Shrewsoft VPN Client - couple of notes for Mutual RSA (to avoid waste of time)

  • Banned

    After wasting a couple of hours with this darned thing, here's a couple of warnings for those who are trying to use Mutual RSA/Mutual RSA + xauth with Shrew Soft VPN Client

    • do NOT use any intermediate CA for the Phase 1 "My Certificate" - it will not work no matter what. They never fixed the darned bug properly.
    • even if you don't use an intermediate CA, it still will NOT work until you've produced a PKCS12 keystore for the Server Certificate Authority File.

    To get the darned thing working, you can proceed somehow like this:

    • export the cert of the CA used for IPsec (CA.crt)
    • export the IPsec cert itself (IPsec.crt)
    • export the IPsec key (IPsec.key)
    • produce the PKCS12 keystore:
    openssl pkcs12 -export -chain -CAfile CA.crt -in IPsec.crt -inkey IPsec.key -out IPsec.p12
    • use that for Authentication - Credentials -  Server Certificate Authority File.

    Shame on you, Shrew Soft.  ::)  >:(

  • Rebel Alliance Developer Netgate

    In the pfSense cert manager you can export the ca+cert+key as a .p12 natively. It's the third down arrow ("v") in the cert manager list.

    The author of the Shrew Soft client (mgrooms) used to be a pfSense dev and last I heard he's pretty responsive and willing to fix things.

Log in to reply