whanson
New Member
February 28, 2012
Question

Shrew VPN Client setup examples

Greetings all, I'm trying to get the Shrew VPN client to connect to my ftg60C with little success. I've tried the example config from http://www.shrew.net/support/wiki/HowtoFortigate with no luck. Anyone else using this client that has a working config you'd be willing to share? Thanks!

    4 replies

    emnoc
    New Member
    February 28, 2012
    Shrew works fine, did you review all of the client configurations and ensure 100% that your client is configured for proper xauth, psk and ciphers? Rebuild your psk on the client, enable the correct xauth+psk or whatever methods, and lastly ensure the client's id-peer. On the ciphers, I typically avoid anything that says "auto" and set these to be the exact encryption ciphers.
    whanson (Author)
    New Member
    February 28, 2012
    I'm sure it does work fine.... That's why I'm trying to use it... I asked if anyone would be willing to share their config. The DHCP server settings have me confused; what is the default gateway supposed to be? I'm just looking for more samples to try and sort this out. I'm surprised there is only one configuration sample out there on the net. Can it be run in Interface mode instead, or is the Policy mode with IPSEC DHCP the only way to make it tick?
    emnoc
    New Member
    February 28, 2012
    The cfg in your reference should be all that you need and works. Back to the client, it's tricky if you don't understand the shrew net items, hence make sure you match the client to what your FGT is set up as and the point that I tried to make reference to from above. If your FGT is configured correctly, then any ipsec client should work, down to your iPhone or Android phone. Instead of us sharing our plain vanilla vpnclient configuration, why don't you post your config so we can see what you have or do not have set up? Or at least tell us what you're doing? xauth+psk, certs, etc... We can only guess at this point. Also, if you feel the configs are good (shrew client and FGT), then the shrew client has a great debugging feature that kinda makes it idiot proof as far as determining what the issue(s) are: bad psk, failed on xauth, etc... good luck
    whanson (Author)
    New Member
    February 29, 2012
    A fresh start and a new day seemed to do the trick... I got it working this morning in interface mode. I'll give you some history and config summary. I currently have 3 site-to-site policy based VPNs set up, an interface dial-up VPN for iPhones, and the interface SSL-VPN set up for users to access via the web. I'm interested in using the Shrew client because the SSL-VPN is proving to be "too complicated" for some of my users. I love how clean and simple the iPhone VPN is, and have emulated that. I'll post the code I'm using now:
    config vpn ipsec phase1-interface
        edit "vpnSHREWint"
            set type dynamic
            set interface "wan1"
            set dhgrp 2
            set xauthtype auto
            set mode aggressive
            set mode-cfg enable
            set proposal 3des-md5 aes256-md5
            set authusrgrp "vpnShrewUsers"
            set ipv4-start-ip 192.168.113.1
            set ipv4-end-ip 192.168.113.254
            set ipv4-netmask 255.255.255.0
            set ipv4-dns-server1 192.168.100.11
            set ipv4-dns-server2 192.168.100.3
            set ipv4-split-include "lanLocal"
            set unity-support disable
            set psksecret ENC v/R36ZHyKgVwpUZ4g8/ISaoqtffvw41bhRQ
        next
    end
    config vpn ipsec phase2-interface
        edit "p2SHREWint"
            set pfs disable
            set phase1name "vpnSHREWint"
            set proposal 3des-md5 aes256-md5
            set keylifeseconds 3600
        next
    end
    config router static
        edit 1
            set comment "Default Route"
            set device "wan1"
            set gateway x.x.x.x
        next
        edit 2
            set device "ssl.root"
            set dst 192.168.111.0 255.255.255.0
        next
        edit 3
            set device "iPhoneVPN"
            set dst 192.168.112.0 255.255.255.0
        next
        edit 4
            set device "vpnSHREWint"
            set dst 192.168.113.0 255.255.255.0
        next
    end
    config firewall policy
        edit 21
            set srcintf "vpnSHREWint"
            set dstintf "internal"
            set srcaddr "VPN-shrew"
            set dstaddr "lanLocal"
            set action accept
            set schedule "always"
            set service "ANY"
        next
        edit 22
            set srcintf "internal"
            set dstintf "vpnSHREWint"
            set srcaddr "lanLocal"
            set dstaddr "VPN-shrew"
            set action accept
            set schedule "always"
            set service "ANY"
        next
    end
    My Shrew Client config is attached. Works great today, don't know what I was missing yesterday. Staring at it too long, most likely. Let me know what you think. Thanks, Wes
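Read with a defender's eye, the working config above carries a few settings worth revisiting once the tunnel is up: 3des-md5 proposals, aggressive mode with a PSK, DH group 2, and PFS disabled in phase2. As an added example that is not from the thread or from Fortinet, here is a small Python checker that parses FortiGate CLI text in the posted config/edit/set/next/end format and flags those settings; the legacy-algorithm list and the sample excerpt (with a placeholder PSK) are constructed assumptions.

```python
# Added example, not from the thread: parse FortiGate CLI text and flag weak dial-up IPsec settings.
import re

LEGACY_ALGS = {"des", "3des", "md5", "sha1", "null"}  # assumption: treat these as legacy

def parse_fortigate(text):
    """Build {section: {entry: {key: value}}} from config/edit/set/next/end lines."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append((stack[-1] if stack else root).setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip('"'), {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = value.replace('"', "")
        elif line in ("next", "end"):
            stack.pop()
    return root

def audit_dialup(cfg):
    findings = []  # one entry per weak phase1/phase2 setting
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if set(re.split(r"[\s-]+", p1.get("proposal", ""))) & LEGACY_ALGS:
            findings.append(f"{name}: legacy phase1 proposal ({p1['proposal']})")
        if p1.get("mode") == "aggressive" and "psksecret" in p1:
            findings.append(f"{name}: aggressive mode with PSK (prefer main mode or certificates)")
        if set(p1.get("dhgrp", "").split()) & {"1", "2", "5"}:  # 768/1024/1536-bit MODP
            findings.append(f"{name}: small DH group ({p1['dhgrp']})")
    for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        if p2.get("pfs") == "disable":
            findings.append(f"{name}: PFS disabled (phase2 keys derive from the phase1 secret)")
    return findings

# Constructed excerpt modelled on the posted config; the PSK value is a placeholder.
SAMPLE = """config vpn ipsec phase1-interface
    edit "vpnSHREWint"
        set dhgrp 2
        set mode aggressive
        set proposal 3des-md5 aes256-md5
        set psksecret ENC PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "p2SHREWint"
        set pfs disable
    next
end"""
```

Running `audit_dialup(parse_fortigate(SAMPLE))` returns four findings for the sample; the same call on a config using main mode, DH group 14 and aes256-sha256 returns none.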