[Openswan Users] Winxp could not connect to Linux OPENSWAN server

Paul Wouters paul at xelerance.com
Sat Apr 11 12:28:02 EDT 2009


On Fri, 10 Apr 2009, shawnlau wrote:

>          My openswan configure of LINUX VPN SERVER like below: it's
> almost copied from /etc/ipsec.d/example/l2tp-cert.conf

Which means you are going to use IPsec with L2TP.

>         left=10.255.255.8
>         leftid=%fromcert
>         leftrsasigkey=%cert
>         leftcert=westcert.pem
>         leftprotoport=17/1701

>         right=%any
>         rightca=%same
>         rightrsasigkey=%cert
>         rightprotoport=17/%any
>         rightsubnet=vhost:%priv,%no

>         pfs=yes

That should probably be no for Windows?

> In this configure , I have a question. Which certificate file should be
> set on leftcert=, the westcert.pem (my vpn gateway’s pem file) or
> winxp.pem (the pem file for winxp client)

Assuming left is your gateway, you set your gateway's cert. The other
cert will be sent to you by the client for verification by the CA you put
in /etc/ipsec.d/cacerts/

> After this config, In my winxp client , I have used ipsec.exe, and the
> config file like below:

You should NOT use ipsec.exe. It's too old for modern Windows machines.
Also, ipsec.exe was used for non-l2tp connections. Since you are using l2tp
with ipsec, you ONLY need to use the "new connection wizard" to set up the
Windows client end.

See: http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

> conn l2tpx509

> conn l2tpx509-net

There is no such thing as "l2tp host" and "l2tp net", since l2tp will
hand out an IP address from your LAN to the windows client and will appear
to be on the LAN itself.

> When I boot ipsec.exe, from winxp client I ping the hosts of vpn network.
> But result always: Negotiating IP Security

Note that using ipsec.exe might have screwed up some registry settings. I've
heard reports of people needing to reinstall just to undo those, but also
heard from other people that they had no problems.

> I have made a new key and pem file for windows, and transformed them to a
> PKCS#12 file. But the error is still like above.

Did you use the xelerance certimport.exe to import this file to the proper
location? Double clicking will not work!

Paul
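
The points in this reply (gateway cert on the left side, pfs for Windows, the L2TP protoports and the NAT'd rightsubnet) can be checked mechanically before loading a conn. The following is an added example, not code from the thread or from the Openswan project: a minimal ipsec.conf section parser plus a checker that encodes those points, run on a constructed conn modelled on the one quoted above. Section and key names follow ipsec.conf; `also=` includes are not expanded.

```python
# Constructed sample modelled on the conn quoted in the thread (not a live config).
SAMPLE_CONF = """\
conn l2tp-x509
        left=10.255.255.8
        leftid=%fromcert
        leftrsasigkey=%cert
        leftcert=westcert.pem
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightrsasigkey=%cert
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        pfs=yes
"""

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}. Headers ('conn NAME',
    'config setup') start at column 0; indented key=value lines belong to the
    current section; '#' comments and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # new section header
            current = line.strip()
            sections[current] = {}
            continue
        key, sep, value = line.strip().partition("=")
        if current is not None and sep:
            sections[current][key.strip()] = value.strip()
    return sections

def check_l2tp_conn(conn):
    """Return findings for a cert-based L2TP/IPsec responder conn."""
    findings = []
    if conn.get("pfs", "yes").lower() == "yes":   # openswan default is yes
        findings.append("pfs=yes: Windows L2TP/IPsec clients expect pfs=no")
    if conn.get("leftrsasigkey") == "%cert" and not conn.get("leftcert"):
        findings.append("leftrsasigkey=%cert but no leftcert: set the gateway's own cert")
    if conn.get("leftprotoport") != "17/1701":
        findings.append("leftprotoport must be 17/1701 (L2TP over UDP) on the gateway")
    if conn.get("rightprotoport") != "17/%any":
        findings.append("rightprotoport should be 17/%any for roaming clients")
    if conn.get("rightsubnet") != "vhost:%priv,%no":
        findings.append("rightsubnet=vhost:%priv,%no is needed for clients behind NAT")
    return findings
```

Running `check_l2tp_conn(parse_ipsec_conf(SAMPLE_CONF)["conn l2tp-x509"])` on the sample reports only the pfs finding, matching the one change suggested in the reply.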

