[Vpn-help] Help needed to configure Windows client

Matthew Grooms mgrooms at shrew.net
Tue Apr 22 09:18:50 CDT 2008

Mustafa Jamil wrote:
> Hello folks.

Hello Mustafa,

Thanks for your interest in the Shrew Soft VPN Client.

> I am an IPSec newbie (which explains why I'm having to post on this list) that is trying to map configuration between what I enter in /etc/ipsec.conf on a linux system and what goes into the GUI in the ShrewSoft VPN Client.  I'm failing to get anywhere.

Sorry for the delayed response. I just returned from a 6-week hiatus. 
Now that I am back, client development work will resume and I will be 
more active on the mailing list.

> Here's my (very simple) ipsec.conf:


> As you can tell, I'm using AH to authenticate, and ESP to encrypt, data between two hosts in transport mode.  The keys are manually provided in the file, so no IKE processing is necessary.
> If my destination host is a linux box, enabling this configuration is trivial: I just copy this file to that machine, switch the in/out params in the policy statements, and voila - things work.

The major problem here is that the Shrew Soft VPN Client is designed 
from the ground up to use IKE to negotiate IPsec connectivity. You will 
need to install racoon or Strong/OpenSWAN to support client connections.

BTW: The ESP protocol handles message encryption as well as message 
authentication so there is little point to doing AH+ESP. AH does not 
support message encryption and is typically only used for situations 
where message authentication is desired but one side of the connection 
doesn't support ESP w/o encryption. Another thing that makes ESP more 
attractive is that it is much better defined for use with protocol 
extensions such as NAT Traversal.

> But I'm baffled with how to enable this simple configuration through the Windows ShrewSoft VPN Client GUI.

I can see why it's confusing. The client does not support manually keyed 
connections. This is very insecure as there is no peer authentication 
and/or dynamic keying. This is what IKE is for :)

> Can someone please help me out?

Yes. Please start by having a look at the VPN client administrator's 
guide on the Shrew Soft web site. It provides examples and instruction 
on how to install and configure ipsec tools on a *nix host for client 
connectivity. Please make sure you use the ipsec tools 0.7 version or 
later ...


Pay close attention to the following sections ...

Using the VPN Client
  Getting Started
    Client Authentication
    Client Management

Using the VPN Client
  VPN Gateway Configuration
    Configuring IPsec Tools

> Mustafa
> P.S.  Separate question: does the Unix client work on the BSD-derived Mac OS X Mach kernel?

The short answer is that a Mac OSX port does not currently exist.

Here are some notes: Although 99% of the code should work out of the 
box, the client currently relies on the standard tun/tap interface 
which, as far as I know, is not supported on the OSX platform. There is 
a 3rd party effort to get this going primarily for use with OpenVPN.


But even if tun/tap existed, the cmake system used to build the client 
is not currently set up to support OSX. Getting the entire port up and 
running probably wouldn't take more than a week for a capable developer 
that is familiar with the platform. All the *nix related Shrew Soft 
source code is available from the public subversion repository under a 
liberal open source license so feel free to give this a shot if you're up 
to the challenge. Patches go to me :)


While I do plan to port the Shrew Soft client to OSX in the future, 
there is already an excellent free VPN Client suite based on ipsec tools 
named IPSecuritas. I have heard lots of good things about it so it's 
probably well worth looking into.


If you have any further questions, please don't hesitate to ask. There 
are several folks on the list using Linux for their VPN gateway OS that 
would be willing to help with any questions or problem resolutions. Of 
course, I will do what I can to help as well.
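The contrast the reply draws, manually keyed SAs versus IKE-negotiated ones, in ipsec-tools syntax. This is an added example, not the poster's ipsec.conf (which is not reproduced in the archived message) and not taken from the Shrew Soft administrator's guide. The addresses (192.0.2.1 and 192.0.2.2), SPIs, hex keys and the pre-shared key are constructed placeholders. The first part is a setkey.conf of the kind the question describes: the ESP keys are static hex strings, so there is no peer authentication and the keys never change. The second part keeps only the SPD policy and lets racoon negotiate the SAs, which is where peer authentication (here a pre-shared key) and automatic rekeying come from; the client-specific racoon settings for Shrew Soft connections are in the guide the reply points to, so treat this as a minimal host-to-host IKE setup only.

```conf
# --- Part 1: /etc/ipsec-tools/setkey.conf, manually keyed (what the question describes) ---
# Constructed example. Static keys in a file: no peer authentication, no rekeying.
flush;
spdflush;

# One ESP SA per direction, transport mode, AES-128-CBC + HMAC-SHA1.
add 192.0.2.1 192.0.2.2 esp 0x1001 -m transport
    -E aes-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0001020304050607080910111213141516171819;
add 192.0.2.2 192.0.2.1 esp 0x1002 -m transport
    -E aes-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0x1918171615141312111009080706050403020100;

# Policy: all traffic between the two hosts must use ESP in transport mode.
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;

# --- Part 2: the IKE alternative, same policy, no "add" lines ---
# /etc/ipsec-tools/setkey.conf now carries only the SPD; racoon installs the SAs.
flush;
spdflush;
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;

# /etc/racoon/racoon.conf (constructed, host-to-host, pre-shared key authentication)
path pre_shared_key "/etc/racoon/psk.txt";

remote 192.0.2.2 {
    exchange_mode main;              # main mode protects the peer identity
    lifetime time 1 hour;            # phase 1 SA is rekeyed automatically
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 192.0.2.1 any address 192.0.2.2 any {
    pfs_group modp1024;              # fresh DH exchange for each phase 2 SA
    lifetime time 30 min;            # phase 2 SAs (the ESP keys) are rekeyed automatically
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# /etc/racoon/psk.txt (mode 0600): peer address, whitespace, shared secret
# 192.0.2.2   replace-with-a-long-random-secret
```

With Part 1, anyone holding the file holds the traffic keys for as long as the file is in use, and both hosts must be edited in lockstep to rotate them. With Part 2, `setkey -D` shows SAs only after racoon has authenticated the peer and completed the exchange, and the SPIs and keys change on every rekey.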
