Jan 16

Shrew Client Configuration

Shrew is VPN client software that is easy to configure. It lets you build IPsec tunnels from a Windows or Linux distribution.


You can download the software for free from this site


What we want to achieve:

Client_1 and Client_2 have to build an IPsec tunnel to the MikroTik router. All traffic to the LAN has to pass through the tunnel, but both clients should still be able to browse the Internet. Authentication is made with certificates, and the clients receive an IP address from the VPN pool.

For any certificates issues, please go there.

For any router configuration issue, please go there.


Shrew configuration


As the installation is easy, we skip it.


Please run the software as Administrator. This is mandatory to create the virtual network interface.


After creating a new connection, we can start the configuration:

Remote Host has to be an IP address or a domain name (if DDNS is used).


Adapter Mode is set to create a virtual adapter. The IP address is received from the router, where the pool is configured.


NAT-T is enabled for Client_1 and disabled for Client_2.

It is up to you whether to use IKE Fragmentation. Just keep in mind that it can expose the client to vulnerabilities.

The rest can be left at the defaults.


Authentication:


We use certificates to authenticate both the client and the server (Mutual RSA). Local Identity and Remote Identity are configured in the same way. For more information


We specify which certificates to use:

We have:

Public CA certificate

Public client certificate

Secret client key

The Pre-Shared Key is not used in our configuration.
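Before loading these three files into Shrew, it is worth checking that they belong together: a client certificate that does not chain to the CA, or a key that does not match the certificate, fails phase 1 with little explanation. This is an added example, not code from the original post or from Shrew; it assumes PEM files and the `openssl` command line, and the file names are placeholders.

```shell
#!/bin/sh
# Consistency check for the three files the Shrew Authentication tab asks for:
# CA certificate, client certificate and client private key (PEM, assumed).
# Usage: check_ipsec_client_files ca.crt client.crt client.key

check_ipsec_client_files() {
    ca="$1"; cert="$2"; key="$3"

    # 1. The client certificate must chain to the CA we give to Shrew,
    #    otherwise the router will reject us during Mutual RSA authentication.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "client certificate does not chain to the CA" >&2; return 1; }

    # 2. The private key must belong to the client certificate: compare the
    #    SubjectPublicKeyInfo embedded in each (works for RSA and EC keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match the client certificate" >&2; return 1; }

    # 3. Warn (but do not fail) when the certificate expires within 30 days,
    #    so the tunnel does not silently stop working later.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || {
        echo "warning: client certificate expires within 30 days" >&2; }
    return 0
}
```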


We now specify which protocols to use for ISAKMP phase 1 and phase 2:

They have to match the router's proposals.


We finish with the routing/topology part:

As the split tunnel is already configured on the router, we can tell the software to obtain the configuration automatically.


We can now relaunch the software to be sure that all parameters are taken into account.


Testing:


After the connection is established:

The IP address assigned to the virtual interface is

We are able to ping the Rasp in the LAN.

I have no pictures to prove it, but the surf is running for sure!


Note:


Name resolution is not used as I am still facing issues. I am not able to access SMB shares through the VPN. If someone has an idea to allow broadcast packets …


In case of issues:


Shrew offers several powerful debugging tools: the VPN Trace Utility.



Happy clicking, everyone,

Permanent link to this article: http://rsocisco.fr/shrew-client-configuration/
