10

IPsec VPN on windows 64 bit with NCP universal VPN client (NCP secure entry client configuration)

Posted by Happy Hippo on 8/22/2009 11:42:00 pm
Update  15/Dec/2009: today I was contacted by NCP-E saying that "people blindly follow the advice on this website" and that it's "frustrating for them to correct mistakes that this thread generates, which frustrates both them and their customers", so before you follow the guide, I want to clarify some points: this thread is a bit out-of-date already, a newer client has been released. Also, this is only a guide how to set-up a particular connection, which I think is very common with universities and workplaces, that allows to access particular resources. For which you need an IPSec group ID, IPSec group password and your Xauth username and password, as this is the only IPSec connection type I have access to. All other situations are not included in this guide. Please don't refer to this website as your configuration guide when contacting NCP-e support, this is not  in any way a technical or support resource, it's more an example what the software is like when working with it. Thank you

Update 10/Sept/2009 (a free solution) :A free VPN client worked successfully for this IPSec connection type ! Its overview is here
 
Many companies or institutions use some sort of VPN (Virtual Private Networking) solution to protect their resources and stuff... I used Cisco VPN client to connect to my university intranet, which uses IPsec technology. But apparently Cisco VPN client does not support 64 bit operating systems!
The Cisco Systems company doesn't want to support 64bit operating systems and the old Cisco VPN client, from what I've read it seems that they are pushing their new AnyConnect VPN client, which apparently doesn't support IPsec, companies would have to upgrade a lot of stuff to use VPN with this new software (information gathered from the internet).  I think this will be even a bigger issue now, that Windows 7 is coming out soon. After 3 days of looking on the internet, trying different things such as Cisco Anyconnect, Windows built-in VPN client, Shrew client, Ovenvpn client, VPNC client, the only thing that worked for me was "universal NCP secure entry" client, so I intend to write a tutorial how to configure it, because it has A LOT more settings than Cisco VPN client and is very tricky to configure.

You can download evaluation copy of the software on: http://www.ncp-e.com/en/downloads/software.html  (go for the beta one!!! the other one gave me blue screens ).  Update: as advised by NCP-e, "it's not a good idea to have multiple VPN clients on the same platform, as the mechanisms (filter drivers) used may conflict and cause unreliable results or even system instability" and it is strongly recommended to remove other VPN clients before installing NPC-e client.

Make sure you have these settings from your old IPsec VPN client:
  • IPSec gateway (e.g. vpn.blahblah.com or 129.123.000.000)
  • IPSec ID, also known as group ID (usually just a word)
  • IPSec secret. also known as group password (also a word)
  • remote access personal username (xauth username)
  • remote access personal password (xauth password)

And maybe some other settings like
"enable transparent tunelling"
"Allow IPSec over UDP (NAT/PAT)"
"ForceKeepAlives"

"EnableNAT"
"TunnelingMode"
IKE Authmode psk
TcpTunnelingPort=10000/4500 

Also, if you have your old Cisco VPN client configuration file (*.pcf), most of the work will be done for you automatically: install NCP client and to Configuration>Profile Import>Browse for your **.pcf file and import the settings. Usually this should work straight away, if it's not working, check the settings as described below (probably tick UDP encapsulation, port 4500 in your "advanced IPSec options"), but instead of creating a new profile, click edit your imported profile. Update: as advised by NCP-e, MOST configurations do not require UDP encapsulation, "this field should only be used in very specific cases, and the vast majority of situations (read: almost ALL) do not require this, and will in fact will only thwart any connection attempts".

Manual configuration:

1) Go to Configuration>Profiles
Then click "add" to create a new profile.
On the next tab select "Link to corporate network using IPSec" and click next. Choose a name for your VPN connection (anything)>Next, select you communication media > Choose LAN (over IP) for broadband or wireless networks (or other media that you use to connect to the internet). DON'T use WLAN it can screw up your wireless drivers!




On the next page enter your IPSec gateway in the "Gateway (Tunel Point)" field and enter your xauth username (IKE username) and password(IKE password).






Next select "aggressive mode" as your exchange mode and set PFS group to "None".





Click "Next" and enter IPSec secret (also known as group password) in the "Shared Secret" field, then select "Free string used to identify groups" in "IKE ID type", and enter your Group ID (also known as IPSec ID) in IKE ID field.


On the next page select IKE config mode, as IP address assignment method and click next. And then on the next page make sure that statefull inspection is off and Netbios over IP is enabled and click finish.


You will be returned to the main window, go to Configuration> Profiles again, and click edit your profile. Navigate to "Advanced IPSec Options" on the left and tick UDP encapsulation, change the port to 4500 (or which ever port you were given).  Click OK and this configuration should work. Update: as advised by NCP-e, MOST configurations do not require UDP encapsulation, "this field should only be used in very specific cases, and the vast majority of situations (read: almost ALL) do not require this, and will in fact will only thwart any connection attempts".

