[vpn-help] R: Shrew and RSA authentication with Cisco devices

Stefano Lassi stefano.lassi at dastech.biz
Thu Mar 25 03:14:19 CDT 2010

Hi Matthew
I can't use Hybrid because the Cisco configuration requests Mutual.
I tried using the Trace utility, but it seems to me it is not working on W7 (64-bit).
Anyway, from the VPN Client I'm getting this output:
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...
In the meantime, the VPN server log is reporting that the gateway was unable to choose the correct VPN profile (which is normally recognized from the certificate OU field).
Please note I'm using the same certificate that works fine with the same VPN server and the Cisco VPN Client.
Thank you very much for your help.


From: Matthew Grooms [mailto:mgrooms at shrew.net]
Sent: Wed 24/03/2010 17.13
To: Stefano Lassi
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Shrew and RSA authentication with Cisco devices

On 3/17/2010 7:19 AM, Stefano Lassi wrote:
> Hi
> I'm using, with very good success, the Shrew VPN Client in order to connect to
> Cisco VPN gateways (IOS, ASA/PIX, VPN3000), using PSK authentication.
> Now, I'm trying to connect to the same Cisco VPN gateways using Hybrid (RSA +
> XAuth) authentication, without success.
> The main problem I have is that the Cisco VPN server seems not to recognize the VPN group
> (profile), normally specified using the certificate OU field.
> I tested a few different client authentication "Identification Type"
> options (ASN.1, Key Identifier, etc.) without success: the Cisco gateways
> report that no "group association" was present in the client request.
> Does anybody have some hints on how to configure the Shrew VPN Client to
> correctly propose the right OU field <-> VPN profile association to the Cisco
> VPN gateways (the correct OU mapping is already correctly in place on the VPN
> servers, because they are working fine with RSA authentication against
> Cisco VPN Clients ...)?
> Thank you very much and see you soon
> Stefano


For Cisco Hybrid, you should not use Mutual RSA + Xauth. Use Hybrid RSA
+ XAuth instead. If you need Mutual RSA + Xauth and that isn't working,
can you provide log output from the client and the gateway?

