[vpn-help] Cisco VPN

Goncalo Oliveira goncalo at minkan.net
Fri Aug 2 10:06:23 CDT 2013


Some update on this...

I finally managed to put this to work. I made the following changes.

Client
NAT Traversal: force-rfc   (this one was already set)

Phase 1
Exchange Type: aggressive
DH Exchange: group 2

Phase 2
Transform Algorithm: esp-aes
Transform Key Length: 128
HMAC Algorithm: md5
PFS Exchange: group 2
Compress Algorithm: disabled

So far it's handling well, with no drops. I'm very happy with Shrew client
as it's not as invasive as Cisco VPN client.

:)



On 31 July 2013 13:53, Goncalo Oliveira <goncalo at minkan.net> wrote:

> I'm trying to connect to a Cisco 3000 VPN Concentrator (if I'm not
> mistaken). I'm attaching the logs again.
>
> The lab gateway seems like a good idea.
>
> Cheers.
>
>
> On 30 July 2013 20:52, Jim Harle <vpn at technicolor.com> wrote:
>
>> The “latest” (still two years old) Cisco 64-bit client is 5.0.07.0440,
>> and can be downloaded from here
>> http://www.asc.edu/downloads/CiscoVPN/Windows/, not that it will change
>> anything, but it’s the version I was testing with under Windows 8 x64.  My
>> main complaint with the Cisco client, is it sets the MTU to 1300 on all of
>> your adapters, not just its own virtual one.  The Shrew client uses a 1380
>> MTU (by default) for only its virtual adapter.  Not that this has anything
>> to do with your problem.
>>
>> What type of device are you connecting through for Internet?  I don’t
>> think the iked.log came through on your original post – I’d like to see it.
>>
>> In about a week I’ll have a Cisco ASA gateway set up in a lab environment
>> – perhaps you could try connecting to it after it’s provisioned, just to
>> see if you experience the same symptoms with a different gateway.
>>
>> -Jim
>>
>> From: Goncalo Oliveira [mailto:goncalo at minkan.net]
>> Sent: Tuesday, July 30, 2013 7:26 AM
>> To: Harle Jim
>> Cc: vpn-help at lists.shrew.net
>> Subject: Re: [vpn-help] Cisco VPN
>>
>> Hi Jim,
>>
>> Thanks for replying. I have tried using both 32-bit and 64-bit, version
>> 5.0.07.0240. 64-bit is always dropping and sometimes it just stops working
>> - had to re-install. The 32-bit is a bit more stable but still it's not
>> very natural to Windows 8 and is unstable.
>>
>> I was hoping I could replace it with Shrew client, it looks very good and
>> the drivers hassle is cleaner. However, it's not going for phase 2. I
>> already tried using 'force-rfc' on NAT traversal.
>>
>> I do know that even Cisco client dropped the first time it tried to
>> connect; it would only work at the second attempt, don't know if that can
>> be helpful in any way.
>>
>> Any thoughts?
>>
>> On 29 July 2013 19:45, Jim Harle <vpn at technicolor.com> wrote:
>>
>> What problems are you having with the Cisco client, and which version is
>> it?  32-bit or 64-bit?
>>
>> Regarding the Shrew client, have you tried setting the NAT traversal to
>> ‘force-rfc’?
>>
>> From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net]
>> On Behalf Of Goncalo Oliveira
>> Sent: Monday, July 29, 2013 7:23 AM
>> To: vpn-help at lists.shrew.net
>> Subject: Re: [vpn-help] Cisco VPN
>>
>> Any ideas, anyone?
>>
>> On 23 July 2013 14:15, Goncalo Oliveira <goncalo at minkan.net> wrote:
>>
>> Hi there,
>>
>> We've been working with Cisco VPN Client 5.0 for some time, though, after
>> installing Windows 8 this is not a stable option. So, Shrew came to the
>> rescue. The login to the VPN is made through group authentication, so the
>> configurations are as follows
>>
>> General
>> Remote host
>> Host name or IP address: our provider vpn host name
>> Auto configuration: ike config pull
>> Local host
>> virtual adapter
>>
>> Client
>> Firewall
>> NAT Traversal: enable
>> IKE fragmentation: enable
>> Other options
>> Enable dead peer detection: unchecked
>>
>> Name resolution
>> DNS, automatically
>> WINS off
>>
>> Authentication
>> Method: Mutual PSK + XAuth
>> Local identity
>> Identification type: Key identifier
>> Key ID string: our group name identifier
>> Remote identity
>> Identification type: any (also tried IP address)
>> Credentials
>> Pre shared key: our group password
>>
>> Phase 1
>> Exchange type: aggressive
>> DH Exchange: group 2
>>
>> Phase 2
>> PFS Exchange: group 2 (also tried auto and disabled)
>>
>> Phase 1 seems to go well, but phase 2 not so well, keeps writing 'config
>> resend event schedule'.
>> I'm attaching the iked.log, as there might be something useful there.
>>
>> Can anyone help me out on this?
>>
>> Thanks.
>> Best regards
>>
>> --
>> Gonçalo Oliveira
>>
>
>
>
> --
> Gonçalo Oliveira
>



-- 
Gonçalo Oliveira
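The parameters the final message settles on (aggressive mode with a group PSK, 1024-bit DH group 2, MD5 integrity) are the ones a reviewer would want flagged before the profile is rolled out more widely. The Python below is an added example, not code from the thread or the Shrew project: it parses a profile in the same "Key: value" shape the poster used and reports settings that fall below an assumed baseline (the thresholds and the weak-algorithm list are assumptions, not Shrew or Cisco defaults).

```python
import re
# Constructed input: the Phase 1 / Phase 2 settings reported as working in the
# final message of the thread, plus the authentication method from the first.
WORKING_PROFILE = """
Authentication Method: Mutual PSK + XAuth
Exchange Type: aggressive
DH Exchange: group 2
Transform Algorithm: esp-aes
Transform Key Length: 128
HMAC Algorithm: md5
PFS Exchange: group 2
Compress Algorithm: disabled
"""

# MODP group number -> modulus size in bits (RFC 2409 and RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_DH_BITS = 2048              # assumed baseline, not a Shrew or Cisco default
WEAK_HMAC = {"md5", "sha1"}     # integrity algorithms to flag (assumed policy)

def parse_profile(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys and values."""
    profile = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            profile[key.strip().lower()] = value.strip().lower()
    return profile

def audit_profile(profile):
    """Return (setting, finding) pairs a reviewer should look at, in profile order."""
    findings = []
    psk = "psk" in profile.get("authentication method", "")
    if profile.get("exchange type") == "aggressive" and psk:
        findings.append(("exchange type",
                         "aggressive mode with PSK exposes the PSK-derived hash in cleartext"))
    for setting in ("dh exchange", "pfs exchange"):
        m = re.search(r"group\s+(\d+)", profile.get(setting, ""))
        bits = DH_GROUP_BITS.get(int(m.group(1))) if m else None
        if bits is not None and bits < MIN_DH_BITS:
            findings.append((setting, f"group {m.group(1)} is {bits}-bit MODP, below {MIN_DH_BITS}"))
    if profile.get("hmac algorithm") in WEAK_HMAC:
        findings.append(("hmac algorithm", f"{profile['hmac algorithm']} is deprecated for ESP integrity"))
    if profile.get("transform algorithm") == "esp-aes" and int(profile.get("transform key length", "0")) < 128:
        findings.append(("transform key length", "AES key shorter than 128 bits"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit_profile(parse_profile(WORKING_PROFILE)):
        print(f"{setting}: {finding}")
```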