[vpn-help] Please Help Test Possible Cisco Interoperability Improvements ...

VPN Client Product Support vpn-help at lists.shrew.net
Thu Dec 17 02:28:30 CST 2009 

All,

I took a break from the kernel work tonight to focus briefly on Cisco 
interoperability issues that have been reported. This manifests itself 
primarily as a disconnect shortly after the tunnel is established. I 
would like to say that there is a single modification that can be done 
to the client that will allow it to work with all Cisco gateways, but 
unfortunately that isn't the case. Its actually few edge cases that 
cause the same result which I will attempt to describe in some detail.

1) The Cisco gateway is an older 3000 series concentrator that has split 
tunnel policies configured. The Shrew Soft VPN client attempts to 
negotiate individual security associations for each IPsec security 
policy. The Cisco VPN client negotiates a single IPsec SA with the local 
ID matching its virtual IP address and a remote ID of 0.0.0.0/0. For the 
case where split tunneling is used ( tunnel all ), the Shrew Soft client 
happens to use the same IDs as the Cisco Client. For the case where 
split tunneling is not used, the Shrew Soft client will negotiate 
multiple SAs with the local ID matching its virtual address, but with 
the remote ID matching the distant network.

In other words, if there is a single network of 10.1.2.0/24 behind the 
gateway, the SAs get negotiated as follows ...

Cisco client with or without Split Tunneling
IN  0.0.0.0/0 -> VIP
OUT VIP -> 0.0.0.0/0

Shrew Soft client with Split Tunneling
IN  10.1.2.0/24 -> VIP
OUT VIP -> 10.1.2.0/24

Shrew Soft client without Split Tunneling
IN  0.0.0.0/0 -> VIP
OUT VIP -> 0.0.0.0/0

Newer Cisco Concentrators like ASAs don't mind if the Shrew Soft client 
negotiates unique SAs for each policy. However, older Cisco 3000 series 
concentrators reject client SA negotiation of this type.

WORKAROUND: As a test in 2.1.6 Beta 2, the Shrew Soft VPN client will 
allow the user to specify a single include network of 0.0.0.0/0.0.0.0 
under the site configuration policy tab. This configuration will force 
ALL traffic via the VPN tunnel, even in situations where split tunnels 
are desired by the gateway. However, this will also force the Shrew Soft 
client to use the same IDs as the Cisco client. This should allow 
connectivity to resources via the VPN connection.

SOLUTION: During the brief 2.1.6 development cycle, a new option could 
be introduced that will allow SAs to be negotiated in the same manner as 
the Cisco VPN client. However, this will depend on feedback provided by 
users. If there are ample reports of success using the workaround 
described in the previous paragraph, I will invest the time in adding 
this option.

2) The Cisco gateway utilizes client "application version" access rules 
that only allow specific versions of the client to connect. The Shrew 
Soft VPN Client wasn't reporting version information, so gateways that 
enforced this check would force a disconnect after authentication.

SOLUTION: Beginning with 2.1.6 Beta 2, the Shrew Soft VPN client will 
send an application version identical to the Cisco VPN client version 
4.8.01 which is the latest 4.x version. If that version of the Cisco VPN 
client is allowed to connect, so will the Shrew Soft VPN client.

3) The Cisco gateway utilizes client "firewall type" access rules that 
only allow VPN Clients that enforce local firewall security policies to 
connect. The Shrew Soft VPN Client wasn't reporting a firewall type, so 
any gateway that enforced this check would force a disconnect after 
authentication.

SOLUTION: Beginning with 2.1.6 Beta 2, the Shrew Soft VPN client will 
send an unknown firewall type. This should allow the client to connect 
although we don't actually enforce the firewall policies. I'm still 
struggling with the ethical implications of this change so don't be 
surprised if I revert this change before the final release.

4) Bugs in the Cisco PCF import feature??? I'm not sure if this is even 
relevant at this point but the possibility should not be ruled out.

I think that pretty much covers it. If anyone has any additional input 
to add I would love to here it. If you are experiencing problems with 
Cisco gateway connectivity, please try version 2.1.6 Beta 2 and let me 
know if you have success or failure.

Thanks,

-Matthew

More information about the vpn-help mailing list