Shrewsoft VPN Client - couple of notes for Mutual RSA (to avoid waste of time)
-
After wasting a couple of hours with this darned thing, here's a couple of warnings for those who are trying to use Mutual RSA/Mutual RSA + xauth with Shrew Soft VPN Client
- do NOT use any intermediate CA for the Phase 1 "My Certificate" - it will not work no matter what. They never fixed the darned bug properly.
- even if you don't use an intermediate CA, it still will NOT work until you've produced a PKCS12 keystore for the Server Certificate Authority File.
To get the darned thing working, you can proceed somehow like this:
- export the cert of the CA used for IPsec (CA.crt)
- export the IPsec cert itself (IPsec.crt)
- export the IPsec key (IPsec.key)
- produce the PKCS12 keystore:
openssl pkcs12 -export -chain -CAfile CA.crt -in IPsec.crt -inkey IPsec.key -out IPsec.p12- use that for Authentication - Credentials - Server Certificate Authority File.
Shame on you, Shrew Soft. ::) >:(
-
In the pfSense cert manager you can export the ca+cert+key as a .p12 natively. It's the third down arrow ("v") in the cert manager list.
The author of the Shrew Soft client (mgrooms) used to be a pfSense dev and last I heard he's pretty responsive and willing to fix things.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.