Shrew Network Client



  • I am trying to get the mobile IPSEC vpn client (Shrew) setup and running.  I can't get the tunnel and and running.  I thought I saw a really detailed how to with screen shots on the fourm, but can't find the posting.

    I have tried with version 1.2.3 and just not getting anywhere.  I really would like to get this working so I can close some open ports on my firewall.  Let me know wht I need to post and I will get out there tonight.

    RC



  • I had it configured today at a client of mine, works like a charm. als 1.2.3 RC1 version+shrew 2.2 alpha release

    I have also made a tutorial of this , i can mail it to you if you want.
    perhaps this will help you.

    ;)

    Ronald


  • Rebel Alliance Developer Netgate

    @fastcon68:

    I am trying to get the mobile IPSEC vpn client (Shrew) setup and running.  I can't get the tunnel and and running.   I thought I saw a really detailed how to with screen shots on the fourm, but can't find the posting.

    I have tried with version 1.2.3 and just not getting anywhere.  I really would like to get this working so I can close some open ports on my firewall.  Let me know wht I need to post and I will get out there tonight.

    The howto that I wrote is on the Wiki, there may be another one floating around on the Forum somewhere.

    This is the one I use, and it worked fine for me:
    http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To



  • I used the Pf-Sense setup doc and i am recieving the following:

    May 6 20:08:55 racoon: INFO: received Vendor ID: DPD
    May 6 20:08:55 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    May 6 20:08:55 racoon: INFO: received Vendor ID: RFC 3947
    May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    May 6 20:08:55 racoon: INFO: begin Aggressive mode.
    May 6 20:08:55 racoon: [Remote Connection]: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.196.xxx.72[500]

    Any Thoughts?
    RC


  • Rebel Alliance Developer Netgate

    Those are all normal messages and do not indicate any problem.



  • I keep getting a error stating 'invalid message from gateway.  Any additional thoughts?
    RC


  • Rebel Alliance Developer Netgate

    I don't recall exactly what might have caused that error, except that it was a settings mismatch of some kind. I think it was in the authentication/phase 1 settings, but I don't have that one noted down anywhere. It sounds familiar though.

    Some other errors are covered here:
    http://doc.pfsense.org/index.php/IPSec_Troubleshooting



  • @msonic:

    I had it configured today at a client of mine, works like a charm. als 1.2.3 RC1 version+shrew 2.2 alpha release

    I have also made a tutorial of this , i can mail it to you if you want.
    perhaps this will help you.

    ;)

    Ronald

    please ronald,can you email me to kangbobon@yahoo.com, i will be thankfull for your help



  • I am still working on this and have gotten alittle bit further.

    racoon: [Remote Connection]: INFO: respond new phase 1 negotiation: XXX.17.XXX.204[500]<=>XXX.196.XXX.72[500]
    May 7 20:16:33 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    May 7 20:16:33 racoon: INFO: received Vendor ID: DPD
    May 7 20:16:33 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    May 7 20:16:33 racoon: INFO: begin Aggressive mode.

    I only have a few options in pf-sense and email is not one of them per the orginal IPSec Road Warrior(http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To).    I have My Identifier's as My IP address, IP Address, Domain Name, User FQDM, and Dymanic DNS in PF-Sense.

    In Shrew Soft VPN we have IP Address, Domain Name, User FQDM, and Dymanic DNS .  I thinkn I close to getting this working but need a little more guidance.  Any thoughts?

    RC


  • Rebel Alliance Developer Netgate

    Make sure on the pfSense side, that you add a PSK for the client on the "Pre-Shared Keys" tab. If you are typing a PSK into a tunnel, you're in the wrong place. There is no box for a PSK on the Mobile Tunnels tab where you setup the pfSense side in that howto.

    When adding a key to the Pre-Shared Keys tab, just type an e-mail address in the "Identifier" box, and then make up a PSK, then click save.

    Make sure both sides are set to Aggressive mode, especially the Shrew Soft client. The Shew Soft client hides some identifier options (Like the one you need – "Key identifier") unless you are in the proper mode (Aggressive/Main).



  • Hurray!  ;D  I finally got the connection to the fw1.  I have a internal network of 192.168.14.0/24 and have the shrew client set to 192.168.18.0/24.

    I added a few rules got 1 ping throught still connected but not recieveing and packets.
    Still plugging away at it.  I really want to get this working for proof of concept and also It something else I can offer to my customers for remote access without them having invest in expensive solutions.

    My next challenge is the open vpn client.  Test everything I have at my disposal.
    RC



  • I got the client working,  I am able to connect to my internal network  ;D.  Now I have about 6 internal internal vpn's that I would like connect to from remote.  Has anyone done anything like that?

    RC


  • Rebel Alliance Developer Netgate

    @fastcon68:

    I got the client working,  I am able to connect to my internal network  ;D.  Now I have about 6 internal internal vpn's that I would like connect to from remote.  Has anyone done anything like that?

    You may be able to make it work. I've had mixed luck with using parallel tunnels to accomplish that kind of scenario.

    http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets

    I ended up going with OpenVPN for that particular task since, as it can be routed, it worked much easier.

    The multiple-subnet issue for IPSec has been taken care of pretty well on 2.0, but that is still alpha.



  • I am planning to post a link to my web server this weekend with a how too setup PF-Sense mobile support.  This will be be with 1.2.3 rc1 with the new ipsec widget.  I try to get that done this weekend.  I post a link.  I planning lot's of screen shots and critical information that was a little shake to understand the fisrt time through.  Any think this will be helpful.

    RC



  • what kind of rules are need? I am able to connect but can't pass traffice through tunnel?



  • kingtux,
    I created a few rules, but here was what I

    Protocols    Remote Subnet                    Detination Subnet                               
    TCP/UDP  192.168.18.0/24  *  192.168.xx.0/24  *  *      RoadWarrior 
    ICMP         192.168.18.0/24         * 192.168.xx.0/24         * *   RoadWarrior

    • 192.168.18.0/24  * 192.168.xx.0/24  * *   RoadWarrior

    This is what I have created, It's overkill I know but it's working.

    RC



  • Thanks i will give that a try and report back…thanks for taking the time to post!



  • The shrew client is a IPSEC client.  Add your standard IPSEC rules, here is what I added:
    Proto           Source                       Port Destination           Port Gw Description
    TCP/UDP 192.168.18.0/24 * 192.168.xx.0/24 * * RoadWarrior
    ICMP           192.168.18.0/24 * 192.168.xx.0/24 * * RoadWarrior

    • 192.168.18.0/24 * 192.168.xx.0/24 * * RoadWarrior

    make sure that your Souce is different from than the Destination.
    RC



  • Thanks that worked!


Log in to reply