SRX5308 IPsec VPN with Shrew soft

 

This is a short guide for setting up a Netgear SRX5308 IPsec Client to Box VPN tunnel using the free Shrew VPN client. This guide should however work with most Netgear Prosafe routers (let me know if it doesn’t).

First of all, my topology is a lab setup. A real world scenario should have the WAN port of the SRX facing the Internet directly. In this scenario I have just replaced the Internet with the LAN network of my modem/router, it doesn’t make any difference in terms of setup as I am not being double-NATed or going through any external firewall.

Topology

Topology map for an SRX5308 IPsec client to box VPN setup
Topology for lab setup, IPsec with Shrew VPN to SRX5308

Main PC:
*Windows 10 64 bit Pro
*Shrew Soft VPN Client – Standard Edition 2.2.2

SRX5308:
*Firmware: 4.3.3-6

As you can see my main PC is on a 192.168.0.0/24 Network and the resources I want to access are on 10.0.0.0/24 network behind the SRX5308 (SRX WAN interface is connected to the LAN interface of my ISP modem/router).


SRX5308 IPsec configuration

The SRX side of things is very easy, you can just use the VPN Wizard and you’ll be fine. Go to web GUI -> VPN -> IPSec VPN -> VPN Wizard.

Here’s my Wizard setup:
IPSec SRX5308 Wizard page

As you can see it’s very simple.  You don’t need to make any manual changes to the IKE or VPN policy after this,  the SRX5308 IPsec VPN wizard is all you need. Now, on to the client.


Shrew VPN Client configuration

Let’s go through the necessary configuration, I’ll just go through the tabs that needs to be changed. Everything else; leave as default.

  • General
    General tab of the Shrew VPN client
    Pretty self explanatory, the WAN IP of the SRX5308 (or hostname if you prefer) goes here. Also you need to set the Auto Configuration to “Disabled”.
  • Authentication
    Set authentiction method to “Mutual PSK” (Pre Shared Key)

    • Local identity
      Set to “Fully Qualified Domain Name” and the string should match what you configured on the SRX as the REMOTE identifier setting, in my case remote.com
    • Remote identity
      Set to “Fully Qualified Domain Name” and match the string to the SRX LOCAL identifier setting, in my case: local.com
    • Credentials
      Fill in the Pre Shared Key field configured on your SRX5308.
  • Name Resolution
    Untick DNS and WINS, unless of course you have a DNS and/or WINS server on the SRX5308 side.


  • Phase 1
    Phase 1 settings for Shrew VPN Client
    Pretty straight forward, match the settings on the SRX5308 which should be Aggressive, DH Group 2 and, by default, a key life time limit of 28800.  If you’re having issues getting past Phase 1 in your VPN connection I do recommend avoiding the “Auto”-settings. Change them to match what is set up on the SRX. In most cases Auto works fine though.

  • Phase 2
    Unless you set up the router with PFS you don’t really need to change anything in here. However, just like with Phase 1, there are some fields here that are set to “Auto” by default, if you have issues – try adjusting them to match the VPN server settings.


  • Policy
    This is where you tell the client what traffic should go through the tunnel. Turn off the “Obtain topology automatically or tunnel all” and instead add manual include entries, in my case I added one for 10.0.0.0/24.


Ready to go! Save the settings and open that tunnel!

Picture of a successful connection to the SRX5308 IPSec server
Success!

Pretty simple right? Please let me know if the above guide does not work. I’ll add a section on troubleshooting some common issues soon.