ASA IPSec with Shrewsoft

This guide provides information that can be used to configure a Cisco PIX/ASA device running firmware version 7.x to support IPsec VPN client connectivity. If you have a PIX device running firmware version 6.x, please consult the HowtoCiscoPix. The Shrew Soft VPN Client has been tested with Cisco products to ensure interoperability.


The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the pull configuration method to acquire the following parameters automatically from the gateway.

Gateway Configuration

This example assumes you have knowledge of the Cisco ASA gateway command line configuration interface. For more information, please consult your Cisco product documentation.


Two network interfaces are configured. The outside interface has a static public IP address of which faces the internet. The inside interface has a static private IP address that faces the internal private network. The default gateway is configured as via the outside interface.

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2

Access List

An access lists must be configured to define the IPSec policies. This is expressed with the source matching the local private network(s) and the destination matching any as the VPN client address will be assigned by the gateway.

object-group network group-inside-vpnclient
 description All inside accessible networks
access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any

Address Pool

The IP address pool must be configured. Clients will be assigned private network addresses from a pool of

ip local pool ippool-vpnclient mask

User Authentication

User authentication must be configured to support IKE extended authentication ( XAuth ). In this example, we use define user accounts locally on the ASA. It is possible to pass this authentication to a radius or an LDAP account server using the Cisco AAA authentication mechanism. For more information, please consult your cisco product documentation.

aaa authentication ssh console LOCAL username bill password XXX encrypted username bob password XXX encrypted

IPsec Parameters

A transform set and dynamic IPsec crypto map must be configured to support client VPN connections. The dynamic crypto map is then assigned to a standard crypto map and bound to the outside (public) interface.

crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside

ISAKMP Parameters

The ISAKMP protocol must be enabled on the outside (public) interface and an ISAKMP policy must be configured. NAT Traversal is also enabled to allow clients to communicate effectively when their peer address is being translated. The keep alive packet rate is set to 20 seconds.

crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp nat-traversal 20
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

Group Policy

A group policy must be configured to provide the client with dynamic configuration information.

group-policy group-policy-default internal
group-policy group-policy-default attributes
 banner value Welcome to the ciscoasa
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec
 password-storage disable
 re-xauth disable
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value
 split-dns value

Tunnel Group

A tunnel group must be configured to define the VPN Client tunnel parameters. It is created using the type ipsec-ra for IPsec remote access. The client uses the tunnel group name as its FQDN identity value and the tunnel group pre-shared-key as its pre-shared key value.

tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 address-pool ippool-vpnclient
 default-group-policy group-policy-default
tunnel-group vpnclient ipsec-attributes
 pre-shared-key mypresharedkey

Client Configuration

The client configuration in this example is straight forward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.

General Tab

The Remote Host section must be configured. The Host Name or IP Address is defined as to match the ASA outside ( public ) interface address. The Auto Configuration mode should be set to ike config pull.

Phase 1 Tab

The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the ASA ISAKMP policy definition.

Authentication Tab

The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.

Local Identity Tab

The Local Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of “vpnclient” to match the ASA tunnel group name.

Remote Identity Tab

The Remote Identity parameters are set to IP Address with the Use a discovered remote host address option checked to match the ASA ISAKMP identity parameter.

Credentials Tab

The Credentials Pre Shared Key is defined as “mypresharedkey” to match the ASA tunnel group pre-shared-key.