[Openswan Users] Success with Windows Vista

Jacco de Leeuw jacco2 at dds.nl
Sun Nov 5 17:13:50 EST 2006

Hello all,

I downloaded Windows Vista RC2 from the Microsoft website a while ago,
and decided to give it a spin. Here's the write-up:

In a nutshell, there's good news and there's bad news. First the good news:

- Vista worked out of the box with the L2TP/IPsec setup described in the
   Openswan book and on my webpage.

- By default it uses strong crypto, i.e. AES-128, SHA-1, DH group 14 etc.

- It now verifies the hostname in the server certificate (subjectAltName),
   similar to what MacOS X does. This setting can be disabled, though, so
   you get the old Windows 2000/XP behaviour back.

Of course, it's not all smooth sailing:

- There is (currently) little to no documentation. I find the user interface
   less intuitive and less user-friendly than, say, Windows 2000/XP or the
   Mac. Sometimes I wonder if the VPN user interface is just confusing or
   plain buggy...

- Microsoft have "embraced and extended" IKE and called it AuthIP:
   I don't know what the idea behind this is...

- VPN connections are now set to PPTP by default, instead of the more secure
   L2TP/IPsec (like Windows 2000/XP).

- Vista cannot connect to an L2TP/IPsec server that is behind NAT. Windows XP
   SP2 could not do that either, but at least there is a registry patch for XP
   that fixes this. No such thing for Vista.

- I can't get it configured to use even stronger crypto, such as AES-256.

- Vista's kernel protection makes it hard to write a third-party IPsec client.
   (Ask McAfee and Symantec). You'll probably be stuck with PPTP and L2TP/IPsec
   for some time.

I have not looked into everything new. For instance, there seems to be
CRL checking in Vista but it's not even clear what the default is, enabled
or disabled.

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
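The subjectAltName check mentioned above, as an added example that is not part of Jacco's post and not Openswan or Windows code: it models the two client behaviours he contrasts, the strict mode in which the VPN server name must match a dNSName in the server certificate's subjectAltName, and the legacy Windows 2000/XP mode in which the hostname is not checked at all. The SAN entries, hostnames and function names (`SERVER_SAN`, `hostname_matches`, `check_server`) are constructed for the example; a real client would take the dNSName entries from the parsed X.509 certificate.

```python
"""Hostname check against a server certificate's subjectAltName.

Added example, not code from the mailing list post, Openswan or Windows.
The certificate data below is constructed for the example; a real VPN
client would read the dNSName entries from the parsed X.509 certificate.
"""

# Constructed subjectAltName dNSName entries, as a VPN client would read
# them from the server certificate (assumption for this example).
SERVER_SAN = ["vpn.example.com", "*.vpn.example.com"]


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against a hostname.

    Matching is case-insensitive.  A single '*' is allowed only as the
    entire left-most label and never matches across a dot, so
    '*.vpn.example.com' matches 'gw1.vpn.example.com' but not
    'vpn.example.com' or 'a.b.vpn.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and at least two
    # further labels must follow it, so '*.com' is rejected outright.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def hostname_matches(san_names, hostname: str, verify_hostname: bool = True) -> bool:
    """Decide whether a server certificate is acceptable for `hostname`.

    verify_hostname=True : strict check, at least one dNSName must match.
    verify_hostname=False: the old behaviour, any certificate from a trusted
                           CA is accepted no matter what name it carries.
    """
    if not verify_hostname:
        return True
    return any(_match_dns_name(name, hostname) for name in san_names)


def check_server(hostname: str, verify_hostname: bool = True) -> str:
    """Return 'ACCEPT' or 'REJECT' for the constructed SERVER_SAN above."""
    ok = hostname_matches(SERVER_SAN, hostname, verify_hostname)
    return "ACCEPT" if ok else "REJECT"


if __name__ == "__main__":
    for host in ["vpn.example.com", "gw1.vpn.example.com", "evil.example.com"]:
        print(f"{host:24} strict={check_server(host)} "
              f"legacy={check_server(host, verify_hostname=False)}")
```

With the check disabled, a certificate issued to any name by a CA the client trusts is accepted for any server, which is exactly why the strict mode is the safer default.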
