Cisco Support Community

Cisco VPN Client v4.0 running to VPN3015 with 3.6.5

We have a VPN3015 running 3.6.5. The new client v4.0 works fine with preshared key connections but fails with certificate-based users.

Does anyone know if you can run client v4.0 with certificate-based auth and xauth to a concentrator running 3.6.5?

Logging shows that the cert. passes but you then start seeing out-of-sequence packets.

Any help would be appreciated.



Re: Cisco VPN Client v4.0 running to VPN3015 with 3.6.5

Firstly, certificates signed by one of the following Certificate Authorities are supported: Baltimore Technologies, Entrust Technologies, Netscape, Verisign Inc., Microsoft Certificate Services Windows 2000, or a digital certificate stored on a smart card. The VPN Client supports smart cards via the MS CAPI Interface. Make sure that you are using one of these.

Second, bug CSCdt11315 talks about problems in loading certificates from the certificate store while using certificates with Windows NT SP3. You should probably have a look at the same. Another issue that might be to blame is that the VPN client using Start Before Logon (SBL) and Microsoft Machine-based certificates fails. The problem in this case is not with the client.


Re: Cisco VPN Client v4.0 running to VPN3015 with 3.6.5

Thanks for the reply. We are using MS Cert. Services on a Win2K platform. The system is working perfectly for clients that are 3.6.2b but I wanted to test the new v4.0 client and found that it only works with preshared keys and not with a certificate that functions with the earlier client 3.6. I am thinking that the concentrator needs to be updated to handle the PKI between the new client and itself.

We don't use the SBL feature; actually, I was hoping that Cisco would have included the Cisco client as a service instead of a GINA applet on login.