robclarke41
asked on
Shrew Soft VPN client Cisco ASA
Hi All,
We are currently using the Cisco VPN Client version 5.0.07.0410 with a Cisco ASA 5510. This has all bee working fine but now Cisco are no longer supporting it we want to change to the Open Source Shrew Soft client.
I have installed the Shrew Soft client on a laptop and imported a .pcf file which all worked fine. I then started the connection and entered my credentials. The connection failed and the following appeared in the ASA logs :Mismatch: Overriding phase 2 DH Group(DH group 0) with phase 1 group(DH group 2)
and
QM FSM error (P2 struct &0xadf5fa30, mess id 0xf5efa104)!
Does any one have any ideas what this is? I thought as it works with the Cisco VPN client all I would need to do was import the .pcf file and away?
Thanks for any help!
We are currently using the Cisco VPN Client version 5.0.07.0410 with a Cisco ASA 5510. This has all bee working fine but now Cisco are no longer supporting it we want to change to the Open Source Shrew Soft client.
I have installed the Shrew Soft client on a laptop and imported a .pcf file which all worked fine. I then started the connection and entered my credentials. The connection failed and the following appeared in the ASA logs :Mismatch: Overriding phase 2 DH Group(DH group 0) with phase 1 group(DH group 2)
and
QM FSM error (P2 struct &0xadf5fa30, mess id 0xf5efa104)!
Does any one have any ideas what this is? I thought as it works with the Cisco VPN client all I would need to do was import the .pcf file and away?
Thanks for any help!
ASKER
I did have a look in here but couldn't see what the problem could be, I thought the Shrew Soft client could do anything the Cisco VPN client could do?
Well, almost. Some types of encryption don't seem to work. If you're lucky (like I was once :) you just import the pcf file and it works..... But not always.
Could you post a (sanitized) config of the ASA so we can have a look?
Could you post a (sanitized) config of the ASA so we can have a look?
ASKER
Sure, here you go
hostname XXXciscoasa
domain-name adroot.xxx.co.uk
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 194.x.x.x 255.255.255.0 standby 194.x.x.x
!
interface Ethernet0/1
nameif LAN
security-level 50
ip address 192.168.1.252 255.255.255.0 standby 192.168.1.251
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0 standby 192.168.2.7
management-only
!
boot system disk0:/xxx.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup WAN
dns domain-lookup LAN
dns domain-lookup management
dns server-group DefaultDNS
domain-name adroot.xxx.co.uk
same-security-traffic permit intra-interface
object network obj-192.168.11.0
subnet 192.168.11.0 255.255.255.0
object network obj-192.168.1.128
subnet 192.168.1.128 255.255.255.224
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.1.206
host 192.168.1.206
object network obj-192.168.1.181
host 192.168.1.181
object network obj-192.168.1.196
host 192.168.1.196
object network obj-192.168.1.199
host 192.168.1.199
object network obj-192.168.1.252
host 192.168.1.252
object network obj-192.168.1.194
host 192.168.1.194
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.240
object network obj-192.168.1.152
subnet 192.168.1.152 255.255.255.248
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.213
host 192.168.1.213
object network obj-192.168.1.174
host 192.168.1.174
description Efes Web server
pager lines 25
logging enable
logging timestamp
logging list Email_Alerts level warnings
logging monitor debugging
logging asdm informational
logging mail Email_Alerts
logging from-address FirewallLogs@xxx.co.uk
logging recipient-address FirewallLogs@xxx.co.uk level errors
logging class auth mail warnings
logging class np mail warnings
logging class sys mail warnings
logging class vpdn mail warnings
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool XXX_VPN_POOL 192.168.11.1-192.168.11.25
ip verify reverse-path interface WAN
failover
failover lan unit primary
failover lan interface LANFailover Ethernet0/2
failover key *****
failover replication http
failover link StateFailover Ethernet0/3
failover interface ip LANFailover 192.168.250.1 255.255.255.0 standby 192.168.250.2
failover interface ip StateFailover 192.168.251.1 255.255.255.0 standby 192.168.251.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/xxx
asdm history enable
arp timeout 14400
nat (LAN,WAN) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (LAN,WAN) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (LAN,LAN) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (LAN,LAN) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (management,any) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (management,any) source static any any destination static obj-192.168.10.0 obj-192.168.10.0
nat (management,any) source static any any destination static obj-192.168.1.152 obj-192.168.1.152
!
