47

Cisco VPN client (IPsec) does not support 64bit Windows.

Worse, Cisco does not even plan to release a 64-bit version, instead they say that
"For x64 (64-bit) Windows support, you must utilize Cisco's next-generation Cisco AnyConnect VPN Client."

But SSL VPN licences cost extra. For example, most new ASA firewalls come with plenty of IPSec VPN licences but only a few SSL VPN licences.

What alternatives do you have for 64-bit Windows? So far, I know two:

  1. 32-bit Cisco VPN Client on a virtual machine
  2. NCP Secure Entry Client on 64-bit Windows

Any other suggestions or experiences?

splattne
  • 28,348
  • 19
  • 97
  • 147
mika
  • 1,466
  • 2
  • 12
  • 18
  • THere is a 64-bit client for cisco VPN. I have it installed and running at home, to connect to one of my clients. ..thomas at socialcash.com and I will send it to you. – Thomas Denton May 19 '09 at 03:08
  • I was mistaken, my NE pulled a fast one on me and used anyconnect vs the IPSEC version. Sorry for the confusion. -T – Thomas Denton May 27 '09 at 11:06
  • The problem is if you have an older PIX, then you may find that while you *can* install the AnyConnect client, your firewall doesn't support it. Cisco's documentation on just what will work is a wee bit cryptic, and I haven't really tested AnyConnect with a PIX, but I *can* say that ShrewSoft VPN client for Windows works well in Win7 x64, RC at least. – nray Sep 11 '09 at 13:07
  • Ok, so the question is that your wanting specifically a "IPSec type of client" which the Cisco AnyConnect doesn't qualify as? – djangofan Mar 18 '11 at 23:18

16 Answers16

50

Hmm, nobody mentioned Shrew Soft VPN Client yet ? It's a free (as in beer) and cross platform VPN client that compatible with Windows 64 bit. Although free, but support from the author has been great. Currently it doesn't support hybrid xauth+certificate mode but the feature will come soon.

Lancom also provides a 64 bit VPN Client for Windows, but IMO they just resell/rebrand NCP's Client.

You can also try TheGreenBow VPN Client, which is a bit cheaper (56 EUR) than NCP/Lancom's client.

Doug Luxem
  • 9,592
  • 7
  • 49
  • 80
Lamnk
  • 1,075
  • 3
  • 11
  • 17
  • 3
    Shrew is nice! But there's one downside. You cannot import Cisco VPN client profiles (.pcf files). You can manually copy an existing Cisco profile to a new Shrew profile, but only if you know the pre-shared key. This means that you can't use Shrew if you only have profiles with hashes of pre-shared keys given to you, and no hope of getting the actual key. NCP can import .pcf files and use psk hashes. – mika Jun 08 '09 at 14:13
  • Yes, I look at Shrew, but the lack of PCF import is a killer for me.... – marc_s Jun 22 '09 at 09:58
  • Then make a request to the author. IMO it's not very hard to implement that feature – Lamnk Jun 27 '09 at 01:55
  • 11
    PCF import was added in version 2.1.5 – mika Aug 03 '09 at 08:53
  • 7
    Just downloaded and tried the latest RC, and gotta say... This is great! Imported my PCF files without complaint, connected without issue. Simple UI, sane options, **fast**... Cisco should fire their programmers and *beg* these guys for a distribution license. – Shog9 Aug 04 '09 at 21:37
  • FYI: Tried installing their latest stable for-vista-64bit on Windows 7 Ultimate. It caused a blue screen and blue screen to appear on subsequent boots. I fixed the bluescreen by running the uninstaller in the program files directory and deleting the registry entries associated with shrewsoft. – Brian Webster Aug 31 '09 at 03:30
  • I'm on Windows 7 Enterprise, and this caused a bluescreen during install and then bluescreened during boot. Had to repair Windows before I could boot again. Stay away from this if you're on Windows 7. – Adam Lassek Sep 08 '09 at 16:53
  • @mika You should be moving away from pcf files anyway. The "hashed" pre-shared keys are extremely trivial to hack. – GregD Jan 21 '10 at 14:12
  • 1
    Note that Windows 7 is now supported as of 12/15/2009 – MattC Mar 03 '10 at 21:53
  • It's a real shame it doesn't support pre-login connections for AD/Domain Logins... – Christopher Edwards Nov 30 '10 at 15:09
  • @Christopher: I suggest you contact the author, he does listen to feature requests (unlike Cisco) – Lamnk Nov 30 '10 at 19:22
  • @Lamnk: The feature is on the planned list according to the site. – Christopher Edwards Dec 01 '10 at 08:52
8

I just tried this free IPsec VPN client, it works well in vista x64 and win 7 RC x64. I was also able to import a cisco .pcf directly into shrew. Just select the pcf file and import.

www.shrew.net/software

Shrew has supports for windows, linux and BSD

There is no need to buy NCP

MiDiMaN
  • 81
  • 1
  • 1
7

Cisco now supports the 64-bit OS with an IPsec VPN client, see Release Notes for Cisco VPN Client, Release 5.0.07.

Peter Mortensen
  • 2,319
  • 5
  • 23
  • 24
4

I am using Windows 7 RC 64-bit and I run the Cisco VPN client in "Virtual XP" mode. It works great, pretty seamless. Probably doesn't help you much right now, but good to know you can use it when Windows 7 is released.

