[vpn-help] Shrew soft used to access services on VPN server itself

Kevin VPN kvpn at live.com
Thu Jul 26 21:29:21 CDT 2012


On 07/25/2012 06:54 AM, MikuslawProxy wrote:
> Hi,
>
> I have a question for you guys. I've been trying for some time to figure out
> how to use Shrewsoft in my use case. I want to use it to connect to an
> IPSEC server and encrypt traffic between my computer and that server
> itself (a server with some services and not a VPN appliance). The
> Shrewsoft forces NONE policies being added for the server IP, so no
> traffic that is directed at the server or from the server is
> encrypted.
>
> Does Shrewsoft support other use cases than a VPN appliance used to
> access other servers behind the tunnel?
>

I don't think that's how Shrew (or maybe even IPsec) is supposed to 
work, although I suppose MS does something similar with its DirectAccess 
bit.

I think the easiest way to do that might be to give the server a second 
IP address.  Use one of the IPs as the listener IP for the IPsec server 
and the other IP for all the other services.  I would see if you can 
give the box a second Internet IP and bind the IPsec service to that IP. 
Shrew would connect to the gateway on the second (new) IP and on the 
Policy tab you would specify the original Internet IP be protected. 
That might work.

If it doesn't, assuming that you're running a Linux box, you could build 
a network inside your server.  Add a virtual interface to the machine 
and give it some private IP (e.g. 172.16.0.1 on eth0:1).  Also configure 
your services (e.g. Apache) to bind to all interfaces.  Then configure 
your IPsec service to listen on your real Internet interface (e.g. eth0) 
and have it offer access to the private network on the virtual interface 
(eth0:1 172.16.0.1/32).  You may also have to enable routing and play 
with the firewall on the Linux machine, I'm not sure.

Then configure Shrew to connect to the Internet IP and on the Site 
Configuration Policy tab put in the private IP (172.16.0.1/32).  You'll 
then need to try to connect to your services using the private IP 
instead of the Internet IP.


Disclaimer:  I've never done any of this before, so it is just as likely 
to blow up your machine as it is to work.  Please be careful and save 
copies of files before you change them. :)
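To see why the three layouts in this thread behave differently, here is an added example (not from the original thread or from Shrew Soft) that models the client's policy selection: the client always adds a NONE (bypass) policy for the gateway's own /32 so IKE/ESP packets are not fed back into the tunnel, and only the networks on the Policy tab are protected. Addresses 198.51.100.10/11 and 172.16.0.1 are constructed; the longest-prefix-wins, bypass-on-tie rule is an assumption that reproduces the behaviour the poster describes.

```python
"""Model of a Shrew Soft-style client policy table (constructed, not the
client's real SPD code). NONE = send in the clear, PROTECT = through ESP."""
import ipaddress


def build_policies(gateway_ip, protected_networks):
    """Constructed policy table: the gateway's own /32 is always NONE,
    every network entered on the Site Configuration Policy tab is PROTECT."""
    policies = [(ipaddress.ip_network(f"{gateway_ip}/32"), "NONE")]
    policies += [(ipaddress.ip_network(net), "PROTECT") for net in protected_networks]
    return policies


def lookup(dst_ip, policies):
    """Return the action for dst_ip. Longest prefix wins; on an equal prefix
    the forced NONE entry for the gateway takes precedence (assumption that
    matches the 'forces NONE policies' behaviour in the question). Anything
    not on the Policy tab defaults to NONE (split tunnel)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, action in policies:
        if dst not in net:
            continue
        rank = (net.prefixlen, action == "NONE")
        if best is None or rank > best[0]:
            best = (rank, action)
    return best[1] if best else "NONE"


# Layout 1 (the poster's problem): one public IP serves both IKE and the services.
SINGLE_IP = build_policies("198.51.100.10", ["198.51.100.10/32"])
# Layout 2 (first suggestion): IKE listens on a second public IP, Policy tab
# protects the original service IP.
TWO_IPS = build_policies("198.51.100.11", ["198.51.100.10/32"])
# Layout 3 (second suggestion): IKE on the public IP, services reached via the
# private alias 172.16.0.1 on eth0:1.
PRIVATE_ALIAS = build_policies("198.51.100.10", ["172.16.0.1/32"])


def summary():
    """Action chosen for the service address in each layout."""
    return {
        "single_ip": lookup("198.51.100.10", SINGLE_IP),
        "two_ips": lookup("198.51.100.10", TWO_IPS),
        "private_alias": lookup("172.16.0.1", PRIVATE_ALIAS),
    }


if __name__ == "__main__":
    print(summary())
```

The point to check on the real box is the same: traffic to the address you actually use for the services must fall under a PROTECT entry, not under the gateway's forced NONE entry.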
