[Vpn-help] PIX 501 and Shrew 2.0.2 client
Matthew Grooms
mgrooms at shrew.net
Wed Oct 31 23:34:20 CDT 2007
Marc Goldburg wrote:
> I'm attempting to use the Shrew 2.0.2 Windows client on WinXP with a PIX
> 501 running rev 6.3(5). Phase I completes successfully, but Phase II
> startup appears to go into a loop with no errors reported by either side
> but nothing exchanged other than dead peer detection packets.
>
Hi Mark,
I use the Shrew Soft client quite regularly to connect to a Cisco ASA
but don't have a PIX to test with. It mimics the Cisco VPN client quite
well so this shouldn't be a problem. I think you are trying to set up the
PIX a bit too much like a site-to-site connection. The 2.0.2 client
expects to enter a modecfg exchange which probably isn't working well
because the PIX is missing some parameters. Basically you need to set up
the PIX like it will be supporting the Cisco VPN Client. You do have the
dynamic map but appear to be missing a vpngroup, an address pool and
optionally an access list that describes split tunneling configuration
to the client.
This document is pretty well written and should get you started in the
right direction.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml
I have attached a site configuration template that you can import into
the access manager application via the file menu. The only values you
should need to substitute are the hostname/address of your PIX gateway,
the local FQDN identity value (will be your vpngroup name) and the
preshared key value (will be your vpngroup password). It isn't
necessary to hard code any of the phase1/phase2 (besides the exchange
mode and DH group) parameters with 7.x code but the 6.x code may be
different in this respect.
Let me know if you have any other questions and I will do what I can to
help. Good luck and thanks for trying out the Client :)
-Matthew
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cisco.vpn
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20071031/47170d0b/attachment-0002.ksh>