Well, it appears I've answered my own question, so I'll post the answer here for posterity.
It appears the problem is that 8.3(2) is very buggy WRT IPSec and NAT. There were a few suspiciously familiar-sounding bugs in the "fixed" list for the latest interim release - none mentioned ShrewSoft, of course, but the Mac OS IPSec/L2TP client was mentioned. So, I upgraded to 8.3(2)37 and my problems vanished.

Based on the number of bug fixes that are in 8.2(5) but are *not* in 8.3(2), I'd advise anyone who is upgrading to 8.3 to go directly to the latest interim release.

It's still a mystery why the Mac OS X and vpnc clients were able to connect (but suffered occasional connection drops), whereas the ShrewSoft client was completely stymied - perhaps they have some mechanism to detect and/or attempt to avoid NAT collisions?

Hope this saves someone else a headache.

On Thu, Mar 28, 2013 at 8:58 PM, Cory Bell <[email protected]> wrote:
> Further investigation leads me to believe this may be NAT or NAT-T related - it appears that the first ShrewSoft client to connect from behind a NAT router is able to establish a VPN session. Any subsequent sessions will fail. I've tried the various NAT-T settings in the client, to no avail - "enabled" is what we had been using previously and seemed to work fine.
>
> I've also noticed that, while multiple vpnc and Mac OS X clients are able to connect from behind a single NAT router, we have been experiencing connection drops much more frequently since the upgrade to 8.3(2). There does not seem to be any clear pattern to when the disconnects occur, but multiple clients are affected when they do.
>
> On Tue, Mar 26, 2013 at 7:31 AM, Cory Bell <[email protected]> wrote:
>> VPN Client Version: 2.1.7-release and 2.2.0-rc-2
>> Windows OS Version: 7
>> Gateway Make/Model: Cisco ASA
>> Gateway OS Version: 8.3(2)
>>
>> I've got a couple of ASAs that were both on 8.2(5) and working fine with ShrewSoft 2.1.7. Recently, I upgraded one of them to 8.3(2) and now the ShrewSoft client can no longer connect. I'm aware of the "unidirectional" NAT exclusion issue in 8.3(2) and have already corrected it. The official Cisco client is able to connect, as is vpnc on Linux and the integrated Cisco-compatible client in Mac OS X. The same ShrewSoft clients that can't connect to the 8.3(2) ASA can still connect to the 8.2(5) ASA (the tunnel-groups are identical).
>>
>> There's nothing exotic about my configuration, just your standard IKEv1 with XAuth-PSK auth and NAT-T encapsulation. It's virtually identical to the Cisco ASA example on the Support page, except that the example is from a pretty old ASA version.
>>
>> I see two different failure modes - sometimes the ASA shows a "Failure during phase 1 rekeying attempt due to collision" error and immediately sends a DELETE to the client, at which point the connection is terminated. Other times, the client will seemingly hang after sending multiple config requests. I also gave the ShrewSoft 2.2.0-rc-2 client a try, and it behaves exactly the same.
>>
>> Cisco TAC was about as helpful as you might expect, so I'm hoping someone else has been through this and had better luck. I'm happy to provide sanitized logs if it will help identify the issue. Thanks!

_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
