Shrew Soft VPN client

I tested this using the Shrewsoft 2.2.2 release for Windows, the Ubuntu Linux “ike-qtgui” version 2.1.5 and IPCop 2.0.2. First, add the connection to IPCop, as in pageĀ Create CA & Certs , generating a certificate and save it to your USB flash drive.

Then install the Shrewsoft client, either on Windows or Linux. On Windows XP it should have created a folder in “My Documents” named “Shrew Soft VPN” with two folders in it, one of them named “certs”. On Linux, it is ~/.ike/certs. Copy the IPCop generated PKCS12 certificate to the “certs” folder. Then start the program, click “Add” and configure it as follows: Under the General tab, put in the IPCop dynamic DNS name or IPCop external IP address, set “Auto Configuration” to “disabled”, “address method” to “Use existing adapter and current address.” On the “Client” tab, set “NAT Traversal” to enabled, leave the NAT traversal port at “4500”, leave “Keep-alive packet rate” at “15” sec, change IKE fragmentation to “disable”, leave “Enable Dead Peer Detection” checked, but uncheck “ISAKMP failure notification” and “Enable Client Login Banner”. On the “Name Resolution” tab uncheck both “Enable WINS” and “Enable Split DNS” and add a public DNS server IP address. On the “Authentication” tab set “Authentication Method to “Mutual RSA”, then on the “Local” sub-tab set to “User Fully Qualified Domain Name” and put the email address used when the certificate was generated, I used “”. On the “Remote” sub-tab also put “User Fully Qualified Domain Name” and put in the email address on the server, I used “”. On the “Credentials” sub-tab, select “…” next to “Server Certificate Autority File”, which will automatically open up the “C:\Documents and Settings\<username>\My Documents\Shrew Soft VPN\certs folder” or ~/.ike/certs directory, change the “Save as type” to “PKCS #12 files(*.p12,*.pfx)” and then select the IPCop generated PKCS12 file copied earlier. Choose the same file for “Client Certificate File” and “Client Private Key File”. On the “Phase1” tab change “Exchange Type” to “main”, not “aggressive” and make sure that the “DH Group” is “group 2” and leave the rest at the defaults. On the “Phase 2” change the “PFS Exchange” to “group 2” and leave the rest at the defaults. On the “Policy” tab set the “policy generation” tab to “auto”, uncheck both “Maintain Persistent Security Associations” and “Obtain Topology Automatically or Tunnel All” and then click on “Add” under “Remote Network Resources” and choose “include”, put in the IP address of the network behind the IPCop firewall and the netmask of that network and click “Save” at the bottom.

Then click on the connection just defined to select it and then click on the “Connect” button. This will open up a new window. Click on the “Connect” button at the bottom of that window and it will ask you for the PKCS12 password that you used when you created the certificate on IPCop. If all goes well, it should connect.

Donald Trump is an idiot.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.