Some update on this... I finally managed to put this to work. I made the following changes.

Client
    NAT Traversal: force-rfc (this one was already set)

Phase 1
    Exchange Type: aggressive
    DH Exchange: group 2

Phase 2
    Transform Algorithm: esp-aes
    Transform Key Length: 128
    HMAC Algorithm: md5
    PFS Exchange: group 2
    Compress Algorithm: disabled

So far it's handling well, with no drops. I'm very happy with Shrew client as it's not as invasive as Cisco VPN client. :)

On 31 July 2013 13:53, Goncalo Oliveira <[email protected]> wrote:

> I'm trying to connect to a Cisco 3000 VPN Concentrator (if I'm not
> mistaken). I'm attaching the logs again.
>
> The lab gateway seems like a good idea.
>
> Cheers.
>
>
> On 30 July 2013 20:52, Jim Harle <[email protected]> wrote:
>
>> The “latest” (still two years old) Cisco 64-bit client is 5.0.07.0440,
>> and can be downloaded from here
>> http://www.asc.edu/downloads/CiscoVPN/Windows/, not that it will change
>> anything, but it’s the version I was testing with under Windows 8 x64. My
>> main complaint with the Cisco client is that it sets the MTU to 1300 on all of
>> your adapters, not just its own virtual one. The Shrew client uses a 1380
>> MTU (by default) for only its virtual adapter. Not that this has anything
>> to do with your problem.
>>
>> What type of device are you connecting through for Internet? I don’t
>> think the iked.log came through on your original post – I’d like to see it.
>>
>> In about a week I’ll have a Cisco ASA gateway set up in a lab environment
>> – perhaps you could try connecting to it after it’s provisioned, just to
>> see if you experience the same symptoms with a different gateway.
>>
>> -Jim
>>
>> *From:* Goncalo Oliveira [mailto:[email protected]]
>> *Sent:* Tuesday, July 30, 2013 7:26 AM
>> *To:* Harle Jim
>> *Cc:* [email protected]
>> *Subject:* Re: [vpn-help] Cisco VPN
>>
>> Hi Jim,
>>
>> Thanks for replying. I have tried using both 32-bit and 64-bit, version
>> 5.0.07.0240. 64-bit is always dropping and sometimes it just stops working
>> - had to re-install. The 32-bit is a bit more stable but still it's not
>> very natural to Windows 8 and is unstable.
>>
>> I was hoping I could replace it with Shrew client, it looks very good and
>> the drivers hassle is cleaner. However, it's not going for phase 2. I
>> already tried using 'force-rfc' on NAT traversal.
>>
>> I do know that even Cisco client dropped the first time it tried to
>> connect; it would only work at the second attempt, don't know if that can
>> be helpful in any way.
>>
>> Any thoughts?
>>
>> On 29 July 2013 19:45, Jim Harle <[email protected]> wrote:
>>
>> What problems are you having with the Cisco client, and which version is
>> it? 32-bit or 64-bit?
>>
>> Regarding the Shrew client, have you tried setting the NAT traversal to
>> ‘force-rfc’ ?
>>
>> *From:* [email protected] [
>> mailto:[email protected]<[email protected]>]
>> *On Behalf Of *Goncalo Oliveira
>> *Sent:* Monday, July 29, 2013 7:23 AM
>> *To:* [email protected]
>> *Subject:* Re: [vpn-help] Cisco VPN
>>
>> Any ideas, anyone?
>>
>> On 23 July 2013 14:15, Goncalo Oliveira <[email protected]> wrote:
>>
>> Hi there,
>>
>> We've been working with Cisco VPN Client 5.0 for some time, though, after
>> installing Windows 8 this is not a stable option. So, Shrew came to the
>> rescue. The login to the VPN is made through group authentication, so the
>> configurations are as follows
>>
>> General
>>     Remote host
>>         Host name or IP address: our provider vpn host name
>>         Auto configuration: ike config pull
>>     Local host
>>         virtual adapter
>>
>> Client
>>     Firewall
>>         NAT Traversal: enable
>>         IKE fragmentation: enable
>>     Other options
>>         Enable dead peer detection: unchecked
>>
>> Name resolution
>>     DNS, automatically
>>     WINS off
>>
>> Authentication
>>     Method: Mutual PSK + XAuth
>>     Local identity
>>         Identification type: Key identifier
>>         Key ID string: our group name identifier
>>     Remote identity
>>         Identification type: any (also tried IP address)
>>     Credentials
>>         Pre shared key: our group password
>>
>> Phase1
>>     Exchange type: aggressive
>>     DH Exchange: group 2
>>
>> Phase 2
>>     PFS Exchange: group 2 (also tried auto and disabled)
>>
>> Phase 1 seems to go well, but phase 2 not so well, keeps writing 'config
>> resend event schedule'.
>>
>> I'm attaching the iked.log, as there might be something useful there.
>>
>> Can anyone help me out on this?
>>
>> Thanks.
>>
>> Best regards
>>
>> --
>> Gonçalo Oliveira
>>
>> --
>> Gonçalo Oliveira
>>
>> --
>> Gonçalo Oliveira
>
> --
> Gonçalo Oliveira

--
Gonçalo Oliveira
_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
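
An added example, not part of the original thread: a small Python check that parses a Shrew Soft site profile carrying the settings reported as working above and lists the ones that current IPsec guidance deprecates. The key names are assumed from Shrew's `type:key:value` profile export and should be verified against your own exported profile; the host name is a placeholder.

```python
# Added example: audit a Shrew Soft site profile for deprecated IKEv1 settings.
# Constructed sample mirroring the settings in the message above; the host is a
# placeholder and the key names are assumed from Shrew's type:key:value export.
SAMPLE_PROFILE = """\
n:version:2
s:network-host:vpn.example.invalid
s:network-natt-mode:force-rfc
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
s:phase2-transform:esp-aes
n:phase2-keylen:128
s:phase2-hmac:md5
n:phase2-pfsgroup:2
s:ipcomp-transform:disabled
"""

WEAK_DH_GROUPS = {1, 2, 5}  # 768/1024/1536-bit MODP groups


def parse_profile(text):
    """Parse 'type:key:value' lines; values of type 'n' become integers."""
    settings = {}
    for line in text.splitlines():
        kind, sep1, rest = line.strip().partition(":")
        key, sep2, value = rest.partition(":")
        if not (sep1 and sep2):
            continue  # blank or malformed line
        settings[key] = int(value) if kind == "n" and value.isdigit() else value
    return settings


def audit(settings):
    """Return (key, reason) pairs for settings that current guidance deprecates."""
    findings = []
    uses_psk = "psk" in str(settings.get("auth-method", ""))
    if settings.get("phase1-exchange") == "aggressive" and uses_psk:
        findings.append(("phase1-exchange",
                         "aggressive mode with a PSK allows offline guessing of the group password"))
    for key in ("phase1-dhgroup", "phase2-pfsgroup"):
        if settings.get(key) in WEAK_DH_GROUPS:
            findings.append((key, f"DH group {settings[key]} is below 2048-bit MODP"))
    if settings.get("phase2-hmac") == "md5":
        findings.append(("phase2-hmac", "HMAC-MD5 is deprecated for ESP integrity"))
    return findings


if __name__ == "__main__":
    for key, reason in audit(parse_profile(SAMPLE_PROFILE)):
        print(f"{key}: {reason}")
```

A finding can only be cleared if the gateway also offers the stronger proposal, since both ends must agree on the Phase 1 and Phase 2 parameters.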
