[EMAIL PROTECTED] wrote:
> heya,
>
> i've been grinding away to get a VPN setup where i can have win xp clients
> connect to my openbsd firewall and access the network behind it. i have tried a
> number of things, none of which have yet worked for all my users. i am very much
> interested in hearing from other admins who have currently working solutions
> along these lines. i have setup isakmpd between my home and my business
> location, so i know i am not a complete idiot when it comes to this stuff ;).
>
as for me, the howto described in http://openbsd.cz/~pruzicka/vpn.html works with no problems. here are my config files:

######isakmpd.conf######

[General]
Policy-file= /etc/isakmpd/isakmpd.policy
Retransmits= 4
Listen-On= ext_if_ip

# Phase 1: the key is the external IP of the remote peer, the value is the
# name of its section below
[Phase 1]
peer1_ext_ip= peer1

[Phase 2]
Passive-Connections= peer2

[peer1]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= somepass

[peer2]
Phase= 2
ISAKMP-peer= peer1
Configuration= Default-quick-mode
Local-ID= local-net
Remote-ID= peer-net

[peer-net]
ID-type= IPV4_ADDR
Address= peer_ext_ip

[local-net]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

######isakmpd.policy######

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:somepass"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

######xp settings######

ipseccmd.exe -u
ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -t obsd_ext_ip -n ESP[3DES,SHA] -a PRESHARE:"somepass" -1s 3DES-SHA-2
ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -t xp_client_local_ip -n ESP[3DES,SHA] -a PRESHARE:"somepass" -1s 3DES-SHA-2

if you want to preserve the ipseccmd settings (after a reboot, e.g.) you can add '-w reg -p somename' to your cmd line to store the ipseccmd settings in the windows registry, and so they'll also be visible via the mmc/ipsec console.

on the obsd firewall you have to pass traffic on enc0 and, on ext_ip, incoming udp on port 500 (and 4500 if your xp clients are behind nat which changes source port numbers).

read also:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipsecmd.mspx
http://support.microsoft.com/default.aspx?kbid=885407

hope it will help you.
sorry for my english ;)

--
raff
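A pf.conf fragment for the firewall rules raff describes at the end of his reply, added here as an example and not part of the original thread. Interface names, the XP client address and the pf syntax level (OpenBSD 3.x-era keywords) are assumptions; the 192.168.1.0/24 network and the udp 500/4500 ports come from the post, while the ESP rule is an addition the post does not mention.

```pf
# Added example, not from the original post. Interface names and the client
# address are placeholders; adjust them for your gateway.
ext_if = "fxp0"                  # assumed external interface (holds ext_if_ip)
int_net = "192.168.1.0/24"       # network behind the firewall (from the post)
xp_clients = "{ 203.0.113.10 }"  # constructed placeholder for the XP client(s)

# IKE from isakmpd: udp/500 always; udp/4500 only when a client sits behind NAT
# and NAT-T is in use. Restricting the source to known clients limits exposure
# of the IKE daemon to the Internet at large.
pass in on $ext_if proto udp from $xp_clients to ($ext_if) port { 500, 4500 } keep state

# Not mentioned in the post: without NAT-T the IPsec payload arrives on $ext_if
# as IP protocol 50 (ESP), so pf must pass it as well. With NAT-T it is carried
# inside udp/4500, which the rule above already covers.
pass in on $ext_if proto esp from $xp_clients to ($ext_if)

# Decrypted packets appear on enc0 with their inner addresses. Only pass what
# the tunnel is meant to carry: client <-> internal network, nothing else.
pass in  on enc0 from $xp_clients to $int_net keep state
pass out on enc0 from $int_net to $xp_clients keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; the rule order assumes the usual `block all` default earlier in the file.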