[vpn-help] [Cisco] Cannot connect more than 4/5 Shrew VPN clients

Renaud Motuelle renaud.motuelle at nttdata.com
Wed Apr 12 01:58:11 CDT 2017


Dear helpers,

I have set up Shrew VPN to get around an issue with the Cisco VPN client that was removing access to our local LAN as soon as we were connected to the remote gateway (Cisco ASE). I do not have access to the Cisco gateway setup.

With Shrew VPN, I can get around this thanks to the policy settings, and it works very well for up to 4 (or sometimes 5) connections... I need 7 active connections (7 developers accessing this VPN simultaneously)...

There seems to be a limit on the number of available connections set up in the gateway for VPN clients when using Shrew VPN (no limitation when using the Cisco VPN Client: the 7 developers can connect through the Cisco VPN client simultaneously). Would you have any advice to help us solve this limitation, or to indicate to the customer the potential configuration changes required on their gateway settings or even on the Shrew VPN client settings?

When facing this limitation, symptoms are the following:

On Shrew VPN, the connect tab hangs at "bringing up tunnel ..."
config loaded for site 'config.vpn'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
and stops after a few seconds:
gateway is not responding
tunnel disabled
detached from key daemon


IKE log at info level (VPN IP address replaced by x.x.x.x):
17/04/12 14:36:10 ## : IKE Daemon, ver 2.2.2
17/04/12 14:36:10 ## : Copyright 2013 Shrew Soft Inc.
17/04/12 14:36:10 ## : This product linked OpenSSL 1.0.1c 10 May 2012
17/04/12 14:36:10 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
17/04/12 14:36:10 ii : rebuilding vnet device list ...
17/04/12 14:36:10 ii : device ROOT\VNET\0000 disabled
17/04/12 14:36:10 ii : network process thread begin ...
17/04/12 14:36:10 ii : pfkey process thread begin ...
17/04/12 14:36:10 ii : ipc server process thread begin ...
17/04/12 14:37:09 ii : ipc client process thread begin ...
17/04/12 14:37:09 <A : peer config add message
17/04/12 14:37:09 <A : proposal config message
17/04/12 14:37:09 <A : proposal config message
17/04/12 14:37:09 <A : client config message
17/04/12 14:37:09 <A : xauth username message
17/04/12 14:37:09 <A : xauth password message
17/04/12 14:37:09 <A : local id 'VPN-USERS' message
17/04/12 14:37:09 <A : preshared key message
17/04/12 14:37:09 <A : remote resource message
17/04/12 14:37:09 <A : remote resource message
17/04/12 14:37:09 <A : remote resource message
17/04/12 14:37:09 <A : remote resource message
17/04/12 14:37:09 <A : peer tunnel enable message
17/04/12 14:37:09 ii : local supports XAUTH
17/04/12 14:37:09 ii : local supports nat-t ( draft v00 )
17/04/12 14:37:09 ii : local supports nat-t ( draft v01 )
17/04/12 14:37:09 ii : local supports nat-t ( draft v02 )
17/04/12 14:37:09 ii : local supports nat-t ( draft v03 )
17/04/12 14:37:09 ii : local supports nat-t ( rfc )
17/04/12 14:37:09 ii : local supports FRAGMENTATION
17/04/12 14:37:09 ii : local supports DPDv1
17/04/12 14:37:09 ii : local is SHREW SOFT compatible
17/04/12 14:37:09 ii : local is NETSCREEN compatible
17/04/12 14:37:09 ii : local is SIDEWINDER compatible
17/04/12 14:37:09 ii : local is CISCO UNITY compatible
17/04/12 14:37:09 >= : cookies 5bbbf81f4742ea5c:0000000000000000
17/04/12 14:37:09 >= : message 00000000
17/04/12 14:37:09 ii : processing phase1 packet ( 460 bytes )
17/04/12 14:37:09 =< : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:09 =< : message 00000000
17/04/12 14:37:09 ii : matched isakmp proposal #1 transform #14
17/04/12 14:37:09 ii : - transform    = ike
17/04/12 14:37:09 ii : - cipher type  = 3des
17/04/12 14:37:09 ii : - key length   = default
17/04/12 14:37:09 ii : - hash type    = sha1
17/04/12 14:37:09 ii : - dh group     = group2 ( modp-1024 )
17/04/12 14:37:09 ii : - auth type    = xauth-initiator-psk
17/04/12 14:37:09 ii : - life seconds = 86400
17/04/12 14:37:09 ii : - life kbytes  = 0
17/04/12 14:37:09 ii : phase1 id match ( natt prevents ip match )
17/04/12 14:37:09 ii : received = ipv4-host x.x.x.x
17/04/12 14:37:09 ii : peer is CISCO UNITY compatible
17/04/12 14:37:09 ii : peer supports XAUTH
17/04/12 14:37:09 ii : peer supports DPDv1
17/04/12 14:37:09 ii : peer supports nat-t ( draft v02 )
17/04/12 14:37:09 ii : nat discovery - local address is translated
17/04/12 14:37:09 ii : switching to src nat-t udp port 4500
17/04/12 14:37:09 ii : switching to dst nat-t udp port 4500
17/04/12 14:37:09 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:09 >= : message 00000000
17/04/12 14:37:09 ii : phase1 sa established
17/04/12 14:37:09 ii : x.x.x.x:4500 <-> 10.10.110.93:4500
17/04/12 14:37:09 ii : 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:09 ii : sending peer INITIAL-CONTACT notification
17/04/12 14:37:09 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
17/04/12 14:37:09 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:09 ii : - data size 0
17/04/12 14:37:09 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:09 >= : message d023e6f8
17/04/12 14:37:24 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:24 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
17/04/12 14:37:24 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:24 ii : - data size 4
17/04/12 14:37:24 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:24 >= : message c034539d
17/04/12 14:37:39 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:39 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
17/04/12 14:37:39 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:39 ii : - data size 4
17/04/12 14:37:39 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:39 >= : message 6b4feee0
17/04/12 14:37:43 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:43 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
17/04/12 14:37:43 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:43 ii : - data size 4
17/04/12 14:37:43 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:43 >= : message d9c3ccc0
17/04/12 14:37:46 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:46 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
17/04/12 14:37:46 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:46 ii : - data size 4
17/04/12 14:37:46 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:46 >= : message d77f036f
17/04/12 14:37:48 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:48 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
17/04/12 14:37:48 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:48 ii : - data size 4
17/04/12 14:37:48 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:48 >= : message 12e879e9
17/04/12 14:37:49 !! : tunnel DPD timeout for peer x.x.x.x:4500
17/04/12 14:37:49 DB : removing tunnel config references
17/04/12 14:37:49 DB : removing tunnel phase2 references
17/04/12 14:37:49 DB : removing tunnel phase1 references
17/04/12 14:37:49 ii : sending peer DELETE message
17/04/12 14:37:49 ii : - 10.10.110.93:4500 -> x.x.x.x:4500
17/04/12 14:37:49 ii : - isakmp spi = 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:49 ii : - data size 0
17/04/12 14:37:49 >= : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:49 >= : message 20bf4ec9
17/04/12 14:37:49 ii : phase1 removal before expire time
17/04/12 14:37:49 DB : removing all peer tunnel references
17/04/12 14:37:50 ii : ipc client process thread exit ...

Thanks in advance for your support.

Renaud Motuelle
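As an added example (not part of the original post or of Shrew Soft's code), a small Python checker that reads iked.log lines like the ones above and flags the pattern shown there: phase 1 completes, the gateway then sends nothing more, and the DPD probes go unanswered until the DPD timeout, with no phase 2 ever negotiated. It assumes that the ">=" tag marks an outbound packet and "=<" an inbound one, and uses lines abridged from the log above as sample input.

```python
import re
from datetime import datetime

# Shrew Soft iked.log format: "YY/MM/DD HH:MM:SS <tag> : <message>".
# Assumption (from the log above): ">=" tags an outbound packet, "=<" an inbound one.
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S{2}) : (.*)$")

def analyse_iked_log(text):
    """Summarise one connection attempt; returns a dict of findings plus a verdict."""
    r = {"phase1_at": None, "phase2_at": None, "dpd_probes": 0,
         "inbound_after_phase1": 0, "timeout_at": None}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a log line (blank, banner, etc.)
        ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
        tag, msg = m.group(2), m.group(3)
        if msg.startswith("phase1 sa established"):
            r["phase1_at"] = ts
        elif msg.startswith("phase2 sa established"):
            r["phase2_at"] = ts
        elif msg.startswith("sending peer DPDV1-R-U-THERE notification"):
            r["dpd_probes"] += 1
        elif tag == "=<" and r["phase1_at"] is not None:
            r["inbound_after_phase1"] += 1  # any packet from the gateway after phase 1
        elif tag == "!!" and "DPD timeout" in msg:
            r["timeout_at"] = ts
    if r["phase2_at"]:
        r["verdict"] = "tunnel established"
    elif r["phase1_at"] and r["timeout_at"] and r["inbound_after_phase1"] == 0:
        secs = int((r["timeout_at"] - r["phase1_at"]).total_seconds())
        r["verdict"] = (f"gateway silent after phase 1: {r['dpd_probes']} DPD probes "
                        f"unanswered, DPD timeout after {secs}s, no phase 2")
    else:
        r["verdict"] = "no clear pattern"
    return r

# Sample input abridged from the log in the post above (VPN address masked as x.x.x.x).
SAMPLE_LOG = """\
17/04/12 14:37:09 >= : cookies 5bbbf81f4742ea5c:0000000000000000
17/04/12 14:37:09 =< : cookies 5bbbf81f4742ea5c:2f6c7cefadf5442c
17/04/12 14:37:09 ii : phase1 sa established
17/04/12 14:37:09 ii : sending peer INITIAL-CONTACT notification
17/04/12 14:37:24 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:39 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:43 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:46 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:48 ii : sending peer DPDV1-R-U-THERE notification
17/04/12 14:37:49 !! : tunnel DPD timeout for peer x.x.x.x:4500
"""
```

Running `analyse_iked_log` over the full log from each client that fails lets you compare the failing attempts with the ones that succeed (which should reach "phase2 sa established"), and hand the gateway administrator a concrete timeline rather than just "bringing up tunnel ... hangs".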
