The IPSec client software used in this guide is available on the Internet and is merely used for example purposes. VASCO does not endorse or provide support for any particular brand or type of client software. Contact the software manufacturer for support and documentation.
4.1.3.1. Installation
The installation of the Shrew Soft IPSec client is simple and similar to any other Windows program:
1. Log on to Windows with administrator privileges.
2. Download the Shrew Soft IPsec Client from: http://www.shrew.net/download
3. Start the installation by double-clicking the installation executable and follow the on-screen instructions.
No reboot is required after installation.
4.1.3.2. Configuration
1. Click on Start.
2. Navigate to All Programs > Shrew Soft VPN Client.
3. Click on Access Manager. A screen similar to the image below appears.
Figure 4.4. Shrew Soft VPN Access Manager
To add an IPSec connection:
1. Click on Add.
2. Enter the settings as explained further (per tab).
General Tab
1. Enter the Public IP address or host name of the AXS GUARD you are connecting to, e.g. 195.0.83.11 or axsguard.yourdomain.com.
2. Leave the Port number unchanged (500).
3. Set the Auto Configuration to disabled.
4. Set the Address Method to Use a virtual adapter and assigned address.
5. Leave the MTU unchanged (1380).
6. Enter the virtual adapter’s IP address, e.g. 192.168.11.100. Make sure that this IP address is not used in the LAN of the AXS GUARD you are connecting to. If you are unsure about the IP address, use one in another range, e.g. 10.0.0.5.
7. Enter the virtual adapter’s netmask, e.g. 255.255.255.255.
Figure 4.5. Shrew Soft VPN General Tab
Client Tab
1. Enable NAT Traversal.
2. Leave the NAT Traversal port unchanged (4500).
3. Leave the Keep-alive packet rate unchanged (15).
4. Leave the IKE Fragmentation unchanged (enable).
5. Leave the Maximum packet size unchanged (540).
6. Enable Dead Peer Detection.
7. Enable ISAKMP Failure Notifications.
Figure 4.6. Shrew Soft VPN Client Tab
Name Resolution Tab
1. Do not enable WINS.
2. Enable DNS.
3. Enter the DNS server’s IP address. This is the LAN IP address of the AXS GUARD, e.g. 192.168.11.254 (see tip below).
4. Enter the DNS Suffix of the domain used in your network (see tip below).
5. Do not enable Split DNS.
Figure 4.7. Shrew Soft VPN Name Resolution Tab
• To view the LAN IP address of your AXS GUARD, navigate to: Network > Devices > Eth and select the appropriate secure device.
• You may also use the Active Directory DNS in your network, if available.
Authentication Tab
1. Set the authentication Method to Mutual PSK + XAUTH.
2. In the Local Identity Tab, set the Identification Type to IP address.
3. Check Use a discovered local host address.
4. In the Remote Identity Tab, set the Identification Type to IP address.
5. Enter the Public IP address of the AXS GUARD you are connecting to. This is the same IP address as entered in the General Tab.
6. Do not check Use a discovered remote host address.
7. Enter the Pre-Shared Key in the Credentials Tab. This is the same Key as entered on the AXS GUARD (see Section 4.1.2.2, “Phase 1 Settings”).
Figure 4.8. Shrew Soft VPN Authentication Tab
Use long and complex strings when using PSK authentication (see Section 4.1.2.2, “Phase 1 Settings”).
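The following PowerShell function is an added example, not part of this guide or of the Shrew Soft or AXS GUARD software; it produces a random pre-shared key of the length and complexity the tip above asks for, using the .NET cryptographic random number generator rather than Get-Random. The function name, the default length of 48 characters and the alphanumeric alphabet are assumptions chosen here.

```powershell
# Added example (not from the guide): generate a long, random PSK for the
# Credentials Tab using a cryptographically secure random source.
function New-PreSharedKey {
    param(
        # 48 alphanumeric characters is roughly 285 bits of entropy (assumed default).
        [int]$Length = 48
    )
    # Alphanumerics only, so the key pastes cleanly into both the client
    # and the AXS GUARD without any character needing escaping.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'

    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] ($Length * 4)
    $rng.GetBytes($bytes)

    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # Draw a full 32-bit word per character; with a 62-character alphabet
        # the modulo bias is negligible (2^32 is not far from a multiple of 62).
        $v = [BitConverter]::ToUInt32($bytes, $i * 4)
        $alphabet[[int]($v % $alphabet.Length)]
    }
    -join $chars
}

# Usage: generate the key once and enter the same value on both sides.
New-PreSharedKey
```

Enter the generated string in the Credentials Tab of the client and as the Phase 1 pre-shared key on the AXS GUARD; the two must match exactly, and the key should not be sent over an unprotected channel such as plain e-mail.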
Phase 1 Tab
1. Set the Exchange Type to main.
2. Set the DH Exchange to auto.
3. Set the Cipher Algorithm to AES.
4. Set the Cipher Key Length to auto.
5. Set the Hash Algorithm to MD5.
6. Leave the Key Life Time limit unchanged (86400).
7. Leave the Key Life data limit unchanged (0).
8. Do not check Enable Check Point Compatible Vendor ID.
Figure 4.9. Shrew Soft VPN Phase 1 Tab
Phase 2 Tab
1. Set the Transform Algorithm to ESP-AES.
2. Set the Transform Key Length to 128 bits.
3. Set the HMAC Algorithm to SHA1.
4. Set the PFS Exchange to auto.
5. Set the Compress Algorithm to disabled.
6. Leave the Key Life Time limit unchanged (3600).
7. Leave the Key Life data limit unchanged (0).
Figure 4.10. Shrew Soft VPN Phase 2 Tab
Policy Tab
1. Check Maintain Persistent Security Associations.
2. Do not check Obtain Topology Automatically or Tunnel All.
3. Click on Add. A screen similar to Figure 4.12, “Shrew Soft VPN Topology Entry” will appear.
4. Set the Type to Include.
5. Enter the LAN IP Network address of the AXS GUARD, e.g. 192.168.11.0 (see Section 4.1.2.2, “Phase 1 Settings”).
6. Enter the LAN Netmask of the AXS GUARD, e.g. 255.255.255.0 (see Section 4.1.2.2, “Phase 1 Settings”).
7. Click on OK.
Figure 4.12. Shrew Soft VPN Topology Entry
4.1.3.3. Testing your Connection
1. Start the Shrew Soft VPN Access Manager as explained in Section 4.1.3.2, “Configuration”.
2. Select the Connection you have created.
3. Click on Connect. A screen as shown below appears.
Figure 4.13. Connection to IPSec Endpoint
4. Enter the AXS GUARD user name.
5. Generate and enter the DIGIPASS OTP.
6. Press enter or click on Connect. Information about the connection is displayed as shown in the image below.
Figure 4.14. Connection to IPSec Enabled
7. Once the tunnel is up, open a Windows command prompt (Navigate to Start > Run and type cmd followed by enter).
8. Ping the LAN IP address of the AXS GUARD, e.g. ping 192.168.11.254 (see below).
9. Test your DNS settings by pinging the internal host name of the AXS GUARD (see below).
Figure 4.15. Testing the IPSec Connection
• If you can ping the IP address of the AXS GUARD, but not the host name, the problem is DNS-related. Verify the DNS configuration settings of your client if necessary.
• If you are using an Active Directory (AD) DNS server, make sure that the internal host name of the AXS GUARD is correctly added to its DNS repository. Consult the documentation of your AD server if necessary.
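The PowerShell script below is an added example, not part of this guide, that runs steps 8 and 9 of the connection test from a single prompt and applies the two troubleshooting rules above: if the LAN IP address answers but the host name does not, the problem is DNS-related; if neither answers, the tunnel or topology entry is the first thing to check. The gateway LAN IP address and network prefix are the guide's own example values; the internal host name is a placeholder, and the function name and the extra route and resolver checks are assumptions added here.

```powershell
# Added example (not from the guide): scripted version of the connection test
# in Section 4.1.3.3. Run it on the Windows client once Shrew Soft shows the
# tunnel as connected. Replace the placeholder values with your own.
function Test-IpsecTunnel {
    param(
        [string]$GatewayLanIp = "192.168.11.254",           # LAN IP of the AXS GUARD (guide's example value)
        [string]$InternalHost = "axsguard.internal.example", # PLACEHOLDER: your AXS GUARD's internal host name
        [string]$LanPrefix    = "192.168.11.0/24"            # Policy Tab topology entry: 192.168.11.0 / 255.255.255.0
    )

    # Step 8: ping the gateway's LAN address through the tunnel.
    $ipOk = Test-Connection -ComputerName $GatewayLanIp -Count 2 -Quiet

    # Step 9: ping the internal host name, which exercises the DNS settings
    # entered on the Name Resolution Tab.
    $nameOk = Test-Connection -ComputerName $InternalHost -Count 2 -Quiet

    if ($ipOk -and $nameOk) {
        "OK: $GatewayLanIp and $InternalHost both answer; tunnel and DNS work."
    }
    elseif ($ipOk) {
        # First bullet of the guide: IP reachable, name not -> DNS-related.
        "DNS problem: $GatewayLanIp answers but $InternalHost does not."
        # Show which DNS servers each interface is configured with, so you can
        # confirm the virtual adapter points at the AXS GUARD LAN address.
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            Format-Table InterfaceAlias, ServerAddresses -AutoSize
        # Ask the gateway's resolver directly; a failure here points at the
        # DNS repository (AXS GUARD or AD), a success at the client settings.
        Resolve-DnsName -Name $InternalHost -Server $GatewayLanIp -ErrorAction SilentlyContinue
    }
    else {
        # Neither answers: check the tunnel state and the topology entry
        # before looking at DNS at all.
        "Tunnel problem: $GatewayLanIp is not reachable; verify the connection is up and the Policy Tab topology entry."
        # The route for the LAN prefix should point at the Shrew Soft virtual adapter.
        Get-NetRoute -DestinationPrefix $LanPrefix -ErrorAction SilentlyContinue |
            Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize
    }
}

# Usage: run with the defaults, or pass your own values, e.g.
# Test-IpsecTunnel -GatewayLanIp 192.168.11.254 -InternalHost axsguard.corp.example
Test-IpsecTunnel
```

The route check in the last branch is the quickest way to tell a topology mistake (no route for the LAN prefix via the virtual adapter) from a tunnel that simply dropped; the resolver check in the DNS branch separates a wrong DNS server on the client from a missing host entry on the server side, which is the case the second bullet above describes.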