This is a short guide for setting up a Netgear SRX5308 IPsec Client to Box VPN tunnel using the free Shrew VPN client. This guide should however work with most Netgear Prosafe routers (let me know if it doesn’t).
First of all, my topology is a lab setup. In a real-world scenario the WAN port of the SRX would face the Internet directly. Here I have simply replaced the Internet with the LAN of my modem/router; it makes no difference to the setup, as I am not being double-NATed or going through any external firewall.
* Windows 10 64 bit Pro
* Shrew Soft VPN Client – Standard Edition 2.2.2
As you can see my main PC is on a 192.168.0.0/24 Network and the resources I want to access are on 10.0.0.0/24 network behind the SRX5308 (SRX WAN interface is connected to the LAN interface of my ISP modem/router).
SRX5308 IPsec configuration
The SRX side of things is very easy, you can just use the VPN Wizard and you’ll be fine. Go to web GUI -> VPN -> IPSec VPN -> VPN Wizard.
As you can see it’s very simple. You don’t need to make any manual changes to the IKE or VPN policy after this, the SRX5308 IPsec VPN wizard is all you need. Now, on to the client.
Shrew VPN Client configuration
Let’s go through the necessary configuration. I’ll only cover the tabs that need to be changed; leave everything else at its default.
Pretty self-explanatory: the WAN IP of the SRX5308 (or hostname if you prefer) goes here. You also need to set Auto Configuration to “Disabled”.
Set the authentication method to “Mutual PSK” (Pre-Shared Key).
- Local identity
Set to “Fully Qualified Domain Name” and the string should match what you configured on the SRX as the REMOTE identifier setting, in my case remote.com
- Remote identity
Set to “Fully Qualified Domain Name” and match the string to the SRX LOCAL identifier setting, in my case: local.com
Fill in the Pre Shared Key field configured on your SRX5308.
- Name Resolution
Untick DNS and WINS, unless of course you have a DNS and/or WINS server on the SRX5308 side.
- Phase 1
Pretty straightforward: match the settings on the SRX5308, which should be Aggressive, DH Group 2 and, by default, a key lifetime of 28800 seconds. If you’re having trouble getting past Phase 1, I recommend avoiding the “Auto” settings and changing them to match what is set up on the SRX. In most cases Auto works fine though.
- Phase 2
Unless you set up the router with PFS, you don’t need to change anything here. However, just like with Phase 1, some fields here are set to “Auto” by default; if you have issues, try adjusting them to match the VPN server settings.
This is where you tell the client what traffic should go through the tunnel. Turn off “Obtain topology automatically or tunnel all” and instead add manual include entries; in my case I added one for 10.0.0.0/24.
Ready to go! Save the settings and open that tunnel!
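The steps above boil down to mirroring a handful of values between the SRX5308 policy and the Shrew client tabs, with the two identifiers deliberately crossed over (client Local = SRX Remote, client Remote = SRX Local). The following Python script is an added example, not part of this guide and not code from Netgear or Shrew Soft; it models those settings as plain dictionaries with constructed values (the WAN address 203.0.113.10 and the PSK are placeholders), reports anything that does not line up before you try to bring the tunnel up, checks which destinations the manual include list would actually send through the tunnel, and lists the caveats a defender would attach to the wizard defaults.

```python
"""Consistency check for an SRX5308 <-> Shrew Soft client IPsec setup.

Added example, not part of the original guide or of the Shrew Soft/Netgear
software. It models only the settings the guide tells you to mirror between
the router's IKE/VPN policy and the client's tabs.
"""
import ipaddress

# Constructed values: what the SRX5308 VPN wizard produced in the guide.
SRX_POLICY = {
    "local_identifier": "local.com",    # SRX "Local" identifier (FQDN)
    "remote_identifier": "remote.com",  # SRX "Remote" identifier (FQDN)
    "exchange_mode": "aggressive",
    "dh_group": 2,
    "ike_lifetime": 28800,              # seconds
    "pfs": False,
    "psk": "example-psk-placeholder",   # placeholder, not a real key
    "local_network": "10.0.0.0/24",     # the LAN behind the SRX
}

# Constructed values: what was typed into the Shrew client tabs.
SHREW_SITE = {
    "remote_host": "203.0.113.10",      # placeholder for the SRX WAN IP
    "auto_configuration": "disabled",
    "auth_method": "mutual-psk",
    "local_identity": ("fqdn", "remote.com"),
    "remote_identity": ("fqdn", "local.com"),
    "psk": "example-psk-placeholder",
    "phase1_exchange": "aggressive",
    "phase1_dh_group": 2,
    "phase1_lifetime": 28800,
    "phase2_pfs_group": None,
    "policy_auto": False,               # "Obtain topology automatically" off
    "policy_includes": ["10.0.0.0/24"],
}


def check_mirrored(srx, client):
    """Return a list of mismatches between router and client settings.

    The identities cross over: the client's LOCAL identity must equal the
    router's REMOTE identifier and vice versa. Getting that swap wrong is a
    common reason Phase 1 never completes.
    """
    problems = []
    if client["auto_configuration"] != "disabled":
        problems.append("Auto Configuration must be Disabled on the General tab")
    if client["auth_method"] != "mutual-psk":
        problems.append("authentication method must be Mutual PSK")
    if client["local_identity"] != ("fqdn", srx["remote_identifier"]):
        problems.append("client Local identity must equal SRX Remote identifier")
    if client["remote_identity"] != ("fqdn", srx["local_identifier"]):
        problems.append("client Remote identity must equal SRX Local identifier")
    if client["psk"] != srx["psk"]:
        problems.append("pre-shared key differs")
    if client["phase1_exchange"] != srx["exchange_mode"]:
        problems.append("Phase 1 exchange mode differs")
    if client["phase1_dh_group"] != srx["dh_group"]:
        problems.append("Phase 1 DH group differs")
    if client["phase1_lifetime"] != srx["ike_lifetime"]:
        problems.append("Phase 1 key lifetime differs")
    if srx["pfs"] and client["phase2_pfs_group"] is None:
        problems.append("SRX uses PFS but the client Phase 2 PFS group is not set")
    if client["policy_auto"]:
        problems.append("turn off 'Obtain topology automatically or tunnel all'")
    srx_lan = ipaddress.ip_network(srx["local_network"])
    if not any(ipaddress.ip_network(n) == srx_lan for n in client["policy_includes"]):
        problems.append("policy include list does not cover the SRX LAN")
    return problems


def tunnelled(client, address):
    """True if the client's manual include list sends `address` into the tunnel."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in client["policy_includes"])


def hardening_notes(srx):
    """Defender caveats about the wizard defaults the guide accepts as-is."""
    notes = []
    if srx["exchange_mode"] == "aggressive" and srx["psk"]:
        notes.append("aggressive mode with PSK sends the identity unencrypted and "
                     "exposes a hash of the PSK; use a long, random PSK")
    if srx["dh_group"] <= 2:
        notes.append("DH group 2 (1024-bit MODP) is deprecated; prefer group 14 "
                     "or higher if both ends support it")
    if not srx["pfs"]:
        notes.append("PFS is off; enabling it limits what a recovered IKE key exposes")
    return notes


if __name__ == "__main__":
    for p in check_mirrored(SRX_POLICY, SHREW_SITE) or ["settings match"]:
        print(p)
    print("10.0.0.5 tunnelled:", tunnelled(SHREW_SITE, "10.0.0.5"))
    for n in hardening_notes(SRX_POLICY):
        print("note:", n)
```

Swapping the two identity strings in `SHREW_SITE` is the quickest way to see the check earn its keep: both identity lines are reported while everything else still passes, which is exactly the symptom you would otherwise be chasing in the Phase 1 negotiation.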
Pretty simple right? Please let me know if the above guide does not work. I’ll add a section on troubleshooting some common issues soon.