Shrew Network Client

fastcon68

I am trying to get the mobile IPSEC vpn client (Shrew) setup and running.  I can't get the tunnel and and running.  I thought I saw a really detailed how to with screen shots on the fourm, but can't find the posting.

I have tried with version 1.2.3 and just not getting anywhere.  I really would like to get this working so I can close some open ports on my firewall.  Let me know wht I need to post and I will get out there tonight.

RC

msonic

I had it configured today at a client of mine, works like a charm. als 1.2.3 RC1 version+shrew 2.2 alpha release

I have also made a tutorial of this , i can mail it to you if you want.
perhaps this will help you.

;)

Ronald

jimp

@fastcon68:

I am trying to get the mobile IPSEC vpn client (Shrew) setup and running.  I can't get the tunnel and and running.   I thought I saw a really detailed how to with screen shots on the fourm, but can't find the posting.

I have tried with version 1.2.3 and just not getting anywhere.  I really would like to get this working so I can close some open ports on my firewall.  Let me know wht I need to post and I will get out there tonight.

The howto that I wrote is on the Wiki, there may be another one floating around on the Forum somewhere.

This is the one I use, and it worked fine for me:
http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

fastcon68

I used the Pf-Sense setup doc and i am recieving the following:

May 6 20:08:55 racoon: INFO: received Vendor ID: DPD
May 6 20:08:55 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 6 20:08:55 racoon: INFO: received Vendor ID: RFC 3947
May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
May 6 20:08:55 racoon: INFO: begin Aggressive mode.
May 6 20:08:55 racoon: [Remote Connection]: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.196.xxx.72[500]

Any Thoughts?
RC

jimp

Those are all normal messages and do not indicate any problem.

fastcon68

I keep getting a error stating 'invalid message from gateway.  Any additional thoughts?
RC

jimp

I don't recall exactly what might have caused that error, except that it was a settings mismatch of some kind. I think it was in the authentication/phase 1 settings, but I don't have that one noted down anywhere. It sounds familiar though.

Some other errors are covered here:
http://doc.pfsense.org/index.php/IPSec_Troubleshooting

kangbobon

@msonic:

I had it configured today at a client of mine, works like a charm. als 1.2.3 RC1 version+shrew 2.2 alpha release

I have also made a tutorial of this , i can mail it to you if you want.
perhaps this will help you.

;)

Ronald

please ronald,can you email me to kangbobon@yahoo.com, i will be thankfull for your help

fastcon68

I am still working on this and have gotten alittle bit further.

racoon: [Remote Connection]: INFO: respond new phase 1 negotiation: XXX.17.XXX.204[500]<=>XXX.196.XXX.72[500]
May 7 20:16:33 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
May 7 20:16:33 racoon: INFO: received Vendor ID: DPD
May 7 20:16:33 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 7 20:16:33 racoon: INFO: begin Aggressive mode.

I only have a few options in pf-sense and email is not one of them per the orginal IPSec Road Warrior(http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To).    I have My Identifier's as My IP address, IP Address, Domain Name, User FQDM, and Dymanic DNS in PF-Sense.

In Shrew Soft VPN we have IP Address, Domain Name, User FQDM, and Dymanic DNS .  I thinkn I close to getting this working but need a little more guidance.  Any thoughts?

RC

jimp

Make sure on the pfSense side, that you add a PSK for the client on the "Pre-Shared Keys" tab. If you are typing a PSK into a tunnel, you're in the wrong place. There is no box for a PSK on the Mobile Tunnels tab where you setup the pfSense side in that howto.

When adding a key to the Pre-Shared Keys tab, just type an e-mail address in the "Identifier" box, and then make up a PSK, then click save.

Make sure both sides are set to Aggressive mode, especially the Shrew Soft client. The Shew Soft client hides some identifier options (Like the one you need – "Key identifier") unless you are in the proper mode (Aggressive/Main).

fastcon68

Hurray!  ;D  I finally got the connection to the fw1.  I have a internal network of 192.168.14.0/24 and have the shrew client set to 192.168.18.0/24.

I added a few rules got 1 ping throught still connected but not recieveing and packets.
Still plugging away at it.  I really want to get this working for proof of concept and also It something else I can offer to my customers for remote access without them having invest in expensive solutions.

My next challenge is the open vpn client.  Test everything I have at my disposal.
RC

fastcon68

I got the client working,  I am able to connect to my internal network  ;D.  Now I have about 6 internal internal vpn's that I would like connect to from remote.  Has anyone done anything like that?

RC

jimp

@fastcon68:

I got the client working,  I am able to connect to my internal network  ;D.  Now I have about 6 internal internal vpn's that I would like connect to from remote.  Has anyone done anything like that?

You may be able to make it work. I've had mixed luck with using parallel tunnels to accomplish that kind of scenario.

http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets

I ended up going with OpenVPN for that particular task since, as it can be routed, it worked much easier.

The multiple-subnet issue for IPSec has been taken care of pretty well on 2.0, but that is still alpha.

fastcon68

I am planning to post a link to my web server this weekend with a how too setup PF-Sense mobile support.  This will be be with 1.2.3 rc1 with the new ipsec widget.  I try to get that done this weekend.  I post a link.  I planning lot's of screen shots and critical information that was a little shake to understand the fisrt time through.  Any think this will be helpful.

RC

kingtux

what kind of rules are need? I am able to connect but can't pass traffice through tunnel?

fastcon68

kingtux,
I created a few rules, but here was what I

Protocols    Remote Subnet                    Detination Subnet                               
TCP/UDP  192.168.18.0/24  *  192.168.xx.0/24  *  *      RoadWarrior 
ICMP         192.168.18.0/24         * 192.168.xx.0/24         * *   RoadWarrior

• 192.168.18.0/24  * 192.168.xx.0/24  * *   RoadWarrior

This is what I have created, It's overkill I know but it's working.

RC

kingtux

Thanks i will give that a try and report back…thanks for taking the time to post!

fastcon68

The shrew client is a IPSEC client.  Add your standard IPSEC rules, here is what I added:
Proto           Source                       Port Destination           Port Gw Description
TCP/UDP 192.168.18.0/24 * 192.168.xx.0/24 * * RoadWarrior
ICMP           192.168.18.0/24 * 192.168.xx.0/24 * * RoadWarrior

• 192.168.18.0/24 * 192.168.xx.0/24 * * RoadWarrior

make sure that your Souce is different from than the Destination.
RC

kingtux

Thanks that worked!