<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
I'd really like to use the windows built in client but we've had no
success with Windows XP. With 2000 I can establish and SA but with XP
it just fails between the R1 and R2. <br>
<br>
Feb 26 12:42:18 liberator pluto[6837]: "l2tpwinxp"[3] IP #470:
responding to Main Mode from unknown peer IP<br>
Feb 26 12:42:18 liberator pluto[6837]: "l2tpwinxp"[3] IP #470:
transition from state (null) to state STATE_MAIN_R1<br>
Feb 26 12:42:19 liberator pluto[6837]: "l2tpwinxp"[3] IP #470:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
NATed<br>
Feb 26 12:42:19 liberator pluto[6837]: "l2tpwinxp"[3] IP #470:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Feb 26 12:42:19 liberator pluto[6837]: "l2tpwinxp"[3] IP #470:
discarding duplicate packet; already STATE_MAIN_R2<br>
Feb 26 12:43:29 liberator pluto[6837]: "l2tpwinxp"[3] IP #470: max
number of retransmissions (2) reached STATE_MAIN_R2<br>
Feb 26 12:43:29 liberator pluto[6837]: "l2tpwinxp"[3] IP: deleting
connection "l2tpwinxp" instance with peer IP<br>
<br>
XP just doesn't want to preset it's certificate or something.<br>
<br>
ipsec.conf:<br>
<br>
conn l2tpwinxp<br>
authby=rsasig<br>
left=IP<br>
leftnexthop=209.19.183.65<br>
leftcert=certs/liberator.pem<br>
right=%any<br>
rightrsasigkey=%cert<br>
rightsubnetwithin=0/0<br>
leftprotoport=17/1701<br>
rightprotoport=17/1701<br>
auto=ignore<br>
keyingtries=3<br>
#esp=aes128,3des<br>
pfs=no<br>
<br>
Thanks,<br>
David<br>
<br>
Nate Carlson wrote:<br>
<blockquote
cite="midPine.LNX.4.58.0402251251290.31747@conformity.technicality.org"
type="cite">
<pre wrap="">On Wed, 25 Feb 2004, David Prestwich wrote:
</pre>
<blockquote type="cite">
<pre wrap="">We've had great success using openswan for all our vpn connections and
would like to get some input on good windows based clients such as SSH
Sentinel (if they still are around) etc. I'm willing to pay for the
product so cost doesn't matter, just looking for something out there
that has had the best success as a client working with openswan. I'd
prefer a place that I could get the demo first and test out with our
certificates. So if you know of the demo let me know.
</pre>
</blockquote>
<pre wrap=""><!---->
One option is to use Windows' built-in l2tp-over-ipsec client. The only
real difficult part of using it is importing the cert; but that can be
documented for your users fairly easily. With the ipsec updates that MS
released for 2000/XP, it works fairly well with NAT and everything, too.
The downside to this is you have to run a l2tp daemon, and it's kind of
hard to debug problems.
------------------------------------------------------------------------
| nate carlson | <a class="moz-txt-link-abbreviated" href="mailto:natecars@natecarlson.com">natecars@natecarlson.com</a> | <a class="moz-txt-link-freetext" href="http://www.natecarlson.com">http://www.natecarlson.com</a> |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------
</pre>
</blockquote>
<br>
</body>
</html>