[Openswan Users] Help for Pocket PC 2003
Jacco de Leeuw
jacco2 at dds.nl
Thu Aug 25 19:00:53 CEST 2005
Michael Tinsay wrote:
> I have a need to connect PocketPC-based clients
> for our field guys.
>
> "roadwarrior"[2] 202.57.98.70:12563 #2: NAT-Traversal:
> Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is
> NATed
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
You need to exclude the internal subnet of the Openswan server here,
e.g. add:
... ,%v4:!192.168.1.0/24
> conn roadwarrior
> authby=secret
>
> My test server is running on Trustix v2.2, kernel
> 2.4.31, and openswan 2.2.0
There seem to be NAT-T issues with Pocket PC clients and KLIPS
while authenticating through a PSK (according to my own notes).
You could either:
- upgrade to a 2.6 kernel with NETKEY
- switch to certificates instead of a PSK
- avoid NAT
- buy third-party IPsec clients
Regarding the second option, I have made a program that can be used to
install certificates on Pocket PC 2003 (Crtimprt) but the procedure is
a bit complex. (On the upcoming Windows Mobile 5.0 it should be much
easier to do but nobody has made a program for it yet). However, I just
noticed that the OpenSSL development team has started to pick up support
for Windows CE again. So perhaps some day a program will be available
that can import PKCS#12 files directly on Pocket PC 2003 and higher.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
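
An added example, not part of the original message and not Openswan's own parsing code: a small Python check that reads a virtual_private= value and reports whether a NATed client's internal address would be accepted, showing the effect of the "!" exclusion suggested in the reply. The client addresses are constructed, 192.168.1.0/24 is the example server subnet from the reply, and treating any overlap with an excluded network as a rejection is this example's assumption.

```python
import ipaddress

# virtual_private value quoted in the message, and the same value with the
# exclusion suggested in the reply (192.168.1.0/24 is the reply's example).
ORIGINAL = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"
FIXED = ORIGINAL + ",%v4:!192.168.1.0/24"


def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        family, sep, net = entry.partition(":")
        if not sep or family not in ("%v4", "%v6"):
            raise ValueError(f"unrecognised entry: {entry!r}")
        negate = net.startswith("!")
        network = ipaddress.ip_network(net[1:] if negate else net)
        if network.version != (4 if family == "%v4" else 6):
            raise ValueError(f"address family mismatch: {entry!r}")
        (excluded if negate else allowed).append(network)
    return allowed, excluded


def client_subnet_accepted(value, client_net):
    """True if client_net lies inside an allowed network and touches no excluded one."""
    allowed, excluded = parse_virtual_private(value)
    net = ipaddress.ip_network(client_net)
    # Assumption of this example: any overlap with an excluded network rejects.
    if any(net.version == x.version and net.overlaps(x) for x in excluded):
        return False
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


if __name__ == "__main__":
    # Constructed client addresses behind NAT.
    for client in ("192.168.1.50/32", "192.168.0.10/32", "10.1.2.3/32", "203.0.113.5/32"):
        print(client,
              "original:", client_subnet_accepted(ORIGINAL, client),
              "with exclusion:", client_subnet_accepted(FIXED, client))
```

A client whose internal address falls inside the server's own LAN passes the original setting and is rejected once the exclusion is added.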