
Re: VPN: solutions that interoperate with win xp

Heinrich Rebehn wrote:
dick_(_at_)_uchicago_(_dot_)_edu wrote:


i've been grinding away to get a VPN setup where i can have win xp clients
connect to my openbsd firewall and access the network behind it. i have tried a
number of things, none of which have yet worked for all my users. i am very much
interested in hearing from other admins who have currently working solutions
along these lines. i have setup isakmpd between my home and my business
location, so i know i am not a complete idiot when it comes to this stuff ;).

when i tried to use the native windows IPsec implementation, both as described
in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not
able to get anywhere. when i used ipseccmd.exe, it would not give me any useful
debugging outputs and crashed a couple times while i was trying to set this up.
i would very much like to have a setup using the native IPsec in win xp, but am
utterly in the dark as to the win xp configuration side of things.

i have also setup openvpn, which works great for me from home, and i have been
able to successfully get this working. however, one of the users that connects
to my VPN is having problems making openvpn and his kerio firewall "play nice",
and a working openvpn configuration cannot survive a reboot due to win xp being
such a great OS.

i am also aware of "the green bow" VPN client that is known to interoperate with
isakmpd. i have avoided using this solution since i know it to be a resource hog
on win xp. anybody else's views on this software would be nice.

anything that you think could help me get a VPN with win xp talking to my
openbsd firewall would be awesome. i would love a "howto" for the win xp boxes,
but a smack with the cluestick is likely all i need. it would be nice for this
to NOT use certificates, as i'd like to get a shared secret setup working first,
then switch to certs later.


Hi jake,

I have been successfully using the Windows XP native IPSec client for some 2 years now. There is a good configuration tool at http://vpn.ebootis.de/ which reads a configuration file and executes the ipseccmd commands needed for setting up the tunnel. Latest version is 2.2, I am using 2.1.4.

You do need XP Service Pack 2. Also you must install the windows support tools as mentioned on Marcus' web page. Note that if you already installed them before installing SP2, you must also upgrade the support tools after installing SP2.

As for windows debug output, look for "oakley log" in http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx

This works with certificates (somewhat tricky to set up) as well as with preshared secret.


The tool mentioned by Heinrich has worked for me quite well. I have used it against a Linux freeswan server for three years, and OBSD for the last six months. The following link explains how to use x509 certs: http://mirror.huxley.org.ar/ipsec/isakmpd.htm

The script he provided on the page had a small typo that prevented it from working; he seems to have fixed it now. You will find certs to be simple actually, more secure, and easier to manage.

Although I have yet to get a certificate revocation list to work with isakmpd.

