Re: Win XP VPN

2005-08-31 Thread Nino Margetic

Petr,

Just one question: how do you firewall your WinXP machine? Or is it just 
fully open (i.e. no firewall at all)??


--Nino

On Mon, 29 Aug 2005, Petr Ruzicka wrote:


Just to let you know, I spent the better part of the night configuring my old
setup in VMWare machines and everything works as expected.
I will try to add NATing if I find time.
Best regards

Petr R.




Re: Win XP VPN

2005-08-31 Thread Petr Ruzicka
Fully open now. But I will add a firewall+NAT and let you know.

Petr R.

On 8/31/05, Nino Margetic [EMAIL PROTECTED] wrote:
 Petr,
 
 Just one question: how do you firewall your WinXP machine? Or is it just
 fully open (i.e. no firewall at all)??
 
 --Nino
 
 On Mon, 29 Aug 2005, Petr Ruzicka wrote:
 
  Just to let you know, I spent the better part of the night configuring my old
  setup in VMWare machines and everything works as expected.
  I will try to add NATing if I find time.
  Best regards
 
  Petr R.



Re: Win XP VPN

2005-08-31 Thread Nino Margetic
NAT-T should work out of the box as long as you have WinXP SP2 installed 
(more details on the MS KB site - e.g. 
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043 ).


--Nino


On Wed, 31 Aug 2005, Petr Ruzicka wrote:


Fully open now. But I will add a firewall+NAT and let you know.

Petr R.

On 8/31/05, Nino Margetic [EMAIL PROTECTED] wrote:

Petr,

Just one question: how do you firewall your WinXP machine? Or is it just
fully open (i.e. no firewall at all)??

--Nino

On Mon, 29 Aug 2005, Petr Ruzicka wrote:


Just to let you know, I spent the better part of the night configuring my old
setup in VMWare machines and everything works as expected.
I will try to add NATing if I find time.
Best regards

Petr R.




Re: Win XP VPN

2005-08-31 Thread Petr Ruzicka
Hi,
so I introduced a fw in front of the XP workstation. Topology as follows:

XP -- BSD_FW1 -- BSD_FW2 -- BSD_Server

- XP (ipsec client) connects through BSD_FW2 (ipsec GW) to BSD_Server just fine.
- XP and BSD_FW2 are set up according to my document mentioned earlier
- XP's IP address is nated on BSD_FW1 to external interface IP address

BSD_FW1 policies
set skip on { lo0, enc0, $int_if }
# NAT the XP workstation's subnet to the address of the external interface
nat on $ext_if inet from 10.0.0.0/24 to any -> $ext_if
block drop all
pass out on $ext_if all keep state

BSD_FW2 policies
set skip on { lo0, enc0, $int_if }
block drop all
# IPsec gateway: accept ESP and ISAKMP (UDP 500) on the external interface
pass in on $ext_if proto esp from any to $ext_if keep state
pass in on $ext_if proto udp from any to $ext_if port = isakmp keep state

Please note that all BSDs are 3.8-current and XP is without SP2, so
your situation could be different.
Summary: to my surprise everything works as expected :o)
Best regards

Petr Ruzicka
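To see what the BSD_FW2 policy above actually lets through, here is a small evaluator for the pf subset it uses (block drop all, pass in ... keep state, set skip), replaying the packets a NATed XP client generates. This is an added example, not code from the thread or from OpenBSD; the interface names (em0 as $ext_if, em1 as $int_if), the addresses and the packet list are all constructed, and the state table is a deliberate simplification (keyed on protocol and endpoint pair only, no SPI or sequence tracking). It also goes one step beyond the thread by checking NAT-T (UDP 4500), which an SP2 client behind NAT would use and which this rule set does not pass.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str                # "in" or "out", relative to the firewall
    proto: str                    # "esp", "udp", "tcp", ...
    src: str
    dst: str
    sport: Optional[int] = None   # ESP carries no ports, so these stay None
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # None matches both directions
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None          # None or "any" match every destination
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and self.dst in (None, "any", p.dst)
                and self.dport in (None, p.dport))


class Firewall:
    """Last-matching-rule-wins evaluation (pf default, no 'quick') with a
    crude state table: protocol plus the unordered endpoint pair. That is
    enough to show why 'keep state' on inbound rules lets the replies out
    even though 'block drop all' has no matching 'pass out' rule."""

    def __init__(self, skip: Set[str], rules: List[Rule]):
        self.skip = skip
        self.rules = rules
        self.states: Set[Tuple] = set()

    def filter(self, p: Packet) -> str:
        if p.iface in self.skip:              # 'set skip on { ... }'
            return "pass"
        key = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
        if key in self.states:                # existing state: rules not consulted
            return "pass"
        decision, winner = "pass", None       # pf passes when nothing matches
        for r in self.rules:
            if r.matches(p):
                decision, winner = r.action, r
        if decision == "pass" and winner is not None and winner.keep_state:
            self.states.add(key)
        return decision


# Constructed addresses: BSD_FW2's $ext_if, and the address BSD_FW1 NATs XP to.
FW2_EXT = "203.0.113.2"
XP_NATED = "198.51.100.7"


def build_fw2() -> Firewall:
    """BSD_FW2 policy from the thread, with $ext_if = em0, $int_if = em1 (assumed)."""
    return Firewall(
        skip={"lo0", "enc0", "em1"},
        rules=[
            Rule("block"),                                                   # block drop all
            Rule("pass", "in", "em0", "esp", FW2_EXT, keep_state=True),      # proto esp
            Rule("pass", "in", "em0", "udp", FW2_EXT, 500, keep_state=True), # port = isakmp
        ],
    )


def ipsec_walkthrough() -> Dict[str, str]:
    """Replay a NATed XP client's traffic against BSD_FW2 and collect the verdicts."""
    fw = build_fw2()
    return {
        "isakmp_in":  fw.filter(Packet("em0", "in",  "udp", XP_NATED, FW2_EXT, 500, 500)),
        "isakmp_out": fw.filter(Packet("em0", "out", "udp", FW2_EXT, XP_NATED, 500, 500)),
        "esp_in":     fw.filter(Packet("em0", "in",  "esp", XP_NATED, FW2_EXT)),
        "esp_out":    fw.filter(Packet("em0", "out", "esp", FW2_EXT, XP_NATED)),
        # NAT-T (UDP 4500) has no pass rule here, so an SP2 client behind NAT would stall
        "natt_in":    fw.filter(Packet("em0", "in",  "udp", XP_NATED, FW2_EXT, 4500, 4500)),
        # unrelated inbound traffic falls through to 'block drop all'
        "ssh_in":     fw.filter(Packet("em0", "in",  "tcp", XP_NATED, FW2_EXT, 40000, 22)),
    }


if __name__ == "__main__":
    for name, verdict in ipsec_walkthrough().items():
        print(f"{name:11s} {verdict}")
```

Two things worth noting from the run: the outbound ISAKMP and ESP replies pass only because the inbound rules created state, so BSD_FW2 as written can answer the client but cannot initiate a tunnel itself (a fresh evaluator blocks the first outbound ESP packet), and UDP 4500 is dropped, which matters once the client side is an SP2 box doing NAT-T rather than the pre-SP2 XP in Petr's test.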



Re: Win XP VPN

2005-08-31 Thread Nino Margetic

so I introduced a fw in front of the XP workstation. Topology as follows:

XP -- BSD_FW1 -- BSD_FW2 -- BSD_Server

- XP (ipsec client) connects through BSD_FW2 (ipsec GW) to BSD_Server just fine.
- XP and BSD_FW2 are set up according to my document mentioned earlier
- XP's IP address is nated on BSD_FW1 to external interface IP address


*** Perhaps there was a misunderstanding. When I asked:


 Just one question: how do you firewall your WinXP machine? Or is it
 just fully open (i.e. no firewall at all)??


I meant if you had any kind of firewall active _within_ your WinXP 
installation - not an extra box in front. Namely, I was thinking in terms 
of roaming WinXP clients (where carrying an extra OpenBSD box as a 
firewall is not an option).


In other words, my primary interest was in obtaining the rules that permit 
IPsec traffic for either the native WinXP firewall or some other 
(software) firewall product that runs on WinXP.


--Nino



Re: Win XP VPN

2005-08-31 Thread Petr Ruzicka
Oh I see, my previous message was meant as an answer to the original message
from Steve Murdoch.

XP with SP2 firewall on needs rules at all. If you have any other
firewall you basically need to allow esp protocol and udp port 500
(isakmp) to your IPSec GW and vice versa.
Regards

Petr R.

On 8/31/05, Nino Margetic [EMAIL PROTECTED] wrote:
  so I introduced a fw in front of the XP workstation. Topology as follows:
 
  XP -- BSD_FW1 -- BSD_FW2 -- BSD_Server
 
  - XP (ipsec client) connects through BSD_FW2 (ipsec GW) to BSD_Server just 
  fine.
  - XP and BSD_FW2 are set up according to my document mentioned earlier
  - XP's IP address is nated on BSD_FW1 to external interface IP address
 
 *** Perhaps there was a misunderstanding. When I asked:
 
   Just one question: how do you firewall your WinXP machine? Or is it
   just fully open (i.e. no firewall at all)??
 
 I meant if you had any kind of firewall active _within_ your WinXP
 installation - not an extra box in front. Namely, I was thinking in terms
 of roaming WinXP clients (where carrying an extra OpenBSD box as a
 firewall is not an option).
 
 In other words, my primary interest was in obtaining the rules that permit
 IPsec traffic for either the native WinXP firewall or some other
 (software) firewall product that runs on WinXP.
 
 --Nino



Re: Win XP VPN

2005-08-28 Thread Petr Ruzicka
Just to let you know, I spent the better part of the night configuring my old
setup in VMWare machines and everything works as expected.
I will try to add NATing if I find time.
Best regards

Petr R.

On 8/23/05, Steve Murdoch [EMAIL PROTECTED] wrote:
 Hi all.
 
 I have several sites linked with ipsec on 3.7 release. Everything works
 great.
 
 I have tried to add some remote win xp machines into the mix using the howto
 
  http://openbsd.cz/~pruzicka/vpn.html
 
 without any joy. The WinXP in my test case is behind a NAT router; will
 this cause me grief?
 
 Secondly has anyone found an ipsec client that will work with pocket pc
 2003 connecting to openbsd ?
 
 I guess thirdly, is poptop under openbsd recommended ?
 
 Any other thoughts or recommendations appreciated.
 
 
 Steve



Re: Win XP VPN

2005-08-23 Thread Stuart Henderson

--On 23 August 2005 20:15 +1000, Steve Murdoch wrote:


without any joy. The WinXP in my test case is behind a NAT router;
will this cause me grief?


If the router has nat helpers for ipsec (e.g. speedtouch), try 
disabling them in case they interfere. Otherwise, you'll need to give 
some more information - isakmpd debug output, tcpdump traces, errors 
logged on Windows side, attempted config, router type, etc.



I guess thirdly, is poptop under openbsd recommended ?


If you're looking for an easier-to-configure alternative to ipsec, try 
OpenVPN instead - all you need is a single UDP port or, if really 
pushed, TCP, and it's a lot saner than PPTP.




Re: Win XP VPN

2005-08-23 Thread Jonathan Weiss
As OpenVPN was mentioned before, I've written a HOWTO here:

http://blog.innerewut.de/articles/2005/07/04/openvpn-2-0-on-openbsd

It is very easy to configure and supports Unix, Win, and OS X.


Jonathan

--
Jonathan Weiss
http://blog.innerewut.de



Re: Win XP VPN

2005-08-23 Thread knitti
hi, 

On 8/23/05, Steve Murdoch [EMAIL PROTECTED] wrote:
 I have tried to add some remote win xp machines into the mix using the howto
 
  http://openbsd.cz/~pruzicka/vpn.html
 
 without any joy. 

(the site isn't available to me at the moment). I've managed to connect
Win2k and WinXP machines to OpenBSD 3.5 and 3.7 routers.
IP connectivity only, e.g. I wasn't able to log in to an Active Directory on the
other side. *I think* part of this problem is that Active Directory does quite
a bit with dynamic DNS, and I didn't want to have every DNS request
via this IPSec session. But to get back on topic, yes it's possible and
works well with TCP/IP ;)

 the WinXP in my test case is behind a NAT router; will
 this cause me grief?

this is possible. 

 I guess thirdly, is poptop under openbsd recommended ?

I tried it, and it works. I didn't try to integrate it into an Active
Directory, but I see (technically) no hard reason why it shouldn't work.

 
 Any other thoughts or recommendations appreciated.

be more detailed about what you are trying to do ;)

--knitti