[Openswan Users] Ipsec VPN from windows machines

Agent Smith news8080 at yahoo.com
Thu Apr 3 13:34:34 EDT 2008



OK:

I finally got it working with strong-swan but it's not
without issues, the problem is that when a nat client
makes a disconnect request, the connection entry is
deleted for that public ip altogether from the
strongswan side and no one else can 'keep' their
connection.

I have at this point given up on making it work like
this, the way I see it, if 50 users are connecting in,
it justifies a $100 at bestbuy.

For home users the theory is that it will work if
only one person is connecting in, if more
then they'll have to buy a linksys box too.

Thanks Marco for your help, it was a good learning
exp. (xfrm/slackware etc) if nothing else.



--- Marco Berizzi <pupilla at hotmail.com> wrote:

> Agent Smith wrote:
> 
> > yup, did it manually before each restart and it's
> > windows native ipsec via 'IP Security Policy on Local
> > Computer' snap-in.
> 
> I think this is a windows bug. Your policies are
> all /32 <=> /32 and I think windows xp will create
> a transport mode ipsec sa instead of a tunnel mode
> one.
> This is confirmed by the ip -s x p output:
> 
> src 146.9.nat.router/32 dst 146.9.osw.box/32 uid 0
> dir in action allow index 504 priority 2080 share
> any
> 16393(0x00004009) mode transport
> 
> Could you try to build a policy like this:
> 
> windows xp ip address/32 <==> 192.168.25.0/29
> 
> conn CERT-29
>   authby=rsasig
>   pfs=yes
>   left=a.b.c.d
>   leftsubnet=192.168.25.0/29
>   leftrsasigkey=%cert
>   leftcert=servercert.pem
>   right=%any
>   rightsubnet=vhost:%no,%priv
>   rightrsasigkey=%cert
>   auto=add
> 
> 
> 
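Marco's diagnosis rests on reading `ip -s x p` (i.e. `ip -s xfrm policy`) and spotting a /32 <=> /32 selector whose template says `mode transport` where a tunnel was expected. The following is an added example, not code from the thread or from Openswan/strongSwan: a small parser for that output that flags exactly this symptom, so the check can be repeated after each policy change instead of eyeballing the listing. The sample output is constructed (RFC 5737 documentation addresses in place of the real 146.9.x.x hosts) and assumes the usual iproute2 layout where the `mode` keyword appears on the `tmpl`/`proto` line following each `src ... dst ...` header.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ip -s xfrm policy` output, modelled on the line quoted in
# the thread: the first two policies are the /32 <=> /32 pair that XP negotiated
# in transport mode; the last two are a host <=> subnet pair in tunnel mode.
SAMPLE_XFRM_POLICY = """\
src 203.0.113.10/32 dst 198.51.100.7/32 uid 0
\tdir in action allow index 504 priority 2080 share any
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16393(0x00004009) mode transport
src 198.51.100.7/32 dst 203.0.113.10/32 uid 0
\tdir out action allow index 497 priority 2080 share any
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16393(0x00004009) mode transport
src 203.0.113.10/32 dst 192.168.25.0/29 uid 0
\tdir in action allow index 528 priority 2080 share any
\ttmpl src 203.0.113.10 dst 198.51.100.7
\t\tproto esp reqid 16394(0x0000400a) mode tunnel
src 192.168.25.0/29 dst 203.0.113.10/32 uid 0
\tdir out action allow index 521 priority 2080 share any
\ttmpl src 198.51.100.7 dst 203.0.113.10
\t\tproto esp reqid 16394(0x0000400a) mode tunnel
"""

_HEADER_RE = re.compile(r"^src (\S+) dst (\S+)")
_DIR_RE = re.compile(r"\bdir (\S+)")
_TMPL_RE = re.compile(r"\breqid (\d+)\S*\s+mode (\S+)")


@dataclass
class XfrmPolicy:
    src: str
    dst: str
    direction: Optional[str]
    mode: Optional[str]      # None for policies without an IPsec template
    reqid: Optional[int]


def parse_xfrm_policies(text: str) -> List[XfrmPolicy]:
    """Split `ip xfrm policy` output into one record per `src ... dst ...` header."""
    policies: List[XfrmPolicy] = []
    current: Optional[XfrmPolicy] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER_RE.match(line)
        if header:
            current = XfrmPolicy(header.group(1), header.group(2), None, None, None)
            policies.append(current)
            continue
        if current is None:
            continue  # text before the first policy header; nothing to attach it to
        direction = _DIR_RE.search(line)
        if direction and current.direction is None:
            current.direction = direction.group(1)
        tmpl = _TMPL_RE.search(line)
        if tmpl:
            current.reqid = int(tmpl.group(1))
            current.mode = tmpl.group(2)
    return policies


def host_to_host_transport(policies: List[XfrmPolicy]) -> List[XfrmPolicy]:
    """The symptom from the thread: /32 <=> /32 selectors protected in transport mode.

    A road-warrior that was supposed to reach a subnet behind the gateway will not
    get there through such a policy, because nothing is encapsulated for it."""
    return [p for p in policies
            if p.mode == "transport"
            and p.src.endswith("/32") and p.dst.endswith("/32")]


def mode_mismatches(policies: List[XfrmPolicy], expected: str = "tunnel") -> List[XfrmPolicy]:
    """Every policy whose template mode differs from the mode the config was meant to produce."""
    return [p for p in policies if p.mode is not None and p.mode != expected]


if __name__ == "__main__":
    found = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    for p in host_to_host_transport(found):
        print(f"transport-mode host policy: {p.src} -> {p.dst} dir {p.direction} reqid {p.reqid}")
```

Pipe real output into `parse_xfrm_policies` (for example `subprocess.run(["ip", "-s", "xfrm", "policy"], capture_output=True, text=True).stdout`) and a non-empty result from `host_to_host_transport` is the same finding Marco made by hand; `mode_mismatches` is the broader form, useful once the config has been changed to host <=> subnet selectors and every template is expected to say `mode tunnel`.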




