NCP client with our ASA's and could not get them to connect.  The farthest I got was P1.  p2 would never work.  Any pointers on setting up the client and/or the ASA to make it work?

June 3, 2008 8:55 PM
 

andyleonard said:

Hi Bill,

  Like you, I have also tried to connect to my remote clients using the NCP Client. So far I have not been able to connect.

:{| Andy

June 3, 2008 10:02 PM
 

Josh said:

This NCP VPN Client does work; it was able to connect to our Cisco 2811 Router for the VPN and a Cisco 2611XM running the VPN on it.

June 12, 2008 12:17 AM
 

andyleonard said:

Hi Josh,

  I didn't say it doesn't work. I don't think anyone else here did either. We're saying it doesn't work for us. Here's part of the reason why:

  With the Cisco client, my clients were able to grant me access and send me a file with most of the goods encrypted. I didn't have to know passwords at several layers of the VPN encryption process - I only needed my login information and the file from the client. As a consultant who isn't technically an employee, this provided a level of comfort about the security of the process of granting me access to log onto their system. When these clients have to hand over internal passwords so I can configure a third-party tool, they lose that level of comfort.

  I have no doubt the client works in some instances. I'm glad it works for you. It doesn't work for me.

:{| Andy

June 12, 2008 12:26 AM
 

Marlon said:

If you can get your Network guys to create the profile for you on NCP it should be ok. The profile is encrypted into a config file and the passwords are never shown. It's a pain I know, but the only other way is using a VM and then host using it as a dns or something of the sort. I can't remember where, but I saw a detailed post on how to get that working.

June 14, 2008 8:19 PM
 

Lee Armstrong said:

Anyone got an example config for NCP that works with Cisco IOS, e.g. Cisco 2800?

July 21, 2008 11:44 AM
 

Tarun Chachra said:

I have it connecting to a Cisco 2811 vpn....

Took a few tries...but it connects and works with group auth and user auth....

IPSec General Settings:

IKE Automatic

IPSec Policy Automatic

Exch. Mode Aggressive

PFS Group None

Advanced IPSec Options:

IP Compression Checked

Port 500

Identities:

Free String Used to identify Groups

Enter Your Group Name

Check Pre-Shared Key and enter secret key.

Check Extended Auth.

Enter your userid and password

IP Address Assignment

IKE Config Mode

Stateful Inspection off

Netbios Over IP Checked

works for me...

August 28, 2008 6:35 PM
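The single-line settings from the comment above, run through a small review script. This is an added example, not part of the original comment and not NCP or Cisco code; the rule names and the reasons attached to them are this example's own.

```python
import re

# Single-line settings as listed in the comment above.
POSTED = """\
IKE Automatic
IPSec Policy Automatic
Exch. Mode Aggressive
PFS Group None
IP Compression Checked
Port 500
Check Pre-Shared Key and enter secret key.
Check Extended Auth.
Stateful Inspection off
Netbios Over IP Checked
"""

# Labels from the comment, longest first so the most specific label matches.
LABELS = sorted(["IKE", "IPSec Policy", "Exch. Mode", "PFS Group", "IP Compression",
                 "Port", "Stateful Inspection", "Netbios Over IP"], key=len, reverse=True)


def parse_settings(text):
    """Parse 'Label Value' lines and 'Check <option>' instructions into a dict."""
    settings = {}
    for line in (raw.strip() for raw in text.splitlines()):
        ticked = re.match(r"Check (Pre-Shared Key|Extended Auth)", line)
        if ticked:
            settings[ticked.group(1)] = "checked"
            continue
        for label in LABELS:
            if line.startswith(label + " "):
                settings[label] = line[len(label):].strip().lower()
                break
    return settings


def review(settings):
    """Return (rule, reason) pairs; the rule names are hypothetical labels."""
    findings = []
    psk = settings.get("Pre-Shared Key") == "checked"
    # Prefix match tolerates spelling variants of "Aggressive".
    if psk and settings.get("Exch. Mode", "").startswith("ag"):
        findings.append(("aggressive-mode-psk",
                         "IKEv1 aggressive mode returns a hash derived from the group "
                         "secret before the peer is authenticated; use a long "
                         "random group key or certificate authentication"))
    if settings.get("PFS Group") == "none":
        findings.append(("no-pfs",
                         "phase 2 keys are derived from phase 1 material without "
                         "a fresh Diffie-Hellman exchange"))
    if psk and settings.get("Extended Auth") != "checked":
        findings.append(("group-secret-only",
                         "no per-user credential on top of the shared group key"))
    return findings


if __name__ == "__main__":
    for rule, reason in review(parse_settings(POSTED)):
        print(f"{rule}: {reason}")
```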
 

Chris Leonard said:

I got the NCP client working last night, and it's actually very nice.  The process I used was to simply import the *.pcf file that my company had shipped with our 32-bit Cisco VPN client installer.  NCP was able to read that and give me all the "goods" that Andy mentions a while back.

Just my 0.02,

Chris

September 5, 2008 2:42 AM
 

andyleonard said:

Hi Chris,

  Thanks for the feedback!

  I tried that before and couldn't get it to work. I will try again though - perhaps there's been an update to NCP.

:{> Andy

September 5, 2008 7:30 AM
 

SQLCraftsman said:

I just LOVE it when major vendors stick us in the middle of a urination contest.

September 8, 2008 10:13 AM
 

Seth said:

@Tarun Chachra : You rock! thanks... I've been at it for 2 days now, but can now connect.

September 16, 2008 6:21 PM
 

RJJ said:

Tarun Chachra: Yup, your instructions worked perfectly with group and user ID and PW. Thanks for the post!

September 17, 2008 6:08 PM
 

Cory said:

Does anyone know where you can purchase the Cisco AnyConnect VPN Client? I have been searching forever and cannot locate a seller. Or does someone know a link that I can download (torrent)?

October 1, 2008 7:56 PM
 

Jason Gerard said:

Awesome. I was searching for it and YOU were the first hit in google!

October 26, 2008 11:44 PM
 

andyleonard said:

Hi Jason,

  Glad to be of service sir.

:{> Andy

October 27, 2008 6:25 AM
 

VPNHaus said:

Joe Harris (author of Cisco Network Security, Little Black Book), also suggests NCP, check out his blog: http://tinyurl.com/5nb7ba


You may have noticed that the Cisco IPSec VPN Client does not currently support 64-bit Operating Systems nor will it. If you have a need for an IPSec Client that does have 64-bit OS support, NCP Secure Communications (www.ncp-e.com) has a Universal VPN Client that is 64 Bit compatible and will even import/convert your existing .pcf profiles for a seamless migration to a 64-bit client. More information regarding their products can be found by visiting their products page as well as specific configuration information related to configuring their client with Cisco products is found here: NCP to Cisco Config Guide

NCP engineering is recommended and this looks like the most recent data sheet (second page is the detail): http://tinyurl.com/6rjqmv  

November 13, 2008 4:50 PM
 

funkyfresh said:

chris leonard.....you are AWESOME. I have vista home premium x64 and I live on college campus. there was no way of connecting except through cisco VPN which btw blows. So i downloaded NCP on my vista and downloaded the cisco vpn my college provides on my xp desktop. then you search the installed folder of cisco for the .pcf files then you copy them to your vista and click config and import them!! that's it!!

the only problem now is paying for that NCP program but it works just like the cisco vpn. hope it works!

December 2, 2008 11:57 AM
 

Allan K. said:

Install Cygwin (gcc + make + libgcrypt + whatever else you want)

Go here: http://www.unix-ag.uni-kl.de/~massar/vpnc/ and download 0.5.1.  Untar and make it.

Go here: http://openvpn.net/index.php/downloads.html and get a recent Windows install and install the TAP-Win32 virtual NIC.

Part of the connection process involves running a script.  Make sure you tell the vpnc command to use the Windows script.  The Windows version of the script just does cscript of a .js file.  So make sure you get that file name right in the Windows script.

Make sure that vpnc and the processes running the scripts run with Administrator privileges.

I did this last night on my brand new Vista 64 laptop and managed to VPN my way into work.

December 3, 2008 6:09 PM
 

Download said:

Hey guys, does anybody know where we can download AnyConnect?

I could not get it from Cisco site.

December 9, 2008 5:05 PM
 

rgh said:

Have a WRVS4400N router on our server.

Could make VPN connections from Win XP systems, but not Vista systems.  CISCO support told us today (after several weeks of trying to connect from a new VISTA laptop) that there is a known issue and the only workarounds are to either use 3rd party VPN Clients or change the OS back to XP.  They suggested Greenbow or SafeNet.

I asked but they refused to provide such software as a customer service leaving us to spend additional dollars.

Nice customer support!

January 13, 2009 12:36 PM
 

Tegiri Nenashi said:

I'm logging *-th day of my time on this issue... Tried NCP client, and failed. Installed VmWare, now Virtual PC. It connects fine, but may I ask if the host is supposed to be able to get behind firewall as well? (Otherwise, the only option is Linux VM which is leaner, but I have to do traffic routing setup?)

January 23, 2009 1:16 AM
 

Steve C said:

I found the reference here to NCP client after realizing I'd "upgraded" myself into the 64-bit box with my work laptop which I use with the VPN normally.  My rather "structured" IT support is not going to handle any updates for this, so the NCP client is a nice bridge to keep in the loop - installed easily off their web site on 64-bit vista and after importing my pcf file out of my XP 32-bit machine at home, got the connection.  Happy camper - yeah, $200 bites, but that's the price I guess I'll have to live with.  Thanks for the tips and comments folks!

January 25, 2009 11:23 PM
 

Chad Heese said:

Easy - free solution (NCP is $144) to get your VPN working on Vista 64.  Go to http://sourceforge.net and download VPNC Front End. Makes connecting to your company VPN easy.  You'll need to download and install OpenVPN (just the TAP Driver is needed).  It even has a PCF import tool to setup the connection.  You just need to make sure you select the TAP Device as the Network interface and you're good to go.

February 8, 2009 1:23 PM
 

Jon R. said:

Chad Heese, I did all the steps that you mention in your post with downloading VPNC and OpenVPN for the driver. My only issue is that once I open VPNC and import my pcf file, the Network Interface menu does not let me select the TAP Device. I did restart my computer after installing the driver, and it did not help. How can I make VPNC use the TAP Device?

February 9, 2009 1:30 AM
 

MartinK said:

Hi, hope somebody can help. I have following problem:

Trying to use NCP on Windows 7 64bit...

Was using Cisco VPN client IPSec/UDP with Certificate authentication on WinXP 32bit.

All is fine, importing profile, getting root cert, but I have problem to get User cert to NCP from old machine. While Cisco VPN client is using .cer, NCP can accept only .p12 (PKCS#12).

I am converting CER to PEM and then to PKCS#12 with OpenSSL while I don't have private key, so I am using -nokey, but then I get error in NCP. So obviously I need private key. But it seems that private key is not on my computer. I have tried all of these that are in "c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\" but could not get them working. Tried to get ownership on them, but option to export cert with private key is still grayed. Maybe I need to convert them to Base 64 encoding for openssl to be recognized?

If someone can point me the right direction or write short step by step how to setup NCP in case of Certificate authentication was used in Cisco VPN client.

Any help is much appreciated...

February 15, 2009 12:00 PM
 

vpn said:

The installed vpn-server does not respond.

I've set up a mac mini, with 10.4.6 as vpn-server, as described above. System.log and vpnd.log suggest a proper working vpnd.

But I can't connect from a client, also 10.4.6. The client doesn't find the server.

I've tried it with a direct connection (one ethernet-cable between client and mac mini and self assigned IPs), and also with a WRT54G that is my network-router and also with a switch, on that only server and client have been connected.

But all these tries didn't take any effect, vpnd runs like isolated.

All these hardware-configurations were tested in combination with both firewalls on and off.

Can I have advice, where my error in configuration and setup might be?

February 20, 2009 7:10 PM
 

andyleonard said:

I'm glad to read the comments and email from folks who got this to work. I did not get it to work. The only part of this that worked for me was the corporate billing - and I lost $144 as a result.

:{< Andy

February 21, 2009 8:20 AM
New Comments to this post are disabled
