How to fix/install the Cisco VPN Client on Windows 10 (64 bit)

I have just upgraded from Windows 7 to Windows 10. The first thing I needed to check (since my work depends on it) is that I can use the Cisco VPN Client. Just to clarify, this is not the AnyConnect client, but the old client (v5.0.07).

I had heard that there are problems with this, since it isn’t a supported Windows 10 application, and isn’t going to be either (since Cisco want people to use the AnyConnect client).

Anyway, problems did arise, and this is how I solved them.

First I uninstalled the existing Cisco VPN Client. I took a copy of the Profiles folder before doing so, although the uninstall program appears to leave them in place. In Windows 10, choose Settings from the main start menu and then search for Programs. From there you can search for Cisco, and you can then choose to uninstall the program:

Once uninstalled, you need to install the SonicWall VPN 64-bit Client from Dell. This will add the Deterministic Network Enhancer (DNE) LightWeight filter, and allow your VPN to correctly download the certificates from the VPN Server.

The SonicWall client can be downloaded for free from the following location: http://help.mysonicwall.com/applications/vpnclient/

Now you need to install the Cisco VPN Client. If you double-click on the self-extracting executable, the files will be extracted and, by default, the executable inside the zip file will be executed. This is not what you want. Uncheck the setting to automatically run the exe:

Once extracted, open the folder where the files are located. Run the MSI. This is important, otherwise you’ll see the following error:

Once installed, you can uninstall the SonicWall client. The application is no longer needed, and the Deterministic Network Enhancer filter remains.

Now fix the display name of the client. You can do this by opening Regedit and then navigating to:

Alter the DisplayName key value, by removing the junk data in front of the description. I left mine as:

Cisco Systems VPN Adapter for 64-bit Windows

It was previously

@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows

The Cisco VPN client should work as expected.

Photo by Kris Krug

How to download the Cisco VPN Client software

If you are trying to download the Cisco VPN client 4.x or 5.x then prepare for the bad news. You can’t. Not unless you are a registered customer that is.

Where can I download the Cisco VPN Client software?

A. You must log in and possess a valid service contract in order to access the Cisco VPN Client software. Cisco VPN Client software can be downloaded from the Cisco Download Software (registered customers only) page. If you do not have a valid service contract associated with your Cisco.com profile, you cannot log in and download the VPN client software.

In order to obtain a valid service contract, you can:

  • Contact your Cisco Account team if you have a Direct Purchase Agreement.
  • Contact a Cisco Partner or Reseller in order to purchase a service agreement.
  • Use the Profile Manager (registered customers only) in order to update your Cisco.com profile and request association to a service agreement.

See the Cisco VPN Client FAQs for further information.

Photo by blickpixel (Pixabay)

Howto: Cisco VPN Client on Windows 7 64-bit – Walkthrough

Cisco haven’t released a 64-bit VPN client, and are very unlikely to do so. They are forcing people to move away from IPSEC, and in all their wisdom, will only support 64-bit machines using the AnyConnect client, which a) doesn’t support IPSEC and b) has an implied cost per licence. In essence, they feel they can force companies to invest in new hardware if more and more people get 64-bit client machines.

Cisco gave in. The Cisco VPN Client Version 5.0.07 now supports Windows 7 64-bit.

The remainder here is a guide to networking through the Virtual XP Mode in Windows 7, which some may find useful, therefore I will keep it here as a guide.

However, Cisco hadn’t considered those who use Windows Vista and Windows 7 64-bit, but have no way to force the companies that they work with to upgrade their hardware (and pay out lots of money to do so). Hence, many people were left stranded and have resorted to third parties such as NCP and Shrew who offer paid and free VPN clients for 64-bit machines.

Today, I have finally figured out a workaround that still uses the Cisco VPN Client (v5) and no extra third party software. I thought I would share the technique.

The trick is to use Windows XP Mode which is a feature that is limited to Ultimate, Professional and Premium versions of Windows 7. You still have to download the feature from Microsoft, but after installing you’ll have a virtual Windows XP installation running under Windows 7. Your machine also needs to support Virtualisation Technology. Microsoft offers a tool to check this support is available. You may need to flick the switch in your BIOS to enable it (I had to do this on my Dell Precision as it was disabled by default).

First some terminology that will help. I will refer to the HOST as the machine that is hosting the virtual system (in my case this is Windows 7 Ultimate). The GUEST is the Windows XP Mode installation.

Once you have downloaded Windows XP Mode from Microsoft and followed the installation instructions, you must then install the second download (see Microsoft download page). At the end of this process, the new Windows XP Mode virtual machine should start up. The next steps are to install some anti-virus software and install the Cisco VPN client in the guest virtual machine. Copy across any Cisco VPN profile (.pcf) files you might need. Your HOST’s disk partitions should automatically be shared to allow you to copy files between the HOST and the GUEST.

Now comes a little configuration. Our aim is to share the active VPN connection on the GUEST with the HOST. The HOST's VPN traffic will take a little loop: it is routed to the GUEST, then tunneled through the GUEST VPN (which runs virtually back through the HOST and out via your router to the internet).

Make sure you can access the internet on the GUEST and then try a VPN connection using the Cisco VPN client. If that all works, disable the Windows Firewall (Control Panel -> Windows Firewall) on the GUEST and continue onto the next step.

Shut down the GUEST. Open up Windows Virtual PC -> Manage virtual machines from the start menu. Under the Settings for that machine, switch the Networking -> Adapter 1 to your network card rather than Shared Networking (NAT) or Internal Network. N.B. NAT might still work, but I haven’t tested it.

Now we need to share the GUEST VPN connection. We will enable Internet Connection Sharing on the VPN Connection in the GUEST. Go to Control Panel -> Network Connections (switch to Classic View if you can’t see that) and you will most likely see Local Area Connection 2, Cisco Systems VPN Adapter. Feel free to rename the connection to Cisco VPN Connection. Right click on the connection and click Properties. Click on the Advanced tab and make sure that the Allow other network users to connect through this computer’s internet connection is ticked, as well as the other checkbox below it (not essential). You will receive a long-worded warning. Click to continue and accept the change. The warning is simply that Internet Connection Sharing (ICS) will alter your IP Address to the default of 192.168.0.1, which we will be changing in a minute anyway.

Now we need to set up some static IP addresses on both the GUEST and HOST. Usually your router will be giving out IP addresses using DHCP, but we don’t want that because we need to add a static route in a minute. If you can, exclude a portion of your network IP range for static addressing. Most modern routers allow you to set the DHCP address range. I often exclude the first 50 IP addresses to be safe.

Now select the GUEST’s main connection, Local Area Connection, then right click and select Properties. Scroll down the items and select Internet Protocol (TCP/IP). Click on the Properties button. You need to know the values to put in here. The easiest way to find them is to look up the IP address you have now on the HOST: open a command window (Start -> Search Programs -> type “cmd.exe” and click to select the program) and type “ipconfig /all” at the command prompt. You’ll see your current IP address, gateway and DNS settings. You’ll need all of these, so make a note of them.

Switch back to the GUEST and enter in the IP address you want. e.g. 192.168.1.31, the network mask of 255.255.255.0 and the gateway IP address you just wrote down. Try the internet connection and VPN again. They should still work. Your GUEST is now ready to share its VPN connection.

Now we need the HOST to know to route through the GUEST for the VPN connection. To do this, we will set up another static IP address for the HOST. Follow the same process as on the GUEST to set the IP address, e.g. 192.168.1.30. Note that in Windows 7, you’ll find the Network connections in a slightly different place. You’ll need Control Panel -> (View By -> Small Icons) -> Network and Sharing Centre (oooh) -> Change Adapter Settings (left hand side) and right click on Local Area Connection. Scroll down the items to Internet Protocol version 4 (TCP/IPv4) and select it, then click Properties. The resulting dialog box is more or less the same as Windows XP.

Now let’s check we can ping the GUEST from the HOST. They should now both be on the same subnet. With the command window that is still open on the HOST, type “ping 192.168.1.31” (or your GUEST IP address). If you have Windows Firewall enabled on the GUEST, this WON’T work!

Now, we need to add the route. We want to add a persistent route from your HOST through your GUEST, for those routes that the VPN connections support. Usually, these routes fall under certain restricted ranges (the 192.168 range is one of these). If your VPN IP address range is a 192.168 range, then you’ll need some extra tweaking. Usually the ranges will be in the 10.0.x.x or 172.30.x.x ranges. Mine falls under the 172.30.x.x range.

Using the already open command window I enter the following to add my static (persistent -p) route:

It should say OK! Then you can use route print to see the new route in the routing table. If you screwed up and need to delete the route, type route delete 172.30.1.0 (i.e. your target range).
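As an added example (not part of the original post), the following Python sketch checks a static-IP plan like the one above and builds the matching Windows `route -p add` command for the HOST. The function name `plan_route`, the /24 mask on the VPN range and the DHCP pool of 192.168.1.51 to 192.168.1.254 are assumptions made for illustration; the HOST, GUEST and 172.30.1.0 values come from the walkthrough.

```python
import ipaddress

def plan_route(host_ip, guest_ip, lan_mask, vpn_net, dhcp_first, dhcp_last):
    """Check the HOST/GUEST static-IP plan; return (problems, route_command)."""
    lan = ipaddress.ip_network(f"{host_ip}/{lan_mask}", strict=False)
    host = ipaddress.ip_address(host_ip)
    guest = ipaddress.ip_address(guest_ip)
    vpn = ipaddress.ip_network(vpn_net)
    pool_lo = ipaddress.ip_address(dhcp_first)
    pool_hi = ipaddress.ip_address(dhcp_last)

    problems = []
    if host == guest:
        problems.append("HOST and GUEST need different addresses")
    if guest not in lan:
        # The HOST can only use the GUEST as a gateway if it is on the same subnet.
        problems.append(f"GUEST {guest} is not on the HOST subnet {lan}")
    for name, addr in (("HOST", host), ("GUEST", guest)):
        if addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{name} {addr} is a reserved address in {lan}")
        if pool_lo <= addr <= pool_hi:
            # The router could hand this address to another device.
            problems.append(f"{name} {addr} is inside the DHCP pool")
    if vpn.overlaps(lan):
        # The 192.168 case that the walkthrough says needs extra tweaking.
        problems.append(f"VPN range {vpn} overlaps the LAN {lan}")

    command = None
    if not problems:
        # Windows route syntax: route -p add <destination> mask <netmask> <gateway>
        command = f"route -p add {vpn.network_address} mask {vpn.netmask} {guest}"
    return problems, command

if __name__ == "__main__":
    # Constructed plan: addresses from the walkthrough, /24 VPN mask and
    # DHCP pool assumed for illustration.
    problems, command = plan_route(
        "192.168.1.30", "192.168.1.31", "255.255.255.0",
        "172.30.1.0/24", "192.168.1.51", "192.168.1.254",
    )
    print("\n".join(problems) if problems else command)
```

Run the printed command in the HOST's command window only when the list of problems is empty.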

On the GUEST machine, with the VPN connected, ping one of the machines connected to the VPN, i.e. ping myserver. Note the IP address to which this corresponds. Move over to the HOST and ping that IP address (you can’t ping it by name, because the DNS requests aren’t going via the VPN). If you can see a response from the server, you are now accessing your VPN connection via the HOST. Congratulations, the hardest part is now over.

To make it easier to connect, Microsoft has built some cool application shortcuts into Windows XP Mode. On the HOST follow All Programs -> Windows Virtual PC -> Windows XP Mode Applications -> Cisco Systems VPN Client -> VPN Client (Windows XP Mode). Right click on that last application and Pin to Start Menu. You’ll now have a VPN Client (Windows XP Mode) in your start menu.

Close down the guest (full shutdown). Now double click the start menu item, and you’ll see the usual Cisco VPN client, running virtually, but transparently in Windows 7!

Problems with Skype and the Cisco VPN Client

I have a variety of problems with Skype call quality, and calls being dropped, whilst connected to a Cisco VPN Concentrator using the Cisco VPN Client. I am using version 4.8.02.0010 of the client. I would be interested to hear from anyone else who has problems with this, and if you managed to find a solution, I’d love to hear about it.

Ideally, Skype is allowed Local LAN access, and goes out via that interface, whilst other VPN traffic moves normally across the VPN. I understand this might require split tunneling? Other people have told me that they don’t have these call problems, so I am wondering if it is a problem with my machine configuration.

I am using a vanilla Linksys WRT54GS router, connected to a cable modem (with no configuration access). I have set up port forwarding to direct Skype into a desired port, and without VPN, those calls are crystal clear. Are there any other settings on the router that might improve VPN and Skype quality?

Using the Cisco VPN Client’s “Stateful Firewall” definitely causes problems, but that doesn’t surprise me since Cisco bought in third party code to accomplish this task (Zone Alarm). What implications does switching this off actually have in terms of a security risk?

So, what are the options? What is the best configuration? How can you fix the client without degrading security on the VPN (split tunneling is not recommended)? I welcome any comments.

UPDATE

I have upgraded my Cisco VPN Client from 4.8 to 5.0.04. Although the problem still happens occasionally, it is much less frequent than it was. I hope this helps others with the same issue.