Thursday, November 8, 2012

Shrew Soft VPN Client with Juniper/Netscreen IPSEC

[Originally posted July 30, 2010]

Shrew Soft's VPN client is free and remarkably cross-platform. I needed it for Windows 7 notebooks. While there's already a nice write-up on how to configure a preshared-key-with-XAuth scheme, my particular situation called for a separate preshared key for each user and no XAuth. So that's the (relatively!) simple setup I'll be documenting here.

A bit of history: Juniper Networks purchased Netscreen in '04. The Netscreen brand continued to be used on Firewall/VPN devices for several years following that (which is when I earned technical certification on them), but these are now simply Juniper "Secure Services Gateway[s]." I'll call the device the "firewall" to stay neutral. Screenshots are from a NS5GT; details may vary slightly.


Sample Parameters

Obviously, these won't actually work. The 'X's stand for unspecified numerical values.

192.168.1.0 /24 — Business LAN
10.X.X.X — Firewall public IP
roadwarrior — User name
corporation.inc — Business URL
1234567895 — roadwarrior's preshared key


Routing

Routing on the Netscreen should already be set up unless this is the first VPN configured on the firewall. Something along these lines should work:

untrust-vr entry
IP/Netmask — 192.168.1.0 /24
Gateway — trust-vr
Interface — -

trust-vr entry
IP/Netmask — 192.168.1.0 /24
Gateway — 0.0.0.0
Interface — ethernet1

And if there isn't already a name for the LAN subnet, add it to Objects->Addresses->List->Trust->New.

Address Name — corporation.inc LAN
IP/Netmask — 192.168.1.0 /24
Zone — Trust


User Setup

Objects->Users->Local->New

User Name — roadwarrior
Status — Enable
IKE User — Checked
IKE ID Type — Auto
IKE Identity — roadwarrior@corporation.inc



Phase 1 Setup

VPNs->AutoKey Advanced->Gateway->New

Gateway Name — roadwarrior P1
Security Level — Standard
Remote Gateway Type — Dialup User
User — roadwarrior
Preshared Key — 1234567895
Use As Seed — Unchecked
Outgoing Interface — ethernet3


Click Advanced.

Mode (Initiator) — Aggressive
Enable NAT Traversal — Checked
UDP Checksum — Unchecked
Keepalive Frequency — 20
[Authentication Section] — None


Click Return, then Ok.


Phase 2 Setup

VPNs->AutoKey IKE->New

VPN Name — roadwarrior P2
Security Level — Custom
Remote Gateway — roadwarrior P1


Click Advanced.

Security Level — Custom
Phase 2 Proposals:
* nopfs-esp-3des-md5
* nopfs-esp-3des-sha
* nopfs-esp-aes128-md5
* nopfs-esp-aes128-sha
Replay Protection — Checked
...the rest of the settings on this page shouldn't need changing from default:
Transport Mode — Unchecked
Bind to — None
Proxy-ID — Unchecked
Local (and Remote) IP/Netmask — 0.0.0.0 / [blank]
Service — Any
VPN Group — None
VPN Monitor — Unchecked
Source Interface — Default
Destination IP — 0.0.0.0
Optimized — Unchecked
Rekey — Unchecked


Click Return, then Ok.


Policy Setup

Policies.

From: Untrust
To: Trust
Click New.

Source Address — Dial-Up VPN
Destination Address — corporation.inc LAN
Service — Any
Action — Tunnel
Tunnel [VPN] — roadwarrior P2
Tunnel [L2TP] — None


Click Ok.


Shrew Soft Access Manager — General Tab

Host Name or IP Address — 10.X.X.X (the real value is shown on the firewall at Network->Interfaces->edit[ethernet3]->IP Address)
Port — 500
Auto Configuration — disabled
Address Method — Use an existing adapter and current address


Shrew Soft Access Manager — Client Tab

NAT Traversal — enable
NAT Traversal Port — 4500
Keep-alive Packet rate — 15
IKE Fragmentation — enable
Maximum Packet size — 540

Enable Dead Peer Detection — Checked
Enable ISAKMP Failure Notifications — Checked


Shrew Soft Access Manager — Name Resolution Tab

All unchecked. Of course this sort of thing can be set up if you prefer. I'm using it for a simple case which does not need DNS.


Shrew Soft Access Manager — Authentication Tab

Authentication — Mutual PSK

Local Identity subtab
Identification Type — User Fully Qualified Domain Name
UFQDN String — roadwarrior@corporation.inc


Remote Identity subtab
Identification Type — IP Address
Address String — [blank]
Use a discovered remote host address — Checked


Credentials subtab
Preshared Key — 1234567895


Shrew Soft Access Manager — Phase 1 Tab

Exchange Type — aggressive
DH Exchange — group 2
Cipher Algorithm — auto
Hash Algorithm — auto
Key Life Time limit — 86400
Key Life Data limit — 0
Enable Check Point Compatible Vendor ID — Unchecked


Shrew Soft Access Manager — Phase 2 Tab

Transform Algorithm — auto
HMAC Algorithm — auto
PFS Exchange — disabled
Compress Algorithm — disabled
Key Life Time limit — 3600
Key Life Data limit — 0


Shrew Soft Access Manager — Policy Tab

Maintain Persistent Security Associations — Unchecked
Obtain Topology Automatically or Tunnel All — Unchecked

Click Add.
Type — Include
Address — 192.168.1.0
Netmask — 255.255.255.0


Click Ok, then Save.


...now try connecting. When it fails the first time, check the log entries on the firewall. When those are unclear, see the blog post immediately prior to this one on detailed VPN troubleshooting.
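Rolling the client side out to several notebooks, each with its own preshared key, is easier from site files than from clicking through the tabs on every machine. The following is an added example (not from the original post and not Shrew Soft's code) that renders one site file per user from the settings above; the key names are my assumption about the client's exported site-file format, and the user list is constructed.

```python
import base64
# Constructed sample users: name -> (IKE identity, preshared key). Not real credentials.
USERS = {"roadwarrior": ("roadwarrior@corporation.inc", "1234567895"),
         "roadwarrior2": ("roadwarrior2@corporation.inc", "9876543215")}

# Shared settings from the Access Manager tabs above. Key names are an assumption
# about the client's exported site-file format (one "type:key:value" per line;
# n = number, s = string, b = base64 bytes): compare with a file your client exports.
COMMON = """\
n:version:4
s:network-host:10.X.X.X
n:network-ike-port:500
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:enable
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
s:auth-method:mutual-psk
s:ident-client-type:ufqdn
s:ident-server-type:address
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
s:phase1-cipher:auto
s:phase1-hash:auto
n:phase1-life-secs:86400
s:phase2-transform:auto
s:phase2-hmac:auto
n:phase2-pfsgroup:-1
n:phase2-life-secs:3600
n:policy-list-auto:0
s:policy-list-include:192.168.1.0 / 255.255.255.0
"""

def site_file(user):
    """Shared settings plus this one user's IKE identity and preshared key."""
    ident, psk = USERS[user]
    psk_b64 = base64.b64encode(psk.encode()).decode()
    return COMMON + f"s:ident-client-data:{ident}\nb:auth-mutual-psk:{psk_b64}\n"

def parse_site_file(text):
    """Read a site file back into a dict: n values -> int, b values -> decoded str."""
    out = {}
    for line in text.splitlines():
        kind, key, value = line.split(":", 2)
        out[key] = int(value) if kind == "n" else base64.b64decode(value).decode() if kind == "b" else value
    return out
```

PFS is left off (pfsgroup -1) to match the nopfs-* Phase 2 proposals on the firewall; if you later switch the firewall to PFS proposals, this is the line to change.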