object network obj-192.168.11.0
nat (WAN,WAN) dynamic interface
object network obj-192.168.1.206
nat (LAN,WAN) static 194.x.x.x
object network obj-192.168.1.181
nat (LAN,WAN) static 192.168.1.57
object network obj-192.168.1.196
nat (LAN,WAN) static 192.168.1.11
object network obj-192.168.1.199
nat (LAN,WAN) static 192.168.1.49
object network obj-192.168.1.252
nat (LAN,WAN) static 192.168.1.252 no-proxy-arp route-lookup
object network obj-192.168.1.194
nat (LAN,WAN) static 192.168.1.44
object network obj_any
nat (LAN,WAN) dynamic interface
object network obj_any-01
nat (LAN,WAN) dynamic obj-0.0.0.0
object network obj_any-02
nat (management,WAN) dynamic interface
object network obj_any-03
nat (management,WAN) dynamic obj-0.0.0.0
object network obj_any-04
nat (management,LAN) dynamic obj-0.0.0.0
object network obj-192.168.1.213
nat (LAN,WAN) static 192.168.1.58
object network obj-192.168.1.174
nat (LAN,WAN) static 192.168.1.48
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
route WAN 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
aaa-server XXX_Auth_Servers protocol radius
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.203
key *****
radius-common-pw *****
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.207
key *****
radius-common-pw *****
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.178
key *****
radius-common-pw *****
nac-policy DfltGrpPolicy-nac-framewor
reval-period 36000
sq-period 300
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server host LAN 192.168.1.211 community ***** version 2c
snmp-server location xxx
snmp-server contact XXX
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn1 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 10 set reverse-route
crypto map WAN_map 65535 ipsec-isakmp dynamic dyn1
crypto map WAN_map interface WAN
crypto ikev1 enable WAN
crypto ikev1 enable management
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.211 255.255.255.255 LAN
telnet timeout 5
ssh x.x.x.xxxx 255.255.255.255 WAN
ssh timeout 60
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
hostname XXXciscoasa
domain-name adroot.xxx.co.uk
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 194.x.x.x 255.255.255.0 standby 194.x.x.x
!
interface Ethernet0/1
nameif LAN
security-level 50
ip address 192.168.1.252 255.255.255.0 standby 192.168.1.251
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0 standby 192.168.2.7
management-only
!
boot system disk0:/xxx.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup WAN
dns domain-lookup LAN
dns domain-lookup management
dns server-group DefaultDNS
domain-name adroot.xxx.co.uk
same-security-traffic permit intra-interface
object network obj-192.168.11.0
subnet 192.168.11.0 255.255.255.0
object network obj-192.168.1.128
subnet 192.168.1.128 255.255.255.224
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.1.206
host 192.168.1.206
object network obj-192.168.1.181
host 192.168.1.181
object network obj-192.168.1.196
host 192.168.1.196
object network obj-192.168.1.199
host 192.168.1.199
object network obj-192.168.1.252
host 192.168.1.252
object network obj-192.168.1.194
host 192.168.1.194
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.240
object network obj-192.168.1.152
subnet 192.168.1.152 255.255.255.248
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.213
host 192.168.1.213
object network obj-192.168.1.174
host 192.168.1.174
description Efes Web server
pager lines 25
logging enable
logging timestamp
logging list Email_Alerts level warnings
logging monitor debugging
logging asdm informational
logging mail Email_Alerts
logging from-address FirewallLogs@xxx.co.uk
logging recipient-address FirewallLogs@xxx.co.uk level errors
logging class auth mail warnings
logging class np mail warnings
logging class sys mail warnings
logging class vpdn mail warnings
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool XXX_VPN_POOL 192.168.11.1-192.168.11.25
ip verify reverse-path interface WAN
failover
failover lan unit primary
failover lan interface LANFailover Ethernet0/2
failover key *****
failover replication http
failover link StateFailover Ethernet0/3
failover interface ip LANFailover 192.168.250.1 255.255.255.0 standby 192.168.250.2
failover interface ip StateFailover 192.168.251.1 255.255.255.0 standby 192.168.251.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/xxx
asdm history enable
arp timeout 14400
nat (LAN,WAN) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (LAN,WAN) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (LAN,LAN) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (LAN,LAN) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (management,any) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (management,any) source static any any destination static obj-192.168.10.0 obj-192.168.10.0
nat (management,any) source static any any destination static obj-192.168.1.152 obj-192.168.1.152
!
