A 64-Bit VPN Client for Vista
ccie-sec February 28th, 2009
A few weeks ago, I decided to upgrade my home workstation to accommodate GNS3 and VMWare. This was mainly done so that I would have a performance-tuned workstation when studying IE’s workbook labs for my Security track. I originally configured the machine to dual-boot Fedora v8.0 x86 and Micro2003. After upgrading the machine from 2GB to 8GB of memory, I soon realized there were limitations for each operating system and that they couldn’t access the additional memory. For my Fedora instance, all I had to do was run ‘yum install kernel-PAE’ and now my Linux instance could utilize the entire 8GB. When I start the machine up in Runlevel 3, Fedora only uses 500K of the memory, so the rest is free for emulating.
My windows instance, however, was more of a challenge. For those of you who are unaware, Micro2003 is just an nLite version of Windows 2003 Enterprise. Reading through Microsoft’s data sheets reveals that 8GB is supported for the enterprise version. Despite all the research and configuration changes I made (i.e. adding the /PAE switch to the boot.ini, changing the registry settings, or manually updating the ntoskrnl.exe file), I couldn’t get Micro2003 to recognize more than 3.5GB of memory. In my attempts at isolating this memory problem, I formatted the drive and installed the full Windows 2003 Enterprise version which didn’t help my cause in any way because only 3.5GB was recognized.
I was a little frustrated at this point and started Googling around for alternative operating systems. Then I stumbled upon Damn Tiny Vista and decided to install it. Whoever created this nLite version of Vista left in the ability to connect to and disconnect from CIFS shares, which is a huge plus since Micro2003 didn’t support it. Now the full 8GB is recognized and usable. After a few hours of playing around with the OS, I decided to test it out and attempted to conduct some work through a VPN session. I connected into our WEBVPN portal and Cisco’s AnyConnect VPN Client version 2.2.0133 installed without any issues.
The firewall bundle we use for our portal came with 750 client licenses and 2 WEBVPN licenses. The popularity of WEBVPN access has increased, so now I find myself fighting to even use it. On occasion, I’ve reverted back to using the actual client. The problem now is that Cisco’s VPN Client is not supported on 64-bit operating systems, nor do they have plans for upgrading it. Their primary focus is to develop AnyConnect, so I was left with finding another client software solution. I found NCP Secure, and it is supported on Vista. Installing the application was straightforward.
The only real issue I had with the software was that it couldn’t import my .pcf files as stated, so I had to configure my connections manually.
For those that are interested in the actual configuration, here’s what my ASA configuration looks like:
ip local pool EZVPN-Pool 10.2.2.217-10.2.2.223 mask 255.255.255.248
crypto ipsec transform-set EZVPNSET esp-3des esp-md5-hmac
crypto dynamic-map EZVPNDYN 20 set transform-set EZVPNSET
crypto dynamic-map EZVPNDYN 20 set security-association lifetime seconds 28800
crypto dynamic-map EZVPNDYN 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map EZVPNDYN 20 set reverse-route
crypto map secure 20 ipsec-isakmp dynamic EZVPNDYN
crypto map secure interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool EZVPN-Pool
 default-group-policy EZVPN
tunnel-group EZVPN ipsec-attributes
 pre-shared-key TEST
And here’s what my NCP configuration looks like:
Basic Settings:
-Profile Name: WORK_VPN
-Communication Medium: LAN (over IP)
Line Management:
-Connection Mode: manual
-Inactivity Timeout (sec): 3600
IPSec General Settings:
-Gateway (Tunnel Endpoint): 194.4.4.44
-Policies:
–IKE Policy: PSK-3DES-MD5-DH2
–IPSec Policy: ESP-3DES-MD5
–Exch. Mode: Aggressive Mode
–PFS Group: none
–Policy Lifetimes:
—IKE Policy
—-Duration: 000:08:00:00
—IPSec Policy
—-Life Type: both
—-Duration: 000:08:00:00
—-kBytes: 4608000
Advanced IPSec Options:
-IPSec Compression
Identities:
-Local Identity:
–IKE ID-Typ: Free string used to identify groups
–IKE ID: EZVPN
-Pre-shared Key
–Shared Secret: TEST
–Confirm Secret: TEST
–Certificate Configuration: none
-Extended Authentication (XAUTH)
–User ID: netops
–Password: OCSIC
–from the configuration above
IP Address Assignment:
-Assignment of the Private Address: IKE config mode
-IP Address: 0.0.0.0
Link Firewall:
-Stateful Inspection: off
The key to getting this client software to connect to the firewall gateway successfully is verifying all your settings. If you run into any connection issues, my suggestion would be to use the Log>Logbook feature to review your logs, or if you have a backdoor into your firewall (tsk tsk), you could run ‘debug crypto isakmp sa’ to help narrow down the issue.
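Because most failed Phase 1/Phase 2 negotiations come down to a client profile that does not match the gateway, here is an added example (my own script, not part of the original post or NCP’s software) that derives the NCP profile values implied by the ASA crypto configuration above and reports any disagreement with the client profile. It assumes the NCP lifetime field is laid out as DDD:HH:MM:SS, as the 000:08:00:00 value shown in the profile suggests, and the profile keys are my own labels for the settings listed.

```python
import re
# Constructed copy of the ASA crypto lines from the post (only the lines the check needs).
ASA_CONFIG = """
crypto ipsec transform-set EZVPNSET esp-3des esp-md5-hmac
crypto dynamic-map EZVPNDYN 20 set security-association lifetime seconds 28800
crypto dynamic-map EZVPNDYN 20 set security-association lifetime kilobytes 4608000
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group EZVPN type remote-access
"""

# Constructed from the NCP profile listed in the post; the dict keys are my labels.
NCP_PROFILE = {
    "IKE Policy": "PSK-3DES-MD5-DH2",
    "IPSec Policy": "ESP-3DES-MD5",
    "IKE ID": "EZVPN",
    "IPSec Duration": "000:08:00:00",
    "IPSec kBytes": "4608000",
}

def ncp_duration(seconds):
    """Render seconds as DDD:HH:MM:SS (assumed layout of the NCP lifetime field)."""
    d, rem = divmod(int(seconds), 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return f"{d:03d}:{h:02d}:{m:02d}:{s:02d}"

def expected_from_asa(config):
    """Map the ASA isakmp policy, transform set and tunnel-group onto NCP profile values."""
    def first(pat):
        return re.search(pat, config, re.M).group(1)
    auth = {"pre-share": "PSK"}[first(r"^\s*authentication (\S+)")]
    enc, hsh, dh = (first(r"^\s*encryption (\S+)").upper(),
                    first(r"^\s*hash (\S+)").upper(), first(r"^\s*group (\d+)"))
    ts = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", config)
    return {
        "IKE Policy": f"{auth}-{enc}-{hsh}-DH{dh}",
        "IPSec Policy": f"ESP-{ts.group(1).upper()}-{ts.group(2).upper()}",
        "IKE ID": first(r"^tunnel-group (\S+) type remote-access"),  # group name = IKE ID
        "IPSec Duration": ncp_duration(first(r"lifetime seconds (\d+)")),
        "IPSec kBytes": first(r"lifetime kilobytes (\d+)"),
    }

def mismatches(config, profile):
    """Return {setting: (client value, gateway-derived value)} for every disagreement."""
    return {k: (profile.get(k), v) for k, v in expected_from_asa(config).items()
            if profile.get(k) != v}
```

An empty result means the client profile agrees with the gateway on every setting checked; a non-empty one names the field to fix before reaching for the ASA debugs.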
