[c-nsp] Cisco VPN Client for 64-bit????

Kaj Niemi kajtzu at basen.net
Fri Feb 15 09:19:12 EST 2008


Hi,


I think Cisco hopes that you would "migrate" them from VPN3K and PIX  
to ASA (or IOS) ;-)

I happened to stumble on the same "where do I find a 64 bit vpn client
for vista" recently and a short investigation resulted in "please look
into implementing anyconnect vpn instead of expecting 64 bit vpn
client for vista". Since there is a 64-bit Linux implementation of the
VPN client and there is a 32-bit Vista client that kind of works, I
would assume this has more to do with someone deciding they want us,
the customers, to pay for those nifty little SSL licenses (you get a
few with your ASA, the rest you have to pay for, unlike IPsec licenses
that you get a bunch of) than technical issues with implementing it on
the 64-bit network stack.

For anyone attempting to implement AnyConnect with group attributes
from RADIUS, remember to read through CSCsk80264 before starting - it
will save you a lot of grief. The 8.0 reference documentation (table
E-5) is wrong and the error you will get from your ASA is something
along the lines of "Unable to add SVC to  ... " and "Internal Error
(34 => 34)" even with very heavy vpn-sessiondb and webvpn debug
enabled. The OS X client also identifies itself as a Windows client
("sh vpn-sess de svc") for one of the tunnel types (TLS or DTLS), that
was also pretty hilarious.

As a technology, or as an implementation, AnyConnect 2.0/2.1 does not
seem as robust as the IPsec VPN client, especially if network
connectivity is a bit flaky. I support guys who are in a bunch of
different places (Qatar, somewhere in Australia ;-), Malaysia, etc.)
and where the IPsec client shines is that it works semi-reliably even
with very high latencies (2+ seconds) and variable packet loss.

Also... on the webvpn side, what happened in 8.0 to ASA customization?
"customize foo" is deprecated and does not seem to result in anything
anymore (in 7.2 that worked). Now there seems to be some kind of XML
importing tool instead, or the assumption that everybody is to use ASDM
for administration. I could not find any documentation on CCO on the
new format.

:)


On Feb 14, 2008, at 06:33, Jonathan Charles wrote:

> OK, umm... what do I do for customers that have PIXes and VPN  
> Concentrators? Those will not support SSL VPN....
>
>
> Jonathan
>
> On Feb 13, 2008 9:59 PM, Jules Rogers <jules.rogers at gmail.com> wrote:
>> There will be no 64-bit version of the standard VPN client.  There's
>> only the AnyConnect client.  You might be able to try using
>> Microsoft's built in IPSEC.
>>
>>
>> --
>> Jules Rogers
>>
>> -----
>> With or without religion, you would have good people doing good  
>> things
>> and evil people doing evil things. But for good people to do evil
>> things, that takes religion.
>>  - Steven Weinberg
>>
>> On Feb 13, 2008 9:29 PM, Jonathan Charles <jonvoip at gmail.com> wrote:
>>
>>> I have a lot of users using Dell Precision Workstations with upwards
>>> of 8GB of RAM and are running 64-bit XP and Vista,  and they can't  
>>> get
>>> the Cisco VPN client to work...
>>>
>>> Does Cisco have any intention of supporting 64-bit for the VPN  
>>> Client?
>>>
>>>
>>>
>>> Jonathan
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>




HTH

Kaj
-- 
Kaj J. Niemi
<kajtzu at basen.net>
+358 45 63 12000




