How to configure Shrew Soft VPN client to work with ScreenOS firewalls

  [KB22074]


Summary:
This article provides information on how to configure the Shrew Soft VPN client to work with ScreenOS firewalls.



Symptoms:
Configure the Shrew Soft VPN client to work with ScreenOS firewalls.
Solution:
  1. Open the Shrew Soft VPN Access Manager.

  2. Click Add to add a new VPN.

  3. General tab:

    1. Hostname or IP - 1.1.1.1.

    2. Auto Configuration - Disabled (or ike config push if using IP Pool).

    3. Address Method - Use an existing adapter and current address (or 'Use a virtual adapter and assigned address' if using IP Pools; also select the 'Obtain Automatically' option).

  4. Client tab:

    1. NAT Traversal - enable.

    2. NAT Traversal Port - 4500.

    3. Keep-alive packet rate - 15 seconds.

    4. IKE Fragmentation - enable.

    5. Maximum packet size - 540 bytes.

    6. Enable Dead Peer Detection - uncheck.

    7. Enable ISAKMP Failure Notifications - uncheck.

    8. Enable Client Login Banner - uncheck.

  5. Name Resolution tab:

    1. Enable WINS - uncheck (unless you are using XAuth with IP Pools and WINS).

    2. Enable DNS - uncheck (unless you are using XAuth with IP Pools and DNS).

  6. Authentication tab:

    1. Authentication Method - Mutual PSK (or "Mutual PSK + XAuth" if using XAuth).

    2. Local Identity tab:

      1. Identification Type - User Fully Qualified Domain Name.

      2. UFQDN String - user1@screenos.com.

    3. Credentials tab:

      1. Pre Shared Key - screenos.

  7. Phase 1 tab:

    1. Exchange Type - Aggressive.

    2. DH Exchange - group 2.

    3. Cipher Algorithm - 3des.

    4. Hash Algorithm - sha1.

    5. Key Life Time limit - 28800 Secs.

    6. Key Life Data limit - 0 Kbytes.

    7. Enable Check Point Compatible Vendor ID - uncheck.

  8. Phase 2 tab:

    1. Transform Algorithm - esp-3des.

    2. HMAC Algorithm - sha1.

    3. PFS Exchange - group 2.

    4. Compress Algorithm - disabled.

    5. Key Life Time limit - 3600 seconds.

    6. Key Life Data limit - 0 Kbytes.

  9. Policy tab:

    1. Policy Generation Level - auto.

    2. Maintain Persistent Security Associations - uncheck.

    3. Obtain Topology Automatically or Tunnel All - uncheck.

    4. Click Add:

      1. Type - Include.

      2. Address - 172.16.10.0.

      3. Netmask - 255.255.255.0.

      4. Click OK.

  10. Click Save.

  11. Provide a name for the connection.

  12. Click Connect.

  13. When the next dialog box is displayed, click Connect (or enter your XAuth username and password if using XAuth).

    If the client connects successfully, the Connect button changes to Disconnect and the window displays "tunnel enabled".
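As an added example, not part of this article and not code from Shrew Soft or Juniper, the following Python script gathers the settings from the steps above into one profile, renders it in the layout of an exported Shrew Soft site file, and cross-checks the settings before you click Connect. The `type:key:value` key names are assumptions based on the exported site-file format; compare the output with a profile exported from your own client before relying on them. The names `ARTICLE_SETTINGS`, `policy_network`, `render_site_file` and `check_profile` are mine, and the error/advisory rules are generic IKEv1 sanity checks rather than anything the article states.

```python
import base64
import ipaddress

# The settings this article selects, gathered into one dict (constructed here).
ARTICLE_SETTINGS = {
    "host": "1.1.1.1",
    "auto_config": "disabled",     # "pull" when the firewall pushes IP Pool config
    "natt_port": 4500,
    "frag_size": 540,
    "dpd_enable": False,
    "auth_method": "mutual-psk",   # "mutual-psk-xauth" when using XAuth
    "ident_type": "ufqdn",
    "ident": "user1@screenos.com",
    "psk": "screenos",
    "p1_exchange": "aggressive",
    "p1_dh": 2,
    "p1_cipher": "3des",
    "p1_hash": "sha1",
    "p1_life_secs": 28800,
    "p2_transform": "esp-3des",
    "p2_hmac": "sha1",
    "p2_pfs": 2,
    "p2_life_secs": 3600,
    "include": ("172.16.10.0", "255.255.255.0"),   # Policy tab include entry
}


def policy_network(cfg):
    """Parse the Policy-tab include entry; strict=True rejects a mask that leaves host bits set."""
    return ipaddress.ip_network(f"{cfg['include'][0]}/{cfg['include'][1]}", strict=True)


def render_site_file(cfg):
    """Serialise the profile in the assumed Shrew Soft site-file layout:
    one 'type:key:value' line per setting (n = number, s = string, b = base64).
    Key names are assumptions; verify them against an export from your client."""
    net = policy_network(cfg)
    psk_b64 = base64.b64encode(cfg["psk"].encode()).decode()
    lines = [
        "n:version:4",
        f"s:network-host:{cfg['host']}",
        f"s:client-auto-mode:{cfg['auto_config']}",
        "s:network-natt-mode:enable",
        f"n:network-natt-port:{cfg['natt_port']}",
        "s:network-frag-mode:enable",
        f"n:network-frag-size:{cfg['frag_size']}",
        f"n:network-dpd-enable:{int(cfg['dpd_enable'])}",
        f"s:auth-method:{cfg['auth_method']}",
        f"s:ident-client-type:{cfg['ident_type']}",
        f"s:ident-client-data:{cfg['ident']}",
        f"b:auth-mutual-psk:{psk_b64}",   # base64 is encoding, not encryption: protect the file
        f"s:phase1-exchange:{cfg['p1_exchange']}",
        f"n:phase1-dhgroup:{cfg['p1_dh']}",
        f"s:phase1-cipher:{cfg['p1_cipher']}",
        f"s:phase1-hash:{cfg['p1_hash']}",
        f"n:phase1-life-secs:{cfg['p1_life_secs']}",
        f"s:phase2-transform:{cfg['p2_transform']}",
        f"s:phase2-hmac:{cfg['p2_hmac']}",
        f"n:phase2-pfsgroup:{cfg['p2_pfs']}",
        f"n:phase2-life-secs:{cfg['p2_life_secs']}",
        f"s:policy-list-include:{net.network_address} / {net.netmask}",
    ]
    return "\n".join(lines) + "\n"


def check_profile(cfg):
    """Return (errors, advisories): errors are settings that will keep the tunnel
    from coming up; advisories are risk notes that do not stop the connection."""
    errors, advisories = [], []
    try:
        policy_network(cfg)
    except ValueError as exc:
        errors.append(f"policy include is not a valid network: {exc}")
    if cfg["natt_port"] != 4500:
        errors.append("NAT traversal port must be 4500 to match the ScreenOS side")
    if cfg["ident_type"] == "ufqdn" and "@" not in cfg["ident"]:
        errors.append("a UFQDN identity must have the user@domain form")
    if not cfg["psk"]:
        errors.append("pre-shared key is empty")
    if cfg["p2_life_secs"] > cfg["p1_life_secs"]:
        advisories.append("Phase 2 lifetime exceeds Phase 1 lifetime; keep Phase 1 the longer one")
    if cfg["p1_exchange"] == "aggressive" and cfg["auth_method"].startswith("mutual-psk"):
        advisories.append("aggressive mode sends the identity and the PSK-derived hash "
                          "unencrypted: use a long random PSK and rotate it")
    if len(cfg["psk"]) < 20:
        advisories.append("pre-shared key is shorter than 20 characters")
    if cfg["p1_cipher"] == "3des" or cfg["p2_transform"] == "esp-3des":
        advisories.append("3DES is deprecated; prefer AES on both peers where supported")
    if cfg["p1_dh"] <= 2 or cfg["p2_pfs"] <= 2:
        advisories.append("DH group 2 (1024-bit) is below current recommendations")
    if not cfg["dpd_enable"]:
        advisories.append("DPD is off: a dead peer is noticed only when the SA expires")
    return errors, advisories
```

Run `check_profile(ARTICLE_SETTINGS)` before saving: with the article's values it returns no errors and a short list of advisories (aggressive mode with a short PSK, 3DES, DH group 2, DPD off), which is the list to walk through with whoever administers the firewall when both sides can be tightened. The rendered text from `render_site_file` is the kind of file you would hand out when many clients need the same profile; keep it as tightly protected as the PSK itself, because the `b:` line is only base64.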


If you have followed the above procedure and now require help in troubleshooting, refer to the VPN Configuration and Troubleshooting Guide.