Marco Manzini Landscape and Nature Photography



If you are having troubles connecting, you can see where the problem is using LOGs. To do that go to Log>Logbook





You will see a new window, that shows log text. Now try to connect to your profile, and check what error you get. I tried to identify some common error codes, although I'm not very good at advanced configurations.

Troubleshooting guide: 

1) No connection to the internet>incorrect communication medium chosen. Usually these will be displayed in red in the actual NCP window (not in log): e.g.: ISDN error, COM error: Modem not responding, Could not resolve gateway IP (this is either if you LAN/wireless LAN not working or your entered incorrect gateway address or it's down, or your firewall is blocking NCP), RAS not found.


Solution: check your internet connection, gateway address, and check communication medium settings in "Basic Settings" tab.


2) Phase1 errors: IPSec general settings tab has incorrect settings.







Solution: check IPSec general and Advanced settings:
Also some  security data maybe wrong, like: group ID, group password (if this is the case, the log will display this in red: e.g. wrong preshared key, or a window will pop-up to enter xauth password/username again).












3) Phase 2 errors: Incorrect IPSec address assignment.




Solution: check IPSec Address assignment page:

This should solve most common problems, just try different settings depending on the phase of your problem. Also you can contact me via Message Box on the right (scroll up or down to find it)    =>
Enjoy!
P.S. It would be great if you could leave any comments about this guide or click "reactions" below (funny, interesting, informative...) , thanks :)
















Update: there seem to be another program that can be used on 64bit systems: VPNC Front End, which is free and can be downloaded here:
http://sourceforge.net/projects/vpncfe/ I could not connect to my VPN server though, but try it anyway, if you want something free.

Also, there is Shrew VPN: http://www.shrew.net/download/vpn  which is also free, but it gave me blue screen :( Try alpha version (and again, I did not succeed in connection to my vpn), and I wrote the tutorial here .


10 Comments

Thomas Svensen says:

This was very useful! It downloaded the beta, imported my existing Cisco config, and voila - connected! Now my only concern is what I will do when the 30 day eval. period expires. 144 USD is a little pricey for something that my employer SHOULD be providing.


Thank you so much. I was pulling my hair out after I got the new home computer and kept getting errors trying to load the Cisco VPN software. We found a different blog abour the VCP software, and your comments about setting it up on your blog. I followed your instructions - and everything worked great the very first time. I bought the non-trial version right away. Something that works right the first time, with ease of setup is worth the price to me!


Thank You for information. I try to use NCP installed on Windows 7 64-bit to connect to Cisco 1811 on another side. Connection was successfully but i can't ping and enter any equipments on another side. After this i installed on Windows 7 virtual XP and install again same version of NCP, 32-bit, and try same connection. Connection to any eqipment on another side was fine, i can ping and telnet.
How it can be that???


Re, comment2: the decision to buy it was probably too soon (for personal use). There seem to be some free alternatives already. I think employers should buy this software and provide it free for their employees.

Re, comment3: unfortunately I don't know what causes this problem, but I have heard about some problems with pinging individual computers/devices even after the VPN tunnel has been established, it might be windows 7 firewall, or the VPN client or something else. I don't know at the moment, but if I find a solution I will post it.
Thanks


I posted a possible solution to the ping problem in the comments section of this post: http://read-stuff-here.blogspot.com/2009/09/shrew-vpn-tutorial-on-windows-64-bit.html
Let's discuss this problem there please.


ADVANCED IPSEC OPTIONS:
I had to uncheck UDP encapsulation and leave it at port 500


IDENTITIES:
ID en USER ID have to be the same
PRE-SHARED KEY and XAUTH need to be checked
SHARED SECRET AND PASSWORD had to be the same

and then it worked


Today I uninstalled NCP VPN, because my internet connection stopped working. If I go to Network Centre>Network Adapter , and click on my internet adapter,go to properties and untick NCP VPN filter, everything starts working again. I also believe this NCP filter caused blue screen 2 times in my computer when using Windows built-in PPTP VPN client.
And anyway, a free solution is already available.


Thanks a lot, it has been many hours I was looking for an answer and finally you solve it : waouh !

I have still one problem : it is my first vpn connection and I don't know after I am connected what do I have to do to have access to the network? Do I have to launch a web browser with the host adress (vpn.sample.us) ?

Thank you !


This is really complex for me.I have tried to understand this configuration but then my head just ached. I wish you have simpler steps on this. Thank you. I will be waiting for your response.


vpn


This comment has been removed by the author.

© All content on this site is copyright, except where other sources are specified. Please contact me before using any resources on this blog in any way ©