Hi,

I've got Freeswan with x509 patches using a Pre Shared Key (PSK) to a win98
machine (with IPSEC L2TP client from MS) and also a Windows XP machine
working.

IMHO pptp with mppe patches is pretty darn secure unless your users use
their pet's name as a password.  The only problem with it is that it is
susceptible to dictionary attacks and perhaps the encryption could be a
little stronger.

Anyway, I'll get off the soapbox as I'm sure you're looking for help with
ipsec. I've included my ipsec.conf file:


config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        #interfaces=%defaultroute
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
conn win2k
        left=10.0.0.1
        right=%any
        type=transport
        keyingtries=0
        authby=secret
        auto=add
        pfs=no



* NOTE: You might want to change the interfaces line back to
#interfaces=%defaultroute.  Also, left is going to need to be changed to
your IP address; not sure if %any works.


Your ipsec.secrets file will need a line like the following:

10.0.0.1: PSK "mysupersecretsecret"

Once again, 10.0.0.1 will need to be changed to your machine's IP.

The way you can spot that your IPSEC connection is working is by looking for
the message "Verifying username and password" on the win2k machine; this
means the IPsec transport has been set up properly.
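An added consistency check (my own example, not part of the posted configuration or FreeS/WAN itself) that parses an ipsec.conf and ipsec.secrets in the layout shown above and verifies that every authby=secret conn has a concrete left address, that ipsec.secrets carries a PSK indexed by that address, and that the PSK is not short. The sample file contents and the 16-character minimum are constructed assumptions.

```python
import re

# Constructed sample files, laid out like the ipsec.conf / ipsec.secrets shown above.
IPSEC_CONF = """config setup
        interfaces="ipsec0=eth0"
        uniqueids=yes
conn win2k
        left=10.0.0.1
        right=%any
        type=transport
        authby=secret
        auto=add
"""
IPSEC_SECRETS = '10.0.0.1: PSK "mysupersecretsecret"\n'


def parse_conf(text):
    """Return {section: {key: value}}; sections start at column 0, options are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                       # "config setup" / "conn NAME"
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_secrets(text):
    """Return {index: psk} from lines of the form:  index: PSK "secret"."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*(\S+)\s*:\s*PSK\s+"([^"]*)"', text, re.M)}


def check(conf_text, secrets_text, min_psk_len=16):
    """List problems: left not a concrete address, no PSK for left, or a PSK shorter
    than min_psk_len (an assumed threshold, not a FreeS/WAN requirement)."""
    conf, psks, problems = parse_conf(conf_text), parse_secrets(secrets_text), []
    for name, opts in conf.items():
        if not name.startswith("conn ") or opts.get("authby") != "secret":
            continue
        left = opts.get("left")
        if left is None or left.startswith("%"):
            problems.append(f"{name}: left must be this host's address, not {left!r}")
        elif left not in psks:
            problems.append(f"{name}: no PSK indexed by {left} in ipsec.secrets")
        elif len(psks[left]) < min_psk_len:
            problems.append(f"{name}: PSK for {left} is only {len(psks[left])} chars")
    return problems
```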


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of Jake Bullet
Sent: Monday, December 30, 2002 7:11 AM
To: [EMAIL PROTECTED]
Subject: Re: L2TPd & Windows 2000


On Sun, 29 Dec 2002, Jacco de Leeuw wrote:

> Jake Bullet wrote:
>
> > I'm looking for some help setting up a VPN between a linux server and
> > Windows2000 client.
> > However there seems to be absolutely no documentation on anything and I'm
> > awfully confused. If there are some docs, where can I find them?
>
> Have you looked in the mailinglist archive?
> (http://l2tpd.graffl.net/threads.html)
>
> Because I recently posted a message about this. See:
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

Yeah, well L2TP was the next choice because I've been fighting trying to
get freeswan working and it just doesn't want to play.  I get the
impression though that Windows 2000 uses IPSec to implement L2TP so I'm
going in circles.

FreeS/WAN just moans about an incomplete ISAKMP SA when I try to make the
IPSec tunnel.

> > When I try running l2tpd I get the following message
> > "This binary does not support kernel L2TP."
>
> It's not really an error. I guess it's more like a reminder
> that one day L2TP support should perhaps be in the kernel.

Oh right.

> > How do I setup or disable authentication? What usernames are they based
> > on? The linux box's users?
>
> PPP authenticates through the file /etc/ppp/chap-secrets or
> pap-secrets. You can also authenticate users with Linux
> accounts if you specify 'login' as one of the pppd parameters
> (man pppd). Perhaps you can also use other authentication
> mechanisms (PAM). Note that L2TP has its own authentication too,
> but I am not sure if Windows makes use of it.
>
> > Client                                              Server
> > Virtual 10.0.0.2 ---------------PPP---------------- 10.0.0.1
> > Link             ---------------L2TP---------------
> > Real   123.0.0.2 --------------UDP/IP-------------- 213.0.0.1
> >
> > Is there something I'm missing from this understanding?
>
> Yes, do you want encryption or not? If you use this setup,
> there will be no encryption unless you use MPPE/MS-CHAP
> as protocols for PPP. This is what PPTP uses so you might
> just as well go PPTP all the way:
> http://opensource.lineo.com/poptop/
>
> Or you could tunnel it all through IPSEC (i.e. FreeS/WAN
> on the Linux server). See the link mentioned at the top.
>

I just want to create a tunnel with virtual interfaces at each end.. I
didn't think it would be so difficult :-/

I was trying to get just IPSec working, but now I see that L2TP runs over
that I'm confused.  Doesn't IPSec do the tunneling? Or is it just
encryption between two end-points?

Eventually I want a virtual network where I can have the following:

Client                           Server                 Client
Virtual 10.0.0.2 --------10.0.0.1 <-> 10.0.1.1--------- 10.0.1.2
Real   123.0.0.1 -------------- 213.0.0.1-------------- 231.0.0.1

The clients have to be Win2k/XP unfortunately, and need to communicate with
each other.  I realise this is a bit of an odd setup.
The only other option seems to be PPTP, which is M$ and full of security
problems.  I don't give two hoots about encryption, there's nothing
sensitive going over the virtual network, it would be better without it as
that will give lower overhead.  The eventual setup is going to have
anywhere up to 20-30 clients, if it works.

Thanks for your help.

Stephen
