[Vpn-help] Issue connecting to Cisco ASA

Matthew Grooms mgrooms at shrew.net
Sun Aug 16 09:41:23 CDT 2009


John Pittman wrote:
> I'm having an issue connecting to our ASA using the Shrew VPN client.
> This is my first experience with the client.
> 
> VPN Client Version = 2.2.0 alpha 9
> Windows OS Version = Windows 7 32bit RTM (using wireless)
> Gateway Make/Model = Cisco ASA5520
> Gateway OS Version = 7.1.2
> 
> We do have existing VPN configurations on this gateway that work for
> both IPsec and SSL access. It appears that I have the client
> configured per the documentation, and I do have it looking for the
> FQDN of the gateway which is what the gateway presents to the client.
> When connecting the client hangs for a bit and then disconnects
> without bringing up the tunnel. Attached is the iked.txt and the
> capture file.
> 

It looks like the gateway isn't responding to your mode config request ...

09/08/10 14:25:45 ii : building config attribute list
09/08/10 14:25:45 ii : - IP4 Address
09/08/10 14:25:45 ii : - Address Expiry
09/08/10 14:25:45 ii : - IP4 Netamask
09/08/10 14:25:45 ii : - IP4 DNS Server
09/08/10 14:25:45 ii : - IP4 WINS Server
09/08/10 14:25:45 ii : - DNS Suffix
09/08/10 14:25:45 ii : - Split DNS Domain
09/08/10 14:25:45 ii : - IP4 Split Network Include
09/08/10 14:25:45 ii : - IP4 Split Network Exclude
09/08/10 14:25:45 ii : - Login Banner
09/08/10 14:25:45 ii : - Save Password
09/08/10 14:25:45 ii : - CISCO UDP Port
09/08/10 14:25:45 ii : sending config push acknowledge
09/08/10 14:25:45 >> : hash payload
09/08/10 14:25:45 >> : attribute payload
09/08/10 14:25:45 == : new configure hash ( 20 bytes )
09/08/10 14:25:45 >= : cookies e2f3728e1023e911:ed4441ceacd65bb6
09/08/10 14:25:45 >= : message f3fbce12
09/08/10 14:25:45 >= : encrypt iv ( 8 bytes )
09/08/10 14:25:45 == : encrypt packet ( 112 bytes )
09/08/10 14:25:45 == : stored iv ( 8 bytes )
09/08/10 14:25:45 DB : config resend event canceled ( ref count = 1 )
09/08/10 14:25:45 -> : send NAT-T:IKE packet 192.168.0.131:4500 -> 207.40.118.194:4500 ( 148 bytes )
09/08/10 14:25:45 DB : config resend event scheduled ( ref count = 2 )
09/08/10 14:25:50 -> : resend 1 config packet(s) [0/2] 192.168.0.131:4500 -> y.y.y.y:4500
09/08/10 14:25:55 -> : resend 1 config packet(s) [1/2] 192.168.0.131:4500 -> y.y.y.y:4500

There was another user who reported the same issue. I did a bit of 
investigation and determined that we have a compatibility problem. Cisco 
gateways also negotiate parameters to be used to enforce local security 
policies. They can be configured to either require security policy 
enforcement or request security policy enforcement. In the former case, 
the client will fail to negotiate a connection successfully because it 
does not perform local policy enforcement. In the latter case, it will 
connect successfully. I assume your gateway is configured to require 
this feature.

Unfortunately, unless you can talk your administrator into not requiring 
this feature, you won't be able to use the Shrew Soft client. Here is an 
example of the configuration option on an ASA.

Optional
--------
client-firewall opt cisco-integrated acl-in <access list>

Required
--------
client-firewall req cisco-integrated acl-in <access list>

I will look into fixing this issue in the next version of the client but 
for now we require this to be optional.

-Matthew
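As an added illustration (not part of Matthew's message or of the Shrew Soft project), here are the two forms of that option placed in the group-policy context where they live on an ASA, so an administrator can see what to look for and what to change. The group-policy name and the access-list names are assumptions; the acl-out keyword is part of the cisco-integrated syntax on the ASA and is not shown in the message above.

```cisco
! Added example, not from the original post. Group-policy and ACL names are hypothetical.
! The two "client-firewall" lines are alternatives for the same group-policy; only one applies.

! Form that breaks Shrew Soft 2.2.0: the gateway REQUIRES the integrated client firewall.
! Per Matthew's diagnosis, a client that does no local policy enforcement never gets its
! mode-config push answered; the client resends twice and then gives up, as in the log.
group-policy SHREW-USERS attributes
 client-firewall req cisco-integrated acl-in FW-INBOUND acl-out FW-OUTBOUND

! Form that works: the gateway only REQUESTS the firewall, so a client that cannot
! enforce a local policy still completes the negotiation.
group-policy SHREW-USERS attributes
 client-firewall opt cisco-integrated acl-in FW-INBOUND acl-out FW-OUTBOUND

! To check which form is currently active for the policy the Shrew users land in:
! show running-config group-policy SHREW-USERS
```

The ACLs themselves are not shown here because the message gives none; whatever the administrator already has configured for the Cisco VPN client can stay as it is, since only the req/opt keyword needs to change for the Shrew Soft client to connect.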
