I'm trying to connect to what I think is a Cisco gateway using Shrew 2.1.7. The Cisco client works fine, but local LAN traffic has been disabled by the sysadmin which is a dealbreaker for me.
The Cisco GUI uses a .pcf file and .p12 certificate to connect. I used OpenSSL to extract the client and CA certs and client private key from the PKCS#12 file. I get the following output in the connect dialogue when connecting:

config loaded for site 'xxxxxx'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

-------------------------------------------------------------------------------------

The redacted .pcf file looks like this:

[main]
Description=VPN connexion
Host=xxx.xxx.xxx.xxx
AuthType=3
GroupName=
GroupPwd=
enc_GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=Mobile Connect
ISPPhonebook=C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=1
CertName=client
CertPath=
CertSubjectName=cn=client,ou=xxxxx,o=xxxxxxxxxxxxxxxxx,st=xxxxxxxxxxxx,c=xx
CertSerialHash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0

-------------------------------------------------------------------------------------

The trace output is as follows:

10/12/01 23:00:57 ## : IKE Daemon, ver 2.1.7
10/12/01 23:00:57 ## : Copyright 2010 Shrew Soft Inc.
10/12/01 23:00:57 ## : This product linked OpenSSL 0.9.8h 28 May 2008
10/12/01 23:00:57 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
10/12/01 23:00:57 ii : rebuilding vnet device list ...
10/12/01 23:00:57 ii : device ROOT\VNET\0000 disabled
10/12/01 23:00:57 ii : network process thread begin ...
10/12/01 23:00:57 ii : pfkey process thread begin ...
10/12/01 23:00:57 ii : ipc server process thread begin ...
10/12/01 23:01:12 ii : ipc client process thread begin ...
10/12/01 23:01:12 <A : peer config add message
10/12/01 23:01:12 DB : peer added ( obj count = 1 )
10/12/01 23:01:12 ii : local address 192.168.1.101 selected for peer
10/12/01 23:01:12 DB : tunnel added ( obj count = 1 )
10/12/01 23:01:12 <A : proposal config message
10/12/01 23:01:12 <A : proposal config message
10/12/01 23:01:12 <A : client config message
10/12/01 23:01:12 <A : xauth username message
10/12/01 23:01:12 <A : xauth password message
10/12/01 23:01:12 <A : remote cert 'C:\Documents and Settings\xxxx\Desktop\server.pem' message
10/12/01 23:01:12 ii : 'C:\Documents and Settings\xxxx\Desktop\server.pem' loaded
10/12/01 23:01:12 <A : local cert 'C:\Documents and Settings\xxxx\Desktop\clientcert.pem' message
10/12/01 23:01:12 ii : 'C:\Documents and Settings\xxxx\Desktop\clientcert.pem' loaded
10/12/01 23:01:12 <A : local key 'C:\Documents and Settings\xxxx\Desktop\clientkey.pem' message
10/12/01 23:01:12 ii : 'C:\Documents and Settings\xxxx\Desktop\clientkey.pem' loaded
10/12/01 23:01:12 <A : peer tunnel enable message
10/12/01 23:01:12 ii : obtained x509 cert subject ( 106 bytes )
10/12/01 23:01:12 DB : new phase1 ( ISAKMP initiator )
10/12/01 23:01:12 DB : exchange type is aggressive
10/12/01 23:01:12 DB : 192.168.1.101:500 <-> xxx.xxx.xxx.xxx:500
10/12/01 23:01:12 DB : 4bb4816e147a3ab7:0000000000000000
10/12/01 23:01:12 DB : phase1 added ( obj count = 1 )
10/12/01 23:01:12 >> : security association payload
10/12/01 23:01:12 >> : - proposal #1 payload
10/12/01 23:01:12 >> : -- transform #1 payload
10/12/01 23:01:12 >> : -- transform #2 payload
10/12/01 23:01:12 >> : -- transform #3 payload
10/12/01 23:01:12 >> : -- transform #4 payload
10/12/01 23:01:12 >> : -- transform #5 payload
10/12/01 23:01:12 >> : -- transform #6 payload
10/12/01 23:01:12 >> : -- transform #7 payload
10/12/01 23:01:12 >> : -- transform #8 payload
10/12/01 23:01:12 >> : -- transform #9 payload
10/12/01 23:01:12 >> : -- transform #10 payload
10/12/01 23:01:12 >> : -- transform #11 payload
10/12/01 23:01:12 >> : -- transform #12 payload
10/12/01 23:01:12 >> : -- transform #13 payload
10/12/01 23:01:12 >> : -- transform #14 payload
10/12/01 23:01:12 >> : -- transform #15 payload
10/12/01 23:01:12 >> : -- transform #16 payload
10/12/01 23:01:12 >> : -- transform #17 payload
10/12/01 23:01:12 >> : -- transform #18 payload
10/12/01 23:01:12 >> : key exchange payload
10/12/01 23:01:12 >> : nonce payload
10/12/01 23:01:12 >> : cert request payload
10/12/01 23:01:12 >> : identification payload
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports XAUTH
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v00 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v01 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v02 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( draft v03 )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports nat-t ( rfc )
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local supports DPDv1
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is SHREW SOFT compatible
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is NETSCREEN compatible
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is SIDEWINDER compatible
10/12/01 23:01:12 >> : vendor id payload
10/12/01 23:01:12 ii : local is CISCO UNITY compatible
10/12/01 23:01:12 >= : cookies 4bb4816e147a3ab7:0000000000000000
10/12/01 23:01:12 >= : message 00000000
10/12/01 23:01:12 -> : send IKE packet 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500 ( 1231 bytes )
10/12/01 23:01:12 DB : phase1 resend event scheduled ( ref count = 2 )
10/12/01 23:01:17 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:22 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:27 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:32 ii : resend limit exceeded for phase1 exchange
10/12/01 23:01:32 ii : phase1 removal before expire time
10/12/01 23:01:32 DB : phase1 deleted ( obj count = 0 )
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : policy not found
10/12/01 23:01:32 DB : tunnel stats event canceled ( ref count = 1 )
10/12/01 23:01:32 DB : removing tunnel config references
10/12/01 23:01:32 DB : removing tunnel phase2 references
10/12/01 23:01:32 DB : removing tunnel phase1 references
10/12/01 23:01:32 DB : tunnel deleted ( obj count = 0 )
10/12/01 23:01:32 DB : removing all peer tunnel refrences
10/12/01 23:01:32 DB : peer deleted ( obj count = 0 )
10/12/01 23:01:32 ii : ipc client process thread exit ...

Any help would be appreciated.
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
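As an added example (not part of the original post and not Shrew Soft's own code): a small Python triage script that parses iked.log lines in the "date time CC : message" layout quoted above and reports how far the aggressive-mode phase 1 exchange got, which for the log above is that a packet was sent and resent three times without anything coming back from the peer. The sample log is a constructed excerpt in that layout, and the assumption that inbound packets are logged with a "<-" category or a "recv IKE packet" message is mine.

```python
import re

# Constructed excerpt of a Shrew Soft iked.log, in the "date time CC : message"
# layout quoted in the post above. Sample data, not the original log verbatim.
SAMPLE_LOG = """\
10/12/01 23:01:12 DB : new phase1 ( ISAKMP initiator )
10/12/01 23:01:12 DB : exchange type is aggressive
10/12/01 23:01:12 DB : 192.168.1.101:500 <-> xxx.xxx.xxx.xxx:500
10/12/01 23:01:12 -> : send IKE packet 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500 ( 1231 bytes )
10/12/01 23:01:17 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:22 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:27 -> : resend 1 phase1 packet(s) 192.168.1.101:500 -> xxx.xxx.xxx.xxx:500
10/12/01 23:01:32 ii : resend limit exceeded for phase1 exchange
10/12/01 23:01:32 DB : phase1 deleted ( obj count = 0 )
"""

# timestamp, two-character category ("DB", "ii", "->", ...), message text
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*)$")


def parse_iked_log(text):
    """Return (timestamp, category, message) tuples; lines that do not match are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage_phase1(records):
    """Summarise how far the IKE phase 1 exchange got, from parsed log records."""
    s = {"exchange": None, "sent": 0, "resent": 0, "received": 0,
         "resend_limit_hit": False}
    for _, cat, msg in records:
        if msg.startswith("exchange type is "):
            s["exchange"] = msg[len("exchange type is "):]   # e.g. "aggressive"
        elif cat == "->" and msg.startswith("send IKE packet"):
            s["sent"] += 1
        elif cat == "->" and msg.startswith("resend "):
            s["resent"] += 1
        elif cat == "<-" or msg.startswith("recv IKE packet"):
            s["received"] += 1                  # assumed inbound-packet marker
        elif msg.startswith("resend limit exceeded"):
            s["resend_limit_hit"] = True
    if s["sent"] and not s["received"]:
        s["verdict"] = "no reply from peer"     # nothing came back on UDP/500
    elif s["resend_limit_hit"]:
        s["verdict"] = "peer replied but exchange stalled"
    else:
        s["verdict"] = "phase1 exchange progressed"
    return s


if __name__ == "__main__":
    for key, value in triage_phase1(parse_iked_log(SAMPLE_LOG)).items():
        print(f"{key:>17}: {value}")
```

Point it at the real iked.log path shown in the trace to check a fresh attempt the same way.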
