<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-2">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML - wstępnie sformatowany Znak";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.Stylwiadomocie-mail17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTML-wstpniesformatowanyZnak
{mso-style-name:"HTML - wstępnie sformatowany Znak";
mso-style-priority:99;
mso-style-link:"HTML - wstępnie sformatowany";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=PL link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span lang=EN-US>Hi, <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>I have encountered the same problem with
mutual RSA + XAUTH authentication. My client version is 2.1.7 and I use it with
an ASA 5505 (soft ver. 6.2) with mutual PSK authentication. The Cisco ASA is
configured the same as in this tutorial: <o:p></o:p></span></p>
<p class=MsoNormal><a
href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml"><span
lang=EN-US>http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml</span></a><o:p></o:p></p>
<p class=MsoNormal><span lang=EN-US>I also have a Microsoft CA. It works
perfectly with the Cisco VPN Client but doesn't with Shrew. Have any of you used
such dual authentication with success? I have tried probably every option in Access
Manager and I don't know if there's a bug in Access Manager or my
configuration is wrong.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Logs from the ASA are as follows:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 29 09:06:22 hutmenasa %ASA-6-302015:
Built inbound UDP connection 250884 for outside:95.41.84.136/4500
(95.41.84.136/4500) to identity:172.18.1.16/4500 (172.18.1.16/4500)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 29 09:06:22 hutmenasa %ASA-6-713172:
Group = Uzytkownicy, IP = 95.41.84.136, Automatic NAT Detection Status:
Remote end is NOT behind a NAT device This end IS behind a NAT device<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 29 09:06:22 hutmenasa %ASA-6-717022:
Certificate was successfully validated. serial number: 626A0CC20004000000AD,
subject name: ea=lukasz.trzewiczek@hutmen.pl,cn=Łukasz
Trzewiczek,ou=FI,ou=DG,ou=Hutmen,ou=Uzytkownicy,dc=hutmen,dc=pl.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 29 09:06:22 hutmenasa %ASA-6-717028:
Certificate chain was successfully validated with warning, revocation status
was not checked.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 29 09:06:22 hutmenasa %ASA-5-713050:
Group = Uzytkownicy, IP = 95.41.84.136, Connection terminated for peer .
Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 29 09:06:22 hutmenasa %ASA-3-713902:
Group = Uzytkownicy, IP = 95.41.84.136, Removing peer from peer table failed,
no match!<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 29 09:06:22 hutmenasa %ASA-4-713903:
Group = Uzytkownicy, IP = 95.41.84.136, Error: Unable to remove PeerTblEntry<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 29 09:06:22 hutmenasa %ASA-4-113019:
Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: ,
Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Any help will be appreciated.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Regards<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Lukas<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>On 3/17/2010 7:19 AM, Stefano Lassi wrote:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> Hi<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> I'm using, with very good success, Shrew
VPN Client in order to connect<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> Cisco VPN gateways (IOS, ASA/PIX,
VPN3000), using PSK authentication.<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> Now, I'm trying to connect to the same Cisco
VPN gateways using Hybrid (RSA +<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> XAuth) authentication, without success.<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> The main problem I got is that the Cisco VPN server
seems not to recognize the VPN Group<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> (profile), normally specified using the
certificate OU field.<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> I tested a few different client
authentication "Identification Type"<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> options (ASN.1, Key Identifier, etc.)
without success: the Cisco gateways<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> report that no "group association"
was present in the client request.<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> Does somebody have some hints on how to configure
Shrew VPN Client to<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> correctly propose the right OU field
&lt;-&gt; VPN profile association to Cisco<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> VPN gateways (the correct OU mapping is
already correctly in place on the VPN<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> servers, because they are working fine
with RSA authentication against<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> Cisco VPN Clients ...).<o:p></o:p></i></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> Thank you very much and see you soon<o:p></o:p></i></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><i> Stefano<o:p></o:p></i></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";
color:black;background:white'>><o:p> </o:p></span></p>
<p class=MsoNormal><o:p> </o:p></p>
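<p class=MsoNormal><span lang=EN-US>Added example, not part of this e-mail thread or of the Shrew Soft or Cisco software: a small Python correlator that reads ASA syslog lines like the excerpt above and flags, per peer, a certificate that was accepted although its revocation status was not checked (message 717028) and a peer that terminated the tunnel right after certificate validation (717022 followed by 713050). The sample log, addresses, group name, serial and subject are constructed; the message IDs and texts are the ones visible in the excerpt.<o:p></o:p></span></p>

```python
import re
# ASA syslog IDs from the excerpt above; each becomes a per-peer flag
CERT_VALIDATED, CHAIN_WARNING, PEER_TERMINATED = "717022", "717028", "713050"
MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):\s*(?P<body>.*)$")
PEER_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def parse_line(line):
    """Return (message_id, peer_ip_or_None, body), or None for non-ASA lines."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    peer = PEER_RE.search(m["body"])
    return m["id"], (peer["ip"] if peer else None), m["body"]

def analyse(lines):
    """Map peer IP -> flags; 7170xx certificate messages lack 'IP =', so they are
    attributed to the last peer IP seen in a 'Group = ..., IP = ...' line."""
    sessions, current_ip = {}, None
    for msg_id, ip, body in filter(None, map(parse_line, lines)):
        if ip and ip != "0.0.0.0":   # 113019 reports IP = 0.0.0.0 for an unknown session
            current_ip = ip
        if current_ip is None:
            continue
        flags = sessions.setdefault(current_ip, set())
        if msg_id == CERT_VALIDATED:
            flags.add("cert_validated")
        elif msg_id == CHAIN_WARNING and "revocation status was not checked" in body:
            flags.add("revocation_unchecked")
        elif msg_id == PEER_TERMINATED and "Peer Terminate" in body:
            flags.add("peer_terminated")
    return sessions

def findings(sessions):
    out = []   # (peer_ip, reason) pairs a defender should look at
    for ip, flags in sessions.items():
        if {"cert_validated", "revocation_unchecked"} <= flags:
            out.append((ip, "certificate accepted without a revocation check"))
        if {"cert_validated", "peer_terminated"} <= flags:
            out.append((ip, "peer terminated right after certificate validation"))
    return out

# Constructed sample modelled on the excerpt above (RFC 5737 addresses, made-up serial/subject)
SAMPLE_LOG = """\
Sep 29 09:06:22 asa1 %ASA-6-713172: Group = EXAMPLE-GROUP, IP = 203.0.113.5, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end IS behind a NAT device
Sep 29 09:06:22 asa1 %ASA-6-717022: Certificate was successfully validated. serial number: 0123456789ABCDEF, subject name: cn=Example User,ou=Users,dc=example,dc=com.
Sep 29 09:06:22 asa1 %ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Sep 29 09:06:22 asa1 %ASA-5-713050: Group = EXAMPLE-GROUP, IP = 203.0.113.5, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Sep 29 09:06:22 asa1 %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
"""
```

Running `findings(analyse(SAMPLE_LOG.splitlines()))` yields both findings for 203.0.113.5; the 717028 one is the policy point worth fixing on the ASA (enable CRL or OCSP checking for the trustpoint) independently of the Shrew client problem.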
</div>
</body>
</html>