64-bit VPN client for Cisco VPN router with RSA certificate authentication

Status
Not open for further replies.

netgirl (Beta member, 1 message)
I'm looking for a VPN client for a 64-bit operating system that would work with Cisco.

My VPN gateway is a Cisco router that is configured for RSA+XAuth.

So far I've tried the NCP Entry Client, the Greenbow VPN client and the ShrewSoft VPN client. I'm able to get the connection working with pre-shared keys. However, I'm having problems with getting certificate authentication working. I've tried using the same certificate with the Cisco VPN client and I get connected. When I use the same certificate with the three other VPN clients, there seems to be a problem with the issuer certificate. Any help will be appreciated!

Here's the debug from the router:

2098146: Jul 17 2009 09:28:20.285: ISAKMP:(0): AM Fragmentation supported
2098147: Jul 17 2009 09:28:20.285: ISAKMP:(0): processing vendor id payload
2098148: Jul 17 2009 09:28:20.285: ISAKMP:(0): vendor ID seems Unity/DPD but major 83 mismatch
2098149: Jul 17 2009 09:28:20.285: ISAKMP:(0): processing vendor id payload
2098150: Jul 17 2009 09:28:20.285: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
2098151: Jul 17 2009 09:28:20.285: ISAKMP:(0): processing vendor id payload
2098152: Jul 17 2009 09:28:20.285: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
2098153: Jul 17 2009 09:28:20.285: ISAKMP:(0):found peer pre-shared key matching 10.21.103.1
2098154: Jul 17 2009 09:28:20.285: ISAKMP:(0): local preshared key found
2098155: Jul 17 2009 09:28:20.285: ISAKMP:(0): Authentication by xauth preshared
2098156: Jul 17 2009 09:28:20.289: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
2098157: Jul 17 2009 09:28:20.289: ISAKMP: encryption 3DES-CBC
2098158: Jul 17 2009 09:28:20.289: ISAKMP: hash SHA
2098159: Jul 17 2009 09:28:20.289: ISAKMP: default group 2
2098160: Jul 17 2009 09:28:20.289: ISAKMP: auth XAUTHInitRSA
2098161: Jul 17 2009 09:28:20.289: ISAKMP: life type in seconds
2098162: Jul 17 2009 09:28:20.289: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
2098163: Jul 17 2009 09:28:20.289: ISAKMP:(0):atts are acceptable. Next payload is 0
2098164: Jul 17 2009 09:28:20.289: ISAKMP:(0):Acceptable atts:actual life: 0
2098165: Jul 17 2009 09:28:20.289: ISAKMP:(0):Acceptable atts:life: 0
2098166: Jul 17 2009 09:28:20.289: ISAKMP:(0):Fill atts in sa vpi_length:4
2098167: Jul 17 2009 09:28:20.289: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
2098168: Jul 17 2009 09:28:20.289: CRYPTO_PKI: Identity not specified for session E0541
2098169: Jul 17 2009 09:28:20.289: ISAKMP:(0):Returning Actual lifetime: 86400
2098170: Jul 17 2009 09:28:20.289: ISAKMP:(0)::Started lifetime timer: 86400.

2098171: Jul 17 2009 09:28:20.289: ISAKMP:(0): processing vendor id payload
2098172: Jul 17 2009 09:28:20.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 21 mismatch
2098173: Jul 17 2009 09:28:20.289: ISAKMP:(0): vendor ID is XAUTH
2098174: Jul 17 2009 09:28:20.289: ISAKMP:(0): processing vendor id payload
2098175: Jul 17 2009 09:28:20.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
2098176: Jul 17 2009 09:28:20.289: ISAKMP:(0): processing vendor id payload
2098177: Jul 17 2009 09:28:20.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
2098178: Jul 17 2009 09:28:20.289: ISAKMP:(0): processing vendor id payload
2098179: Jul 17 2009 09:28:20.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
2098180: Jul 17 2009 09:28:20.289: ISAKMP:(0): vendor ID is NAT-T v2
2098181: Jul 17 2009 09:28:20.289: ISAKMP:(0): processing vendor id payload
2098182: Jul 17 2009 09:28:20.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
2098183: Jul 17 2009 09:28:20.293: ISAKMP:(0): vendor ID is NAT-T v3
2098184: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing vendor id payload
2098185: Jul 17 2009 09:28:20.293: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
2098186: Jul 17 2009 09:28:20.293: ISAKMP:(0): vendor ID is NAT-T RFC 3947
2098187: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing vendor id payload
2098188: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing IKE frag vendor id payload
2098189: Jul 17 2009 09:28:20.293: ISAKMP:(0): vendor ID is IKE Fragmentation
2098190: Jul 17 2009 09:28:20.293: ISAKMP:(0): MM Fragmentation supported
2098191: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing vendor id payload
2098192: Jul 17 2009 09:28:20.293: ISAKMP:(0): vendor ID is DPD
2098193: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing vendor id payload
2098194: Jul 17 2009 09:28:20.293: ISAKMP:(0): vendor ID seems Unity/DPD but major 237 mismatch
2098195: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing vendor id payload
2098196: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing IKE frag vendor id payload
2098197: Jul 17 2009 09:28:20.293: ISAKMP:(0): AM Fragmentation supported
2098198: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing vendor id payload
2098199: Jul 17 2009 09:28:20.293: ISAKMP:(0): vendor ID seems Unity/DPD but major 83 mismatch
2098200: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing vendor id payload
2098201: Jul 17 2009 09:28:20.293: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
2098202: Jul 17 2009 09:28:20.293: ISAKMP:(0): processing vendor id payload
2098203: Jul 17 2009 09:28:20.293: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
2098204: Jul 17 2009 09:28:20.293: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
2098205: Jul 17 2009 09:28:20.293: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

2098206: Jul 17 2009 09:28:20.297: ISAKMP:(0):sending IKE_FRAG vendor ID
2098207: Jul 17 2009 09:28:20.297: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
2098208: Jul 17 2009 09:28:20.297: ISAKMP:(0): sending packet to 10.21.103.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
2098209: Jul 17 2009 09:28:20.297: ISAKMP:(0):Sending an IKE IPv4 Packet.
2098210: Jul 17 2009 09:28:20.297: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
2098211: Jul 17 2009 09:28:20.297: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

2098212: Jul 17 2009 09:28:20.321: ISAKMP (0): received packet from 10.21.103.1 dport 500 sport 500 Global (R) MM_SA_SETUP
2098213: Jul 17 2009 09:28:20.321: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
2098214: Jul 17 2009 09:28:20.321: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

2098215: Jul 17 2009 09:28:20.321: ISAKMP:(0): processing KE payload. message ID = 0
2098216: Jul 17 2009 09:28:20.377: ISAKMP:(0): processing NONCE payload. message ID = 0
2098217: Jul 17 2009 09:28:20.377: ISAKMP:(1071): processing CERT_REQ payload. message ID = 0
2098218: Jul 17 2009 09:28:20.377: ISAKMP:(1071): peer wants a CT_X509_SIGNATURE cert
2098219: Jul 17 2009 09:28:20.381: ISAKMP:(1071): issuer not specified in cert request
2098220: Jul 17 2009 09:28:20.381: ISAKMP:received payload type 20
2098221: Jul 17 2009 09:28:20.381: ISAKMP (1071): His hash no match - this node outside NAT
2098222: Jul 17 2009 09:28:20.381: ISAKMP:received payload type 20
2098223: Jul 17 2009 09:28:20.381: ISAKMP (1071): No NAT Found for self or peer
2098224: Jul 17 2009 09:28:20.381: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
2098225: Jul 17 2009 09:28:20.381: ISAKMP:(1071):Old State = IKE_R_MM3  New State = IKE_R_MM3

2098226: Jul 17 2009 09:28:20.381: ISAKMP (1071): constructing CERT_REQ for issuer cn=Flipper,dc=domain,dc=hac
2098227: Jul 17 2009 09:28:20.381: ISAKMP:(1071): sending packet to 10.21.103.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
2098228: Jul 17 2009 09:28:20.381: ISAKMP:(1071):Sending an IKE IPv4 Packet.
2098229: Jul 17 2009 09:28:20.381: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
2098230: Jul 17 2009 09:28:20.381: ISAKMP:(1071):Old State = IKE_R_MM3  New State = IKE_R_MM4

2098231: Jul 17 2009 09:28:20.457: ISAKMP (1071): received packet from 10.21.103.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
2098232: Jul 17 2009 09:28:20.457: ISAKMP:(1071):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
2098233: Jul 17 2009 09:28:20.457: ISAKMP:(1071):Old State = IKE_R_MM4  New State = IKE_R_MM5

2098234: Jul 17 2009 09:28:20.461: ISAKMP:(1071): processing ID payload. message ID = 0
2098235: Jul 17 2009 09:28:20.461: ISAKMP (1071): ID payload
        next-payload : 6
        type         : 11
        group id     : vpnclient
        protocol     : 0
        port         : 0
        length       : 17
2098236: Jul 17 2009 09:28:20.461: ISAKMP:(0):: peer matches VPNclient profile
2098237: Jul 17 2009 09:28:20.461: ISAKMP:(1071):(Re)Setting client xauth list ClientAuth and state
2098238: Jul 17 2009 09:28:20.461: ISAKMP/xauth: initializing AAA request
2098239: Jul 17 2009 09:28:20.461: ISAKMP:(1071): processing CERT payload. message ID = 0
2098240: Jul 17 2009 09:28:20.461: ISAKMP:(1071): processing a CT_X509_SIGNATURE cert
2098241: Jul 17 2009 09:28:20.461: CRYPTO_PKI: Adding peer certificate
2098242: Jul 17 2009 09:28:20.469: CRYPTO_PKI: Added x509 peer certificate - (1594) bytes
2098243: Jul 17 2009 09:28:20.469: ISAKMP:(1071): peer's pubkey is cached
2098244: Jul 17 2009 09:28:20.469: CRYPTO_PKI: Found public key in hash table. Bypassing certificate validation
2098245: Jul 17 2009 09:28:20.477: CRYPTO_PKI: Validation TP is holdac
2098246: Jul 17 2009 09:28:20.477: CRYPTO_PKI: Certificate validation succeeded
2098247: Jul 17 2009 09:28:20.481: ISAKMP:(1071):Profile has no keyring, aborting key search
2098248: Jul 17 2009 09:28:20.481: ISAKMP:(1071):(Re)Setting client xauth list ClientAuth and state
2098249: Jul 17 2009 09:28:20.481: ISAKMP/xauth: initializing AAA request
2098250: Jul 17 2009 09:28:20.481: ISAKMP:(1071): processing SIG payload. message ID = 0
2098251: Jul 17 2009 09:28:20.501: ISAKMP:(1071):SA authentication status: authenticated
2098252: Jul 17 2009 09:28:20.501: ISAKMP:(1071):SA has been authenticated with 10.21.103.1
2098253: Jul 17 2009 09:28:20.501: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
2098254: Jul 17 2009 09:28:20.501: ISAKMP:(1071):Old State = IKE_R_MM5  New State = IKE_R_MM5

2098255: Jul 17 2009 09:28:20.501: ISAKMP:(1071):Unable to get router cert or routerdoes not have a cert: needed to find DN!
2098256: Jul 17 2009 09:28:20.501: ISAKMP:(1071):SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
2098257: Jul 17 2009 09:28:20.501: ISAKMP (1071): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : holdac.test.com
        protocol     : 17
        port         : 500
        length       : 31
2098258: Jul 17 2009 09:28:20.501: ISAKMP:(1071):Total payload length: 31
2098259: Jul 17 2009 09:28:20.501: ISAKMP (1071): no cert chain to send to peer
2098260: Jul 17 2009 09:28:20.501: ISAKMP (1071): peer did not specify issuer and no suitable profile found
2098261: Jul 17 2009 09:28:20.501: ISAKMP (1071): FSM action returned error: 2
2098262: Jul 17 2009 09:28:20.501: ISAKMP:(1071):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
2098263: Jul 17 2009 09:28:20.501: ISAKMP:(1071):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

2098264: Jul 17 2009 09:28:40.182: %FW-6-DROP_PKT: Dropping tcp session 65.125.191.100:32858 157.166.224.106:80 due to RST inside current window with ip ident 30265 tcpflags 0x5014 seq.no 3526103546 ack 2067010721
2098265: Jul 17 2009 09:29:16.844: %FW-6-DROP_PKT: Dropping tcp session 66.92.56.3:25 65.125.191.70:42722 due to Stray Segment with ip ident 14040 tcpflags 0x8010 seq.no 3580505202 ack 3872983390
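Editor's added example (not the poster's code, and not a Cisco tool): a small standard-library Python script that triages the kind of `debug crypto isakmp` capture posted above. It strips the IOS sequence/timestamp prefix, pulls out the facts that decide this failure (peer, negotiated auth method, main-mode state transitions, whether the client's CERT_REQ named an issuer, whether the router sent a cert chain, whether the peer certificate was actually re-validated or served from the public-key cache, and the FSM error) and turns them into findings a practitioner can act on. `SAMPLE_LOG` is a constructed, trimmed copy of the lines above with normal IOS line formatting. The remediation hint about binding a trustpoint to the matched ISAKMP profile with `ca trust-point` is my reading of the log, not something the post states.

```python
"""Triage a Cisco IOS 'debug crypto isakmp' capture for an IKEv1 RSA-sig + XAUTH
main-mode failure.  Standard library only.  SAMPLE_LOG is a constructed, trimmed
copy of the debug lines in the post above, with the usual IOS line formatting."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
2098153: Jul 17 2009 09:28:20.285: ISAKMP:(0):found peer pre-shared key matching 10.21.103.1
2098160: Jul 17 2009 09:28:20.289: ISAKMP: auth XAUTHInitRSA
2098211: Jul 17 2009 09:28:20.297: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
2098212: Jul 17 2009 09:28:20.321: ISAKMP (0): received packet from 10.21.103.1 dport 500 sport 500 Global (R) MM_SA_SETUP
2098218: Jul 17 2009 09:28:20.377: ISAKMP:(1071): peer wants a CT_X509_SIGNATURE cert
2098219: Jul 17 2009 09:28:20.381: ISAKMP:(1071): issuer not specified in cert request
2098226: Jul 17 2009 09:28:20.381: ISAKMP (1071): constructing CERT_REQ for issuer cn=Flipper,dc=domain,dc=hac
2098236: Jul 17 2009 09:28:20.461: ISAKMP:(0):: peer matches VPNclient profile
2098244: Jul 17 2009 09:28:20.469: CRYPTO_PKI: Found public key in hash table. Bypassing certificate validation
2098246: Jul 17 2009 09:28:20.477: CRYPTO_PKI: Certificate validation succeeded
2098247: Jul 17 2009 09:28:20.481: ISAKMP:(1071):Profile has no keyring, aborting key search
2098252: Jul 17 2009 09:28:20.501: ISAKMP:(1071):SA has been authenticated with 10.21.103.1
2098255: Jul 17 2009 09:28:20.501: ISAKMP:(1071):Unable to get router cert or routerdoes not have a cert: needed to find DN!
2098259: Jul 17 2009 09:28:20.501: ISAKMP (1071): no cert chain to send to peer
2098260: Jul 17 2009 09:28:20.501: ISAKMP (1071): peer did not specify issuer and no suitable profile found
2098261: Jul 17 2009 09:28:20.501: ISAKMP (1071): FSM action returned error: 2
2098263: Jul 17 2009 09:28:20.501: ISAKMP:(1071):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
"""

# "<seq>: <Mon> <d> <yyyy> <hh:mm:ss.mmm>: " prefix IOS puts on every buffered log line
SEQ_PREFIX = re.compile(r"^\d+: \w{3} +\d+ \d{4} [\d:.]+: ")


@dataclass
class IkeDiagnosis:
    peer: Optional[str] = None
    auth_method: Optional[str] = None                  # from the accepted transform, e.g. XAUTHInitRSA
    psk_matched: bool = False                          # router also found a pre-shared key for the peer
    states: List[str] = field(default_factory=list)    # "New State" values, in order
    client_certreq_without_issuer: bool = False        # client CERT_REQ carried no issuer DN
    router_certreq_issuer: Optional[str] = None        # issuer the router asked the client for
    matched_profile: Optional[str] = None
    validation_bypassed: bool = False                  # peer pubkey served from cache, chain not re-checked
    profile_without_keyring: bool = False
    no_cert_chain_sent: bool = False
    fsm_error: Optional[int] = None

    def findings(self) -> List[str]:
        """Plain-language reading of the captured facts (an interpretation, not an IOS error table)."""
        out = []
        if self.client_certreq_without_issuer and self.no_cert_chain_sent:
            out.append(
                "client CERT_REQ named no issuer and the router sent no certificate chain: "
                f"check that profile {self.matched_profile or '?'} binds the trustpoint that "
                "issued the router certificate (crypto isakmp profile ... ca trust-point)")
        if self.validation_bypassed:
            out.append("peer certificate was NOT freshly validated on this attempt (public key "
                       "served from cache); do not read 'validation succeeded' as a chain check")
        if self.psk_matched and self.auth_method and "RSA" in self.auth_method:
            out.append("a pre-shared key also matched this peer while RSA-sig was negotiated; "
                       "check for an overlapping keyring / wildcard PSK")
        if self.fsm_error is not None:
            last = self.states[-1] if self.states else "?"
            out.append(f"phase 1 ended with FSM error {self.fsm_error} (last state {last})")
        return out


def diagnose(log_text: str) -> IkeDiagnosis:
    """Walk the capture once; message patterns are matched after the prefix is stripped,
    so the ISAKMP:(n): / ISAKMP (n): prefix variants do not matter."""
    d = IkeDiagnosis()
    for raw in log_text.splitlines():
        msg = SEQ_PREFIX.sub("", raw.strip())
        if m := re.search(r"received packet from (\d+\.\d+\.\d+\.\d+)", msg):
            d.peer = m.group(1)
        elif m := re.search(r"\bauth (\S+)$", msg):
            d.auth_method = m.group(1)
        elif "found peer pre-shared key matching" in msg:
            d.psk_matched = True
        elif m := re.search(r"Old State = (\S+)\s+New State = (\S+)", msg):
            d.states.append(m.group(2))
        elif "issuer not specified in cert request" in msg:
            d.client_certreq_without_issuer = True
        elif m := re.search(r"constructing CERT_REQ for issuer (.+)$", msg):
            d.router_certreq_issuer = m.group(1).strip()
        elif m := re.search(r"peer matches (\S+) profile", msg):
            d.matched_profile = m.group(1)
        elif "Bypassing certificate validation" in msg:
            d.validation_bypassed = True
        elif "Profile has no keyring" in msg:
            d.profile_without_keyring = True
        elif "no cert chain to send to peer" in msg:
            d.no_cert_chain_sent = True
        elif m := re.search(r"FSM action returned error: (\d+)", msg):
            d.fsm_error = int(m.group(1))
    return d


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG).findings():
        print("-", line)
```

Run it on the full capture (`python3 ike_triage.py < debug.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the four findings it produces are the ones worth checking first: the router had a valid trustpoint (`Validation TP is holdac`) yet sent no chain once the client omitted the issuer, the "validation succeeded" line came from a cached public key rather than a fresh chain check, and a pre-shared key matched the same peer that negotiated RSA-sig.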
 