Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Shrew Network Client

    IPsec
    5
    19
    29190
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      fastcon68 last edited by

      I am trying to get the mobile IPSEC vpn client (Shrew) setup and running.  I can't get the tunnel and and running.  I thought I saw a really detailed how to with screen shots on the fourm, but can't find the posting.

      I have tried with version 1.2.3 and just not getting anywhere.  I really would like to get this working so I can close some open ports on my firewall.  Let me know wht I need to post and I will get out there tonight.

      RC

      1 Reply Last reply Reply Quote 0
      • M
        msonic last edited by

        I had it configured today at a client of mine, works like a charm. als 1.2.3 RC1 version+shrew 2.2 alpha release

        I have also made a tutorial of this , i can mail it to you if you want.
        perhaps this will help you.

        ;)

        Ronald

        1 Reply Last reply Reply Quote 0
        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          @fastcon68:

          I am trying to get the mobile IPSEC vpn client (Shrew) setup and running.  I can't get the tunnel and and running.   I thought I saw a really detailed how to with screen shots on the fourm, but can't find the posting.

          I have tried with version 1.2.3 and just not getting anywhere.  I really would like to get this working so I can close some open ports on my firewall.  Let me know wht I need to post and I will get out there tonight.

          The howto that I wrote is on the Wiki, there may be another one floating around on the Forum somewhere.

          This is the one I use, and it worked fine for me:
          http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

          1 Reply Last reply Reply Quote 0
          • F
            fastcon68 last edited by

            I used the Pf-Sense setup doc and i am recieving the following:

            May 6 20:08:55 racoon: INFO: received Vendor ID: DPD
            May 6 20:08:55 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            May 6 20:08:55 racoon: INFO: received Vendor ID: RFC 3947
            May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
            May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
            May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
            May 6 20:08:55 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
            May 6 20:08:55 racoon: INFO: begin Aggressive mode.
            May 6 20:08:55 racoon: [Remote Connection]: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.196.xxx.72[500]

            Any Thoughts?
            RC

            1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              Those are all normal messages and do not indicate any problem.

              1 Reply Last reply Reply Quote 0
              • F
                fastcon68 last edited by

                I keep getting a error stating 'invalid message from gateway.  Any additional thoughts?
                RC

                1 Reply Last reply Reply Quote 0
                • jimp
                  jimp Rebel Alliance Developer Netgate last edited by

                  I don't recall exactly what might have caused that error, except that it was a settings mismatch of some kind. I think it was in the authentication/phase 1 settings, but I don't have that one noted down anywhere. It sounds familiar though.

                  Some other errors are covered here:
                  http://doc.pfsense.org/index.php/IPSec_Troubleshooting

                  1 Reply Last reply Reply Quote 0
                  • K
                    kangbobon last edited by

                    @msonic:

                    I had it configured today at a client of mine, works like a charm. als 1.2.3 RC1 version+shrew 2.2 alpha release

                    I have also made a tutorial of this , i can mail it to you if you want.
                    perhaps this will help you.

                    ;)

                    Ronald

                    please ronald,can you email me to kangbobon@yahoo.com, i will be thankfull for your help

                    1 Reply Last reply Reply Quote 0
                    • F
                      fastcon68 last edited by

                      I am still working on this and have gotten alittle bit further.

                      racoon: [Remote Connection]: INFO: respond new phase 1 negotiation: XXX.17.XXX.204[500]<=>XXX.196.XXX.72[500]
                      May 7 20:16:33 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
                      May 7 20:16:33 racoon: INFO: received Vendor ID: DPD
                      May 7 20:16:33 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                      May 7 20:16:33 racoon: INFO: begin Aggressive mode.

                      I only have a few options in pf-sense and email is not one of them per the orginal IPSec Road Warrior(http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To).    I have My Identifier's as My IP address, IP Address, Domain Name, User FQDM, and Dymanic DNS in PF-Sense.

                      In Shrew Soft VPN we have IP Address, Domain Name, User FQDM, and Dymanic DNS .  I thinkn I close to getting this working but need a little more guidance.  Any thoughts?

                      RC

                      1 Reply Last reply Reply Quote 0
                      • jimp
                        jimp Rebel Alliance Developer Netgate last edited by

                        Make sure on the pfSense side, that you add a PSK for the client on the "Pre-Shared Keys" tab. If you are typing a PSK into a tunnel, you're in the wrong place. There is no box for a PSK on the Mobile Tunnels tab where you setup the pfSense side in that howto.

                        When adding a key to the Pre-Shared Keys tab, just type an e-mail address in the "Identifier" box, and then make up a PSK, then click save.

