Connecting the ShrewSoft VPN client to a Juniper SRX

(April 23, 2012, Posted in Platform Development by Brian Shore)

Our standard architecture for private clouds includes security appliances that provide a fairly comprehensive set of security features, from stateless firewall to full intrusion detection. We like to use Juniper SRX devices, and I admit I'm a big fan of JunOS.

In the same vein as this post by Thomas, a client wished to use a Linux system to connect to their SRX-powered IPSec VPN using the Shrew Soft client. Searching the tubes for other people's experience connecting these two endpoints yielded... nothing. But after some poking and prodding, I got the client to connect. The main elements of the configuration that weren't immediately obvious were:

  • Use "push" configuration mode
  • Manually add the policies needed for the given VPN

I find the configuration modes are always named differently from one client to another -- Shrew Soft has push, pull, and dhcp; VPN Tracker has mode config, mode config (active), and mode config (passive); &c. Standard terminology would definitely simplify cross-vendor integrations. I would have liked to have this VPN client pulling the network policies from the SRX. VPN Tracker is able to do this, and the Shrew Soft client has a configuration option for this, but it didn't work in my test setup. Below is the complete client configuration. The test node was a Debian 6 VM, extra stuff beyond the base install was added just to build the client (2.1.7, current at the time of writing).

b:auth-mutual-psk:eA==
n:client-addr-auto:1
n:client-banner-enable:1
n:client-dns-auto:1
n:client-dns-used:1
n:network-dpd-enable:1
n:network-frag-size:540
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:60
n:network-notify-enable:1
n:phase1-dhgroup:2
n:phase1-keylen:256
n:phase1-life-kbytes:0
n:phase1-life-secs:28800
n:phase2-keylen:256
n:phase2-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-pfsgroup:2
n:policy-list-auto:0
n:policy-nailed:1
n:vendor-chkpt-enable:0
n:version:2
s:client-ip-addr:0.0.0.0
s:client-ip-mask:255.255.255.255
s:client-dns-addr:8.8.8.8
s:client-dns-suffix:
s:network-host:vpn.example.com
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-client-data:vpn.example.com
s:ident-server-type:address
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
s:policy-level:auto
s:policy-list-include:10.10.10.0 / 255.255.255.0
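As an added example (not code from this post or from the Shrew Soft project), here is a small Python script that parses a site file in the format shown above and checks the two points the post identifies (push mode, and manually supplied policies when automatic policy retrieval is off), plus a few settings a reviewer would want to revisit before deploying the same file. It assumes that the `b:`, `n:` and `s:` prefixes mean base64-encoded binary, integer and string respectively, which the post does not state; the sample input is a subset of the post's own configuration, and the `eA==` key it carries decodes to a single byte, so it is clearly a placeholder.

```python
"""Parse and sanity-check a Shrew Soft client site (.vpn) file."""
import base64
import ipaddress

# Constructed sample input: the subset of the post's configuration that the
# checks below look at (values copied from the post; "eA==" decodes to b"x").
SAMPLE_CONFIG = """\
b:auth-mutual-psk:eA==
n:policy-list-auto:0
n:policy-nailed:1
n:phase1-dhgroup:2
n:phase2-pfsgroup:2
s:network-host:vpn.example.com
s:client-auto-mode:push
s:auth-method:mutual-psk-xauth
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:policy-list-include:10.10.10.0 / 255.255.255.0
"""

# Keys that may legitimately appear more than once (one line per network).
LIST_KEYS = ("policy-list-include", "policy-list-exclude")


def parse_vpn_file(text):
    """Parse "<type>:<key>:<value>" lines into a dict.

    Assumption (not stated in the post): type "n" is an integer, "s" is a
    string and "b" is a base64-encoded binary value, as the "eA==" PSK suggests.
    """
    config = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[0] not in ("b", "n", "s"):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        kind, key, value = parts
        if kind == "n":
            value = int(value)
        elif kind == "b":
            value = base64.b64decode(value, validate=True)
        if key in LIST_KEYS:
            config.setdefault(key, []).append(value)
        else:
            config[key] = value
    return config


def included_networks(config):
    """Turn "addr / mask" policy entries into ipaddress network objects."""
    nets = []
    for entry in config.get("policy-list-include", []):
        addr, sep, mask = (p.strip() for p in entry.partition("/"))
        if not sep:
            raise ValueError(f"policy entry {entry!r} is not 'addr / mask'")
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def check_config(config):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    # The two points the post found necessary against the SRX.
    if config.get("client-auto-mode") != "push":
        findings.append("client-auto-mode should be 'push' for the SRX")
    if config.get("policy-list-auto", 1) == 0 and not config.get("policy-list-include"):
        findings.append("policy-list-auto is 0 but there are no policy-list-include "
                        "lines: the tunnel comes up with no traffic selected into it")
    try:
        included_networks(config)
    except ValueError as exc:
        findings.append(f"bad policy-list-include entry: {exc}")
    # Settings a reviewer would want to revisit.
    psk = config.get("auth-mutual-psk", b"")
    if len(psk) < 16:
        findings.append(f"pre-shared key is only {len(psk)} byte(s); use a long random PSK")
    if (config.get("phase1-exchange") == "aggressive"
            and str(config.get("auth-method", "")).startswith("mutual-psk")):
        findings.append("aggressive mode with a PSK sends the identity in the clear and "
                        "exposes the PSK to offline guessing from a captured exchange; "
                        "prefer main mode where the gateway permits it")
    for key in ("phase1-dhgroup", "phase2-pfsgroup"):
        if config.get(key, 14) < 14:
            findings.append(f"{key}={config[key]} is below group 14 (2048-bit MODP), "
                            "the usual minimum in current guidance")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_vpn_file(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the post's configuration, the checks it was written for pass (push mode is set and a network is included), while the placeholder key, the aggressive-mode PSK exchange and DH group 2 are reported for review; a file with `policy-list-auto:0` and no include lines is the failure mode the post describes, and the script names it.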

-- bks

Tags: Juniper, SRX, VPN, IPSec, ShrewSoft
