[Openswan Users] Windows vpn clients

Andreas Steffen andreas.steffen at strongsec.net
Wed Sep 7 21:50:16 CEST 2005


Paul Wouters wrote:
> On Wed, 7 Sep 2005, Norbert Wegener wrote:
> 
>> Hello Andreas,
>> if you configure a VPN connection on a Windows client via DUN, Windows
>> by default creates L2TP/IPsec connections, with IPsec in transport mode.
>> This mode is disabled in strongSwan by default and can only be
>> activated via a compile-time switch. Therefore I wonder,
>> what is the recommended way to set up a VPN with a Windows client and a
>> strongSwan server?
>> Do I need a third-party client for the Windows system?
> 
> 
> If you are happy with X509 based IPsec tunnels, use "lsipsectool.exe" from
> sourceforge.net. It's the best Windows client (for win2k and upwards) that
> uses the native Microsoft IPsec stack and ipsec2k-lib. It does not require
> transport mode, so it has far fewer issues, especially with NAT-T and
> having multiple clients behind the same NAT router.
> 
> If you need L2TP (e.g. you need to get an IP address from your remote network)
> then you will need to go through the Windows wizard, and yes it will use
> transport mode IPsec. It is well documented on Jacco de Leeuw's pages. It
> currently seems to be having some problems in the later openswan-2.4rc trees.
>
> I cannot make any statement on strongswan, since I have no idea what openswan
> fixes get backported to it, since there are no references or attributions to
> openswan in strongswan.

Paul, this is not quite true! Excerpts from the strongSwan ChangeLog:

strongswan-2.5.0

- Applied a one-line patch courtesy of Michael Richardson
   from the Openswan project which fixes the kernel-oops
   in KLIPS when an snmp daemon is running on the same box.

strongswan-2.4.2

- Added two patches by Herbert Xu. The first uses ip xfrm
   instead of setkey to flush the IPsec policy database. The
   second sets the optional flag in inbound IPComp SAs only.

- Applied Ulrich Weber's patch which fixes an interoperability
   problem between native IPsec and KLIPS systems caused by
   setting the replay window to 32 instead of 0 for ipcomp.

strongswan-2.3.1

- Added Ulrich Weber's netlink replay window size and
   maximum udp size patches.

strongswan-2.2.1

- Applied another of Herbert Xu's Netlink patches.

strongswan-2.2.0

- Applied Herbert Xu's patch which sets the compression algorithm correctly.

- Applied Herbert Xu's patch fixing an ESPINUDP problem.

- Applied Herbert Xu's patch setting source/destination port numbers.

- Reapplied one of Herbert Xu's NAT-Traversal patches which got
   lost during the migration from SuperFreeS/WAN.

strongswan-2.1.0

- Fixed cosmetic corruption of /proc filesystem by integrating
   D. Hugh Redelmeier's freeswan-2.06 kernel fixes.

strongswan-2.0.2

- Fixed a couple of 64 bit issues (mostly casts to int).
   Thanks to Ken Bantoft who checked my sources on a 64 bit platform.

- Replaced s[n]printf() statements in the kernel by ipsec_snprintf().
   Credits go to D. Hugh Redelmeier, Michael Richardson, and Sam Sgro
   of the FreeS/WAN team who solved this problem with the 2.4.25 kernel.

strongswan-2.0.1

- Applied Herbert Xu's NAT-T patches which fix NAT-T under the native
   Linux 2.6 IPsec stack.

> 
> Paul

Regards

Andreas

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

