SRX Services Gateway
Visitor
Posts: 7
Registered: ‎02-09-2011
0 Kudos
Accepted Solution

Can SRX series work with Shrew Soft VPN client?

Hi all,

I'm a newbie with Juniper…

I was just wondering whether the Shrew Soft VPN client (a third-party VPN client) is able to work with the Juniper SRX series. I succeeded in making the VPN connect using Juniper Access Manager, but not Shrew Soft. I know that Shrew Soft is able to work with the Juniper SSG series, but how about the SRX…

Can anybody advise on this? Here is my configuration.

Recognized Expert
Posts: 315
Registered: ‎11-01-2010

Re: Can SRX series work with Shrew Soft VPN client?

Yes, it works.

Here is a configuration that one of our internal gurus came up with; it has been tested in a lab with the Shrew client.

## Last changed: 2011-01-17 21:14:39 MST
version 10.4R1.9;
system {
    login {
        user admin {
            uid 2002;
            class super-user;
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file traffic-log {
            any any;
            match RT_FLOW;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.4.4.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 4.4.4.1/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.180.39/24;
            }
        }
    }
}
security {
    ike {
        proposal RemoteVPNPolicy1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy RemoteVPNIKE {
            mode aggressive;
            proposals RemoteVPNPolicy1;
            pre-shared-key ascii-text "$9$ywMeMXVwgUjq7-jqmfn6revW7-"; # SECRET-DATA
        }
        policy t400-ike-policy {
            mode aggressive;
            proposals RemoteVPNPolicy1;
            pre-shared-key ascii-text "$9$IcPhyKX7V4aUM8aUjH5TRhSrM8"; # SECRET-DATA
        }
        inactive: gateway RemoteVPN {
            ike-policy RemoteVPNIKE;
            dynamic user-at-hostname "remote@domain.com";
            external-interface ge-0/0/1.0;
        }
        gateway t400-ike-gw {
            ike-policy t400-ike-policy;
            dynamic {
                user-at-hostname "remote@domain.com";
                connections-limit 50;
                ike-user-type shared-ike-id;
            }
            external-interface ge-0/0/1.0;
            xauth access-profile t400-access;
        }
    }
    ipsec {
        proposal RemoteVPNIPSec {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy RemoteVPNIPSec {
            proposals RemoteVPNIPSec;
        }
        policy t400-ipsec-policy {
            proposals RemoteVPNIPSec;
        }
        inactive: vpn RemoteVPN {
            ike {
                gateway RemoteVPN;
                ipsec-policy RemoteVPNIPSec;
            }
            establish-tunnels on-traffic;
        }
        vpn t400-vpn {
            ike {
                gateway t400-ike-gw;
                ipsec-policy t400-ipsec-policy;
            }
        }
    }
    zones {
        security-zone corp {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            address-book {
                address hq-net-10-4-4 10.4.4.0/24;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy RemoteVPN {
                match {
                    source-address any;
                    destination-address hq-net-10-4-4;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn t400-vpn;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
access {
    address-pool t400-pool {
        address-range low 192.168.40.200 high 192.168.40.250 mask 255.255.255.0;
        primary-dns 10.4.4.75;
    }
    profile t400-access {
        authentication-order password;
        client joe {
            firewall-user {
                password "$9$K9QWX-YgJHqfVwqfTzCAvWLxVw"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool t400-assign-pool;
        }
    }
    address-assignment {
        pool t400-assign-pool {
            family inet {
                network 192.168.40.0/24;
                range t400-range {
                    low 192.168.40.101;
                    high 192.168.40.149;
                }
                xauth-attributes {
                    primary-dns 10.4.4.85/32;
                }
            }
        }
    }
}

Doug Hanks
JNCIE-ENT #213, JNCIE-SP #875

Follow me on Twitter @douglashanksjr
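The configuration above is a working starting point, but before copying it into production it is worth checking it mechanically. The following Python script is an added example, not code from the thread or from Juniper: it parses brace-style Junos text into nested dicts and audits it for legacy IKE algorithms, aggressive-mode pre-shared-key policies, dangling references (gateway to ike-policy, access profile to address-assignment pool) and unparsable pool masks. The embedded configuration excerpt is constructed to mirror the posted one, with the pre-shared key replaced by a placeholder and the "mask 55.255.255.0" typo kept so the audit has something to catch; the parser and the LEGACY set are my own assumptions, not a Juniper tool.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the configuration posted above (PSK replaced by a
# placeholder); the "mask 55.255.255.0" typo is kept on purpose so the audit catches it.
SAMPLE_CONFIG = """
security {
    ike {
        proposal RemoteVPNPolicy1 {
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
        }
        policy t400-ike-policy {
            mode aggressive;
            proposals RemoteVPNPolicy1;
            pre-shared-key ascii-text "<PSK-PLACEHOLDER>"; # SECRET-DATA
        }
        gateway t400-ike-gw {
            ike-policy t400-ike-policy;
        }
    }
}
access {
    address-pool t400-pool {
        address-range low 192.168.40.200 high 192.168.40.250 mask 55.255.255.0;
    }
    profile t400-access {
        address-assignment {
            pool t400-assign-pool;
        }
    }
    address-assignment {
        pool t400-assign-pool {
            family inet {
                network 192.168.40.0/24;
            }
        }
    }
}
"""

def parse_junos(text):
    """Brace-style Junos text -> nested dicts. Block headers become keys ("policy X",
    "inactive:" prefix dropped); a leaf maps its first word to the rest (or True)."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = re.sub(r"\s+#+.*$", "", raw).strip()   # drop "# SECRET-DATA" style trailers
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].replace("inactive:", "", 1).strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            cur = stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            cur[key] = value.strip() or True
    return root

def blocks(node, kind):
    """Yield (name, block) for child blocks whose header is '<kind> <name>'."""
    for header, child in node.items():
        if isinstance(child, dict) and header.startswith(kind + " "):
            yield header[len(kind) + 1:], child

# Assumed "legacy" set: algorithms and DH groups a current deployment should not rely on.
LEGACY = {"md5", "hmac-md5-96", "des-cbc", "3des-cbc", "group1", "group2"}

def audit(cfg):
    """Return finding strings: weak IKE settings, dangling references, bad pool masks."""
    findings = []
    ike = cfg.get("security", {}).get("ike", {})
    access = cfg.get("access", {})
    for name, prop in blocks(ike, "proposal"):
        for key in ("dh-group", "authentication-algorithm", "encryption-algorithm"):
            if prop.get(key) in LEGACY:
                findings.append(f"ike proposal {name}: legacy {key} {prop[key]}")
    policies = dict(blocks(ike, "policy"))
    for name, pol in policies.items():
        if pol.get("mode") == "aggressive" and "pre-shared-key" in pol:
            findings.append(f"ike policy {name}: aggressive mode with PSK "
                            "(peer identity and PSK-keyed hash are sent before encryption starts)")
    for name, gw in blocks(ike, "gateway"):
        if gw.get("ike-policy") not in policies:
            findings.append(f"ike gateway {name}: ike-policy {gw.get('ike-policy')} undefined")
    pools = dict(blocks(access.get("address-assignment", {}), "pool"))
    for name, prof in blocks(access, "profile"):
        ref = prof.get("address-assignment", {}).get("pool")
        if ref and ref not in pools:
            findings.append(f"access profile {name}: pool {ref} undefined")
    for name, pool in blocks(access, "address-pool"):
        m = re.search(r"mask (\S+)", str(pool.get("address-range", "")))
        if m:
            try:
                ipaddress.IPv4Network("0.0.0.0/" + m.group(1))   # rejects non-contiguous masks
            except ValueError:
                findings.append(f"address-pool {name}: invalid mask {m.group(1)}")
    return findings
```

Run `audit(parse_junos(open("config.txt").read()))` on a `show configuration` dump; the parser is deliberately simple (repeated leaf keys inside one block overwrite each other, and `#` is only treated as a comment at the start of a line or after whitespace), which is enough for the shape of configuration shown here. On the embedded excerpt it reports three legacy-algorithm findings, the aggressive-mode PSK policy, and the invalid mask, and nothing about references, because every referenced object is defined.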
Visitor
Posts: 7
Registered: ‎02-09-2011
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

Thanks Hanks, it's working with the Shrew client now.

But… I can't connect to the remote peer network, and there is no internet connection after the VPN is connected.

Do you have any idea?

Qin
Contributor
Posts: 12
Registered: ‎01-12-2011
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

It's doing global tunneling; you will need to create policies on your Juniper to allow the traffic out, or use split tunneling on the Shrew client.
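To see why the symptom above looks the way it does, here is an added Python model (my own construction, not Juniper's or Shrew's code) of the two decisions involved: whether the Shrew client puts a packet into the tunnel (its remote-network list, or "tunnel all"), and whether the posted SRX policy set then permits the decrypted packet to its destination zone. The zone table, the assumed default route out of ge-0/0/1, and the extra untrust-to-untrust egress rule are assumptions labelled in the code; only the untrust-to-trust policy to hq-net-10-4-4 comes from the posted configuration.

```python
import ipaddress

def in_net(ip, net):
    """True when the address falls inside the network (CIDR string)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

# Constructed model of the SRX in the posted configuration. Zone membership follows the
# interface addresses; the default route is assumed to point out of ge-0/0/1 (untrust).
ZONE_ROUTES = {
    "10.4.4.0/24": "trust",         # ge-0/0/0.0, hq-net-10-4-4
    "192.168.180.0/24": "corp",     # fe-0/0/7.0
    "4.4.4.0/24": "untrust",        # ge-0/0/1.0, the IKE external interface
    "0.0.0.0/0": "untrust",         # assumed default route
}

def destination_zone(dst):
    """Route lookup: longest-prefix match over the zone route table."""
    best = max((n for n in ZONE_ROUTES if in_net(dst, n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return ZONE_ROUTES[best]

# The only security policy in the posted configuration: untrust -> trust, any source,
# destination hq-net-10-4-4, permitted through ipsec-vpn t400-vpn.
POSTED_POLICIES = [{"from": "untrust", "to": "trust", "dst": "10.4.4.0/24"}]

# Assumed extra rule for the "create policies to allow the traffic out" option: decrypted
# client traffic enters in the untrust zone and leaves it again, so it needs an intra-zone
# untrust -> untrust permit (a real deployment also needs source NAT, not modelled here).
WITH_EGRESS_POLICY = POSTED_POLICIES + [{"from": "untrust", "to": "untrust", "dst": "0.0.0.0/0"}]

TUNNEL_ALL = ["0.0.0.0/0"]       # Shrew "Tunnel All": every destination goes into the tunnel
SPLIT_TUNNEL = ["10.4.4.0/24"]   # Shrew policy list containing only the remote network

def classify_flow(dst, remote_networks, policies):
    """Where does a packet from the VPN client to dst end up?"""
    if not any(in_net(dst, n) for n in remote_networks):
        return "direct"                 # client sends it via its own ISP; the SRX never sees it
    zone = destination_zone(dst)
    for p in policies:                  # source is "any" in the posted policy, so only dst matters
        if p["from"] == "untrust" and p["to"] == zone and in_net(dst, p["dst"]):
            return f"tunnel->{zone}"
    return f"dropped (no untrust->{zone} policy)"

def compare(targets=("10.4.4.75", "192.168.180.5", "8.8.8.8")):
    """Side-by-side outcome for the posted config, split tunneling, and an egress policy."""
    return {
        "tunnel-all, posted policies": {t: classify_flow(t, TUNNEL_ALL, POSTED_POLICIES) for t in targets},
        "split tunnel, posted policies": {t: classify_flow(t, SPLIT_TUNNEL, POSTED_POLICIES) for t in targets},
        "tunnel-all, egress policy added": {t: classify_flow(t, TUNNEL_ALL, WITH_EGRESS_POLICY) for t in targets},
    }

if __name__ == "__main__":
    for scenario, result in compare().items():
        print(scenario, result)
```

With "tunnel all", 8.8.8.8 is sent into the tunnel and then dropped for lack of an untrust-to-untrust policy, which is the "no internet" symptom; with only 10.4.4.0/24 in the client's policy list the same packet goes straight out via the client's own ISP. The corp network 192.168.180.0/24 needs either its own untrust-to-corp policy or, under split tunneling, an entry in the client's list.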

Distinguished Expert
Posts: 938
Registered: ‎10-09-2008
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

Hi

By the way, is a Dynamic VPN license still needed in this case for more than 2 users?

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Contributor
Posts: 104
Registered: ‎06-19-2009

Re: Can SRX series work with Shrew Soft VPN client?

Yes, Dynamic VPN licenses will be required.

Visitor
Posts: 1
Registered: ‎01-12-2011
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

Are you sure that Dynamic licenses are required for Shrew to work? It defeats the purpose of using a free VPN client. NCP does not require Dynamic licenses to be in place.

Thanks,

John

Qin
Contributor
Posts: 12
Registered: ‎01-12-2011
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

No, it does not require a Dynamic VPN license. I have about 60 Shrew VPN tunnels up at the moment.

Super Contributor
Posts: 244
Registered: ‎11-06-2007
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

Dynamic VPN licenses are only required if you are using JUNOS Pulse or Juniper Access Manager (JAM), where the device pushes the config and the client over to the PC. In this case you are not using Dynamic VPN, and hence it is not required.

GAP
New User
Posts: 3
Registered: ‎11-22-2011
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

In both my SRXs (version 10.2R3.10) I can't add these commands:

        address-assignment {
            pool t400-assign-pool;

Can it depend on the software version?

access {
    address-pool t400-pool {
        address-range low 192.168.40.200 high 192.168.40.250 mask 255.255.255.0;
        primary-dns 10.4.4.75;
    }
    profile t400-access {
        authentication-order password;
        client joe {
            firewall-user {
                password "$9$K9QWX-YgJHqfVwqfTzCAvWLxVw"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool t400-assign-pool;
        }

Visitor
Posts: 2
Registered: ‎02-24-2012
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

I've tried the suggested configuration and it works just for 200 seconds.

After that time I receive back:

gateway is not responding

tunnel disabled

detached from key daemon....

Tested with an SRX240 on Junos version 10.4.8.5 and Shrew 2.1.7 and 2.2.0 (beta).

Any suggestion?

Visitor
Posts: 9
Registered: ‎10-19-2011
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

I have this same problem and would really love to figure this out. The SRX deletes the SA after a couple of minutes, then Shrew reports that the gateway is not responding and disconnects. Running Wireshark, I am not seeing heartbeats, or any packets at all for that matter, coming from the SRX. From the IKE traceoptions it appears that the SRX is receiving DPD packets from the Shrew client.

10.4R8.5 with Shrew 2.2.0.

Juniper Networks Access Manager works fine with dynamic VPN.
Visitor
Posts: 2
Registered: ‎02-24-2012
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

YES

Juniper Networks Access Manager works fine.

I've used it.

Juniper Employee
Posts: 1
Registered: ‎01-07-2008
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

I got the same problem with Shrew and SRX: it disconnects consistently after 200 sec.

The workaround is to set the Phase 1 key lifetime to 180 sec while keeping the Phase 2 key lifetime at the default 28800. This will force a rekey before the SA is deleted from the SRX. Tunnel connectivity is not disrupted and the tunnel stays up.

I have been testing the tunnel using ICMP for the last hour and get occasional spikes of 70 ms delay, I guess because of the rekey (min latency is 35 ms and avg is 40 ms).

Tested with an SRX210H running Junos 11.4r2.1 and Shrew 2.1.6 on Windows and on Linux (Ubuntu).

Pascal.

NCP
Contributor
Posts: 15
Registered: ‎05-03-2011
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

The proper supported IPsec VPN client is NCP: http://www.ncp-e.com.

It works with no problems, stable, reliable and fast. I think you get what you pay for 8)

Best Regards,
Rainer Enders
New User
Posts: 1
Registered: ‎09-12-2012
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

Hey, just grappled with this.

You need to tell the Shrew client which networks are going to be tunneled.

To do this, open the client:

Policy tab

Untick "Obtain Topology Automatically or Tunnel All"

Click "Add" and enter the network that you want to tunnel to

Save and reconnect; it should work.

Trusted Contributor
Posts: 1,048
Registered: ‎09-26-2011
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

Thanks for the great share!!!

Does it work in SRX 11.4?
Any other VPN client to test/share?
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Visitor
Posts: 5
Registered: ‎11-28-2012
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

Hello all,

Asked the Shrew core dev about this:

http://lists.shrew.net/pipermail/vpn-help/2012-December/004655.html

This is internal to the Shrew client; it should be fixed next year.

Hope that helps,

Cheers,

Greg

Trusted Contributor
Posts: 1,048
Registered: ‎09-26-2011
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

Thanks.

Has anyone tried any Shrew Soft lookalike on mobile or smart devices?

Merry X'mas!
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Visitor
Posts: 2
Registered: ‎03-08-2013
0 Kudos

Re: Can SRX series work with Shrew Soft VPN client?

From my experience, the device disconnects after 60 seconds, just like what is mentioned in the link:

https://lists.shrew.net/pipermail/vpn-help/2012-December/014094.html

Once I set the key lifetime limit to 55 seconds it stays up with no issues. Anyway, it should hopefully be fixed in the next release of Shrew.

HTH

khalid.