[vpn-help] R: Shrew and RSA authentication with Cisco devices

Trzewiczek Łukasz lukasz.trzewiczek at hutmen.pl
Wed Oct 5 02:38:18 CDT 2011


Thank you for your reply. I attach Shrew IKE logs below. It looks like there's some problem with validating the remote (VPN gateway) certificate? I don't know why, and what can be the cause. I have to admit that knowledge about PKI is not my advantage. Maybe I imported the wrong certificate to the client? I have 3 Certificate Authorities: Root CA, Servers CA and Users CA in my company.

Thanks in advance

Lukas
________________________________
Logs:
11/10/05 08:25:37 ii : ipc client process thread begin ...
11/10/05 08:25:37 <A : peer config add message
11/10/05 08:25:37 DB : peer added ( obj count = 1 )
11/10/05 08:25:37 ii : local address 77.114.186.12 selected for peer
11/10/05 08:25:37 DB : tunnel added ( obj count = 1 )
11/10/05 08:25:37 <A : proposal config message
11/10/05 08:25:37 <A : proposal config message
11/10/05 08:25:37 <A : client config message
11/10/05 08:25:37 <A : xauth username message
11/10/05 08:25:37 <A : xauth password message
11/10/05 08:25:37 <A : remote cert 'C:\Users\itl1\Documents\Certyfikaty\RootCA\hutmenCA.pem' message
11/10/05 08:25:37 ii : 'C:\Users\itl1\Documents\Certyfikaty\RootCA\hutmenCA.pem' loaded
11/10/05 08:25:37 <A : local cert 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_public.crt' message
11/10/05 08:25:37 ii : 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_public.crt' loaded
11/10/05 08:25:37 <A : local key 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_private.crt' message
11/10/05 08:25:37 ii : 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_private.crt' loaded
11/10/05 08:25:37 <A : peer tunnel enable message
11/10/05 08:25:37 ii : obtained x509 cert subject ( 185 bytes )
11/10/05 08:25:37 DB : new phase1 ( ISAKMP initiator )
11/10/05 08:25:37 DB : exchange type is aggressive
11/10/05 08:25:37 DB : 77.114.186.12:500 <-> 89.171.80.182:500
11/10/05 08:25:37 DB : b76545efc9d94204:0000000000000000
11/10/05 08:25:37 DB : phase1 added ( obj count = 1 )
11/10/05 08:25:37 >> : security association payload
11/10/05 08:25:37 >> : - proposal #1 payload 
11/10/05 08:25:37 >> : -- transform #1 payload 
11/10/05 08:25:37 >> : -- transform #2 payload 
11/10/05 08:25:37 >> : -- transform #3 payload 
11/10/05 08:25:37 >> : -- transform #4 payload 
11/10/05 08:25:37 >> : -- transform #5 payload 
11/10/05 08:25:37 >> : -- transform #6 payload 
11/10/05 08:25:37 >> : -- transform #7 payload 
11/10/05 08:25:37 >> : -- transform #8 payload 
11/10/05 08:25:37 >> : -- transform #9 payload 
11/10/05 08:25:37 >> : -- transform #10 payload 
11/10/05 08:25:37 >> : -- transform #11 payload 
11/10/05 08:25:37 >> : -- transform #12 payload 
11/10/05 08:25:37 >> : -- transform #13 payload 
11/10/05 08:25:37 >> : -- transform #14 payload 
11/10/05 08:25:37 >> : -- transform #15 payload 
11/10/05 08:25:37 >> : -- transform #16 payload 
11/10/05 08:25:37 >> : -- transform #17 payload 
11/10/05 08:25:37 >> : -- transform #18 payload 
11/10/05 08:25:37 >> : key exchange payload
11/10/05 08:25:37 >> : nonce payload
11/10/05 08:25:37 >> : cert request payload
11/10/05 08:25:37 >> : identification payload
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports XAUTH
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( draft v00 )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( draft v01 )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( draft v02 )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( draft v03 )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( rfc )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports DPDv1
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local is SHREW SOFT compatible
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local is NETSCREEN compatible
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local is SIDEWINDER compatible
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local is CISCO UNITY compatible
11/10/05 08:25:37 >= : cookies b76545efc9d94204:0000000000000000
11/10/05 08:25:37 >= : message 00000000
11/10/05 08:25:37 -> : send IKE packet 77.114.186.12:500 -> 89.171.80.182:500 ( 1342 bytes )
11/10/05 08:25:37 DB : phase1 resend event scheduled ( ref count = 2 )
11/10/05 08:25:38 <- : recv IKE packet 89.171.80.182:500 -> 77.114.186.12:500 ( 2067 bytes )
11/10/05 08:25:38 DB : phase1 found
11/10/05 08:25:38 ii : processing phase1 packet ( 2067 bytes )
11/10/05 08:25:38 =< : cookies b76545efc9d94204:837a14a15df49646
11/10/05 08:25:38 =< : message 00000000
11/10/05 08:25:38 << : security association payload
11/10/05 08:25:38 << : - propsal #1 payload 
11/10/05 08:25:38 << : -- transform #13 payload 
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : matched isakmp proposal #1 transform #13
11/10/05 08:25:38 ii : - transform    = ike
11/10/05 08:25:38 ii : - cipher type  = 3des
11/10/05 08:25:38 ii : - key length   = default
11/10/05 08:25:38 ii : - hash type    = md5
11/10/05 08:25:38 ii : - dh group     = modp-1024
11/10/05 08:25:38 ii : - auth type    = xauth-initiator-rsa
11/10/05 08:25:38 ii : - life seconds = 86400
11/10/05 08:25:38 ii : - life kbytes  = 0
11/10/05 08:25:38 << : key exchange payload
11/10/05 08:25:38 << : nonce payload
11/10/05 08:25:38 << : identification payload
11/10/05 08:25:38 ii : phase1 id target is any
11/10/05 08:25:38 ii : phase1 id match 
11/10/05 08:25:38 ii : received = asn1-dn CN=hutmenasa
11/10/05 08:25:38 << : certificate payload
11/10/05 08:25:38 << : signature payload
11/10/05 08:25:38 << : cert request payload
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : peer is CISCO UNITY compatible
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : peer supports XAUTH
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : peer supports DPDv1
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : peer supports nat-t ( draft v02 )
11/10/05 08:25:38 << : nat discovery payload
11/10/05 08:25:38 << : nat discovery payload
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : unknown vendor id ( 20 bytes )
11/10/05 08:25:38 0x : 4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : unknown vendor id ( 16 bytes )
11/10/05 08:25:38 0x : 1f07f70e aa6514d3 b0fa9654 2a500100
11/10/05 08:25:38 ii : nat discovery - remote address is translated
11/10/05 08:25:38 ii : switching to src nat-t udp port 4500
11/10/05 08:25:38 ii : switching to dst nat-t udp port 4500
11/10/05 08:25:38 == : DH shared secret ( 128 bytes )
11/10/05 08:25:38 == : SETKEYID ( 16 bytes )
11/10/05 08:25:38 == : SETKEYID_d ( 16 bytes )
11/10/05 08:25:38 == : SETKEYID_a ( 16 bytes )
11/10/05 08:25:38 == : SETKEYID_e ( 16 bytes )
11/10/05 08:25:38 == : cipher key ( 32 bytes )
11/10/05 08:25:38 == : cipher iv ( 8 bytes )
11/10/05 08:25:38 >> : certificate payload
11/10/05 08:25:38 == : phase1 hash_i ( computed ) ( 16 bytes )
11/10/05 08:25:38 >> : signature payload
11/10/05 08:25:38 >> : nat discovery payload
11/10/05 08:25:38 >> : nat discovery payload
11/10/05 08:25:38 >= : cookies b76545efc9d94204:837a14a15df49646
11/10/05 08:25:38 >= : message 00000000
11/10/05 08:25:38 >= : encrypt iv ( 8 bytes )
11/10/05 08:25:38 == : encrypt packet ( 1865 bytes )
11/10/05 08:25:38 == : stored iv ( 8 bytes )
11/10/05 08:25:38 DB : phase1 resend event canceled ( ref count = 1 )
11/10/05 08:25:38 -> : send NAT-T:IKE packet 77.114.186.12:4500 -> 89.171.80.182:4500 ( 1900 bytes )
11/10/05 08:25:38 ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
11/10/05 08:25:38 ii : fragmented packet to 434 bytes ( MTU 1500 bytes )
11/10/05 08:25:38 ii : added hutmen_users_CA.crt to x509 store
11/10/05 08:25:38 ii : unable to get issuer certificate(2) at depth:1
11/10/05 08:25:38 ii : subject :/DC=pl/DC=hutmen/CN=Hutmen S.A. Uzytkownicy
11/10/05 08:25:38 !! : unable to verify remote peer certificate
11/10/05 08:25:38 ii : sending peer DELETE message
11/10/05 08:25:38 ii : - 77.114.186.12:4500 -> 89.171.80.182:4500
11/10/05 08:25:38 ii : - isakmp spi = b76545efc9d94204:837a14a15df49646
11/10/05 08:25:38 ii : - data size 0
11/10/05 08:25:38 >> : hash payload
11/10/05 08:25:38 >> : delete payload
11/10/05 08:25:38 == : new informational hash ( 16 bytes )
11/10/05 08:25:38 == : new informational iv ( 8 bytes )
11/10/05 08:25:38 >= : cookies b76545efc9d94204:837a14a15df49646
11/10/05 08:25:38 >= : message 889de6b1
11/10/05 08:25:38 >= : encrypt iv ( 8 bytes )
11/10/05 08:25:38 == : encrypt packet ( 76 bytes )
11/10/05 08:25:38 == : stored iv ( 8 bytes )
11/10/05 08:25:38 -> : send NAT-T:IKE packet 77.114.186.12:4500 -> 89.171.80.182:4500 ( 108 bytes )
11/10/05 08:25:38 ii : phase1 removal before expire time
11/10/05 08:25:38 DB : phase1 deleted ( obj count = 0 )
11/10/05 08:25:38 DB : policy not found
11/10/05 08:25:38 DB : policy not found
11/10/05 08:25:38 DB : tunnel stats event canceled ( ref count = 1 )
11/10/05 08:25:38 DB : removing tunnel config references
11/10/05 08:25:38 DB : removing tunnel phase2 references
11/10/05 08:25:38 DB : removing tunnel phase1 references
11/10/05 08:25:38 DB : tunnel deleted ( obj count = 0 )
11/10/05 08:25:38 DB : removing all peer tunnel refrences
11/10/05 08:25:38 DB : peer deleted ( obj count = 0 )
11/10/05 08:25:38 ii : ipc client process thread exit ...

______________________________


-----Original Message-----
From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
Sent: Wednesday, October 05, 2011 4:16 AM
To: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] R: Shrew and RSA authentication with Cisco devices

On 10/03/2011 03:01 AM, Trzewiczek Łukasz wrote:
> Hi,
>
> I have encountered the same problem with Mutual RSA +
> XAUTH authentication. My client version is 2.1.7 and I use it
> with ASA 5505 (soft ver.6.2) with mutual PSK authentication.
> Cisco ASA is configured the same as in this tutorial:
>
> http://www.cisco.com/en/US/products/ps6120/
> products_configuration_example09186a0080930f21.shtml
>
> I also have Microsoft's CA. It works perfectly with Cisco VPN
> Client but doesn't with Shrew. Has any of you used such dual
> authentication with success? I have tried probably every option
> in access manager and I don't know if there's any bug in access
> manager or my configuration is wrong.
>
> Logs from ASA are as follows:
>
> Sep 29 09:06:22 hutmenasa %ASA-6-302015: Built inbound UDP
> connection 250884 for outside:95.41.84.136/4500 (95.41.84.136/4500)
> to identity:172.18.1.16/4500 (172.18.1.16/4500)
>
> Sep 29 09:06:22 hutmenasa %ASA-6-713172: Group = Uzytkownicy,
> IP = 95.41.84.136, Automatic NAT Detection Status:     Remote end
> is NOT behind a NAT device  This end   IS   behind a NAT device
>
> Sep 29 09:06:22 hutmenasa %ASA-6-717022: Certificate was
> successfully validated. serial number: 626A0CC20004000000AD,
> subject name:  ea=lukasz.trzewiczek at hutmen.pl,
> cn=<C5>\201ukasz Trzewiczek,ou=FI,ou=DG,ou=Hutmen,ou=Uzytkownicy,
> dc=hutmen,dc=pl.
>
> Sep 29 09:06:22 hutmenasa %ASA-6-717028: Certificate chain was
> successfully validated with warning, revocation status was not
> checked.
>
> Sep 29 09:06:22 hutmenasa %ASA-5-713050: Group = Uzytkownicy,
> IP = 95.41.84.136, Connection terminated for peer .  Reason: Peer
> Terminate  Remote Proxy N/A, Local Proxy N/A
>
...

> Any help will be appreciated.
>

Hi Lukas,

To me it looks like Shrew has terminated the connection, based on the 
ASA reporting "Peer Terminate".

Can you produce a Shrew log using these instructions to see if it helps us:
http://www.shrew.net/support/wiki/BugReportVpnWindows
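
The `unable to get issuer certificate(2) at depth:1` line in the Shrew log above matches OpenSSL's X.509 verification error 2 (`X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT`): the certificate at depth 1 is in the trust store, but its own issuer is not. The script below is an added example, not part of the original thread; it builds a constructed three-tier PKI and runs `openssl verify` against three different trust bundles. It assumes an `openssl` binary on the PATH, and every certificate name in it is a placeholder, not one of the poster's CAs.

```shell
#!/usr/bin/env bash
# Added example: constructed three-tier PKI; every name here is a placeholder.
set -eu

issue() {  # $1 = name, $2 = CN, $3 = issuer name, $4 = extra x509 options
  openssl req -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  # $4 is unquoted on purpose so it splits into separate options.
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 2 $4 -out "$1.pem" 2>/dev/null
}

build_pki() {  # $1 = empty working directory
  cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root, then an intermediate CA, then an end-entity certificate.
  openssl req -config pki.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj '/CN=Example Root CA' -keyout root.key -out root.pem 2>/dev/null
  issue inter 'Example Users CA' root '-extfile pki.cnf -extensions v3_ca'
  issue leaf 'example-gateway' inter ''
  cat root.pem inter.pem > chain.pem
}

# Print the first "error N at D depth lookup" from openssl verify, or OK.
verify_with() {  # $1 = PEM bundle of trusted CA certificates
  out=$(openssl verify -CAfile "$1" leaf.pem 2>&1 || true)
  printf '%s\n' "$out" | grep -o -e 'error [0-9]* at [0-9]* depth lookup' -e 'OK$' | head -n 1
}

build_pki "$(mktemp -d)"
echo "trust intermediate only  : $(verify_with inter.pem)"   # issuer of depth 1 missing
echo "trust root only          : $(verify_with root.pem)"    # leaf's issuer unknown
echo "trust root + intermediate: $(verify_with chain.pem)"   # full chain
```

The first case reproduces the same error code and depth as the log. Error 20 at depth 0, by contrast, means no issuer for the end-entity certificate itself was found.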



