Re: VPN: solutions that interoperate with win xp
> > i have also set up openvpn, which works great for me from home, and i have been able to successfully get this working. however, one of the users that connects to my VPN is having problems making openvpn and his kerio firewall play nice, and a working openvpn configuration cannot survive a reboot due to win xp being such a great OS.
>
> I would definitely stick with the openvpn solution. It's simpler to implement, and i didn't understand the part that the configuration cannot survive a reboot. Is this a problem on the user side? If it is, the same potential to damage the openvpn setup could be used to damage the ipsec setup.

The same problem probably won't affect ipsec, since there's no extra network interface involved there. http://openvpn.se/xpsp2_problem.html

> Yes, that's another advantage, it uses only ONE port, and is NAT friendly.

This is no different to ipsec nat-t. There are both advantages and disadvantages with ipsec, openvpn, and openssh tun-forwarding. Use what fits best for the job...
Re: VPN: solutions that interoperate with win xp
Stuart Henderson wrote:
> The same problem probably won't affect ipsec, since there's no extra network interface involved there. http://openvpn.se/xpsp2_problem.html

I meant that if one user can misconfigure the openvpn setup, he or she has the same potential to misconfigure the ipsec setup.

> This is no different to ipsec nat-t. There are both advantages and disadvantages with ipsec, openvpn, and openssh tun-forwarding. Use what fits best for the job...

I see one difference: AFAIK when you are using ipsec with nat-t, you have to give up some of the protection that AH gives you, and you stay only with the full ESP protection. With openvpn, you use the tls-auth directive and have the same level of protection that AH provides you. Implementing and keeping an IPSEC solution is far more complex than an openvpn solution, so i would definitely try the openvpn solution.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
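The tls-auth point made above, as an added example that is not part of this thread and not OpenVPN's own code: a simplified model of what a pre-shared HMAC key on the control channel buys you. Every packet is authenticated and checked for replay before anything else parses it, which is the integrity and anti-replay role AH plays in IPsec. The packet layout (4-byte id, payload, HMAC-SHA1 tag), the key and the sample packets are constructed for the example and are not OpenVPN's real framing.

```python
import hmac
import hashlib
import os
import struct
from typing import Optional, Set

# Constructed for this example: a pre-shared HMAC key, standing in for the
# key both ends would hold in an OpenVPN tls-auth key file.
TLS_AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAC_LEN = hashlib.sha1().digest_size   # tls-auth defaults to HMAC-SHA1


def mac_packet(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Build [packet_id, 4 bytes][payload][HMAC-SHA1 over id+payload].

    Assumed layout for this example; OpenVPN's real framing differs.
    """
    header = struct.pack(">I", packet_id)
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()
    return header + payload + tag


def verify_packet(key: bytes, packet: bytes, seen_ids: Set[int]) -> Optional[bytes]:
    """Return the payload if the tag is valid and the id is fresh, else None.

    Anything that fails here is dropped before the TLS layer ever sees it,
    so an unkeyed sender cannot even start a handshake or replay an old one.
    """
    if len(packet) < 4 + MAC_LEN:
        return None
    header, body, tag = packet[:4], packet[4:-MAC_LEN], packet[-MAC_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    packet_id = struct.unpack(">I", header)[0]
    if packet_id in seen_ids:                    # replay of an already seen id
        return None
    seen_ids.add(packet_id)
    return body


def demo() -> dict:
    """Run the four cases a receiver has to handle and return the outcomes."""
    seen: Set[int] = set()
    good = mac_packet(TLS_AUTH_KEY, 1, b"CLIENT_HELLO")
    results = {}
    results["accepted"] = verify_packet(TLS_AUTH_KEY, good, seen)
    results["replayed"] = verify_packet(TLS_AUTH_KEY, good, seen)
    # Flip one bit inside the payload: the tag no longer matches.
    tampered = bytearray(good)
    tampered[6] ^= 0x01
    results["tampered"] = verify_packet(TLS_AUTH_KEY, bytes(tampered), set())
    # A sender that does not hold the key (an unsolicited probe) is rejected
    # without the receiver having to interpret the payload at all.
    unkeyed = mac_packet(os.urandom(32), 2, b"CLIENT_HELLO")
    results["unkeyed"] = verify_packet(TLS_AUTH_KEY, unkeyed, set())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {'accepted' if outcome else 'dropped'}")
```

The replay set here grows without bound; a real implementation uses a sliding window over packet ids, which is also how ESP and AH do it.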
Re: VPN: solutions that interoperate with win xp
On 12/19/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> heya, i've been grinding away to get a VPN setup where i can have win xp clients connect to my openbsd firewall and access the network behind it. i have tried a number of things, none of which have yet worked for all my users. i am very much interested in hearing from other admins who have currently working solutions along these lines.
>
> i have set up isakmpd between my home and my business location, so i know i am not a complete idiot when it comes to this stuff ;).
>
> when i tried to use the native windows IPsec implementation, both as described in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not able to get anywhere. when i used ipseccmd.exe, it would not give me any useful debugging output and crashed a couple of times while i was trying to set this up. i would very much like to have a setup using the native IPsec in win xp, but am utterly in the dark as to the win xp configuration side of things.
>
> i have also set up openvpn, which works great for me from home, and i have been able to successfully get this working. however, one of the users that connects to my VPN is having problems making openvpn and his kerio firewall play nice, and a working openvpn configuration cannot survive a reboot due to win xp being such a great OS.
>
> i am also aware of the green bow VPN client that is known to interoperate with isakmpd. i have avoided using this solution since i know it to be a resource hog on win xp. anybody else's views on this software would be nice.
>
> anything that you think could help me get a VPN with win xp talking to my openbsd firewall would be awesome. i would love a howto for the win xp boxes, but a smack with the cluestick is likely all i need. it would be nice for this to NOT use certificates, as i'd like to get a shared secret setup working first, then switch to certs later.
>
> cheers, jake

Hello

I am looking at doing the same thing. From a conversation i had over the weekend i think you need to use virtual-ids and run proxy arp on the internal interface.

Hope that helps

Cheers
Steve
Re: VPN: solutions that interoperate with win xp
[EMAIL PROTECTED] wrote:
> heya, i've been grinding away to get a VPN setup where i can have win xp clients connect to my openbsd firewall and access the network behind it. i have tried a number of things, none of which have yet worked for all my users. i am very much interested in hearing from other admins who have currently working solutions along these lines.
>
> i have set up isakmpd between my home and my business location, so i know i am not a complete idiot when it comes to this stuff ;).
>
> when i tried to use the native windows IPsec implementation, both as described in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not able to get anywhere. when i used ipseccmd.exe, it would not give me any useful debugging output and crashed a couple of times while i was trying to set this up. i would very much like to have a setup using the native IPsec in win xp, but am utterly in the dark as to the win xp configuration side of things.
>
> i have also set up openvpn, which works great for me from home, and i have been able to successfully get this working. however, one of the users that connects to my VPN is having problems making openvpn and his kerio firewall play nice, and a working openvpn configuration cannot survive a reboot due to win xp being such a great OS.
>
> i am also aware of the green bow VPN client that is known to interoperate with isakmpd. i have avoided using this solution since i know it to be a resource hog on win xp. anybody else's views on this software would be nice.
>
> anything that you think could help me get a VPN with win xp talking to my openbsd firewall would be awesome. i would love a howto for the win xp boxes, but a smack with the cluestick is likely all i need. it would be nice for this to NOT use certificates, as i'd like to get a shared secret setup working first, then switch to certs later.
>
> cheers, jake

Hi jake,

I have been successfully using the Windows XP native IPSec client for some 2 years now.

There is a good configuration tool at http://vpn.ebootis.de/ which reads a configuration file and executes the ipseccmd commands needed for setting up the tunnel. The latest version is 2.2; i am using 2.1.4. You do need XP Service Pack 2. Also you must install the windows support tools as mentioned on Marcus' web page. Note that if you already installed them before installing SP2, you must also upgrade the support tools after installing SP2.

As for windows debug output, look for the oakley log in http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx

This works with certificates (somewhat tricky to set up) as well as with a preshared secret.

HTH,

Heinrich

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax   :           -3341
Re: VPN: solutions that interoperate with win xp
[EMAIL PROTECTED] wrote:
> heya, i've been grinding away to get a VPN setup where i can have win xp clients connect to my openbsd firewall and access the network behind it. i have tried a number of things, none of which have yet worked for all my users. i am very much interested in hearing from other admins who have currently working solutions along these lines.
>
> i have set up isakmpd between my home and my business location, so i know i am not a complete idiot when it comes to this stuff ;).

as for me, the howto described in http://openbsd.cz/~pruzicka/vpn.html works with no problems. here are my config files:

##isakmpd.conf##
[General]
Policy-file=/etc/isakmpd/isakmpd.policy
Retransmits=4
Listen-On= ext_if_ip

[Phase 1]
peer1_ext_ip= peer1

[Phase 2]
Passive-Connections=peer2

[peer1]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= somepass

[peer2]
Phase= 2
ISAKMP-peer=peer1
Configuration= Default-quick-mode
Local-ID= local-net
Remote-ID= peer-net

[peer-net]
ID-type=IPV4_ADDR
Address=peer_ext_ip

[local-net]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.1.0
Netmask=255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

##isakmpd.policy##
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:somepass"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

##xp settings##
ipseccmd.exe -u
ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -t obsd_ext_ip -n ESP[3DES,SHA] -a PRESHARE:somepass -1s 3DES-SHA-2
ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -t xp_client_local_ip -n ESP[3DES,SHA] -a PRESHARE:somepass -1s 3DES-SHA-2

if you want to preserve the ipseccmd settings (after a reboot, for eg.) you can add '-w reg -p somename' to your cmd line to store the ipseccmd settings in the windows registry, and so they'll also be visible via the mmc/ipsec console.

on the obsd firewall you have to pass traffic on enc0 and, on ext_ip, incoming udp on port 500 (and 4500 if your xp clients are behind nat which changes the source port numbers).

read also:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipsecmd.mspx
http://support.microsoft.com/default.aspx?kbid=885407

hope it will help you. sorry for my english ;)

-- 
raff
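An added example, written for this thread and not taken from raff's post or from the isakmpd project: a small Python checker for the cross-references inside an isakmpd.conf of the shape shown above. Every peer, connection, configuration and ID is named by section, so a misspelled section reference such as ISAKMP-peer=perr1 against a section called [peer1] is exactly the kind of slip that leaves the tunnel silently unnegotiated. The embedded sample config is constructed from raff's layout and deliberately carries that one slip so the checker has something to find. The checker only knows the reference keys listed in it, and it treats transform and suite names (3DES-SHA-GRP2, QM-ESP-3DES-SHA-SUITE) as isakmpd's built-in defaults, which it does not validate; the required ID-section fields follow isakmpd.conf(5).

```python
import configparser
from typing import List

# Sample isakmpd.conf, constructed for this example from raff's layout.
# "ISAKMP-peer=perr1" is deliberately misspelled: the section is [peer1].
SAMPLE_CONF = """\
[General]
Policy-file=/etc/isakmpd/isakmpd.policy
Retransmits=4
Listen-On= ext_if_ip

[Phase 1]
peer1_ext_ip= peer1

[Phase 2]
Passive-Connections=peer2

[peer1]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= somepass

[peer2]
Phase= 2
ISAKMP-peer=perr1
Configuration= Default-quick-mode
Local-ID= local-net
Remote-ID= peer-net

[peer-net]
ID-type=IPV4_ADDR
Address=peer_ext_ip

[local-net]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.1.0
Netmask=255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
"""

# Keys whose value must name another section of the file.
PEER_REFS = ("Configuration",)                                   # phase-1 peer section
CONNECTION_REFS = ("ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID")  # phase-2 connection
# Fields an ID section must carry for each ID-type (per isakmpd.conf(5)).
ID_FIELDS = {"IPV4_ADDR": ("Address",), "IPV4_ADDR_SUBNET": ("Network", "Netmask")}


def parse_isakmpd_conf(text: str) -> configparser.ConfigParser:
    """isakmpd.conf is INI-like; keep tag case, since isakmpd tags are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def find_config_problems(cp: configparser.ConfigParser) -> List[str]:
    """Return human-readable problems; an empty list means every reference resolves."""
    problems: List[str] = []

    def need(section: str, key: str, target: str) -> None:
        if not cp.has_section(target):
            problems.append(f"[{section}] {key} refers to missing section [{target}]")

    # [Phase 1]: each entry maps a peer address to a phase-1 peer section.
    peers: List[str] = []
    if cp.has_section("Phase 1"):
        for addr, peer in cp.items("Phase 1"):
            need("Phase 1", addr, peer)
            peers.append(peer)
    for peer in peers:
        for key in PEER_REFS:
            if cp.has_option(peer, key):
                need(peer, key, cp.get(peer, key))

    # [Phase 2]: Connections / Passive-Connections list connection sections.
    conns: List[str] = []
    for key in ("Connections", "Passive-Connections"):
        if cp.has_option("Phase 2", key):
            for conn in _split_list(cp.get("Phase 2", key)):
                need("Phase 2", key, conn)
                conns.append(conn)
    for conn in conns:
        for key in CONNECTION_REFS:
            if cp.has_option(conn, key):
                need(conn, key, cp.get(conn, key))
        # The two ID sections must carry the fields their ID-type requires.
        for key in ("Local-ID", "Remote-ID"):
            idsec = cp.get(conn, key, fallback=None)
            if idsec is None or not cp.has_section(idsec):
                continue
            idtype = cp.get(idsec, "ID-type", fallback="")
            for field in ID_FIELDS.get(idtype, ()):
                if not cp.has_option(idsec, field):
                    problems.append(f"[{idsec}] ID-type {idtype} requires {field}")
    return problems


if __name__ == "__main__":
    for line in find_config_problems(parse_isakmpd_conf(SAMPLE_CONF)) or ["no problems found"]:
        print(line)
```

Run it against /etc/isakmpd/isakmpd.conf before restarting isakmpd; the daemon's own error messages for a dangling reference are far less direct than a line naming the section and key.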
Re: VPN: solutions that interoperate with win xp
On Sun, 18 Dec 2005, [EMAIL PROTECTED] wrote:
> i would love a howto for the win xp boxes ...

Charles Dietlein has written a document[1] detailing how to get WinXP's native IPSec talking with OpenBSD, using MMC and the IPSec snapin. (While its focus is replacing WEP with IPSec, the information is relevant to your situation.)

Regards,
Greg

[1] http://www.dietlein.com/requisites/ipsec/

 \|/ ___ \|/  [EMAIL PROTECTED]    +- 2048R/38BD6CAB -+
 @~./'O o`\.~@                     | 02BD EF81 91B3 1B33 64C2 |
/__( \___/ )__\                    | 3247 6722 7006 38BD 6CAB |
   `\__`U_/'                       +--------------------------+
Re: VPN: solutions that interoperate with win xp
[EMAIL PROTECTED] wrote:
> i have also set up openvpn, which works great for me from home, and i have been able to successfully get this working. however, one of the users that connects to my VPN is having problems making openvpn and his kerio firewall play nice, and a working openvpn configuration cannot survive a reboot due to win xp being such a great OS.

I would definitely stick with the openvpn solution. It's simpler to implement, and i didn't understand the part that the configuration cannot survive a reboot. Is this a problem on the user side? If it is, the same potential to damage the openvpn setup could be used to damage the ipsec setup. And i do have many clients of mine that use an openvpn solution on windows XP without problems. You can even make your own installation package (http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html), that places your certificates and conf files in the right place, so the setup can be corrected with a few clicks of the user. It can even run without administrator rights (http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html).

Now about the kerio firewall, you should try to completely disable the filtering on the tun/tap interface and/or disable filtering on the port that openvpn uses. Yes, that's another advantage, it uses only ONE port, and is NAT friendly. So i always recommend openvpn.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: VPN: solutions that interoperate with win xp
Heinrich Rebehn wrote:
> [EMAIL PROTECTED] wrote:
> > heya, i've been grinding away to get a VPN setup where i can have win xp clients connect to my openbsd firewall and access the network behind it. i have tried a number of things, none of which have yet worked for all my users. i am very much interested in hearing from other admins who have currently working solutions along these lines.
> >
> > i have set up isakmpd between my home and my business location, so i know i am not a complete idiot when it comes to this stuff ;).
> >
> > when i tried to use the native windows IPsec implementation, both as described in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not able to get anywhere. when i used ipseccmd.exe, it would not give me any useful debugging output and crashed a couple of times while i was trying to set this up. i would very much like to have a setup using the native IPsec in win xp, but am utterly in the dark as to the win xp configuration side of things.
> >
> > i have also set up openvpn, which works great for me from home, and i have been able to successfully get this working. however, one of the users that connects to my VPN is having problems making openvpn and his kerio firewall play nice, and a working openvpn configuration cannot survive a reboot due to win xp being such a great OS.
> >
> > i am also aware of the green bow VPN client that is known to interoperate with isakmpd. i have avoided using this solution since i know it to be a resource hog on win xp. anybody else's views on this software would be nice.
> >
> > anything that you think could help me get a VPN with win xp talking to my openbsd firewall would be awesome. i would love a howto for the win xp boxes, but a smack with the cluestick is likely all i need. it would be nice for this to NOT use certificates, as i'd like to get a shared secret setup working first, then switch to certs later.
> >
> > cheers, jake
>
> Hi jake,
>
> I have been successfully using the Windows XP native IPSec client for some 2 years now.
>
> There is a good configuration tool at http://vpn.ebootis.de/ which reads a configuration file and executes the ipseccmd commands needed for setting up the tunnel. The latest version is 2.2; i am using 2.1.4. You do need XP Service Pack 2. Also you must install the windows support tools as mentioned on Marcus' web page. Note that if you already installed them before installing SP2, you must also upgrade the support tools after installing SP2.
>
> As for windows debug output, look for the oakley log in http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx
>
> This works with certificates (somewhat tricky to set up) as well as with a preshared secret.
>
> HTH,
>
> Heinrich

The tool mentioned by Heinrich has worked for me quite well. I have used it against a Linux FreeS/WAN server for three years, and OBSD for the last six months.

The following link explains how to use x509 certs: http://mirror.huxley.org.ar/ipsec/isakmpd.htm

The script he provided on the page had a small typo that prevented it from working; he seems to have fixed it now. You will find certs to be simple actually, more secure, and easier to manage. Although I have yet to get a certificate revocation list to work with isakmpd.

http://mirror.huxley.org.ar/ipsec/isakmpd.htm
VPN: solutions that interoperate with win xp
heya, i've been grinding away to get a VPN setup where i can have win xp clients connect to my openbsd firewall and access the network behind it. i have tried a number of things, none of which have yet worked for all my users. i am very much interested in hearing from other admins who have currently working solutions along these lines.

i have set up isakmpd between my home and my business location, so i know i am not a complete idiot when it comes to this stuff ;).

when i tried to use the native windows IPsec implementation, both as described in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not able to get anywhere. when i used ipseccmd.exe, it would not give me any useful debugging output and crashed a couple of times while i was trying to set this up. i would very much like to have a setup using the native IPsec in win xp, but am utterly in the dark as to the win xp configuration side of things.

i have also set up openvpn, which works great for me from home, and i have been able to successfully get this working. however, one of the users that connects to my VPN is having problems making openvpn and his kerio firewall play nice, and a working openvpn configuration cannot survive a reboot due to win xp being such a great OS.

i am also aware of the green bow VPN client that is known to interoperate with isakmpd. i have avoided using this solution since i know it to be a resource hog on win xp. anybody else's views on this software would be nice.

anything that you think could help me get a VPN with win xp talking to my openbsd firewall would be awesome. i would love a howto for the win xp boxes, but a smack with the cluestick is likely all i need. it would be nice for this to NOT use certificates, as i'd like to get a shared secret setup working first, then switch to certs later.

cheers, jake