Thank you for your reply. I attach the Shrew IKE logs below. It looks like there's some problem with validating the remote (VPN gateway) certificate? I don't know why, or what the cause can be. I have to admit that PKI knowledge is not my strength. Maybe I imported the wrong certificate into the client? I have three Certificate Authorities in my company: Root CA, Servers CA and Users CA.
Thanks in advance,
Lukas

________________________________

Logs:

11/10/05 08:25:37 ii : ipc client process thread begin ...
11/10/05 08:25:37 <A : peer config add message
11/10/05 08:25:37 DB : peer added ( obj count = 1 )
11/10/05 08:25:37 ii : local address 77.114.186.12 selected for peer
11/10/05 08:25:37 DB : tunnel added ( obj count = 1 )
11/10/05 08:25:37 <A : proposal config message
11/10/05 08:25:37 <A : proposal config message
11/10/05 08:25:37 <A : client config message
11/10/05 08:25:37 <A : xauth username message
11/10/05 08:25:37 <A : xauth password message
11/10/05 08:25:37 <A : remote cert 'C:\Users\itl1\Documents\Certyfikaty\RootCA\hutmenCA.pem' message
11/10/05 08:25:37 ii : 'C:\Users\itl1\Documents\Certyfikaty\RootCA\hutmenCA.pem' loaded
11/10/05 08:25:37 <A : local cert 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_public.crt' message
11/10/05 08:25:37 ii : 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_public.crt' loaded
11/10/05 08:25:37 <A : local key 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_private.crt' message
11/10/05 08:25:37 ii : 'C:\Users\itl1\Documents\Certyfikaty\Hutmen\Certyfikaty osobiste\lt_private.crt' loaded
11/10/05 08:25:37 <A : peer tunnel enable message
11/10/05 08:25:37 ii : obtained x509 cert subject ( 185 bytes )
11/10/05 08:25:37 DB : new phase1 ( ISAKMP initiator )
11/10/05 08:25:37 DB : exchange type is aggressive
11/10/05 08:25:37 DB : 77.114.186.12:500 <-> 89.171.80.182:500
11/10/05 08:25:37 DB : b76545efc9d94204:0000000000000000
11/10/05 08:25:37 DB : phase1 added ( obj count = 1 )
11/10/05 08:25:37 >> : security association payload
11/10/05 08:25:37 >> : - proposal #1 payload
11/10/05 08:25:37 >> : -- transform #1 payload
11/10/05 08:25:37 >> : -- transform #2 payload
11/10/05 08:25:37 >> : -- transform #3 payload
11/10/05 08:25:37 >> : -- transform #4 payload
11/10/05 08:25:37 >> : -- transform #5 payload
11/10/05 08:25:37 >> : -- transform #6 payload
11/10/05 08:25:37 >> : -- transform #7 payload
11/10/05 08:25:37 >> : -- transform #8 payload
11/10/05 08:25:37 >> : -- transform #9 payload
11/10/05 08:25:37 >> : -- transform #10 payload
11/10/05 08:25:37 >> : -- transform #11 payload
11/10/05 08:25:37 >> : -- transform #12 payload
11/10/05 08:25:37 >> : -- transform #13 payload
11/10/05 08:25:37 >> : -- transform #14 payload
11/10/05 08:25:37 >> : -- transform #15 payload
11/10/05 08:25:37 >> : -- transform #16 payload
11/10/05 08:25:37 >> : -- transform #17 payload
11/10/05 08:25:37 >> : -- transform #18 payload
11/10/05 08:25:37 >> : key exchange payload
11/10/05 08:25:37 >> : nonce payload
11/10/05 08:25:37 >> : cert request payload
11/10/05 08:25:37 >> : identification payload
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports XAUTH
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( draft v00 )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( draft v01 )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( draft v02 )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( draft v03 )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports nat-t ( rfc )
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local supports DPDv1
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local is SHREW SOFT compatible
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local is NETSCREEN compatible
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local is SIDEWINDER compatible
11/10/05 08:25:37 >> : vendor id payload
11/10/05 08:25:37 ii : local is CISCO UNITY compatible
11/10/05 08:25:37 >= : cookies b76545efc9d94204:0000000000000000
11/10/05 08:25:37 >= : message 00000000
11/10/05 08:25:37 -> : send IKE packet 77.114.186.12:500 -> 89.171.80.182:500 ( 1342 bytes )
11/10/05 08:25:37 DB : phase1 resend event scheduled ( ref count = 2 )
11/10/05 08:25:38 <- : recv IKE packet 89.171.80.182:500 -> 77.114.186.12:500 ( 2067 bytes )
11/10/05 08:25:38 DB : phase1 found
11/10/05 08:25:38 ii : processing phase1 packet ( 2067 bytes )
11/10/05 08:25:38 =< : cookies b76545efc9d94204:837a14a15df49646
11/10/05 08:25:38 =< : message 00000000
11/10/05 08:25:38 << : security association payload
11/10/05 08:25:38 << : - propsal #1 payload
11/10/05 08:25:38 << : -- transform #13 payload
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != aes )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : unmatched isakmp proposal/transform
11/10/05 08:25:38 ii : cipher type ( 3des != blowfish )
11/10/05 08:25:38 ii : matched isakmp proposal #1 transform #13
11/10/05 08:25:38 ii : - transform = ike
11/10/05 08:25:38 ii : - cipher type = 3des
11/10/05 08:25:38 ii : - key length = default
11/10/05 08:25:38 ii : - hash type = md5
11/10/05 08:25:38 ii : - dh group = modp-1024
11/10/05 08:25:38 ii : - auth type = xauth-initiator-rsa
11/10/05 08:25:38 ii : - life seconds = 86400
11/10/05 08:25:38 ii : - life kbytes = 0
11/10/05 08:25:38 << : key exchange payload
11/10/05 08:25:38 << : nonce payload
11/10/05 08:25:38 << : identification payload
11/10/05 08:25:38 ii : phase1 id target is any
11/10/05 08:25:38 ii : phase1 id match
11/10/05 08:25:38 ii : received = asn1-dn CN=hutmenasa
11/10/05 08:25:38 << : certificate payload
11/10/05 08:25:38 << : signature payload
11/10/05 08:25:38 << : cert request payload
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : peer is CISCO UNITY compatible
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : peer supports XAUTH
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : peer supports DPDv1
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : peer supports nat-t ( draft v02 )
11/10/05 08:25:38 << : nat discovery payload
11/10/05 08:25:38 << : nat discovery payload
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : unknown vendor id ( 20 bytes )
11/10/05 08:25:38 0x : 4048b7d5 6ebce885 25e7de7f 00d6c2d3 c0000000
11/10/05 08:25:38 << : vendor id payload
11/10/05 08:25:38 ii : unknown vendor id ( 16 bytes )
11/10/05 08:25:38 0x : 1f07f70e aa6514d3 b0fa9654 2a500100
11/10/05 08:25:38 ii : nat discovery - remote address is translated
11/10/05 08:25:38 ii : switching to src nat-t udp port 4500
11/10/05 08:25:38 ii : switching to dst nat-t udp port 4500
11/10/05 08:25:38 == : DH shared secret ( 128 bytes )
11/10/05 08:25:38 == : SETKEYID ( 16 bytes )
11/10/05 08:25:38 == : SETKEYID_d ( 16 bytes )
11/10/05 08:25:38 == : SETKEYID_a ( 16 bytes )
11/10/05 08:25:38 == : SETKEYID_e ( 16 bytes )
11/10/05 08:25:38 == : cipher key ( 32 bytes )
11/10/05 08:25:38 == : cipher iv ( 8 bytes )
11/10/05 08:25:38 >> : certificate payload
11/10/05 08:25:38 == : phase1 hash_i ( computed ) ( 16 bytes )
11/10/05 08:25:38 >> : signature payload
11/10/05 08:25:38 >> : nat discovery payload
11/10/05 08:25:38 >> : nat discovery payload
11/10/05 08:25:38 >= : cookies b76545efc9d94204:837a14a15df49646
11/10/05 08:25:38 >= : message 00000000
11/10/05 08:25:38 >= : encrypt iv ( 8 bytes )
11/10/05 08:25:38 == : encrypt packet ( 1865 bytes )
11/10/05 08:25:38 == : stored iv ( 8 bytes )
11/10/05 08:25:38 DB : phase1 resend event canceled ( ref count = 1 )
11/10/05 08:25:38 -> : send NAT-T:IKE packet 77.114.186.12:4500 -> 89.171.80.182:4500 ( 1900 bytes )
11/10/05 08:25:38 ii : fragmented packet to 1514 bytes ( MTU 1500 bytes )
11/10/05 08:25:38 ii : fragmented packet to 434 bytes ( MTU 1500 bytes )
11/10/05 08:25:38 ii : added hutmen_users_CA.crt to x509 store
11/10/05 08:25:38 ii : unable to get issuer certificate(2) at depth:1
11/10/05 08:25:38 ii : subject :/DC=pl/DC=hutmen/CN=Hutmen S.A. Uzytkownicy
11/10/05 08:25:38 !! : unable to verify remote peer certificate
11/10/05 08:25:38 ii : sending peer DELETE message
11/10/05 08:25:38 ii : - 77.114.186.12:4500 -> 89.171.80.182:4500
11/10/05 08:25:38 ii : - isakmp spi = b76545efc9d94204:837a14a15df49646
11/10/05 08:25:38 ii : - data size 0
11/10/05 08:25:38 >> : hash payload
11/10/05 08:25:38 >> : delete payload
11/10/05 08:25:38 == : new informational hash ( 16 bytes )
11/10/05 08:25:38 == : new informational iv ( 8 bytes )
11/10/05 08:25:38 >= : cookies b76545efc9d94204:837a14a15df49646
11/10/05 08:25:38 >= : message 889de6b1
11/10/05 08:25:38 >= : encrypt iv ( 8 bytes )
11/10/05 08:25:38 == : encrypt packet ( 76 bytes )
11/10/05 08:25:38 == : stored iv ( 8 bytes )
11/10/05 08:25:38 -> : send NAT-T:IKE packet 77.114.186.12:4500 -> 89.171.80.182:4500 ( 108 bytes )
11/10/05 08:25:38 ii : phase1 removal before expire time
11/10/05 08:25:38 DB : phase1 deleted ( obj count = 0 )
11/10/05 08:25:38 DB : policy not found
11/10/05 08:25:38 DB : policy not found
11/10/05 08:25:38 DB : tunnel stats event canceled ( ref count = 1 )
11/10/05 08:25:38 DB : removing tunnel config references
11/10/05 08:25:38 DB : removing tunnel phase2 references
11/10/05 08:25:38 DB : removing tunnel phase1 references
11/10/05 08:25:38 DB : tunnel deleted ( obj count = 0 )
11/10/05 08:25:38 DB : removing all peer tunnel refrences
11/10/05 08:25:38 DB : peer deleted ( obj count = 0 )
11/10/05 08:25:38 ii : ipc client process thread exit ...

______________________________

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kevin VPN
Sent: Wednesday, October 05, 2011 4:16 AM
To: [email protected]
Subject: Re: [vpn-help] R: Shrew and RSA authentication with Cisco devices

On 10/03/2011 03:01 AM, Trzewiczek Łukasz wrote:
> Hi,
>
> I have encountered the same problem with Mutual RSA +
> XAUTH authentication. My client version is 2.1.7 and I use it
> with ASA 5505 (soft ver. 6.2) with mutual PSK authentication.
> Cisco ASA is configured the same as in this tutorial:
>
> http://www.cisco.com/en/US/products/ps6120/
> products_configuration_example09186a0080930f21.shtml
>
> I also have Microsoft's CA. It works perfectly with Cisco VPN
> Client but doesn't with Shrew. Have any of you used such dual
> authentication with success? I have tried probably every option
> in Access Manager and I don't know if there's any bug in Access
> Manager or my configuration is wrong.
>
> Logs from ASA are as follows:
>
> Sep 29 09:06:22 hutmenasa %ASA-6-302015: Built inbound UDP
> connection 250884 for outside:95.41.84.136/4500 (95.41.84.136/4500)
> to identity:172.18.1.16/4500 (172.18.1.16/4500)
>
> Sep 29 09:06:22 hutmenasa %ASA-6-713172: Group = Uzytkownicy,
> IP = 95.41.84.136, Automatic NAT Detection Status: Remote end
> is NOT behind a NAT device This end IS behind a NAT device
>
> Sep 29 09:06:22 hutmenasa %ASA-6-717022: Certificate was
> successfully validated. serial number: 626A0CC20004000000AD,
> subject name: [email protected],
> cn=Łukasz Trzewiczek,ou=FI,ou=DG,ou=Hutmen,ou=Uzytkownicy,
> dc=hutmen,dc=pl.
>
> Sep 29 09:06:22 hutmenasa %ASA-6-717028: Certificate chain was
> successfully validated with warning, revocation status was not
> checked.
>
> Sep 29 09:06:22 hutmenasa %ASA-5-713050: Group = Uzytkownicy,
> IP = 95.41.84.136, Connection terminated for peer . Reason: Peer
> Terminate Remote Proxy N/A, Local Proxy N/A
> ...
> Any help will be appreciated.
>

Hi Lukas,

To me it looks like Shrew has terminated the connection, based on the ASA reporting "Peer Terminate". Can you produce a Shrew log using these instructions to see if it helps us:

http://www.shrew.net/support/wiki/BugReportVpnWindows

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
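Editor's note, added to this page and not part of the thread above. The two lines "unable to get issuer certificate(2) at depth:1" and "subject :/DC=pl/DC=hutmen/CN=Hutmen S.A. Uzytkownicy" are OpenSSL verification results as reported by Shrew: the verifier built the chain gateway certificate (depth 0, CN=hutmenasa) -> Users CA (depth 1) and then could not find the Users CA's own issuer in the trust material it had. In OpenSSL's verifier, error 2 (as opposed to error 20, "unable to get local issuer certificate") is reported when the certificate at the failing depth was itself taken from the trusted store and the walk towards a self-signed root stopped there. The check that matters on the real files is therefore whether the Issuer DN of the Users CA certificate equals the Subject DN of the CA certificate handed to the client (hutmenCA.pem in the log), and whether the client holds every CA up to the self-signed root. The script below is written for this page (not Shrew Soft's or Cisco's code): it builds a throwaway Root CA -> Users CA -> gateway hierarchy whose DNs are constructed to mimic the thread, then runs `openssl verify` in the configurations that matter, including the one that reproduces the exact error code and depth from the log. It assumes an `openssl` command-line tool (1.0.2 or later for `-partial_chain`).

```shell
#!/bin/sh
# Editor's example, not code from the thread, Shrew Soft or Cisco: build a
# throwaway Root CA -> Users CA -> gateway certificate hierarchy (DNs modelled
# on the thread, all constructed here) and run OpenSSL's chain building over it
# the way an IKE client's X.509 verification does, to see which trust-store
# contents yield "unable to get issuer certificate (2) at depth 1".
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Self-contained config so the run does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ee ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
EOF

# Run a setup command quietly; abort the demo if certificate generation fails.
q() { "$@" >/dev/null 2>&1 || { echo "setup failed: $*" >&2; exit 1; }; }

# 1. Self-signed Root CA.
q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config ca.cnf \
    -extensions v3_ca -subj "/DC=pl/DC=hutmen/CN=Hutmen Root CA (demo)" \
    -keyout root.key -out root.pem
# 2. Users CA, an intermediate issued by the root.
q openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/DC=pl/DC=hutmen/CN=Hutmen S.A. Uzytkownicy (demo)" \
    -keyout users.key -out users.csr
q openssl x509 -req -sha256 -days 1 -in users.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.cnf -extensions v3_ca -out users.pem
# 3. Gateway certificate issued by the Users CA (the peer in the log: CN=hutmenasa).
q openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/CN=hutmenasa" -keyout gw.key -out gw.csr
q openssl x509 -req -sha256 -days 1 -in gw.csr -CA users.pem -CAkey users.key \
    -CAcreateserial -extfile ca.cnf -extensions v3_ee -out gw.pem

# verify_gateway TRUSTED_CA_FILE [UNTRUSTED_CHAIN_FILE] [EXTRA_OPENSSL_FLAGS]
# Verifies gw.pem and prints "ok", or "error <code> at <depth> depth: <reason>"
# distilled from openssl's output (the same code/depth pair the Shrew log shows).
# Always exits 0 so callers can capture the string with $(...).
verify_gateway() {
    trusted=$1; untrusted=${2:-}; extra=${3:-}
    if [ -n "$untrusted" ]; then
        set -- -CAfile "$trusted" -untrusted "$untrusted"
    else
        set -- -CAfile "$trusted"
    fi
    if out=$(openssl verify "$@" $extra gw.pem 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" | sed -n \
            's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup: *\(.*\)$/error \1 at \2 depth: \3/p' \
            | head -n 1
    fi
    return 0
}

# issuer_matches_anchor CA_CERT ANCHOR_CERT: the check to run on the real files.
# The Issuer DN of the intermediate must equal the Subject DN of the anchor the
# client is given, or the verifier can never climb past the intermediate.
issuer_matches_anchor() {
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    sub=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
    [ "$iss" = "$sub" ] && echo yes || echo no
}

echo "root trusted, gateway cert alone:            $(verify_gateway root.pem)"
echo "root trusted, Users CA supplied as chain:    $(verify_gateway root.pem users.pem)"
echo "Users CA trusted, its issuer absent (log):   $(verify_gateway users.pem)"
echo "Users CA trusted, accepted as partial chain: $(verify_gateway users.pem '' -partial_chain)"
echo "Users CA issued by root.pem:                 $(issuer_matches_anchor users.pem root.pem)"
echo "gateway cert issued by root.pem:             $(issuer_matches_anchor gw.pem root.pem)"
```

The third configuration (only the intermediate in the trust store, its issuer nowhere) is the one that produces "error 2 at 1 depth: unable to get issuer certificate" with the Users CA as the reported subject, matching the log; the first produces error 20 at depth 0 instead, which is what a client sees when the peer's certificate arrives with no intermediate at all. Whether a verifier is willing to stop at a non-root anchor is a policy choice: OpenSSL requires `-partial_chain` (X509_V_FLAG_PARTIAL_CHAIN) for that, and an IKE client that does not set it needs the self-signed root present. On the real files, run `issuer_matches_anchor` on the Users CA certificate and on the CA file configured in the client, and if they differ, supply the CA that actually signed the intermediate.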
