[Vpn-help] Cisco Client Access Rules
Matthew Grooms
mgrooms at shrew.net
Sat Dec 12 14:09:30 CST 2009
NMaio at guesswho.com wrote:
> Does anyone know if it is possible to set the Shrew Client to use a
> client type and version number? I use client access rules on our PIX
> and ASA but due to the fact that the shrew client doesn't send a client
> or version type I am forced to allow all clients for some groups.
> Thanks in advance.
>
IPsec VPN clients send a Vendor ID hash value to inform a peer when an
optional feature may be available for use. Most of what allows an IPsec
VPN client to work are 'optional' with respect to the RFCs. In fact,
Xauth and modecfg are actually informational drafts which never made the
RFC standards track. I suspect that the problem you are experiencing is
related to the local security policy enforcement feature provided by the
Cisco VPN client.

Anyhow, back to vendor IDs. Some vendors use an ID hash value to identify
a specific version of a product. This implies a whole subset of features
that it expects to be available. In the case of Cisco products, this is
certainly true. However, as far as I know, using a particular vendor ID
string has nothing to do with negotiating local client security policy.
That is actually handled after phase 1 negotiations complete and during
the modecfg negotiation process. Although the Shrew Soft VPN client does
send a Cisco Unity vendor ID string, it doesn't support negotiation of
any client security policies (i.e. firewall rules). When a PIX or ASA
is configured to require that the client support local security policy
enforcement, the gateway will disconnect the client.

I have read similar assertions to yours related to vpnc (Unix command
line Cisco-compatible VPN client) sending a 'client type and version
number' to work around one issue or another. If anyone has documentation
about this option, feel free to point me at it and I will have a closer
look. Maybe they send an incredibly old Cisco Unity version string that
pre-dates the security policy enforcement feature to work around the
issue ... but that's just a wild guess.
-Matthew
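The reply above turns on what an ISAKMP Vendor ID payload actually is: a fixed byte string, usually an MD5 hash of a draft name or product name, sometimes with a version suffix, that any peer can put on the wire. The following is an added example, not code from the list post or from the Shrew Soft project: it builds a chain of ISAKMP generic payloads carrying a few Vendor IDs, parses the chain back with bounds checks, and labels the well-known values. The XAUTH and Cisco Unity values are derived as the respective drafts describe (MD5 of the draft name truncated to 8 bytes; MD5 of "CISCO-UNITY" with the last two bytes replaced by a major/minor version); the DPD value is the constant from RFC 3706; the unknown fourth VID and the payload chain itself are constructed sample input. The point it demonstrates from a gateway's perspective is that the label says only what the peer claims, which is why a client access rule keyed on a Vendor ID is a compatibility hint rather than an access control.

```python
import hashlib
import struct

# ISAKMP payload type numbers (RFC 2408, section 3.1).
PAYLOAD_NONE = 0
PAYLOAD_VENDOR_ID = 13

# Well-known Vendor ID values, derived the way the drafts describe them.
# Any IKE peer can emit these bytes; they prove nothing about who is talking.
VID_XAUTH = hashlib.md5(b"draft-ietf-ipsra-isakmp-xauth-06.txt").digest()[:8]
VID_CISCO_UNITY = hashlib.md5(b"CISCO-UNITY").digest()[:14] + b"\x01\x00"
VID_DPD = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")  # RFC 3706 constant

# VIDs matched exactly.
EXACT_VIDS = {
    VID_XAUTH: "XAUTH (draft-ietf-ipsra-isakmp-xauth-06)",
}

# VIDs whose last two bytes carry a major/minor version: match the 14-byte
# prefix and report the version the peer claims.
VERSIONED_VID_PREFIXES = {
    VID_CISCO_UNITY[:14]: "Cisco Unity",
    VID_DPD[:14]: "Dead Peer Detection (RFC 3706)",
}


def classify_vid(vid):
    """Return a human-readable label for a Vendor ID body, or None if unknown."""
    if vid in EXACT_VIDS:
        return EXACT_VIDS[vid]
    family = VERSIONED_VID_PREFIXES.get(vid[:14])
    if family is not None and len(vid) == 16:
        return f"{family} {vid[14]}.{vid[15]}"
    return None


def build_payload(next_type, body):
    """Encode one ISAKMP generic payload: next-payload, reserved, length, body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_payload_chain(payloads):
    """Chain (type, body) pairs so each header's next-payload field points ahead."""
    out = b""
    for i, (_ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        out += build_payload(next_type, body)
    return out


def parse_payload_chain(data, first_type):
    """Walk a chain of generic payloads, returning (type, body) pairs.

    Every length field is checked against the buffer before it is trusted,
    so a truncated or oversized payload raises instead of reading past the end.
    """
    payloads = []
    ptype = first_type
    offset = 0
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("bad payload length")
        payloads.append((ptype, data[offset + 4:offset + length]))
        offset += length
        ptype = next_type
    if offset != len(data):
        raise ValueError("trailing bytes after last payload")
    return payloads


def identify_vendor_ids(data, first_type):
    """List (hex, label) for every Vendor ID payload in a chain."""
    return [(body.hex(), classify_vid(body))
            for ptype, body in parse_payload_chain(data, first_type)
            if ptype == PAYLOAD_VENDOR_ID]


# Constructed sample: three well-known VIDs plus one made-up, unknown VID.
SAMPLE_CHAIN = build_payload_chain([
    (PAYLOAD_VENDOR_ID, VID_CISCO_UNITY),
    (PAYLOAD_VENDOR_ID, VID_XAUTH),
    (PAYLOAD_VENDOR_ID, VID_DPD),
    (PAYLOAD_VENDOR_ID, bytes.fromhex("0011223344556677")),  # constructed
])


def sample_report():
    """Parse the constructed chain as if it were the VID section of an IKE message."""
    return identify_vendor_ids(SAMPLE_CHAIN, PAYLOAD_VENDOR_ID)


if __name__ == "__main__":
    for hexvid, label in sample_report():
        print(hexvid, "->", label or "unknown")
```

Because `classify_vid` only compares bytes, the Cisco Unity label comes out identically whether the peer is a Cisco client, the Shrew Soft client, or anything else that copies the value; the gateway learns which feature set the client advertises, not which product it is, and client type or version has to be established by the authenticated identity and modecfg exchange that follow phase 1.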