4. Shrewsoft VPN Client - couple of notes for Mutual RSA (to avoid waste of time)

Shrewsoft VPN Client - couple of notes for Mutual RSA (to avoid waste of time)

  • D
    Banned

    After wasting a couple of hours with this darned thing, here's a couple of warnings for those who are trying to use Mutual RSA/Mutual RSA + xauth with Shrew Soft VPN Client

    • do NOT use any intermediate CA for the Phase 1 "My Certificate" - it will not work no matter what. They never fixed the darned bug properly.
    • even if you don't use an intermediate CA, it still will NOT work until you've produced a PKCS12 keystore for the Server Certificate Authority File.

    To get the darned thing working, you can proceed somehow like this:

    • export the cert of the CA used for IPsec (CA.crt)
    • export the IPsec cert itself (IPsec.crt)
    • export the IPsec key (IPsec.key)
    • produce the PKCS12 keystore:
    
openssl pkcs12 -export -chain -CAfile CA.crt -in IPsec.crt -inkey IPsec.key -out IPsec.p12
    • use that for Authentication - Credentials -  Server Certificate Authority File.

    Shame on you, Shrew Soft.  ::)  >:(

    0
  • Rebel Alliance Developer Netgate

    In the pfSense cert manager you can export the ca+cert+key as a .p12 natively. It's the third down arrow ("v") in the cert manager list.

    The author of the Shrew Soft client (mgrooms) used to be a pfSense dev and last I heard he's pretty responsive and willing to fix things.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy