[Openswan Users] Looking for windows XP client
David Prestwich
dprestwich at pacsim.com
Thu Feb 26 13:24:52 CET 2004
I'd really like to use the windows built in client but we've had no
success with Windows XP. With 2000 I can establish an SA but with XP
it just fails between the R1 and R2.
Feb 26 12:42:18 liberator pluto[6837]: "l2tpwinxp"[3] IP #470: responding to Main Mode from unknown peer IP
Feb 26 12:42:18 liberator pluto[6837]: "l2tpwinxp"[3] IP #470: transition from state (null) to state STATE_MAIN_R1
Feb 26 12:42:19 liberator pluto[6837]: "l2tpwinxp"[3] IP #470: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 26 12:42:19 liberator pluto[6837]: "l2tpwinxp"[3] IP #470: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 26 12:42:19 liberator pluto[6837]: "l2tpwinxp"[3] IP #470: discarding duplicate packet; already STATE_MAIN_R2
Feb 26 12:43:29 liberator pluto[6837]: "l2tpwinxp"[3] IP #470: max number of retransmissions (2) reached STATE_MAIN_R2
Feb 26 12:43:29 liberator pluto[6837]: "l2tpwinxp"[3] IP: deleting connection "l2tpwinxp" instance with peer IP
XP just doesn't want to present its certificate or something.
ipsec.conf:
conn l2tpwinxp
    authby=rsasig
    left=IP
    leftnexthop=209.19.183.65
    leftcert=certs/liberator.pem
    right=%any
    rightrsasigkey=%cert
    rightsubnetwithin=0/0
    leftprotoport=17/1701
    rightprotoport=17/1701
    auto=ignore
    keyingtries=3
    #esp=aes128,3des
    pfs=no
Thanks,
David
Nate Carlson wrote:
>On Wed, 25 Feb 2004, David Prestwich wrote:
>
>>We've had great success using openswan for all our vpn connections and
>>would like to get some input on good windows based clients such as SSH
>>Sentinel (if they still are around) etc. I'm willing to pay for the
>>product so cost doesn't matter, just looking for something out there
>>that has had the best success as a client working with openswan. I'd
>>prefer a place that I could get the demo first and test out with our
>>certificates. So if you know of the demo let me know.
>
>One option is to use Windows' built-in l2tp-over-ipsec client. The only
>real difficult part of using it is importing the cert; but that can be
>documented for your users fairly easily. With the ipsec updates that MS
>released for 2000/XP, it works fairly well with NAT and everything, too.
>
>The downside to this is you have to run a l2tp daemon, and it's kind of
>hard to debug problems.
>
>------------------------------------------------------------------------
>| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
>| depriving some poor village of its idiot since 1981 |
>------------------------------------------------------------------------
>
>
>
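
Added example (not part of the original message and not Openswan code): a small Python parser for pluto log lines like those quoted above, reporting the Main Mode state in which each timed-out negotiation stalled and whether NAT was detected. The sample log is constructed; 192.0.2.x addresses, the "l2tpwin2k" connection, the function name and the state descriptions are this example's own assumptions.

```python
import re

# Constructed sample in the pluto log format quoted above (wrapped lines joined).
# 192.0.2.x are documentation addresses; "l2tpwin2k" #471 is an invented success case.
SAMPLE_LOG = """\
Feb 26 12:42:18 liberator pluto[6837]: "l2tpwinxp"[3] 192.0.2.10 #470: transition from state (null) to state STATE_MAIN_R1
Feb 26 12:42:19 liberator pluto[6837]: "l2tpwinxp"[3] 192.0.2.10 #470: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 26 12:42:19 liberator pluto[6837]: "l2tpwinxp"[3] 192.0.2.10 #470: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 26 12:42:19 liberator pluto[6837]: "l2tpwinxp"[3] 192.0.2.10 #470: discarding duplicate packet; already STATE_MAIN_R2
Feb 26 12:43:29 liberator pluto[6837]: "l2tpwinxp"[3] 192.0.2.10 #470: max number of retransmissions (2) reached STATE_MAIN_R2
Feb 26 12:50:02 liberator pluto[6837]: "l2tpwin2k"[1] 192.0.2.20 #471: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 26 12:50:03 liberator pluto[6837]: "l2tpwin2k"[1] 192.0.2.20 #471: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"""

LINE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<serial>\d+): (?P<msg>.*)')
TRANSITION = re.compile(r'transition from state \S+ to state (STATE_\w+)')
TIMEOUT = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')

# What an IKEv1 Main Mode responder is still waiting for in each state.
WAITING_FOR = {
    "STATE_MAIN_R1": "initiator's 2nd message (key exchange, nonce)",
    "STATE_MAIN_R2": "initiator's 3rd message (identity, certificate, signature)",
}

def find_stalled_negotiations(log_text):
    """Return one dict per negotiation (connection, #serial) that hit the retransmit limit."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-negotiation pluto line
        s = sessions.setdefault((m["conn"], m["serial"]), {
            "conn": m["conn"], "serial": m["serial"], "peer": m["peer"],
            "state": None, "nat": False, "duplicates": 0, "stalled_in": None})
        msg = m["msg"]
        if (t := TRANSITION.search(msg)):
            s["state"] = t.group(1)
        elif "NAT-Traversal" in msg and "peer is NATed" in msg:
            s["nat"] = True
        elif "discarding duplicate packet" in msg:
            s["duplicates"] += 1  # peer resent a message pluto had already handled
        elif (t := TIMEOUT.search(msg)):
            s["stalled_in"] = t.group(2)
            s["waiting_for"] = WAITING_FOR.get(t.group(2), "unknown")
    return [s for s in sessions.values() if s["stalled_in"]]

if __name__ == "__main__":
    for s in find_stalled_negotiations(SAMPLE_LOG):
        print(s)
```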