[Vpn-help] Cisco Client Access Rules

NMaio at guesswho.com
Sat Dec 12 16:23:37 CST 2009


Great news.  Thanks Matthew.

________________________________________
From: Matthew Grooms [mgrooms at shrew.net]
Sent: Saturday, December 12, 2009 5:00 PM
To: Nicholas Maio
Cc: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] Cisco Client Access Rules

NMaio at guesswho.com wrote:
> Matthew,
> Thank you for the response.  I believe we might be talking about two different things though.  What I am referring to is the fact that with PIX/ASA version 7 and up you have the ability to restrict a client from access to the gateway if the version number of the client is not correct.  VPNC has a way to send anything you want which means you can make it look like it is an actual Cisco client even though it is not.  The shrew client "appears" not to send a client type or version so if you are restricting to specific client versions the shrew client will not work unless you allow all clients.
>
> Here is the command I am referring to.  These are not ACLs applied to the traffic from a client... it just restricts the client version.
> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2118499
>
> Here is a thread of what I am referring to in the VPNC client.  The config directive is "Application Version"
> http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2007-February/001342.html
>

Hi Nick,

Thanks for the information. You may notice in the previous thread email,
the poster initially had the same suspicions I did which I believe to be
valid ...

'It suggests that either "concentrator configured to require a firewall"
or "concentrator configured to require IP compression".'

... the former being the firewall policy enforcement I was referring to.
However, I wasn't aware of the 'Application version' check which should
certainly be supported by the Shrew Soft VPN Client. I'll dig through
the vpnc source code to see how type and version are communicated during
negotiations. With any luck it won't be too difficult to add.

-Matthew
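
As an added illustration (not part of this thread, and not Shrew Soft or Cisco code), here is what the version restriction Nick describes looks like as ASA group-policy configuration, using the client-access-rule syntax from the ASA command reference linked above. The group-policy name is assumed, and the type/version strings must match what the client actually sends (as shown by `show vpn-sessiondb remote`); treat the wildcard usage as something to confirm against the reference for your ASA version.

```text
! Hypothetical group-policy name; syntax per the ASA 8.0 command reference
group-policy RemoteAccess attributes
 ! Rules are evaluated in priority order. Once any rule is defined, a client
 ! that matches no rule is denied, so a deny rule needs at least one permit.
 ! Type and version are free-form strings supplied by the client during
 ! IKE negotiation, matched literally, with * as a wildcard.
 client-access-rule 1 deny   type "Cisco VPN Client" version 4.*
 client-access-rule 2 permit type "Cisco VPN Client" version 5.*
 ! A client that sends no type/version at all (as the thread says the Shrew
 ! Soft client does) matches neither rule above and is refused. The only way
 ! to admit it under this policy is a catch-all permit such as:
 client-access-rule 3 permit type * version *
```

Because the rule compares strings the client chooses to send (the thread notes vpnc can set "Application Version" to anything), this is a compatibility and hygiene control, not an authentication of the client; logging denied connection attempts is the useful detection signal it gives you.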
