But how do you use PSK on Windows 2000? The guides seem to imply that it should be avoided.

Stephen

On Mon, 30 Dec 2002, Kimble Young wrote:

> Hi,
>
> I've got Freeswan with x509 patches using a Pre-Shared Key (PSK) to a win98
> machine (with IPSEC L2TP client from MS) and also a Windows XP machine
> working.
>
> IMHO pptp with mppe patches is pretty darn secure unless your users use
> their pet's name as a password. The only problem with it is that it is
> susceptible to dictionary attacks and perhaps the encryption could be a
> little stronger.
>
> Anyway I'll get off the soapbox as I'm sure you're looking for help with
> ipsec. I've included my ipsec.conf file.
>
> config setup
>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>     # %defaultroute is okay for most simple cases.
>     #interfaces=%defaultroute
>     interfaces="ipsec0=eth0"
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     klipsdebug=none
>     plutodebug=none
>     # Use auto= parameters in conn descriptions to control startup actions.
>     plutoload=%search
>     plutostart=%search
>     # Close down old connection when new one using same ID shows up.
>     uniqueids=yes
>
> conn win2k
>     left=10.0.0.1
>     right=%any
>     type=transport
>     keyingtries=0
>     authby=secret
>     auto=add
>     pfs=no
>
> * NOTE: You might want to change the interfaces line back to
> #interfaces=%defaultroute. Also, left is going to need to be changed to
> your IP address; not sure if %any works.
>
> Your ipsec.secrets file will need a line like the following:
>
> 10.0.0.1: PSK "mysupersecretsecret"
>
> Once again, 10.0.0.1 will need to be changed to your machine's IP.
>
> The way you can spot that your IPSEC connection is working is by looking for
> the message "Verifying username and password" on the win2k machine; this
> means the ipsec transport has been set up properly.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> Behalf Of Jake Bullet
> Sent: Monday, December 30, 2002 7:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: L2TPd & Windows 2000
>
>
> On Sun, 29 Dec 2002, Jacco de Leeuw wrote:
>
> > Jake Bullet wrote:
> >
> > > I'm looking for some help setting up a VPN between a linux server and
> > > Windows 2000 client.
> > > However there seems to be absolutely no documentation on anything and I'm
> > > awfully confused. If there are some docs, where can I find them?
> >
> > Have you looked in the mailinglist archive?
> > (http://l2tpd.graffl.net/threads.html)
> >
> > Because I recently posted a message about this. See:
> > http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
>
> Yeah, well L2TP was the next choice because I've been fighting trying to
> get freeswan working and it just doesn't want to play. I get the
> impression though that Windows 2000 uses IPSec to implement L2TP so I'm
> going in circles.
>
> FreeS/WAN just moans about an incomplete ISAKMP SA when I try to make the
> IPSec tunnel.
>
> > > When I try running l2tpd I get the following message
> > > "This binary does not support kernel L2TP."
> >
> > It's not really an error. I guess it's more like a reminder
> > that one day L2TP support should perhaps be in the kernel.
>
> Oh right.
>
> > > How do I set up or disable authentication? What usernames are they based
> > > on? The linux box's users?
> >
> > PPP authenticates through the file /etc/ppp/chap-secrets or
> > pap-secrets. You can also authenticate users with Linux
> > accounts if you specify 'login' as one of the pppd parameters
> > (man pppd). Perhaps you can also use other authentication
> > mechanisms (PAM). Note that L2TP has its own authentication too,
> > but I am not sure if Windows makes use of it.
> >
> > >          Client                                         Server
> > > Virtual  10.0.0.2 ---------------PPP---------------- 10.0.0.1
> > > Link              ---------------L2TP---------------
> > > Real    123.0.0.2 --------------UDP/IP-------------- 213.0.0.1
> > >
> > > Is there something I'm missing from this understanding?
> >
> > Yes, do you want encryption or not? If you use this setup,
> > there will be no encryption unless you use MPPE/MS-CHAP
> > as protocols for PPP. This is what PPTP uses so you might
> > just as well go PPTP all the way:
> > http://opensource.lineo.com/poptop/
> >
> > Or you could tunnel it all through IPSEC (i.e. FreeS/WAN
> > on the Linux server). See the link mentioned at the top.
>
> I just want to create a tunnel with virtual interfaces at each end. I
> didn't think it would be so difficult :-/
>
> I was trying to get just IPSec working, but now I see that L2TP runs over
> that I'm confused. Doesn't IPSec do the tunneling? Or is it just
> encryption between two end-points?
>
> Eventually I want a virtual network where I can have the following:
>
>          Client                      Server                       Client
> Virtual  10.0.0.2 --------10.0.0.1 <-> 10.0.1.1--------- 10.0.1.2
> Real    123.0.0.1 -------------- 213.0.0.1-------------- 231.0.0.1
>
> The clients have to be Win2k/XP unfortunately, and need to communicate with
> each other. I realise this is a bit of an odd setup.
> The only other option seems to be PPTP, which is M$ and full of security
> problems. I don't give two hoots about encryption, there's nothing
> sensitive going over the virtual network; it would be better without it as
> that will give lower overhead. The eventual setup is going to have
> anywhere up to 20-30 clients, if it works.
>
> Thanks for your help.
>
> Stephen
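The conn Kimble posted above, run through a small checker. This is an added example, not code from the post or from the FreeS/WAN project: a parser for the ipsec.conf layout used above (section header in column 0, indented key=value lines, `#` comments), a review pass that flags only what the conn itself states (authby=secret with right=%any means one PSK shared by every road warrior; pfs=no means the phase 2 keys get no fresh Diffie-Hellman exchange), and helpers that build and re-parse an ipsec.secrets PSK entry in the `10.0.0.1: PSK "..."` form the post uses. The finding codes, the 32-byte random PSK, and the embedded copy of the config (comments trimmed) are this example's own choices; the parser does not handle `also=`, `include`, or indices containing a colon.

```python
"""Parse a FreeS/WAN-style ipsec.conf, flag conn settings worth a second look,
and build/check the matching ipsec.secrets PSK line.

Added example for this thread; it is not code from the post or from the
FreeS/WAN project.  The parser covers only the syntax seen in the post
(section header in column 0, indented key=value lines, '#' comments)."""
import re
import secrets

# Constructed sample input: the two sections Kimble posted, re-indented and
# with most comments trimmed.
SAMPLE_CONF = """\
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    #interfaces=%defaultroute
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn win2k
    left=10.0.0.1
    right=%any
    type=transport
    keyingtries=0
    authby=secret
    auto=add
    pfs=no
"""

# One ipsec.secrets PSK entry:  <index> [<index> ...]: PSK "<secret>"
# (indices that themselves contain ':' are out of scope for this example)
SECRET_LINE = re.compile(r'^\s*(?P<idx>[^:]+?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' -> 'setup', 'conn X' -> 'X'.
    Surrounding double quotes on a value are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                    # header in column 0
            kind, _, name = line.strip().partition(" ")
            current = name.strip() if kind in ("config", "conn") else None
            if current:
                sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def review_conn(conn):
    """Return [(code, explanation)] for settings in one conn that weaken a
    road-warrior PSK setup.  Both checks follow from what the conn states;
    the codes are this example's own."""
    findings = []
    if conn.get("authby") == "secret" and conn.get("right") == "%any":
        findings.append(("shared-psk",
                         "right=%any with authby=secret: every client must "
                         "present the same PSK, so one compromised client "
                         "exposes the secret for the whole group"))
    if conn.get("pfs", "yes") == "no":           # FreeS/WAN's default is pfs=yes
        findings.append(("no-pfs",
                         "pfs=no: phase 2 keys are derived from the phase 1 "
                         "SA without a fresh Diffie-Hellman exchange"))
    return findings


def new_psk(nbytes=32):
    """Random hex PSK (32 bytes is this example's choice), not a passphrase."""
    return secrets.token_hex(nbytes)


def secrets_line(local_id, psk):
    """Build the entry in the form the post uses:  10.0.0.1: PSK "..." """
    if '"' in psk:
        raise ValueError("PSK must not contain a double quote")
    return '%s: PSK "%s"' % (local_id, psk)


def parse_secrets_line(line):
    """Return (indices, psk) for a well-formed PSK entry, else None."""
    m = SECRET_LINE.match(line)
    return (m.group("idx").split(), m.group("psk")) if m else None


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_CONF)
    for code, why in review_conn(conf["win2k"]):
        print("%-11s %s" % (code, why))
    psk = new_psk()
    entry = secrets_line(conf["win2k"]["left"], psk)
    assert parse_secrets_line(entry) == (["10.0.0.1"], psk)
    print(entry)
```

Run it against a real ipsec.conf by reading the file into `parse_ipsec_conf` instead of `SAMPLE_CONF`; the two findings it reports for the posted conn are the trade-offs already visible in the config, not anything the file hides, and re-parsing the generated secrets entry before restarting pluto catches the quoting mistakes that otherwise only show up as an authentication failure.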
