Re: VPN Solutions

2006-12-29 Thread Siju George

On 12/27/06, Stuart Henderson [EMAIL PROTECTED] wrote:

On 2006/12/26 22:01, Siju George wrote:
 I am unable to go to office due to health reasons and my firm has
 allowed me to work from home for 3 months. Could someone please tell
 me the feasible VPN solutions I have using OpenBSD please?

Between fairly up-to-date OpenBSD systems, the simplest way is to
configure the VPN using ipsec.conf.

You could probably work this out from the manual, but there's no
direct example for a dynamic endpoint, so you might find this post
from reyk@ useful:

http://marc.theaimsgroup.com/?l=openbsd-miscm=114200271127147w=2



Thank you so much Murali Vijay and Stuart for your help :-)
I was almost looking at VPN but Reyk's post above that Stuart gave me
is a relief :-)
Thank you so much Stuart

Thanks a million Reyk :-)

kind regards

Siju



VPN Solutions

2006-12-26 Thread Siju George

Hi,

I am unable to go to office due to health reasons and my firm has
allowed me to work from home for 3 months. Could someone please tell
me the feasible VPN solutions I have using OpenBSD please?

1) The company network consists of BSD/Linux/OS X/MS Windows systems
guarded by an OpenBSD firewall.

2) The firewall is connected to two Internet connections with
different static IP addresses. However, at any one time only one Internet
connection will be active; the other one is a backup connection which
will be activated when the first connection goes down.

3) All hosts behind the firewall make use of NAT to access the Internet.

4) My computer at home will be running OpenBSD most of the time
(sometimes Debian/slamd64). It will be getting a dynamic IP address
from a DSL router.

5) The DSL router itself gets a dynamic Internet IP address from the provider.

What are the feasible VPN solutions for me so that I can access
computers in my company just like I am on the same network?

AuthPF is good but I would like a VPN solution :-)
If there are docs regarding these please let me know too.

Thank you so much

Kind regards

Siju



Re: VPN Solutions

2006-12-26 Thread Murali Raju

Siju,
 I believe Debian has an isakmpd package for IPSec. Although, if you
use OpenBSD, use ipsec.conf, which is a breath of fresh air for any
(including large-scale) IPSec VPN implementation.

You may also want to consider OpenVPN - http://openvpn.net. Thanks!

_Raju






--
May the packets be with you.



Re: VPN Solutions

2006-12-26 Thread Vijay Sankar

For multiple OSes in a corporate environment, I found PopTop on OpenBSD
to be a good solution. I set up OpenVPN, PopTop, and IPSec on the OBSD
firewall but found that most users preferred PopTop. This was mostly
because users with Windows XP machines at home or on the road did not
have to make any changes or add additional software. Since OpenBSD has
pptpclient and rdesktop packages, it was not a hassle for the home
OpenBSD users to use this setup either.

 
-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: 204 885 9535, E-Mail: [EMAIL PROTECTED]



Re: VPN Solutions

2006-12-26 Thread Stuart Henderson
On 2006/12/26 22:01, Siju George wrote:
 I am unable to go to office due to health reasons and my firm has
 allowed me to work from home for 3 months. Could someone please tell
 me the feasible VPN solutions I have using OpenBSD please?

Between fairly up-to-date OpenBSD systems, the simplest way is to
configure the VPN using ipsec.conf.

You could probably work this out from the manual, but there's no
direct example for a dynamic endpoint, so you might find this post
from reyk@ useful:

http://marc.theaimsgroup.com/?l=openbsd-miscm=114200271127147w=2

 2) The firewall is connected to two Internet connections with
 different static IP addresses. However, at any one time only one Internet
 connection will be active; the other one is a backup connection which
 will be activated when the first connection goes down.

You may need to adjust the settings at your side when the office
changes to the other connection and use ipsecctl to flush and reload
the configuration but I don't expect that to be a big problem for
you. If it's likely to happen often you could automate this via a
script started from cron.

 4) My computer at home will be running OpenBSD most of the time
 (sometimes Debian/slamd64). It will be getting a dynamic IP address
 from a DSL router.

It should be possible to set up IPsec there too, but you might find
that it's enough to use SSH when you're running Debian; using ssh -D
most programs can connect to internal computers when you wrap them
using 'dsocks' - this is fast and simple to use.

Wishing you a speedy return to health.
Stuart
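As an added example (not code from Stuart's post or from anyone in this thread), here is a cron-driven sh script of the kind Stuart describes for the two-uplink office: it probes the two office gateway addresses, rewrites a one-rule home-side ipsec.conf for whichever answers, and flushes and reloads with ipsecctl only when the active peer actually changed. The office addresses, LAN, IKE identity and key-file path are constructed placeholders, and the `ike dynamic ... psk` rule is written from memory of ipsec.conf(5), so check it against the manual page of your release.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the home-side ipsec.conf
# pointed at whichever office uplink is live and reloads it with ipsecctl
# only when the peer changed, so a cron run during normal operation is a no-op.
#
# Assumptions (all constructed placeholders, not values from the thread):
#   OFFICE_IP_A/OFFICE_IP_B  the two static office uplinks (only one is live)
#   OFFICE_NET               the office LAN behind the OpenBSD firewall
#   SRCID                    the FQDN the home box presents as its IKE identity
#   PSK_FILE                 mode 0600 file holding the pre-shared key
# The 'ike dynamic ... psk' rule is written from memory of ipsec.conf(5);
# verify it against the manual page for your release.

OFFICE_IP_A="203.0.113.10"
OFFICE_IP_B="198.51.100.10"
OFFICE_NET="192.168.1.0/24"
SRCID="home.example.org"
PSK_FILE="${IPSEC_PSK_FILE:-/etc/ipsec.psk}"
CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
STATE="${IPSEC_FAILOVER_STATE:-/var/db/ipsec-failover.peer}"

# Reachability probe: one ICMP echo with a two second deadline. Kept as its
# own function so it can be swapped for a UDP/500 probe or stubbed in tests.
is_reachable() {
    ping -c 1 -w 2 "$1" >/dev/null 2>&1
}

# Print the first candidate that answers. If none does, print the first
# candidate anyway (so a config exists when the link returns) and return 1
# so the caller can log the outage.
pick_peer() {
    for ip in "$@"; do
        if is_reachable "$ip"; then
            printf '%s\n' "$ip"
            return 0
        fi
    done
    printf '%s\n' "$1"
    return 1
}

# Render the one-rule home-side ipsec.conf for the given office address.
# The key is quoted; a key containing a double quote would need escaping.
render_conf() {
    printf 'ike dynamic esp from any to %s peer %s srcid %s psk "%s"\n' \
        "$OFFICE_NET" "$1" "$SRCID" "$2"
}

# Rewrite the config and flush/reload only when the chosen peer differs from
# the one recorded on the last run. Prints "reloaded" or "unchanged".
apply_peer() {
    peer="$1"
    prev=""
    if [ -f "$STATE" ]; then
        prev=$(cat "$STATE")
    fi
    if [ "$peer" = "$prev" ]; then
        echo unchanged
        return 0
    fi
    psk=$(cat "$PSK_FILE") || return 1
    # Write with a restrictive umask so the key is never world-readable,
    # then replace the live file atomically.
    ( umask 077 && render_conf "$peer" "$psk" > "$CONF.tmp" ) || return 1
    mv "$CONF.tmp" "$CONF" || return 1
    # Flush existing SAs and flows, then load the new rule set.
    ipsecctl -F && ipsecctl -f "$CONF" || return 1
    printf '%s\n' "$peer" > "$STATE"
    echo reloaded
}

main() {
    if peer=$(pick_peer "$OFFICE_IP_A" "$OFFICE_IP_B"); then
        :
    else
        logger -t ipsec-failover "no office uplink answered, keeping $peer"
    fi
    apply_peer "$peer"
}

# Run from cron, e.g.:  */5 * * * * IPSEC_FAILOVER_RUN=1 /usr/local/sbin/ipsec-failover
if [ "${IPSEC_FAILOVER_RUN:-0}" = 1 ]; then
    main
fi
```

The state file is what makes the cron run idempotent: without it every run would flush the SAs and drop the tunnel even when nothing changed.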



Re: VPN solutions for OpenBSD to Windows

2006-12-22 Thread Toni Mueller
Hello,

On Fri, 22.12.2006 at 05:03:11 +, [EMAIL PROTECTED] [EMAIL PROTECTED] 
wrote:
 I'm looking for peoples' experiences and advice for setting up a VPN
 between OpenBSD (I will be using 4.0) and Windows XP/2000 systems.  I
 have tested the Greenbow client and it seems ok.  What of the
 built-in VPN client for the Windows OS?  I am mostly interested in
 ease of configuration and reliability of the tunnel.  I am ok on
 IPSEC theory.

we have good experience with the NCP Secure Entry client (www.ncp.de).
It is very capable and easy to handle, although also one of the most
expensive pieces out there that I'm aware of.


Best,
--Toni++



Re: VPN solutions for OpenBSD to Windows

2006-12-22 Thread Peter Hopfgartner

Can you better define your set up?

If you want to connect from a Windows road warrior which may or may not
be behind a NAT, OpenVPN can hardly be beaten in ease of use, robustness,
etc. It runs fine as a service or on demand, optionally has a nice GUI,
and I had no issues with packet length etc.


If the Windows machine is not behind a NAT and is directly connected to 
the Internet Greenbow is really a fine product.


Regards

Peter

http://www.hopfgartner.it





Re: VPN solutions for OpenBSD to Windows

2006-12-22 Thread Brian Candler
On Fri, Dec 22, 2006 at 05:03:11AM +, [EMAIL PROTECTED] wrote:
 I'm looking for peoples' experiences and advice for setting up a VPN
 between OpenBSD (I will be using 4.0) and Windows XP/2000 systems.  I have
 tested the Greenbow client and it seems ok.  What of the built-in VPN
 client for the Windows OS?

The Windows built-in VPN client uses L2TP running over IPSEC transport mode.

It's straightforward to set up IPSEC transport mode between Windows and
OBSD. Unfortunately finding a working L2TP daemon for OBSD is harder.

I made some patches to rp-l2tp, and posted them to this list a few weeks
ago. It kind-of worked, but I had a problem with vty's and packets over 1024
bytes, and nobody here was able to provide any assistance in debugging the
problem. If you want to have a go, please feel free.

I can't find an open archive of [EMAIL PROTECTED] You can try these links,
but I removed my username and password from them. Otherwise scan the archive
for December looking for subject rp-l2tp, ppp and pty problem
http://lists.openbsd.org/cgi-bin/mj_wwwusr?list=miscbrief=onfunc=archive-get-partextra=200612/293
http://lists.openbsd.org/cgi-bin/mj_wwwusr?list=miscbrief=onfunc=archive-get-partextra=200612/299

Regards,

Brian.



Re: VPN solutions for OpenBSD to Windows

2006-12-22 Thread Joachim Schipper
On Fri, Dec 22, 2006 at 01:41:05PM +0800, Lars Hansson wrote:
 On Friday 22 December 2006 13:03, [EMAIL PROTECTED] wrote:
  What of the built-in VPN client for the Windows OS?
 
 While it works it suffers mainly from two things; being confusing to
 configure and lacking strong ciphers (you only get DES and 3DES).

I'll second this, but with the footnote that 3DES is not so much
insecure as it is slow.

Joachim



Re: VPN solutions for OpenBSD to Windows

2006-12-22 Thread Peter Landry
I second that -- OpenVPN is great. Easy and quick to set up, clients for
most OSes (and you can re-use the config files across OSes; that was a
nice bonus when the boss wanted his Mac to connect to the VPN). Unless
there's another requirement that means you can't use OpenVPN, you should
check it out.




Re: VPN solutions for OpenBSD to Windows

2006-12-22 Thread Michael Alaimo

I would also agree that OpenVPN is nice and fairly simple to set up...
I use it and enjoy it.
The only problem I could point out about OpenVPN is that it cannot
interact with other VPNs, i.e. Openswan or other hardware/software
solutions running IPsec.

Please correct me if I am wrong.

Amedeo






VPN solutions for OpenBSD to Windows

2006-12-21 Thread pmatulis
Hi gang,

I'm looking for peoples' experiences and advice for setting up a VPN between 
OpenBSD (I will be using 4.0) and Windows XP/2000 systems.  I have tested the 
Greenbow client and it seems ok.  What of the built-in VPN client for the 
Windows OS?  I am mostly interested in ease of configuration and reliability of 
the tunnel.  I am ok on IPSEC theory.

Thanks in advance for any comments,

Peter



Re: VPN solutions for OpenBSD to Windows

2006-12-21 Thread Edy

Hi Peter,

Have you looked at OpenVPN?

Please check out this document

http://blog.innerewut.de/articles/2005/07/04/openvpn-2-0-on-openbsd

Cheers,
Edy





Re: VPN solutions for OpenBSD to Windows

2006-12-21 Thread Lars Hansson
On Friday 22 December 2006 13:03, [EMAIL PROTECTED] wrote:
 What of the built-in VPN client for the Windows OS?

While it works it suffers mainly from two things; being confusing to configure 
and lacking strong ciphers (you only get DES and 3DES).

---
Lars Hansson



Re: VPN solutions for OpenBSD to Windows

2006-12-21 Thread pmatulis
- Original Message -
From: Edy [EMAIL PROTECTED]
Date: Friday, December 22, 2006 12:17 am
Subject: Re: VPN solutions for OpenBSD to Windows
To: [EMAIL PROTECTED]: misc@openbsd.org

 Hi Peter,

 Have you looked at OpenVPN?

 Please check out this document

 http://blog.innerewut.de/articles/2005/07/04/openvpn-2-0-on-openbsd

 Cheers,
 Edy

 [EMAIL PROTECTED] wrote:
  Hi gang,

  I'm looking for peoples' experiences and advice for setting up a VPN
  between OpenBSD (I will be using 4.0) and Windows XP/2000 systems.  I
  have tested the Greenbow client and it seems ok.  What of the built-in
  VPN client for the Windows OS?  I am mostly interested in ease of
  configuration and reliability of the tunnel.  I am ok on IPSEC theory.

  Thanks in advance for any comments,

Sorry, I should have specified that I would like to use OpenBSD's
native VPN implementation.  Of course, if that is not feasible then I will
definitely take a look at OpenVPN.

Peter



Re: VPN solutions for OpenBSD to Windows

2006-12-21 Thread Axton

The Greenbow client is definitely easier to use than the built-in MS IPsec
client, and offers a lot more in terms of capabilities.  There are some
limitations on the MS client as far as what types of encryption you can use
with the Phase 1/2 negotiations.

With the Windows client, there are two approaches I've used to establish
IPsec tunnels: (1) the IPsec MMC snap-in and (2) the command line method
(via the Windows support tools).  In either case, there is no clear way to
see that a tunnel is established or to close the tunnel.  It's clear to the
savvy user how to close a tunnel, but if you are looking to deploy it to
a regular user base, it probably won't be so clear.

With the MMC snap-in, you can export the settings, then another user can
import those settings, at which point only minor changes are required to
make it work (configure the IP for your end of the tunnel).  The same
applies to the command line approach.

Axton Grams



Re: VPN: solutions that interoperate with win xp

2005-12-20 Thread Stuart Henderson
  i have also setup openvpn, which works great for me from home, and i have
  been able to successfully get this working. however, one of the users that
  connects to my VPN is having problems making openvpn and his kerio firewall
  play nice, and a working openvpn configuration cannot survive a reboot due
  to win xp being such a great OS.
  
 
 I would definitely stick with the openvpn solution. It's simpler to
 implement, and I didn't understand the part that the configuration
 cannot survive a reboot. Is this a problem on the user side? If it is,
 the same potential to damage the openvpn setup could be used to damage
 the ipsec setup.

The same problem probably won't affect ipsec, since there's no extra
network interface involved there.  http://openvpn.se/xpsp2_problem.html

 Yes, that's another advantage, it use only ONE port, and is NAT
 friendly.

This is no different to ipsec nat-t. There are both advantages
and disadvantages with ipsec, openvpn, and openssh tun-forwarding.
Use what fits best for the job...



Re: VPN: solutions that interoperate with win xp

2005-12-20 Thread Giancarlo Razzolini
Stuart Henderson wrote:
  The same problem probably won't affect ipsec, since there's no extra
 network interface involved there.  http://openvpn.se/xpsp2_problem.html

I meant that if one user can misconfigure the openvpn setup, he or she
have the same potential to misconfigure the ipsec setup.

 This is no different to ipsec nat-t. There are both advantages
 and disadvantages with ipsec, openvpn, and openssh tun-forwarding.
 Use what fits best for the job...
 
I see one difference: AFAIK when you are using ipsec with nat-t, you
have to give up some of the protection that the AH gives to you, and you
stay only with the full ESP protection. With openvpn, you use the
tls-auth directive and have the same level of protection that AH
provides you. Implementing and keeping an IPSEC solution is far more
complex than an openvpn solution, so I would definitely try the openvpn
solution.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Ste Jones
On 12/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 heya,

 i've been grinding away to get a VPN setup where i can have win xp clients
 connect to my openbsd firewall and access the network behind it. i have tried
 a number of things, none of which have yet worked for all my users. i am very
 much interested in hearing from other admins who have currently working
 solutions along these lines. i have setup isakmpd between my home and my
 business location, so i know i am not a complete idiot when it comes to this
 stuff ;).

 when i tried to use the native windows IPsec implementation, both as described
 in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was
 not able to get anywhere. when i used ipseccmd.exe, it would not give me any
 useful debugging outputs and crashed a couple times while i was trying to set
 this up. i would very much like to have a setup using the native IPsec in win
 xp, but am utterly in the dark as to the win xp configuration side of things.

 i have also setup openvpn, which works great for me from home, and i have been
 able to successfully get this working. however, one of the users that connects
 to my VPN is having problems making openvpn and his kerio firewall play nice,
 and a working openvpn configuration cannot survive a reboot due to win xp
 being such a great OS.

 i am also aware of the green bow VPN client that is known to interoperate
 with isakmpd. i have avoided using this solution since i know it to be a
 resource hog on win xp. anybody else's views on this software would be nice.

 anything that you think could help me get a VPN with win xp talking to my
 openbsd firewall would be awesome. i would love a howto for the win xp boxes,
 but a smack with the cluestick is likely all i need. it would be nice for this
 to NOT use certificates, as i'd like to get a shared secret setup working
 first, then switch to certs later.

 cheers,
 jake



Hello

I am looking at doing the same thing, from a conversation i had over
the weekend i think you need to use virtual-id's and run proxy arp on
the internal interface.

Hope that helps
Cheers
Steve



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Heinrich Rebehn




Hi jake,

I have been successfully using the Windows XP native IPSec client for 
some 2 years now. There is a good configuration tool at 
http://vpn.ebootis.de/ which reads a configuration file and executes the 
ipseccmd commands needed for setting up the tunnel. The latest version is 
2.2; I am using 2.1.4.


You do need XP Service Pack 2. Also you must install the windows support 
tools as mentioned on Marcus' web page. Note that if you already 
installed them before installing SP2, you must also upgrade the support 
tools after installing SP2.


As for windows debug output, look for oakley log in 
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx


This works with certificates (somewhat tricky to set up) as well as with 
a preshared secret.


HTH,
Heinrich
--

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread raff
[EMAIL PROTECTED] wrote:
 heya,
 
 i've been grinding away to get a VPN setup where i can have win xp clients
 connect to my openbsd firewall and access the network behind it. i have tried 
 a
 number of things, none of which have yet worked for all my users. i am very 
 much
 interested in hearing from other admins who have currently working solutions
 along these lines. i have setup isakmpd between my home and my business
 location, so i know i am not a complete idiot when it comes to this stuff ;).
 

As for me, the howto described in http://openbsd.cz/~pruzicka/vpn.html works
with no problems.
Here are my config files:

##isakmpd.conf##

[General]
Policy-file=    /etc/isakmpd/isakmpd.policy
Retransmits=    4
Listen-On=      ext_if_ip

[Phase 1]
# the XP client's external address maps to its Phase 1 section below
peer_ext_ip=    peer1

[Phase 2]
Passive-Connections=    peer2

[peer1]
Phase=          1
Transport=      udp
Configuration=  Default-main-mode
Authentication= somepass

[peer2]
Phase=          2
ISAKMP-peer=    peer1
Configuration=  Default-quick-mode
Local-ID=       local-net
Remote-ID=      peer-net

[peer-net]
ID-type=        IPV4_ADDR
Address=        peer_ext_ip

[local-net]
ID-type=        IPV4_ADDR_SUBNET
Network=        192.168.1.0
Netmask=        255.255.255.0

[Default-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     3DES-SHA-GRP2

[Default-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-3DES-SHA-SUITE

##isakmpd.policy##

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:somepass"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

##xp settings##

ipseccmd.exe -u
ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -t obsd_ext_ip -n ESP[3DES,SHA] -a PRESHARE:"somepass" -1s 3DES-SHA-2
ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -t xp_client_local_ip -n ESP[3DES,SHA] -a PRESHARE:"somepass" -1s 3DES-SHA-2

If you want to preserve the ipseccmd settings (e.g. after a reboot) you can
add '-w reg -p somename' to your command line to store them in the
Windows registry, so they'll also be visible via the MMC IPsec console.

On the OpenBSD firewall you have to pass traffic on enc0 and, on ext_ip, incoming
UDP on port 500 (and 4500 if your XP clients are behind NAT, which
changes source port numbers).

read also:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipsecmd.mspx
http://support.microsoft.com/default.aspx?kbid=885407

hope it will help you.
sorry for my english ;)

--
raff



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Greg Mortensen

On Sun, 18 Dec 2005, [EMAIL PROTECTED] wrote:


i would love a howto for the win xp boxes ...


  Charles Dietlein has written a document[1] detailing how to get WinXP's 
native IPSec talking with OpenBSD, using MMC and the IPSec snap-in. (While 
its focus is replacing WEP with IPSec, the information is relevant to 
your situation.)


  Regards,
Greg

[1] http://www.dietlein.com/requisites/ipsec/




Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Giancarlo Razzolini
[EMAIL PROTECTED] wrote:

 i have also setup openvpn, which works great for me from home, and i have been
 able to successfully get this working. however, one of the users that connects
 to my VPN is having problems making openvpn and his kerio firewall play nice,
 and a working openvpn configuration cannot survive a reboot due to win xp
 being such a great OS.
 

I would definitely stick with the openvpn solution. It's simpler to
implement, and I didn't understand the part that the configuration
cannot survive a reboot. Is this a problem on the user side? If it is,
the same potential to damage the openvpn setup could be used to damage
the ipsec setup. And I do have many clients of mine that use an openvpn
solution on Windows XP without problems. You can even make your own
installation package
(http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html),
that places your certificates and conf files in the right place, so the
setup can be corrected with a few clicks by the user. It can even run
without administrator rights
(http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html).

Now about the Kerio firewall, you should try to completely disable the
filtering on the tun/tap interface and/or disable filtering on
the port that openvpn uses. Yes, that's another advantage: it uses only
ONE port, and is NAT friendly. So I always recommend openvpn.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: VPN: solutions that interoperate with win xp

2005-12-19 Thread Dag Richards

Heinrich Rebehn wrote:

[EMAIL PROTECTED] wrote:


heya,

i've been grinding away to get a VPN setup where i can have win xp clients
connect to my openbsd firewall and access the network behind it. i have tried a
number of things, none of which have yet worked for all my users. i am very much
interested in hearing from other admins who have currently working solutions
along these lines. i have setup isakmpd between my home and my business
location, so i know i am not a complete idiot when it comes to this stuff ;).

when i tried to use the native windows IPsec implementation, both as described
in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not
able to get anywhere. when i used ipseccmd.exe, it would not give me any useful
debugging outputs and crashed a couple times while i was trying to set this up.
i would very much like to have a setup using the native IPsec in win xp, but am
utterly in the dark as to the win xp configuration side of things.

i have also setup openvpn, which works great for me from home, and i have been
able to successfully get this working. however, one of the users that connects
to my VPN is having problems making openvpn and his kerio firewall play nice,
and a working openvpn configuration cannot survive a reboot due to win xp being
such a great OS.

i am also aware of the green bow VPN client that is known to interoperate with
isakmpd. i have avoided using this solution since i know it to be a resource hog
on win xp. anybody else's views on this software would be nice.

anything that you think could help me get a VPN with win xp talking to my
openbsd firewall would be awesome. i would love a howto for the win xp boxes,
but a smack with the cluestick is likely all i need. it would be nice for this
to NOT use certificates, as i'd like to get a shared secret setup working first,
then switch to certs later.

cheers,
jake



Hi jake,

I have been successfully using the Windows XP native IPSec client for 
some 2 years now. There is a good configuration tool at 
http://vpn.ebootis.de/ which reads a configuration file and executes the 
ipseccmd commands needed for setting up the tunnel. Latest version is 
2.2, i am using 2.1.4.


You do need XP Service Pack 2. Also you must install the windows support 
tools as mentioned on Marcus' web page. Note that if you already 
installed them before installing SP2, you must also upgrade the support 
tools after installing SP2.


As for windows debug output, look for oakley log in
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx

This works with certificates (somewhat tricky to setup) as well as with 
preshared secret.


HTH,
Heinrich


The tool mentioned by Heinrich has worked for me quite well. I
have used it against a Linux FreeS/WAN server for three years, and OBSD
for the last six months. The following link explains how to use x509
certs http://mirror.huxley.org.ar/ipsec/isakmpd.htm

The script he provided on the page had a small typo that prevented it
from working, he seems to have fixed it now.  You will find certs to be
simple actually, more secure, and easier to manage.

Although I have yet to get a certificate revocation list to work with
isakmpd.


VPN: solutions that interoperate with win xp

2005-12-18 Thread dick

heya,

i've been grinding away to get a VPN setup where i can have win xp clients
connect to my openbsd firewall and access the network behind it. i have tried a
number of things, none of which have yet worked for all my users. i am very much
interested in hearing from other admins who have currently working solutions
along these lines. i have setup isakmpd between my home and my business
location, so i know i am not a complete idiot when it comes to this stuff ;).

when i tried to use the native windows IPsec implementation, both as described
in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not
able to get anywhere. when i used ipseccmd.exe, it would not give me any useful
debugging outputs and crashed a couple times while i was trying to set this up.
i would very much like to have a setup using the native IPsec in win xp, but am
utterly in the dark as to the win xp configuration side of things.

i have also setup openvpn, which works great for me from home, and i have been
able to successfully get this working. however, one of the users that connects
to my VPN is having problems making openvpn and his kerio firewall play nice,
and a working openvpn configuration cannot survive a reboot due to win xp being
such a great OS.

i am also aware of the green bow VPN client that is known to interoperate with
isakmpd. i have avoided using this solution since i know it to be a resource hog
on win xp. anybody else's views on this software would be nice.

anything that you think could help me get a VPN with win xp talking to my
openbsd firewall would be awesome. i would love a howto for the win xp boxes,
but a smack with the cluestick is likely all i need. it would be nice for this
to NOT use certificates, as i'd like to get a shared secret setup working first,
then switch to certs later.

cheers,
jake