I am using a VPN Client (release 3.6.3) on a Windows 2K Platform.
I have to terminate an IPSEC tunnel on a VPN Concentrator 3030 as follows:
First I have to perform a dialup connection via a GPRS terminal, and then, after authenticating on a RAS, I have to implement an IPSEC tunnel above that, terminating on the VPN Concentrator.
In order to avoid users having to use two different windows to log in (dialup window for the first GPRS connection and VPN Client window for the second IPSEC connection), I have used the option on the VPN client "Connections->Connect to the Internet via dial-up" in order to make the client automatically activate the GPRS connection once the user launches the VPN dialer.
When the user launches the VPN dialer, the VPN dialer itself starts the GPRS connection, and, once the user authenticates on the RAS, then tries to establish the IPSEC tunnel. Unfortunately, it takes several seconds for the GPRS connection to be fully established, but the Cisco VPN Client, as soon as the first authentication has been accomplished, tries to complete the IKE phase with the VPN Concentrator.
As you can imagine, this phase fails since the first packets get lost because the GPRS connection is not fully established at that moment. As a consequence I must restart the IPSEC connection from the VPN Dialer. At the second attempt, it works.
Since the customer wants to maintain a single window for the login, I think I could solve the issue if I were just able to tell the VPN dialer to wait several seconds after having established the first dialup connection, before starting the IPSEC connection. In this way I would be sure that when the IPSEC connection starts the GPRS connection is fully established.
I read the documentation, but I did not find any indication, neither in the GUI nor in the .pcf file documentation.
Have you got any suggestions for this issue, for instance a special setting on the VPN Client or VPN Concentrator, or also a dialup script that I could send to the first RAS in order to instruct it to wait several seconds after the first successful authentication?
Keep in mind that I tried all the different methods (IPSEC, IPSEC over UDP, IPSEC over TCP), but in all the cases the result is the same.
Thanks for your availability and for the patience in reading the whole message.
Paolo, we have implemented a fix in VPN Client 3.6.3.B for this (enhancement bug CSCdz56951 - VPN dial up wait before tunnel establishment).
Resolution:
Our normal behavior is to dial the RAS connection and then go to the next phase, which is IKE negotiations. But to resolve this issue, we will dial the RAS connection and then wait a few seconds (user configured) before starting the IKE negotiations.
The default behavior of the VPN Client remains unchanged. But if users want to wait after dialing the RAS connection, they can do that by modifying the vpnclient.ini file. This file is located in the installation directory (generally "C:\Program Files\Cisco Systems\VPN Client"). Users will have to add another parameter under main as follows:
where x is in seconds. The default value is 0 seconds. If we do wait, the following info message is logged to the log viewer:
"Waiting x seconds per user request"
This wait would happen if the VPN Client is used to dial the connection, or if the VPN Gui is used to configure a third-party dialer for dialing the connection.
Please try it out and let us know how it works for you !!!!