SRX Services Gateway

Can SRX series work with Shrew Soft VPN client?

02-09-2011 09:12 PM

Hi all,

I'm a newbie to Juniper…

Just wondering whether the Shrew Soft VPN client (a third-party VPN client) is able to work with the Juniper SRX series? I succeeded in making the VPN connect using Juniper Access Manager, but not Shrew Soft. I know that Shrew Soft is able to work with the Juniper SSG series, but how about SRX…

Can anybody advise on this? Here is my configuration.

Re: Can SRX series work with Shrew Soft VPN client?

02-09-2011 11:07 PM

Yes it works.

Here is a configuration one of our internal gurus came up with that has been tested in a lab with the Shrew client.

## Last changed: 2011-01-17 21:14:39 MST
version 10.4R1.9;
system {
    login {
        user admin {
            uid 2002;
            class super-user;
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file traffic-log {
            any any;
            match RT_FLOW;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.4.4.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 4.4.4.1/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.180.39/24;
            }
        }
    }
}
security {
    ike {
        proposal RemoteVPNPolicy1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy RemoteVPNIKE {
            mode aggressive;
            proposals RemoteVPNPolicy1;
            pre-shared-key ascii-text "$9$ywMeMXVwgUjq7-jqmfn6revW7-"; ## SECRET-DATA
        }
        policy t400-ike-policy {
            mode aggressive;
            proposals RemoteVPNPolicy1;
            pre-shared-key ascii-text "$9$IcPhyKX7V4aUM8aUjH5TRhSrM8"; ## SECRET-DATA
        }
        inactive: gateway RemoteVPN {
            ike-policy RemoteVPNIKE;
            dynamic user-at-hostname "remote@domain.com";
            external-interface ge-0/0/1.0;
        }
        gateway t400-ike-gw {
            ike-policy t400-ike-policy;
            dynamic {
                user-at-hostname "remote@domain.com";
                connections-limit 50;
                ike-user-type shared-ike-id;
            }
            external-interface ge-0/0/1.0;
            xauth access-profile t400-access;
        }
    }
    ipsec {
        proposal RemoteVPNIPSec {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy RemoteVPNIPSec {
            proposals RemoteVPNIPSec;
        }
        policy t400-ipsec-policy {
            proposals RemoteVPNIPSec;
        }
        inactive: vpn RemoteVPN {
            ike {
                gateway RemoteVPN;
                ipsec-policy RemoteVPNIPSec;
            }
            establish-tunnels on-traffic;
        }
        vpn t400-vpn {
            ike {
                gateway t400-ike-gw;
                ipsec-policy t400-ipsec-policy;
            }
        }
    }
    zones {
        security-zone corp {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            address-book {
                address hq-net-10-4-4 10.4.4.0/24;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy RemoteVPN {
                match {
                    source-address any;
                    destination-address hq-net-10-4-4;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn t400-vpn;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
access {
    address-pool t400-pool {
        address-range low 192.168.40.200 high 192.168.40.250 mask 255.255.255.0;
        primary-dns 10.4.4.75;
    }
    profile t400-access {
        authentication-order password;
        client joe {
            firewall-user {
                password "$9$K9QWX-YgJHqfVwqfTzCAvWLxVw"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool t400-assign-pool;
        }
    }
    address-assignment {
        pool t400-assign-pool {
            family inet {
                network 192.168.40.0/24;
                range t400-range {
                    low 192.168.40.101;
                    high 192.168.40.149;
                }
                xauth-attributes {
                    primary-dns 10.4.4.85/32;
                }
            }
        }
    }
}
Doug Hanks
JNCIE-ENT #213, JNCIE-SP #875

Follow me on Twitter @douglashanksjr
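
The IKE and IPsec proposals in the configuration above use aggressive mode with pre-shared keys, MD5 and 3DES. The following is an added example, not code from the thread or from Juniper: it parses a Junos-style curly-brace configuration into nested dicts and flags those settings. SAMPLE_CONFIG is a constructed excerpt with a placeholder key, and WEAK is the reviewer's own list of algorithms to flag.

```python
# Constructed excerpt modelled on the IKE/IPsec stanzas posted above; the key is a placeholder.
SAMPLE_CONFIG = """
security {
    ike {
        proposal RemoteVPNPolicy1 {
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
        }
        policy t400-ike-policy {
            mode aggressive;
            pre-shared-key ascii-text "$9$PLACEHOLDER"; ## SECRET-DATA
        }
    }
    ipsec {
        proposal RemoteVPNIPSec {
            authentication-algorithm hmac-md5-96;
        }
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts; leaf statements map keyword -> argument."""
    node, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop "## SECRET-DATA" style comments
        if line.endswith("{"):                        # open a child stanza, e.g. "proposal X {"
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":
            node = stack.pop()
        elif line:                                    # leaf statement: "keyword argument;"
            key, _, arg = line.rstrip(";").partition(" ")
            node[key] = arg
    return node                                       # balanced input leaves us at the root

# Reviewer's own list of algorithms to flag in a remote-access proposal (assumption, not from the thread).
WEAK = {"ike": {"authentication-algorithm": {"md5"}, "encryption-algorithm": {"3des-cbc"}, "dh-group": {"group2"}},
        "ipsec": {"authentication-algorithm": {"hmac-md5-96"}, "encryption-algorithm": {"3des-cbc"}}}

def audit(cfg):
    """Yield (stanza, finding) pairs for weak settings in ike/ipsec proposals and policies."""
    for phase in ("ike", "ipsec"):
        for name, body in cfg.get("security", {}).get(phase, {}).items():
            if not name.startswith(("proposal ", "policy ")):   # skips gateways and inactive: stanzas
                continue
            for key, arg in body.items():
                if arg in WEAK[phase].get(key, ()):
                    yield f"{phase} {name}", f"{key} {arg} is weak"
                if phase == "ike" and key == "mode" and arg == "aggressive":
                    yield f"{phase} {name}", "aggressive mode with a PSK exposes the key hash to offline guessing"
```

Running `list(audit(parse_junos(SAMPLE_CONFIG)))` returns five findings for the excerpt; point `parse_junos` at a saved `show configuration` output to check a real device.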

Re: Can SRX series work with Shrew Soft VPN client?

02-10-2011 03:01 AM

Thanks Hanks, it’s working with Shrew client now.

But… I can't connect to the remote peer network, and I have no internet connection after the VPN is connected.

Do you have any idea?

Re: Can SRX series work with Shrew Soft VPN client?

06-14-2011 09:59 AM

It's doing global tunneling; you will need to create policies on your Juniper to allow the traffic out, or use split tunneling on the Shrew client.

Re: Can SRX series work with Shrew Soft VPN client?

06-14-2011 12:59 PM

Hi

By the way, is dynamic-vpn license still needed in this case for more than 2 users?

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Re: Can SRX series work with Shrew Soft VPN client?

06-15-2011 12:12 AM

Yes, Dynamic VPN licenses will be required.

Re: Can SRX series work with Shrew Soft VPN client?

09-13-2011 02:13 PM

Are you sure that Dynamic licenses are required for Shrew to work? It defeats the purpose of using a free VPN client. NCP does not require Dynamic licenses to be in place.

Thanks,

John

Re: Can SRX series work with Shrew Soft VPN client?

09-14-2011 10:54 AM

No, it does not require a Dynamic VPN license. I have about 60 Shrew VPN tunnels up atm.

Re: Can SRX series work with Shrew Soft VPN client?

09-14-2011 11:32 AM

Dynamic VPN licenses are only required if you are using JUNOS Pulse or Juniper Access Manager (JAM), where the device pushes the config over to the PC and client. In this case, you are not using Dynamic VPN, and hence it is not required.

Re: Can SRX series work with Shrew Soft VPN client?

11-22-2011 01:38 PM

In both my SRXs (version 10.2R3.10) I can't add these commands:

        address-assignment {
            pool t400-assign-pool;

Can it depend on the software version?
access {
    address-pool t400-pool {
        address-range low 192.168.40.200 high 192.168.40.250 mask 255.255.255.0;
        primary-dns 10.4.4.75;
    }
    profile t400-access {
        authentication-order password;
        client joe {
            firewall-user {
                password "$9$K9QWX-YgJHqfVwqfTzCAvWLxVw"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool t400-assign-pool;
        }
    }
}

Re: Can SRX series work with Shrew Soft VPN client?

02-25-2012 08:24 AM

I've tried the suggested configuration and it works just for 200 seconds.

After that time I receive back:

gateway is not responding

tunnel disabled

detached from key daemon....

Tested with SRX240, Junos version 10.4.8.5, and Shrew 2.1.7 and 2.2.0 (beta).

Any suggestion?

Re: Can SRX series work with Shrew Soft VPN client?

03-02-2012 10:45 PM

I have this same problem and would really love to figure this out. The SRX deletes the SA after a couple of minutes, then Shrew reports that the gateway is not responding and disconnects. Running Wireshark, I am not seeing heartbeats, or any packets for that matter, coming from the SRX. From the IKE traceoptions it appears that the SRX is receiving DPD packets from the Shrew client.

10.4R8.5 with Shrew 2.2.0.

Juniper Networks Access Manager works fine with dynamic VPN.

Re: Can SRX series work with Shrew Soft VPN client?

03-05-2012 01:05 AM

YES

Juniper Networks Access Manager works fine.

I've used it.

Re: Can SRX series work with Shrew Soft VPN client?

05-02-2012 08:58 AM

I got the same problem with Shrew and SRX: it disconnects consistently after 200 sec.

The workaround is to set the Phase1 key lifetime to 180 sec while keeping the Phase2 key lifetime at the default 28800. This will force a rekey before the SA is deleted from the SRX. Tunnel connectivity is not disrupted and the tunnel stays up.

I have been testing the tunnel using ICMP for the last hour and get occasional spikes of 70ms delay, I guess because of the rekey (min latency is 35ms and avg is 40ms).

Tested with SRX210H running Junos 11.4r2.1 and Shrew 2.1.6 on Windows and on Linux (Ubuntu).

Pascal.

Re: Can SRX series work with Shrew Soft VPN client?

05-02-2012 09:30 AM

The proper supported IPsec VPN client is NCP: http://www.ncp-e.com.

It works with no problems, stable, reliable and fast. I think you get what you pay for 8)

Best Regards,
Rainer Enders
Re: Can SRX series work with Shrew Soft VPN client?

09-12-2012 12:29 PM

Hey, just grappled with this.

You need to tell the Shrew client what networks are going to be tunneled.

To do this, open the client:

Policy tab

Untick "Obtain Topology Automatically or Tunnel All"

Click "Add" and enter the network that you want to tunnel to

Save and reconnect; it should work.

Re: Can SRX series work with Shrew Soft VPN client?

12-17-2012 12:50 AM

Thanks for the great share!!!

Does it work in SRX 11.4?
Any other VPN client to test/share?
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Re: Can SRX series work with Shrew Soft VPN client?

12-19-2012 02:54 AM

Hello all,

Asked the Shrew Core Dev about this:

http://lists.shrew.net/pipermail/vpn-help/2012-December/004655.html

This is internal to the Shrew client; this should be fixed next year.

Hope that helps,

Cheers,

Greg

Re: Can SRX series work with Shrew Soft VPN client?

12-24-2012 12:41 AM

Thanks.

Anyone tried any shrewsoft lookalike on mobile or smart devices?

Merry X'mas!
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Re: Can SRX series work with Shrew Soft VPN client?

09-21-2013 08:41 AM

From my experience, the device disconnects after 60 seconds, just like what's mentioned in the link:

https://lists.shrew.net/pipermail/vpn-help/2012-December/014094.html

Once I set the key lifetime limit to 55 seconds it stays up with no issues. Anyway, it should hopefully be fixed in the next release of Shrew.

HTH

khalid.