03-10-2010 09:31 AM - edited 02-21-2020 04:32 PM
Hello,
I'm trying to establish an IPSec tunnel between ShrewSoft VPN Client v2.1.0 and Cisco 2611 in Lab environment, but with no luck. The debug shows that the preshared authentication doesn't match (see the attached files). Cisco VPN IP is 172.16.0.1, the host IP - 192.168.0.2, no NAT is configured in Lab environment. I checked both Cisco and VPN client Phase 1 - Phase 2 parameters and preshared key several times and they seem to match (see shrewsoft screenshots). I also tried configuring IPSec using dynamic crypto maps and got the same error. But if I set an IP address as the Local Identity string instead of VPN group and also set the IP parameters statically in ShrewSoft, it connects successfully. Could you please advise any solution or point to the mistake I've made? Maybe you could also post a working shrewsoft vpn client configuration?
03-10-2010 10:36 AM
Sorry I don't know about the VPN client you are using, but I wonder if you are missing the ISAKMP pre-shared key under the crypto isakmp client configuration group VPN statement on your router. HTH
03-14-2010 04:52 AM
Thanks for the advice. I tried specifying the pre-shared key parameter inside crypto isakmp client configuration group VPN, but that didn't help either. It is very strange, because Cisco and the Shrewsoft IPSec client can't negotiate the phase 1 pre-shared key parameter using an isakmp profile and vpn group. Maybe Cisco doesn't find the pre-shared key, and it is possible to somehow specify in crypto isakmp policy to search for the pre-shared key in a certain profile?
03-15-2010 09:08 AM
I ran some tests in my lab with your configuration and the Cisco VPN client and ran into the same issue with the ISAKMP policy never matching.
I think what you need at minimum is the isakmp authorization list statement, relating to a method list, under your isakmp profile. What I set up was the following, using local authorization:
aaa authorization network default local
crypto isakmp profile TEST
 isakmp authorization list default
If you want the client to have to authenticate, you also add a method list for authentication, and add the following to your isakmp profile, as an example, using local authentication.
aaa authentication login default local
crypto isakmp profile TEST
 client authentication list default
I would also put a "tunnel source" command under your VTI.
HTH
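As an added example (not posted by anyone in this thread), here is a complete IOS EzVPN server configuration that ties together the pieces the reply above lists: the ISAKMP profile with both the authorization and the authentication method lists, the client configuration group that holds the group pre-shared key, and a dynamic VTI with an explicit tunnel source. The interface name FastEthernet0/0 (assumed to carry 172.16.0.1, the router address from the thread), the pool range, the user name and the key placeholders are all assumptions.

```text
! Added example: IOS EzVPN server with ISAKMP profile and dynamic VTI.
! Assumed: FastEthernet0/0 holds 172.16.0.1; pool, names and keys are placeholders.
aaa new-model
aaa authentication login VPN-AUTH local
aaa authorization network VPN-AUTHOR local
username vpnuser secret REPLACE-WITH-USER-PASSWORD
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! The group name must equal the Local Identity (key id) string the
! ShrewSoft client sends in aggressive mode; the group key lives here,
! not in the isakmp policy.
crypto isakmp client configuration group VPN
 key REPLACE-WITH-GROUP-PSK
 pool VPN-POOL
!
! Network authorization is what lets the router look up the group above
! (and its key) during phase 1; client authentication adds XAUTH.
crypto isakmp profile VPN-PROF
 match identity group VPN
 client authentication list VPN-AUTH
 isakmp authorization list VPN-AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-IPSEC
 set transform-set VPN-TS
 set isakmp-profile VPN-PROF
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IPSEC
!
ip local pool VPN-POOL 10.10.10.1 10.10.10.50
```

After the client connects, `show crypto isakmp sa` and `show crypto session` show the phase 1 and phase 2 state, and `debug crypto isakmp` shows which profile and group the router matched on the incoming identity. Because the group pre-shared key is used in aggressive mode, it is exposed to offline guessing by anyone who can observe the exchange; use a long random value or switch the policy to rsa-sig with certificates outside a lab.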
03-19-2010 03:45 AM
I finally configured the tunnel between ShrewSoft and Cisco 2811. I used a dynamic crypto map with the client authentication & authorization options as described here http://www.fredshack.com/docs/vpnios.html. Unfortunately I couldn't configure it with an ISAKMP profile and Virtual-Template interface. I think it's something to do with the order in which Cisco tries to negotiate phase 1 parameters. Anyway, thanks for your advice and lab testing.