
Shrew Soft VPN tutorial on Windows 64 bit with IPsec

Posted by Happy Hippo on 9/10/2009 02:35:00 pm
Note: if you tried installing an older version of Shrew VPN (e.g. an alpha version) and you keep getting blue screens, I recommend doing a System Restore to get rid of it (this may also remove other programs you installed after Shrew VPN). Otherwise it's very difficult to stop the BSODs.

I published the NCP-e VPN configuration tutorial not long ago; it was the first 64-bit IPSec VPN client that worked for me, and it's not free (probably why), while most other clients gave me blue screens while installing their drivers. But now, as we get closer to the Windows 7 64-bit release date, it seems there will soon be a choice of free IPSec VPN clients that work on 64-bit Windows 7 as well. It's for you to decide whether you want a commercial VPN client with more support and extra features or just a free VPN client; I only intend to publish my personal experience of testing them. Now it's time for the Shrew Soft VPN client, which only recently (3rd of September) released its RC3 version, and that one worked on my computer.

Installation:
After downloading the 2.1.5 (rc3) version of Shrew VPN, start the installer. A message or two may pop up asking you to confirm the driver installation, and they may hide behind the installation window (press ALT+TAB if the installation doesn't seem to be doing much, to check whether a prompt is hiding somewhere); click Yes (Install) on them. Update: version 2.1.5 is no longer a beta or RC release, so you can download the stable 2.1.5 version of 05 Dec 2009 (or newer betas if you fancy testing new releases).




Configuration:
If you have a .pcf file from your older Cisco VPN client, open Shrew Soft VPN and go to File > Import, select the .pcf file extension in the filter, select your file and click Open. Try connecting now; if it works, great (it didn't for me at this point). If it doesn't, click Modify, select the "Client" tab, go to NAT Traversal and select "force-rfc". Update: force-rfc is probably not required in most configurations, only in very particular cases. If it's still not connecting, check the configuration as described below.





If you don't have a configuration file from your old Cisco client, then make sure that you have these common settings:

  • IPSec gateway (e.g. vpn.blahblah.com or 129.123.000.000)
  • IPSec ID, also known as group ID (usually just a word)
  • IPSec secret, also known as group password (also a word)
  • remote access personal username (xauth username)
  • remote access personal password (xauth password)
 (and maybe other advanced settings as well, if you were given those)


1) First add a new connection profile by clicking the Add button. You will see the General VPN settings tab; enter your IPSec gateway in the "Host Name or IP address" field (and the port settings, if you were given them).


2) Go to the Client tab and select force-rfc under NAT Traversal (leave the other settings at their defaults unless you were given different ones; see the first image for the screenshot). Update: this is probably not required for most connection types.



3) Go to the Name Resolution tab and leave everything on automatic (unless you were given specific WINS or DNS servers etc., but try automatic first).


4) Go to the Authentication tab and select Mutual PSK + XAuth under Authentication Method (that is the one for an IPSec group ID plus pre-shared key; select a different one if you are using a certificate, etc.).
  • Go to the Local Identity sub-tab, select Key Identifier under Identification Type and enter your IPSec group ID in the "Key ID String" field.
  • Go to the Remote Identity sub-tab and leave it on the Any identification type.
  • Go to the Credentials sub-tab and enter your IPSec group password in the "Pre Shared Key" field. If you are using a certificate as your authentication method, select your certificate in this tab instead.



5) The Phase 1, Phase 2 and Policy tabs usually don't need any changes, unless you were given particular settings to enter, such as the Main exchange type if you are using a certificate, the encryption algorithms your server supports, PFS exchange, etc.

Click Save, then click Connect in the main program window. You will be asked for your XAuth username and password. Enter them, and if the connection succeeds you can check your IP address on www.whatismyipaddress.com.

There are two more things I recommend: go to File > Preferences, tick "Minimize when connection succeeds" and tick "Remember the connection username", and select "Visible in system tray only" in both drop-down lists, because it's very annoying to see those two windows in the taskbar all the time.

The main VPN window (aka Access Manager) can be closed now, or minimized if you want it to stay in the system tray; it lets you edit VPN connections but otherwise doesn't need to be open.
I have not found a way to remember the XAuth password yet; you'll have to enter it every time you want to connect to your VPN.

That's it!
If you need any help, or think something in this tutorial is wrong or misleading, leave a comment or contact me via the message box on the right =>
Sign up for updates from this blog as well! There will be more interesting stuff!

Useful Tip: 

To run Shrew VPN automatically or from the command line (or to remember the password), create a text file in Notepad and add these lines:

cd C:\Program Files\ShrewSoft\VPN Client\
start ipsecc.exe -r "configuration name" -u "user name" -p "password" -a

(replace the placeholders with your own values, without the quotes) and save the file as 1.bat. Now when you run it, Shrew VPN will pop up, connect and disappear automatically! It's magic! The password sits in plain text in that .bat file, so keep the file where only your own account can read it.

146 Comments


Their latest Stable version (2.1.4-release Nov 11 2008) gave me a blue screen on Windows 7 and I had to Restore Windows to a pre-install snapshot to undo that mess.

I went ahead and downloaded this RC version and had a much better result. I was able to simply import my Cisco pcf file and it connected right away.

No need to go past paragraph 1 in your write up. :)


Excellent! Thanks for confirming that it works. I had exactly the same problem with 2.1.4, and I also had to use Windows System restore to get rid of it. It must be a common problem for vpn clients. But they seem to be improving :)


I installed the Shrew client on Windows Server 2008 R2 64-bit; it connects and the tunnel is enabled. The computer got an IP address and the route is established, but... I cannot ping computers behind the firewall. I have no clue what the problem seems to be. Any idea? It must be something wrong with the route.

ipconfig

Connection-specific DNS Suffix . : local.lan
Link-local IPv6 Address . . . . . : fe80::c823:eb00:f639:be4b%11
IPv4 Address. . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Connection-specific DNS Suffix . : xxxxx.com
Link-local IPv6 Address . . . . . : fe80::a6:eeb3:e40d:db74%16
IPv4 Address. . . . . . . . . . . : 10.255.255.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

route print

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 20
10.255.255.0 255.255.255.0 On-link 10.255.255.1 306
10.255.255.1 255.255.255.255 On-link 10.255.255.1 306
10.255.255.255 255.255.255.255 On-link 10.255.255.1 306
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.1.0 255.255.255.0 On-link 10.255.255.1 51
172.16.1.255 255.255.255.255 On-link 10.255.255.1 306
172.16.2.0 255.255.255.0 On-link 10.255.255.1 51
172.16.2.255 255.255.255.255 On-link 10.255.255.1 306
172.16.3.0 255.255.255.0 On-link 10.255.255.1 51
172.16.3.255 255.255.255.255 On-link 10.255.255.1 306
172.16.100.0 255.255.255.0 On-link 10.255.255.1 51
172.16.100.255 255.255.255.255 On-link 10.255.255.1 306
172.16.101.0 255.255.255.0 On-link 10.255.255.1 51
172.16.101.255 255.255.255.255 On-link 10.255.255.1 306
172.16.102.0 255.255.255.0 On-link 10.255.255.1 51
172.16.102.255 255.255.255.255 On-link 10.255.255.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.2 276
192.168.1.2 255.255.255.255 On-link 192.168.1.2 276
192.168.1.255 255.255.255.255 On-link 192.168.1.2 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.2 276
224.0.0.0 240.0.0.0 On-link 10.255.255.1 306
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.2 276
255.255.255.255 255.255.255.255 On-link 10.255.255.1 306


There are many reports about pinging problems all over the internet, in particular that everything works on 32-bit systems and not on 64-bit systems. I am not sure what causes this problem, but I found this response on the thegreenbow website:

* Check Phase 2 settings: VPN client address and Remote LAN address. Usually, the client IP address should not belong to the remote LAN subnet (read also What must be filled in Phase 2 field "VPN client address"?)
* Once the tunnel is up, packets are sent with the ESP protocol. This protocol can be blocked by a firewall. Check that every device between the client and the VPN server accepts ESP.
* Check your VPN server logs. Packets can be dropped by one of its firewall rules.
* Check that your ISP supports ESP.
* If you still cannot ping, follow ICMP traffic on the VPN server LAN interface and on the LAN computer interface (with Ethereal for example). You will have an indication that encryption works.
* Check the "default gateway" value in the VPN server LAN. A target on your remote LAN can receive pings but not answer because there is no "default gateway" setting.
* You cannot access the computers in the LAN by their name. You must specify their IP address inside the LAN.


Also, these steps on experts-exchange.com:

When you get the tunnel up and running but no traffic passes this is usually a problem with either NAT0 or NAT-T.

Your NAT0 access-list seems right, so try adding the following:
crypto isakmp nat-traversal 20


Tell me if it helps please.


Great tutorial and some good user feedback here. Re: the ping issues with a firewall, is this an overlapping subnet issue? I see this all the time connecting into VPN's from hotels (some companies too, but rarer).

I know this is a frustration with a lot of clients out there now. Last I heard, NCP's Windows client has overcome this issue (some tech mojo they haven't made public).


Dear Happy Hippo:
Thanks a ton..
Used the 2.1.5 RC3, imported my cisco pcf and lo! Back to Work.. ! Took me 5 minutes..

Only additional message I got was, soon after the installation finished, Vista brought up a pop-up of "Compatibility Manager" or some sort and it warned me that "this program may not have installed correctly" (even though the installer finished properly and I clicked its "finish" button to gracefully quit)..It gave me two options:
1. (Re) Install using recommended settings (whatever that meant)
2. Its fine.. This program installed correctly.

I choose option 2.. and haven't faced any problems since..

Thanks once again.. You made my day..

Best Regards
Vignesh S


Thanks a lot! Very Useful!


Hi,

Great blog! Unfortunately I still have some problems. I have installed Shrew Soft VPN and a connection was established right away.
However, when connected through VPN, my connection with the internet is lost and I cannot make connection with the network of my work. I had the same problem with NCP. Guess it must be something with the settings of my computer? Any suggestions? I am not really into computer things, but I really do need a working vpn-connections. So, hopefully, someone can help!

Thanks a lot.


Not so sure if my last post, half an hour ago, was that clear. However the problem is: I get the tunnel up and running but no traffic passes... I read that this is usually a problem with NAT-T?

thanks again


On Windows 7 Ultimate the Shrew installer will not be able to install all necessary bits and pieces.


The 2.1.5 rc3 version installed very well on Windows 7 64bit. The screenshot in this post are from Windows 7.


I installed 2.1.5 rc3 on Windows 7 RC 64bit and have had no problems. It is faster than the Cisco client.


I installed 2.1.5(rc3)on vista. It worked on first try. Thanks a million


I still have problems with Windows Server 2008 R2, 64-bit. Where should I write "crypto isakmp nat-traversal 20". Probably in Cisco VPN server? The problem is that I'm not the administrator of VPN server :( I forgot to mention in my previous post on 13 september post that NCP 9.12 build 84 is working fine, but it is not free :(


Just trying to get up and running with Windows 7, 64-bit, with known good existing *.pcf files from three of the major sites we support. I get a "negotiation timeout" on all three sites. I've included a copy of the log in the Connect dialog. Any help would be appreciated.

config loaded for site 'Buffalo.pcf'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

Thanks,

Dale


Have you checked all the other settings manually? (Indicated on the screenshots) Sometimes more settings are needed to make it work. In particular check : NAT Traversal setting in Client tab (because my connection didn't work until I set this to force-rfc)


Hi, I installed version 2.1.5-rc-4 and followed your instructions. I did set the NAT Traversal setting to force-rfc and I'm getting the same timeout problem as Dale. Here's my log:

config loaded for site 'XXXXXVpn.pcf'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

Note: I installed the same version on my Windows XP laptop and it works fine with the same settings.

Any other suggestions???

Thanks!


Hi,

Just tested the latest RC. 2.1.5-rc-4 on my Win 7 64 bit computer, importing my Cisco VPN client profile file.
I manage to get connected but the security association fails continuously. Do you have any idea why and how to troubleshoot it?

Thanks in advance
G.


I have installed 2.1.5 rc4 on my Vista 64bit HP laptop. Once I have connected to my company VPN, my internet connection is being dropped. So, there is no way to either browse internet or remote desktop to my workstation at office. I have no such problem when using NCP secure client when setting DPD response to OFF (however, this is not free, I just tried the trial version).

I will try to turn off DPD setting to shrew. Hope it will work.

Any comment and help?


Installed and it was working but I use VMware Workstation on my machine and from there I lost access to the external network, basically made VMware useless. Any ideas?


Shrew does not appear to work with vmware workstation installed on your machine. It completely disables the network connection. If you disable Shrew, everything starts working.


I had already removed it from my PC - does it need to be disabled as a service or is there another way to disable it?


Worked for me out of the box! Used 2.1.5 RC5 running on Windows 7 64-bit RTM. Thanks very much!


I downloaded 2.1.5rc4 on win7 home premium and imported the PCF file from a working cisco vpn. I have the username and password for the working vpn and made sure they appear in the pcf file. I changed the nat to force rfc as suggested.

Still get negotiation timeout. Any ideas or a way to increase the connect timeout?

Thanks for the good work so far. ML


Brilliant, thank you!


I too have the same timeout issue described above (during the "bringing up tunnel..." message). The company I work for uses a user-assigned "grid" of values for a second validation. Could this have something to do with the problem? I've actually gotten VPNC to work in Linux, but it didn't work in Windows.


Oh, btw, I found this comment on the Shrew Soft web site about Cisco. It may, or may not, have something to do with secondary authentication:

Known Issues
Cisco gateways support a proprietary form of hybrid authentication which does not conform to RFC draft standards. At this time the Shrew Soft VPN Client does not support this authentication mode. We hope to add support for this in the future


It appears that some people are able to use this by changing the NAT Traversal to force-rfc, but this is not working for others (me included). I started from a working .pcf file.
Is it possible that the type of firewall you are trying to connect to is an issue here? We have a basic Cisco PIX 501 on the other end. Are the people who have successfully connected using something more elaborate?

I'm just trying to troubleshoot what may be the difference.
thanks,
Joel


I honestly do not have that information. I'm the "pioneer" here trying to get the Cisco VPN Client to work in a 64bit environment (unsuccessfully atm). It "may" have something to do with the secondary authentication. It's a grid of columns and rows (kind of like a battleship board). After a successful authentication, a prompt is displayed by the Cisco client that gives you a few row-column combinations. You are to enter the letter or number in each cell to finish the authentication process. However, that never happens and I'm wondering if it's because of the above comment from Shrewsoft. As I said, at one point in time I was actually able to VPN using Linux and vpnc, but I've since had to make my main machine Windows simply because of the company's software requirements.


Here's the site I originally used to connect to the company via Linux and VPNC.

http://www.longren.org/2007/05/17/how-to-cisco-vpn-client-on-ubuntu-704-feisty-fawn/


Sorry, it was not VPNC. It was a modified version of the real Cisco client for a Linux machine.


I installed 2.1.5-rc-4 last night and it came right up! With the exception of not being able to get outside internet (internal works fine), all of my applications worked better than expected including Remote Desktop. Will be checking local firewall settings to see if that helps internet connections. Thanks for all of the inputs


Man this seems to be a real mix some people seem to be able to get into Cisco VPN's fine with shrew others like me not so much.

I tried both the rc4 and rc3 things. At one point I was able to get a connection to come up briefly with rc4 but not for long. Tried the NAT change to force and that did not help either.

I am wondering like other posters if this works on "some of" the Cisco gear but not on other stuff?

For now using an Virtual Machine under XP mode ... useable enough but kind of clunky.

The NCP version worked really well for me but pricey.

Some hints that eventually Cisco eventually will be forced ( oops ... step up to the bar ) with 64 bit VPN improvements and support but maybe not real soon.

Thanks Hippo for the legwork and doc! Wish I was one of the ones that it did work for.

There doesn't seem to be much lately in new stuff out from shrew ... maybe that will change also.


I tried nat-traversal as enable & force-rfc. Both didn't work. Please help in solving this problem. Here is what the log looks like:

config loaded for site 'xxxxxxxxxxxx.pcf'
configuring client settings ...

attached to key daemon ...
peer configured

iskamp proposal configured

esp proposal configured

client configured

local id configured

pre-shared key configured

bringing up tunnel ...

network device configured

tunnel enabled

session terminated by gateway
tunnel disabled

detached from key daemon ...


Thank you

Worked after 3 tries 2 of which were BSOD. I did a system restore and installed version 2.1.5-rc-4 and cisco vcf file.
Thanks


I've downloaded 2.1.5rc4 on win7 64bit professional and imported the PCF file from cisco vpn. It worked at once.
Thanks a lot!!!


Has anyone been able to retain internet connectivity on the local machine once connected to the VPN? Shrewsoft worked right out of the box to connect to my VPN (I was so happy I donated to them immediately) but it is a little frustrating to lose internet connectivity once connected. Cisco's VPN on my 32 bit machine does not do this. Any tips out there? I tried posting to their mailing list but got no response.


Well, I get disconnected sometimes when I use wireless networks to connect to my VPN, due to weak signal, but otherwise it works fine. Try disabling Dead Peer Detection in client tab.


Thanks for the help. I had tried other clients but they either didn't work or they were too expensive. Following your steps got me connected in a couple of minutes using RC4.


Worked for me. RC4, Win7 Pro 64 bit virtual guest behind a dd-wrt flashed router connecting to a cisco 2621xm. I did not change any settings in the client, just imported the pcf file.


Hi, I'm using 64bit XP.
I also have VMware workstation installed to run some unix environments.

I installed vpn-client-2.1.5-rc-4, but no virtual network adapters got created.

got the following messages:

config loaded for site 'xxxx.pcf'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
network unavailable
tunnel disabled
detached from key daemon ...


it is saying "network unavailable", does it have anything to do with my VMWare workstation

Please help


vpn-client-2.1.5-rc-4.exe works perfectly on my Win7 x64. Stable build crashed my system and I had to remove/disable Shrew components through safe mode.
But this RC4 build works fine!


Anyone know how to get Shrew client to change the "Application version"?

This can be the cause of some disconnects (I know it is mine), since the VPN server is configured to use a firewall with Windows clients. If I could add something like "Application version Cisco Systems VPN Client 4.8.00 (0490) Linux" like you can do for vpnc, this would probably solve all of my Shrew issues.


I have 2.1.5-rc-4 installed on my laptop and I'm able to VPN into work without a problem. What seems to be happening now is that my wireless connection can't connect to the internet unless the network cable is connected. If I uninstall ShrewSoft my wireless connection works fine.

Is anyone else having this problem or have any idea what might be causing it? Thanks...


Between the 2 clients on a Win XP SP2 (x86) machine, both clients connect,
Cisco client passes traffic. The routing and ipconfig info is different between the 2.

Connected by Shrew Soft VPN Client 2.1.5_rc5
Ping of IP address on remote end fails.
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0xa0003 ...00 0c 29 85 29 b1 ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
0xf0002 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.24.201.80 172.24.201.80 1
0.0.0.0 0.0.0.0 192.168.96.2 192.168.96.129 110
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.24.201.0 255.255.255.0 172.24.201.80 172.24.201.80 30
172.24.201.80 255.255.255.255 127.0.0.1 127.0.0.1 30
172.24.255.255 255.255.255.255 172.24.201.80 172.24.201.80 30
192.168.96.0 255.255.255.0 192.168.96.129 192.168.96.129 10
192.168.96.129 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.96.255 255.255.255.255 192.168.96.129 192.168.96.129 10
204.115.209.5 255.255.255.255 192.168.96.2 192.168.96.129 1
224.0.0.0 240.0.0.0 172.24.201.80 172.24.201.80 30
224.0.0.0 240.0.0.0 192.168.96.129 192.168.96.129 10
255.255.255.255 255.255.255.255 172.24.201.80 172.24.201.80 1
255.255.255.255 255.255.255.255 192.168.96.129 192.168.96.129 1
Default Gateway: 172.24.201.80
===========================================================================
Persistent Routes:
None

ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.96.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.96.2

Ethernet adapter {AEAE96A6-7DFC-400A-AEF4-0DCE71F6FF36}:

Connection-specific DNS Suffix . : mypcorp.net
IP Address. . . . . . . . . . . . : 172.24.201.80
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.24.201.80


The other half of my post from above.

Connection via Cisco VPN client works perfectly
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0xa0003 ...00 0c 29 85 29 b1 ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
0x100002 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.24.201.1 172.24.201.80 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.24.201.0 255.255.255.0 172.24.201.80 172.24.201.80 10
172.24.201.80 255.255.255.255 127.0.0.1 127.0.0.1 10
172.24.255.255 255.255.255.255 172.24.201.80 172.24.201.80 10
192.168.96.0 255.255.255.0 192.168.96.129 192.168.96.129 10
192.168.96.0 255.255.255.0 172.24.201.1 172.24.201.80 10
192.168.96.129 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.96.254 255.255.255.255 192.168.96.129 192.168.96.129 1
192.168.96.255 255.255.255.255 192.168.96.129 192.168.96.129 10
204.115.209.5 255.255.255.255 192.168.96.2 192.168.96.129 1
224.0.0.0 240.0.0.0 172.24.201.80 172.24.201.80 10
224.0.0.0 240.0.0.0 192.168.96.129 192.168.96.129 10
255.255.255.255 255.255.255.255 172.24.201.80 172.24.201.80 1
255.255.255.255 255.255.255.255 192.168.96.129 192.168.96.129 1
Default Gateway: 172.24.201.1
===========================================================================
Persistent Routes:
None

ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.96.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . : mycorp.net
IP Address. . . . . . . . . . . . : 172.24.201.80
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.24.201.1
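The two route tables pasted above (Shrew Soft versus Cisco client on the same XP machine), and the Windows 7 "On-link" style table posted earlier in this thread, all answer the same question: which route will Windows actually use for a given destination once the tunnel is up? The following is an added example, not code from the blog post or from Shrew Soft. It parses the "Active Routes" block of `route print` and applies the usual selection rule (most specific prefix, then lowest metric). The two embedded tables are abbreviated copies of the commenter's own Shrew and Cisco tables; the destination addresses passed to compare() are constructed for the example, and the guess that 204.115.209.5 is the VPN gateway itself is an assumption.

```python
"""Which route carries a packet? Longest-prefix lookup over `route print`.

Added example, not code from the blog post or from Shrew Soft. It parses
the "Active Routes" table that `route print` prints (XP's gateway form
and Vista/7's "On-link" form alike) and applies Windows' selection rule:
most specific prefix first, lowest metric on a tie. The two tables below
are abbreviated copies of the Shrew Soft and Cisco client tables pasted
in the comment above; the lookups in compare() use constructed addresses.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str      # next hop, or the literal "On-link" on Vista/7
    interface: str    # address of the local adapter the route uses
    metric: int


# Abbreviated from the "Connected by Shrew Soft VPN Client" table above.
SHREW_ROUTES_XP = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.24.201.80 172.24.201.80 1
0.0.0.0 0.0.0.0 192.168.96.2 192.168.96.129 110
172.24.201.0 255.255.255.0 172.24.201.80 172.24.201.80 30
192.168.96.0 255.255.255.0 192.168.96.129 192.168.96.129 10
204.115.209.5 255.255.255.255 192.168.96.2 192.168.96.129 1
Default Gateway: 172.24.201.80
"""

# Abbreviated from the "Connection via Cisco VPN client" table above.
CISCO_ROUTES_XP = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.24.201.1 172.24.201.80 1
172.24.201.0 255.255.255.0 172.24.201.80 172.24.201.80 10
192.168.96.0 255.255.255.0 192.168.96.129 192.168.96.129 10
192.168.96.0 255.255.255.0 172.24.201.1 172.24.201.80 10
204.115.209.5 255.255.255.255 192.168.96.2 192.168.96.129 1
Default Gateway: 172.24.201.1
"""


def parse_route_print(text: str) -> List[Route]:
    """Keep the five-column route rows; headers, separators and footers are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(iface)
            if gateway != "On-link":          # Vista/7 print this instead of a next hop
                ipaddress.IPv4Address(gateway)
            routes.append(Route(network, gateway, iface, int(metric)))
        except ValueError:
            continue                          # not a route row
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def compare(destination: str) -> dict:
    """(network, gateway, interface) chosen for `destination` under each client's table."""
    out = {}
    for name, table in (("shrew", SHREW_ROUTES_XP), ("cisco", CISCO_ROUTES_XP)):
        r = lookup(parse_route_print(table), destination)
        out[name] = None if r is None else (str(r.network), r.gateway, r.interface)
    return out


if __name__ == "__main__":
    for dest in ("172.24.201.50", "10.20.30.40", "204.115.209.5"):
        print(dest, compare(dest))
```

For a host on the remote LAN (172.24.201.0/24) both tables pick the VPN adapter, so plain routing is not where the two clients differ for that traffic. The difference shows up on the default route: under Shrew the next hop is the virtual adapter's own address 172.24.201.80, under the Cisco client it is 172.24.201.1 on the remote LAN. Both clients also install a /32 toward 204.115.209.5 via the physical gateway 192.168.96.2; if that is the VPN gateway (an assumption here), that host route is what keeps the tunnel's own ESP/IKE packets out of the tunnel, and it is the first row to check whenever a "tunnel up, no traffic" table is posted.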


OK. I've got things working. I upgraded to the 2.2.0-alpha-9 release and now things connect nicely and traffic passes as well.


I also had the negotiation timeout error. Both with Shrew 2.1.5 stable and 2.20 Alpha against a Citrix gateway.

However NCP Secure Entry Client works for me on Win 2008 64-bit, even though it is not supported on Windows 2008. I disabled the following two services in order to make NCP work: IKE and AuthIP IPsec Keying Modules [servicename: IKEEXT], IPsec Policy Agent [servicename: PolicyAgent]).

/Jan


I've had a partial success getting the Shrew 2.1.5 VPN client and VMware to work together.
What doesn't work for me is DNS from the VMs. Shrew seems either to be filtering or incorrectly forwarding DNS requests from the VM adapters.
I've isolated this to the 'Shrew Soft Lightweight Filter' which, if disabled, restores the VMs' DNS. Unfortunately, it also stops the establishment of VPNs :-(
I suspect that this may require a change to the above filter code to properly interoperate with the VM adapters, but maybe I've missed a setup change.
This has been found on Win7 Professional with 2.1.5 of the Shrew VPN client.
Any further suggestions welcome.
Regards,
Ian


This worked for me on Windows 7 x64. Thanks for the very detailed explanation!


Regarding VMware DNS interaction:
Disabling the 'ShrewSoft DNS Proxy Daemon' service restores DNS access for the VMs. This only disables the split DNS capability, which I can live with for the time being.
\Ian


Hi Everyone,

I have installed NCP Secure Client 9.20 on my Windows 7 64-bit and it's working fine (the 30-day trial is annoying me). I installed the various versions of Shrew Soft VPN; all the Shrew VPN versions connect successfully but I am unable to ping any LAN servers. Do I need to uninstall NCP before installing Shrew VPN? Please advise.

Regards
Punith


I am trying to install SS on Win 7 Ultimate 64-bit and I get 2 errors while installing the drivers:
1: Error 0x1: Couldn't get an interface pointer to vflt. Possible cause: Inforrect function.
I click OK and get the second error
2: could not install the network component.

I got this with 2.1.4, then 2.1.6, and finally 2.2.0 (alpha). I tried running the installer as Administrator still no juice.

Any ideas?

Also how does one completely remove all SS bits (drivers in system folder) in addition to the uninstall app?

Thanks in advance,

Syd.


Syd, it sounds like something is wrong either with your Windows, or some program is interfering with Shrew VPN.
To remove it, try System Restore (it will also remove all programs you installed since your chosen restore point).
Try opening the Run command and entering: sfc /scannow
Although from googling, vflt seems to be some language system or something, so it may well be that Shrew VPN was incorrectly installed. Try uninstalling it, then go to Control Panel and check your language and regional settings. Set them to English.
Good Luck


I have pcf files from my previous Cisco client, but when I try to import them it gives error:
An error occured while importing site definition.
:(


Maybe your pcf file is corrupted? Try this: right click the file => open with => select Notepad (or go to browse C:\Windows\System32\Notepad.exe ) => and see what it shows inside. If it's readable text like:

"enable transparent tunelling"
"Allow IPSec over UDP (NAT/PAT)"
"ForceKeepAlives"
"EnableNAT"
"TunnelingMode"
IKE Authmode psk
TcpTunnelingPort=10000/4500

Then it's ok, but if it's unreadable or empty then it must be corrupted.
If it is readable, try to manually configure Shrew VPN (but you must know your Username and password and Group ID and Group password, if you don't know that , it is possible to decode them from Cisco pcf file, but I don't know how to be honest).
Good luck
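The reply above suggests opening the .pcf file in Notepad to see whether it is readable. A .pcf profile is an INI-style text file with a [main] section, and the same check can be done mechanically, reporting exactly the values the tutorial's manual configuration asks for (gateway, group ID, whether a group secret is present) without touching the secret itself. The following is an added example, not code from the blog post or from Shrew Soft; the key names it looks for (Host, GroupName, GroupPwd, enc_GroupPwd, Username, EnableNat) are Cisco's profile keys, and both sample profiles are constructed for the example (the enc_GroupPwd value is a placeholder).

```python
"""Sanity-check a Cisco VPN Client .pcf profile before importing it.

Added example, not code from the blog post or from Shrew Soft. A .pcf
file is an INI-style text file with a [main] section; the key names used
here (Host, GroupName, GroupPwd, enc_GroupPwd, Username, EnableNat) are
Cisco's. The sample profiles below are constructed for this example.
"""
import configparser

# Constructed sample of a readable profile. enc_GroupPwd is a placeholder,
# not a real (or decodable) secret.
SAMPLE_PCF = """[main]
Description=Example corporate VPN
Host=vpn.example.com
AuthType=1
GroupName=corp-vpn
enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF
Username=alice
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
ForceKeepAlives=0
"""

# Constructed sample of what an empty or binary-looking file yields.
SAMPLE_CORRUPT = "\x00\x00\x00PK\x03\x04 not an ini file"

# Where each pcf key lands in the tutorial's manual Shrew configuration.
SHREW_FIELD_FOR = {
    "Host": "General tab > Host Name or IP address",
    "GroupName": "Authentication > Local Identity > Key ID String",
    "GroupPwd": "Authentication > Credentials > Pre Shared Key",
    "enc_GroupPwd": "Authentication > Credentials > Pre Shared Key",
    "Username": "XAuth username (prompted on connect)",
}


def check_pcf(text: str) -> dict:
    """Return the values Shrew needs plus a list of problems found."""
    result = {"host": None, "key_id": None, "username": None,
              "has_secret": False, "secret_encrypted": None,
              "nat_traversal": None, "problems": []}
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                     # keep Cisco's mixed-case key names
    try:
        cp.read_string(text)
    except configparser.Error as exc:        # no section header, garbage lines, ...
        result["problems"].append(
            f"not an INI-style .pcf file: {exc.__class__.__name__}")
        return result
    if not cp.has_section("main"):
        result["problems"].append("missing [main] section")
        return result
    main = cp["main"]
    result["host"] = main.get("Host") or None
    result["key_id"] = main.get("GroupName") or None
    result["username"] = main.get("Username") or None
    # Report only whether a group secret exists and how it is stored; the
    # value itself is never returned.
    if main.get("enc_GroupPwd"):
        result["has_secret"], result["secret_encrypted"] = True, True
    elif main.get("GroupPwd"):
        result["has_secret"], result["secret_encrypted"] = True, False
    result["nat_traversal"] = main.get("EnableNat") == "1"
    for key in ("Host", "GroupName"):
        if not main.get(key):
            result["problems"].append(f"missing {key} ({SHREW_FIELD_FOR[key]})")
    if not result["has_secret"]:
        result["problems"].append(
            "missing GroupPwd/enc_GroupPwd (" + SHREW_FIELD_FOR["GroupPwd"] + ")")
    return result


if __name__ == "__main__":
    for label, sample in (("readable", SAMPLE_PCF), ("corrupt", SAMPLE_CORRUPT)):
        print(label, check_pcf(sample))
```

A profile that parses but reports problems is one to configure by hand following steps 1 to 5 of the tutorial; one that does not parse at all is the "corrupted" case the reply describes. A profile with a plain GroupPwd rather than enc_GroupPwd stores the group secret in clear text, which is worth knowing before the file is copied around.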


Hello,
After trying a number of different versions of the Cisco VPN Client and having too many BSOD’s that crashed my PC, I am now trying the Shrew VPN Software. I’m using version 2.1.5. I’m running Windows Vista SP2. I installed the software successfully and was able to import my Cisco PCF file. I can connect to my client’s network initially. The problem I’m having is that I can’t keep the connection. Usually within a minute, I lose the connection. I’ve played around with almost all combinations of the options on the “Client” tab. I’m close but… I switched from my wireless connection to a wired connection on my home network to eliminate any issues with the wireless connection. Can anyone suggest any changes that may work?


Vincent, I'm not 100% sure to be honest, might be Shrew VPN bug, but try unticking "Dead Peer Detection" in client tab.
http://3.bp.blogspot.com/_Fy8G3Iv2XAo/Sqj0TFCg5jI/AAAAAAAAAIo/vBf9aGB9h_s/s1600-h/shrew3.jpg


meeboguest455824 (who left a message about running the VPN before logging in to Windows): I don't really know if you can do it. You can probably write a script that will run when you log in to Windows, execute Shrew VPN / connect Shrew VPN, and remap your network drives and stuff. But for that Shrew must have a command line interface, and I don't know if it has that. You may need to contact Shrew Soft directly and ask if they have that feature. http://www.shrew.net/contact


I am getting the "Error 0x8004a029: Couldn't install the network component." error message during installation, I am using the 2.1.5 release!

to be specific, above error occurs at "Execute: C:\Program Files\ShrewSoft\VPN Client\netcfg.exe -add service vflt C:\Program Files\ShrewSoft\VPN Client\drivers\vfilter.inf" step and installation continues if I click OK!

when I try to connect to my vpn server it does not connect!

it does display the following messages!

config loaded for site 'VPN xxxxx.pcf'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
network unavailable
tunnel disabled
detached from key daemon ...

I am feeling some component is not installed or some service is disabled or stopped in my system, so the installer is not able to install network drivers!! Please help guys!

--


I, like a couple of others posting here, had great success in installing Shrew, importing the Cisco configuration (PCF) and getting it to connect to our Cisco VPN Concentrator. However, I lost internet connectivity on the local PC and didn't get it back even after disconnecting from the VPN. I finally had to uninstall Shrew and reboot my home PC to get it back.

Since all of our new laptops are coming with Windows 7, I need to be able to set them up with a VPN client that works with both the OS and our VPN Concentrator. Being a member of a small IT team working for a small company, I don't have the time to spend hours troubleshooting this issue, so if someone else that has experienced this problem has a solution, I'd greatly appreciate you sharing. Thanks!


Has anyone had luck getting Shrew to work with a Cisco ASA?

I have the latest version of Shrew (2.1.5) installed on my Win7 64bit system. I have imported a pcf file that works on my WinXP laptop.

When I try to connect it hangs on "bringing up tunnel". After a few minutes it will inform me of a timeout and disconnect.


On Win7 x64 under 2.1.5 release, Shrew has connected to the majority of my PCF files I was utilizing.

However, connections to Cisco's VPN (the company itself, which I assume uses their own top-of-the-line VPN gateway products) was failing after initial successful connection. I was immediately getting "session terminated by gateway" as detailed here. The timing pointed to a Phase2 issue but switching the Phase2 PFS setting did nothing.

Upgraded to the 2.1.6-beta-3 release, and switched off Client | Enable Dead Peer Detection, and it is now connecting fine.


Anonymous post on 11 January 2010 19:50 was true for me too.

Connections to Cisco's VPN were failing after an initial successful connection. I was immediately getting "session terminated by gateway" as detailed here. Upgraded to the 2.1.6-beta-3 release, and switched off Client | Enable Dead Peer Detection, and it is now connecting fine.

I am not sure if the "Enable Dead Peer Detection" step is required but the upgrade to 2.1.6 made the difference.

Thanks for the software, I will donate!


I have windows 7 home 64 bit.
I have imported .pcf file from cisco vpn.

But when I try to connect I get the following log:
config loaded for site 'Japan.pcf'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
config error : auth-server-cert undefined
detached from key daemon ...

I think this is some certificate issue.
Can anyone please help me?


First of all thanks for your post

I have Win7 Pro 64bit on my laptop and trying to connect to our company e-mail by home through VPN.

First I installed Shrew 2.1.5 and I had a problem with the connection (timeout) and uninstalled it and installed NCP.
No Connection again, had a problem on Phase 2... see log below.

18-Jan-10 8:33:42 PMIPSec: Start building connection
18-Jan-10 8:33:42 PMIke: Outgoing connect request AGGRESSIVE mode - gateway=213.42.193.66 : XXXXXXXX.net
18-Jan-10 8:33:42 PMIke: XMIT_MSG1_AGGRESSIVE - XXXXXXXX.net
18-Jan-10 8:33:42 PMIke: RECV_MSG2_AGGRESSIVE - XXXXXXXX.net
18-Jan-10 8:33:42 PMIke: IKE phase I: Setting LifeTime to 28800 seconds
18-Jan-10 8:33:42 PMIke: Turning on XAUTH mode - XXXXXXXX.net
18-Jan-10 8:33:42 PMIke: IkeSa negotiated with the following properties -
18-Jan-10 8:33:42 PMIPSec: Final Tunnel EndPoint is:213.042.193.066
18-Jan-10 8:33:42 PM Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0
18-Jan-10 8:33:42 PMIke: XXXXXXXX ->Support for NAT-T version - 9
18-Jan-10 8:33:42 PMIke: Turning on NATD mode - XXXXXXXX.net - 1
18-Jan-10 8:33:42 PMIke: XMIT_MSG3_AGGRESSIVE - XXXXXXXX.net
18-Jan-10 8:33:42 PMIke: IkeSa negotiated with the following properties -
18-Jan-10 8:33:42 PM Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0
18-Jan-10 8:33:42 PMIke: Turning on DPD mode - XXXXXXXX.net
18-Jan-10 8:33:42 PMIke: phase1:name(XXXXXXXX.net) - connected
18-Jan-10 8:33:42 PMSUCCESS: IKE phase 1 ready
18-Jan-10 8:33:42 PMIPSec: Phase1 is Ready - IkeIndex=30,AltRekey=0
18-Jan-10 8:33:42 PMIke: NOTIFY : XXXXXXXX.net : RECEIVED : NOTIFY_MSG_S_RESPONDER_LIFETIME : 24576
18-Jan-10 8:33:42 PMIkeXauth: RECV_XAUTH_REQUEST
18-Jan-10 8:33:42 PMIkeXauth: XMIT_XAUTH_REPLY
18-Jan-10 8:33:43 PMIkeXauth: RECV_XAUTH_SET
18-Jan-10 8:33:43 PMIkeXauth: XMIT_XAUTH_ACK
18-Jan-10 8:33:43 PMIkeCfg: name - IkeXauth: enter state open
18-Jan-10 8:33:43 PMSUCCESS: Ike Extended Authentication is ready
18-Jan-10 8:33:44 PMIkeCfg: XMIT_IKECFG_REQUEST - XXXXXXXX.net
18-Jan-10 8:33:45 PMIkeCfg: RECV_IKECFG_REPLY - XXXXXXXX.net
18-Jan-10 8:33:45 PMIkeCfg: name - enter state open
18-Jan-10 8:33:45 PMSUCCESS: IkeCfg ready
18-Jan-10 8:33:45 PMIPSec: Quick Mode is Ready: IkeIndex = 0000001e , VpnSrcPort = 4500
18-Jan-10 8:33:45 PMIPSec: Assigned IP Address: 192.168.221.24
18-Jan-10 8:33:45 PMIPSec: DNS Server: 192.168.208.212
18-Jan-10 8:33:45 PMIPSec: WINS Server: 192.168.208.212
18-Jan-10 8:33:45 PMIPSec: Domain is: XXXXXXXX.net
18-Jan-10 8:33:45 PMIPSec: IkeCfg Tunnel Network=192.168.208.0,Tunnel Mask=255.255.255.0,Tunnel Proto=0,Tunnel SrcPort=0,Tunnel DstPort=0
18-Jan-10 8:33:45 PMIPSec: IkeCfg Tunnel Network=192.168.10.0,Tunnel Mask=255.255.255.0,Tunnel Proto=0,Tunnel SrcPort=0,Tunnel DstPort=0
18-Jan-10 8:33:45 PMIkeQuick: XMIT_MSG1_QUICK - XXXXXXXX.net
18-Jan-10 8:33:45 PMIke: NOTIFY : XXXXXXXX.net : RECEIVED : NO_PROPOSAL_CHOSEN : 14
18-Jan-10 8:33:45 PMIkeQuick: phase2:name(XXXXXXXX.net) - error - received notify error message.
18-Jan-10 8:33:45 PMERROR - 4037: IKE(phase2):Waiting for message2, rec

Reading several articles on the web I reached here and uninstalled NCP to try Shrew again.
V.2.2.9 was messing up my network driver and losing the connection.
V.2.1.5 installed again and finally I connected by changing the NAT-T to force-rfc.
But no party!!! :-(

Even though the connection and IPs seem to be OK no ping to the e-mail server and no traffic.

Any ideas? I read somewhere that this might be a problem with the ISP, but I took my laptop to a friend's house with a different ISP and no luck again.

Any ideas?
ST


Hi, regarding the last post, a quick google search for "NO_PROPOSAL_CHOSEN" resulted in this:


It means that the phase 2 settings do not match properly between the two
routers. So your subnet definitions may be wrong. Perhaps you put the
local address in the remote address field or something like that.

Things you normally see as part of phase 2 settings:
encapsulation type, ESP encryption transform, ESP authentication
transform, perfect forward secrecy, local and remote ip settings. Don't
worry about key lifetime settings for now, they will not cause a phase 2
failure yet.

source: http://www.tomshardware.com/forum/17710-42-no_proposal_chosen

So basically it says to check your phase 2 settings, but I'm not sure what exactly went wrong.


Oh, and also, turn off Dead Peer Detection (DPD), as a lot of people said it terminates the connection sometimes, and Force-rfc on Shrew / UDP Encapsulation on NCP, as NCP-e VPN support suggested it is not needed in 99% of cases.


If you're using Windows 7 64 bit, and having problems getting/staying connected with the VPN client and getting the "session terminated by gateway" error, *and* you have tried changing the phase 2 options with no success....

If you have a 3rd party firewall product try *uninstalling* your 3rd party firewall. (Do not merely disable your firewall, but uninstall it (and use the Windows firewall)). I found Kaspersky Internet Security's firewall was preventing the VPN client from working. No firewall settings, or even disabling the firewall had any effect. I needed to uninstall it to make things work.

Hope this helps someone. :)

- Brent


Well, Brent, I wouldn't recommend completely uninstalling your firewalls.
Disable Windows firewall and try this: go to your internet connection adapter by clicking:

Control Panel > Network Sharing Centre > Change adapter settings > right click on your internet adapter (e.g. Wireless Network Connection or Local Area Connection) > Properties > Networking tab > and untick your firewall component (e.g. I have COMODO Internet Security Firewall Driver or something like that).

And I find Comodo firewall the best firewall (but don't install Comodo antivirus or anything else).


P.S. Windows firewall is shite o.O
It never tells me when a program wants to connect to the internet, and it always blocks ports that I don't want it to block.


I, like many of you, have been having a problem with SS v2.1.5 where I am able to connect but not able to connect to the internet, or in my case, also not able to use Outlook and connect to my Exchange server. I was able to do everything else I needed to do like use RDP and connect to file shares.

After installing SS, I imported my Cisco VPN Client .pcf file expecting everything to work only to find my previously mentioned issues. I then tried the NCP Secure Entry Client and imported my .pcf and had none of the issues mentioned.

This led me to believe that it must be a SS configuration problem and not a .pcf or, in my case, a Cisco ASA issue.

What I ended up doing to fix my issues with SS is to go into the Name Resolution tab and uncheck the Enable Split DNS box.

I did not have to change the NAT Traversal or Enable Dead Peer Detection options.

I hope this helps the people with the same issues I was having.


First, a couple of things I do know about connecting to e.g. PIX515!
1) It is normal behaviour to lose local access to networks/printers/internet while the VPN is up - you need to set up "split tunnelling" on the PIX.
2) You should remove all previous VPN client software before installing Shrew (it does mention this on their website). I got BSODs on Win7 pro 64bit due to leaving AnyConnect on.

Now where I am stuck!
Shrew connects fine, but no ping to PIX inside, from both 32 and 64 bit.
Both show "tunnel enabled", PIX ASDM syslog shows ...PHASE-2 COMPLETED etc (exactly the same as a Cisco client).
Wireshark is showing "who has 192.168.12.2?" - it looks as if there is no gateway set up in the Shrew client - any ideas please?


I'm getting the immediate (20s) disconnection too.

config loaded for site 'IBM_VPN.pcf'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
session terminated by gateway
tunnel disabled
detached from key daemon ...

Both with 2.1.5 & 2.1.6 beta3

Capturing a trace (note trace options app needed to be run as administrator) showed the problem is due to

NO_PROPOSAL_CHOSEN

Not sure which options to change, but cisco anyconnect works ok from another system


FIXED. In the .pcf file I found a line

"DHGroup=2"

I looked in the cisco docs, and decided to try changing Phase 2->PFS exchange to "group 2"

THIS WORKED. Am now connected to cisco vpn just fine

Yay! Hope this helps someone.


I'll have to retract my statement of success.

Now had 3 BSODs whilst using the VPN client (2.1.6 beta 3). Going to try backing off to stable 2.1.5


With thanks to Brent for the pointer, you can put KIS back in now!

Today's proceedings, very much simplified,
Bare metal installation of Win7 (64bit)
Add Updates
Add Shrew 2.1.6(3) - ping works
Add Kaspersky IS 2010 -ping works
Add to Domain (in case it was GPOs) - ping works

Bare metal installation of Win7 (32bit)
Updates
Kaspersky IS 2010
Add to Domain
Shrew 2.1.5 - ping fails
Update to 2.1.6(3) -ping fails
Disable KIS - ping fails
Remove KIS - ping works
Re-install KIS - ping works

Bare metal installation of Win7 (32bit)
Updates
KIS 2010
Shrew 2.1.6(3) - ping fails
REPAIR KIS - ping works

Run repair of KIS on several other 32 and 64 bit Win7 machines - all now work.

I can see no difference in the firewall settings for KIS between working and non-working systems. When KIS is installed before Shrew, disabling KIS completely still does not work.
I have never seen any problems with the Cisco VPN on any 32 bit system, XP, Vista or Win7 with any Security Software - so I was not considering this sort of outcome!

Policy has 192.168.1.0/255.255.255.0 which allows both access through PIX and external.
0.0.0.0/0.0.0.0 cuts off external as it routes everything into the tunnel. Otherwise the only changes to default are for Host and Authentication.

I hope that these six days have been useful to others here! They have not made me any money, but will make my customers a lot happier - they will be advised to donate!
Best regards to all, Dave


YES!

after importing the pcf profile

Phase 2->PFS exchange to "group 2"

sets up a working configuration with our Cisco ASA.

THANX A LOT Nigel Jones.


Reply to Ritesh K's install problem:

I had the same issue as you. I removed Sun VirtualBox and Windows XP emulation mode and was then able to install the software package without errors. Not sure what you have loaded before, but you may have a driver from some other app trying to access the same settings? Try uninstalling apps that are network accessible?


Great blog post, lots of useful info.
I am using 2.1.6-beta-4. I am using Windows 7.0 64bit.

I am getting the message in the logs "unable to locate inbound policy for init phase2" and soon after this it disconnects.

Have tried the following individually and together without success

disable "dead peer detection"
Nat Traversal to enable/force-draft/force-rfc.
Phase2 PFS Exchange - group 2.

However I did discover that if I immediately use the VPN tunnel I still get the error in the log but it doesn't disconnect. So I set up a continuous ping to a target on the other end of the tunnel, then connect. It connects fine, the ping gets through, then phase 2 completes. If I then stop the ping and leave the tunnel idle it stays up and is stable.

Hope this helps someone else :).
Or maybe someone might suggest a configuration change that would mean I do not need the traffic to pass phase 2.


Works like a charm, thank you so much!


config loaded for site 'xxxxxx.pcf'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon ...

This is the log file after I have tried to connect to the computer at work. Any ideas?

As you can see I have loaded a pcf file with the correct preferences - or at least they are supposed to be correct.

I have tried some of the things that are described in this forum (for example Phase2 PFS Exchange - group 2), but I get the same messages.


Looks like CISCO is about to offer official support. Found this in a different place.
**********************

Due to popular demand, the Cisco VPN Client v5.0.7 open beta is now available!
In addition to serving as a general maintenance release, the Cisco VPN Client 5.0.7 beta is compatible with Windows 7 & Windows Vista 64-bit environments.
A 64-bit specific compatible image is available for installation on these platforms.

Please communicate feedback (both positive and problems) to cvc-beta@cisco.com.

Key Capabilities available for Beta Testing:
New Platform support – Windows 7 & Windows Vista 64-bit platform compatibility
Software Access: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281940730 (under 5.BETA)
Software is available for download by any customer with a Cisco.com SMARTnet™ enabled login.
Release Notes will be available next week via a link once the download image is selected.

There are currently no plans to support Windows XP 64 bit in the VPN client.


I'm kicked out of the session every hour even though I have set the phase 2 parameter Key life time limit to 28000 seconds.

I'm using Shrew Soft 2.1.4 on a PC with Windows XP SP3

Thanks for your help


THANK YOU!
I spent hours trying to figure out why all of a sudden my Shrew VPN connection did not work on Win 64bit after I did not use it for a few months. The force option you described made it work again, you saved my day!


Thanks man! I finally got 2 out of 3 of my VPNs working on my Vista 64bit system with Shrew and your explanation.
The third is a problem, because it uses Certificate Authentication with a USB token with a password. Does anyone know how I should configure this in Shrew?
In the Cisco VPN client I get a combobox where I can select a certificate, but in Shrew I see no such thing....?


I had issues with VPN connections on a wireless network with WIN7 64 bit. VPN used to work on wireless, but not anymore.

Here is the solution:

go to control panel/network and internet/network connections/

Disable "Microsoft Virtual WiFi Miniport Adapter" in the list, and you will be able to connect VPN via wireless. I think this was automatically installed by the Microsoft update process recently, when my VPN via wireless stopped working.


If you can connect to your host but cannot send any traffic, try the 2.2 Alpha 9 Version, it worked fine for me and many others.


I installed the latest stable (2.1.5), imported my pcf file and it wouldn't work. Upgraded to the latest beta (2.1.6 beta 7) and it worked straight away


If I could only install it...

"Error 0x8004a029: Couldn't install the network component."

Cannot even install it by hand later, as another error shows - Cannot find file specified:

netcfg.exe -add service vflt "C:\Program Files\ShrewSoft\VPN Client\drivers\vfilter.inf"

Anybody has any idea?

sebus


From google:

the error is 0x8004a029, which basically indicates that the maximum number of network filter drivers has been reached.
Could you uninstall any other network filter driver that you think is not necessary and try reinstalling again?


" Anonymous said...
I had issues with VPN connections on a wireless network with WIN7 64 bit. VPN used to work on wireless, but not anymore.

Here is the solution:

go to control panel/network and internet/network connections/

Disable "Microsoft Virtual WiFi Miniport Adapter" in the list, and you will be able to connect VPN via wireless. I think this was automatically installed by the Microsoft update process recently, when my VPN via wireless stopped working.

18 March 2010 07:08"

Thank you so much. Disabling
"Microsoft Virtual WiFi Miniport Adapter" really really worked for me.


The Cisco VPN release 5.0.7 that ( belatedly ) offers Win 7 64 bit support and Vista 64 bit support is now "out of beta" and is generally available.

It works very well.


@Nigel Jones:

Well, thanks for posting your comment. I had the same problem, read your post, and changed Phase 2 PFS exchange to group 2. It worked beautifully!

cheers


@Happy Hippo

http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/4deb27fc-33ce-4fc0-a26f-3fec5b57733d

I certainly do not have 8 filters installed


@ Happy Hippo

In fact you were RIGHT
It seems that this branch:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}

can NOT contain more than 14 keys

And I reached the limit
Deleting i.e. Virtual WiFi Filter Driver makes Shrew install just fine!

Thanks for the pointer

sebus


Thanks Nigel Jones!

Changing my perfect forward secrecy to group 2 did the trick! I was using an imported .pcf file and it would connect and pull an IP but the SAs wouldn't come up.


No matter what I do (follow the Shrew wiki) I can not connect to Fortigate 200B (do not get IP from DHCP)
Of course Shrew support does not exist, so that is it really

sebus


Thanks a lot for taking time and writing this article. Also many thanks to person who posted "If you can connect to your host but cannot send any traffic, try the 2.2 Alpha 9 Version, it worked fine for me and many others."

Finally after 2-3 hrs of hard work, I figured out this article and after working for almost 2 hrs could get this beast running. I think investing 5 hrs is worth it rather than spending $$ for the other commercial software.

Thanks,
PG


In response to Happy Hippo regarding disabling firewalls (Jan 19, 2010), I found that the only way for me to get rid of the "session terminated by gateway" issue was to disable my Windows 7 (64-bit) firewall (even if the check is on, Windows firewall issues no warning that it has blocked anything).
Once the firewall is disabled, the tunnel remains stable over my wireless Cisco broadband home router/gateway.
Setting phase-2 PFS=2 was also required but insufficient. I have now installed Shrew version 2.1.7 beta but I still have to disable the Windows firewall. Is there a work around to this? After reading many forums, I seem to be the only one in this situation...


For those who lose their access to the internet when connected to vpn:
Modify->Policy->Uncheck Obtain Topology....
Click "Add" and type in your remote subnet and netmask.

That did fix it for me.


I installed version 2.1.6 on Windows 7. I am able to establish a tunnel, but within less than 30 seconds it drops the tunnel with the error "detached from key daemon". During the 30 seconds that it is up, I can run ipconfig and see that I get an IP from the remote location. I have another system with Windows 7 at a different location using exactly the same settings (we imported the .pcf file from cisco vpn). He has no problem with his connection. Any suggestions? Thanks.


I installed 2.1.7 on Win7 x64. When trying to connect I was always getting "bringing up tunnel ... negotiation timeout occurred". Tried all suggestions from earlier posts with no success. I was forced to use XP mode to be able to use the SS client. It connected without any issues from the XP mode but the same settings fail in win7. After quite a few days of research, one of the things I retried was disabling Microsoft Virtual WiFi Miniport Adapter in network connections, with failure again. I found a clue monitoring network activity and found no activity when trying to connect. I returned to MS WiFi Miniport Adapter settings, properties and unchecked SS light weight filter but left MS WiFi Miniport Adapter enabled (status was not connected) and connected right away. Hope this helps.


After some time of trying some of the above solutions for the "negotiation timeout occurred" message I finally was able to connect after I restarted the 3 services which Shrew Soft uses. I started the trace utility and hit restart on all 3 first tabs. After that the connection was made without problems. I am using Shrew Soft 2.1.5 btw. Hope this helps some others with this problem.


Disabling the Microsoft Virtual WiFi Miniport Adapter worked for me.

This thread rules, thank you all.


I am very pleased to have come across this thread as I have not managed to get Cisco VPN Client to work on my Win7 64 bit. Trying Shrew did also cause some problems, as I got connected, but no traffic. Then I found a note about trying 2.2 Alpha 9, and now everything works perfect.


Amazing.. i just deleted the registry key Virtual WiFi Filter Driver and the installation just worked fine. And now I'm able to connect to the VPN ..


Hi,
I'm trying to connect via VPN to SAP using Shrew (I have windows 7 64 bit on a Sony Vaio notebook) and I got the connection ("tunnel enabled") but unfortunately I cannot reach SAP, as if I weren't connected to the VPN. I enabled the AVG firewall when it asked me about it.
I cannot understand why.
Thanks in advance and regards.

Mario


Looking for help.
I installed ver 2.1.7 on my Windows 7 64 bit laptop. Import of profiles works fine. Those VPN connections I had that prompted me for user and password work fine. The ones that did not, do not. It prompts me for credentials which I never had in the first place for these connections (I'm not talking about the required group authentication).
How do I get this new client to process the profile connection as before, not requiring credentials?
Thanks, Bill


For those of you having the "Tunnel disabled, key daemon exited" issue on Windows 7, this post helped me solve it: http://comments.gmane.org/gmane.network.vpn.shrew.user/1307

Just disable the mini wan port and it works like a charm.

Srini


Does anyone know how to enable "ipsec over udp (nat\pat)" for the shrew soft client?

When I was running XP, I was able to use the Cisco client, however I had to make a modification from "ipsec over tcp" to "ipsec over udp" in my work place.


Regarding the timeout issue on Win7 64-bit, go to Device Manager under Network adapters, then disable the following adapter: Microsoft Virtual WiFi Miniport adapter. I got the hint from this link: http://comments.gmane.org/gmane.network.vpn.shrew.user/322


Is it possible to start the VPN connection automatically with a Linksys Router and this configuration???
(http://www.shrew.net/support/wiki/HowtoLinksys)

Manual connecting is no problem.


Ok it's done.
I've found the error.
Thanks


@Anonymous

"Regarding the timeout issue on Win7 64-bit, go to Device Manager under Network adapters, then disable the following adapter: Microsoft Virtual WiFi Miniport adapter. I got the hint from this link: http://comments.gmane.org/gmane.network.vpn.shrew.user/322"

Thanks! I was chasing the networks and realized after reading your post I was using wireless when having this issue. You Rock!


Nice tutorial and thanks to dpowell for posting that solution for Windows 7 on Wifi. that was quite the head scratcher


FANTASTIC! Thanks for the batch file tip, worked great for me! No more entering my password!


Hello All
i have problem:
In Windows7 logon screen show
Windows Security
Failed to load VPN Site Configuration
any idea ?



The error is 0x8004a029, which basically indicates that the maximum number of network filter drivers has been reached.
Could you uninstall any other network filter driver that you think is not necessary and try reinstalling again?


This fixed my problem of being unable to install the network component. I uninstalled some unnecessary network filters, e.g. the AVG filter.

Thanks
paddy.


Hello.

Does anyone know if Shrew supports MULTIPLE connections to VPN gateways ???
I have Windows Server 2008 R2 x64 and I plan to use version 2.2.0 beta 1 (latest).

Any help is greatly appreciated

Thanks
--hyperspaced


Hello Happy Hippo,

Thank you very much for such a nice tutorial.

It helped me.

Thanks
Hitendra


Thanks, Anonymous, for the tip to uncheck Enable dead peer detection. Solved my terminated by gateway problem. :)


Hey Happy Hippo,

I installed the latest version of Shrew on Win 7 64-bit and imported my PCF file from Cisco VPN client. I am able to connect to the VPN, and I can ping all of our workstations and servers, but am not able to remote desktop or SSH into any of them.

I noticed someone else seemed to have this problem, and they said they solved it because their gateway was set to 0.0.0.0.

Mine has that exact problem. When I go through Cisco VPN from an older XP machine, it sets the gateway to the VPN IP address of machine.

Any ideas on how people fixed this? I looked around for about 5 hours tonight so am going to take a break.

--------------------

* Check the “default gateway” value in the VPN Server LAN. A target on your remote LAN can receive pings but does not answer because there are no “Default gateway” settings.


Oh well, I gave up. We have a new Palo Alto VPN that uses a java client and it's much faster. So I went with that and Windows 8.

One thing weird though about Windows 8, and Palo Alto, when I tried to use the Remote Desktop app through the tile shortcut, I couldn't get connected, but when I went through the Windows desktop and clicked on the exe, it worked just fine.


Anonymous says:
1 October 2010 19:55

For those who lose their access to the internet when connected to vpn:
Modify->Policy->Uncheck Obtain Topology....
Click "Add" and type in your remote subnet and netmask.

That did fix it for me.

-- great tip to get vpn/internet working together

thanks


This client is so versatile that it was nice to have the info distilled for what I needed to do. Thanks for the post.


Happy Hippo,
Thanks for the technet link posted here
http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/4deb27fc-33ce-4fc0-a26f-3fec5b57733d

Changing the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\MaxNumFilters from 8 to 14 fixed the problem.

Before I got "Error 0x8004a029: Couldn't install the network component." error during installation.

I am using Shrew VPN Client 2.2.0 beta 2 on Windows 7 Home Premium x64.

Thanks a lot!


The version 2.1.5 is great. only leave the port set to 500 when you import your .pcf

Thank you.


I just made port 500 available from the network to the ipsec server and it's working now, thanks to the forum,

Vickdick


Hello there!

Summary
Using 2.2.0 Beta2 instead of 2.1.7 made it work far beyond connection, facing Cisco VPN server, even without showing default gateway.

Detail
I previously used a Windows 7 x86 with a Cisco VPN client 5.0.04.xxxx to enter my society's intranet.
On my new Windows 7 x64 I have no VPN client furnished by my society.
So I tried Shrew Software for I read good reviews about it.
I imported the current PCF, tried a connection, entered the user name and password and could connect in and retrieve an IP address, but I couldn't connect to targets either on RDP or on HTTP. In fact I couldn't even nslookup anything (the DNS was out of my subnet) or ping my targets (outside, too). My ipconfig showed no default gateway but a DNS and WINS server, while the default gateway showed -at the same time and same place- on my prehistoric Windows 7 x86.

I uninstalled Shrew 2.1.7 and installed 2.2.0 beta2, deleted the existing pcf to import it again, connected entering credentials, but still no dflt gw showing in ipconfig!
I tried anyway the RDP, the http, everything worked fine. Even a successful ping out of my subnet.
So I don't know why the gw didn't show, but it appears not to be the main point.

Thanks for above posts and thanks SS!

Oh! BTW, several colleagues with W7x64 didn't experience the same problem as me and work fine with 2.1.7. No time for further investigation.

Here comes my pcf:
[main]
Description=[My company's stamp]
Host=[My company's Cisco server public IP]
AuthType=1
GroupName=[SorryThisIsPrivateToo]
GroupPwd=
enc_GroupPwd=[92HexaCharactersInWhichYouAreNotInterestedAnywayEvenMyColleagueHaveADifferentOne]
EnableISPConnect=0
ISPConnectType=0
ISPConnect=[Stamp]
ISPPhonebook=c:\users\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
ISPCommand=
Username=[WhoCouldItBeNow]
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=150
EnableLocalLAN=0

Glucose


Thanks, you've helped me!


I had the Cisco IPSec connection working on my Mac extremely easily (built-in Network/VPN worked out of the box) so it was very frustrating to see that on Windows 7 it was difficult. Got Shrew VPN 2.1.7 working now. The easiest way for me was to create VPN.pcf with the following simple content:

Host=[My company's Cisco server public IP]
GroupName=[SorryThisIsPrivate]
GroupPwd=[SorryThisIsPrivateToo]

Then just "Shrew Soft VPN Access Manager": File / Import -> VPN.pcf. Then connecting worked fine! (Couldn't get it working without the .pcf import.)


Hi guys,

For the issue below
(i.e.
"Session terminated by gateway"):

bringing up tunnel ...
network device configured
tunnel enabled
session terminated by gateway
tunnel disabled
detached from key daemon ...


I did 2 things:
a. I removed the old Cisco VPN
b. Added a line DHGroup = 2 in the pcf file, and imported that into the Shrew VPN

And then it worked!!!
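The three comments above all hinge on what ends up in the .pcf file that Shrew imports (the full profile, the three-line minimal one, and the DHGroup = 2 line that fixed "session terminated by gateway"). As an added example, not code from the blog post or from Shrew Soft, this small Python script parses a .pcf in the same INI-style form and reports the things those comments turned out to matter; the sample profile and its values are constructed placeholders.

```python
"""Sanity-check a Cisco-style .pcf profile before importing it into Shrew Soft VPN.
Added example; not part of the blog post or of Shrew Soft's own tooling."""

# Keys without which an import cannot reach a gateway at all.
REQUIRED = ("Host", "GroupName")

# Constructed sample profile; every value is a placeholder, not a real site.
SAMPLE_PCF = """[main]
Description=Example profile
Host=vpn.example.invalid
AuthType=1
GroupName=examplegroup
GroupPwd=
enc_GroupPwd=0000
EnableNat=1
EnableLocalLAN=0
"""


def parse_pcf(text):
    """Parse key=value lines into a dict.
    A [section] header is optional (the three-line profile quoted above has none),
    and whitespace around '=' is tolerated (the commenter wrote 'DHGroup = 2')."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def check_pcf(entries):
    """Return a list of findings; an empty list means nothing obvious to fix."""
    findings = []
    for key in REQUIRED:
        if not entries.get(key):
            findings.append(f"missing {key}")
    # Either the clear-text or the encoded group password must be present.
    if not entries.get("GroupPwd") and not entries.get("enc_GroupPwd"):
        findings.append("no group password (GroupPwd or enc_GroupPwd)")
    if "DHGroup" not in entries:
        findings.append("DHGroup not set; one commenter needed DHGroup=2")
    if entries.get("EnableLocalLAN") == "1":
        findings.append("EnableLocalLAN=1 keeps local LAN access open while connected; confirm that is intended")
    return findings


if __name__ == "__main__":
    for finding in check_pcf(parse_pcf(SAMPLE_PCF)):
        print(finding)
```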


About the Useful Tip:
Where is the "configuration name"?
I'm clueless about what I need to fill in there.
And does it matter where I save 1.bat?

Thx


Hi! Trying to connect to a WatchGuard x750e. The profile for Shrew was imported from WG System Manager. Shrew client connection is OK. Connecting by RDP to the remote host: OK. On the remote PC, trying to open a mapped disk and copy any file, the connection is lost, but Shrew stays connected. Localhost connects to the router with NAT. But if I connect to the ISP without a NAT router, I have no problem. How to fix it? Help, guys.


I like your blog post. Keep on writing this type of great stuff. I'll make sure to follow up on your blog in the future.


Need help on how to config WatchGuard and the Shrew VPN client for several PCs connected to 1 internet tunnel. Our present config works well for a single PC only per internet tunnel. It works well for our remote offices with only 1 PC installed to remotely connect, but not when we run clients on more than 1 PC in a site. We set the remote tab to any in our setting... thanks for your help

jeanette saluba of cebu city hall


In reference to the above query of Saluba. Thanks


Windows 7 64 bit, Cisco SRP547W, works a charm. Thanks for the post! :)


Great instructions. Helped me out a ton.


Hi all, is there a way to unhide the network adapter used by Shrew? I can't see it in RRAS. Thx


The bat tip is awesome :)


If anyone is getting the "negotiation timeout occurred" error on SS VPN on Win 7 64-bit, try the following...

Go to the network controller card's properties in Device Manager, go to the Advanced tab and see whether there is a "Header-Data split" property. If it's there and it is enabled, then disable it.

Then try to re-connect using SS VPN and it should work.

This is another workaround for the issue "negotiation timeout occurred".


Hiya,

I am able to connect. Actually I want to keep it connected for some time and then disconnect. Is there something to disconnect using the command line?

Any info will be helpful...

Thanks


Your website pages are almost unreadable - good content but lousy presentation.

© All content on this site is copyright, except where other sources are specified. Please contact me before using any resources on this blog in any way ©