Heinrich Rebehn wrote:
[EMAIL PROTECTED] wrote:
heya,
i've been grinding away to get a VPN setup where i can have win xp clients
connect to my openbsd firewall and access the network behind it. i have tried a
number of things, none of which have yet worked for all my users. i am very much
interested in hearing from other admins who have currently working solutions
along these lines. i have setup isakmpd between my home and my business
location, so i know i am not a complete idiot when it comes to this stuff ;).
when i tried to use the native windows IPsec implementation, both as described
in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not
able to get anywhere. when i used ipseccmd.exe, it would not give me any useful
debugging outputs and crashed a couple times while i was trying to set this up.
i would very much like to have a setup using the native IPsec in win xp, but am
utterly in the dark as to the win xp configuration side of things.
i have also setup openvpn, which works great for me from home, and i have been
able to successfully get this working. however, one of the users that connects
to my VPN is having problems making openvpn and his kerio firewall "play nice",
and a working openvpn configuration cannot survive a reboot due to win xp being
such a great OS.
i am also aware of "the green bow" VPN client that is known to interoperate with
isakmpd. i have avoided using this solution since i know it to be a resource hog
on win xp. anybody else's views on this software would be nice.
anything that you think could help me get a VPN with win xp talking to my
openbsd firewall would be awesome. i would love a "howto" for the win xp boxes,
but a smack with the cluestick is likely all i need. it would be nice for this
to NOT use certificates, as i'd like to get a shared secret setup working first,
then switch to certs later.
cheers,
jake
Hi jake,
I have been successfully using the Windows XP native IPSec client for
some 2 years now. There is a good configuration tool at
http://vpn.ebootis.de/ which reads a configuration file and executes the
ipseccmd commands needed for setting up the tunnel. The latest version is
2.2; I am using 2.1.4.
You do need XP Service Pack 2. Also you must install the windows support
tools as mentioned on Marcus' web page. Note that if you already
installed them before installing SP2, you must also upgrade the support
tools after installing SP2.
As for windows debug output, look for "oakley log" in
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx
This works with certificates (somewhat tricky to set up) as well as with
a preshared secret.
HTH,
Heinrich
The tool mentioned by Heinrich has worked for me quite well. I
have used it against a Linux freeswan server for three years, and OBSD
for the last six months. The following link explains how to use x509
certs: http://mirror.huxley.org.ar/ipsec/isakmpd.htm
The script he provided on the page had a small typo that prevented it
from working; he seems to have fixed it now. You will find certs to be
simple actually, more secure, and easier to manage.
Although I have yet to get a certificate revocation list to work with
isakmpd.