Command Scripts for use with Cisco VPN Hack

Several people have asked me to post more detail about the CMD scripts that I wrote to get the Cisco VPN client working on my 64-bit Win 7 machine using Virtual XP.

Basically I have written two scripts.  One adds routes to the subnets I need at work and the other deletes them.  So – what are routes?  Basically they are the directions that computers use to send communications to the right place. 

The first thing you need to do is identify what network addresses are in use on your work network.  Fortunately the Cisco client makes this fairly easy for you.  Once the Cisco VPN client is installed in the virtual XP environment, connect the VPN and then select the Statistics option from the Status menu in the VPN client window.  This will list the subnets on your remote network as shown below:

image

I created a text file where each line in the file was a remote subnet and subnet mask, separated by a semicolon.  For example if your remote network used three networks: 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 then your text file would look like this:

192.168.1.0;255.255.255.0
192.168.2.0;255.255.255.0
192.168.3.0;255.255.255.0

Save this text file to your hard drive.  I saved mine in c:\utils\addroutes.txt

In a nutshell, when I am connected to the VPN I run the AddRoutes.cmd script and it helps the Windows 7 machine identify the traffic intended for my work network.  In the example above it would need to know to send any traffic for the above three networks to the Loopback adaptor of the host as discussed in my previous post.

Here is what is in the AddRoutes.cmd script:

@Echo Off
Set GW=192.168.233.1
Echo Setting Up Routes:
for /F "delims=; tokens=1-2" %%i in (c:\utils\vpnroutes.txt) Do route add %%i Mask %%j %GW% metric 1 >NUL
Echo Done!

(note that “for” through to NUL is all one line)

What does this do?  The first line tells the script not to show the commands as it runs them.

The next line creates a variable called GW and sets it to the IP Address of the loopback adaptor.

The third line just provides some visual feedback and tells you that it is about to add the routes.

Line 4 is the workhorse.  I’m not going to go into the nuts and bolts of the “for” command, but it is very powerful.  If you want to know more, you can type “for /?” at the command line.  In a nutshell what line 4 says is:

In C:\utils\vpnroutes.txt each line is a list of values separated by semicolons.  For each line run the following command with the first two values:

route add Value1 mask Value2 GW

Where GW is the address of the gateway we set in line 2.

That’s it – you are online and know how to talk to your VPN network.
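A pre-flight check for the routes file, as an added example that is not part of the original post: both scripts send the output of route to NUL, so a mistyped line in the file fails without any message. The function name check_routes and the sample lines are constructed for illustration; the gateway default is the GW value from AddRoutes.cmd.

```python
import ipaddress

# Constructed sample: the post's three subnets plus three deliberately bad lines.
SAMPLE = """\
192.168.1.0;255.255.255.0
192.168.2.0;255.255.255.0
192.168.3.0;255.255.255.0
192.168.4.10;255.255.255.0
0.0.0.0;0.0.0.0
192.168.233.0;255.255.255.0
"""

def check_routes(text, gateway="192.168.233.1"):
    """Validate 'subnet;mask' lines; return (route_commands, problems)."""
    gw = ipaddress.IPv4Address(gateway)  # GW value from AddRoutes.cmd
    commands, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in raw.split(";")]
        if fields == [""]:
            continue  # skip blank lines
        if len(fields) != 2:
            problems.append((lineno, "expected subnet;mask"))
            continue
        subnet, mask = fields
        try:
            # Strict parsing rejects host bits and non-contiguous masks.
            net = ipaddress.IPv4Network(f"{subnet}/{mask}")
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        if str(net.netmask) != mask:
            problems.append((lineno, "mask is not a dotted-quad netmask"))
        elif net.prefixlen == 0:
            problems.append((lineno, "default route: all host traffic would go to the guest"))
        elif gw in net:
            problems.append((lineno, "subnet overlaps the loopback adapter range"))
        else:
            commands.append(f"route add {net.network_address} mask {mask} {gw} metric 1")
    return commands, problems

if __name__ == "__main__":
    cmds, bad = check_routes(SAMPLE)
    print("\n".join(cmds))
    for lineno, why in bad:
        print(f"line {lineno}: {why}")
```
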

Now when you disconnect  you don’t need those routes anymore, and if you leave them there they may cause issues.  So DeleteRoutes.cmd removes them again.

Here is what is in DelRoutes.cmd:

@Echo Off
Echo Deleting Routes...
for /F "delims=; tokens=1" %%i in (c:\utils\vpnroutes.txt) Do route delete %%i>NUL
Echo Done!

This is very similar to the first script – For each line in the vpnroutes.txt file it runs a command to remove the route again. 

There is one last thing you may need to make everything work as expected and that is name resolution.  This one is easy to fix.  If you know the address of your DNS server on your remote network add it as the DNS server on the properties of the loopback adaptor.  This won’t cause any issues if you leave it there full time.

Hope that helps everyone.  I will admit it is a bit of a nasty work around but it does work.

Thursday, July 02, 2009 10:02:48 PM (AUS Eastern Standard Time, UTC+10:00)

Working VPN Client for Win7 x64

Previously I blogged about the lack of a 64-bit Cisco VPN client.

In the comments of that post yaz points out that NCP has a Beta Client that works on 64-bit clients – and that includes Windows 7.  It also supports 3rd party VPNs and that includes Cisco.

The NCP beta client is available via this page.  Install was simple and there is even a UI to import your existing Cisco VPN profile. 

It appears to be a 30 day trial – which is a bit odd for a beta product.  It does appear to work though.  I’ll give it a good work out over the next couple of days and report back.

Monday, May 25, 2009 9:44:26 PM (AUS Eastern Standard Time, UTC+10:00)

Cisco VPN Client on Windows 7 x64

For reasons that escape me Cisco have chosen not to release a 64-bit version of the IPSec Cisco VPN Client.

This is a problem for me since I installed the 64-bit version of Windows 7 RC on my Toshiba M750.

To get around this without rebuilding with the 32-bit version I employed Windows 7’s new XP Mode – aka Virtual XP.

First I followed the steps on the download page:

  1. Enable virtualisation extensions in the BIOS.
  2. Download and install the Virtual PC Beta.
  3. Download Windows XP Mode.

That done I fired up the Virtual Windows XP from my Start Menu:

image

This loaded up a Virtual Machine already running Windows XP.  I installed the Cisco VPN Client and verified that it could connect to the VPN. 

This is where it gets a little tricky.  At this point I have my Toshiba, which is the host, and an XP machine, which is a guest.  The XP guest has a virtual adaptor that leverages the host’s network adaptor and can connect to the remote network.  But the host has no way to connect through the guest to get to the remote network.

For initial testing I created a static route for one of the subnets and pointed it to the IP Address of the guest.  This worked, but it is a bit fiddly as the guest IP address is assigned by DHCP and as such will change depending on where I am.

I wanted something that required a little less work to get connected.  To achieve this I needed to create a virtual adaptor on the Host.  This is done by adding a loopback adapter to the host.

Adding a Loopback Adapter to the Host

In Device Manager, right-click the root node and select Add Legacy Hardware.

image

On the welcome screen click Next.

Then select Install the hardware that I manually select from a list (Advanced) and then click Next.

image

Scroll down and select Network Adapters and then click Next.

image

Then select Microsoft as the Manufacturer and Microsoft Loopback Adapter and then click Next.

image

On the confirmation screen click Next.  Then when the installation finishes click Finish.

Once this has completed you will find a new network adapter in the Network Connections.

image

I configured this adapter with a private IP address in a range that I don’t use at home or work. 

Next I added a second Virtual Adapter to the Virtual Windows XP machine and bound this to the new Loopback Adapter.  I assigned a static address to this in the same range as the Loopback adapter.

Because the network I am connecting to uses a number of subnets I wrote two quick CMD scripts.  One adds the routes on the host, the other removes them.

Virtual PC also creates shortcuts for applications installed in the guest on the Start Menu of the host. 

image

To connect to my VPN I can run this and it hides the Virtual Machine’s desktop and the VPN client looks like it is running on the Windows 7 machine.  I then run my script to create the routes and I can work away.  When I disconnect the VPN I run another script to delete the routes again.  Of course I can add shortcuts to all three actions to my desktop to ease the process.  Not quite as clean as installing the client directly on the machine, but it works.

Update: For details of the command scripts see this post.

Sunday, May 10, 2009 10:16:04 PM (AUS Eastern Standard Time, UTC+10:00)

Windows 7, Fingerprints and a T61

My friend Chris recently took the plunge and installed Windows 7 on his Lenovo T61 notebook.  He had managed to get the fingerprint reader working on it and has documented the process in great detail.

After rebuilding my trusty T61 with Windows 7 about a week ago, the only device that was not functioning correctly was the “biometric coprocessor”. I tried installing the software using ThinkVantage Productivity Center, but this did not work. After asking google, I found that the device was manufactured by UPEK and that they have released a Windows 7 driver on their site.

Chris’ post is a great reference on how to install and configure the Lenovo T61 fingerprint reader in Windows 7.  Check it out.

Thursday, March 12, 2009 8:27:14 PM (AUS Eastern Standard Time, UTC+10:00)

All content © 2013, Craig Pringle