Solved

Shrew Soft VPN client Cisco ASA

Posted on 2012-03-29
2,939 Views
Last Modified: 2012-03-29
Hi All,

We are currently using the Cisco VPN Client version 5.0.07.0410 with a Cisco ASA 5510.  This has all been working fine, but now that Cisco are no longer supporting it we want to change to the Open Source Shrew Soft client.

I have installed the Shrew Soft client on a laptop and imported a .pcf file, which all worked fine.  I then started the connection and entered my credentials.  The connection failed and the following appeared in the ASA logs:

Mismatch: Overriding phase 2 DH Group(DH group 0) with phase 1 group(DH group 2)

and

QM FSM error (P2 struct &0xadf5fa30, mess id 0xf5efa104)!

Does anyone have any ideas what this is? I thought that, as it works with the Cisco VPN client, all I would need to do was import the .pcf file and away?

Thanks for any help!
0
Question by:robclarke41
8 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37780808
That could mean that the ipsec proposals in the asa aren't the ones the client can take.

Have a look at:
http://www.shrew.net/support/wiki/HowtoCiscoAsa

To see what is needed.
0
 
LVL 1

Author Comment

by:robclarke41
ID: 37781020
I did have a look in here but couldn't see what the problem could be. I thought the Shrew Soft client could do anything the Cisco VPN client could do?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781028
Well, almost. Some types of encryption don't seem to work. If you're lucky (like I was once :) you just import the pcf file and it works..... But not always.

Could you post a (sanitized) config of the ASA so we can have a look?
0
 
LVL 1

Author Comment

by:robclarke41
ID: 37781092
Sure, here you go


hostname XXXciscoasa
domain-name adroot.xxx.co.uk
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 194.x.x.x 255.255.255.0 standby 194.x.x.x
!
interface Ethernet0/1
 nameif LAN
 security-level 50
 ip address 192.168.1.252 255.255.255.0 standby 192.168.1.251
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.7
 management-only
!
boot system disk0:/xxx.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup WAN
dns domain-lookup LAN
dns domain-lookup management
dns server-group DefaultDNS
 domain-name adroot.xxx.co.uk
same-security-traffic permit intra-interface
object network obj-192.168.11.0
 subnet 192.168.11.0 255.255.255.0
object network obj-192.168.1.128
 subnet 192.168.1.128 255.255.255.224
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.1.206
 host 192.168.1.206
object network obj-192.168.1.181
 host 192.168.1.181
object network obj-192.168.1.196
 host 192.168.1.196
object network obj-192.168.1.199
 host 192.168.1.199
object network obj-192.168.1.252
 host 192.168.1.252
object network obj-192.168.1.194
 host 192.168.1.194
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.240
object network obj-192.168.1.152
 subnet 192.168.1.152 255.255.255.248
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
object network obj_any-04
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.213
 host 192.168.1.213
object network obj-192.168.1.174
 host 192.168.1.174
 description Efes Web server
 
pager lines 25
logging enable
logging timestamp
logging list Email_Alerts level warnings
logging monitor debugging
logging asdm informational
logging mail Email_Alerts
logging from-address FirewallLogs@xxx.co.uk
logging recipient-address FirewallLogs@xxx.co.uk level errors
logging class auth mail warnings
logging class np mail warnings
logging class sys mail warnings
logging class vpdn mail warnings
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool XXX_VPN_POOL 192.168.11.1-192.168.11.254 mask 255.255.255.0
ip verify reverse-path interface WAN
failover
failover lan unit primary
failover lan interface LANFailover Ethernet0/2
failover key *****
failover replication http
failover link StateFailover Ethernet0/3
failover interface ip LANFailover 192.168.250.1 255.255.255.0 standby 192.168.250.2
failover interface ip StateFailover 192.168.251.1 255.255.255.0 standby 192.168.251.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/xxx
asdm history enable
arp timeout 14400
nat (LAN,WAN) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (LAN,WAN) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (LAN,LAN) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (LAN,LAN) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.11.0 obj-192.168.11.0 no-proxy-arp route-lookup
nat (management,any) source static any any destination static obj-192.168.1.128 obj-192.168.1.128
nat (management,any) source static any any destination static obj-192.168.10.0 obj-192.168.10.0
nat (management,any) source static any any destination static obj-192.168.1.152 obj-192.168.1.152
!
object network obj-192.168.11.0
 nat (WAN,WAN) dynamic interface
object network obj-192.168.1.206
 nat (LAN,WAN) static 194.x.x.x
object network obj-192.168.1.181
 nat (LAN,WAN) static 192.168.1.57
object network obj-192.168.1.196
 nat (LAN,WAN) static 192.168.1.11
object network obj-192.168.1.199
 nat (LAN,WAN) static 192.168.1.49
object network obj-192.168.1.252
 nat (LAN,WAN) static 192.168.1.252 no-proxy-arp route-lookup
object network obj-192.168.1.194
 nat (LAN,WAN) static 192.168.1.44
object network obj_any
 nat (LAN,WAN) dynamic interface
object network obj_any-01
 nat (LAN,WAN) dynamic obj-0.0.0.0
object network obj_any-02
 nat (management,WAN) dynamic interface
object network obj_any-03
 nat (management,WAN) dynamic obj-0.0.0.0
object network obj_any-04
 nat (management,LAN) dynamic obj-0.0.0.0
object network obj-192.168.1.213
 nat (LAN,WAN) static 192.168.1.58
object network obj-192.168.1.174
 nat (LAN,WAN) static 192.168.1.48
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
route WAN 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server XXX_Auth_Servers protocol radius
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.203
 key *****
 radius-common-pw *****
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.207
 key *****
 radius-common-pw *****
aaa-server XXX_Auth_Servers (LAN) host 192.168.1.178
 key *****
 radius-common-pw *****
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server host LAN 192.168.1.211 community ***** version 2c
snmp-server location xxx
snmp-server contact XXX
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn1 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 10 set reverse-route
crypto map WAN_map 65535 ipsec-isakmp dynamic dyn1
crypto map WAN_map interface WAN
crypto ikev1 enable WAN
crypto ikev1 enable management
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet 192.168.1.211 255.255.255.255 LAN
telnet timeout 5
ssh x.x.x.xxxx 255.255.255.255 WAN
ssh timeout 60
console timeout 0
vpn-sessiondb max-other-vpn-limit 250
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
0
 
LVL 1

Author Comment

by:robclarke41
ID: 37781131
Ok I seem to have it sorted by setting the encryption and authentication settings manually as opposed to auto.  However the ASA logs are now showing:

3 Mar 29 2012 11:24:18 Group = COMPUTER, Username = test, IP = x.x.x.x, Mismatch: Overriding phase 2 DH Group(DH group 0) with phase 1 group(DH group 2)

I seem to have full connectivity but need to get this error cleared, any ideas?
0
 
LVL 35

Accepted Solution

by:Ernie Beek (earned 2000 total points)
ID: 37781230
Try this:

I solved this issue setting to “group 2” the Phase 2->PFS exchange value in my settings.
Source: http://www.nic-nac-project.de/~jose/241/notes/shrew-an-alternative-to-cisco-vpn-client/
0
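To see where the log message comes from, here is an added Python example (not from the question, the answer, or Shrew Soft) that pulls the phase-1 DH group and the phase-2 PFS setting out of the crypto section of the posted ASA config and reproduces the informational "Mismatch" message the ASA logs when the client's phase-2 PFS group differs from the phase-1 group. It assumes the ASA syntax `crypto dynamic-map <name> <seq> set pfs [groupN]`, with a bare `set pfs` defaulting to group 2, and uses a constructed excerpt of the config above as input.

```python
import re

# Constructed excerpt: the crypto lines from the ASA config posted in the question.
ASA_CRYPTO = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dyn1 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 10 set reverse-route
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""


def parse_asa_crypto(cfg):
    """Return ({policy_seq: phase1_group}, {(map, seq): phase2_pfs_group}).
    A dynamic-map entry with no 'set pfs' negotiates phase 2 without PFS,
    which the ASA log reports as DH group 0."""
    phase1, phase2 = {}, {}
    policy = None
    for line in cfg.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            policy = int(m.group(1))
            phase1.setdefault(policy, None)
            continue
        m = re.match(r"\s+group (\d+)", line)
        if m and policy is not None:
            phase1[policy] = int(m.group(1))
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set (.*)", line)
        if m:
            key = (m.group(1), int(m.group(2)))
            phase2.setdefault(key, 0)
            pfs = re.match(r"pfs(?: group(\d+))?", m.group(3))
            if pfs:  # assumption: bare 'set pfs' means group 2 on the ASA
                phase2[key] = int(pfs.group(1) or 2)
        elif not line.startswith(" "):
            policy = None  # left the indented policy block
    return phase1, phase2


def phase2_group_check(phase1_group, client_pfs_group):
    """Model the ASA behaviour behind the log line: a phase-2 DH group that
    differs from the phase-1 group is overridden with the phase-1 group.
    Returns (effective_group, log_message_or_None)."""
    if client_pfs_group == phase1_group:
        return phase1_group, None
    msg = ("Mismatch: Overriding phase 2 DH Group(DH group %d) with phase 1 "
           "group(DH group %d)" % (client_pfs_group, phase1_group))
    return phase1_group, msg
```

Setting the client's Phase 2 PFS to group 2, as the accepted answer suggests, makes `phase2_group_check` return no message, which is why the notification disappears while connectivity is unchanged.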
 
LVL 1

Author Comment

by:robclarke41
ID: 37781269
Thanks, I checked the error with Cisco - apparently it is informational and nothing to worry about. Plus the Cisco VPN client does it too.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37781278
Ehr, that's correct. I thought you just wanted to get rid of that notification. Never mind, thx for the points.
0
