IPsec VPN on windows 64 bit with NCP universal VPN client (NCP secure entry client configuration)

Update  15/Dec/2009: today I was contacted by NCP-E saying that "people blindly follow the advice on this website" and that it's "frustrating for them to correct mistakes that this thread generates, which frustrates both them and their customers", so before you follow the guide, I want to clarify some points: this thread is a bit out-of-date already, a newer client has been released. Also, this is only a guide how to set-up a particular connection, which I think is very common with universities and workplaces, that allows to access particular resources. For which you need an IPSec group ID, IPSec group password and your Xauth username and password, as this is the only IPSec connection type I have access to. All other situations are not included in this guide. Please don't refer to this website as your configuration guide when contacting NCP-e support, this is not  in any way a technical or support resource, it's more an example what the software is like when working with it. Thank you

Update 10/Sept/2009 (a free solution) :A free VPN client worked successfully for this IPSec connection type ! Its overview is here ! 
 

Many companies or institutions use some sort of VPN (Virtual Private Networking) solution to protect their resources and stuff... I used Cisco VPN client to connect to my university intranet, which uses IPsec technology. But apparently Cisco VPN client does not support 64 bit operating systems!
The Cisco Systems company doesn't want to support 64bit operating systems and the old Cisco VPN client, from what I've read it seems that they are pushing their new AnyConnect VPN client, which apparently doesn't support IPsec, companies would have to upgrade a lot of stuff to use VPN with this new software (information gathered from the internet).  I think this will be even a bigger issue now, that Windows 7 is coming out soon. After 3 days of looking on the internet, trying different things such as Cisco Anyconnect, Windows built-in VPN client, Shrew client, Ovenvpn client, VPNC client, the only thing that worked for me was "universal NCP secure entry" client, so I intend to write a tutorial how to configure it, because it has A LOT more settings than Cisco VPN client and is very tricky to configure.

You can download evaluation copy of the software on: http://www.ncp-e.com/en/downloads/software.html  (go for the beta one!!! the other one gave me blue screens ).  Update: as advised by NCP-e, "it's not a good idea to have multiple VPN clients on the same platform, as the mechanisms (filter drivers) used may conflict and cause unreliable results or even system instability" and it is strongly recommended to remove other VPN clients before installing NPC-e client.

Make sure you have these settings from your old IPsec VPN client:

• IPSec gateway (e.g. vpn.blahblah.com or 129.123.000.000)
• IPSec ID, also known as group ID (usually just a word)
• IPSec secret. also known as group password (also a word)
• remote access personal username (xauth username)
• remote access personal password (xauth password)

And maybe some other settings like
"enable transparent tunelling"
"Allow IPSec over UDP (NAT/PAT)"
"ForceKeepAlives"
"EnableNAT"
"TunnelingMode"
IKE Authmode psk
TcpTunnelingPort=10000/4500 

Also, if you have your old Cisco VPN client configuration file (*.pcf), most of the work will be done for you automatically: install NCP client and to Configuration>Profile Import>Browse for your **.pcf file and import the settings. Usually this should work straight away, if it's not working, check the settings as described below (probably tick UDP encapsulation, port 4500 in your "advanced IPSec options"), but instead of creating a new profile, click edit your imported profile. Update: as advised by NCP-e, MOST configurations do not require UDP encapsulation, "this field should only be used in very specific cases, and the vast majority of situations (read: almost ALL) do not require this, and will in fact will only thwart any connection attempts".

Manual configuration:

1) Go to Configuration>Profiles
Then click "add" to create a new profile.
On the next tab select "Link to corporate network using IPSec" and click next. Choose a name for your VPN connection (anything)>Next, select you communication media > Choose LAN (over IP) for broadband or wireless networks (or other media that you use to connect to the internet). DON'T use WLAN it can screw up your wireless drivers!

On the next page enter your IPSec gateway in the "Gateway (Tunel Point)" field and enter your xauth username (IKE username) and password(IKE password).

Next select "aggressive mode" as your exchange mode and set PFS group to "None".

Click "Next" and enter IPSec secret (also known as group password) in the "Shared Secret" field, then select "Free string used to identify groups" in "IKE ID type", and enter your Group ID (also known as IPSec ID) in IKE ID field.


On the next page select IKE config mode, as IP address assignment method and click next. And then on the next page make sure that statefull inspection is off and Netbios over IP is enabled and click finish.

You will be returned to the main window, go to Configuration> Profiles again, and click edit your profile. Navigate to "Advanced IPSec Options" on the left and tick UDP encapsulation, change the port to 4500 (or which ever port you were given).  Click OK and this configuration should work. Update: as advised by NCP-e, MOST configurations do not require UDP encapsulation, "this field should only be used in very specific cases, and the vast majority of situations (read: almost ALL) do not require this, and will in fact will only thwart any connection attempts".

If you are having troubles connecting, you can see where the problem is using LOGs. To do that go to Log>Logbook





You will see a new window, that shows log text. Now try to connect to your profile, and check what error you get. I tried to identify some common error codes, although I'm not very good at advanced configurations.

Troubleshooting guide: 

1) No connection to the internet>incorrect communication medium chosen. Usually these will be displayed in red in the actual NCP window (not in log): e.g.: ISDN error, COM error: Modem not responding, Could not resolve gateway IP (this is either if you LAN/wireless LAN not working or your entered incorrect gateway address or it's down, or your firewall is blocking NCP), RAS not found.


Solution: check your internet connection, gateway address, and check communication medium settings in "Basic Settings" tab.

2) Phase1 errors: IPSec general settings tab has incorrect settings.

Solution: check IPSec general and Advanced settings:
Also some  security data maybe wrong, like: group ID, group password (if this is the case, the log will display this in red: e.g. wrong preshared key, or a window will pop-up to enter xauth password/username again).

3) Phase 2 errors: Incorrect IPSec address assignment.

Solution: check IPSec Address assignment page:

This should solve most common problems, just try different settings depending on the phase of your problem. Also you can contact me via Message Box on the right (scroll up or down to find it)    =>
Enjoy!
P.S. It would be great if you could leave any comments about this guide or click "reactions" below (funny, interesting, informative...) , thanks :)

Update: there seem to be another program that can be used on 64bit systems: VPNC Front End, which is free and can be downloaded here: http://sourceforge.net/projects/vpncfe/ I could not connect to my VPN server though, but try it anyway, if you want something free.

Also, there is Shrew VPN: http://www.shrew.net/download/vpn  which is also free, but it gave me blue screen :( Try alpha version (and again, I did not succeed in connection to my vpn), and I wrote the tutorial here .