On Thu, 02 Jan 2003 12:01:51 -0800
[EMAIL PROTECTED] wrote:

> Message: 5
> From: "S Mohan" <[EMAIL PROTECTED]>
> To: "'leaf-user'" <[EMAIL PROTECTED]>
> Date: Thu, 2 Jan 2003 10:22:54 +0530
> Subject: [leaf-user] IPSec
> 
> Chad has made Win2K configuration using IPSec look simple in  his
> documentation. It does not seem as if the description is enough to get
> it to work well first shot. I've had a horrid time going thro' a Win2K
> configuration. I've been in the Windows world for over 12 years and
> Win2K IPSec configuration is as convoluted as it can get.

Agreed.  I had a very difficult time figuring out how to explain that
convolution in the document.  The main thing to understand as I see it
now is that the Windows 2000/XP "IP Security Policy" mmc snap-in is
really a combination of the functionality of iptables _and_ freeswan on
the Linux side.

Filter rules catch the traffic you want to encrypt and actions tell
Windows what to do with the caught traffic.  In my example, I want to
encrypt everything.  This may not be the way you want to do business. 
My road warriors were set up to use the ipsec gateway as their default
gateway, a somewhat strange configuration, I suppose, but not unheard of
in the harsh world out there.

Also, I tried to include a troubleshooting section because I knew that
the point and click instructions would not be sufficient.  I think that
I may not have accounted for the myriad of ways mistakes can be made
during the process (not to mention a section on what to do when your
hand falls off from clicking...)

Also, I must say to all that are having problems with it, that it is
_not_ easy, until you get it to work once.  When you can get it to work
and you know what you did, you can sort of start to see Microsoft's
warped view of ipsec and repeat the atrocity...

> 
> I'm learning. I've been able to set up a preshared key tunnel between
> a leaf box and a RH Linux box to connect two LANs as under
>                   192.168.1.1                      192.168.2.1
>   local LAN   |  +-------------+  Internet Link   +----------+  |   local LAN
> 192.168.1.0/24|--| LEAF Bering |==================| RH Linux |--|192.168.2.0/24
>               |  +-------------+                  +----------+  |
> 
> I then thought I'd set up Win2K to LEAF using preshared keys. I've got
> stuck up here. I'd like some light here.
> 
> 1. My Win2K box is an Internet dial-up box on a dynamic IP. Can I use
> preshared keys in this scenario between Win2K and LEAF? If so, how do
> I configure my Win2K box. Most documentation I've seen refer to x509
> certificate use for such a scenario. Setting up a separate machine for
> this in a predominant Windows network poses organisational problems.

Windows needs a static ip to describe the road warrior end of the tunnel
using the documentation I have written.  I have heard it is possible to
use the utility you mentioned below to set up a dynamic ip tunnel, but
you would have to refer to Nate's documentation for that info; I have
not done it myself.

> 2. I've seen an ipsec.exe tool on Nate Carlson's page
> http://www.natecarlson.com/linux/ipsec-x509.php . One of the things
> that make my head spin is two tunnels for one connection and the
> sequence of configuration. Can someone throw some light on this
> please? Is Nate Carlson's utility an overkill for a LEAF scenario? If
> not, can it not be adopted to make life simpler?

The utility (if I am thinking of the right one) is not written by Nate
but by a guy by the name of Marcus Muller (http://vpn.ebootis.de).  From
what I have seen, it just puts a freeswan-like configuration file and
can manipulate the Windows system interfaces to make the magic happen,
without all the nasty clicking.  I believe (see above) that it can also
handle dynamic tunnel addresses.

I didn't want to have an extra utility deployed to every road warrior in
my network, so I chose to spend the time to learn Windows's hideous GUI,
but it may not be worth it for your application.  I do not know how you
distribute programs to your clients, how many you have, etc.

If you have any specific questions about the Windows interface, anybody,
I will try to help as much as I can, but it _is_ hellish, and there just
comes a moment of clarity with it (what else can I say?) after you screw
around with it long enough.

-- 
-----------------------------------------------------------------------
Chad Carr                                         [EMAIL PROTECTED]
-----------------------------------------------------------------------
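A FreeS/WAN configuration for the preshared-key net-to-net tunnel in the quoted diagram, added here as an example and not taken from the thread or from Chad's documentation; LEAF_PUBLIC_IP, RH_PUBLIC_IP and the secret string are placeholders, and the option names follow FreeS/WAN 1.x syntax.

```ini
# /etc/ipsec.conf on the LEAF Bering box. The same conn section works on the
# RH Linux end, since FreeS/WAN left/right are symmetric and the file is
# meant to be identical on both gateways.
# LEAF_PUBLIC_IP and RH_PUBLIC_IP are placeholders for the two Internet-side
# addresses, which the thread does not give.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0

# Net-to-net tunnel from the quoted diagram, authenticated by preshared key.
conn leaf-rh
        left=LEAF_PUBLIC_IP
        leftsubnet=192.168.1.0/24
        leftnexthop=%defaultroute
        right=RH_PUBLIC_IP
        rightsubnet=192.168.2.0/24
        rightnexthop=%defaultroute
        authby=secret
        auto=start

# /etc/ipsec.secrets on both ends (mode 0600, owned by root). One line: the
# two endpoint addresses, then the shared secret. The string shown is a
# placeholder; generate a long random secret rather than a password.
# LEAF_PUBLIC_IP RH_PUBLIC_IP : PSK "replace-with-a-long-random-secret"
```

After `ipsec setup restart`, `ipsec auto --status` lists the connection and whether its SAs are established.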
