[Openswan Users] Windows XP Roadwarrior (FreeSWAN 2.05 + x509 patch): IPsec policy problem
Jeannot Langlois
jlanglois at actares.com
Mon Jun 21 14:39:03 CEST 2004
Paul Wouters wrote:
Hi Paul,
>On Fri, 18 Jun 2004, Jeannot Langlois wrote:
>
>>1-Using the ipsec.exe tool from Mark Mueller and an ipsec.conf file - it
>>worked;
>>and
>>2-using MMC directly -- which is graphical and easier and doesn't
>>require an ipsec.conf file -- it worked.
>
>Can you tell me how you did 2) ? Would you be able to provide screen shots?
>
Of course :).
But as my experiments aren't quite over yet, I'd like to finish them
first so I could document everything a little more globally (Windows
2000 and Windows XP).
So far I have managed to test the following:
Win2K: ipsec.exe ok, mmc ok, rw to rw tunnel: ok, rw to subnet tunnel:
NOT tested
WinXP: ipsec.exe ok, mmc NOT ok, rw to rw tunnel: ok, rw to subnet
tunnel: NOT tested
As you see, I still have to perform some minor modifications on the
freeswan side so the world (0.0.0.0/0) subnet is accessible. That
should be a no-brainer, but I want to make sure everything works
properly as expected before starting to document the process
(configuration changes will be necessary on the windows side too).
If you could provide some website to host this documentation, I'd be
glad to send it to you (most probably around July 1st - I believe that
by this date I should have figured most missing pieces).
>We did make 1) easier by creating our certimport.exe tool to import the X509
>certificate, but I am very interested in how you configured everything fully
>through the mmc without using ipsec.exe.
>
Okee. This isn't THAT complicated, but there are a few things necessary
to know (at least that's what I've found yet in Win2K... let's hope
things can work similarly in WinXP).
>
>> PFS : y
>> Auto : start
>> Auth.Mode : MD5
>> Rekeying : 3600S/50000K
>>Error 0xcbbb0012 occurred:
>>
>>The authentication method specified is invalid or unsupported.
>
>>conn rw
>> left=%any
>> right=192.168.89.1
>> rightca="C=CA,L=Amos,O=Actares Inc,OU=Security,CN=certificates,emailAddress=security at actares.com"
>> network=auto
>> auto=start
>> pfs=yes
>
>An earlier post about this suggested trying to change "emailAddress" to "E"
>
Yeps, as I posted yesterday on the mailing list, that's exactly what I
did and it worked eheheh :).
>>*NOTHING* gets logged to the Oakley log from the Windows XP machine
>>(except when deleting and refreshing IPsec tunnel policies, of course.
>
>Odd.
>
The "E" trick solved this on WinXP... but it did NOT solve my MMC problem.
>
>>On the Windows 2000 host however, in "TCP/IP properties" >> "Advanced"
>> >> "Options" I can clearly see BOTH "TCP/IP Filtering" and "IP
>>Security" options. The latter allows me to use the "IPsec tunnel"
>>policy I've defined in MMC.
>
>Perhaps XP Home edition has no ipsec?
>
>Paul
>
Hmmm, this is WinXP Pro edition, and ipsec.exe works. I still don't
get why this "IP security" option is missing though.
Talk to you later - thanks for your input! :)
--
Jeannot Langlois
Programmeur-Analyste / Software Developer
Administrateur Systeme/Reseau / System/Network Administrator
jlanglois AT actares DOT com
http://www.actares.com
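The thread's fix for the "authentication method specified is invalid or unsupported" error was to write the CA DN with the attribute type `E` instead of `emailAddress` in the Windows-side ipsec.conf. The script below is an added illustration of that rewrite, not code from the thread or from the ipsec.exe tool: it parses the `rightca`/`leftca` lines of an ipsec.conf-style file, splits the DN into RDNs (honouring backslash-escaped commas), renames only the `emailAddress` attribute type and leaves every other key and value untouched. The sample configuration embedded in it is constructed to mirror the conn block quoted above, with the address replaced by an example.com placeholder.

```python
"""Rewrite the DN attribute type 'emailAddress' to 'E' in the rightca/leftca
values of an ipsec.conf-style file, which is the workaround the thread found
for the Windows IPsec policy agent rejecting the CA DN.  Added example, not
part of the original mail."""
import re

# Constructed sample modelled on the conn block quoted in the thread.
# The e-mail address is a placeholder, not the one from the message.
SAMPLE_CONF = """conn rw
 left=%any
 right=192.168.89.1
 rightca="C=CA,L=Amos,O=Actares Inc,OU=Security,CN=certificates,emailAddress=security@example.com"
 network=auto
 auto=start
 pfs=yes
"""

# Only the DN-valued keys named in the thread are touched.
DN_KEYS = ("rightca", "leftca")
LINE_RE = re.compile(r'^(\s*)(' + "|".join(DN_KEYS) + r')\s*=\s*"?([^"]*)"?\s*$')


def split_dn(dn):
    """Split 'T1=v1,T2=v2,...' into (type, value) pairs.  A comma preceded
    by a backslash is part of the value, not an RDN separator."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep escape and escaped char
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def join_dn(pairs):
    """Inverse of split_dn; values are emitted exactly as parsed."""
    return ",".join(f"{t}={v}" for t, v in pairs)


def normalise_dn(dn):
    """Rename the attribute type 'emailAddress' (any case) to 'E'."""
    return join_dn([("E" if t.lower() == "emailaddress" else t, v)
                    for t, v in split_dn(dn)])


def rewrite_conf(text):
    """Return (rewritten text, number of DN lines changed).  Lines other
    than rightca/leftca pass through verbatim."""
    out, changed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            indent, key, dn = m.groups()
            new_dn = normalise_dn(dn)
            if new_dn != dn:
                changed += 1
            line = f'{indent}{key}="{new_dn}"'
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    fixed, n = rewrite_conf(SAMPLE_CONF)
    print(f"{n} DN line(s) rewritten:\n{fixed}")
```

Run it over an existing file by replacing `SAMPLE_CONF` with the file's contents; the function reports how many DN lines it changed so an unchanged count makes it obvious the DN was already in the form Windows accepts.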