                        Make sure both sides are set to Aggressive mode, especially the Shrew Soft client. The Shew Soft client hides some identifier options (Like the one you need – "Key identifier") unless you are in the proper mode (Aggressive/Main).

                        1 Reply Last reply Reply Quote 0
                        • F
                          fastcon68 last edited by

                          Hurray!  ;D  I finally got the connection to the fw1.  I have a internal network of 192.168.14.0/24 and have the shrew client set to 192.168.18.0/24.

                          I added a few rules got 1 ping throught still connected but not recieveing and packets.
                          Still plugging away at it.  I really want to get this working for proof of concept and also It something else I can offer to my customers for remote access without them having invest in expensive solutions.

                          My next challenge is the open vpn client.  Test everything I have at my disposal.
                          RC

                          1 Reply Last reply Reply Quote 0
                          • F
                            fastcon68 last edited by

                            I got the client working,  I am able to connect to my internal network  ;D.  Now I have about 6 internal internal vpn's that I would like connect to from remote.  Has anyone done anything like that?

                            RC

                            1 Reply Last reply Reply Quote 0
                            • jimp
                              jimp Rebel Alliance Developer Netgate last edited by

                              @fastcon68:

                              I got the client working,  I am able to connect to my internal network  ;D.  Now I have about 6 internal internal vpn's that I would like connect to from remote.  Has anyone done anything like that?

                              You may be able to make it work. I've had mixed luck with using parallel tunnels to accomplish that kind of scenario.

                              http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets

                              I ended up going with OpenVPN for that particular task since, as it can be routed, it worked much easier.

                              The multiple-subnet issue for IPSec has been taken care of pretty well on 2.0, but that is still alpha.

                              1 Reply Last reply Reply Quote 0
                              • F
                                fastcon68 last edited by

                                I am planning to post a link to my web server this weekend with a how too setup PF-Sense mobile support.  This will be be with 1.2.3 rc1 with the new ipsec widget.  I try to get that done this weekend.  I post a link.  I planning lot's of screen shots and critical information that was a little shake to understand the fisrt time through.  Any think this will be helpful.

                                RC

                                1 Reply Last reply Reply Quote 0
                                • K
                                  kingtux last edited by

                                  what kind of rules are need? I am able to connect but can't pass traffice through tunnel?

                                  1 Reply Last reply Reply Quote 0
                                  • F
                                    fastcon68 last edited by

                                    kingtux,
                                    I created a few rules, but here was what I

                                    Protocols    Remote Subnet                    Detination Subnet                               
                                    TCP/UDP  192.168.18.0/24  *  192.168.xx.0/24  *  *      RoadWarrior 
                                    ICMP         192.168.18.0/24         * 192.168.xx.0/24         * *   RoadWarrior

                                    • 192.168.18.0/24  * 192.168.xx.0/24  * *   RoadWarrior

                                    This is what I have created, It's overkill I know but it's working.

                                    RC

                                    1 Reply Last reply Reply Quote 0
                                    • K
                                      kingtux last edited by

                                      Thanks i will give that a try and report back…thanks for taking the time to post!

                                      1 Reply Last reply Reply Quote 0
                                      • F
                                        fastcon68 last edited by

                                        The shrew client is a IPSEC client.  Add your standard IPSEC rules, here is what I added:
                                        Proto           Source                       Port Destination           Port Gw Description
                                        TCP/UDP 192.168.18.0/24 * 192.168.xx.0/24 * * RoadWarrior
                                        ICMP           192.168.18.0/24 * 192.168.xx.0/24 * * RoadWarrior

                                        • 192.168.18.0/24 * 192.168.xx.0/24 * * RoadWarrior

                                        make sure that your Souce is different from than the Destination.
                                        RC

                                        1 Reply Last reply Reply Quote 0
                                        • K
                                          kingtux last edited by

                                          Thanks that worked!

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post

                                          Products

                                          • Platform Overview
                                          • TNSR
                                          • pfSense
                                          • Appliances

                                          Services

                                          • Training
                                          • Professional Services

                                          Support

                                          • Subscription Plans
                                          • Contact Support
                                          • Product Lifecycle
                                          • Documentation

                                          News

                                          • Media Coverage
                                          • Press
                                          • Events

                                          Resources

                                          • Blog
                                          • FAQ
                                          • Find a Partner
                                          • Resource Library
                                          • Security Information

                                          Company

                                          • About Us
                                          • Careers
                                          • Partners
                                          • Contact Us
                                          • Legal
                                          Our Mission

                                          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                                          Subscribe to our Newsletter

                                          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                                          © 2021 Rubicon Communications, LLC | Privacy Policy