
Connecting to a VPN using the Cisco VPN Client under Windows 8 x64 (almost solved)

Hello!

Although the Windows 8 Compatibility Center claims that the Cisco VPN Client is fully compatible with the new operating system, I managed to get this client working only after some nontrivial steps and, alas, for many cases but not mine.

I hope, however, that this information will be useful and that, perhaps, the collective mind will help solve the problem completely.

So, given: a VPN built on Cisco equipment and the need to connect to it from 64-bit Windows 8 Professional. First, install the latest available version of the Cisco VPN Client, 5.0.07.0440. Installation goes through without any complications. Import your favorite .pcf file with the connection settings and try to connect. This is where the problems begin:

Problem number one: error "Reason 442: Failed to enable Virtual Adapter"


This problem is solved by correcting a value in the registry. To do this:
  1. Open the Registry Editor (type "regedit" in the search bar and run the application that is found);
  2. Find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA;
  3. Find the DisplayName value;
  4. Its data contains something like "oem4.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows". Change it so that only "Cisco Systems VPN Adapter for 64-bit Windows" remains.
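The same registry edit as a PowerShell script for an elevated prompt. This is an added example, not part of the original post; the helper name `Get-CleanDisplayName` and the backup file name are assumptions made here. It saves the old value before writing and does nothing if the value is already clean.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Registry path and value name are the ones given in steps 2 and 3 above.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CVirtA'

# Hypothetical helper: returns the friendly name from a DisplayName such as
# "<inf reference>,%CVirtA_Desc%;<friendly name>" by keeping the text after the last ';'.
# A value that contains no ';' is treated as already clean.
function Get-CleanDisplayName {
    param([string]$Value)
    $idx = $Value.LastIndexOf(';')
    if ($idx -lt 0) { return $Value.Trim() }
    return $Value.Substring($idx + 1).Trim()
}

if (-not (Test-Path -LiteralPath $key)) {
    throw "Key $key not found; is the Cisco VPN Client installed?"
}

# -ErrorAction Stop turns a missing DisplayName value into a terminating error.
$current = (Get-ItemProperty -LiteralPath $key -Name DisplayName -ErrorAction Stop).DisplayName
$clean   = Get-CleanDisplayName -Value $current

if ($clean -eq $current) {
    Write-Host "DisplayName is already clean: '$current'"
}
elseif ([string]::IsNullOrWhiteSpace($clean)) {
    # Nothing usable after the last ';' - leave the registry untouched.
    throw "Refusing to write an empty DisplayName (current value: '$current')"
}
else {
    # Assumed backup location; keeps the original value so the edit can be reverted by hand.
    $backup = Join-Path $env:TEMP 'CVirtA-DisplayName.bak.txt'
    Set-Content -LiteralPath $backup -Value $current -Encoding UTF8
    Set-ItemProperty -LiteralPath $key -Name DisplayName -Value $clean
    Write-Host "DisplayName changed from '$current' to '$clean'"
    Write-Host "Original value saved to $backup"
}
```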

A reboot is not required after updating the registry. The virtual adapter is now found successfully, and if authentication uses a shared key (no client certificate required), the problems end here.

If authentication is performed with a certificate, we get the following:

Problem number two: "Reason 403: Unable to contact security gateway"


It is assumed that the certificate (one that does not require a private key on a separate eToken device) has been imported normally into the user certificate store (User Store). Even so, the client log shows the following message: “Could not load certificate [certificate description] from store Microsoft User Certificate. Reason: store empty.” That is, although the certificate is present in the store, the VPN Client does not see it.

There were two ways to solve this problem:
  1. Move the certificate from the User Store to the Local Computer Store;
  2. Modify the settings of the “Cisco Systems, Inc. VPN Service” service on the “Log On” tab, forcing the service to run under a user account (the same account under which we logged in to the system and are trying to connect).

Moving to the next level: now we have key authentication using an eToken (Aladdin). We have a program that comes with the key (eToken PKI Client) which, when the USB token is plugged into the machine, automatically places the certificate from the token into the user certificate store (this is why I solved problem number two using the second method). When trying to connect to the VPN in this configuration, we get the following error:

Problem number three (unresolved): “Reason 401: An unrecognized error occured while establishing the VPN connection”


In the client log you can see the message “Failed to generate signature: signature generation failed” and other, even less informative messages. Here, unfortunately, is a dead end: the log messages shed no light on the essence of the problem, and it is not clear where to dig next.

I hope I am not alone with this issue and that someone will prove more clever and successful.

UPD: As an alternative, you can connect with the Shrew Soft VPN Client, which runs on Windows 8 without problems (an article about installing and configuring this program has already appeared on Habr). The program has one drawback: it cannot work with certificates from the Windows certificate stores (certificates must be loaded from a file when setting up a connection), which also does not suit the eToken case.

Source: https://habr.com/ru/post/157807/

