Solved

Shrew Soft VPN client Cisco ASA

Posted on 2012-03-29
8
2,641 Views
Last Modified: 2012-03-29
Hi All,

We are currently using the Cisco VPN Client version 5.0.07.0410 with a Cisco ASA 5510.  This has all bee working fine but now Cisco are no longer supporting it we want to change to the Open Source Shrew Soft client.

I have installed the Shrew Soft client on a laptop and imported a .pcf file which all worked fine.  I then started the connection and entered my credentials.  The connection failed and the following appeared in the ASA logs :Mismatch: Overriding phase 2 DH Group(DH group 0) with phase 1 group(DH group 2)

and

QM FSM error (P2 struct &0xadf5fa30, mess id 0xf5efa104)!

Does any one have any ideas what this is? I thought as it works with the Cisco VPN client all I would need to do was import the .pcf file and away?

Thanks for any help!
0
Comment
Question by:robclarke41
  • 4
  • 4
8 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37780808
That could mean that the ipsec proposals in the asa aren't the ones the client can take.

Have a look at:
http://www.shrew.net/support/wiki/HowtoCiscoAsa

To see what is needed.
0
 
LVL 1

Author Comment

by:robclarke41
ID: 37781020
I did have a look in here but couldn't see what the problem could be, I thought the Shrew Soft client could do anything the Cisco VPN client could do?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781028
Well, almost. Some types of encryption don't seem to work. If you're lucky (like I was once :) you just import the pcf file and it works..... But not always.

Could you post a (sanitized) config of the ASA so we can have a look?
0
 
LVL 1

Author Comment

by:robclarke41
ID: 37781092
Sure, here you go


hostname XXXciscoasa
domain-name adroot.xxx.co.uk
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 194.x.x.x 255.255.255.0 standby 194.x.x.x
!
interface Ethernet0/1
 nameif LAN
 security-level 50
 ip address 192.168.1.252 255.255.255.0 standby 192.168.1.251
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.7
 management-only
!
boot system disk0:/xxx.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup WAN
dns domain-lookup LAN
dns domain-lookup management
dns server-group DefaultDNS
 domain-name adroot.xxx.co.uk
same-security-traffic permit intra-interface
object network obj-192.168.11.0
 subnet 192.168.11.0 255.255.255.0
object network obj-192.168.1.128
 subnet 192.168.1.128 255.255.255.224
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.1.206
 host 192.168.1.206
object network obj-192.168.1.181
 host 192.168.1.181
object network obj-192.168.1.196
 host 192.168.1.196
object network obj-192.168.1.199
 host 192.168.1.199
object network obj-192.168.1.252
 host 192.168.1.252
object network obj-192.168.1.194
 host 192.168.1.194
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.240
object network obj-192.168.1.152
 subnet 192.168.1.152 255.255.255.248
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
object network obj_any-04
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.213
 host 192.168.1.213
object network obj-192.168.1.174
 host 192.168.1.174
 description Efes Web server
 
pager lines 25
logging enable
logging timestamp
logging list Email_Alerts level warnings
logging monitor debugging
logging asdm informational
logging mail Email_Alerts
logging from-address FirewallLogs@xxx.co.uk
logging recipient-address FirewallLogs@xxx.co.uk level errors
logging class auth mail warnings
logging class np mail warnings
logging class sys mail warnings
logging class vpdn mail warnings
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool XXX_VPN_POOL 192.168.11.1-192.168.11.254 mask 255.255.255.0
ip verify reverse-path interface WAN
failover
failover lan unit primary
failover lan interface LANFailover Ethernet0/2
failover key *****
failover replication http
failover link StateFailover Ethernet0/3
failover interface ip LANFailover 192.168.250.1 255.255.255.0 standby 192.168.250.2
failover interface ip StateFailover 192.168.251.1 255.255.255.0 standby 192.168.251.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/xxx
asdm history enable
arp timeout 14400
nat (LAN,WAN) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (LAN,WAN) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (LAN,LAN) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (LAN,LAN) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (management,any) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (management,any) source static any any destination static obj-192.168.10.0 obj-192.168.10.0
nat (management,any) source static any any destination static obj-192.168.1.152 obj-192.168.1.152
!
object network obj-192.168.11.0
 nat (WAN,WAN) dynamic interface
object network obj-192.168.1.206
 nat (LAN,WAN) static 194.x.x.x
object network obj-192.168.1.181
 nat (LAN,WAN) static 192.168.1.57
object network obj-192.168.1.196
 nat (LAN,WAN) static 192.168.1.11
object network obj-192.168.1.199
 nat (LAN,WAN) static 192.168.1.49
object network obj-192.168.1.252
 nat (LAN,WAN) static 192.168.1.252 no-proxy-arp route-lookup
object network obj-192.168.1.194
 nat (LAN,WAN) static 192.168.1.44
object network obj_any
 nat (LAN,WAN) dynamic interface
object network obj_any-01
 nat (LAN,WAN) dynamic obj-0.0.0.0
object network obj_any-02
 nat (management,WAN) dynamic interface
object network obj_any-03
 nat (management,WAN) dynamic obj-0.0.0.0
object network obj_any-04
 nat (management,LAN) dynamic obj-0.0.0.0
object network obj-192.168.1.213
 nat (LAN,WAN) static 192.168.1.58
object network obj-192.168.1.174
 nat (LAN,WAN) static 192.168.1.48
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
route WAN 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server XXX_Auth_Servers protocol radius
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.203
 key *****
 radius-common-pw *****
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.207
 key *****
 radius-common-pw *****
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.178
 key *****
 radius-common-pw *****
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server host LAN 192.168.1.211 community ***** version 2c
snmp-server location xxx
snmp-server contact XXX
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn1 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 10 set reverse-route
crypto map WAN_map 65535 ipsec-isakmp dynamic dyn1
crypto map WAN_map interface WAN
crypto ikev1 enable WAN
crypto ikev1 enable management
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet 192.168.1.211 255.255.255.255 LAN
telnet timeout 5
ssh x.x.x.xxxx 255.255.255.255 WAN
ssh timeout 60
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 1

Author Comment

by:robclarke41
ID: 37781131
Ok I seem to have it sorted by setting the encryption and authentication settings manually as opposed to auto.  However the ASA logs are now showing:

3      Mar 29 2012      11:24:18                                    Group = COMPUTER, Username = test, IP = x.x.x.x, Mismatch: Overriding phase 2 DH Group(DH group 0) with phase 1 group(DH group 2)

I seem to have full connectivity but need to get this error cleared, any ideas?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37781230
Try this:

I solved this issue setting to “group 2¿ the Phase 2->PFS exchange value in my settings.
Source: http://www.nic-nac-project.de/~jose/241/notes/shrew-an-alternative-to-cisco-vpn-client/
0
 
LVL 1

Author Comment

by:robclarke41
ID: 37781269
Thanks, I checked the error with Cisco - apparently it is informational and nothing to worry about. Plus the Cisco VPN client does it too.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781278
Ehr, that's correct. I thought you just wanted to get rid of that notification. Never mind, thx for the points.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Network Connection 5 34
site to site tunnel not autostarting 5 35
Windows 10 VPN? 6 44
mini spy rotating camera 3 16
When posting a question about a Cisco ASA, Cisco Router or Cisco Switch, it can aid diagnosis if a suitably sanitised copy of the config is provided. It is much better to leave as much of the configuration as original as possible, as it could be tha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now