Afternoon All,
We have been using our ASAs with a Mutual PSK + XAuth authentication scheme for a few years, with a spread of clients between the official Cisco VPN client and the Shrewsoft client (mainly used by 64-bit users). We have a requirement to implement two-factor authentication on our client VPNs for our PCI DSS compliance, so we are implementing a client certificate based authentication scheme rather than the mutual PSK; the XAuth in this case is integrated with Active Directory via RADIUS.

After some fiddling about I have been able to use client certificates to provide the initial authentication with the Cisco client: the OU specified in the certificate is matched to a tunnel group (VPNAdminUsers) configured on the ASA, which is then passed through to the RADIUS server, which authenticates the user in our AD.

I imported the working PCF from the Cisco client into the Shrewsoft client, but have been singularly unsuccessful in connecting the VPN from the Shrewsoft client. When I imported the PCF it explained I would have to import the certificates manually, so I:

- Exported the CA certificate from Microsoft Certificate Services as Base64 with the default .CER extension, renamed this file to a .PEM file and chose this for the Server Certificate Authority file
- Exported my client certificate from the local certificate store in PKCS12 format with a .pfx extension with the private key included, and chose this file for both the Client Certificate File and the Client Private Key File

The client seemed happy with this and prompted me for the certificate key password when I tried to connect. To eliminate this as the problem I then took the PKCS12 file and converted it using OpenSSL to a PEM and KEY file and used those instead of the PFX file; the client seemed fine with this as well. I am confident all the transform sets are configured correctly; they work perfectly if the tunnel is reconfigured back to use Mutual PSK rather than XAuth.
When I try and connect the VPN, the tunnel fails to establish when negotiating the initial connection, and the firewall logs:

Group = VPNAdminUsers, IP = X, No preshared key configured for group
Group = VPNAdminUsers, IP = X, Can't find a valid tunnel group, aborting
Group = VPNAdminUsers, IP = X, Removing peer from peer table failed, no match!

It is picking up the correct tunnel group from the subject OU in the client certificate, or at least it certainly seems to be; it is the only place VPNAdminUsers is mentioned anywhere in the Shrewsoft configuration. I don't understand why it is looking for a preshared key though; the client certificate is meant to be used instead of a PSK for the initial negotiation. Is anyone able to shed any light on this for me?

TL;DR: I'm trying to use a Windows CA to provide Mutual RSA authentication. It works perfectly from the Cisco client but the Shrewsoft one doesn't, and I can't see anything obviously wrong with my configuration so am at a bit of a loss. Any help that you folks can provide would be greatly appreciated.

Thanks,
_______________________________________________ vpn-help mailing list [email protected] http://lists.shrew.net/mailman/listinfo/vpn-help
