[vpn-help] R: Shrew and RSA authentication with Cisco devices

Trzewiczek Łukasz lukasz.trzewiczek at hutmen.pl
Mon Oct 3 02:01:55 CDT 2011


Hi, 

I have encountered the same problem with Mutual RSA + XAUTH authentication. My client version is 2.1.7 and I use it with an ASA 5505 (soft ver. 6.2) with mutual PSK authentication. The Cisco ASA is configured the same as in this tutorial:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

I also have Microsoft's CA. It works perfectly with Cisco VPN Client but doesn't work with Shrew. Has any of you used such dual authentication with success? I have tried probably every option in access manager and I don't know if there's any bug in access manager or my configuration is wrong.

Logs from the ASA are as follows:

Sep 29 09:06:22 hutmenasa %ASA-6-302015: Built inbound UDP connection 250884 for outside:95.41.84.136/4500 (95.41.84.136/4500) to identity:172.18.1.16/4500 (172.18.1.16/4500)
Sep 29 09:06:22 hutmenasa %ASA-6-713172: Group = Uzytkownicy, IP = 95.41.84.136, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This end   IS   behind a NAT device
Sep 29 09:06:22 hutmenasa %ASA-6-717022: Certificate was successfully validated. serial number: 626A0CC20004000000AD, subject name:  ea=lukasz.trzewiczek at hutmen.pl,cn=Łukasz Trzewiczek,ou=FI,ou=DG,ou=Hutmen,ou=Uzytkownicy,dc=hutmen,dc=pl.
Sep 29 09:06:22 hutmenasa %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Sep 29 09:06:22 hutmenasa %ASA-5-713050: Group = Uzytkownicy, IP = 95.41.84.136, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
Sep 29 09:06:22 hutmenasa %ASA-3-713902: Group = Uzytkownicy, IP = 95.41.84.136, Removing peer from peer table failed, no match!
Sep 29 09:06:22 hutmenasa %ASA-4-713903: Group = Uzytkownicy, IP = 95.41.84.136, Error: Unable to remove PeerTblEntry
Sep 29 09:06:22 hutmenasa %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown


Any help will be appreciated.

Regards

Lukas


On 3/17/2010 7:19 AM, Stefano Lassi wrote:

> Hi
> I'm using, with very good success, Shrew VPN Client in order to connect to
> Cisco VPN gateways (IOS, ASA/PIX, VPN3000), using PSK authentication.
> Now, I'm trying to connect to the same Cisco VPN gateways using Hybrid (RSA +
> XAuth) authentication, without success.
> The main problem I have is that the Cisco VPN server seems not to recognize the VPN group
> (profile), normally specified using the certificate OU field.
> I tested a few different client authentication "Identification Type"
> options (ASN.1, Key Identifier, etc.) without success: Cisco gateways
> report no "group association" was present in the client request.
> Does somebody have some hints on how to configure Shrew VPN Client to
> correctly propose the right OU field <-> VPN profile association to Cisco
> VPN gateways (the correct OU mapping is already correctly in place on the VPN
> servers, because they are working fine with RSA authentication against
> Cisco VPN Clients ...).
> Thank you very much and see you soon
> Stefano

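The ASA log excerpt is the main evidence in this thread, so here is an added triage script (example code added by the editor, not from the Shrew project or from either poster) that parses ASA syslog lines of the shape shown above and reports, per session, whether the gateway validated the peer certificate, whether revocation was checked, whether the tunnel-group the ASA chose appears among the certificate's OU values (the OU-to-group mapping Stefano asks about), and whether the peer tore the exchange down before any user was authenticated. The sample lines are constructed from the excerpt (re-joined into single lines, ASCII-only), and the message IDs the script keys on (302015, 713172, 717022, 717028, 713050, 113019) are the ones visible in the post; the `triage_ike_session` function and its report fields are the example's own design.

```python
import re

# Constructed sample: the ASA syslog lines from the post, re-joined into single
# lines and with the non-ASCII CN replaced by plain ASCII.
SAMPLE_LOG = """\
Sep 29 09:06:22 hutmenasa %ASA-6-302015: Built inbound UDP connection 250884 for outside:95.41.84.136/4500 (95.41.84.136/4500) to identity:172.18.1.16/4500 (172.18.1.16/4500)
Sep 29 09:06:22 hutmenasa %ASA-6-713172: Group = Uzytkownicy, IP = 95.41.84.136, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This end   IS   behind a NAT device
Sep 29 09:06:22 hutmenasa %ASA-6-717022: Certificate was successfully validated. serial number: 626A0CC20004000000AD, subject name:  ea=lukasz.trzewiczek at hutmen.pl,cn=Lukasz Trzewiczek,ou=FI,ou=DG,ou=Hutmen,ou=Uzytkownicy,dc=hutmen,dc=pl.
Sep 29 09:06:22 hutmenasa %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Sep 29 09:06:22 hutmenasa %ASA-5-713050: Group = Uzytkownicy, IP = 95.41.84.136, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
Sep 29 09:06:22 hutmenasa %ASA-3-713902: Group = Uzytkownicy, IP = 95.41.84.136, Removing peer from peer table failed, no match!
Sep 29 09:06:22 hutmenasa %ASA-4-713903: Group = Uzytkownicy, IP = 95.41.84.136, Error: Unable to remove PeerTblEntry
Sep 29 09:06:22 hutmenasa %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
"""

# "<timestamp> <host> %ASA-<severity>-<msgid>: <text>" as emitted by ASA syslog.
ASA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)
PEER_RE = re.compile(r"\bIP = (?P<ip>\d+\.\d+\.\d+\.\d+)")
GROUP_RE = re.compile(r"\bGroup = (?P<group>[^,]*)")
SUBJECT_RE = re.compile(r"subject name:\s*(?P<subject>.+?)\.?$")
USER_RE = re.compile(r"\bUsername = (?P<user>[^,]*),")


def parse_asa_line(line):
    """Return a dict (ts, host, sev, msgid, text) or None for non-ASA lines."""
    m = ASA_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"] = int(ev["sev"])
    ev["msgid"] = int(ev["msgid"])
    return ev


def parse_asa_log(text):
    return [ev for ev in (parse_asa_line(l) for l in text.splitlines()) if ev]


def cert_ous(subject):
    """All OU values of an ASA-printed subject name, in certificate order."""
    return [v.strip() for v in re.findall(r"(?i)\bou=([^,]+)", subject)]


def verdict(r):
    if not r["cert_validated"]:
        return "gateway did not validate a peer certificate"
    if r["terminated_by_peer"] and not r["user_authenticated"]:
        return ("gateway accepted the certificate; the peer tore the IKE SA down "
                "before XAUTH completed, so the failure is on the client side")
    if not r["user_authenticated"]:
        return "certificate accepted but no user was authenticated"
    return "session authenticated"


def triage_ike_session(events):
    """Summarise one certificate-authenticated IKE attempt from ASA events."""
    r = {"peer": None, "group": None, "cert_validated": False, "cert_subject": None,
         "revocation_checked": True, "group_in_cert_ou": None,
         "terminated_by_peer": False, "user_authenticated": False}
    for ev in events:
        txt, mid = ev["text"], ev["msgid"]
        pm = PEER_RE.search(txt)
        if r["peer"] is None and pm and pm.group("ip") != "0.0.0.0":
            r["peer"] = pm.group("ip")
        gm = GROUP_RE.search(txt)
        if r["group"] is None and gm and gm.group("group").strip():
            r["group"] = gm.group("group").strip()
        if mid == 717022:                      # certificate validated
            r["cert_validated"] = True
            sm = SUBJECT_RE.search(txt)
            if sm:
                r["cert_subject"] = sm.group("subject")
        elif mid == 717028 and "revocation status was not checked" in txt:
            r["revocation_checked"] = False    # CRL/OCSP not consulted
        elif mid == 713050 and "Peer Terminate" in txt:
            r["terminated_by_peer"] = True     # remote side sent the delete
        elif mid == 113019:                    # session teardown record
            um = USER_RE.search(txt)
            r["user_authenticated"] = bool(um and um.group("user").strip())
    if r["cert_subject"] and r["group"]:
        # Does the tunnel-group the ASA picked match one of the certificate OUs?
        r["group_in_cert_ou"] = r["group"] in cert_ous(r["cert_subject"])
    r["verdict"] = verdict(r)
    return r


if __name__ == "__main__":
    for k, v in triage_ike_session(parse_asa_log(SAMPLE_LOG)).items():
        print(f"{k:20} {v}")
```

Run against the sample it reports that the certificate was validated but revocation was not checked, that the group "Uzytkownicy" does appear as an OU of the certificate (so the OU-to-group mapping worked on the gateway side), and that the peer terminated the IKE SA with no username ever recorded, which is why the 113019 line shows an empty group and user.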
