<div dir="ltr">Some update on this...<div><br></div><div>I finally managed to put this to work. I made the following changes.</div><div><br></div><div>Client</div><div>NAT Traversal: force-rfc (this one was already set)</div>
<div><br></div><div>Phase 1</div><div>Exchange Type: aggressive</div><div>DH Exchange: group 2</div><div><br></div><div>Phase 2</div><div>Transform Algorithm: esp-aes</div><div>Transform Key Length: 128</div><div>HMAC Algorithm: md5</div>
<div>PFS Exchange: group 2</div><div>Compress Algorithm: disabled</div><div><br></div><div>So far it's handling well, with no drops. I'm very happy with Shrew client as it's not as invasive as Cisco VPN client.</div>
<div><br></div><div>:)</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 31 July 2013 13:53, Goncalo Oliveira <span dir="ltr"><<a href="mailto:goncalo@minkan.net" target="_blank">goncalo@minkan.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm trying to connect to a Cisco 3000 VPN Concentrator (if I'm not mistaken). I'm attaching the logs again.<div>
<br></div><div>The lab gateway seems like a good idea.<br><div><br></div><div>Cheers.</div>
</div></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On 30 July 2013 20:52, Jim Harle <span dir="ltr"><<a href="mailto:vpn@technicolor.com" target="_blank">vpn@technicolor.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The “latest” (still two years old) Cisco 64-bit client is 5.0.07.0440, and can be download from here <a href="http://www.asc.edu/downloads/CiscoVPN/Windows/" target="_blank">http://www.asc.edu/downloads/CiscoVPN/Windows/</a>, not that it will change anything, but it’s the version I was testing with under Windows 8 x64. My main complaint with the Cisco client, is it sets the MTU to 1300 on all of your adapters, not just its own virtual one. The Shrew client uses a 1380 MTU (by default) for only its virtual adapter. Not that this has anything to do with your problem.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What type of device are you connecting through for Internet? I don’t think the iked.log came through on your original post – I’d like to see it.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">In about a week I’ll have a Cisco ASA gateway set up in a lab environment – perhaps you could try connecting to it after it’s provisioned, just to see if you experience the same symptoms with a different gateway.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Jim<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Goncalo Oliveira [mailto:<a href="mailto:goncalo@minkan.net" target="_blank">goncalo@minkan.net</a>] <br>
<b>Sent:</b> Tuesday, July 30, 2013 7:26 AM<br><b>To:</b> Harle Jim<br><b>Cc:</b> <a href="mailto:vpn-help@lists.shrew.net" target="_blank">vpn-help@lists.shrew.net</a></span></p><div><div><br><b>Subject:</b> Re: [vpn-help] Cisco VPN<u></u><u></u></div>
</div><p></p><div><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Hi Jim,<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Thanks for replying. I have tried using both 32-bit and 64-bit, version 5.0.07.0240. 64-bit is always dropping and sometimes it just stops working - had to re-install. The 32-bit is a bit more stable but still it's not very natural to windows 8 and is unstable.<u></u><u></u></p>
</div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I was hoping I could replace it with Shrew client, it looks very good and the drivers hassle is cleaner. However, it's not going for phase 2. I already tried using 'force-rfc' on NAT traversal.<u></u><u></u></p>
</div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I do know that even Cisco client dropped the first time it tried to connect; it would only work at the second attempt, don't know if that can be helpful in anyway.<u></u><u></u></p>
</div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Any thoughts?<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div>
</div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p><div><p class="MsoNormal">On 29 July 2013 19:45, Jim Harle <<a href="mailto:vpn@technicolor.com" target="_blank">vpn@technicolor.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in"><div><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What problems are you having with the Cisco client, and which version is it? 32-bit or 64-bit?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regarding the Shrew client, have you tried setting the NAT traversal to ‘force-rfc’ ?</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <a href="mailto:vpn-help-bounces@lists.shrew.net" target="_blank">vpn-help-bounces@lists.shrew.net</a> [<a href="mailto:vpn-help-bounces@lists.shrew.net" target="_blank">mailto:vpn-help-bounces@lists.shrew.net</a>] <b>On Behalf Of </b>Goncalo Oliveira<br>
