Cisco Support Community

New Member

VPN Client and dial-up

I am using a VPN Client (release 3.6.3) on a Windows 2K Platform.

I have to terminate an IPSEC tunnel on a VPN Concentrator 3030 as follows:

Before that, I have to perform a dialup connection via a GPRS terminal, and then, after authenticating on a RAS, I have to implement an IPSEC tunnel on top of that, terminating on the VPN Concentrator.

In order to spare the users from using two different windows to log in (dialup window for the first GPRS connection and VPN Client window for the second IPSEC connection), I have used the option on the VPN client "Connections->Connect to the Internet via dial-up" in order to make the client automatically activate the GPRS connection once the user launches the VPN dialer.

When the user launches the VPN dialer, the VPN dialer itself starts the GPRS connection, and, once the user authenticates on the RAS, then tries to establish the IPSEC tunnel. Unfortunately, it takes several seconds for the GPRS connection to be fully established, but the Cisco VPN Client, as soon as the first authentication has been accomplished, tries to complete the IKE phase with the VPN Concentrator.

As you can imagine, this phase fails since the first packets get lost because the GPRS connection is not fully established at that moment. As a consequence I must restart the IPSEC connection from the VPN Dialer. At the second attempt, it works.

Since the customer wants to maintain a single window for the login, I think I could solve the issue if I were able to tell the VPN dialer to wait several seconds after having established the first dialup connection, before starting the IPSEC connection. In this way I would be sure that when the IPSEC connection starts the GPRS connection is fully established.

I read the documentation, but I did not find any indication, neither in the GUI nor in the .pcf file documentation.

Have you got any suggestions for this issue, for instance a special setting on the VPN Client or VPN Concentrator, or also a dialup script that I could send to the first RAS in order to instruct it to wait several seconds after the first successful authentication?

Keep in mind that I tried all the different methods (IPSEC, IPSEC over UDP, IPSEC over TCP), but in all the cases the result is the same.

Thanks for your availability and for the patience in reading the whole message.

Regards

2 REPLIES
Cisco Employee

Re: VPN Client and dial-up

Paolo, we are investigating a possible solution that will handle the GPRS dialup environment. I would like to discuss our proposal for this. Please email me at nerodrig@cisco.com so we can start our conversation.

In simple terms, the proposal goes like this:

1) VPN client starts connection and waits for the GPRS RAS to hand it an IP address. Since the reception of an IP address doesn't necessarily always mean the dialup link is operational, we'll have the client wait a set time before initiating the IKE tunnel.

2) a configurable parameter in the vpnclient.ini file would have this wait time (GRPS-DialUp_Wait = # (seconds)).

I believe this would do it. Anyway, we'll investigate this further to make sure we don't break anything else.

Please email me.

Thanks.

Nelson Rodrigues

Cisco Employee

Re: VPN Client and dial-up

Paolo, we have implemented a fix for this in VPN Client 3.6.3.B (enhancement bug CSCdz56951 - VPN dial up wait before tunnel establishment).

Resolution:

Our normal behavior is to dial the RAS connection and then go to the next phase, which is IKE negotiations. But to resolve this issue, we will dial the RAS connection and then wait a few seconds (user configured) before starting the IKE negotiations.

The default behavior of the VPN Client remains unchanged. But if users want to wait after dialing the RAS connection, they can do that by modifying the vpnclient.ini file. This file is located in the installation directory (generally "C:\Program Files\Cisco Systems\VPN Client"). Users will have to add another parameter under main as follows:

[main]

DialupWait=x

where x is in seconds. The default value is 0 seconds. If we do wait, the following info message is logged to the log viewer:

"Waiting x seconds per user request"

This wait would happen if the VPN Client is used to dial the connection, or if the VPN Gui is used to configure a third-party dialer for dialing the connection.

Please try it out and let us know how it works for you !!!!
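
For rolling the `DialupWait` setting described above out to more than one machine, here is an added example (not from this thread and not Cisco's code): a Python function that sets `DialupWait` under `[main]` in the text of a vpnclient.ini and passes every other line through untouched. The function names, the sample file contents in the comments, and the case-insensitive matching of section and key names are assumptions.

```python
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Assumption: match the key case-insensitively so an existing line with
# different casing is replaced instead of duplicated.
KEY_RE = re.compile(r"^\s*DialupWait\s*=", re.IGNORECASE)


def _add_setting(out, setting):
    """Insert the setting before any blank lines that trail the section."""
    i = len(out)
    while i > 0 and not out[i - 1].strip():
        i -= 1
    out.insert(i, setting)


def set_dialup_wait(ini_text, seconds):
    """Return ini_text with DialupWait=<seconds> set once under [main].

    Line-based on purpose: unrelated settings, their order and the file's
    line endings survive the edit, and re-running it changes nothing.
    """
    if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds < 0:
        raise ValueError("DialupWait must be a non-negative whole number of seconds")

    newline = "\r\n" if "\r\n" in ini_text else "\n"
    setting = f"DialupWait={seconds}"
    out, in_main, seen_main, written = [], False, False, False

    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if in_main and not written:
                # Leaving [main] without the key: add it before the next section.
                _add_setting(out, setting)
                written = True
            in_main = m.group("name").strip().lower() == "main"
            seen_main = seen_main or in_main
        elif in_main and KEY_RE.match(line):
            if written:
                continue  # drop duplicate DialupWait lines
            line, written = setting, True
        out.append(line)

    if not written:
        if not seen_main:
            out.append("[main]")  # file had no [main] section at all
        _add_setting(out, setting)
    return newline.join(out) + newline
```

Read the file, pass its text through `set_dialup_wait`, and write the result back only if it differs; the "Waiting x seconds per user request" log message quoted above confirms the client picked the value up.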
