Does anyone have the IPsec VPN with Shrew VPN client working?



  • This is more of a poll really. I'm curious to see how many people have an IPsec VPN (mobile user type) using the Shrew VPN client working. I have tried several times with the same results and wonder how many people have this working on version 1.2.2.
    Thanks,
    Pat



  • I've done this a few times following one of the howtos. Target box was 1.2.2, but I upgraded to 1.2.3 RC2 so I could have NAT-T available.

    Edit for clarity: Worked on 1.2.2, worked after upgrading to 1.2.3 RC2



  • Got it up and running, no issues. It works! I also have OpenVPN up and running.
    RC



  • @dotdash:

    I've done this a few times following one of the howtos. Target box was 1.2.2, but I upgraded to 1.2.3 RC2 so I could have NAT-T available.

    Edit for clarity: Worked on 1.2.2, worked after upgrading to 1.2.3 RC2

    If I understand correctly: with the NAT-T feature introduced in v1.2.3 RC2, it is finally possible to connect from any LAN (behind a router)?

    Furthermore, how do you set up pfSense/IPsec/Shrew to manage road warrior pools?

    I don't remember having seen "DHCP pools" for the road warrior clients…

    Or perhaps it's necessary to specify each road warrior's address?

    Thank you,

    Sincerely,


  • Rebel Alliance Developer Netgate

    It works fine when following the doc I wrote:
    http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    Not sure if any method of automatically assigning far side addresses works. I've only ever got it to work with hardcoded addresses.



  • @jimp:

    It works fine when following the doc I wrote:
    http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    Not sure if any method of automatically assigning far side addresses works. I've only ever got it to work with hardcoded addresses.

    Sorry, I had already read it but hadn't seen this part:

    "The client address range should be a subnet of IP addresses that is not in use on any current interface. It cannot overlap any existing network that pfSense can reach directly."

    Perfect ;D

    Once more: I'm sorry to ask again, but I just want a clear confirmation:

    I read that dotdash successfully uses Shrew Soft with the current v1.2.2.

    But without NAT-T (not present in pfSense v1.2.2), I don't see the usefulness of Mobile IPsec…

    Or perhaps I misunderstood something about mobile IPsec / NAT-T??

    Thank you very much for your answers,

    Sincerely,

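The rule quoted above from jimp's how-to (the client address range must not overlap any network pfSense can reach directly) is easy to get wrong by hand once a box has several interfaces and static routes. The following is an added example and not pfSense or Shrew Soft code: it checks a proposed mobile client pool against a list of locally reachable networks and, since 1.2.x needs hardcoded client addresses rather than a DHCP pool, carves fixed per-client addresses out of a pool that passed the check. The interface names, ranges and client names are constructed for illustration.

```python
"""Check a proposed mobile IPsec client pool for overlap with networks the
firewall reaches directly, then hand out fixed per-client addresses.

Added example, not pfSense or Shrew Soft code. The network table below is
constructed; on a real box you would take it from the interface configuration
and the routing table (the WAN network counts too).
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample: networks a hypothetical pfSense 1.2.x box reaches directly.
# Not taken from the thread; substitute your own interfaces and static routes.
LOCAL_NETWORKS: Dict[str, str] = {
    "LAN": "192.168.1.0/24",
    "OPT1 (DMZ)": "10.0.10.0/24",
    "WAN": "203.0.113.0/29",            # documentation range (TEST-NET-3)
    "static route via LAN": "192.168.50.0/24",
}


def overlapping_networks(pool: str, networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, cidr) pairs of networks that overlap the proposed pool.

    strict=True makes ipaddress reject a pool whose host bits are set
    (e.g. 10.200.0.1/24), which is a configuration typo worth catching early.
    """
    pool_net = ipaddress.ip_network(pool, strict=True)
    hits = []
    for name, cidr in networks.items():
        net = ipaddress.ip_network(cidr, strict=True)
        # overlaps() is symmetric: a pool containing the LAN is as bad as a
        # pool contained in it. Only compare same address family.
        if net.version == pool_net.version and net.overlaps(pool_net):
            hits.append((name, cidr))
    return hits


def pool_is_usable(pool: str, networks: Dict[str, str] = LOCAL_NETWORKS) -> bool:
    """True when the pool collides with nothing the firewall routes directly."""
    return not overlapping_networks(pool, networks)


def assign_static_addresses(pool: str, clients: Iterable[str]) -> Dict[str, str]:
    """Give each road warrior one fixed host address from the pool.

    Mirrors the hardcoded-address approach the thread describes for 1.2.x:
    no DHCP over IPsec, so every client is pinned to an address. The network
    and broadcast addresses are skipped; running out of addresses is an error
    rather than a silent wrap-around.
    """
    pool_net = ipaddress.ip_network(pool, strict=True)
    hosts = pool_net.hosts()
    assignment: Dict[str, str] = {}
    for client in clients:
        try:
            assignment[client] = str(next(hosts))
        except StopIteration:
            raise ValueError(f"pool {pool} has no address left for {client}")
    return assignment


if __name__ == "__main__":
    candidate = "10.200.0.0/24"
    for name, cidr in overlapping_networks(candidate, LOCAL_NETWORKS):
        print(f"{candidate} overlaps {name} ({cidr})")
    if pool_is_usable(candidate):
        # Constructed client names, one fixed address each.
        for who, addr in assign_static_addresses(candidate, ["pat", "rc"]).items():
            print(f"{who}: {addr}")
```

Run it against your own interface and route list before committing a pool in the mobile clients tab; a pool that overlaps the LAN will appear to connect but traffic to the overlapping range is routed to the wrong place.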

  • Rebel Alliance Developer Netgate

    While NAT-T does help Mobile IPsec work in more scenarios, it already works fine in plenty of other places.

    I've had mobile IPsec clients working for customers for quite a while now, even without NAT-T. I think I started using it with pfSense 1.2.1.

    You can also use mobile tunnels for pfSense-to-pfSense IPsec, if one end is on a dynamic IP, though now you can use DynDNS hostnames for the remote peer address so that isn't needed quite so much.

    It can be used for any IPsec connection you need where one side is static and the other end is somewhere unknown.



  • Just reviewed my settings and I have statically assigned addresses only. Right now it looks like mobile clients have to use static addresses. Hopefully in release 2.0 they will have DHCP for mobile road warriors.
    RC



  • Yes, DHCP on IPsec would be really helpful. I'm surprised the DHCP server doesn't have a tab for IPsec already. It must be possible to do this without the GUI. Does anyone have any advice on this?



  • @jimp:

    While NAT-T does help Mobile IPsec work in more scenarios, it already works fine in plenty of other places.

    I've had mobile IPsec clients working for customers for quite a while now, even without NAT-T. I think I started using it with pfSense 1.2.1.

    You can also use mobile tunnels for pfSense-to-pfSense IPsec, if one end is on a dynamic IP, though now you can use DynDNS hostnames for the remote peer address so that isn't needed quite so much.

    It can be used for any IPsec connection you need where one side is static and the other end is somewhere unknown.

    Oh OK! I finally understand: it helps but isn't necessary…

    Thank you !

