[Vpn-help] Issue connecting to Cisco ASA
Matthew Grooms
mgrooms at shrew.net
Sun Aug 16 09:41:23 CDT 2009
John Pittman wrote:
> I'm having an issue connecting to our ASA using the Shrew VPN client.
> This is my first experience with the client.
>
> VPN Client Version = 2.2.0 alpha 9
> Windows OS Version = Windows 7 32bit RTM (using wireless)
> Gateway Make/Model = Cisco ASA5520
> Gateway OS Version = 7.1.2
>
> We do have existing VPN configurations on this gateway that work for
> both IPsec and SSL access. It appears that I have the client
> configured per the documentation, and I do have it looking for the
> FQDN of the gateway which is what the gateway presents to the client.
> When connecting the client hangs for a bit and then disconnects
> without bringing up the tunnel. Attached is the iked.txt and the
> capture file.
>
It looks like the gateway isn't responding to your mode config request ...
09/08/10 14:25:45 ii : building config attribute list
09/08/10 14:25:45 ii : - IP4 Address
09/08/10 14:25:45 ii : - Address Expiry
09/08/10 14:25:45 ii : - IP4 Netamask
09/08/10 14:25:45 ii : - IP4 DNS Server
09/08/10 14:25:45 ii : - IP4 WINS Server
09/08/10 14:25:45 ii : - DNS Suffix
09/08/10 14:25:45 ii : - Split DNS Domain
09/08/10 14:25:45 ii : - IP4 Split Network Include
09/08/10 14:25:45 ii : - IP4 Split Network Exclude
09/08/10 14:25:45 ii : - Login Banner
09/08/10 14:25:45 ii : - Save Password
09/08/10 14:25:45 ii : - CISCO UDP Port
09/08/10 14:25:45 ii : sending config push acknowledge
09/08/10 14:25:45 >> : hash payload
09/08/10 14:25:45 >> : attribute payload
09/08/10 14:25:45 == : new configure hash ( 20 bytes )
09/08/10 14:25:45 >= : cookies e2f3728e1023e911:ed4441ceacd65bb6
09/08/10 14:25:45 >= : message f3fbce12
09/08/10 14:25:45 >= : encrypt iv ( 8 bytes )
09/08/10 14:25:45 == : encrypt packet ( 112 bytes )
09/08/10 14:25:45 == : stored iv ( 8 bytes )
09/08/10 14:25:45 DB : config resend event canceled ( ref count = 1 )
09/08/10 14:25:45 -> : send NAT-T:IKE packet 192.168.0.131:4500 -> 207.40.118.194:4500 ( 148 bytes )
09/08/10 14:25:45 DB : config resend event scheduled ( ref count = 2 )
09/08/10 14:25:50 -> : resend 1 config packet(s) [0/2] 192.168.0.131:4500 -> y.y.y.y:4500
09/08/10 14:25:55 -> : resend 1 config packet(s) [1/2] 192.168.0.131:4500 -> y.y.y.y:4500
There was another user that reported the same issue. I did a bit of
investigation and determined that we have a compatibility problem. Cisco
gateways also negotiate parameters to be used to enforce local security
policies. They can be configured to either require security policy
enforcement or request security policy enforcement. In the former case,
the client will fail to negotiate a connection successfully because it
does not perform local policy enforcement. In the latter case, it will
connect successfully. I assume your gateway is configured to require
this feature.
Unfortunately, unless you can talk your administrator into not requiring
this feature you won't be able to use the Shrew Soft client. Here is an
example of the configuration option on an ASA.
Optional
--------
client-firewall opt cisco-integrated acl-in <access list>
Required
--------
client-firewall req cisco-integrated acl-in <access list>
I will look into fixing this issue in the next version of the client but
for now we require this to be optional.
-Matthew
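As an added example, not part of Matthew's reply or of the Shrew Soft project, the script below automates the two checks his diagnosis rests on: it reads iked.txt-style lines and reports when the client's mode config request went unanswered (the resend counter was exhausted after the config push acknowledge), and it scans an ASA group-policy fragment for `client-firewall req` lines, printing the `opt` form from the reply that an administrator would be asked for. The log and ASA samples are constructed from the shapes quoted above; the gateway address 203.0.113.10, the policy names and the ACL names are placeholders, and the line formats are assumed to match the excerpt rather than every iked.txt version.

```python
import re
from typing import List, Tuple

# Constructed sample of Shrew Soft iked.txt output, modelled on the excerpt in the
# reply above. The gateway address 203.0.113.10 is a documentation placeholder.
SAMPLE_IKED_LOG = """\
09/08/10 14:25:45 ii : sending config push acknowledge
09/08/10 14:25:45 -> : send NAT-T:IKE packet 192.168.0.131:4500 -> 203.0.113.10:4500 ( 148 bytes )
09/08/10 14:25:45 DB : config resend event scheduled ( ref count = 2 )
09/08/10 14:25:50 -> : resend 1 config packet(s) [0/2] 192.168.0.131:4500 -> 203.0.113.10:4500
09/08/10 14:25:55 -> : resend 1 config packet(s) [1/2] 192.168.0.131:4500 -> 203.0.113.10:4500
"""

# Constructed ASA group-policy fragment; policy and ACL names are placeholders.
SAMPLE_ASA_CONFIG = """\
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 vpn-tunnel-protocol IPSec
 client-firewall req cisco-integrated acl-in FW_IN
group-policy PARTNERS attributes
 client-firewall opt cisco-integrated acl-in PARTNER_IN
"""

# "[n/limit]" counter printed by iked for each resend of the config packet
RESEND_RE = re.compile(r"resend \d+ config packet\(s\) \[(\d+)/(\d+)\]")
# only the 'req' form is a problem for the client; 'opt' is left alone
CLIENT_FW_RE = re.compile(r"^\s*client-firewall\s+req\s+(.+?)\s*$")


def config_resends(log_text: str) -> Tuple[int, int]:
    """Return (resends seen, resend limit) from iked.txt-style lines."""
    seen, limit = 0, 0
    for line in log_text.splitlines():
        m = RESEND_RE.search(line)
        if m:
            seen += 1
            limit = int(m.group(2))
    return seen, limit


def mode_config_unanswered(log_text: str) -> bool:
    """True when the client acknowledged the gateway's config push and then
    used up every resend of its own request, i.e. the gateway never replied."""
    if "sending config push acknowledge" not in log_text:
        return False
    seen, limit = config_resends(log_text)
    return limit > 0 and seen >= limit


def required_client_firewall(asa_config: str) -> List[Tuple[str, str]]:
    """Return each 'client-firewall req ...' line paired with the 'opt' form
    that keeps the same ACL but makes enforcement a request, not a requirement."""
    findings = []
    for line in asa_config.splitlines():
        m = CLIENT_FW_RE.match(line)
        if m:
            findings.append((line.strip(), "client-firewall opt " + m.group(1)))
    return findings


if __name__ == "__main__":
    if mode_config_unanswered(SAMPLE_IKED_LOG):
        seen, limit = config_resends(SAMPLE_IKED_LOG)
        print(f"mode config request unanswered after {seen}/{limit} resends")
    for original, suggested in required_client_firewall(SAMPLE_ASA_CONFIG):
        print(f"found:   {original}\nrequest: {suggested}")
```

Run it against a real iked.txt and a copy of the group-policy section of `show running-config`; an unanswered mode config together with a `req` line is the combination the reply describes, while an unanswered mode config with no `req` line points at a different cause.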