[Vpn-help] Configuration to work with Cisco ASA5520 8.04
Matthew Grooms
mgrooms at shrew.net
Sat May 2 14:31:37 CDT 2009
Daniel Skorka wrote:
> Hello,
>
> I am looking to make IKE work with my university's Cisco concentrator. I
> have everything working with vpnc (on Linux), but am not quite happy with that.
> I've been playing around with the Preferences dialog in ikea, but to no
> avail. The Howto in the wiki isn't very helpful, as it talks about
> configuring the concentrator as well. I have attached a successful run
> of vpnc with much debugging, as well as the converted cisco profile I
> was given. I am especially confused where to put the IPSec secret and
> what to choose in the 'Authentication' tab of ikea. Can anybody share
> some knowledge on whether this is possible, and if yes, how?
>
Hi Daniel,
Your gateway uses hybrid mode for authentication. I just posted a new
2.1.5 client beta that supports hybrid mode with Cisco devices. Do you
also have a certificate authority file in PEM format? If so, you can
build 2.1.5 from source and select the new 'Hybrid GRP + Xauth' mode in the
authentication tab. After that, enter the following information ...
Local Identity:
    type  = key identifier
    value = 'cisco group name'

Remote Identity:
    type  = gateway specific, but probably IPv4 ( see below )
    value = gateway specific

Credentials:
    server certificate authority file = your gateway CA file
    pre shared key                    = 'cisco group password'
The Remote Identity value can be determined by examining the log output
after setting the level to debug. This is handy if you don't know what
your administrator has configured it as. For example, if I set the type
to IP Address and the gateway sends an ASN.1 DN string, the log output
will show the following ...
<< : key exchange payload
<< : nonce payload
<< : identification payload
!! : phase1 id type mismatch ( received asn1-dn but expected ipv4-host )
At that point, you change the Remote Identity to ASN.1 Distinguished
Name and the connection should succeed.
Hope this helps,
-Matthew
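The reply above resolves the Remote Identity type by reading the client's debug log for the "phase1 id type mismatch" line. The following Python script is an added example (not part of the original post or of the Shrew Soft client) that automates that check: it scans constructed log text modelled on the four lines quoted above, extracts the identity type the gateway actually sent and the type the client was configured to expect, and maps the received token to the Remote Identity type label to select. Only the `asn1-dn` and `ipv4-host` tokens and the labels "ASN.1 Distinguished Name" and "IP Address" come from the post; the remaining tokens and labels in the mapping are assumptions about the client's naming.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample log text, modelled on the lines quoted in the reply,
# with one extra informational line so the parser has something to skip.
SAMPLE_LOG = """\
ii : phase1 initiator exchange started
<< : key exchange payload
<< : nonce payload
<< : identification payload
!! : phase1 id type mismatch ( received asn1-dn but expected ipv4-host )
"""

# Maps the id-type tokens printed in the mismatch line to the Remote Identity
# type label to pick in the client. asn1-dn and ipv4-host are taken from the
# post; the other three entries are assumed names, not confirmed by the page.
ID_TYPE_LABELS = {
    "asn1-dn": "ASN.1 Distinguished Name",
    "ipv4-host": "IP Address",
    "fqdn": "Fully Qualified Domain Name",      # assumption
    "ufqdn": "User Fully Qualified Domain Name",  # assumption
    "keyid": "Key Identifier",                   # assumption
}

# Matches: "!! : phase1 id type mismatch ( received X but expected Y )"
MISMATCH_RE = re.compile(
    r"^!!\s*:\s*phase1 id type mismatch\s*\(\s*received\s+(\S+)\s+"
    r"but expected\s+(\S+)\s*\)"
)


class IdMismatch(NamedTuple):
    received: str         # type the gateway actually sent
    expected: str         # type the client was configured to expect
    suggested_label: str  # Remote Identity type to select instead


def find_id_mismatch(log_text: str) -> Optional[IdMismatch]:
    """Return the first phase 1 identity type mismatch found in the log text,
    or None when the log contains no such line (i.e. the configured Remote
    Identity type already matches what the gateway sends)."""
    for line in log_text.splitlines():
        m = MISMATCH_RE.match(line.strip())
        if m:
            received, expected = m.group(1), m.group(2)
            label = ID_TYPE_LABELS.get(received, f"unknown id type '{received}'")
            return IdMismatch(received, expected, label)
    return None


if __name__ == "__main__":
    result = find_id_mismatch(SAMPLE_LOG)
    if result is None:
        print("no phase1 id type mismatch found; Remote Identity type is correct")
    else:
        print(f"gateway sent {result.received}, client expected {result.expected}")
        print(f"set Remote Identity type to: {result.suggested_label}")
```

Run it against the client's debug log (for example `python3 check_remote_id.py < iked.log`, adapting the script to read stdin) after a failed connection attempt; the absence of a mismatch line means the identity type is not the cause of the failure and the log should be read further for the next `!!` entry.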