Hi Matthew

I can't use Hybrid because the Cisco configuration requests Mutual.

I tried using the Trace utility, but it seems to me it is not working on W7 (64bit).

Anyway, from the VPN Client I'm getting this output:

attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

In the meantime, the VPN Server logging is reporting that the gateway was unable to choose the correct VPN Profile (that normally is recognized from the certificate OU field).

Please note I'm using the same certificate that is working fine with the same VPN server and Cisco VPN Client.

Thank you very much for your help

Stefano
________________________________
From: Matthew Grooms [mailto:[email protected]]
Sent: Wed 24/03/2010 17.13
To: Stefano Lassi
Cc: [email protected]
Subject: Re: [vpn-help] Shrew and RSA authentication with Cisco devices

On 3/17/2010 7:19 AM, Stefano Lassi wrote:
> Hi
> I'm using, with very good success, Shrew VPN Client in order to connect
> Cisco VPN gateways (IOS, ASA/PIX, VPN3000), using PSK authentication.
> Now, I'm trying to connect to same Cisco VPN gateways using Hybrid (RSA +
> XAuth) authentication, without success.
> Main problem I got is Cisco VPN Server seems not to recognize VPN Group
> (profile), normally specified using certificate OU field.
> I tested a few different client authentication "Identification Type"
> options (ASN.1, Key Identifier, etc.) without success: Cisco gateways
> report no "group association" was present from client request.
> Has somebody got some hints on how to configure Shrew VPN Client to
> correctly propose right OU field <-> VPN profile association to Cisco
> VPN Gateways (correct OU mapping is already correctly in place on VPN
> servers, because they are working fine with RSA authentication against
> Cisco VPN Clients ...).
> Thank you very much and see you soon
> Stefano
>

Stefano,

For Cisco Hybrid, you should not use Mutual RSA + Xauth. Use Hybrid RSA + XAuth instead. If you need Mutual RSA + Xauth and that isn't working, can you provide log output from the client and the gateway?

-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
