[vpn-help] R: Shrew and RSA authentication with Cisco devices

Kevin VPN kvpn at live.com
Thu Oct 6 20:52:04 CDT 2011


On 10/05/2011 03:38 AM, Trzewiczek Łukasz wrote:
> Thank you for your reply. I attach Shrew IKE logs below. It looks like there's some problem with validating the remote (vpn gateway) certificate? I don't know why, and what can be the cause. I have to admit that knowledge about PKI is not my advantage. Maybe I import the wrong certificate to the client? I have 3 Certificate Authorities: Root CA, Servers CA and Users CA in my company.
>
...
> 11/10/05 08:25:37<A : remote cert 'C:\Users\itl1\Documents\Certyfikaty\RootCA\hutmenCA.pem' message
> 11/10/05 08:25:37 ii : 'C:\Users\itl1\Documents\Certyfikaty\RootCA\hutmenCA.pem' loaded
> 11/10/05 08:25:37<A : local cert 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_public.crt' message
> 11/10/05 08:25:37 ii : 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_public.crt' loaded
> 11/10/05 08:25:37<A : local key 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_private.crt' message
> 11/10/05 08:25:37 ii : 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_private.crt' loaded
...
> 11/10/05 08:25:38 ii : added hutmen_users_CA.crt to x509 store
> 11/10/05 08:25:38 ii : unable to get issuer certificate(2) at depth:1
> 11/10/05 08:25:38 ii : subject :/DC=pl/DC=hutmen/CN=Hutmen S.A. Uzytkownicy
> 11/10/05 08:25:38 !! : unable to verify remote peer certificate
>
>
> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
> Sent: Wednesday, October 05, 2011 4:16 AM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] R: Shrew and RSA authentication with Cisco devices
>
> On 10/03/2011 03:01 AM, Trzewiczek Łukasz wrote:
>> Hi,
>>
>> I have encountered the same problem with Mutual RSA +
>> XAUTH authentication. My client version is 2.1.7 and I use it
>> with ASA 5505 (soft ver.6.2) with mutual PSK authentication.
>> Cisco ASA is configured the same as in this tutorial:
>>
>> http://www.cisco.com/en/US/products/ps6120/
>> products_configuration_example09186a0080930f21.shtml
>>
>> I also have Microsoft's CA. It works perfectly with Cisco VPN
>> Client but doesn't with Shrew. Have any of you used such dual
>> authentication with success? I have tried probably every option
>> in access manager and I don't know if there's any bug in access
>> manager or my configuration is wrong.
>>
>> Logs from ASA are as following:
>>
>> Sep 29 09:06:22 hutmenasa %ASA-6-302015: Built inbound UDP
>> connection 250884 for outside:95.41.84.136/4500 (95.41.84.136/4500)
>> to identity:172.18.1.16/4500 (172.18.1.16/4500)
>>
>> Sep 29 09:06:22 hutmenasa %ASA-6-713172: Group = Uzytkownicy,
>> IP = 95.41.84.136, Automatic NAT Detection Status:     Remote end
>> is NOT behind a NAT device  This end   IS   behind a NAT device
>>
>> Sep 29 09:06:22 hutmenasa %ASA-6-717022: Certificate was
>> successfully validated. serial number: 626A0CC20004000000AD,
>> subject name:  ea=lukasz.trzewiczek at hutmen.pl,
>> cn=<C5>\201ukasz Trzewiczek,ou=FI,ou=DG,ou=Hutmen,ou=Uzytkownicy,
>> dc=hutmen,dc=pl.
>>
>> Sep 29 09:06:22 hutmenasa %ASA-6-717028: Certificate chain was
>> successfully validated with warning, revocation status was not
>> checked.
>>
>> Sep 29 09:06:22 hutmenasa %ASA-5-713050: Group = Uzytkownicy,
>> IP = 95.41.84.136, Connection terminated for peer .  Reason: Peer
>> Terminate  Remote Proxy N/A, Local Proxy N/A
>>
> ...
>
>> Any help will be appreciated.
>>
>
> Hi Lukas,
>
> To me it looks like Shrew has terminated the connection, based on the
> ASA reporting "Peer Terminate".
>
> Can you produce a Shrew log using these instructions to see if it helps us:
> http://www.shrew.net/support/wiki/BugReportVpnWindows

Hi Lukas,

I'm not an expert in PKI either, so I'm just guessing too, but you may 
be right.  I notice in the iked.log file that there are two certificates 
with "CA" in the name:

hutmenCA.pem (loaded in Shrew)
hutmen_users_CA.crt (received from ASA gateway)

The first thing to check is whether hutmenCA.pem is the signer certificate 
for hutmen_users_CA.crt.  To me, I would think that if the certificate is 
for a CA, it may actually be self-signed, but I'm not sure on your 
naming scheme.

If hutmen_users_CA.crt is self-signed, you could try loading 
hutmen_users_CA.crt as the Server Certificate Authority file in Shrew.
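
The two checks suggested above (is hutmenCA.pem the signer of
hutmen_users_CA.crt, and is hutmen_users_CA.crt self-signed?) can be
done on any machine with the openssl command line. The script below is
an added example for this thread; it is not from the original posts or
from the Shrew project. It builds a throwaway PKI with made-up names
(Demo Root CA, Demo Users CA, Demo Servers CA, Demo User; file names
root.pem, users.pem, servers.pem, user.pem are assumptions), then shows
the signer test, the self-signed test, and how loading an unrelated CA
file as the trust anchor reproduces the "unable to get issuer
certificate" error at depth 1 seen in the iked.log.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway three-tier PKI
# (root CA -> users CA -> user cert, names made up) and run the checks
# from the reply above with the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create the demo certificates in $WORK (all names are constructed).
make_demo_pki() {
  ext="$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$ext"

  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -subj "/CN=Demo Root CA" 2>/dev/null
  # Users CA (intermediate) signed by the root
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/users.key" \
    -out "$WORK/users.csr" -subj "/CN=Demo Users CA" 2>/dev/null
  openssl x509 -req -in "$WORK/users.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$ext" \
    -out "$WORK/users.pem" 2>/dev/null
  # User (peer) certificate signed by the users CA
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/user.key" \
    -out "$WORK/user.csr" -subj "/CN=Demo User" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/users.pem" \
    -CAkey "$WORK/users.key" -CAcreateserial -out "$WORK/user.pem" 2>/dev/null
  # An unrelated self-signed CA, standing in for "loaded the wrong CA file"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/servers.key" \
    -out "$WORK/servers.pem" -subj "/CN=Demo Servers CA" 2>/dev/null
}

# True if $1 is self-signed: subject DN equals issuer DN and it verifies itself.
is_self_signed() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$1")" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True if $1 is the direct signer of $2: issuer DN of $2 matches the subject
# DN of $1 and the signature checks when $1 is used as anchor (-partial_chain).
is_signer_of() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$2")" ] &&
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verify a peer certificate ($3) like a VPN client: $1 is the loaded CA
# file (trust store), $2 the intermediate CA sent by the peer. Prints
# openssl's own diagnostic, returns non-zero on failure.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

make_demo_pki
echo "root CA self-signed:      $(is_self_signed "$WORK/root.pem" && echo yes || echo no)"
echo "users CA self-signed:     $(is_self_signed "$WORK/users.pem" && echo yes || echo no)"
echo "root CA signs users CA:   $(is_signer_of "$WORK/root.pem" "$WORK/users.pem" && echo yes || echo no)"
echo "--- wrong CA file loaded (the depth-1 'unable to get issuer certificate' case):"
verify_leaf "$WORK/servers.pem" "$WORK/users.pem" "$WORK/user.pem" || true
echo "--- correct root CA loaded:"
verify_leaf "$WORK/root.pem" "$WORK/users.pem" "$WORK/user.pem"
```

To apply this to the real files, replace the demo paths with
hutmenCA.pem (candidate trust anchor) and hutmen_users_CA.crt
(intermediate from the ASA): if is_signer_of says no, the loaded CA is
not the one that issued the users CA, which is exactly what error 2 at
depth 1 reports.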


