[Openswan Users] Success with Windows Vista
Jacco de Leeuw
jacco2 at dds.nl
Sun Nov 5 17:13:50 EST 2006
I downloaded Windows Vista RC2 from the Microsoft website a while ago,
and decided to give it a spin. Here's the write-up:
In a nutshell, there's good news and there's bad news. First the good news:
- Vista worked out of the box with the L2TP/IPsec setup described in the
Openswan book and on my webpage.
- By default it uses strong crypto, i.e. AES-128, SHA-1, DH group 14 etc.
- It now verifies the hostname in the server certificate (subjectAltName),
similar to what MacOS X does. This setting can be disabled, though, so
you get the old Windows 2000/XP behaviour back.
Of course, it's not all smooth sailing:
- There is (currently) little to no documentation. I find the user interface
less intuitive and less userfriendly than, say, Windows 2000/XP or the
Mac. Sometimes I wonder if the VPN user-interface is just confusing or
plain out buggy...
- Microsoft have "embraced and extended" IKE and called it AuthIP:
I don't know what the idea behind this is...
- VPN connections are now set to PPTP by default, instead of the more secure
L2TP/IPsec (like Windows 2000/XP).
- Vista cannot connect to an L2TP/IPsec server that is behind NAT. Windows XP
SP2 could not do that either, but at least there is a registry patch for XP
that fixes this. No such thing for Vista.
- I can't get it configured to use even stronger crypto, such as AES-256.
- Vista's kernel protection makes it hard to write a third-party IPsec client.
(Ask McAfee and Symantec). You'll probably be stuck with PPTP and L2TP/IPsec
for some time.
I have not looked into everything new. For instance, there seems to be
CRL checking in Vista but it's not even clear what the default is, enabled
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
More information about the Users