[vpn-help] Cisco RSA Authentication - configuration help needed

Matthew Grooms mgrooms at shrew.net
Sun Mar 14 21:19:06 CDT 2010

On 3/12/2010 9:20 AM, Tero Karttunen wrote:
> I am trying to set up Windows Server 2008 64-bit environment, and I am
> evaluating Shrew Soft VPN Client as an alternative to Cisco Systems
> VPN Client, which sadly does not work in 64-bit environments.
> I have two Cisco profiles to import called "TE-access" and "SU4TSF".
> The first one got imported successfully, and its type was "Mutual PSK
> + XAuth". However, the second one caused import to fail with 2.1.5.
> Learning that Cisco support is a recent addition, I downloaded
> 2.1.6-beta-6 and tried again.
> The message I got was: "The Cisco site configuration was imported but
> uses a RSA authentication method. You will need to import a
> certificate manually to complete the configuration." Preselected
> authentication method now seems to be "Mutual RSA + XAuth".
> Right. Pretty straightforward instruction; however, I cannot seem to
> get it to function correctly.
> What I have in hand are SU4TSF.pfx and SU4TSF.pcf files, the second
> being the Cisco profile and the first one containing all the necessary
> certificates. There are no certificate passwords so I am able to
> install both the enclosed VPN certificate and accompanied root CA
> sertificate into Windows certificate registry.
> PFX is PKCS12 file, right? However, when I attempted to set all the
> files (Server Certificate Authority File, Client Certificate File,
> Client Private Key file) to SU4TSF.pdf, it did not work. The results
> are:
> ------------------------------------------
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> server cert config failed
> detached from key daemon ...
> ------------------------------------------
> Can you please advice me how to correctly complete the configuration?
> Is there a HOWTO somewhere on converting pfx into necessary files? The
> vpnhelp documentation is somewhat sparse on what kind of files it
> expects!

I would try exporting the certificate manually using openssl to see if 
that works. This may produce more than one so it may take some trial and 
error. Google spits out a wealth of links when I type in "pfx to pem". 
Have a look at this ...


If you get it to work this way, please let us know.


More information about the vpn-help mailing list