SA500 Remote Access IPSEC - Shrewsoft VPN Client


I've had zero luck with QuickVPN and using more than 5 SSL VPN tunnels seems to lock up the SA540.  As a workaround I've used Shrewsoft's IPSEC VPN client since it's "free".  I've also had luck with The Greenbow IPSEC client.  It's a little nicer in that it can run before msgina and runs in the tray, however it does run around $80/client.


Setup SA500:

  1. Use the VPN Wizard and configure the following:
    1. VPN Type: Remote Access
    2. Connection Name: IPSECRA
    3. PSK: Whatever you like
    4. Local WAN: Dedicated WAN
    5. Remote GW Type: FQDN
    6. Remote FQDN: remote.com
    7. Local GW Type: IP Address
    8. Local IP Address: WAN IP of SA500
    9. Save
  2. Now you want to add XAUTH to the IKE policy.  Since you can't modify an IKE policy bound to a VPN Policy, you need to do the following:
    1. Create a dummy IKE Policy, just enter temp for the name and temp for the PSK and save.
    2. Go into the new IPSECRA VPN Policy and change the IKE Policy to "temp" and save.
    3. Modify the original IKE Policy so XAUTH has "edge device" and Auth Type is "user database" and save.
    4. Return to the VPN Policy and return to the original, just modified IKE Policy and save.
    5. Delete the temp IKE Policy.
  3. Set up users as necessary in IPSEC Users, just ensure you choose the type as "Standard IPSEC (XAUTH)".
  4. Download and install Shrewsoft VPN client
  5. Paste the following into a text file and name it "myconnection.vpn". 

    n:version:2
    n:network-ike-port:500
    n:network-mtu-size:1380
    n:client-addr-auto:1
    n:network-natt-port:4500
    n:network-natt-rate:15
    n:network-frag-size:540
    n:network-dpd-enable:1
    n:client-banner-enable:1
    n:network-notify-enable:1
    n:client-wins-used:1
    n:client-wins-auto:1
    n:client-dns-used:1
    n:client-dns-auto:0
    n:client-splitdns-used:1
    n:client-splitdns-auto:1
    n:phase1-dhgroup:2
    n:phase1-life-secs:86400
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:0
    n:phase2-life-secs:3600
    n:phase2-life-kbytes:0
    n:policy-nailed:0
    n:policy-list-auto:0
    s:network-host:1.1.1.1
    s:client-auto-mode:pull
    s:client-iface:direct
    s:network-natt-mode:enable
    s:network-frag-mode:enable
    s:client-dns-addr:2.2.2.2
    s:client-dns-suffix:mydomain.local
    s:auth-method:mutual-psk-xauth
    s:ident-client-type:fqdn
    s:ident-server-type:address
    s:ident-client-data:remote.com
    s:ident-server-data:1.1.1.1
    b:auth-mutual-psk:
    s:phase1-exchange:aggressive
    s:phase1-cipher:auto
    s:phase1-hash:auto
    s:phase2-transform:esp-3des
    s:phase2-hmac:sha1
    s:ipcomp-transform:disabled
    n:phase2-pfsgroup:-1
    s:policy-list-include:3.3.3.0 / 255.255.255.0
  6. Import in the Shrewsoft VPN Access Manager via File. . . Import
  7. Rename as you wish
  8. Highlight the connection and choose the Modify button on the toolbar.
  9. Under General Tab and Host Name, change 1.1.1.1 to WAN IP of SA500.
  10. Under Name Resolution Tab, change 2.2.2.2 DNS to your DNS and mydomain.local to your domain.
  11. Under Authentication Tab. . . Small Remote Identity Tab, Change 1.1.1.1 to WAN IP of SA500
  12. Under Authentication Tab. . . Small Credentials Tab, enter your PSK
  13. Under the policy tab, change 255.255.255.255/24 to the subnet on your LAN you want to route to.
  14. Click Save
  15. Click Connect on the toolbar, enter your user creds and you should be able to connect the tunnel and pass traffic.
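Added example, not the original poster's code and not part of Shrew Soft: a small Python linter for the .vpn profile format above (typed n:/s:/b: records), which checks the fields steps 9 to 13 have you edit by hand before the file is imported. The sample profile and every address in it are constructed placeholders.

```python
import ipaddress
import re
# Shrew Soft .vpn profiles are typed records: n:<key>:<int>, s:<key>:<string>, b:<key>:<blob>
LINE_RE = re.compile(r"^([nsb]):([a-z0-9-]+):(.*)$")

def parse_profile(text):  # -> {key: (type, value)}; raises ValueError on a malformed line
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a type:key:value record: {line}")
        typ, key, value = m.groups()
        if typ == "n" and not re.fullmatch(r"-?\d+", value):
            raise ValueError(f"line {lineno}: numeric field {key} is not an integer: {value}")
        entries[key] = (typ, value)
    return entries

def lint_profile(text):  # -> list of problems in the fields the walkthrough has you edit by hand
    entries, problems = parse_profile(text), []
    def ip_of(key):  # records a problem and returns None if the field is absent or not an IP
        try:
            return ipaddress.ip_address(entries[key][1])
        except (KeyError, ValueError):
            problems.append(f"{key}: missing or not a valid IP address")
            return None
    host, ident = ip_of("network-host"), ip_of("ident-server-data")
    ip_of("client-dns-addr")
    if host and ident and host != ident:  # remote identity type 'address' must equal the gateway
        problems.append("ident-server-data does not match network-host")
    # policy-list-include is "network / netmask"; strict=True rejects host bits and mistyped octets
    pol = entries.get("policy-list-include", ("s", ""))[1]
    try:
        net, mask = (p.strip() for p in pol.split("/"))
        ipaddress.ip_network(f"{net}/{mask}", strict=True)
    except ValueError:
        problems.append(f"policy-list-include: bad network/netmask: {pol}")
    return problems

# Constructed sample (not a real site): hand-edited fields, policy network mistyped (extra octet)
SAMPLE = """\
s:network-host:203.0.113.10
s:client-dns-addr:192.0.2.53
s:ident-server-type:address
s:ident-server-data:203.0.113.10
n:phase2-pfsgroup:-1
s:policy-list-include:10.0.1.1.0 / 255.255.255.0
"""
```

Run `lint_profile` over the file you are about to import; an empty list means the addresses and the policy network are at least well-formed and consistent with each other.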
William Childs Tue, 12/15/2009 - 04:06

Matt,


The main thing that jumps out at me is that you are using XAUTH for authentication of your users. According to the admin guide, you should be using Cisco QuickVPN. I have personally set this up before and it worked flawlessly using this admin guide:


http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA_500_Series_AG_OL-19114-01.pdf


The section you need begins on the bottom of page 152 in this pdf doc. Try using these steps, and if you are still having issues please post your new results.


Bill

purplehaze Tue, 01/05/2010 - 13:46

Hi,


I am unable to configure my remote client with QuickVPN. I tried the Shrewsoft VPN client with your instructions but I am unable to ping any IP address on the office LAN.

Can you help me?

I'm throwing in the towel on this device and will probably absorb the loss in switching all these clients back to their Sonicwalls or putting in an ASA.


The SA 500 series is having problems that Cisco is not fessing up to with the devices locking up and, at the best, rebooting during production.


These are not fit to be sold or used anywhere outside a lab environment.  I wouldn't even put one in my home at this point.


If you're running 1.0.39, do not run IPSEC at all.  Regardless, just put the SA 500 on the shelf until stable firmware comes out.
