
Re: VPN: solutions that interoperate with win xp



dick_(_at_)_uchicago_(_dot_)_edu wrote:
> heya,
> 
> I've been grinding away to get a VPN set up where I can have Win XP clients
> connect to my OpenBSD firewall and access the network behind it. I have tried a
> number of things, none of which have yet worked for all my users. I am very much
> interested in hearing from other admins who have currently working solutions
> along these lines. I have set up isakmpd between my home and my business
> location, so I know I am not a complete idiot when it comes to this stuff ;).
> 

As for me, the howto described at http://openbsd.cz/~pruzicka/vpn.html works
with no problems.
Here are my config files:

######isakmpd.conf######

# placeholders: ext_if_ip = the firewall's external address,
# peer1_ext_ip / peer_ext_ip = the XP client's address as seen by the firewall

[General]
Policy-file=            /etc/isakmpd/isakmpd.policy
Retransmits=            4
Listen-On=              ext_if_ip

[Phase 1]
# tag = peer address, value = name of that peer's ISAKMP-peer section
peer1_ext_ip=           peer1

[Phase 2]
# passive: wait for the XP client to initiate quick mode
Passive-Connections=    peer2

[peer1]
Phase=                  1
Transport=              udp
Configuration=          Default-main-mode
# pre-shared key; must match the PRESHARE on XP and the policy file below
Authentication=         somepass

[peer2]
Phase=                  2
# must name the phase 1 section above (the post had "perr1", a typo)
ISAKMP-peer=            peer1
Configuration=          Default-quick-mode
Local-ID=               local-net
Remote-ID=              peer-net

[peer-net]
# the XP client is a single host, not a subnet
ID-type=                IPV4_ADDR
Address=                peer_ext_ip

[local-net]
# the network behind the firewall that the client gets access to
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-GRP2

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

######isakmpd.policy######

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:somepass"
Conditions: app_domain == "IPsec policy" &&
           esp_present == "yes" &&
           esp_enc_alg != "null" -> "true";

######xp settings######

rem clear dynamic policies left over from earlier attempts
ipseccmd.exe -u
rem outbound: me (0) -> 192.168.1.0/24, tunnelled to the OpenBSD external address
ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -t obsd_ext_ip -n ESP[3DES,SHA] -a PRESHARE:"somepass" -1s 3DES-SHA-2
rem inbound: 192.168.1.0/24 -> me (0), tunnel endpoint is the client's own address
ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -t xp_client_local_ip -n ESP[3DES,SHA] -a PRESHARE:"somepass" -1s 3DES-SHA-2

If you want to preserve the ipseccmd settings (e.g. after a reboot), you can
add '-w reg -p somename' to your command line to store them in the
Windows registry; they will then also be visible via the MMC IPsec console.

On the OpenBSD firewall you have to pass traffic on enc0, and on ext_ip incoming
UDP on port 500 (and 4500 if your XP clients are behind NAT, which
changes the source port numbers).

read also:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipsecmd.mspx
http://support.microsoft.com/default.aspx?kbid=885407

Hope it will help you.
Sorry for my English ;)

--
raff
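The isakmpd.conf above is wired together entirely by section names: a [Phase 1] tag maps a peer address to its peer section, the peer names its main-mode configuration, [Phase 2] lists connection sections, and each connection points at its ISAKMP-peer, quick-mode configuration and Local-ID/Remote-ID sections. A name that does not resolve (as with the "perr1" typo in the posted file) only shows up as a failed negotiation. The following checker is an added example, not raff's code or part of OpenBSD's isakmpd: it parses a config of this shape and follows those references. The embedded sample is constructed from the posted file, reduced to the sections the checker uses, and the second copy is the same text with the typo corrected.

```python
import re

SECTION_RE = re.compile(r'^\[(.+)\]$')

def parse_isakmpd_conf(text):
    """Parse the ini-style isakmpd.conf into {section: {key: value}}; '#' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif current is None or '=' not in line:
            raise ValueError(f'unexpected line outside a section: {raw!r}')
        else:
            key, _, value = line.partition('=')
            sections[current][key.strip()] = value.strip()
    return sections

def check_references(sections):
    """Follow the references isakmpd follows; return a list of problems (empty = wired up)."""
    problems = []

    def exists(section, where):
        if section not in sections:
            problems.append(f'{where} refers to missing section [{section}]')
            return False
        return True

    # [Phase 1]: tag is a peer address (or "Default"), value is its peer section.
    peers = set()
    for addr, peer in sections.get('Phase 1', {}).items():
        if exists(peer, f'[Phase 1] {addr}'):
            peers.add(peer)
    for peer in sorted(peers):
        p = sections[peer]
        if p.get('Phase') != '1':
            problems.append(f'[{peer}] is a Phase 1 peer but has Phase={p.get("Phase")!r}')
        if 'Configuration' in p:
            exists(p['Configuration'], f'[{peer}] Configuration')

    # [Phase 2]: Connections / Passive-Connections list connection sections.
    conns = []
    for key in ('Connections', 'Passive-Connections'):
        for c in sections.get('Phase 2', {}).get(key, '').split(','):
            c = c.strip()
            if c and exists(c, f'[Phase 2] {key}'):
                conns.append(c)
    for c in conns:
        s = sections[c]
        if s.get('Phase') != '2':
            problems.append(f'[{c}] is a Phase 2 connection but has Phase={s.get("Phase")!r}')
        peer = s.get('ISAKMP-peer')
        if peer is None:
            problems.append(f'[{c}] has no ISAKMP-peer')
        elif exists(peer, f'[{c}] ISAKMP-peer') and peer not in peers:
            problems.append(f'[{c}] ISAKMP-peer {peer} is not listed under [Phase 1]')
        if 'Configuration' in s:
            exists(s['Configuration'], f'[{c}] Configuration')
        for idkey in ('Local-ID', 'Remote-ID'):
            if idkey in s:
                exists(s[idkey], f'[{c}] {idkey}')
    return problems

# Constructed sample in the shape of the posted config (sections the checker
# follows only), including the post's "perr1" typo in [peer2].
POSTED_CONF = """\
[Phase 1]
perr1_ext_ip=           peer1
[Phase 2]
Passive-Connections=    peer2
[peer1]
Phase=                  1
Configuration=          Default-main-mode
[peer2]
Phase=                  2
ISAKMP-peer=            perr1
Configuration=          Default-quick-mode
Local-ID=               local-net
Remote-ID=              peer-net
[peer-net]
ID-type=                IPV4_ADDR
[local-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
[Default-main-mode]
EXCHANGE_TYPE=          ID_PROT
[Default-quick-mode]
EXCHANGE_TYPE=          QUICK_MODE
"""
FIXED_CONF = POSTED_CONF.replace('perr1', 'peer1')

if __name__ == '__main__':
    for name, conf in (('posted', POSTED_CONF), ('fixed', FIXED_CONF)):
        print(name, check_references(parse_isakmpd_conf(conf)) or 'OK')
```

Run against the posted text it reports the one dangling ISAKMP-peer reference; against the corrected text it reports nothing. It deliberately checks only name resolution and the Phase of each referenced section, which is what isakmpd cannot tell you clearly at negotiation time; transform and suite names are left to isakmpd itself.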