[vpn-help] Issues with Cisco ASA and Shrewsoft Mutual RSA + XAuth

Richard Watts richard.watts at snowvalley.com
Wed Dec 15 10:31:30 CST 2010


Afternoon All,
We have been using our ASAs with a Mutual PSK + XAuth authentication
scheme for a few years, with a spread of clients between the official
Cisco VPN client and the Shrewsoft client (mainly used by 64-bit users).
We have a requirement to implement two-factor authentication on our
client VPNs for our PCI DSS compliance, so we are implementing a client
certificate based authentication scheme rather than the mutual PSK; the
XAuth in this case is integrated with Active Directory via RADIUS.
After some fiddling about I have been able to use client certificates to
provide the initial authentication with the Cisco client; the OU
specified in the certificate is matched to a tunnel group
(VPNAdminUsers) configured on the ASA, which is then passed through to
the RADIUS server, which authenticates the user in our AD.
I imported the working PCF from the Cisco client into the Shrewsoft
client, but have been singularly unsuccessful in connecting the VPN from
the Shrewsoft client.  When I imported the PCF it explained I would have
to import the certificates manually, so I:

- Exported the CA certificate from Microsoft Certificate Services as
Base64 with the default .CER extension; I renamed this file to a .PEM
file and chose this for the Server Certificate Authority file.

- Exported my client certificate from the local certificate store in
PKCS12 format with a .pfx extension, with the private key included; I
chose this file for both the Client Certificate File and the Client
Private Key File. The client seemed happy with this and prompted me for
the certificate key password when I tried to connect. To eliminate this
as the problem I then took the PKCS12 file and converted it using
OpenSSL to a PEM and KEY file and used those instead of the PFX file;
the client seemed fine with this as well.

 

I am confident all the transform sets are configured correctly; they
work perfectly if the tunnel is reconfigured back to use Mutual PSK
rather than XAuth.

When I try to connect the VPN, the tunnel fails to establish when
negotiating the initial connection, and the firewall logs:
Group = VPNAdminUsers, IP = X, No preshared key configured for group

Group = VPNAdminUsers, IP = X, Can't find a valid tunnel group, aborting

Group = VPNAdminUsers, IP = X, Removing peer from peer table failed, no match!

It is picking up the correct tunnel group from the subject OU in the
client certificate, or at least it certainly seems to be; it is the only
place VPNAdminUsers is mentioned anywhere in the Shrewsoft
configuration. I don't understand why it is looking for a preshared key
though; the client certificate is meant to be used instead of a PSK for
the initial negotiation.
Is anyone able to shed any light on this for me? TL;DR: I'm trying to
use a Windows CA to provide Mutual RSA authentication; it works perfectly
from the Cisco client but the Shrewsoft one doesn't, and I can't see
anything obviously wrong with my configuration, so I am at a bit of a loss.
Any help that you folks can provide would be greatly appreciated.
Thanks,
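The certificate handling the post describes, rebuilt as an added diagnostic script (this is not code from the original message, nor from Shrew Soft or Cisco). It stands up a throwaway CA and user certificate in place of the Windows CA, performs the PKCS#12 export and the OpenSSL split into separate PEM certificate and key files, and then runs the three checks worth doing before blaming the VPN client: the certificate chains to the CA file, the private key actually belongs to the certificate, and the subject OU is exactly the tunnel-group name the ASA is expected to match. The file paths, the PKCS#12 password, the subject names and the VPNAdminUsers OU value are constructed assumptions for the example.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post). Recreates the
# CA -> client cert -> .pfx -> PEM/KEY path described above on throwaway
# material so the checks can be exercised offline. All names, paths and
# the export password below are constructed assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
TUNNEL_GROUP="VPNAdminUsers"    # OU that the ASA maps to a tunnel group
PFX_PASS="export-pass"          # constructed PKCS#12 export password

# 1. Stand-in for the Windows CA and the user's certificate (constructed).
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/OU=$TUNNEL_GROUP/CN=example-user" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
    -out "$WORK/client.pem" >/dev/null 2>&1
  # The export the post describes: certificate plus private key as a .pfx
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -out "$WORK/client.pfx" -passout "pass:$PFX_PASS"
}

# 2. Split the .pfx into the PEM certificate and key files the client wants.
split_pfx() {
  openssl pkcs12 -in "$WORK/client.pfx" -clcerts -nokeys \
    -passin "pass:$PFX_PASS" -out "$WORK/client-from-pfx.pem" 2>/dev/null
  openssl pkcs12 -in "$WORK/client.pfx" -nocerts -nodes \
    -passin "pass:$PFX_PASS" -out "$WORK/client-from-pfx.key" 2>/dev/null
}

# 3a. Chain check: does the client certificate validate against the CA file
#     that was handed to the client as "Server Certificate Authority"?
check_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client-from-pfx.pem" >/dev/null
}

# 3b. Key check: the RSA modulus of the key must equal that of the cert.
check_key_matches() {
  cert_mod=$(openssl x509 -noout -modulus -in "$WORK/client-from-pfx.pem")
  key_mod=$(openssl rsa -noout -modulus -in "$WORK/client-from-pfx.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ]
}

# 3c. OU check: print the subject OU exactly as the ASA will see it.
subject_ou() {
  openssl x509 -noout -subject -nameopt sep_multiline \
    -in "$WORK/client-from-pfx.pem" | sed -n 's/^ *OU=//p'
}

check_ou_matches_group() {
  [ "$(subject_ou)" = "$TUNNEL_GROUP" ]
}

# Convenience entry point: run every step and report.
run_all() {
  make_test_material
  split_pfx
  check_chain        && echo "chain to CA file:      OK"
  check_key_matches  && echo "key matches cert:      OK"
  check_ou_matches_group && echo "subject OU = $TUNNEL_GROUP: OK"
}
```

Source the file and call `run_all`, or point `WORK`, the `-in` paths and `TUNNEL_GROUP` at a real .pfx and CA file to run the same three checks on production material. If all three pass, the PEM certificate and key the client was given are sound; the next thing to examine is which authentication method the client is actually proposing in IKE phase 1, since an ASA that reports "No preshared key configured for group" is looking up PSK material rather than evaluating the certificate.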