[vpn-help] Using Shrewsoft with IAS Radius + Cisco

Shawn Edwards sedwards at pathix.com
Thu Feb 11 11:39:56 CST 2010


I've tried this variation as well and I still get the exact same errors on 
the router and client..
Thanks,
Shawn Edwards
Sr. Network Analyst
Pathix ASP
A Division of Vector Aerospace Corporation 
Ph: 709-724-8564
Fax: 709-724-8545
sedwards at pathix.com



From:
"Garber, Kevin M." <Kevin.Garber at glatfelter.com>
To:
"Shawn Edwards" <sedwards at pathix.com>, <vpn-help at lists.shrew.net>, 
<vpn-help-bounces at lists.shrew.net>
Date:
02/11/2010 01:48 PM
Subject:
RE: [vpn-help] Using Shrewsoft with IAS Radius + Cisco



Shawn,
 
Are you using the format of user at domain.whatever?   The format of 
domain\user does not work. 
 
Kevin
 
From: vpn-help-bounces at lists.shrew.net [
mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Shawn Edwards
Sent: Thursday, February 11, 2010 11:33 AM
To: vpn-help at lists.shrew.net; vpn-help-bounces at lists.shrew.net
Subject: Re: [vpn-help] Using Shrewsoft with IAS Radius + Cisco
 
We are using a Cisco ISR with Easy VPN Server to connect remote users to 
our network. We've been using it for quite some time with Cisco VPN Client 
but obviously need a 64 bit VPN Client. I came across shrewsoft VPN Client 
not too long ago, and would love if I could get this software working as 
it seems too good to be true.. In any case Here's what we have: 

Cisco ISR 2821 Running IPSEC VPN , doing radius authentication to a 
Windows Server 2003 Radius Server. Everything's configured properly as we 
use it successfully with the Cisco VPN Client. 

I installed shrewsoft 2.1.5, and it successfully imported the existing 
cisco PCF File we had. When I attempt to connect it asks me for username 
and password (No Domain field like Cisco VPN Though) I enter in 
credentials of a user that has permission's to connect.. Here is the 
output of shrewsoft: 

config loaded for site 'MyCompany.pcf' 
configuring client settings ... 
attached to key daemon ... 
peer configured 
iskamp proposal configured 
esp proposal configured 
client configured 
local id configured 
pre-shared key configured 
bringing up tunnel ... 
user authentication error 
tunnel disabled 
detached from key daemon 

I did a Debug RADIUS on the cisco ISR and get the following: 

*Feb 10 15:08:16 NST: ISAKMP:(0):Support for IKE Fragmentation not enabled 

*Feb 10 15:08:16 NST: RADIUS/ENCODE(000064C7):Orig. component type = 
VPN_IPSEC 
*Feb 10 15:08:16 NST: RADIUS:  AAA Unsupported Attr: interface [175] 13 

*Feb 10 15:08:16 NST: RADIUS:   31 39 32 2E 31 36 38 2E 32 35 32 
 [192.168.252] 
*Feb 10 15:08:16 NST: RADIUS/ENCODE(000064C7): dropping service type, 
"radius-se 
rver attribute 6 on-for-login-auth" is off 
*Feb 10 15:08:16 NST: RADIUS(000064C7): Config NAS IP: removed-ip-address 
*Feb 10 15:08:16 NST: RADIUS/ENCODE(000064C7): acct_session_id: 25799 
*Feb 10 15:08:16 NST: RADIUS(000064C7): sending 
*Feb 10 15:08:16 NST: RADIUS(000064C7): Send Access-Request to 
192.168.32.2:1645 
 id 1645/5, len 161 
*Feb 10 15:08:16 NST: RADIUS:  authenticator 97 70 52 F6 D5 AD D2 3F - 57 
93 56 
2F 79 6D C5 3F 
*Feb 10 15:08:16 NST: RADIUS:  User-Name           [1]   9   "testinguser" 

*Feb 10 15:08:16 NST: RADIUS:  Calling-Station-Id  [31]  17 
"removed-ip-address" 
*Feb 10 15:08:16 NST: RADIUS:  Vendor, Microsoft   [26]  24 
*Feb 10 15:08:16 NST: RADIUS:   MS-CHAP-Challenge  [11]  18 
*Feb 10 15:08:16 NST: RADIUS:   97 70 52 F6 D5 AD D2 3F 57 93 56 2F 79 6D 
C5 3F 
 [?pR?????W?V/ym??] 
*Feb 10 15:08:16 NST: RADIUS:  Vendor, Microsoft   [26]  58 
*Feb 10 15:08:16 NST: RADIUS:   MS-CHAP-V2-Response[25]  52  * 
*Feb 10 15:08:16 NST: RADIUS:  NAS-Port-Type       [61]  6   Virtual 
       [5] 
*Feb 10 15:08:16 NST: RADIUS:  NAS-Port            [5]   6   9 

