Connecting the ShrewSoft VPN client to a Juniper SRX
Our standard architecture for private clouds includes security appliances that provide a fairly comprehensive set of security features, from stateless firewall to full intrusion detection. We like to use Juniper SRX devices, and I admit I'm a big fan of JunOS.
In the same vein as this post by Thomas, a client wished to use a Linux system to connect to their SRX-powered IPsec VPN using the Shrew Soft client. Searching the tubes for other people's experience connecting these two endpoints yielded... nothing. But after some poking and prodding, I got the client to connect. The main elements of the configuration that weren't immediately obvious were:
- Use "push" configuration mode
- Manually add the policies needed for the given VPN
I find the configuration modes are always named differently from one client to another -- Shrew Soft has push, pull, and dhcp; VPN Tracker has mode config, mode config (active), and mode config (passive); &c. Standard terminology would definitely simplify cross-vendor integrations. I would have liked to have this VPN client pulling the network policies from the SRX. VPN Tracker is able to do this, and the Shrew Soft client has a configuration option for it, but it didn't work in my test setup. Below is the complete client configuration. The test node was a Debian 6 VM; the only packages beyond the base install were those needed to build the client (2.1.7, current at the time of writing).
b:auth-mutual-psk:eA==
n:client-addr-auto:1
n:client-banner-enable:1
n:client-dns-auto:1
n:client-dns-used:1
n:network-dpd-enable:1
n:network-frag-size:540
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:60
n:network-notify-enable:1
n:phase1-dhgroup:2
n:phase1-keylen:256
n:phase1-life-kbytes:0
n:phase1-life-secs:28800
n:phase2-keylen:256
n:phase2-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-pfsgroup:2
n:policy-list-auto:0
n:policy-nailed:1
n:vendor-chkpt-enable:0
n:version:2
s:client-ip-addr:0.0.0.0
s:client-ip-mask:255.255.255.255
s:client-dns-addr:126.96.36.199
s:client-dns-suffix:
s:network-host:vpn.example.com
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-client-data:vpn.example.com
s:ident-server-type:address
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
s:policy-level:auto
s:policy-list-include:10.10.10.0 / 255.255.255.0
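The site file above is a flat list of typed `type:key:value` lines (b = base64 binary, n = number, s = string). As an added example, not code from the original post or from the Shrew Soft project, here is a small Python checker that parses that format and verifies the two non-obvious settings (push mode, and policy-list-auto:0 with at least one hand-added policy), turning each "net / mask" entry into a network object along the way. It assumes that several included networks appear as repeated policy-list-include lines, and the sample it embeds is a constructed, trimmed copy of the configuration above.

```python
import base64
import ipaddress
# Constructed sample: a trimmed copy of the site-file format shown above.
SAMPLE = """\
b:auth-mutual-psk:eA==
n:policy-list-auto:0
s:client-auto-mode:push
s:auth-method:mutual-psk-xauth
s:phase1-exchange:aggressive
s:policy-list-include:10.10.10.0 / 255.255.255.0
"""
def parse_site(text):
    """Parse 'type:key:value' lines: b = base64 bytes, n = int, s = string.
    Repeated keys (assumed for several policy-list-include lines) become a list."""
    cfg = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        kind, key, value = line.split(":", 2)
        if kind == "n":
            value = int(value)
        elif kind == "b":
            value = base64.b64decode(value)
        elif kind != "s":
            raise ValueError(f"unknown field type {kind!r} in {line!r}")
        prev = cfg.get(key)
        cfg[key] = value if prev is None else (prev if isinstance(prev, list) else [prev]) + [value]
    return cfg

def policy_networks(cfg):
    """Turn 'net / mask' include entries into ip_network objects (strict: host bits must be 0)."""
    entries = cfg.get("policy-list-include", [])
    nets = []
    for entry in entries if isinstance(entries, list) else [entries]:
        net, mask = (part.strip() for part in entry.split("/"))
        nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=True))
    return nets

def check_push_config(cfg):
    """Findings for the two settings the post had to discover, plus one IKE caveat."""
    findings = []
    if cfg.get("client-auto-mode") != "push":
        findings.append("client-auto-mode is not 'push'")
    if cfg.get("policy-list-auto") != 0:
        findings.append("policy-list-auto must be 0 when policies are added by hand")
    if not policy_networks(cfg):
        findings.append("no policy-list-include: nothing will be routed into the tunnel")
    if cfg.get("phase1-exchange") == "aggressive" and "psk" in str(cfg.get("auth-method")):
        findings.append("aggressive mode with a PSK: the PSK-derived hash travels unencrypted, use a long random key")
    return findings
```

Run `check_push_config(parse_site(open("site.vpn").read()))` against a real site file; an empty list means the push-mode prerequisites are in place.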