object network obj-192.168.11.0
nat (WAN,WAN) dynamic interface
object network obj-192.168.1.206
nat (LAN,WAN) static 194.x.x.x
object network obj-192.168.1.181
nat (LAN,WAN) static 192.168.1.57
object network obj-192.168.1.196
nat (LAN,WAN) static 192.168.1.11
object network obj-192.168.1.199
nat (LAN,WAN) static 192.168.1.49
object network obj-192.168.1.252
nat (LAN,WAN) static 192.168.1.252 no-proxy-arp route-lookup
object network obj-192.168.1.194
nat (LAN,WAN) static 192.168.1.44
object network obj_any
nat (LAN,WAN) dynamic interface
object network obj_any-01
nat (LAN,WAN) dynamic obj-0.0.0.0
object network obj_any-02
nat (management,WAN) dynamic interface
object network obj_any-03
nat (management,WAN) dynamic obj-0.0.0.0
object network obj_any-04
nat (management,LAN) dynamic obj-0.0.0.0
object network obj-192.168.1.213
nat (LAN,WAN) static 192.168.1.58
object network obj-192.168.1.174
nat (LAN,WAN) static 192.168.1.48
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
route WAN 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
aaa-server XXX_Auth_Servers protocol radius
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.203
key *****
radius-common-pw *****
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.207
key *****
radius-common-pw *****
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.178
key *****
radius-common-pw *****
nac-policy DfltGrpPolicy-nac-framewor
reval-period 36000
sq-period 300
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server host LAN 192.168.1.211 community ***** version 2c
snmp-server location xxx
snmp-server contact XXX
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn1 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 10 set reverse-route
crypto map WAN_map 65535 ipsec-isakmp dynamic dyn1
crypto map WAN_map interface WAN
crypto ikev1 enable WAN
crypto ikev1 enable management
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.211 255.255.255.255 LAN
telnet timeout 5
ssh x.x.x.xxxx 255.255.255.255 WAN
ssh timeout 60
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
ASKER
Ok I seem to have it sorted by setting the encryption and authentication settings manually as opposed to auto. However the ASA logs are now showing:
3 Mar 29 2012 11:24:18 Group = COMPUTER, Username = test, IP = x.x.x.x, Mismatch: Overriding phase 2 DH Group(DH group 0) with phase 1 group(DH group 2)
I seem to have full connectivity but need to get this error cleared, any ideas?
3 Mar 29 2012 11:24:18 Group = COMPUTER, Username = test, IP = x.x.x.x, Mismatch: Overriding phase 2 DH Group(DH group 0) with phase 1 group(DH group 2)
I seem to have full connectivity but need to get this error cleared, any ideas?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, I checked the error with Cisco - apparently it is informational and nothing to worry about. Plus the Cisco VPN client does it too.
Ehr, that's correct. I thought you just wanted to get rid of that notification. Never mind, thx for the points.
Have a look at:
http://www.shrew.net/support/wiki/HowtoCiscoAsa
To see what is needed.