*Feb 10 15:08:16 NST: RADIUS:  NAS-Port-Id         [87]  15 
"removed-ip-address" 
*Feb 10 15:08:16 NST: RADIUS:  NAS-IP-Address      [4]   6 
removed-ip-address 

*Feb 10 15:08:16 NST: RADIUS: Received from id 1645/5 
removed-ip-address:1645, Access- 
Reject, len 42 
*Feb 10 15:08:16 NST: RADIUS:  authenticator 4D 85 12 70 89 79 43 60 - 5B 
76 6B 
BA 80 20 92 D3 
*Feb 10 15:08:16 NST: RADIUS:  Vendor, Microsoft   [26]  22 
*Feb 10 15:08:16 NST: RADIUS:   MS-CHAP-ERROR      [2]   16 
*Feb 10 15:08:16 NST: RADIUS:   00 45 3D 36 39 31 20 52 3D 30 20 56 3D 33 
 [?E=691 R=0 V=3] 
*Feb 10 15:08:16 NST: RADIUS(000064C7): Received from id 1645/5 
*Feb 10 15:08:16 NST: RADIUS/DECODE: Failure message in the MS-Chap-Error 
attrib 
ute is E=691 R=0 V=3 
*Feb 10 15:08:16 NST: RADIUS/DECODE: Authentication failure 


Any ideas/help would be greatly appreciated.. 


Thanks,
Shawn Edwards
Sr. Network Analyst
Pathix ASP
A Division of Vector Aerospace Corporation 
Ph: 709-724-8564
Fax: 709-724-8545
sedwards at pathix.com 


From: 
"Mike Parsons" <mike.parsons at mynetwiz.com> 
To: 
"'Lukasz Sokol'" <el.es.cr at googlemail.com>, <vpn-help at lists.shrew.net> 
Date: 
02/11/2010 12:59 PM 
Subject: 
Re: [vpn-help] Using VPN Trace utility
 




Thanks, Lukasz--

You're referring to the open log button I assume and not the trace log?
What is the trace log ubutton used for?

Why aren't log files showing up in the shrew soft directory under the 
debug
folder?

Thanks in advance.

Mike Parsons -- CISSP, IAM, IEM
Chief Technical Officer
mike.parsons at mynetwiz.com
cell:    336-403-9710 
office:  336-306-5573 

Information security architecture and consulting 
Risk assessment
Compliance readiness assessment
Design and implementation services 
JNCIA -- Firewalls, SSL/VPN, IDP 
JNSS -- UAC, Security, Routers, DX 
Ironport, Bluecoat and Tipping Point certified 
Graduate Certificate in Information Security and Privacy 
Security+
MCP 
www.mynetwiz.com
******************************************************* 
Managing information risk through the application of sound technology 
If you know me, you can trust me.

Galatians 2:20 

-----Original Message-----
From: Lukasz Sokol [mailto:el.es.cr at googlemail.com] 
Sent: Thursday, February 11, 2010 11:22 AM
To: Mike Parsons
Subject: Re: [vpn-help] Using VPN Trace utility

Hello Mike,

On 11/02/2010 15:57, Mike Parsons wrote:
> Hello-
> 
> 
> 
> I am trying to debug a vpn client connect issue using Shrew Soft 2.1.5 
on
> windows 7 and connecting to a Juniper SSG
> 
> 
> 
> I started the VPN trace application and then attempted top connect to 
the
> SSG.  No output showed up in any of the VPN trace application tabs nor 
did
> anything show up in the log files of the client.
> 
> 
> 
> Any thoughts?
> 

When you start Shrew Trace Utility, you need to go to File -> Options,
there select Log Output Level (I select Informational), click OK,
then in the main window click on Open Log button in each tab.
(ver 2.1.5 had it so)

Lukasz

_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help






This e-mail may contain confidential information and the sender does not 
waive any related rights and obligations. If you are not the intended 
recipient please notify the sender and discard it.





This e-mail may contain confidential information and the sender does not 
waive any related rights and obligations. If you are not the intended 
recipient please notify the sender and discard it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20100211/50b9c72e/attachment-0002.html>


More information about the vpn-help mailing list