Please help: DHCP over IPSec

2005-07-01 Thread C. L. Martinez
Hi all,

 Please, this is very urgent for me. Where can I find configuration
docs on how to configure isakmpd with x509 certificates and DHCP over
IPSec for OpenBSD?

Thank you very much to all.
-- 
C.L. Martinez
[EMAIL PROTECTED]



Re: Please help: DHCP over IPSec

2005-07-01 Thread Sean Knox

C. L. Martinez wrote:

> Hi all,
>
>  Please, this is very urgent for me. Where can I find configuration
> docs on how to configure isakmpd with x509 certificates and DHCP over
> IPSec for OpenBSD?



DHCP over IPSec isn't supported. Virtual IPs with IKE Mode config work 
well, though.


sk



Re: Please help: DHCP over IPSec

2005-07-01 Thread Sean Knox

(please do not write me off list)

C. L. Martinez wrote:

> Ok, but if I would like to use the windows ipsec native client, how can I
> assign a virtual ip???
> Or does somebody know any free vpn client that works with virtual ip and
> x509 certs???


AFAIK, the windows native client does not support virtual IPs. I'm not 
aware of a free client that handles both IKECFG and x509. You might want 
to take a look at Greenbow. They produce a windows VPN client based off 
isakmpd. It's priced at 58 euros.


sk



Re: Please help: DHCP over IPSec

2005-07-01 Thread C. L. Martinez
Ok. Thank you very much for your help.


On 7/1/05, Sigfred Heversen <[EMAIL PROTECTED]> wrote:
> C. L. Martinez wrote:
> > Hi all,
> >
> >  Please, this is very urgent for me. Where can I find configuration
> > docs on how to configure isakmpd with x509 certificates and DHCP over
> > IPSec for OpenBSD?
> >
> > Thank you very much to all.
> 
> As some poster wrote, this might not be supported. You might have
> a look at openvpn.net that supports dhcp and has a Windows client,
> and is in the ports.
> 
> /Sigfred
> 
> 


-- 
C.L. Martinez
[EMAIL PROTECTED]



Re: Please help: DHCP over IPSec

2005-07-01 Thread Bruno S. Delbono
> C. L. Martinez wrote:
> > Ok, but if I would like to use the windows ipsec native client, how can I
> > assign a virtual ip???
> > Or does somebody know any free vpn client that works with virtual ip and
> > x509 certs???
> 
> AFAIK, the windows native client does not support virtual IPs. I'm not
> aware of a free client that handles both IKECFG and x509. You might want
> to take a look at Greenbow. They produce a windows VPN client based off
> isakmpd. It's priced at 58 euros.

IKE-mode is good but can be buggy with some clients. The best Windows
clients for a pure IPSec connection are:

a) Safenet (OEM) SoftRemote version 10.x (versions 9.x do not support 
AES). * Danke Harondel! *. Safenet supports PSK "and" X509 certs. It has
very good support and stability and I believe is the best of the bunch.

b) SSH.com's Sentinel Client 1.4.1 - This was the last release and is 
no longer available. However, you can find copies all over the net. (I 
do not want to paste direct links to the ftp site). Very good support 
for most configurations (PSK, X509) and also supports ike-mode 
configuration (DHCP over IPSec). However, it's completely unsupported 
AFAIK.

c) The GreenBow VPN Client - http://www.thegreenbow.com/vpn_tool.html - 
This is the newest kid on the block. It's simple, fast, flexible and 
supports all encryption types.

However, in my experience it's not stable. I ran it on Windows XP SP1 + 
Patches and each time my laptop would find and connect to another 
wireless AP, I would get a BSOD. Remove Greenbow and the problem goes
away.

This is the only software I've found that can crash Windows XP that 
easily! It supports X509 certs, but it's not as easy to get them 
working. The links for tools for playing/extracting p12 x509 certs are 
broken on thegreenbow.com's website. If you want, I can forward you the 
copy of the tools. I cannot seem to have more than one X509 
certificate/Root CA for it to work. So if you have more than one VPN 
connection, you may be out of luck.

You can download an eval copy and play with the software and see if 
it would fit your needs.

I also happened to find an interesting project on freshmeat.net today:
3SP's SSL-Explorer (GPL) - http://3sp.com/showSslExplorer.do

SSL-Explorer is the world's first open-source SSL VPN solution of its 
kind. This unique remote access solution provides users and businesses 
alike with a means of securely accessing network resources from outside 
the network perimeter using only a standard web browser.

It's pretty neat actually!

Anyways, my two cents.

Warm Regards,

-Bruno



Re: Please help: DHCP over IPSec

2005-07-05 Thread Kurt Miller

From: "Bruno S. Delbono" <[EMAIL PROTECTED]>

> IKE-mode is good but can be buggy with some clients. The best Windows
> clients for a pure IPSec connection are:
>
> a) Safenet (OEM) SoftRemote version 10.x (versions 9.x do not support 
> AES). * Danke Harondel! *. Safenet supports PSK "and" X509 certs. It has
> very good support and stability and I believe is the best of the bunch.


SoftRemote can be purchased rather cheaply (~$40 US) under the name
NetGear ProSafe VPN Client.

-Kurt



Re: Please help: DHCP over IPSec

2005-07-23 Thread Toni Mueller
Hi,

On Fri, 01.07.2005 at 18:36:56 -0700, Bruno S. Delbono <[EMAIL PROTECTED]> 
wrote:
> IKE-mode is good but can be buggy with some clients. The best Windows
> clients for a pure IPSec connection are:

> a) Safenet (OEM) SoftRemote version 10.x (versions 9.x do not support 
> AES). * Danke Harondel! *. Safenet supports PSK "and" X509 certs. It has

hmmm... I didn't get SafeNet to work properly (maybe an older version,
in 200[123] or so, which was OEM'ed by NetScreen, and also had severe
breakage with

> b) SSH.com's Sentinel Client 1.4.1 - This was the last release and is 

this which just stopped working for us after a Sentinel and OpenBSD
upgrade - both were required, the Sentinel because of a remote root,
and OpenBSD to go from 3.[12] to 3.[456], can't quite remember, at the
time. We have absolutely no inclination to rely on software which is
clearly abandoned and also closed source.  We arrived at

d) NCP's SecureEntry (?) which you can purchase from OEMs and/or through
   dealers, depending on qty. Works rather well for us so far, but hey,
   we also sell it, so take with a grain of salt. It's probably the most
   expensive of the pack... :-|

We use X509, AES256, NAT-T, and IKECFG and would also use
DHCP-over-IPSEC and compression if they were supported (didn't check
lately, though).

I didn't have a good opportunity (time etc) to look into the Greenbow
yet, but am still interested in this and other software for this
application.


I've heard that implementing DHCP-over-IPSEC in ISAKMPD is open for
sponsoring... Maybe we can collect enough to get it in?


Best,
--Toni++