Unable to establish IPSec tunnel between ShrewSoft VPN Client and Cisco

Unanswered Question
Mar 10th, 2010
User Badges:


I'm trying to establish an IPSec tunnel between ShrewSoft VPN Client v2.1.0 and Cisco 2611 in Lab environment, but with no luck. The debug shows that  the preshared authentication doesn't match (see the attached files). Cisco VPN IP is, the host IP -, no NAT is configured in Lab environment. I checked both Cisco and VPN client Phase 1 - Phase 2 parameters and preshared key several times and they seem to match (see shrewsoft screenshots). I also tried configuring IPSec using dynamic crypto maps and got the same error. But if I set an IP address as the Local Identity string instead of VPN group and also set the IP parameters statically in ShrewSoft, it connects successfully. Could you please advise any solution or point to the mistake I've made? Maybe you could also post a working shrewsoft vpn client configuration?   

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
slmansfield Wed, 03/10/2010 - 10:36
User Badges:
  • Silver, 250 points or more

Sorry I don't know about the VPN client you are using, but I wonder if you are missing the ISAKMP pre-shared key under the crypto isakmp client configuration group VPN statement on your router.  HTH

laotalax579 Sun, 03/14/2010 - 04:52
User Badges:

Thanks for the advice. I tried specifying pre-shared key parameter inside crypto isakmp client configuration group VPN, but that didn't help also. It is very strange, because Cisco and Shrewsoft IPSec client can't negotiate phase 1 pre-shared key parameter using isakmp profile and vpn group. Maybe Cisco doesn't find pre-shared key and it is possible to somehow specify in crypto isakmp policy to search for pre-shared key in a certain profile?

slmansfield Mon, 03/15/2010 - 09:08
User Badges:
  • Silver, 250 points or more

I ran some tests in my lab with your configuration and the Cisco VPN client and ran into the same issue with the ISAKMP policy never matching.

I think what you need at mimimum is the isakmp authorization list statement, relating to a method list, under your isakmp profile.  What I set up was the following, using local authorization:

aaa authorization network default local

crypto isakmp profile TEST

isakmp authorization list default

If you want the client to have to authenticate, you also add a method list for authentication, and add the following to your isakmp profile, as an example, using local authentication.

aaa authentication default local

crypto isakmp profile TEST

cleint authentication list default

I would also put a "tunnel source" command under your VTI.


laotalax579 Fri, 03/19/2010 - 03:45
User Badges:

I finally configured the tunnel between ShrewSoft and Cisco 2811. I used dynamic crypto map with client authentication & authorization options as described here http://www.fredshack.com/docs/vpnios.html. Unfortunately I couldn't configure it with ISAKMP profile and Virtual-Template interface. I think it's something to do with the order Cisco tries to negotiate phase 1 parameters. Anyway thanks for your advice and lab testing.


This Discussion

Related Content