<b>Sent:</b> Monday, July 29, 2013 7:23 AM<br><b>To:</b> <a href="mailto:vpn-help@lists.shrew.net" target="_blank">vpn-help@lists.shrew.net</a><br><b>Subject:</b> Re: [vpn-help] Cisco VPN</span><u></u><u></u></p><p class="MsoNormal">
<u></u><u></u></p></div><div><p class="MsoNormal">Any ideas, anyone?<u></u><u></u></p></div><div><div><div><p class="MsoNormal" style="margin-bottom:12.0pt"> <u></u><u></u></p><div><p class="MsoNormal">On 23 July 2013 14:15, Goncalo Oliveira <<a href="mailto:goncalo@minkan.net" target="_blank">goncalo@minkan.net</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"><div><div><div><p class="MsoNormal">Hi there,<u></u><u></u></p>
<div><div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">We've been working with Cisco VPN Client 5.0 for some time, though, after installing windows 8 this is not a stable option. So, Shrew came to the rescue. The login to the VPN is made through group authentication, so the configurations are as follows<u></u><u></u></p>
</div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">General<u></u><u></u></p></div><div><p class="MsoNormal">Remote host<u></u><u></u></p></div><div><p class="MsoNormal">Host name or IP address: our provider vpn host name<u></u><u></u></p>
</div><div><p class="MsoNormal">Auto configuration: ike config pull<u></u><u></u></p></div><div><p class="MsoNormal">Local host<u></u><u></u></p></div><div><p class="MsoNormal">virtual adapter<u></u><u></u></p></div><div>
<p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Client<u></u><u></u></p></div><div><p class="MsoNormal">Firewall<u></u><u></u></p></div><div><p class="MsoNormal">NAT Traversal: enable<u></u><u></u></p>
</div><div><p class="MsoNormal">IKE fragmentation: enable<u></u><u></u></p></div><div><p class="MsoNormal">Other options<u></u><u></u></p></div><div><p class="MsoNormal">Enable dead peer detection: unchecked<u></u><u></u></p>
</div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Name resolution<u></u><u></u></p></div><div><p class="MsoNormal">DNS, automatically<u></u><u></u></p></div><div><p class="MsoNormal">WINS off<u></u><u></u></p>
</div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Authentication<u></u><u></u></p></div><div><p class="MsoNormal">Method: Mutual PSK + XAuth<u></u><u></u></p></div><div><p class="MsoNormal">
Local identity<u></u><u></u></p></div><div><p class="MsoNormal">Identification type: Key identifier<u></u><u></u></p></div><div><p class="MsoNormal">Key ID string: our group name identifier<u></u><u></u></p></div><div><p class="MsoNormal">
Remote identity<u></u><u></u></p></div><div><p class="MsoNormal">Identification type: any (also tried IP address)<u></u><u></u></p></div><div><p class="MsoNormal">Credentials<u></u><u></u></p></div><div><p class="MsoNormal">
Pre shared key: our group password<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Phase1<u></u><u></u></p></div><div><p class="MsoNormal">Exchange type: aggressive<u></u><u></u></p>
</div><div><p class="MsoNormal">DH Exchange: group 2<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Phase 2<u></u><u></u></p></div><div><p class="MsoNormal">PFS Exchange: group 2 (also tried auto and disabled)<u></u><u></u></p>
</div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Phase 1 seems to go well, but phase 2 not so well, keeps writing 'config resend event schedule'.<u></u><u></u></p>
</div><div><p class="MsoNormal">I'm attaching the iked.log, as there might be something useful there.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Can anyone help me out on this?<u></u><u></u></p>
</div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Thanks.<u></u><u></u></p></div><div><p class="MsoNormal">Best regards<span style="color:#888888"><br clear="all"></span><u></u><u></u></p>
<div><p class="MsoNormal"><span style="color:#888888"> </span><u></u><u></u></p></div></div></div></div><div><p class="MsoNormal"> <u></u><u></u></p></div><p class="MsoNormal">-- <br>Gonçalo Oliveira <u></u><u></u></p></div>
</div></div></blockquote></div><p class="MsoNormal"><br><br clear="all"><u></u><u></u></p><div><p class="MsoNormal"> <u></u><u></u></p></div><p class="MsoNormal">-- <br>Gonçalo Oliveira <u></u><u></u></p></div></div></div>
</div></div></blockquote></div><p class="MsoNormal"><br><br clear="all"><u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal">-- <br>Gonçalo Oliveira <u></u><u></u></p></div></div></div>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>Gonçalo Oliveira
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Gonçalo Oliveira
</div>