[Openswan Users] Ipsec VPN from windows machines
Agent Smith
news8080 at yahoo.com
Thu Apr 3 13:34:34 EDT 2008
OK:
I finally got it working with strong-swan but its not
without issues, the problem is that when a nat client
makes a disconnect request, the connection entry is
deleted for that public ip alltogether from the
strongswan side and no one else can 'keep' their
connection.
I have at this point given up on making it work like
this, the way I see it, if 50 users are connecting in,
it justifies a $100 at bestbuy.
For home users the theory is that it will work if
there is only one person is connecting in, if more
then they'll have to buy a linksys box too.
Thanks marko for your help, it was a good learning
exp. (xfrm/slackware etc) if nothing else.
--- Marco Berizzi <pupilla at hotmail.com> wrote:
> Agent Smith wrote:
>
> > yup, did it manually before each restart and its
> > windows native ipsec via 'IP Security Policy on
> Local
> > Computer' snap-in.
>
> I think this is a windows bug. Your policies are
> all /32 <=> /32 and I think windows xp will create
> a transport mode ipsec sa instead of a tunnel mode
> one.
> This is confirmed by the ip -s x p output:
>
> src 146.9.nat.router/32 dst 146.9.osw.box/32 uid 0
> dir in action allow index 504 priority 2080 share
> any
> 16393(0x00004009) mode transport
>
> Could you try to build a policy like this:
>
> windows xp ip address/32 <==> 192.168.25.0/29
>
> conn CERT-29
> authby=rsasig
> pfs=yes
> left=a.b.c.d
> leftsubnet=192.168.25.0/29
> leftrsasigkey=%cert
> leftcert=servercert.pem
> right=%any
> rightsubnet=vhost:%no,%priv
> rightrsasigkey=%cert
> auto=add
>
>
>
____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.
http://tc.deals.yahoo.com/tc/blockbuster/text5.com
More information about the Users
mailing list