[Vpn-help] Configuration to work with Cisco ASA5520 8.04

Matthew Grooms mgrooms at shrew.net
Sat May 2 14:31:37 CDT 2009


Daniel Skorka wrote:
> Hello,
> 
> I am looking to make IKE work with my university's Cisco concentrator. I
> have everything working with vpnc (on Linux), but am not quite happy with that.
> I've been playing around with the Preferences dialog in ikea, but to no
> avail. The Howto in the wiki isn't very helpful, as it talks about
> configuring the concentrator as well. I have attached a successful run
> of vpnc with much debugging, as well as the converted cisco profile I
> was given. I am especially confused where to put the IPSec secret and
> what to choose in the 'Authentication' tab of ikea. Can anybody share
> some knowledge on whether this is possible, and if yes, how?
> 

Hi Daniel,

Your gateway uses hybrid mode for authentication. I just posted a new 
2.1.5 client beta that supports hybrid mode with Cisco devices. Do you 
also have a certificate authority file in PEM format? If so, you can 
build 2.1.5 from source, select the new 'Hybrid GRP + Xauth' mode in the 
authentication tab. After that, enter the following information ...

Local Identity:
  type = key identifier
  value = 'cisco group name'

Remote Identity:
  type = gateway specific, but probably IPv4 ( see below )
  value = gateway specific

Credentials:
  server certificate authority file = your gateway CA file
  pre shared key = 'cisco group password'

The Remote Identity value can be determined by examining the log output 
after setting the level to debug. This is handy if you don't know what 
your administrator has configured it as. For example, if I set the type 
to IP Address and the gateway sends an ASN.1 DN string, the log output 
will show the following ...

<< : key exchange payload
<< : nonce payload
<< : identification payload
!! : phase1 id type mismatch ( received asn1-dn but expected ipv4-host )

At that point, you change the Remote Identity to ASN.1 Distinguished 
Name and the connection should succeed.

Hope this helps,

-Matthew
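As an added illustration of the log-reading step in the reply above (this is not Shrew Soft code): a small checker that scans a debug-level client log for the "phase1 id type mismatch" line and reports which Remote Identity type to select. Only the asn1-dn and ipv4-host pairings come from the thread; the fqdn, ufqdn and keyid labels are assumptions about the client's naming.

```python
import re

# Log token -> Remote Identity type label in the Authentication tab.
# asn1-dn and ipv4-host are taken from the reply above; the other three
# entries are assumed names and may not match the client exactly.
ID_TYPE_LABELS = {
    "asn1-dn": "ASN.1 Distinguished Name",
    "ipv4-host": "IP Address",
    "fqdn": "Fully Qualified Domain Name",          # assumed
    "ufqdn": "User Fully Qualified Domain Name",    # assumed
    "keyid": "Key Identifier",                      # assumed
}

MISMATCH_RE = re.compile(
    r"^!! : phase1 id type mismatch \( received (\S+) but expected (\S+) \)"
)


def find_id_mismatch(log_text):
    """Return (received, expected) from the first phase1 id type mismatch
    line in the log, or None if no such line is present."""
    for line in log_text.splitlines():
        m = MISMATCH_RE.match(line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def suggest_remote_identity(log_text):
    """Map the id type the gateway actually sent to the Remote Identity
    type the user should select; unknown tokens are reported, not guessed."""
    found = find_id_mismatch(log_text)
    if found is None:
        return None
    received, _expected = found
    return ID_TYPE_LABELS.get(received, f"unknown id type '{received}'")


# Constructed sample, modelled on the debug excerpt quoted in the reply.
SAMPLE_LOG = """\
<< : key exchange payload
<< : nonce payload
<< : identification payload
!! : phase1 id type mismatch ( received asn1-dn but expected ipv4-host )
"""

if __name__ == "__main__":
    print(find_id_mismatch(SAMPLE_LOG))
    print("Set Remote Identity type to:", suggest_remote_identity(SAMPLE_LOG))
```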
