WatchGuard Support Center

Knowledge Base - Article

000013135
 About the Shrew Soft VPN Client

Information
Does WatchGuard support the Shrew Soft VPN Client?

For Mobile VPN with IPSec, we recommend the WatchGuard IPSec Mobile VPN Client. For information about the WatchGuard client, see About the IPSec Mobile VPN Client in Fireware Help.

We support mobile VPN tunnels created with the Shrew Soft VPN client only if:

  • The Shrew Soft client supports your operating system. 
  • Your Firebox has Fireware v11.4.1 or higher.

The Shrew Soft VPN client does not support Windows 8.1 or higher. For more information about Shrew Soft system requirements, see https://www.shrew.net/download/vpn.

If you have the Shrew Soft VPN client installed on an operating system that supports it, you can use the steps in this article to install, configure, and troubleshoot the Shrew Soft VPN client and the VPN connection.

About the Shrew Soft VPN Client

The Shrew Soft VPN Client functions similarly to the WatchGuard IPSec Mobile VPN Client and shares many of the same configuration settings, but it does have some limitations.

You can download the Shrew Soft VPN Client for Windows from Shrew Soft (http://www.shrew.net/download). 

SHA2 authentication and encryption options require Shrew Soft VPN Client v2.2.1 or higher.

The Shrew Soft VPN client supports Diffie-Hellman groups 1, 2, 5, 14, and 15. 

Shrew Soft VPN Client Limitations

The Shrew Soft VPN Client does not support these Mobile VPN with IPSec configuration settings and features:

| Feature | Details |
|---|---|
| IKE keep-alive | Not supported |
| Configuration of multiple VPN gateways for multi-WAN failover | Not supported |
| Line management configuration settings: Connection mode and Inactivity timeout | Not supported |
| Phase 2 proposal Force Key Expiration setting kilobytes | Does not apply to the Shrew Soft VPN client |
| Dead Peer Detection (DPD) configuration settings: Traffic idle timeout and Max retries | Do not apply to the Shrew Soft VPN client. If DPD is enabled, the Shrew Soft VPN client supports DPD with a traffic idle timeout value of 15 seconds. |
| RADIUS 2-factor authentication | Not supported |
| SecurID 2-factor authentication | Not supported |
| Read-only profile | Not supported |
| User name and password stored for user authentication | Not supported. Users must type their user names and passwords each time they connect. |
| TDR Host Sensor Enforcement for mobile VPN connections (Fireware v12.5.4 or higher) | Not supported |


The Shrew Soft VPN end-user profile is generated as a .VPN file that is not encrypted. We recommend that you use a secure method to distribute this file.
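
Because the profile is readable text, it can be audited before it is distributed. The following is an added example, not WatchGuard or Shrew Soft code: it reports secrets stored in a profile (by size only), Diffie-Hellman groups below 2048 bits, and non-SHA2 hash settings. The `type:key:value` line layout, the key names, and the sample profile are assumptions constructed for illustration.

```python
import base64

# Constructed sample profile, not taken from a real Firebox. The
# "type:key:value" layout and the key names are assumptions.
SAMPLE_PROFILE = """\
n:version:4
s:network-host:vpn.example.test
s:auth-method:mutual-psk-xauth
b:auth-mutual-psk:Y29uc3RydWN0ZWQtcHNr
n:phase1-dhgroup:2
s:phase1-hash:sha1
s:phase2-hmac:sha1
"""

WEAK_DH_GROUPS = {1, 2, 5}  # client-supported groups shorter than 2048 bits
SECRET_KEYS = {"auth-mutual-psk", "auth-client-key-data"}  # assumed names


def parse_profile(text):
    """Return {key: (type, value)} for every 'type:key:value' line."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[0] in ("n", "s", "b"):
            settings[parts[1]] = (parts[0], parts[2])
    return settings


def audit_profile(text):
    """Return sorted findings; secret values are measured, never echoed."""
    settings = parse_profile(text)
    findings = []
    for key in settings.keys() & SECRET_KEYS:
        kind, value = settings[key]
        # 'b' values are base64: an encoding, not encryption.
        size = len(base64.b64decode(value)) if kind == "b" else len(value)
        findings.append(f"{key}: {size}-byte secret readable in the file")
    for key in ("phase1-dhgroup", "phase2-pfsgroup"):
        if key in settings and int(settings[key][1]) in WEAK_DH_GROUPS:
            findings.append(f"{key}: DH group {settings[key][1]} is under 2048 bits")
    for key in ("phase1-hash", "phase2-hmac"):
        if key in settings and not settings[key][1].startswith("sha2"):
            findings.append(f"{key}: {settings[key][1]} is not a SHA2 option")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

A profile that produces a secret finding is the case where the distribution channel matters most, because anyone who can read the file can read the secret.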

Install the Shrew Soft VPN Client Software

You can install the Shrew Soft VPN client on any computer that uses Windows 7 or 8. The installation process includes two parts: install the client software on the remote computer and import the end-user profile into the client.

Before you start the installation, make sure you have these installation components:

  • The Shrew Soft VPN client installation file
  • A Shrew Soft VPN end-user profile (.vpn file)

For instructions to generate the Shrew Soft VPN end-user profile, see Generate Mobile VPN with IPSec Configuration Files in Fireware Help.

Install the Shrew Soft VPN Client

  1. Copy the Shrew Soft VPN installation file to the remote computer.
  2. Run the .exe file. 
    The Shrew Soft VPN Client Setup Wizard appears.
  3. Select the software edition to install.
    • Standard Edition — does not require a client license.
    • Professional Edition — supports additional features, but requires a client license from Shrew Soft after the 14-day trial period. See www.shrew.net for more information.
  4. Select the destination folder.
  5. Complete the Setup Wizard.
    The Shrew Soft VPN client software and Shrew Soft VPN Client Administrators Guide are installed in the destination folder you selected.

Import the End-User Profile

  1. Copy the end-user profile (.vpn file) to the root directory on the remote (client or user) computer.
  2. From the Windows Start menu, start Shrew Soft VPN Access Manager.
    Shrew Soft VPN Access Manager appears.
  3. Select File > Import.
  4. Select the .vpn file you copied to the client computer in Step 1.
  5. Click Open.
    The VPN client configuration is imported and a new site configuration appears in the Shrew Soft VPN Access Manager window.

Each time you import a .vpn file, make sure that you use a unique file name. For example, if you generate an updated end-user profile, the .vpn file has the same name as the previously generated file. If necessary, you can rename the updated .vpn file before you import it to the Shrew Soft VPN Client. If you import a .vpn file that has the same name as a previously imported .vpn file, two site configurations with the same name appear in the Shrew Soft VPN Client, but only the most recently imported configuration operates correctly.

After you import the end-user profile, if you use certificates for authentication, you must import your certificates to the Shrew Soft VPN Client. However, if you used Policy Manager to generate the end-user profile (.vpn file), the certificate is embedded in the .vpn file, so you do not have to import it manually. If you used Fireware Web UI or the CLI to generate the .vpn file, you must manually import the certificates to the Shrew Soft VPN client after you import the end-user profile.

Import Certificates to the Shrew Soft VPN Client

If you use certificates for authentication, you must import your certificates to the Shrew Soft VPN Client before you can connect to your network. If you used Policy Manager to generate the .vpn client profile, you do not have to import the certificates manually because Policy Manager automatically embeds the certificate in the .vpn profile when it is generated. Then, when you import the .vpn profile to the Shrew Soft VPN client, the certificates are already included. If you used Fireware Web UI or the CLI to generate the certificates, after you import the end-user profile (.vpn file) you must manually import these certificates:

  • cacert.pem — The certificate for the Certificate Authority
  • .p12 file — The client certificate file

For instructions to generate the Shrew Soft VPN end-user profile, see Generate Mobile VPN with IPSec Configuration Files in Fireware Help.

To manually import certificates:

  1. Start Shrew Soft VPN Access Manager.
    Shrew Soft VPN Access Manager appears.
  2. Select an end-user profile (.vpn file).
  3. Click Modify.
    The VPN Site Configuration dialog box appears.
  4. Select the Authentication tab.
    The Authentication settings appear, on three tabs.
  5. Select the Credentials tab.
  6. In the Server Certificate Authority File text box, type or select the location and file name of the cacert.pem file.
  7. In the Client Certificate File and Client Private Key File text boxes, type or select the location and file name of the .p12 certificate file.
  8. Click Save.

Use the Shrew Soft VPN Client to Connect

You can use the Shrew Soft VPN Client for Windows to connect to a Firebox that is configured for Mobile VPN with IPSec.

Before you can use the Shrew Soft VPN Client, you must install the client software and import the end-user profile (.vpn file). You must also know the user name and password. 

Start a Shrew Soft VPN Connection

To start a VPN connection:

  1. Open Shrew Soft VPN Access Manager.
    Shrew Soft VPN Access Manager appears.
  2. Select the imported client profile.
  3. Click Connect.
    The Shrew Soft VPN Connect dialog box appears.
  4. Type the Username and Password for the Mobile VPN user.
  5. Click Connect.
  6. If you use certificates for authentication, a second password dialog box appears. Type the same Mobile VPN user password again.
    This password is used to open the private key for the client certificate.

It can take several seconds for the Shrew Soft VPN client to connect. When the VPN client has connected, the Tunnel Enabled message appears.

After the VPN client has connected, you can minimize the Shrew Soft VPN Connect dialog box, but do not close it. To keep your VPN connection, you must keep the Shrew Soft VPN Connect dialog box open. You can close the Shrew Soft Access Manager window.

Stop a Shrew Soft VPN Connection

You can use two methods to stop your VPN connection: close the Shrew Soft VPN Connect dialog box, or use the disconnect option in the Shrew Soft VPN Connect dialog box.

To use the disconnect option to end your VPN connection:

  1. Maximize the Shrew Soft VPN Connect dialog box.
  2. Click Disconnect.
    Your VPN connection ends.

If users cannot connect to the VPN, you can use the Shrew Soft VPN Trace utility to troubleshoot the connection.

Troubleshoot the Shrew Soft VPN Client

If the Shrew Soft VPN client fails to connect, you can use the Shrew Soft VPN Trace utility to see more information about why the connection failed.

To use the Shrew Soft VPN Trace utility:

  1. From the Windows Start menu, select the Shrew Soft VPN Client > Trace Utility.
    The Shrew Soft VPN Trace utility appears.
  2. Select File > Options.
    The Debug Output Options dialog box appears.
  3. From the Log output level drop-down list, select loud.
  4. Click OK.
  5. Select the IKE Service tab.
  6. Click Open Log.
  7. Click Restart.
    Debug log messages appear in the console.
  8. To copy log messages from the Shrew Soft VPN Trace utility, highlight the text in the console, then press Ctrl-C on your keyboard.
  9. Open a text file and press Ctrl-V on your keyboard to paste the copied text into the file.
  10. Review the content of the new text file to find any problems with your connection.

When you set the Log output level to loud, the Shrew Soft VPN Trace utility can quickly generate a very large file. Make sure you reset the Log output level to none after you have resolved the connection problem.

If you cannot connect to network resources through an established VPN tunnel, see Troubleshoot Network Connectivity in Fireware Help for information about other steps you can take to identify and resolve the issue.

See Also

Configure DNS in the Shrew Soft IPSec VPN client
What is the difference between Shrew Soft VPN Standard and Professional Edition?