[Vpn-help] PIX + Shrew Soft Client Config

Marc Goldburg mgoldburg at assia-inc.com
Fri Nov 2 00:10:33 CDT 2007 

With Matthew's help, I now have the Shrew Soft client v2.0.2 working 
reliably with a PIX501 running PIX release 6.3.  The configs for both 
the PIX and the client are attached below in the hope that they'll be 
useful to others.

The setup is as follows.

    * PIX protecting single inside net of 172.17/16.
    * VPN clients are assigned addresses from 172.18.0/24
    * PIX external address is 1.1.1.2
    * PIX's main function is handling remote client VPN connections from
      the outside (e.g., PIX does not provide dhcpd service for inside
      machines, router-router tunnels, ...)
    * auto policy config for the client from the PIX for split tunnel,
      split DNS and inside topology
    * per-user VPN access usernames and passwords locally authenticated
      at PIX using XAUTH

The only two parameters that need to be changed in the client config are 
the following.

    s:network-host:1.1.1.2   [change to your PIX's outside address]
    s:auth-mutual-psk:PreSharedKey  [change to the vpngroup password from PIX]
      

Good luck!

------------------ CUT HERE ---------------

! inside interface on 172.17/16 net.  Outside interface is 1.1.1.2 with 
! default gateway of 1.1.1.1
hostname rc-pix501-1
domain-name abc.com
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 1.1.1.2  255.255.255.224
ip address inside 172.17.0.6 255.255.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
mtu outside 1500
mtu inside 1500
! in2out access list describes traffic from inside to vpn clients
! who will eventually be assigned Class C addresses in 172.18.0
names
access-list in2out permit ip 172.17.0.0 255.255.0.0 172.18.0.0 255.255.255.0 
! unencrypted traffic from the inside to the outside world will
! have the PIX's external IP address.  First nat command says don't nat traffic
! from inside machines to VPN clients
global (outside) 1 interface
nat (inside) 0 access-list in2out
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! set up local authentication for these two users (will be used by XAUTH)
aaa-server LOCAL protocol local 
username bill password XXX encrypted privilege 2
username bob password XXX encrypted privilege 2
! ip address pool for assignments to VPN clients
ip local pool clientpool 172.18.0.2-172.18.0.11 mask 255.255.255.0
! enable AES256+MD5 ISAKMP on outside interface with pre-shared key
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp log 25
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
! disable access control checking on traffic within IPSEC tunnels and enable
! AES256+MD5 transforms.  "... authentication LOCAL" enables XAUTH
sysopt connection permit-ipsec
crypto ipsec transform-set trset2 esp-aes-256 esp-md5-hmac 
crypto dynamic-map ipsec_map 1 set transform-set trset2
crypto map outside_map 65535 ipsec-isakmp dynamic ipsec_map
crypto map outside_map client authentication LOCAL 
crypto map outside_map interface outside
! vpngroup defines IP address pool and DNS/routing information that will be 
! pulled down by client.  "remoteClient" is the key identifier for the 
! client's local identity
vpngroup remoteClient address-pool clientpool
vpngroup remoteClient dns-server 172.17.0.2
vpngroup remoteClient default-domain abc.com
vpngroup remoteClient split-tunnel in2out
vpngroup remoteClient split-dns abc.com
vpngroup remoteClient idle-time 1800
vpngroup remoteClient password PreSharedKey
! PIX boilerplate follows
enable password XXX encrypted
passwd XXX encrypted
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
ip audit info action alarm
ip audit attack action alarm
pdm location 172.17.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
http server enable
http 172.17.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.17.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
------------------ CUT HERE ---------------
n:network-ike-port:500
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:1
s:network-host:1.1.1.2
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:0.0.0.0
s:client-ip-mask:0.0.0.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-wins-addr:0.0.0.0
s:client-dns-addr:0.0.0.0
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-server-type:address
s:ident-client-data:remoteClient
s:auth-mutual-psk:PreSharedKey
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
------------------ CUT HERE ---------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20071101/4a76c10c/attachment-0001.html>

More information about the vpn-help mailing list