[Vpn-help] Help needed to configure Windows client
mgrooms at shrew.net
Tue Apr 22 09:18:50 CDT 2008
Mustafa Jamil wrote:
> Hello folks.
Thanks for your interest in the Shrew Soft VPN Client.
> I am an IPSec newbie (which explains why I'm having to post on this list) that is trying to map configuration between what I enter in /etc/ipsec.conf on a linux system and what goes into the GUI in the ShrewSoft VPN Client. I'm failing to get anywhere.
Sorry for the delayed response. I just returned from a 6 week hiatus.
Now that I am back, client development work will resume and I will be
more active on the mailing list.
> Here's my (very simple) ipsec.conf:
> As you can tell, I'm using AH to authenticate, and ESP to encrypt, data between two hosts in transport mode. The keys are manually provided in the file, so no IKE processing is necessary.
> If my destination host is a linux box, enabling this configuration is trivial: I just copy this file to that machine, switch the in/out params in the policy statements, and voila - things work.
The major problem here is that the Shrew Soft VPN Client is designed
from the ground up to use IKE to negotiate IPsec connectivity. You will
need to install racoon or Strong/OpenSWAN to support client connections.
BTW: The ESP protocol handles message encryption as well as message
authentication so there is little point to doing AH+ESP. AH does not
support message encryption and is typically only used for situations
where message authentication is desired but one side of the connection
doesn't support ESP w/o encryption. Another thing that makes ESP more
attractive is that it is much better defined for use with protocol
extensions such as NAT Traversal.
> But I'm baffled with how to enable this simple configuration through the Windows ShrewSoft VPN Client GUI.
I can see why it's confusing. The client does not support manually keyed
connections. This is very insecure as there is no peer authentication
and/or dynamic keying. This is what IKE is for :)
> Can someone please help me out?
Yes. Please start by having a look at the vpn client administrators
guide on the Shrew Soft web site. It provides examples and instruction
on how to install and configure ipsec tools on a *nix host for client
connectivity. Please make sure you use the ipsec tools 0.7 version or
Pay close attention to the following sections ...
Using the VPN Client
  \ VPN Gateway Configuration
    \ Configuring IPsec Tools
> P.S. Separate question: does the Unix client work on the BSD-derived Mac OS X Mach kernel?
The short answer is that a Mac OSX port does not currently exist.
Here are some notes: Although 99% of the code should work out of the
box, the client currently relies on the standard tun/tap interface
which, as far as I know, is not supported on the OSX platform. There is
a 3rd party effort to get this going primarily for use with OpenVPN.
But even if tun/tap existed, the cmake system used to build the client
is not currently setup to support OSX. Getting the entire port up and
running probably wouldn't take more than a week for a capable developer
that is familiar with the platform. All the *nix related Shrew Soft
source code is available from the public subversion repository under a
liberal open source license so feel free to give this a shot if you're up
to the challenge. Patches go to me :)
While I do plan to port the Shrew Soft client to OSX in the future,
there is already an excellent free VPN Client suite based on ipsec tools
named IPSecuritas. I have heard lots of good things about it so it's
probably well worth looking into.
If you have any further questions, please don't hesitate to ask. There
are several folks on the list using Linux for their VPN gateway OS that
would be willing to help with any questions or problem resolutions. Of
course, I will do what I can to help as well.
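Added illustration for readers of the archive (not part of this thread, and not code from the Shrew Soft client or its documentation): the two-host transport-mode setup the question describes, written as a setkey script for ipsec-tools, the package the reply points to. The original ipsec.conf is not reproduced in the archive, so this is not a translation of that file; the addresses, SPIs and hex keys are made-up placeholders. Section A is the ESP-only form the reply recommends, where ESP's own integrity check replaces AH; section B is the AH+ESP form from the question, kept for comparison. Both are manually keyed, which is exactly the property the reply calls insecure: the keys never change, and nothing authenticates the peer beyond possession of the file. That is what IKE (racoon plus the Shrew client) replaces.

```conf
# setkey script for host A (192.0.2.10) talking to host B (192.0.2.20).
# Constructed example; addresses, SPIs and keys are placeholders, not
# values from the thread. In practice each key must be random and unique
# per SA. Lengths are visible in the hex: aes-cbc 128-bit key = 32 hex
# digits, hmac-sha1 key = 40 hex digits.
# Load with:  setkey -f <this file>   (as root). On host B, load the same
# SAs and swap the src/dst ordering of the -P in / -P out policies.

flush;
spdflush;

## Section A: ESP only, carrying both encryption (-E) and integrity (-A).
## One IPsec header per packet; no AH needed. ESP also does not cover the
## outer IP header, so unlike AH it survives NAT (with NAT-T under IKE).

add 192.0.2.10 192.0.2.20 esp 0x1001 -m transport
    -E aes-cbc 0x000102030405060708090a0b0c0d0e0f
    -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
add 192.0.2.20 192.0.2.10 esp 0x1002 -m transport
    -E aes-cbc 0x0f0e0d0c0b0a09080706050403020100
    -A hmac-sha1 0x14131211100f0e0d0c0b0a090807060504030201;

spdadd 192.0.2.10 192.0.2.20 any -P out ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec esp/transport//require;

## Section B: the AH+ESP layout from the question, for comparison only.
## Load it INSTEAD of section A's spdadd lines (the SPD selectors are the
## same, so setkey will not accept both sets of policies). Every packet
## gets two IPsec headers, and AH fails across NAT because it
## authenticates the outer IP header.
#
# add 192.0.2.10 192.0.2.20 ah 0x2001 -m transport
#     -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;
# add 192.0.2.20 192.0.2.10 ah 0x2002 -m transport
#     -A hmac-sha1 0x14131211100f0e0d0c0b0a090807060504030201;
#
# # ESP with encryption only; integrity is left to the AH layer.
# add 192.0.2.10 192.0.2.20 esp 0x2003 -m transport
#     -E aes-cbc 0x000102030405060708090a0b0c0d0e0f;
# add 192.0.2.20 192.0.2.10 esp 0x2004 -m transport
#     -E aes-cbc 0x0f0e0d0c0b0a09080706050403020100;
#
# spdadd 192.0.2.10 192.0.2.20 any -P out ipsec
#     esp/transport//require ah/transport//require;
# spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec
#     esp/transport//require ah/transport//require;
```

To check what the kernel actually holds after loading, `setkey -D` dumps the SAD and `setkey -DP` dumps the SPD; the esp entries in section A should show both the E and A algorithms, which is the visible difference from section B's encryption-only esp entries. Neither section is something the Shrew Soft client can consume: the client only speaks IKE, so the static `add` lines above are replaced by SAs that racoon negotiates and rekeys, with the policies coming from racoon's configuration as described in the administrator's guide.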