No announcement yet.

Shrewsoft v2.2.x IPSec RSA VPN Issue

  • Filter
  • Time
  • Show
Clear All
new posts

  • Shrewsoft v2.2.x IPSec RSA VPN Issue

    I have recently been tweaking some settings with our IPSec VPN's to move away from Legacy SHA-1 encryption objects to more current SHA-256 objects. I was also trying to move away from using pre shared keys to using RSA certs instead.

    Now changing to the SHA-256 object works fine and Shrewsoft client works fine with the new config.

    I created a new user and set it to use RSA Authentication instead of PSK, I exported the vpn config from the firewall and imported it into the Shrewsoft VPN Client v2.2 and added the relevant certificates that had also been exported from the firewall.

    I am using Windows 10 Pro 64 bit and when I try to connect with the RSA enabled user it connects then disconnects, then connect again and disconnects again, cycling like this for as long as you leave it about every second or two. When you can interrupt it you then have to restart as it leaves the key daemon all messed up.

    Has anyone seen this behaviour before and more importantly do you know how to fix it?

  • #2
    Hello npickles
    You shouldn't need to export/install any certificates for this to work. The VPN profile downloaded from the firewall has the certificates embedded within it already. Try deleting the profile within the Shrewsoft client and re-import the file only. The only other thing I would check is that the "Host Name or IP address" within the profile is set correctly.

    If the above doesn't work, I would recommend starting with a new user in PSK configuration. Verify that works using the new GTA "Remote Access" IPSec object which includes AES256, SHA256, DH14 to secure the connection. If this works, changing the auth type to RSA should only require an edit within the user and downloading a new file from the firewall. This is also assuming that you are allowing the RSA authentication type under the remote access section's advanced tab.

    I hope this helps.


    • #3
      Thanks Rick, that works much better.