How to connect Shrew Soft VPN client to Sophos IPsec VPN
So far I have really been impressed with the features and power of the Sophos UTM appliance. I have run it both as a software-based appliance on a whitebox Atom-powered machine and as a VMware virtual machine, which is my current configuration thanks to the CPU power available on my VMware host. The Sophos UTM appliance provides a very wide range of remote access options for reaching your network from a remote location: SSL, PPTP, L2TP over IPsec, IPsec, HTML5 VPN Portal, and Cisco VPN Client.
I want to cover setting up an IPsec VPN on the Sophos side as well as connecting to it using the free Shrew Soft VPN client. Sophos offers its own VPN client that connects easily to your Sophos UTM box by importing an .ini file exported from the UTM itself. I have tried this process; it is extremely easy and takes care of all the heavy lifting of getting the configuration right. However, the client is downloaded with a 30-day trial license, and it is quite expensive, especially if you are just purchasing a single seat of the software.
Unfortunately, there is no way to import the downloadable .ini file from the UTM into the Shrew Soft VPN client. However, as you will see below, you can connect to your IPsec VPN by manually configuring the client to connect to your Sophos UTM.
First things first, go to the Remote Access link on the left side of the dashboard. Click IPsec and then click New IPsec Remote Access Rule…, which brings you to the screen for setting up the VPN connection. Below I have named the VPN connection, set the Interface the connection listens on (External WAN), and set the Virtual IP Pool, which out of the box defaults to the VPN Pool. You can choose from a number of policy profiles to enable. I have chosen the Preshared key Authentication type. You can also enable XAUTH, which increases security by additionally requiring a username and password for that user.
The user is specified in the Allowed users box that appears after you select Enable XAUTH. Once you have set up the user, simply hit Save.
Below is a quick capture of the Authentication type dropdown where you see you can select between CA DN match, Preshared key, and X509 certificate.
Be sure, after you click Save on the Access Rule screen, to enable the VPN by sliding the slider next to the VPN connection over to green; until you do, the connection is not active.
After you have created the VPN connection on the Sophos side using the settings above, you can begin setting up your Shrew Soft connection with the free Shrew Soft VPN client download, which can be found here. The installer is very small and installs in a snap.
After installing Shrew Soft, simply create a new connection. Enter the public WAN interface address that you set up on the Sophos side. Note that below I have a 192.168.1.1 address showing just for the purpose of documenting the setup.
- Under the Auto Configuration section, make sure to select ike config pull, and under Adapter Mode select obtain automatically.
- Leave the default settings under the NAT Traversal options.
- Under Name Resolution, in my particular config I set up public DNS resolvers; however, these can be set to any that you wish, or set to Obtain Automatically, which should pull the DNS configuration that the Sophos VPN hands out along with the client address.
Since I am using a preshared key and XAUTH, I have selected that under the Authentication tab. Also, leave the Identification Type under Local Identity at the default, IP Address.
Still in the Authentication tab, leave the default Identification Type for Remote Identity selected as IP Address.
Under the Credentials tab you will need to specify your Pre Shared Key.
The Phase 1 settings below were matched to the AES 256 policy I am using as the Policy type on the VPN connection.
Same goes for Phase 2.
Under the Policy tab, you specify the Remote Network Resource. I have the local LAN subnet specified as well as the 0.0.0.0 network, which allows the machine to browse Internet resources as well.
After you finish the Policy tab, you should be ready to test the VPN connection. Save the connection and then double-click it; you should see a screen similar to the one below asking for the XAUTH username and password that you specified on the Sophos UTM side.
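A quick way to catch the usual "Phase 1 failed" mismatch before double-clicking the connection is to compare the client profile against what the UTM rule expects. The following is an added example, not code from the article or from Shrew Soft; the `.vpn` key names follow the client's export format as I remember it and are an assumption, and the sample profile is constructed with one deliberate Phase 1 key-length mismatch.

```python
import re

# Constructed sample profile in the Shrew Soft ".vpn" export style; the key
# names are an assumption from memory, not taken from the article. Values
# mirror the tutorial, except Phase 1 is left at 128 bits to show a mismatch.
SAMPLE_VPN = """\
s:client-auto-mode:pull
s:auth-method:mutual-psk-xauth
s:ident-client-type:address
s:ident-server-type:address
s:phase1-cipher:aes
n:phase1-keylen:128
s:phase2-transform:esp-aes
n:phase2-keylen:256
s:policy-list-include:192.168.1.0 / 255.255.255.0
s:policy-list-include:0.0.0.0 / 0.0.0.0
"""

# UTM rule from the tutorial: AES-256 policy, PSK + XAUTH, IP-address identities, config pull.
EXPECTED = {
    "client-auto-mode": "pull",
    "auth-method": "mutual-psk-xauth",
    "ident-client-type": "address",
    "ident-server-type": "address",
    "phase1-cipher": "aes",
    "phase1-keylen": "256",
    "phase2-transform": "esp-aes",
    "phase2-keylen": "256",
}

def parse_vpn(text):
    """Parse 'type:key:value' lines into {key: [values]} (keys may repeat)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^[nsb]:([^:]+):(.*)$", line.strip())
        if m:
            cfg.setdefault(m.group(1), []).append(m.group(2).strip())
    return cfg

def check_against_utm(cfg, expected=EXPECTED):
    """Return mismatches between the client profile and the UTM-side rule."""
    problems = []
    for key, want in expected.items():
        got = cfg.get(key, [None])[0]
        if got != want:
            problems.append(f"{key}: client has {got!r}, UTM rule expects {want!r}")
    # Internet browsing through the tunnel needs 0.0.0.0 among the remote networks.
    if not any(n.startswith("0.0.0.0") for n in cfg.get("policy-list-include", [])):
        problems.append("policy-list-include: no 0.0.0.0 entry, Internet traffic bypasses the tunnel")
    return problems
```

Run `check_against_utm(parse_vpn(open("profile.vpn").read()))` on an exported profile; an empty list means the client side matches the rule described above.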
I am really liking the remote access capabilities of the Sophos UTM. There is a wide range of built-in options that will cover just about any need you would have to establish a remote VPN connection to your Sophos UTM. Shrew Soft is an awesome VPN client with a lot of capabilities that will let you connect to just about any type of VPN you need. Hopefully the tutorial above will help those of you out there who are looking for a free client that can connect to the Sophos UTM without having to spend the money on the Sophos VPN client. The genuine Sophos client is a great client and works rock solid, as it is basically the NCP client rebranded. However, the price of the client can be a slight sticker shock.
If you are looking for a free way to achieve the same results, you can’t go wrong with the Shrew Soft client, as it works perfectly for connecting to the IPsec VPN of the Sophos UTM.