29 Replies Latest reply: Aug 21, 2013 6:46 AM by dpbpc62

    ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1

    dpbpc62

      I'm having an issue with the ShrewSoft VPN Client using XAuth to RADIUS (securid)

       

      In the VPN Definition for XAuth you have to use remote identities. Does this mean you have to create all the users that will be using RSA tokens?

       

      Like I said I'm having trouble connecting the dots... I can get the ShrewSoft to work with certificates, but have little to no documentation on using XAuth and RADIUS.

       

      Has anyone out there used the MFE VPN with XAuth/RADIUS?

       

      Thanks

       

      Dana

        • 1. Re: ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1
          mtuma

          Hello,

           

          If you have configured and successfully set up ShrewSoft with certificates, then adding XAUTH should be pretty easy. All you need to do is configure the following:

           

          Network>VPN Configuration>ISAKMP Server and make sure you have the correct XAUTH Method configured.

           

          In the VPN definition itself, make sure you select a Method with XAUTH in it. If you are using XAUTH and single certificate then no identities are necessary.

           

          Configure ShrewSoft to use XAUTH.

           

          If the Authenticator is configured properly then it should prompt you and should be able to authenticate and get in to the VPN.

           

           

          FYI, the identities are totally independent of XAUTH authentication. You do not need to create users for all the people with tokens.

           

          -Matt

          • 2. Re: ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1
            dpbpc62

            Thanks Matt, I will go and test this out

            • 3. Re: ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1
              dpbpc62

              Hey Matt,

               

              OK, now something weird is happening. I'm not getting past phase 1; below is the error from a showaudit -k

               

              2013-08-02 12:26:58 -0400 f_isakmp_daemon a_vpn t_debug p_minor
              pid: 3066 logid: 0 cmd: 'ikmpd' hostname: fw.ca
              information: ##### - in udp_read

               

              2013-08-02 12:26:58 -0400 f_isakmp_daemon a_vpn t_debug p_minor
              pid: 3066 logid: 0 cmd: 'ikmpd' hostname: fw.ca
              information: ##### - in exchange_error

               

              2013-08-02 12:26:58 -0400 f_isakmp_daemon a_vpn t_debug p_minor
              pid: 3066 logid: 0 cmd: 'ikmpd' hostname: fw.ca
              information: ##### - in process_error_queue

               

              2013-08-02 12:26:58 -0400 f_isakmp_daemon a_vpn t_error p_major
              pid: 3066 logid: 0 cmd: 'ikmpd' hostname: fw.ca
              cky_i: 721abdea8a3de098 cky_r: 0000000000000000 local_gw: x.x.x.x
              remote_gw: x.x.x.x
              information: [detailed info]
                [error]
                  AGGRESSIVE_MODE exchange processing failed
                [error]
                  Received exchange type (AGGRESSIVE_MODE) not supported by policy, packet dropped

               

              It is weird because I do have an ISAKMP Server rule.

               

              Not sure what is going on.

               

              Dana

              • 4. Re: ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1
                mtuma

                Hello,

                 

                Those messages are actually indicating that the ISAKMP server has received a VPN negotiation attempt, so your ACL rule is just fine.

                 

                What it seems to be saying is that it received an Aggressive mode request and the firewall is set up to only allow main mode? Can you double check the "Advanced" tab of the VPN?

                 

                -Matt

                • 5. Re: ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1
                  dpbpc62

                  You are correct, but when I force the ShrewSoft VPN client to use Main Mode I still get an error.

                   

                  2013-08-02 13:31:14 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                  pid: 3759 logid: 0 cmd: 'ikmpd' hostname: fwca
                  information: ##### - in udp_read

                  2013-08-02 13:31:14 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                  pid: 3759 logid: 0 cmd: 'ikmpd' hostname: fwca
                  information: ##### - in exchange_error

                  2013-08-02 13:31:14 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                  pid: 3759 logid: 0 cmd: 'ikmpd' hostname: fwca
                  information: ##### - in process_error_queue

                  2013-08-02 13:31:14 -0400 f_isakmp_daemon a_vpn t_error p_major
                  pid: 3759 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                  cky_i: f55637e3f131f495 cky_r: 0000000000000000 local_gw: x.x.x.x
                  remote_gw: x.x.x.x
                  information: [detailed info]
                    [error]
                      MAIN_MODE exchange processing failed
                    [error]
                      Received exchange type (MAIN_MODE) not supported by policy, packet dropped

                  • 6. Re: ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1
                    dpbpc62

                    Scratch my last.... In the VPN Configuration I was using IKE v2.... I changed it and now I'm getting a 'gateway authentication error' right away.

                    • 7. Re: ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1
                      dpbpc62

                      OK, making it to phase 2 but still getting the "gateway authentication error".

                       

                      Below is a showaudit -k

                       

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
                      msg_id: 38854b1f local_gw: x.x.x.x remote_gw: x.x.x.x
                      information: ##### - exchange unref 1->0 for INFORMATIONAL(0x831bc00)

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
                      msg_id: 38854b1f local_gw: x.x.x.x remote_gw: x.x.x.x
                      information: ##### - in exch_destroy(0x831bc00)

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      information: ##### - session unref 2->1 for session: vpn-Certificates (0x820e390)

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
                      local_gw: x.x.x.x remote_gw: x.x.x.x
                      remote_id: CN=vpnusers,OU=vpn,O=al,L=ott,ST=on,C=ca
                      information: ##### - exchange unref 1->0 for MAIN_MODE(0x831b300)

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
                      local_gw: x.x.x.x remote_gw: x.x.x.x
                      remote_id: CN=vpnusers,OU=vpn,O=al,L=ott,ST=on,C=ca
                      information: ##### - in exch_delete(0x831b300)

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
                      local_gw: x.x.x.x remote_gw: x.x.x.x
                      remote_id: CN=vpnusers,OU=vpn,O=al,L=ott,ST=on,C=ca
                      information: ##### - exchange ref 0->1 for MAIN_MODE(0x831b300)

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      information: ##### - in process_error_queue

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_info p_major
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
                      local_gw: x.x.x.x remote_gw: x.x.x.x
                      remote_id: CN=vpnusers,OU=vpn,O=al,L=ott,ST=on,C=ca
                      information: [detailed info]
                        [info]
                          XAUTH exchange terminated - IKE SA terminated
                      [MAIN_MODE]
                        VPN: vpn-Certificates, CKY_I: |6d8d49a911bcf3ce|, CKY_R:
                        |4985108a75d58f3f|, references: 1
                        [state info]
                          init/resp: RESPONDER, condition: DYING,
                          state_mask: ACL_CHECK_PASSED|SEND_CR|SEND_CERT|CRYPTO_ACTIVE|RETRY_ON_DUP,
                          state: IDLE
                        [retry info]
                          counter: 0, num_trans: 2, total_time: 2, total_deviation: 0,
                          timestamp_out: 1375467237, timestamp_in: 1375467237
                        [local gateway] id_type: IPV4_ADDR(1), id_string: x.x.x.x, id_proto: 0,
                          id_port: 0, id_data: |cdc15114|
                        [remote gateway] id_type: IPV4_ADDR(1), id_string: x.x.x.x, id_proto: 0,
                          id_port: 0, id_data: |c0a8005b|
                        [exchange policy]
                          protocol: IKE,
                          options: [DYNAMIC|XAUTH|LEASED_IP|INITIAL_CONTACT|NO_STRICT_ID_MATCHING],
                          version: 1, local authentication: RSA_SIG_I_XAUTH,
                          remote authentication: RSA_SIG_I_XAUTH, encryption: AES:256, integ: MD5,
                          DH group: 2
                        [IKE info]
                          allocations: 0
                          [local identity]
                            id_type: ASN1_DN(9), id_string: CN=fw.ca, id_proto: 0,
                            id_port: 0, id_data:
                            |3020311e301c0603550403131566772d703033702e7363632d6373632e67632e6361|
                          [remote identity]
                            id_type: ASN1_DN(9),
                      ...(cont)...

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_info p_major
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
                      local_gw: x.x.x.x remote_gw: x.x.x.x
                      remote_id: CN=vpnusers,OU=vpn,O=al,L=ott,ST=on,C=ca
                      information: ...(cont)...
                            id_string: CN=vpnusers,OU=vpn,O=al,L=ott,ST=on,C=ca,
                            id_proto: 0, id_port: 0, id_data:
                            |305d310b3009060355040613026361310b3009060355040813026f6e310c300a06035504071303 6f7474310b3009060355040a130267633110300e060355040b13077363632d637363311430120603 550403130b73636376706e7573657273|
                          vendor ids: SIDEWINDER|XAUTH|NATT_RFC|NATT_DRAFT3|NATT_DRAFT2A
                          [chosen proposal]
                            protocol: IKE
                              protocol: IKE,
                              options: [DYNAMIC|LEASED_IP|INITIAL_CONTACT|NO_STRICT_ID_MATCHING],
                              version: 1, local authentication: RSA_SIG_I_XAUTH,
                              remote authentication: RSA_SIG_I_XAUTH, encryption: AES:256,
                              integ: MD5, DH group: 2

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
                      local_gw: x.x.x.x remote_gw: x.x.x.x
                      remote_id: CN=vpnusers,OU=vpn,O=al,L=ott,ST=on,C=ca
                      information: ##### - exchange unref 1->0 for MAIN_MODE(0x831b300)

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
                      local_gw: x.x.x.x remote_gw: x.x.x.x
                      remote_id: CN=vpnusers,OU=vpn,O=al,L=ott,ST=on,C=ca
                      information: ##### - in exch_destroy(0x831b300)

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      information: ##### - session unref 1->0 for session: vpn-Certificates (0x820e390)

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      information: ##### - in vpn_session_destroy: vpn-Certificates

                      2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_info p_major
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      vpn_name: vpn-Certificates local_gw: x.x.x.x remote_gw: x.x.x.x
                      information: Session termination -
                      [session details]
                        vpn_name: vpn-Certificates, state: DEAD
                        [local gateway] id_type: IPV4_ADDR(1), id_string: x.x.x.x, id_proto: 0,
                          id_port: 500, id_data: |cdc15114|
                        [remote gateway] id_type: IPV4_ADDR(1), id_string: x.x.x.x, id_proto: 0,
                          id_port: 500, id_data: |c0a8005b|
                        [phase1 config]
                          vpn: vpn-Certificates, position: 2, address pool: vpn IP Pool
                          [XAUTH params]
                            [warders] Password
                          [policy]
                            exchange: MAIN_MODE, protocol: IKE,
                            options: [DYNAMIC|XAUTH|LEASED_IP|INITIAL_CONTACT|NO_STRICT_ID_MATCHING],
                            version: 1, local authentication: RSA_SIG_I_XAUTH|RSA_SIG_R_XAUTH,
                            remote authentication: RSA_SIG_I_XAUTH|RSA_SIG_R_XAUTH,
                            encryption: DES|3DES|AES:128|AES:256, integ: MD5|SHA1, DH group: 1|2|5
                        [phase2 config]
                          vpn: vpn-Certificates, position: 2
                          [policy]
                            protocol: ESP, zone: 2, options: [DYNAMIC|FORCED_REKEY], version: 1,
                            encryption: DES|3DES|CAST|AES:128|AES:256, integ: MD5|SHA1, ESN: OFF,
                            encapsulation: TUNNEL

                      2013-08-02 14:14:12 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      information: ##### - in vpn_session_abort(0x820e320): !DYNAMIC!

                      2013-08-02 14:14:12 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      information: ##### - session unref 1->0 for session: !DYNAMIC! (0x820e320)

                      2013-08-02 14:14:12 -0400 f_isakmp_daemon a_vpn t_debug p_minor
                      pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
                      information: ##### - in vpn_session_destroy: !DYNAMIC!
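Added example (not from this thread, and not McAfee or ShrewSoft code): a small Python parser for the showaudit -k records posted above, so the three things worth checking in these dumps can be pulled out without reading every record by hand. It picks out the "Received exchange type (...) not supported by policy" errors from replies 3 and 5 (the aggressive/main mode mismatch Matt points at), the "XAUTH exchange terminated" line from reply 7, and the option flags listed under [exchange policy] versus [chosen proposal]. The record layout it assumes (timestamp header, key: value attribute lines, an information: payload that may continue on following lines and across records marked ...(cont)...) is taken from the output in this thread only; the sample records are constructed, condensed from those posts.

```python
import re
from typing import Any, Dict, List, Set

# Constructed sample input: two records condensed from the showaudit -k output
# posted in this thread (gateway addresses were already masked by the poster).
SAMPLE_AUDIT = """\
2013-08-02 12:26:58 -0400 f_isakmp_daemon a_vpn t_error p_major
pid: 3066 logid: 0 cmd: 'ikmpd' hostname: fw.ca
cky_i: 721abdea8a3de098 cky_r: 0000000000000000 local_gw: x.x.x.x
remote_gw: x.x.x.x
information: [detailed info]
  [error]
    AGGRESSIVE_MODE exchange processing failed
  [error]
    Received exchange type (AGGRESSIVE_MODE) not supported by policy, packet dropped

2013-08-02 14:13:57 -0400 f_isakmp_daemon a_vpn t_info p_major
pid: 1698 logid: 0 cmd: 'ikmpd' hostname: fw.ca
vpn_name: vpn-Certificates cky_i: 6d8d49a911bcf3ce cky_r: 4985108a75d58f3f
local_gw: x.x.x.x remote_gw: x.x.x.x
information: [detailed info]
  [info]
    XAUTH exchange terminated - IKE SA terminated
[MAIN_MODE]
  [exchange policy]
    options: [DYNAMIC|XAUTH|LEASED_IP|INITIAL_CONTACT|NO_STRICT_ID_MATCHING],
  [chosen proposal]
    options: [DYNAMIC|LEASED_IP|INITIAL_CONTACT|NO_STRICT_ID_MATCHING],
"""

# A record starts with a timestamp header and runs to the next blank line (assumed layout).
HEADER_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) "
                       r"\S+ \S+ (?P<type>t_\w+) (?P<prio>p_\w+)$")
KV_RE = re.compile(r"(\w+): ('[^']*'|\S+)")         # pid: 1698 cmd: 'ikmpd' hostname: fw.ca
REJECT_RE = re.compile(r"Received exchange type \((\w+)\) not supported by policy")
SECTION_RE = re.compile(r"^\s*\[([a-z ]+)\]\s*$")    # [exchange policy], [chosen proposal]
OPTIONS_RE = re.compile(r"options: \[([A-Z_|]+)\]")


def parse_records(text: str) -> List[Dict[str, Any]]:
    """Split audit output into records: header, key/value attributes, information payload."""
    records: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"], "type": m["type"], "prio": m["prio"],
                       "fields": {}, "information": []}
            records.append(current)
        elif not current or not line.strip():
            continue                                  # text before first header, or a separator
        elif line.startswith("information:"):
            current["information"].append(line[len("information:"):].strip())
        elif current["information"]:
            current["information"].append(line)       # payload continues on following lines
        else:
            current["fields"].update(KV_RE.findall(line))
    return records


def policy_rejections(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Exchange types the ISAKMP server dropped because the VPN policy does not allow them."""
    hits = []
    for rec in records:
        for line in rec["information"]:
            m = REJECT_RE.search(line)
            if m:
                hits.append({"ts": rec["ts"], "exchange": m.group(1),
                             "remote_gw": rec["fields"].get("remote_gw", "?")})
    return hits


def options_by_section(records: List[Dict[str, Any]]) -> Dict[str, Set[str]]:
    """Option flags under [exchange policy] and [chosen proposal]. Long entries are split
    across records marked ...(cont)..., so the scan runs over all payloads in order."""
    result: Dict[str, Set[str]] = {}
    section = ""
    for rec in records:
        for line in rec["information"]:
            sec = SECTION_RE.match(line)
            if sec:
                section = sec.group(1)
                continue
            opts = OPTIONS_RE.search(line)
            if opts and section in ("exchange policy", "chosen proposal"):
                result.setdefault(section, set()).update(opts.group(1).split("|"))
    return result


def options_dropped_from_proposal(records: List[Dict[str, Any]]) -> Set[str]:
    """Flags the policy asked for that the negotiated proposal does not carry."""
    by = options_by_section(records)
    return by.get("exchange policy", set()) - by.get("chosen proposal", set())


def diagnose(text: str) -> List[str]:
    """One line per finding for the conditions that appear in this thread's logs."""
    recs = parse_records(text)
    findings = [f"{h['ts']}: {h['exchange']} from {h['remote_gw']} not allowed by policy; "
                "compare the client's exchange mode with the VPN definition"
                for h in policy_rejections(recs)]
    findings += [f"{r['ts']}: XAUTH exchange terminated for cky_i={r['fields'].get('cky_i', '?')}"
                 for r in recs if any("XAUTH exchange terminated" in ln for ln in r["information"])]
    dropped = options_dropped_from_proposal(recs)
    if dropped:
        findings.append("in exchange policy but not in chosen proposal: " + "|".join(sorted(dropped)))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_AUDIT):
        print(finding)
```

Feed it the saved output of showaudit -k instead of SAMPLE_AUDIT to run it on a real dump. The option-set comparison only reports a difference; the thread does not establish that the missing XAUTH flag in the chosen proposal is the cause of the client's "gateway authentication error", so treat that line as something to check against the VPN definition, not as a verdict.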

                      • 8. Re: ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1
                        mtuma

                        Where did you see the error "gateway authentication error"? Was it on the client?

                         

                        Does Shrewsoft ever prompt you for credentials?

                         

                        -Matt

                        • 9. Re: ShrewSoft VPN Client and RSA Securid (RADIUS and XAuth) with MFE v8.3.1
                          dpbpc62

                          Yes, I get the error in the ShrewSoft client... and yes, it does: I put in the username/password, then it prompts me for the client cert password, and the error comes back very fast. But on the firewall I get to phase 2, and no tunnel.

                           

                          Dana
