Unable to establish IPSec tunnel between ShrewSoft VPN Client and Cisco

laotalax579
Level 1

Hello,

I'm trying to establish an IPSec tunnel between ShrewSoft VPN Client v2.1.0 and Cisco 2611 in Lab environment, but with no luck. The debug shows that  the preshared authentication doesn't match (see the attached files). Cisco VPN IP is 172.16.0.1, the host IP - 192.168.0.2, no NAT is configured in Lab environment. I checked both Cisco and VPN client Phase 1 - Phase 2 parameters and preshared key several times and they seem to match (see shrewsoft screenshots). I also tried configuring IPSec using dynamic crypto maps and got the same error. But if I set an IP address as the Local Identity string instead of VPN group and also set the IP parameters statically in ShrewSoft, it connects successfully. Could you please advise any solution or point to the mistake I've made? Maybe you could also post a working shrewsoft vpn client configuration?   

4 Replies

slmansfield
Level 4

Sorry I don't know about the VPN client you are using, but I wonder if you are missing the ISAKMP pre-shared key under the crypto isakmp client configuration group VPN statement on your router.  HTH

Thanks for the advice. I tried specifying the pre-shared key parameter inside crypto isakmp client configuration group VPN, but that didn't help either. It is very strange, because Cisco and the ShrewSoft IPSec client can't negotiate the phase 1 pre-shared key parameter using an isakmp profile and VPN group. Maybe Cisco doesn't find the pre-shared key, and it is possible to somehow specify in crypto isakmp policy to search for the pre-shared key in a certain profile?

I ran some tests in my lab with your configuration and the Cisco VPN client and ran into the same issue with the ISAKMP policy never matching.

I think what you need at minimum is the isakmp authorization list statement, relating to a method list, under your isakmp profile.  What I set up was the following, using local authorization:

aaa authorization network default local
!
crypto isakmp profile TEST
 isakmp authorization list default

If you want the client to have to authenticate, you also add a method list for authentication, and add the following to your isakmp profile, as an example, using local authentication.

aaa authentication login default local
!
crypto isakmp profile TEST
 client authentication list default

I would also put a "tunnel source" command under your VTI.

HTH
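The pieces the reply above lists (network authorization so the router can look up the group key, XAuth login authentication, and a tunnel source on the VTI) put together as one complete router-side configuration. This is an added example, not the original poster's attached config and not slmansfield's lab config. The group name VPN and the addresses 172.16.0.1 / FastEthernet0/0 follow the thread; the pre-shared key, username, pool range, and the profile and list names (VPN-AUTHEN, VPN-AUTHOR, VPN-PROF, VPN-IPSEC, TS) are placeholders chosen for the example.

```cisco
! Added example: ISAKMP profile + Virtual-Template (IPsec VTI) for a
! group-PSK remote-access client. All names and secrets are placeholders.
aaa new-model
! Method lists: the isakmp profile needs a network-authorization list so
! IOS can fetch the group's pre-shared key; the login list is for XAuth.
aaa authentication login VPN-AUTHEN local
aaa authorization network VPN-AUTHOR local
username vpnuser password 0 ChangeMeUserPass
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! The group PSK lives here, not in a "crypto isakmp key" statement;
! it is only found when the profile carries "isakmp authorization list".
crypto isakmp client configuration group VPN
 key ChangeMeGroupPSK
 pool VPN-POOL
!
crypto isakmp profile VPN-PROF
 match identity group VPN
 client authentication list VPN-AUTHEN
 isakmp authorization list VPN-AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VPN-IPSEC
 set transform-set TS
 set isakmp-profile VPN-PROF
!
! Tunnel source is required on the VTI so the template binds to 172.16.0.1.
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IPSEC
!
ip local pool VPN-POOL 10.10.10.1 10.10.10.10
```

On the client side this expects aggressive mode with the group name sent as the local identity (ShrewSoft's Key Identifier type, matching the Cisco VPN client's ID_KEY_ID behaviour), the group PSK as the mutual pre-shared key, and XAuth enabled against the local username. A useful check on the router is "show crypto isakmp sa" for a QM_IDLE entry and "debug crypto isakmp" to confirm the profile VPN-PROF is selected during phase 1.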

I finally configured the tunnel between ShrewSoft and Cisco 2811. I used dynamic crypto map with client authentication & authorization options as described here http://www.fredshack.com/docs/vpnios.html. Unfortunately I couldn't configure it with ISAKMP profile and Virtual-Template interface. I think it's something to do with the order Cisco tries to negotiate phase 1 parameters. Anyway thanks for your advice and lab testing.
