Tag Archives: shrewsoft

Connecting to multiple subnets with Shrew Soft VPN and Juniper SSG 5

This issue may well affect other firewall models, but I’ve just been playing with the SSG 5.

I want to
Be able to reach 10.9.x.x and 10.10.x.x using my VPN connection (it’s set up like this, by the way)

The problem
– With one VPN connection and two policies on both the Juniper and in Shrew Soft: for some reason the wrong policy is often used, and my packet gets dropped because no policy allows it
– With one VPN connection and one policy on both Juniper and Shrew (a CIDR covering both addresses): also not working; weirdly, the policy isn’t matching at all
– With one VPN connection, two policies in Shrew and one policy using an IP address group in Juniper: policy not matching again…
– With two VPN connections and two policies in both Shrew and Juniper: still not working! Policies don’t match if both VPNs are active, as Juniper seems to disregard which VPN the packet came from
– With one VPN connection, two policies in Shrew and one ANY policy on Juniper: also not working… I think Juniper just doesn’t like this policy

The solution
Pick the last setup above: use one VPN connection, whatever policies you need in Shrew and one ANY policy in Juniper. Then log onto your SSG and run the following command:
unset ike policy-checking
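The attempts above all come down to which policy selector a given destination address matches, and the “one CIDR covering both” option quietly admits more than the two /16s you asked for. The following is an added example, not code from the original post or from either vendor: it models policy matching generically (first matching selector wins, a hypothetical simplification that does not reproduce ScreenOS or Shrew Soft behaviour) and shows the smallest single block covering 10.9.0.0/16 and 10.10.0.0/16, plus the address space that block pulls in unintentionally.

```python
from ipaddress import ip_address, ip_network

# Constructed policy set modelled on the post: the two remote subnets the
# client should reach through the tunnel.
TWO_POLICIES = [ip_network("10.9.0.0/16"), ip_network("10.10.0.0/16")]


def first_matching_policy(dst, policies):
    """Return the first policy selector containing dst, or None if no policy allows it.

    Hypothetical first-match evaluation; real firewalls differ in ordering rules.
    """
    dst = ip_address(dst)
    for policy in policies:
        if dst in policy:
            return policy
    return None


def smallest_covering_supernet(a, b):
    """Return the smallest single CIDR block that contains both networks."""
    a, b = ip_network(a), ip_network(b)
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net


def extra_coverage(wanted, covering):
    """Return the blocks inside `covering` that none of the `wanted` subnets asked for.

    This is the address space a single covering policy admits beyond the intent.
    """
    leftover = [covering]
    for p in wanted:
        next_leftover = []
        for block in leftover:
            if p.subnet_of(block):
                # carve the wanted subnet out of this block
                next_leftover.extend(block.address_exclude(p))
            elif not block.overlaps(p):
                next_leftover.append(block)
            # else: p contains the whole block, so the block is wanted; drop it
        leftover = next_leftover
    return sorted(leftover)


if __name__ == "__main__":
    covering = smallest_covering_supernet(*TWO_POLICIES)
    print("two policies, 10.10.3.4 ->", first_matching_policy("10.10.3.4", TWO_POLICIES))
    print("two policies, 10.8.1.1  ->", first_matching_policy("10.8.1.1", TWO_POLICIES))
    print("smallest covering block  ->", covering)
    print("covering block, 10.8.1.1 ->", first_matching_policy("10.8.1.1", [covering]))
    print("unintended extra space   ->", extra_coverage(TWO_POLICIES, covering))
```

The covering block for those two /16s is 10.8.0.0/14, so a single-CIDR policy also admits 10.8.0.0/16 and 10.11.0.0/16; an ANY policy admits everything. Whichever variant ends up working, the Juniper-side policy is the only thing bounding what the tunnel can reach, so keep its address and service entries as tight as the client actually needs.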

That was much more difficult than it should have been…

Shrewsoft listening on the wrong IP?

For some reason, it had bound to eth1 rather than eth0 (it’s supposed to bind to both).

Shrewsoft uses ipsec_pluto for IKE connections; check out this manpage: http://www.linuxsecurity.com/resource_files/cryptography/FreeSWAN-HOWTO/manpage.d/ipsec_pluto.8.html

To refresh the interfaces (restarting didn’t work for me, but this did), use:

ipsec whack --listen

UPDATE: I was wrong! It’s strongSwan that uses ipsec_pluto; Shrewsoft uses its own stuff, and the reason my Shrewsoft wasn’t making the connections as it should was conflicts with strongSwan; once I uninstalled that, it started working again.