[Openswan Users] Shrew Soft VPN Client (freeware)

Jacco de Leeuw jacco2 at dds.nl
Sun Nov 19 12:04:31 EST 2006


> Has anyone tried the Shrew Soft VPN Client for Windows 2000/XP?
> It's freeware and has a lot of IPsec features, but for some
> reason I can't get it to *not* use Mode-Cfg...

The following post was brought to my attention:
http://lists.shrew.net/pipermail/vpn-help/2006-October/000610.html

I had disabled all ModeCfg settings mentioned in that post, except one:
"PFS Exchange" was not disabled because I figured that PFS had nothing
to do with ModeCfg (correct me if I'm wrong). Disabling PFS fixed the
issue.

I believe this IPsec client is a welcome addition to the list of clients
for Windows. There are tons of options that you can tweak. It may not
be the easiest client to configure but it has a VPN import option,
so you can provide users with a ready-made configuration.

The Shrew Soft VPN Client can be downloaded for free (as in free beer) from:
http://www.shrew.net/?page=software

A few notes:

- The Shrew Soft VPN Client supports a number of authentication options,
   including XAUTH. There are security issues with hybrid mode XAUTH
   (which is the default in the client) so I did not look into it.

- I've tested with a PSK ("Mutual PSK") and certificates ("Mutual RSA").
   For certificates I had to increase the maximum packet size (default:
   540 bytes) to something higher, like 1200. Another thing was that the
   certificate filenames were not passed correctly by the file selector,
   so I had to enter the filenames manually. Could be a bug.

- The client supports virtual adapters so you get an internal IP
   address. The address can be set manually but the client can also
   retrieve it and other settings such as DNS and WINS automatically
   with ModeCfg. I have not tried this.

- When you click "Connect" an ISAKMP SA is established but Quick Mode
   is only initiated when you attempt to access the remote network.

- The client announces a vendor ID "Cisco-Unity", which is a bit peculiar.

I'm attaching a simple configuration for a single road warrior with PSK
authentication. In this example the public IP address of the Openswan
server is 192.168.0.10 and the internal network located behind it is
192.168.3.0/24. The single client is assigned internal IP address
192.168.3.2.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
Attachments:
- ipsec.secrets: http://lists.openswan.org/pipermail/users/attachments/20061119/b61aa6f0/attachment.pl
- SHREWPSK.conf: http://lists.openswan.org/pipermail/users/attachments/20061119/b61aa6f0/attachment-0001.pl
- 192.168.0.10.vpn: http://lists.openswan.org/pipermail/users/attachments/20061119/b61aa6f0/attachment-0002.pl
- secure: http://lists.openswan.org/pipermail/users/attachments/20061119/b61aa6f0/attachment-0003.pl
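An Openswan-side configuration matching the road warrior setup described in the post (gateway public IP 192.168.0.10, internal network 192.168.3.0/24, client using 192.168.3.2, PSK authentication, PFS off to match the client's disabled "PFS Exchange"). This is an added illustration, not the attached SHREWPSK.conf or ipsec.secrets; the connection name, the NAT-T setting and the placeholder key are assumptions, and IKE/ESP proposals are left at Openswan defaults.

```ini
# --- /etc/ipsec.conf (added example; "shrewpsk" is an assumed connection name) ---
config setup
	interfaces=%defaultroute
	nat_traversal=yes

conn shrewpsk
	# Openswan gateway: its public address and the network behind it
	left=192.168.0.10
	leftsubnet=192.168.3.0/24
	leftnexthop=%defaultroute
	# Road warrior: connects from any address; 192.168.3.2 is the
	# internal IP set manually on the Shrew Soft virtual adapter
	right=%any
	rightsubnet=192.168.3.2/32
	# Pre-shared key from ipsec.secrets ("Mutual PSK" on the client)
	authby=secret
	# The client's Quick Mode only succeeded with "PFS Exchange" disabled,
	# so the gateway must not require PFS on this connection
	pfs=no
	# Load the connection and wait for the client to initiate
	auto=add

# --- /etc/ipsec.secrets (added example; placeholder key, replace it) ---
192.168.0.10 %any : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```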