I'm trying to connect to what I think is a Cisco gateway using Shrew 2.1.7. The Cisco client works fine, but local LAN traffic has been disabled by the sysadmin, which is a dealbreaker for me.

The Cisco GUI uses a .pcf file and .p12 certificate to connect. I used OpenSSL to extract the client and CA certs and client private key from the PKCS#12 file.

I get the following output in the connect dialogue when connecting:

config loaded for site 'xxxxxx'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...
-------------------------------------------------------------------------------------

The redacted .pcf file looks like this:

[main]
Description=VPN connexion
Host=xxx.xxx.xxx.xxx
AuthType=3
GroupName=
GroupPwd=
enc_GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=Mobile Connect
ISPPhonebook=C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=1
CertName=client
CertPath=
CertSubjectName=cn=client,ou=xxxxx,o=xxxxxxxxxxxxxxxxx,st=xxxxxxxxxxxx,c=xx
CertSerialHash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0

-------------------------------------------------------------------------------------
The trace output is as follows:

10/12/01 23:00:57 ## : IKE Daemon, ver 2.1.7
10/12/01 23:00:57 ## : Copyright 2010 Shrew Soft Inc.
10/12/01 23:00:57 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/12/01 23:00:57 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
10/12/01 23:00:57 ii : rebuilding vnet device list ...
10/12/01 23:00:57 ii : device ROOT\VNET\0000 disabled
10/12/01 23:00:57 ii : network process thread begin ...
10/12/01 23:00:57 ii : pfkey process thread begin ...
10/12/01 23:00:57 ii : ipc server process thread begin ...
10/12/01 23:01:12 ii : ipc client process thread begin ...
10/12/01 23:01:12 <A : peer config add message
10/12/01 23:01:12 DB : peer added ( obj count = 1 )
10/12/01 23:01:12 ii : local address 192.168.1.101 selected for peer
10/12/01 23:01:12 DB : tunnel added ( obj count = 1 )
10/12/01 23:01:12 <A : proposal config message
10/12/01 23:01:12 <A : proposal config message
10/12/01 23:01:12 <A : client config message
10/12/01 23:01:12 <A : xauth username message
10/12/01 23:01:12 <A : xauth password message
10/12/01 23:01:12 <A : remote cert 'C:\Documents and Settings\xxxx\Desktop\server.pem' message
10/12/01 23:01:12 ii : 'C:\Documents and Settings\xxxx\Desktop\server.pem' loaded
10/12/01 23:01:12 <A : local cert 'C:\Documents and Settings\xxxx\Desktop\clientcert.pem' message
10/12/01 23:01:12 ii : 'C:\Documents and Settings\xxxx\Desktop\clientcert.pem' loaded
10/12/01 23:01:12 <A : local key 'C:\Documents and Settings\xxxx\Desktop\clientkey.pem' message
10/12/01 23:01:12 ii : 'C:\Documents and Settings\xxxx\Desktop\clientkey.pem' loaded
10/12/01 23:01:12 <A : peer tunnel enable message
10/12/01 23:01:12 ii : obtained x509 cert subject ( 106 bytes )
10/12/01 23:01:12 DB : new phase1 ( ISAKMP initiator )
10/12/01 23:01:12 DB : exchange type is aggressive
10/12/01 23:01:12 DB : 192.168.1.101:500 <-> xxx.xxx.xxx.xxx:500
10/12/01 23:01:12 DB : 4bb4816e147a3ab7:0000000000000000
10/12/01 23:01:12 DB : phase1 added ( obj count = 1 )
10/12/01 23:01:12 >> : security association payload
10/12/01 23:01:12 >> : - proposal #1 payload
10/12/01 23:01:12 >> : -- transform #1 payload
10/12/01 23:01:12 >> : -- transform #2 payload
10/12/01 23:01:12 >> : -- transform #3 payload
10/12/01 23:01:12 >> : -- transform #4 payload
10/12/01 23:01:12 >> : -- transform #5 payload
10/12/01 23:01:12 >> : -- transform #6 payload
10/12/01 23:01:12 >> : -- transform #7 payload
10/12/01 23:01:12 >> : -- transform #8 payload
10/12/01 23:01:12 >> : -- transform #9 payload
10/12/01 23:01:12 >> : -- transform #10 payload
10/12/01 23:01:12 >> : -- transform #11 payload
10/12/01 23:01:12 >> : -- transform #12 payload
10/12/01 23:01:12 >> : -- transform #13 payload
10/12/01 23:01:12 >> : -- transform #14 payload
10/12/01 23:01:12 >> : -- transform #15 payload
10/12/01 23:01:12 >> : -- transform #16 payload
10/12/01 23:01:12 >> : -- transform #17 payload
10/12/01 23:01:12 >> : -- transform #18 payload
10/12/01 23:01:12 >> : key exchange payload
10/12/01 23:01:12 >> : nonce payload
10/12/01 23:01:12 >> : cert request payload
10/12/01 23:01:12 >> : identification payload
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports XAUTH
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v00 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v01 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v02 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v03 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( rfc )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports DPDv1
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is SHREW SOFT compatible
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is NETSCREEN compatible
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is SIDEWINDER compatible
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is CISCO UNITY compatible
10/12/01 23:01:12 >= : cookies 4bb4816e147a3ab7:0000000000000000
10/12/01 23:01:12 >= : message 00000000
10/12/01 23:01:12 -> : send IKE packet 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500 ( 1231 bytes )
10/12/01 23:01:12 DB : phase1 resend event scheduled ( ref count = 2 )
10/12/01 23:01:17 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:22 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:27 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:32 ii : resend limit exceeded for phase1 exchange
10/12/01 23:01:32 ii : phase1 removal before expire time
10/12/01 23:01:32 DB : phase1 deleted ( obj count = 0 )
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : tunnel stats event canceled ( ref count = 1 )
10/12/01 23:01:32 DB : removing tunnel config references
10/12/01 23:01:32 DB : removing tunnel phase2 references
10/12/01 23:01:32 DB : removing tunnel phase1 references
10/12/01 23:01:32 DB : tunnel deleted ( obj count = 0 )
10/12/01 23:01:32 DB : removing all peer tunnel refrences
10/12/01 23:01:32 DB : peer deleted ( obj count = 0 )
10/12/01 23:01:32 ii : ipc client process thread exit ...
Any help would be appreciated.
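Editor's added example, not part of the original post and not Shrew Soft code: the trace above shows the initiator sending one aggressive-mode phase 1 packet, retransmitting it three times and never logging a reply before the resend limit is hit, which is a different failure from a peer that answers and then rejects the proposal. The script below parses Shrew's `iked.log` line format to make that distinction mechanically and prints the checks that follow from it. `SAMPLE_TRACE` is constructed from the redacted lines in the post; the `<- : recv IKE packet` pattern for inbound traffic is an assumption about Shrew's logging, as is the advice that a gateway may limit aggressive mode to group pre-shared-key authentication, which is stated as something to verify against the gateway, not as fact about this site.

```python
"""Triage an IKEv1 phase 1 failure from a Shrew Soft iked.log trace.

Editor's example written for the post above; it is not Shrew Soft code.
SAMPLE_TRACE is constructed from the redacted trace lines in the post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Shrew log line: "YY/MM/DD HH:MM:SS <tag> : <message>". Tags seen in the post
# include ##, ii, DB, <A, >>, >= and -> (outbound); "<-" for inbound is assumed.
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} (\S+) : (.*)$")
PAIR_RE = re.compile(r"^(\S+:\d+) <-> (\S+:\d+)$")
RESEND_RE = re.compile(r"^resend (\d+) phase1 packet\(s\)")

# Constructed from the post's trace (peer address redacted there as xxx.xxx.xxx.xxx).
SAMPLE_TRACE = """\
10/12/01 23:01:12 DB : new phase1 ( ISAKMP initiator )
10/12/01 23:01:12 DB : exchange type is aggressive
10/12/01 23:01:12 DB : 192.168.1.101:500 <-> xxx.xxx.xxx.xxx:500
10/12/01 23:01:12 ii : local supports XAUTH
10/12/01 23:01:12 ii : local is CISCO UNITY compatible
10/12/01 23:01:12 -> : send IKE packet 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500 ( 1231 bytes )
10/12/01 23:01:17 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:22 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:27 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:32 ii : resend limit exceeded for phase1 exchange
10/12/01 23:01:32 ii : phase1 removal before expire time
"""


@dataclass
class Phase1Summary:
    exchange: str = "unknown"      # "aggressive" or "main"
    local: str = ""
    peer: str = ""
    sent: int = 0                  # initial phase 1 packets sent
    resent: int = 0                # phase 1 retransmissions
    received: int = 0              # IKE packets received from the peer
    resend_limit_exceeded: bool = False
    capabilities: list[str] = field(default_factory=list)


def parse_trace(text: str) -> Phase1Summary:
    """Walk the trace once and collect what matters for a phase 1 post-mortem."""
    s = Phase1Summary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tag, msg = m.group(1), m.group(2).strip()
        if tag == "DB":
            if msg.startswith("exchange type is "):
                s.exchange = msg[len("exchange type is "):]
            elif (pair := PAIR_RE.match(msg)):
                s.local, s.peer = pair.group(1), pair.group(2)
        elif tag == "->":
            if msg.startswith("send IKE packet"):
                s.sent += 1
            elif (rs := RESEND_RE.match(msg)):
                s.resent += int(rs.group(1))
        elif tag == "<-" and msg.startswith("recv IKE packet"):  # assumed inbound format
            s.received += 1
        elif tag == "ii":
            if msg == "resend limit exceeded for phase1 exchange":
                s.resend_limit_exceeded = True
            elif msg.startswith(("local supports ", "local is ")):
                s.capabilities.append(msg)
    return s


def diagnose(s: Phase1Summary) -> str:
    """'no-response': the peer never answered; 'rejected': it answered but the
    exchange still timed out; 'answered': phase 1 traffic flowed both ways."""
    if s.received == 0 and (s.resent > 0 or s.resend_limit_exceeded):
        return "no-response"
    if s.resend_limit_exceeded:
        return "rejected"
    return "answered"


def advice(s: Phase1Summary) -> str:
    """Turn the classification into the checks a practitioner would run next."""
    verdict = diagnose(s)
    if verdict == "no-response":
        return (f"No reply to the {s.exchange}-mode phase 1 proposal from {s.peer} "
                f"({s.sent} sent, {s.resent} retransmitted). A silent peer is not a "
                "proposal rejection: confirm UDP/500 (and UDP/4500 for NAT-T) reaches "
                f"{s.peer}, and confirm the gateway accepts {s.exchange} mode with "
                "certificate authentication rather than only with a group pre-shared key.")
    if verdict == "rejected":
        return (f"{s.peer} answered {s.received} time(s) but phase 1 still timed out: "
                "compare the transform proposals and identity/certificate settings "
                "against the gateway's policy.")
    return f"Phase 1 exchanged traffic in both directions with {s.peer}."


if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    print(diagnose(summary))
    print(advice(summary))
```

Run it against a real `iked.log` by reading the file into `parse_trace` instead of `SAMPLE_TRACE`; the useful signal is the `received` counter, since an exchange that times out with zero inbound packets points at reachability or a mode the gateway silently drops, while one with inbound packets points at the proposal or identity settings.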