Zigmunds Vītiņš | 1 Oct 07:57 2010

Problem with Shrew soft VPN client configuration for juniper SSG


At this moment all clients can successfully use NetscreenRemote, but one PC runs Windows 7, and for this PC
I plan to use the ShrewSoft VPN client.
Now I am testing this VPN client, but unsuccessfully.

The configuration on NetscreenRemote is:

Connection security: secure
Remote Party Identity ...
ID Type: IP subnet
Protocol: all
use: Secure Gateway Tunnel
ID type: IP address
My Identity
ID Type: e-mail address

Security Policy

aggressive mode
Enable PFS
DH group 5

Preshared Key; Extended Authentication


Carlos Gutierrez Calleja | 1 Oct 15:48 2010

negotiation timout occurred - in Windows 7 64 bits

I'm getting the following error when trying to connect to a VPN from Windows 7 Home 64-bit.

When I connect using 32-bit systems, the same configuration works fine (the setup is attached).

The ShrewSoft client version is 2.1.6.


config loaded for site 'Vpn Soft modem.vpn'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

Carlos Gutiérrez Calleja


Consultoría Proyectos

T. (55) 5362 6750 / 5362 7455

M. (55) 5252 9658

Soft & Soulware / Oracle Partner


Attachment (Vpn Soft modem.vpn.vpn): application/octet-stream, 1065 bytes
vpn-help mailing list
Maxim Belousov | 1 Oct 18:35 2010

importing certificates

Are there detailed instructions on how to import a certificate from a Windows 2003 CA to the client v2.1.6?
Thank you
Matthew Grooms | 1 Oct 19:10 2010

Re: an error occurred while importing the site definition

On 9/22/2010 1:40 AM, Peter Schwandner wrote:
>   Can someone help me to import a cisco.pcf file.
> I always get the message: an error occurred while importing the site
> definition
> I have tried 3 or 4 files with the same group but other users.
> What's the problem in the file:

Give this a try. The client was trying to hex-decode the plain text.


Matthew Grooms | 1 Oct 19:14 2010

Re: JUNOS/SRX with Shrew VPN

On 9/22/2010 2:50 PM, Lars Vik wrote:
> Hi,
> Anyone managed to get Shrew VPN to work with JUNOS on the SRX-series?
> (SRX240H-POE).

Hi Lars,

I don't have a SRX series gateway device in my lab. At one point, the 
folks at Juniper were going to ship me one but they never did. What kind 
of issues are you having?

Matthew Grooms | 1 Oct 19:41 2010

Re: Session terminated by gateway

On 9/22/2010 7:10 PM, Leblanc, Guy (IT) wrote:
> I am not a VPN expert so I read forums and apply instructions. I found
> that the only way for me to get rid of the "session terminated by
> gateway" issue was to disable my Windows 7 (64 bits) firewall in
> addition to setting Phase-2 PFS=2 as recommended. (Windows firewall
> issued no warning that it had blocked anything Shrew, though, even if
> the notification option was checked). Once the Windows firewall has been
> disabled on my domain connection with my head office, the tunnel remains
> stable over my Linksys WRT-610N WIFI broadband home router/gateway (with
> its own firewall active, btw).
> I have now installed Shrew version 2.1.7 beta but I still have to
> disable the Windows firewall to eliminate the error. Is there a
> workaround to this? Much has been written regarding interference from
> some specific router firewalls but after reading many forums, I seem to
> be the only one having to disable their Windows firewall. Does anybody have an idea?

This is an interesting issue. I believe the windows firewall has been 
implemented as a windows filtering platform driver which is higher in 
the NDIS stack than the Shrew Soft LWF driver. In other words, this 
shouldn't cause any packets sent during IKE negotiations to be blocked 
by the filter. My guess is that the client didn't negotiate an initial 
IPsec SA after the connection had been established. A Cisco gateway will 
terminate the connection unless this occurs. Disabling the windows FW 
may have allowed packets to traverse the tunnel ( DNS or something 
similar ) which allowed the IPsec SA to be established and the tunnel to 
remain active.

I would suggest you try to install the latest 2.1.7 RC and see if that 
makes any difference. Michael Kenny submitted a patch ( which has been 
committed ) that fixes a bug related to the initial SA negotiation which 
may resolve your issue. If that doesn't help, try starting a ping to an 
IP address on the distant side of the tunnel, and then try the 
connection. If the ping starts to respond after you connect and the 
connection remains stable, please let me know. There may be something 
else we can do to improve the situation.

Matthew Grooms | 1 Oct 19:43 2010

Re: Nortel

On 9/23/2010 7:16 AM, Andersson, Henrik (Integration and Application 
Centers) wrote:
> Has anyone set up the Shrew client for use instead of a Nortel VPN client?
> *Henrik Andersson* | System developer
> Application Management | Logica Sweden*
> *Rådhusgatan 15-17, 831 41 Östersund | Sweden
> T: +46 63 15 22 84
> hen.andersson@...
> www.logica.com

I don't have a Nortel device in my lab for testing. If you do try to use 
the client and run into issues, you can post your results here and we 
will do what we can to help.

Matthew Grooms | 1 Oct 19:55 2010

Re: Ipsec to Mikrotik RouterOS

On 9/26/2010 1:58 PM, Greg-Texmesh wrote:
> Has anyone set up Shrew 2.1.6 on Windows XP or 7 and connected to a
> Mikrotik router running RouterOS 4.2 or higher?
> I need help!!!

It would appear that the Mikrotik router uses racoon as its IKE daemon, 
so the client should work well with that platform. I don't have such a 
device in my lab for testing so I can't offer a configuration howto for 
that particular platform. However, if you read the VPN Client docs which 
are available on our website, you should be able to get it up and 
running. It has detailed information on how to configure racoon to work 
with the Shrew Soft VPN Client ...

However, it doesn't look like the Mikrotik supports the modecfg section 
of racoon, which means the client won't be able to support the IKE 
config push/pull methods. That means you will need to either disable the 
virtual adapter or use static virtual adapter addresses for each client 
and configure any private DNS/WINS settings manually. Disappointing.

Matthew Grooms | 1 Oct 20:01 2010

Re: VPN connection with Alcatel-Lucent Brick

On 9/28/2010 8:45 AM, Sławomir Krok wrote:
>   Hi
> I was able to solve this on my own. The problem was actually caused by the
> Alcatel-Lucent IPsec client which was on the same PC. Even when it was
> off, there were a few services working and blocking Shrew. This was a bit
> of a surprise because in the past I was using the Alcatel client with e.g. Cisco
> and Juniper clients on the same PC and all of them worked fine.
> So, after uninstalling the Alcatel client I could ping remote hosts, and
> remote desktop works fine too.

Thanks for the followup post. Different VPN Clients capture and process 
IKE and IPsec traffic differently. We have invested a lot of time into 
making sure our VPN client doesn't interfere with other clients that may 
be installed ( only install divert rules for specific peer IP's and only 
process traffic which match our specific IPsec SA identifiers ). 
However, other VPN clients aren't nearly as accommodating and will try 
to process traffic that they shouldn't. This can cause the Shrew Soft VPN 
client to work incorrectly. It's all very implementation specific.

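Matthew's description of why the Shrew Soft client coexists with other VPN clients (divert rules only for specific peer IPs, and processing only traffic that matches its own IPsec SA identifiers) can be sketched as a packet classifier. The code below is an added illustration written for this page, not Shrew Soft's driver code; the packet layouts are standard IPv4, ESP and UDP/NAT-T, while build_ipv4, classify, the peer set and the SA table are constructed for the example.

```python
import ipaddress
import struct

ESP, UDP = 50, 17          # IP protocol numbers
IKE_PORTS = {500, 4500}    # IKE and IKE/NAT-T

def build_ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 packet (no options) used for the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def classify(packet, peers, sas):
    """Decide whether an inbound packet belongs to this client or is left alone.

    peers: set of peer gateway IPs the client has divert rules for (assumed).
    sas:   {(peer_ip, spi): label} of the client's own inbound IPsec SAs (assumed).
    Returns ("divert", why) or ("pass", why); "pass" means the packet is
    handed on untouched to the host stack or to another VPN client.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("pass", "not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.ip_address(packet[12:16]))
    body = packet[ihl:]
    if src not in peers:                      # divert rules are per peer IP
        return ("pass", "not one of our peers")
    if proto == ESP and len(body) >= 4:       # raw ESP: SPI is the first 4 bytes
        spi = struct.unpack("!I", body[:4])[0]
        label = sas.get((src, spi))
        return ("divert", f"ESP SA {label}") if label else ("pass", "foreign SPI")
    if proto == UDP and len(body) >= 8:
        _, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        # NAT-T on UDP/4500: a non-zero first word is an ESP SPI, a zero word
        # (the non-ESP marker) means the datagram carries IKE.
        if dport == 4500 and len(data) >= 4 and data[:4] != b"\x00" * 4:
            spi = struct.unpack("!I", data[:4])[0]
            label = sas.get((src, spi))
            return ("divert", f"UDP-ESP SA {label}") if label else ("pass", "foreign SPI")
        if dport in IKE_PORTS:
            return ("divert", "IKE from our peer")
    return ("pass", "unrelated traffic")
```

A packet from an unknown peer, or an ESP packet whose SPI is not in the client's own SA table, is passed through untouched, which is the behaviour that keeps a second VPN client on the same PC working.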
Matthew Grooms | 1 Oct 20:09 2010

Re: DNS server preference

On 9/28/2010 3:40 PM, lst_hoe02@... wrote:
> Hello
> we would like to set for all VPN users a "preferred" internal DNS server to
> resolve internal addresses and external ones. Unfortunately it seems
> that after bringing up the VPN, the DNS server assigned to the
> Windows LAN interface is still used. This is especially annoying with providers
> which lie about non-existing domains to redirect to some search page.
> Details:
> Client OS Windows XP SP3 with ShrewSoft VPN Client 2.1.6 and a virtual
> interface with manually assigned IP address and DNS server. No split DNS
> or search suffix set. Name resolution by hand works fine across the
> tunnel but, as said, the DNS server assigned by DHCP to the Windows LAN
> interface is used first.
> Any chance to get the VPN DNS server as preferred?

Hi Andreas,

How do you have DNS configured on the client OS? Is "Append primary and 
connection specific DNS suffixes" or "Append these DNS suffixes ( in 
order )" selected under the advanced TCP/IP settings DNS tab?