[vpn-help] Shrew and RSA authentication with Cisco devices

Matthew Grooms mgrooms at shrew.net
Wed Mar 24 11:13:07 CDT 2010


On 3/17/2010 7:19 AM, Stefano Lassi wrote:
> Hi
> I'm using, with very good success, Shrew VPN Client in order to connect
> to Cisco VPN gateways (IOS, ASA/PIX, VPN3000), using PSK authentication.
> Now, I'm trying to connect to the same Cisco VPN gateways using Hybrid (RSA +
> XAuth) authentication, without success.
> The main problem I have is that the Cisco VPN server does not seem to
> recognize the VPN Group (profile), normally specified using the
> certificate OU field.
> I tested a few different client authentication "Identification Type"
> options (ASN.1, Key Identifier, etc.) without success: the Cisco gateways
> report that no "group association" was present in the client request.
> Does somebody have some hints on how to configure Shrew VPN Client to
> correctly propose the right OU field <-> VPN profile association to Cisco
> VPN gateways (the correct OU mapping is already correctly in place on the VPN
> servers, because they are working fine with RSA authentication against
> Cisco VPN Clients ...)?
> Thank you very much and see you soon
> Stefano
>

Stefano,

For Cisco Hybrid, you should not use Mutual RSA + Xauth. Use Hybrid RSA 
+ XAuth instead. If you need Mutual RSA + Xauth and that isn't working, 
can you provide log output from the client and the gateway?

-Matthew


