Reyk Floeter wrote:
On Fri, Nov 03, 2006 at 12:35:55AM +0000, Paul Civati wrote:
My understanding is, if you want to support the simple connection
of Windows clients, using the built-in VPN connector (eg. control panel -> network -> make new connection -> VPN -> L2TP), the server side needs:


1. IPSec VPN transport mode, most likely with dynamic IP endpoint
2. L2TP tunneling daemon
3. PPP daemon


no. you don't need l2tp + ppp. you're not talking about the built-in
ipsec support, you're talking about a stupid wizard...

starting with windows 2000, it is possible to use the built-in ipsec
support. it is a bit hidden and the configuration is painful, but it
actually works... you can configure it from the system management
console or by executing "system32\secpol.msc".

you can find some details on the openbsd-support.com website about
mtu's approach to connect windows clients to openbsd ipsec gateways:
  http://www.openbsd-support.com/jp/en/htm/mgp/pacsec05/index.html

reyk


I use the following little script to start up ipsec on my w2k and xp clients. Preshared key is in a file c:\vpn\key.

Running with certs is also fairly simple.
This link http://vpn.ebootis.de/ will show you how to configure the windowze side. Configure the OBSD side as per the manpage. I have clients using the preshared method to AIX boxen, and others using x509 to an OBSD gateway.


mordred:root:/home/drichard # cat ipseccmds.bat
@ECHO OFF

REM Read the pre-shared key (first token of c:\vpn\key) into %prekey%;
REM without a key there is nothing to configure, so bail out.
if exist "c:\vpn\key" (
        for /f "tokens=1" %%a in ('type c:\vpn\key') do (set prekey=%%a)
) ELSE (
        echo "No Key no encrypty! EXITING"
        GOTO END
)

REM Local host name, used as the filter source/destination below
for /f "tokens=1" %%a in ('hostname') do (set hostname=%%a)

if EXIST "C:\Program Files\Support Tools\ipseccmd.exe" (

        REM this is an XP machine then
        SET PATH=%PATH%;C:\Program Files\Support Tools

        REM Policy BobSwan: rule Host-arthur (this host -> cqaddr) and rule
        REM arthur-Host (cqaddr -> this host), tunnel endpoint given by -t,
        REM ESP with MD5/3DES, authenticated with the key read from c:\vpn\key
        ipseccmd -w REG -p BobSwan -r Host-arthur -t cqaddr -f %hostname%/255.255.255.255=cqaddr/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:""%prekey%"" -lan
        ipseccmd -w REG -p BobSwan -r arthur-Host -t %hostname% -f cqaddr/255.255.255.255=%hostname%/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:""%prekey%"" -lan

        REM -x assigns (activates) the policy
        ipseccmd -w REG -p BobSwan -x
        GOTO END

) ELSE (

        IF EXIST "C:\Program Files\Resource Kit\ipsecpol.exe" (

                REM w2k: same rules, ipsecpol from the Resource Kit instead
                SET PATH=%PATH%;C:\Program Files\Resource Kit

                ipsecpol -w REG -p BobSwan -r Host-arthur -t cqaddr -f %hostname%/255.255.255.255=cqaddr/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:""%prekey%"" -lan
                ipsecpol -w REG -p BobSwan -r arthur-Host -t %hostname% -f cqaddr/255.255.255.255=%hostname%/255.255.255.255 -n ESP[MD5,3DES] -a PRESHARE:""%prekey%"" -lan

                ipsecpol -w REG -p BobSwan -x

        ) ELSE (
                ECHO "Don't know what you are running no ipsec tools installed"
        )

)

:END
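
A matching policy for the OpenBSD side, as an added example that is not part of the thread or of the script above: the addresses are placeholders, the phase 2 algorithms mirror the ESP[MD5,3DES] proposal in the batch script, tunnel mode is used because the Windows rules set a tunnel endpoint with -t, and the main-mode line assumes the client's default 3DES/SHA1/DH group 2 offer.

```conf
# /etc/ipsec.conf on the OpenBSD gateway (added example; placeholder addresses)
gw  = "192.0.2.1"     # gateway address, stands in for "cqaddr" in the batch script
win = "192.0.2.50"    # one Windows client, stands in for %hostname%

# Wait for the client to initiate (passive).  The two Windows rules
# (Host-arthur and arthur-Host) are one bidirectional flow here.
# Phase 1 = 3DES/SHA1/group 2 (assumed client default), phase 2 = ESP[MD5,3DES].
ike passive esp tunnel from $gw to $win \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des \
        psk "REPLACE_WITH_CONTENTS_OF_c:\vpn\key"

# x509 variant: drop psk, put the CA in /etc/isakmpd/ca/, the gateway's
# certificate in /etc/isakmpd/certs/ and its key in /etc/isakmpd/private/,
# and name the peers by the identities in their certificates (placeholders).
# ike passive esp tunnel from $gw to $win \
#         main auth hmac-sha1 enc 3des group modp1024 \
#         quick auth hmac-md5 enc 3des \
#         srcid gw.example.org dstid win.example.org
```

Load it with isakmpd -K followed by ipsecctl -f /etc/ipsec.conf, and check the negotiated SAs and flows with ipsecctl -sa.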
