Shrew Soft VPN Client Setup To UC500 EZVPN Server V1
Shrew Soft VPN Client setup to UC500 EZVPN Server v1.0
The following document describes how to set up the Shrew Soft VPN client to work with a UC500 configured EZVPN Server.
The tested version of the Shrew Soft client was 2.1.5-rc-5, installed on an HP quad-core 64-bit desktop PC.
The Shrew Soft client, 2.1.5-rc-5, can be downloaded from the following URL: http://www.shrew.net/download/vpn/vpn-client-2.1.5-rc-5.exe
Extract from the Legal Notice at http://www.shrew.net/download/vpn:
Shrew Soft Inc Disclaimer
This software uses strong cryptography provided by the freely available OpenSSL Toolkit (http://www.openssl.org). For this reason, please read the legal notices below. The second notice is a reproduction of the notice posted on the OpenSSL download page. SHREW SOFT INC WILL NOT BE HELD LIABLE FOR THE VIOLATION OF ANY LAW THAT GOVERNS THE IMPORT/EXPORT OF STRONG CRYPTOGRAPHY SOFTWARE. IT IS YOUR RESPONSIBILITY TO DETERMINE WHICH OF THESE LAWS MAY APPLY TO YOU BEFORE OBTAINING ANY SOFTWARE FROM THIS WEBSITE.
OpenSSL Disclaimer
This software package uses strong cryptography, so even if it is created, maintained and distributed from liberal countries in Europe (where it is legal to do this), it falls under certain export/import and/or use restrictions in some other parts of the world. PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS OF OPENSSL ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
After the install exe file has completed, open the Shrew Soft VPN Access Manager.
Under the GENERAL TAB
Enter the PEER address of the UC500 EZVPN Server – this is normally the public IP address assigned to the UC500 WAN Interface.
Under the Client TAB
These values were tested as DEFAULT values of the Shrew Soft VPN Client, as shown by the picture to the left.
Under the Name Resolution TAB
WINS AND Split DNS were disabled
Under the Authentication TAB
Change the Authentication Method to Mutual PSK + XAuth
Under the Authentication > Local Identity TAB
Ensure Identification Type is set to Key Identifier, and set the Key ID String to the group identity configured on the UC500 EZVPN Server. If CCA has been used to configure the EZVPN server, this value will be EZVPN_GROUP_1
Under the Authentication > Remote Identity TAB
Ensure Identification Type is set to IP Address and tick “Use a discovered remote host address”
Under the Authentication > Credentials TAB
Ensure the Authentication Method is set to Mutual PSK + XAuth.
In the Pre Shared Key field, enter the same key that is configured under the UC500 configuration:
crypto isakmp client configuration group EZVPN_GROUP_1
 key presharedkey
Under the Phase 1 TAB
These values were tested as DEFAULT values of the Shrew Soft VPN Client, as shown by the picture to the left.
Under the Phase 2 TAB
These values were tested as DEFAULT values of the Shrew Soft VPN Client, as shown by the picture to the left.
Under the Policy TAB
These values were tested as DEFAULT values of the Shrew Soft VPN Client, as shown by the picture to the left.
Once all TABS and fields have been completed, click on the Save button.
The new profile will now be listed.
Connect to the profile by either double-clicking the profile, or highlighting the new profile (click once) and then clicking Connect.
Enter the username and password and click “Connect” – this will be one of the usernames and passwords configured under the UC500 username configuration.
If the connection is successful, the last message will state “tunnel enabled” and the “Disconnect” button will be available.
Once a profile has been created, the profile can be exported to a .vpn file and then imported by other clients – using the Import and Export options listed under the File menu. A sample .vpn file has been embedded below.
1.1.1.1.vpn
This file is effectively a text file – the contents of the sample file 1.1.1.1.vpn are shown below.
Please note that the b:auth-mutual-psk: value shown below is hashed by the program – it can ONLY be changed under the Authentication > Credentials TAB.
n:version:2
n:policy-list-auto:1
n:network-ike-port:500
n:policy-nailed:0
n:network-mtu-size:1380
n:vendor-chkpt-enable:0
n:client-addr-auto:1
s:network-host:1.1.1.1
n:network-natt-port:4500
s:client-auto-mode:pull
n:network-natt-rate:15
s:client-iface:direct
n:network-frag-size:540
s:network-natt-mode:enable
n:network-dpd-enable:1
s:network-frag-mode:enable
n:client-banner-enable:1
s:auth-method:mutual-psk-xauth
n:network-notify-enable:1
s:ident-client-type:keyid
n:client-wins-used:0
s:ident-server-type:address
n:client-wins-auto:1
s:ident-client-data:EZVPN_GROUP_1
n:client-dns-used:1
b:auth-mutual-psk:QwmaawzjqsgPsyssxsz==
n:client-dns-auto:1
s:phase1-exchange:aggressive
n:client-splitdns-used:1
s:phase1-cipher:auto
n:client-splitdns-auto:1
s:phase1-hash:auto
n:phase1-dhgroup:2
s:phase2-transform:auto
n:phase1-life-secs:86400
s:phase2-hmac:auto
n:phase1-life-kbytes:0
s:ipcomp-transform:disabled
n:phase2-life-secs:3600
n:phase2-pfsgroup:-1
n:phase2-life-kbytes:0
s:client-saved-username:username
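Because an exported profile can be imported by any other client, it is worth reviewing before it is handed out. The following Python audit is an added example, not part of the original document or of Shrew Soft's software; it parses the type:key:value entries of the sample above and flags the settings a reviewer would question. SAMPLE is constructed from this page's profile with a placeholder key, and the reading of the n/s/b prefixes and of phase2-pfsgroup:-1 as "PFS disabled" are assumptions.

```python
# Added example (not from the original document): audit an exported .vpn profile.
# SAMPLE is constructed from the profile on this page; the key is a placeholder.
SAMPLE = """\
n:version:2
s:network-host:1.1.1.1
s:auth-method:mutual-psk-xauth
b:auth-mutual-psk:PLACEHOLDER==
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
n:phase2-pfsgroup:-1
"""


def parse_profile(text):
    """Parse 'type:key:value' lines; type is n (number), s (string) or b (binary)."""
    profile = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[0] not in ("n", "s", "b"):
            raise ValueError(f"line {lineno}: not a type:key:value entry")
        kind, key, value = parts
        profile[key] = int(value) if kind == "n" else value
    return profile


def audit(profile):
    """Return (setting, finding) pairs for a reviewer to act on."""
    findings = []
    if ("psk" in profile.get("auth-method", "")
            and profile.get("phase1-exchange") == "aggressive"):
        findings.append(("phase1-exchange",
                         "aggressive mode with a PSK exposes key-derived data to "
                         "offline guessing; use a long random group key"))
    if profile.get("phase1-dhgroup") in (1, 2):
        findings.append(("phase1-dhgroup", "768/1024-bit MODP group is weak"))
    if profile.get("phase2-pfsgroup") == -1:  # assumption: -1 means PFS disabled
        findings.append(("phase2-pfsgroup", "no PFS group set for phase 2"))
    if "auth-mutual-psk" in profile:
        findings.append(("auth-mutual-psk",
                         "file carries the group key; handle it as a secret"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(parse_profile(SAMPLE)):
        print(f"{setting}: {finding}")
```

Run it against each exported .vpn file before distribution; an empty result means none of these four conditions were found, not that the profile is otherwise sound.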