Victor B. Berdin wrote:
> Hello everyone,
>
> How do you guys go about with subnet-2-subnet VPN interop
> between Dachstein 1.0.2 and WIN2K? If I were to use
> "fwscert"-extracted RSA keys from my serverkey.pem (since FSwan lower than 1.96 does not support the RSA cert key line declaration in ipsec.secrets), and place the p12 cert extract of my clientcert.pem on the WIN2K side, I'm assuming that my
> DS ipsec.conf and ipsec.secrets should look like this:
>
> <snip>
>
> Is there something wrong with my settings above? I also referred to the "Bering" site on how to set up the WIN2K machine.
> I've also seen other docs stating that PSK is enough to achieve the above
> subnet-2-subnet interop, even with FSwan as low as v1.1.
> But I can't get my above requirements right. :o(
> I thought I could get away w/o having to do a WIN2K interop, but then
> again ....

I don't use certs, so can't comment with much authority on your settings above, but I do have a couple of comments that might help.

1) I hope you are aware of the various limitations of the built-in Windows IPSec client? There are at least two issues I've heard of that could be causing you problems, including the fact that you don't get 3DES support without installing a security patch (although you get the "check-box" regardless, so you can mistakenly believe you're running 3DES on the Windows side when in reality it will only negotiate 1DES. FreeS/WAN, of course, will refuse to talk 1DES).

The other issue is the fact that only some flavors of Win2K (server and/or advanced-server, IIRC) will do gateway-gateway connections. I think all that's supported on 2K-Pro is host-host or host-subnet, with the 2K-Pro end being a host, and the remote end being a subnet or gateway.

2) I have used the ssh sentinel client to connect W2K-Pro to FreeS/WAN using shared-secrets. While I implemented a host-subnet connection, I believe ssh sentinel does support subnet-subnet links. While it is not free, the price for ssh sentinel is pretty reasonable, and I think it's a lot easier to configure than the built-in M$ client, and it's way cheaper than a server or advanced-server license, if you're trying to use 2K-Pro for a subnet-subnet connection.

--
Charles Steinkuehler
[EMAIL PROTECTED]
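For readers following the thread, here is what a minimal FreeS/WAN 1.x subnet-to-subnet connection with a pre-shared key looks like. This is an added illustration, not the `<snip>`ped configuration from the original post and not taken from the Bering documentation: the gateway addresses, subnets, next-hops and the secret are constructed placeholders, the connection name is made up, and `pfs=no` is an assumption about the Windows IKE defaults rather than something the thread states. Because FreeS/WAN of this vintage negotiates only 3DES, the cipher mismatch Charles describes shows up as a failed phase 1 on the FreeS/WAN side, not as a silently weaker tunnel.

```conf
# /etc/ipsec.conf  (FreeS/WAN 1.x syntax; constructed example)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        # Pre-shared key authentication; the secret lives in ipsec.secrets.
        authby=secret

# Gateway-to-gateway tunnel between the Dachstein box and the Win2K gateway.
# Both ends must be gateways for subnet-subnet; a Win2K Pro host is not
# (see the reply above).
conn ds-to-win2k
        left=192.0.2.1                # Dachstein external address (placeholder)
        leftsubnet=10.0.1.0/24        # LAN behind Dachstein (placeholder)
        leftnexthop=192.0.2.254       # Dachstein default gateway (placeholder)
        right=198.51.100.1            # Win2K gateway external address (placeholder)
        rightsubnet=10.0.2.0/24       # LAN behind the Win2K gateway (placeholder)
        rightnexthop=198.51.100.254   # placeholder
        pfs=no                        # assumption: Win2K does not offer PFS by default
        auto=start

# /etc/ipsec.secrets  (mode 0600, root only)
# Index the PSK by both gateway addresses so it is only used for this peer.
192.0.2.1 198.51.100.1 : PSK "CHANGE-ME-constructed-example-secret"
```

After editing both files, `ipsec setup restart` followed by `ipsec auto --status` shows whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA) were established; if phase 1 never completes against an unpatched Windows host, the 1DES-only proposal from the Windows side is the first thing to check, since the Windows "3DES" checkbox gives no indication that the patch is missing.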

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html