Cisco Support Community

New Member

Unable to establish IPSec tunnel between ShrewSoft VPN Client and Cisco

Hello,

I'm trying to establish an IPSec tunnel between ShrewSoft VPN Client v2.1.0 and a Cisco 2611 in a lab environment, but with no luck. The debug shows that the preshared authentication doesn't match (see the attached files). The Cisco VPN IP is 172.16.0.1, the host IP is 192.168.0.2, and no NAT is configured in the lab environment. I checked both the Cisco and VPN client Phase 1 and Phase 2 parameters and the preshared key several times and they seem to match (see the ShrewSoft screenshots). I also tried configuring IPSec using dynamic crypto maps and got the same error. But if I set an IP address as the Local Identity string instead of the VPN group and also set the IP parameters statically in ShrewSoft, it connects successfully. Could you please advise any solution or point to the mistake I've made? Maybe you could also post a working ShrewSoft VPN client configuration?

4 REPLIES
Silver

Re: Unable to establish IPSec tunnel between ShrewSoft VPN Clien

Sorry I don't know about the VPN client you are using, but I wonder if you are missing the ISAKMP pre-shared key under the crypto isakmp client configuration group VPN statement on your router.  HTH

New Member

Re: Unable to establish IPSec tunnel between ShrewSoft VPN Clien

Thanks for the advice. I tried specifying the pre-shared key parameter inside crypto isakmp client configuration group VPN, but that didn't help either. It is very strange, because Cisco and the ShrewSoft IPSec client can't negotiate the phase 1 pre-shared key parameter using an isakmp profile and VPN group. Maybe Cisco doesn't find the pre-shared key and it is possible to somehow specify in crypto isakmp policy to search for the pre-shared key in a certain profile?

Silver

Re: Unable to establish IPSec tunnel between ShrewSoft VPN Clien

I ran some tests in my lab with your configuration and the Cisco VPN client and ran into the same issue with the ISAKMP policy never matching.

I think what you need at minimum is the isakmp authorization list statement, relating to a method list, under your isakmp profile. What I set up was the following, using local authorization:

aaa authorization network default local

crypto isakmp profile TEST
 isakmp authorization list default

If you want the client to have to authenticate, you also add a method list for authentication, and add the following to your isakmp profile, as an example, using local authentication:

aaa authentication login default local

crypto isakmp profile TEST
 client authentication list default

I would also put a "tunnel source" command under your VTI.

HTH
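How the statements from the reply above fit together in one Easy VPN server configuration, as an added example that is not part of the original thread and was not tested against the poster's router or ShrewSoft. The method-list names, user, pool, interface name and crypto parameters are assumptions, and the key and password are placeholders.

```cisco
! Added example, not from the thread. All names and values below are assumptions.
aaa new-model
! Named method lists keep console/vty logins on their own lists;
! a "default" login list would apply to every line without an explicit list.
aaa authentication login VPN-AUTHEN local
aaa authorization network VPN-AUTHOR local
username labuser secret <XAUTH-PASSWORD-PLACEHOLDER>
!
! Phase 1 proposal; must match what the client offers
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Group name is the identity the client sends; its key is the group pre-shared key
crypto isakmp client configuration group VPN
 key <GROUP-PSK-PLACEHOLDER>
 pool VPN-POOL
!
crypto isakmp profile TEST
 match identity group VPN
 ! Xauth user authentication (optional, per the reply)
 client authentication list VPN-AUTHEN
 ! Group authorization lookup (the statement the reply calls the minimum)
 isakmp authorization list VPN-AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile VPN-PROF
 set transform-set TS
 set isakmp-profile TEST
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROF
!
ip local pool VPN-POOL 10.10.10.1 10.10.10.20
```

On the router, `show crypto isakmp profile` and `debug crypto isakmp` show whether the incoming group identity was matched to the profile before the pre-shared key lookup.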

New Member

Re: Unable to establish IPSec tunnel between ShrewSoft VPN Clien

I finally configured the tunnel between ShrewSoft and Cisco 2811. I used dynamic crypto map with client authentication & authorization options as described here http://www.fredshack.com/docs/vpnios.html. Unfortunately I couldn't configure it with ISAKMP profile and Virtual-Template interface. I think it's something to do with the order Cisco tries to negotiate phase 1 parameters. Anyway thanks for your advice and lab testing.