  • I tried this, but had no luck... the program runs, but I can't connect to VPN. Did you have to do something special? – Jim Geurts Jun 10 '09 at 18:21
  • This works great for me. I did nothing special... I just setup an "XP Mode" VM and installed the 32bit Cisco client within and it works. – Brian Webster Sep 03 '09 at 23:01
4

On our Cisco VPN, we have Point-to-Point Tunnel Protocol (PPTP) tunneling method configured which allows us to use the native Windows client. That's the only way we've been able to get Vista 64-bit users to connect.

Joseph
  • 3,787
  • 26
  • 33
4

The Shrew Soft VPN Client is awesome. Just make sure to go with the Windows 7 supported version (currently 2.1.5-rc-3) if you are installing on Windows 7. Otherwise you'll get a BSOD during the install.

jswoods7
  • 196
  • 1
  • 3
3

Cisco has an official 64-bit VPN client in beta:

In addition to serving as a general maintenance release, the Cisco VPN Client 5.0.7 beta is compatible with Windows 7 & Windows Vista 64-bit environments. A 64-bit specific compatible image is available for installation on these platforms.

Please have communicate feedback (both positive and problems) to cvc-beta@cisco.com.

Key Capabilities available for Beta Testing: New Platform support – Windows 7 & Windows Vista 64-bit platform compatibility Software Access: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281940730 (under 5.BETA) Software is available for download by any customer with a Cisco.com SMARTnet™ enabled login.

There are currently no plans to support Windows XP 64 bit in the VPN client.

The Version 5 clients no longer have the integrated stateful firewall, you need to add a 3rd party firewall if desired.

2

Use OpenVPN. It's open source, rock solid, very flexible and cross platform.

David Schmitt
  • 2,165
  • 2
  • 15
  • 25
  • 1
    I would prefer to use the VPN solution that ALL our clients use, namely Cisco IPsec VPN. Having multiple vpn solutions to manage does not add any value. However, at home and in university networks I have found OpenVPN to work well, if little slow – mika May 06 '09 at 11:14
2

Cisco released a new licensing model around May/June called AnyConnect Essentials that is a significantly cheaper alternative than the original SSL VPN licensing. Street price for the ASA5510 is $105. This is for the full 250 users, not per user.

2

I have got Shrew Soft 2.1.5-RC4 working with our Cisco VPN Concentrator 3005, on both Windows Vista Ultimate 64 bit and Windows 7 Professional 64 bit.

I had to set up a new profile on the VPN concentrator that used pre shared keys rather than a certificate for each user.

Then on a spare x86 laptop, I installed the traditional Cisco client 5.x, made sure I could connect to the new profile. Then I exported the PCF file and imported it into the Shrew Soft x64 client. Everything worked!

Ian Burrowes
  • 21
  • 2
1

I'm using VPNC Front End on XP, Vista 32/64 and Seven and both 32 and 64 bit. http://sourceforge.net/projects/vpncfe/

It also can impost cisco'd PCF file with VPN cinfig data.

Install this tool as admin and Run it as admin, on both Vista/Win7. While you are on Win7, run it in compatibility mod as Vista, if you have problems.

Alex
  • 171
  • 1
  • 5
1

We contacted the Cisco support a few weeks ago and this week we just received the Cisco VPN Client 5.0.07 BETA for Windows X64, not SSL VPN or Cisco AnyConnect - the real IPsec client.

If you have a valid support contract, maybe just try to get and use this beta.

It works great!

Peter Mortensen
  • 2,319
  • 5
  • 23
  • 24
1

Cisco has a beta out that works with the 64bit version of Windows 7. I downloaded it and tested it out... it worked for me.

Cisco link for Cisco VPN Client v5.0.7 beta http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281940730

hope this helps! Lid

1

2010-04-13, a 64-bit client (not beta) can be found at Download Software, Cisco VPN Client v5.x, Release 5.0.07.0290.

Peter Mortensen
  • 2,319
  • 5
  • 23
  • 24
1

But SSL VPN licences cost extra.

Really? We recently switched to 64-bit desktops, and hence switched from the Cisco IPSec client to Cisco AnyConnect, and we were not required to pay any additional licenses.

Do you have a Cisco rep? You might want to take it up with them.

Portman
  • 5,263
  • 4
  • 27
  • 31
  • So Cisco AnyConnect VPN handles IPSec VPN too? From their website I thought, that it is only for SSL VPN. – Kazimieras Aliulis May 06 '09 at 12:41
  • Ok. We are a small shop with one ASA 5510, and go with the default licensing schemes. There are 6 licencing options for SSL VPN Peers (2-250 peers) and no options for IPsec (250) (http://bit.ly/RXjMH). I remember reading that AnyConnect could support IPsec some day, but for the moment, it doesn't. – mika May 06 '09 at 13:07
  • From what I understand, Cisco includes 2 SSLVPN licenses with their software. I don't think it does any kind of check, though. You could use more than 2, but you're not licensed unless you actually purchase the extra licenses. – a_hardin May 06 '09 at 15:35
  • I *believe* we are using IPSec over AnyConnect. I'll double-check. – Portman May 06 '09 at 20:21
  • PW...we have licenses for each of us at the company..when we were 40 not everyone could be on at the same time. a 5510 comes with a default number of seats as part of the "IOS" At some point it is tracked on a connection basis....also we are doing DTLS over Anyconnect not IPSEC. – Thomas Denton May 19 '09 at 03:05
-2

My first reaction was why not use Microsoft's VPN?

You have the client, and you have the server.

Ian Boyd
  • 5,131
  • 14
  • 57
  • 79