I am using the ShrewSoft VPN client to connect to the MFE via VPN. It works sometimes and other times it does not. I have a couple of other people testing this as well, with the same results. I am using certificates along with XAUTH via Active Directory. Sometimes it works great, just as intended; other times not at all; and sometimes it will connect but never show an established connection. I do see the following errors in the audits on occasion:
2013-03-26 12:36:21 -0700 f_isakmp_daemon a_vpn t_error p_major
pid: 1685 logid: 0 cmd: 'ikmpd' hostname: VERWALL.vertech.local
cky_i: de8336d5c8e7c3f7 cky_r: 2e6f31073ec80284 msg_id: 9b8e93ff
local_gw: xx.xx.xx.xx remote_gw: xx.xx.xx.xx
information: [detailed info]
QUICK_MODE exchange processing failed
invalid request for QUICK_MODE exchange, no IKE SA exists which matches request
I am not sure why it only works intermittently. Has anyone else had trouble like this? I am wondering whether it is a ShrewSoft thing or an MFE problem. Has anyone been successful using ShrewSoft consistently without issues? If so, what version? My MFE is v8.3.
My personal suggestion would be to try a less complex authentication method to start with (pre-shared key instead of the certificate) and see if this increases reliability. If it does, it could be something to do with the certificates you are using.
You can also consider increasing the logging level for the ISAKMP service, as this may help you to understand better why the Firewall believes there is no matching security association at that time. The suggestion is that the ShrewSoft client is sending different information from what the Firewall is expecting and, as a result, it cannot match the request to any configured SA. Increasing the logging on ISAKMP could tell you a bit more about what is going on. Once you've established a possible cause, you can return the logging level to normal.
While I don't believe it is officially supported by McAfee, I think you will find there are a couple of KB articles concerning the configuration and use of the ShrewSoft client, and I'm pretty sure I've seen it being discussed in this forum previously. Type "Shrewsoft" into the search field in the top right-hand corner of the forum and it should return all the previous discussions on this subject.
Message was edited by: PhilM on 27/03/13 08:39:30 GMT
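Before raising the ISAKMP logging level, it helps to see what the existing audit entries already say. The script below is an added example and is not code from the thread or from McAfee: it parses records in the multi-line layout quoted in the question (timestamp header line, then `key: value` lines, then free-text messages), keeps only the "no IKE SA exists which matches request" rejections, and groups them per remote peer by the cky_i/cky_r cookie pair. In IKEv1 that cookie pair identifies the phase-1 (ISAKMP) SA a Quick Mode message claims to run under, so the same pair recurring across rejections from one peer means the client kept sending phase 2 under a phase-1 SA the firewall does not hold, whereas a fresh pair for every rejection points at phase 1 itself never completing. The sample export, the peer addresses (documentation ranges), the cookies and the msg_ids are constructed for the demonstration, and the assumption that an exported record keeps this exact layout is mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit export in the multi-line layout quoted in the
# question. Assumption: each record starts with a timestamp line and the
# lines that follow belong to it until the next timestamp line. Addresses,
# cookies and msg_ids are invented for the demonstration.
SAMPLE_AUDIT = """\
2013-03-26 12:36:21 -0700 f_isakmp_daemon a_vpn t_error p_major
pid: 1685 logid: 0 cmd: 'ikmpd' hostname: VERWALL.vertech.local
cky_i: de8336d5c8e7c3f7 cky_r: 2e6f31073ec80284 msg_id: 9b8e93ff
local_gw: 203.0.113.1 remote_gw: 198.51.100.7
information: [detailed info]
QUICK_MODE exchange processing failed
invalid request for QUICK_MODE exchange, no IKE SA exists which matches request
2013-03-26 12:36:24 -0700 f_isakmp_daemon a_vpn t_error p_major
pid: 1685 logid: 0 cmd: 'ikmpd' hostname: VERWALL.vertech.local
cky_i: de8336d5c8e7c3f7 cky_r: 2e6f31073ec80284 msg_id: 41aa0c02
local_gw: 203.0.113.1 remote_gw: 198.51.100.7
information: [detailed info]
QUICK_MODE exchange processing failed
invalid request for QUICK_MODE exchange, no IKE SA exists which matches request
2013-03-26 12:40:02 -0700 f_isakmp_daemon a_vpn t_error p_major
pid: 1685 logid: 0 cmd: 'ikmpd' hostname: VERWALL.vertech.local
cky_i: 7c11f0a9e2b35d40 cky_r: 9a0e8d2f5b6c1a33 msg_id: 0f2e11d7
local_gw: 203.0.113.1 remote_gw: 198.51.100.22
information: [detailed info]
QUICK_MODE exchange processing failed
invalid request for QUICK_MODE exchange, no IKE SA exists which matches request
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4} ")
KEY_VALUE = re.compile(r"(\w+): ('[^']*'|\S+)")
NO_IKE_SA = "no IKE SA exists which matches request"


def split_records(text):
    """Cut the export into records: one timestamp line plus its continuation lines."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append(current)
            current = []
        current.append(line)
    if current:
        records.append(current)
    return records


def parse_record(lines):
    """Turn one record into a dict: header fields, key/value pairs, free-text messages."""
    header = lines[0].split()
    rec = {
        "time": datetime.strptime(" ".join(header[:3]), "%Y-%m-%d %H:%M:%S %z"),
        "facility": header[3], "area": header[4],
        "type": header[5], "priority": header[6],
        "messages": [],
    }
    for line in lines[1:]:
        if line.startswith("information: "):      # value may contain spaces
            rec["information"] = line[len("information: "):]
            continue
        pairs = KEY_VALUE.findall(line)
        if pairs:
            rec.update((k, v.strip("'")) for k, v in pairs)
        else:                                     # e.g. "QUICK_MODE exchange processing failed"
            rec["messages"].append(line)
    return rec


def phase2_rejections(records):
    """Records where Quick Mode was refused because no matching ISAKMP SA was found."""
    return [r for r in records if any(NO_IKE_SA in m for m in r["messages"])]


def summarize(records):
    """Per remote peer: rejection count and time span for each cky_i/cky_r pair."""
    summary = defaultdict(dict)
    for r in phase2_rejections(records):
        key = (r["cky_i"], r["cky_r"])
        entry = summary[r["remote_gw"]].setdefault(
            key, {"count": 0, "first": r["time"], "last": r["time"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], r["time"])
        entry["last"] = max(entry["last"], r["time"])
    return dict(summary)


def analyze(text):
    return summarize(parse_record(r) for r in split_records(text))


if __name__ == "__main__":
    for peer, pairs in analyze(SAMPLE_AUDIT).items():
        for (cky_i, cky_r), e in pairs.items():
            print(f"{peer}  cky_i={cky_i} cky_r={cky_r}  {e['count']} rejection(s) "
                  f"between {e['first']:%H:%M:%S} and {e['last']:%H:%M:%S}")
```

Run it against an audit export filtered to `f_isakmp_daemon`; a peer whose single cookie pair racks up rejections seconds apart is a client retrying phase 2 against an ISAKMP SA the firewall has already dropped or never finished, which is the case where the more verbose ISAKMP log (and a packet capture of the phase-1 exchange for that peer) will show what the two sides disagree on.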
I have read through that post before. I am required to use a single certificate with XAUTH to authenticate users against Active Directory. Like I said, it works some of the time and other times it does not. Not sure what the deal is. I will enable verbose logging and see what it shows.