Type the same Mobile VPN user password again. If you use certificates for authentication, a second password dialog box appears.Type the Username and Password for the Mobile VPN user.The Shrew Soft VPN Connect dialog box appears. You must also know the user name and password.įor more information, see Install the Shrew Soft VPN Client Software. This will be configured to match in the client later, needless to say the algorithm we want to use in this case is AES specifically and that algorithm is part of the default "High" proposal list for both IKE and IPsec.įor Authentication we chose Pre-shared key and the PSK we created earlier.You can use the Shrew Soft VPN Client for Windows to connect to a Firebox that is configured for Mobile VPN with IPSec.īefore you can use the Shrew Soft VPN Client, you must install the client software and import the end-user profile (.vpn file). Lastly for the IKE (6) and IPsec (7)algorithms we leave them at their default values. Since we want to communicate with entire networks we cannot use transport mode.įor IKE Config Mode Pool (5) we select the CFG_Mode_Pool object we created earlier (it is always called Static). Remote Endpoint (3) is set to be all-nets, as we do not know from which IP our roaming clients are connecting from we must allow everything.Įncapsulation mode (4) we will leave at the default Tunnel mode. The more we can restrict and limit access the better, we also avoid situations where a client is incorrectly configured with a network that conflicts with the internal networks behind the Clavister. It also has a big advantage to specify which IP the client should use when accessing resources beyond the tunnel, that way we do not have to use "all-nets" as the remote network. It is a pre-caution for the future, we can extend the pool without having to change the networks on the IPsec tunnel. These are the two internal networks we want our client users to be able to access.įor the remote network (2) we use the CFG_Mode_Pool_Net object previously created, this object is a /24 network even though we are only using 10 addresses in the pool currently. The local network (1) we use the group we created that consists of our two example internal network 80.80.80.0/24 and 90.90.90.0/24. To configure the IPsec tunnel we apply our previously created objects as shown in the below picture. We also specify a DNS.Ĭonfiguring the IPsec tunnel in the Clavister: We do not use the entire /24 network but it can easily be extended in the future depending on the number of users involved. A Keyring->PSK for use on the IPsec tunnel called Shew_PSKĤ. A group of two internal networks (in this example the group consists of 80.80.80.0/24 and 90.90.90.0/24) called G2_G3_Net_Grp.Ģ. Note: Currently it is not possible to automatically hand out the network to the client as the Shewsoft client does not understand the "INTERNAL_IP4_SUBNET" Cfg Mode attribute Clavister is sending (may be subject to change in the future).Ĭonfiguring the Clavister, objects neededīefore we start configuring the tunnel we create the following objects:ġ. This article will describe how to configure the Shrewsoft VPN client towards a Clavister Security Gateway using Pre-Shared key and manually configured split-tunneling with automatically assigned IP address using CFG Mode.
0 Comments
Leave a Reply. |