[vpn-help] cisco asa + vpn client for windows 2.1.5

Attila Mihalicz mihalicz.attila at gmail.com
Sun Dec 20 14:36:21 CST 2009


Hi!

I'm unable to connect to our Cisco ASA 5500 using the Shrew Soft Vpn Client.
(Windows 7 64 bit)

The connection works with the Cisco VPN Client, and the NCP-e Secure Entry
Client.

I imported the Cisco VPN Client's .pcf file into the Shrew Soft VPN client and
changed the 'PFS Exchange' setting to group 2, but when I try to connect to
the ASA, I get the following error message:
-----
config loaded for site 'psk.pcf'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
session terminated by gateway
tunnel disabled
detached from key daemon ...
-----

detailed log:
--------
09/12/20 19:18:16 ## : IKE Daemon, ver 2.1.5
09/12/20 19:18:16 ## : Copyright 2009 Shrew Soft Inc.
09/12/20 19:18:16 ## : This product linked OpenSSL 0.9.8h 28 May 2008
09/12/20 19:18:16 ii : opened 'C:\Program Files\ShrewSoft\VPN
Client\debug\iked.log'
09/12/20 19:18:16 ii : rebuilding vnet device list ...
09/12/20 19:18:16 ii : device ROOT\VNET\0000 disabled
09/12/20 19:18:16 ii : network process thread begin ...
09/12/20 19:18:16 ii : pfkey process thread begin ...
09/12/20 19:18:16 ii : ipc server process thread begin ...
09/12/20 19:18:21 !! : unable to connect to pfkey interface
09/12/20 19:19:05 ii : ipc client process thread begin ...
09/12/20 19:19:05 <A : peer config add message
09/12/20 19:19:05 <A : proposal config message
09/12/20 19:19:05 <A : proposal config message
09/12/20 19:19:05 <A : client config message
09/12/20 19:19:05 <A : xauth username message
09/12/20 19:19:05 <A : xauth password message
09/12/20 19:19:05 <A : local id 'TUNNEL-GROUP-NAME' message
09/12/20 19:19:05 <A : preshared key message
09/12/20 19:19:05 <A : peer tunnel enable message
09/12/20 19:19:05 ii : local supports XAUTH
09/12/20 19:19:05 ii : local supports nat-t ( draft v00 )
09/12/20 19:19:05 ii : local supports nat-t ( draft v01 )
09/12/20 19:19:05 ii : local supports nat-t ( draft v02 )
09/12/20 19:19:05 ii : local supports nat-t ( draft v03 )
09/12/20 19:19:05 ii : local supports nat-t ( rfc )
09/12/20 19:19:05 ii : local supports FRAGMENTATION
09/12/20 19:19:05 ii : local supports DPDv1
09/12/20 19:19:05 ii : local is SHREW SOFT compatible
09/12/20 19:19:05 ii : local is NETSCREEN compatible
09/12/20 19:19:05 ii : local is SIDEWINDER compatible
09/12/20 19:19:05 ii : local is CISCO UNITY compatible
09/12/20 19:19:05 >= : cookies 192347d65cb76a3c:0000000000000000
09/12/20 19:19:05 >= : message 00000000
09/12/20 19:19:05 ii : processing phase1 packet ( 476 bytes )
09/12/20 19:19:05 =< : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 =< : message 00000000
09/12/20 19:19:05 ii : matched isakmp proposal #1 transform #2
09/12/20 19:19:05 ii : - transform    = ike
09/12/20 19:19:05 ii : - cipher type  = aes
09/12/20 19:19:05 ii : - key length   = 256 bits
09/12/20 19:19:05 ii : - hash type    = sha1
09/12/20 19:19:05 ii : - dh group     = modp-1024
09/12/20 19:19:05 ii : - auth type    = xauth-initiator-psk
09/12/20 19:19:05 ii : - life seconds = 86400
09/12/20 19:19:05 ii : - life kbytes  = 0
09/12/20 19:19:05 ii : phase1 id target is any
09/12/20 19:19:05 ii : phase1 id match
09/12/20 19:19:05 ii : received = fqdn asa.domain.com
09/12/20 19:19:05 ii : peer is CISCO UNITY compatible
09/12/20 19:19:05 ii : peer supports XAUTH
09/12/20 19:19:05 ii : peer supports DPDv1
09/12/20 19:19:05 ii : peer supports nat-t ( draft v02 )
09/12/20 19:19:05 ii : nat discovery - local address is translated
09/12/20 19:19:05 ii : switching to src nat-t udp port 4500
09/12/20 19:19:05 ii : switching to dst nat-t udp port 4500
09/12/20 19:19:05 >= : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 >= : message 00000000
09/12/20 19:19:05 ii : phase1 sa established
09/12/20 19:19:05 ii : 193.xxx.xxx.41:4500 <-> 192.168.10.241:4500
09/12/20 19:19:05 ii : 192347d65cb76a3c:2f644b20af32bbb
09/12/20 19:19:05 ii : sending peer INITIAL-CONTACT notification
09/12/20 19:19:05 ii : - 192.168.10.241:4500 -> 193.xxx.xxx.41:4500
09/12/20 19:19:05 ii : - isakmp spi = 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 ii : - data size 0
09/12/20 19:19:05 >= : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 >= : message 3c431f2a
09/12/20 19:19:05 ii : processing config packet ( 76 bytes )
09/12/20 19:19:05 =< : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 =< : message de1d0f23
09/12/20 19:19:05 ii : - xauth authentication type
09/12/20 19:19:05 ii : - xauth username
09/12/20 19:19:05 ii : - xauth password
09/12/20 19:19:05 ii : received basic xauth request -
09/12/20 19:19:05 ii : - standard xauth username
09/12/20 19:19:05 ii : - standard xauth password
09/12/20 19:19:05 ii : sending xauth response for ad-domain-user
09/12/20 19:19:05 >= : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 >= : message de1d0f23
09/12/20 19:19:05 ii : processing config packet ( 76 bytes )
09/12/20 19:19:05 =< : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 =< : message 94baa9d6
09/12/20 19:19:05 ii : received xauth result -
09/12/20 19:19:05 ii : user ad-domain-user authentication succeeded
09/12/20 19:19:05 ii : sending xauth acknowledge
09/12/20 19:19:05 >= : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 >= : message 94baa9d6
09/12/20 19:19:05 ii : building config attribute list
09/12/20 19:19:05 ii : sending config pull request
09/12/20 19:19:05 >= : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 >= : message 2c94bbd5
09/12/20 19:19:05 ii : processing config packet ( 332 bytes )
09/12/20 19:19:05 =< : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:05 =< : message 2c94bbd5
09/12/20 19:19:05 ii : received config pull response
09/12/20 19:19:05 ii : waiting for vnet to arrive ...
09/12/20 19:19:06 !! : VNET adapter MTU defaulted to 1500.
09/12/20 19:19:06 ii : creating IPSEC INBOUND policy ANY:192.168.4.0/24:* ->
ANY:172.23.34.36:*
09/12/20 19:19:06 ii : creating IPSEC OUTBOUND policy ANY:172.23.34.36:* ->
ANY:192.168.4.0/24:*
09/12/20 19:19:06 ii : created IPSEC policy route for 192.168.4.0/24
--- I deleted a few subnets
09/12/20 19:19:06 ii : creating IPSEC INBOUND policy
ANY:192.168.54.0/24:*-> ANY:172.23.34.36:
*
09/12/20 19:19:06 ii : creating IPSEC OUTBOUND policy ANY:172.23.34.36:* ->
ANY:192.168.54.0/24:*
09/12/20 19:19:06 ii : created IPSEC policy route for 192.168.54.0/24
09/12/20 19:19:07 ii : split DNS bypassed ( no split domains defined )
09/12/20 19:19:07 >= : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:07 >= : message f1244028
09/12/20 19:19:07 ii : processing informational packet ( 92 bytes )
09/12/20 19:19:07 =< : cookies 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:07 =< : message 4a97adf4
09/12/20 19:19:07 ii : received peer DELETE message
09/12/20 19:19:07 ii : - 193.asa.xx.41:4500 -> 192.168.10.241:4500
09/12/20 19:19:07 ii : - isakmp spi = 192347d65cb76a3c:2f644b200af32bbb
09/12/20 19:19:07 ii : cleanup, marked phase1
192347d65cb76a3c:2f644b200af32bbb for removal
09/12/20 19:19:07 ii : phase1 removal before expire time
09/12/20 19:19:07 ii : removing IPSEC INBOUND policy ANY:192.168.4.0/24:* ->
ANY:172.23.34.36:*
09/12/20 19:19:07 ii : removing IPSEC OUTBOUND policy ANY:172.23.34.36:* ->
ANY:192.168.4.0/24:*
09/12/20 19:19:07 !! : failed to remove IPSEC policy route for ANY:
192.168.4.0/24:*
--- I deleted a few subnets
09/12/20 19:19:07 ii : removing IPSEC INBOUND policy
ANY:192.168.54.0/24:*-> ANY:172.23.34.36:
*
09/12/20 19:19:07 ii : removing IPSEC OUTBOUND policy ANY:172.23.34.36:* ->
ANY:192.168.54.0/24:*
09/12/20 19:19:07 !! : failed to remove IPSEC policy route for ANY:
192.168.54.0/24:*
09/12/20 19:19:07 DB : removing tunnel config references
09/12/20 19:19:07 DB : removing tunnel phase2 references
09/12/20 19:19:07 ii : phase2 removal before expire time
09/12/20 19:19:07 DB : removing tunnel phase1 references
09/12/20 19:19:07 DB : removing all peer tunnel refrences
09/12/20 19:19:07 ii : ipc client process thread exit ...
--------

Unfortunately I don't control the asa, but the network admin sent me the
relevant part of the config:
-------
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto ipsec transform-set AES esp-aes esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set AES256 3DES AES
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map CMAP 99 ipsec-isakmp dynamic DYNMAP
crypto map CMAP interface ipsec

crypto isakmp identity hostname
crypto isakmp enable ipsec
crypto isakmp policy 1
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 3
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


tunnel-group TUNNEL-GROUP-NAME type ipsec-ra
tunnel-group TUNNEL-GROUP-NAME general-attributes
 authentication-server-group radius-server
 accounting-server-group radius-server
 default-group-policy TUNNEL-GROUP-NAME-RA
tunnel-group TUNNEL-GROUP-NAME ipsec-attributes
 pre-shared-key *


group-policy TUNNEL-GROUP-NAME-RA internal
group-policy TUNNEL-GROUP-NAME-RA attributes
 wins-server value 193.wins.xxx.11
 dns-server value 193.dns1.xxx.1 193.dns2.xxx.200
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ROUTING_SPLIT
 default-domain value domain.com
 user-authentication enable
 address-pools value VPN_USERS

ip local pool VPN_USERS 172.23.32.1-172.23.33.255 mask 255.255.252.0

access-list ROUTING_SPLIT standard permit 192.168.4.0 255.255.255.0
-------

Any suggestions?

Regards:
Attila
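As an added example (not part of the post, and not Shrew Soft's own code), a small triage script over iked.log lines in the format quoted above: it pulls out the negotiated phase1 parameters, records which milestones (phase1 SA, XAuth, mode config, phase2 SA) were reached, and reports where the session stopped. The "phase2 sa established" marker string is an assumption; the post's log never reaches phase2, so that marker does not appear in it.

```python
import re

# Constructed excerpt in the Shrew Soft iked.log format shown in the post above.
SAMPLE_LOG = """\
09/12/20 19:19:05 ii : - cipher type  = aes
09/12/20 19:19:05 ii : - key length   = 256 bits
09/12/20 19:19:05 ii : - hash type    = sha1
09/12/20 19:19:05 ii : - dh group     = modp-1024
09/12/20 19:19:05 ii : - auth type    = xauth-initiator-psk
09/12/20 19:19:05 ii : phase1 sa established
09/12/20 19:19:05 ii : user ad-domain-user authentication succeeded
09/12/20 19:19:05 ii : received config pull response
09/12/20 19:19:07 ii : received peer DELETE message
"""

# Ordered milestones of an IKEv1 + XAuth + mode-config session against an ASA.
# "phase2 sa established" is an assumed marker; the post's log never gets that far.
MILESTONES = [
    ("phase1", "phase1 sa established"),
    ("xauth", "authentication succeeded"),
    ("modecfg", "received config pull response"),
    ("phase2", "phase2 sa established"),
]
ATTR_RE = re.compile(r" ii : - (.+?)\s+= (.+)$")  # "- hash type    = sha1"


def triage(log_text):
    """Return negotiated phase1 attributes, milestones reached and a verdict."""
    attrs, reached, deleted = {}, [], False
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
        for key, marker in MILESTONES:
            if marker in line and key not in reached:
                reached.append(key)
        if "received peer DELETE message" in line:
            deleted = True
    if "phase1" not in reached:
        verdict = "phase1 failed: compare the proposal with the gateway's isakmp policies and PSK"
    elif "xauth" not in reached:
        verdict = "xauth failed: check credentials / authentication-server-group"
    elif "modecfg" not in reached:
        verdict = "mode config failed: check group-policy attributes"
    elif deleted and "phase2" not in reached:
        verdict = "gateway sent DELETE after mode config, before any phase2 SA"
    else:
        verdict = "session reached phase2"
    return {"phase1": attrs, "reached": reached, "deleted": deleted, "verdict": verdict}
```

Run it over the full iked.log to confirm the failure point before comparing the client's proposal with the ASA's isakmp policies and group-policy settings.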