Netgate Discussion Forum

    Shrew Network Client

    IPsec
    19 Posts 5 Posters 30.7k Views
      fastcon68

      I am trying to get the mobile IPsec VPN client (Shrew) set up and running. I can't get the tunnel up and running. I thought I saw a really detailed how-to with screenshots on the forum, but can't find the posting.

      I have tried with version 1.2.3 and am just not getting anywhere. I really would like to get this working so I can close some open ports on my firewall. Let me know what I need to post and I will get it out there tonight.

      RC

        msonic

        I had it configured today at a client of mine; works like a charm. Also 1.2.3 RC1 version + Shrew 2.2 alpha release.

        I have also made a tutorial of this; I can mail it to you if you want.
        Perhaps this will help you.

        ;)

        Ronald

          jimp (Rebel Alliance Developer, Netgate)

          @fastcon68:

          I am trying to get the mobile IPsec VPN client (Shrew) set up and running. I can't get the tunnel up and running. I thought I saw a really detailed how-to with screenshots on the forum, but can't find the posting.

          I have tried with version 1.2.3 and am just not getting anywhere. I really would like to get this working so I can close some open ports on my firewall. Let me know what I need to post and I will get it out there tonight.

          The howto that I wrote is on the Wiki, there may be another one floating around on the Forum somewhere.

          This is the one I use, and it worked fine for me:
          http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            fastcon68

            I used the pfSense setup doc and I am receiving the following:

            May 6 20:08:55 racoon: INFO: received Vendor ID: DPD
            May 6 20:08:55 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            May 6 20:08:55 racoon: INFO: received Vendor ID: RFC 3947
            May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
            May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
            May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
            May 6 20:08:55 racoon: INFO: begin Aggressive mode.
            May 6 20:08:55 racoon: [Remote Connection]: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.196.xxx.72[500]

            Any Thoughts?
            RC

              jimp (Rebel Alliance Developer, Netgate)

              Those are all normal messages and do not indicate any problem.


                fastcon68

                I keep getting an error stating 'invalid message from gateway'. Any additional thoughts?
                RC

                  jimp (Rebel Alliance Developer, Netgate)

                  I don't recall exactly what might have caused that error, except that it was a settings mismatch of some kind. I think it was in the authentication/phase 1 settings, but I don't have that one noted down anywhere. It sounds familiar though.

                  Some other errors are covered here:
                  http://doc.pfsense.org/index.php/IPSec_Troubleshooting


                    kangbobon

                    @msonic:

                    I had it configured today at a client of mine; works like a charm. Also 1.2.3 RC1 version + Shrew 2.2 alpha release.

                    I have also made a tutorial of this; I can mail it to you if you want.
                    Perhaps this will help you.

                    ;)

                    Ronald

                    Please Ronald, can you email me at kangbobon@yahoo.com? I will be thankful for your help.

                      fastcon68

                      I am still working on this and have gotten a little bit further.

                      racoon: [Remote Connection]: INFO: respond new phase 1 negotiation: XXX.17.XXX.204[500]<=>XXX.196.XXX.72[500]
                      May 7 20:16:33 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
                      May 7 20:16:33 racoon: INFO: received Vendor ID: DPD
                      May 7 20:16:33 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                      May 7 20:16:33 racoon: INFO: begin Aggressive mode.

                      I only have a few options in pfSense and email is not one of them per the original IPSec Road Warrior how-to (http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To). I have My Identifiers as My IP address, IP Address, Domain Name, User FQDN, and Dynamic DNS in pfSense.

                      In Shrew Soft VPN we have IP Address, Domain Name, User FQDN, and Dynamic DNS. I think I'm close to getting this working but need a little more guidance. Any thoughts?

                      RC

                        jimp (Rebel Alliance Developer, Netgate)

                        Make sure on the pfSense side, that you add a PSK for the client on the "Pre-Shared Keys" tab. If you are typing a PSK into a tunnel, you're in the wrong place. There is no box for a PSK on the Mobile Tunnels tab where you setup the pfSense side in that howto.

                        When adding a key to the Pre-Shared Keys tab, just type an e-mail address in the "Identifier" box, and then make up a PSK, then click save.

                        Make sure both sides are set to Aggressive mode, especially the Shrew Soft client. The Shrew Soft client hides some identifier options (like the one you need, "Key identifier") unless you are in the proper mode (Aggressive/Main).


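As an added example (not from this thread, pfSense or Shrew Soft), here is a small Python triage script for racoon log lines like the ones posted above: it separates the routine phase 1 chatter (Vendor IDs, the "broken Microsoft ID: FRAGMENTATION" line, "begin Aggressive mode") from the NOTIFY about a missing pre-shared key, which the reply above explains is a PSK not defined on the Pre-Shared Keys tab. The sample log is constructed from the lines in this thread, and the check hints are assumptions based on the advice given here, not racoon output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the racoon lines posted in this thread (addresses masked as there).
SAMPLE_LOG = """\
May 7 20:16:33 racoon: [Remote Connection]: INFO: respond new phase 1 negotiation: xxx.17.xxx.204[500]<=>xxx.196.xxx.72[500]
May 7 20:16:33 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
May 7 20:16:33 racoon: INFO: received Vendor ID: DPD
May 7 20:16:33 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 7 20:16:33 racoon: INFO: begin Aggressive mode.
"""
# Messages that look alarming but are routine chatter during an IKE phase 1 exchange.
BENIGN = [re.compile(p) for p in (
    r"received Vendor ID:",
    r"received broken Microsoft ID: FRAGMENTATION",
    r"begin (Aggressive|Identity Protection) mode",
    r"respond new phase 1 negotiation",
)]
# Messages that point at a configuration mismatch, paired with the check suggested in this thread (assumed hint text).
PROBLEMS = [
    (re.compile(r"couldn't find the proper pskey"),
     "no PSK matches this peer: add the client's identifier and key on the Pre-Shared Keys tab"),
]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) racoon: (?:\[(?P<conn>[^\]]+)\]: )?(?P<level>\w+): (?P<msg>.*)$")

def classify_line(line: str) -> Tuple[str, str]:
    """Return (category, detail); category is problem, benign, unknown or unparsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("unparsed", line.strip())
    msg = m.group("msg")
    for pat, hint in PROBLEMS:
        if pat.search(msg):
            return ("problem", hint)
    if m.group("level") == "ERROR":          # anything racoon itself flags as an error
        return ("problem", msg)
    if any(p.search(msg) for p in BENIGN):
        return ("benign", msg)
    return ("unknown", msg)

def triage(log_text: str) -> Dict[str, List[str]]:
    """Bucket every non-empty line so the problems stand out from the routine INFO noise."""
    out: Dict[str, List[str]] = {"problem": [], "unknown": [], "benign": [], "unparsed": []}
    for line in log_text.splitlines():
        if line.strip():
            cat, detail = classify_line(line)
            out[cat].append(detail)
    return out
```

Running `triage(SAMPLE_LOG)` on the sample puts the four INFO lines under "benign" and the pskey NOTIFY under "problem" with its hint.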
                          fastcon68

                          Hurray! ;D I finally got the connection to the fw1. I have an internal network of 192.168.14.0/24 and have the Shrew client set to 192.168.18.0/24.

                          I added a few rules, got 1 ping through, still connected but not receiving any packets.
                          Still plugging away at it. I really want to get this working for proof of concept, and also it's something else I can offer to my customers for remote access without them having to invest in expensive solutions.

                          My next challenge is the OpenVPN client. Test everything I have at my disposal.
                          RC

                            fastcon68

                            I got the client working, I am able to connect to my internal network ;D. Now I have about 6 internal VPNs that I would like to connect to from remote. Has anyone done anything like that?

                            RC

                              jimp (Rebel Alliance Developer, Netgate)

                              @fastcon68:

                              I got the client working, I am able to connect to my internal network ;D. Now I have about 6 internal VPNs that I would like to connect to from remote. Has anyone done anything like that?

                              You may be able to make it work. I've had mixed luck with using parallel tunnels to accomplish that kind of scenario.

                              http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets

                              I ended up going with OpenVPN for that particular task since, as it can be routed, it worked much easier.

                              The multiple-subnet issue for IPSec has been taken care of pretty well on 2.0, but that is still alpha.


                                fastcon68

                                I am planning to post a link to my web server this weekend with a how-to for setting up pfSense mobile support. This will be with 1.2.3 RC1 with the new IPsec widget. I'll try to get that done this weekend. I'll post a link. I'm planning lots of screenshots and critical information that was a little shaky to understand the first time through. I think this will be helpful.

                                RC

                                  kingtux

                                  What kind of rules are needed? I am able to connect but can't pass traffic through the tunnel.

                                    fastcon68

                                    kingtux,
                                    I created a few rules, but here was what I

                                    Proto    Source           Port  Destination      Port  Gw  Description
                                    TCP/UDP  192.168.18.0/24  *     192.168.xx.0/24  *     *   RoadWarrior
                                    ICMP     192.168.18.0/24  *     192.168.xx.0/24  *     *   RoadWarrior
                                    *        192.168.18.0/24  *     192.168.xx.0/24  *     *   RoadWarrior

                                    This is what I have created. It's overkill, I know, but it's working.

                                    RC

                                      kingtux

                                      Thanks, I will give that a try and report back… thanks for taking the time to post!

                                        fastcon68

                                        The Shrew client is an IPsec client. Add your standard IPsec rules; here is what I added:

                                        Proto    Source           Port  Destination      Port  Gw  Description
                                        TCP/UDP  192.168.18.0/24  *     192.168.xx.0/24  *     *   RoadWarrior
                                        ICMP     192.168.18.0/24  *     192.168.xx.0/24  *     *   RoadWarrior
                                        *        192.168.18.0/24  *     192.168.xx.0/24  *     *   RoadWarrior

                                        Make sure that your Source is different from the Destination.
                                        RC

                                          kingtux

                                          Thanks that worked!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.