[Openswan Users] Success with Windows Vista
Jacco de Leeuw
jacco2 at dds.nl
Sun Nov 5 17:13:50 EST 2006
Hello all,
I downloaded Windows Vista RC2 from the Microsoft website a while ago,
and decided to give it a spin. Here's the write-up:
http://www.jacco2.dds.nl/networking/vista-openswan.html
In a nutshell, there's good news and there's bad news. First the good news:
- Vista worked out of the box with the L2TP/IPsec setup described in the
Openswan book and on my webpage.
- By default it uses strong crypto, i.e. AES-128, SHA-1, DH group 14 etc.
- It now verifies the hostname in the server certificate (subjectAltName),
similar to what MacOS X does. This setting can be disabled, though, so
you get the old Windows 2000/XP behaviour back.
Of course, it's not all smooth sailing:
- There is (currently) little to no documentation. I find the user interface
less intuitive and less user-friendly than, say, Windows 2000/XP or the
Mac. Sometimes I wonder if the VPN user-interface is just confusing or
plain out buggy...
- Microsoft have "embraced and extended" IKE and called it AuthIP:
http://www.microsoft.com/technet/community/columns/cableguy/cg0806.mspx
I don't know what the idea behind this is...
- VPN connections are now set to PPTP by default, instead of the more secure
L2TP/IPsec (like Windows 2000/XP).
- Vista cannot connect to an L2TP/IPsec server that is behind NAT. Windows XP
SP2 could not do that either, but at least there is a registry patch for XP
that fixes this. No such thing for Vista.
- I can't get it configured to use even stronger crypto, such as AES-256.
- Vista's kernel protection makes it hard to write a third-party IPsec client.
(Ask McAfee and Symantec). You'll probably be stuck with PPTP and L2TP/IPsec
for some time.
I have not looked into everything new. For instance, there seems to be
CRL checking in Vista but it's not even clear what the default is, enabled
or disabled.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl