Hello,
I’ve been given a configuration file (.vpn) for Shrew Soft VPN Client which looks something like this: http://pastebin.com/yKQGHw0d
I attempted to configure my Mikrotik router to access that VPN but with no success. Through sniffing with Wireshark I’ve managed to notice some differences in how RouterOS connects and how the Shrew Soft VPN client does.
For one, RouterOS sends the login name as ID Type USER_FQDN(3) while the Shrew Soft client sends it as FQDN(2):
This is defined by the following lines in the vpn configuration:
s:ident-client-type:fqdn
s:ident-server-type:any
s:ident-client-data:fake_user_name
I’m pretty sure this difference causes me to not be able to log in. Is there a way to make RouterOS send the user name as FQDN?
As to hashing/encryption configuration, since the vpn configuration file sets all to AUTO or disables options:
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
I had to acquire the proper configuration through debugging the Shrew Soft client. In one of its logs, iked.log, I found this:
14/06/06 17:56:19 ii : matched isakmp proposal #1 transform #1
14/06/06 17:56:19 ii : - transform = ike
14/06/06 17:56:19 ii : - cipher type = aes
14/06/06 17:56:19 ii : - key length = 256 bits
14/06/06 17:56:19 ii : - hash type = md5
14/06/06 17:56:19 ii : - dh group = modp-1024
14/06/06 17:56:19 ii : - auth type = psk
14/06/06 17:56:19 ii : - life seconds = 86400
14/06/06 17:56:19 ii : - life kbytes = 0
Which gave me the proper configuration for Phase #1, and based on the ipsec.log I found the preferred Phase #2 setup:
14/06/06 17:56:38 ii : - encr = AES-CBC
14/06/06 17:56:38 ii : - ekey = 256 bits
14/06/06 17:56:38 ii : - auth = HMAC-MD5
14/06/06 17:56:38 ii : - akey = 128 bits
14/06/06 17:56:38 ii : - hard = 3600
14/06/06 17:56:38 ii : - soft = 2880
14/06/06 17:56:38 ii : - natt = ESPINUDP
But that alone does not allow me to connect.
Another question is, how can I acquire an IP address from the established IPSec tunnel like the Shrew Soft client does? The relevant configuration in the Shrew Soft client looks like this:
Does anyone else know how to replicate that setup in RouterOS?
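
An added example, not part of the original post: a Python sketch that extracts the negotiated Phase 1 and Phase 2 parameters from Shrew Soft log lines in the format quoted above and flags deprecated values before they are copied into another client. The function names and the list of flagged values (limited to values seen in the quoted logs) are assumptions of this example.

```python
import re

# Sample input: the iked.log and ipsec.log lines quoted in the post.
PHASE1_LOG = """\
14/06/06 17:56:19 ii : matched isakmp proposal #1 transform #1
14/06/06 17:56:19 ii : - transform = ike
14/06/06 17:56:19 ii : - cipher type = aes
14/06/06 17:56:19 ii : - key length = 256 bits
14/06/06 17:56:19 ii : - hash type = md5
14/06/06 17:56:19 ii : - dh group = modp-1024
14/06/06 17:56:19 ii : - auth type = psk
14/06/06 17:56:19 ii : - life seconds = 86400
14/06/06 17:56:19 ii : - life kbytes = 0
"""
PHASE2_LOG = """\
14/06/06 17:56:38 ii : - encr = AES-CBC
14/06/06 17:56:38 ii : - ekey = 256 bits
14/06/06 17:56:38 ii : - auth = HMAC-MD5
14/06/06 17:56:38 ii : - akey = 128 bits
14/06/06 17:56:38 ii : - hard = 3600
14/06/06 17:56:38 ii : - soft = 2880
14/06/06 17:56:38 ii : - natt = ESPINUDP
"""

# "<date> <time> <level> : - <key> = <value>"; header lines lack the "- ".
DETAIL_RE = re.compile(r"^\S+ \S+ \S\S : - (?P<key>[^=]+?)\s*=\s*(?P<value>.+?)\s*$")

# Assumption of this example: only values present in the quoted logs are listed.
DEPRECATED = {
    ("hash type", "md5"): "MD5 is deprecated for IKE; prefer SHA-2",
    ("dh group", "modp-1024"): "1024-bit DH group is too small; prefer modp-2048 or larger",
    ("auth", "hmac-md5"): "HMAC-MD5 is deprecated for ESP; prefer HMAC-SHA2",
}

def parse_details(log_text):
    """Return {key: value} for every '- key = value' detail line."""
    params = {}
    for line in log_text.splitlines():
        match = DETAIL_RE.match(line)
        if match:
            params[match.group("key")] = match.group("value")
    return params

def audit(params):
    """Return (key, value) pairs whose negotiated value is on the deprecated list."""
    return [(k, v) for k, v in params.items() if (k, v.lower()) in DEPRECATED]

if __name__ == "__main__":
    for name, log in (("phase 1", PHASE1_LOG), ("phase 2", PHASE2_LOG)):
        for key, value in audit(parse_details(log)):
            print(f"{name}: {key} = {value}: {DEPRECATED[(key, value.lower())]}")
```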

