Do you get an error mesage on the XP client? Do you have a VPN client installed on your machine (this will break native IPSec), or did you have one installed before?
Basically, for Windows XP and PSK, the following settings need to be done: - Networking: Type of VPN = L2TP IPSec VPN - Security: *Disable* "Require data encryption" - Security: set PSK in "IPSec Settings"
Concerning MS_DEFAULT: there is a bug in the backup converter for importing ASLv4 backups. The MS_DEFAULT policy gets erased by the import. You can either add it manually afterwards (see my previous post) or wait for the next Up2Date, which contains a fix for this issue.
Hi Simon, here are is a short description of my settings, i got it working with preshared-keys and NAT: - First create a new network-connection on XP - As connection-type choose: Connection with network at work - Then select VPN-connection - Name the connection - Choose if you want to establish a connection to the internet before - Enter the IP for your Gateway, the external IP of your ASL - Now choose for own use - Now do a rightclick on the new connection -->choose Properties - On the tab "Options" activate "Ask for Name,Password,certificate..." -I deactivated "include Windows-domain" -On the tab security i chose under security-options "Advanced(custom settings) and then under -->settings i set encryption to optional (because IPsec encrypts already) I activated as Protocols CHAP,MS-CHAP,MS-CHAP v2. Back on the front tab choose IPsec-settings and activate and enter the PSK you have on the ASL as well Under the tab network make sure that as VPN-Type "L2TP-IPsec-VPN" is selected. That's it on the client side. On the ASL config for Preshared Keys is easy: -Choose a new IPsec-connection -Type: MS L2TP over IPsec -L2TP-Encapsulation is automatically enabled -Enter your PSK L2TP over IPsec-Settings: As Authentication-Method i selected local users , therefore you have to create under ->Definitions ->User your users with proper rights. L2TP over IPsec-IP-Pool: As IP-Pool i selected the default predefined IPsec-Pool L2TP over IPsec client parameters: Enter your WINS and DNS-Server from LAN Finally enable NAT-T under Advanced-IPsec-options For using certificates on the client you just have to import the certificate properly and deactivate PSK-Authentication under IPsec-settings. But on the Astaro there is more to do because you need to configure your connection manually and not to select the predefined type MS-L2TP (it only works with PSKs). So far, Jan
I still have some issues here with my setup using PSKs. I can connect to the ASL and create a tunnel and even ping hosts on the remote subnet. But windows shares from the fileserver arent available at the moment. On the ASL i specified my WINS and DNS-Server but apparently that`s not sufficient. If anybody can give me a hint on that i would be thankful.
have you checked the packet filter rules? Per default, traffic is not permitted. You can either use the "IPSec-Pool" object or the L2TP User objects for packet filtering,
Hi Stephan, Now i got L2TP over IPsec with authentification over certificates working! If there is interest i can post a small HOWTO. My main problem was due to a misbehaviour of stinky windows as mentioned at: http://www.strongsec.com/freeswan/install.htm#section_9.5 However the clue is when generating a host-certificate on the ASL to choose Distinguished Name(DN) as VPN-ID! Yes i think the missing packet-filter rule is the reason for my remaining problem with windows shares. I have added a new rule and in the evening i will do some testing again. Thanks for your assistance on that subject Stephan!
Hi Stephan, Now i got L2TP over IPsec with authentification over certificates working! If there is interest i can post a small HOWTO. My main problem was due to a misbehaviour of stinky windows as mentioned at: http://www.strongsec.com/freeswan/install.htm#section_9.5 However the clue is when generating a host-certificate on the ASL to choose Distinguished Name(DN) as VPN-ID! Yes i think the missing packet-filter rule is the reason for my remaining problem with windows shares. I have added a new rule and in the evening i will do some testing again. Thanks for your assistance on that subject Stephan!
Ok here is what i did to configure L2TP over IPsec with certificates:
The client configuration on W2K/XP is as described above for PSKs just deactivate under -->Security-->IPsec-settings the authentication via PSKs then Windows automatically searches for certificates. Of course you have to import the certificate that you created with your CA. When you create the certificate on the ASL make sure to select DN (Distinguished Name) as VPN-ID and leave the right field blank (it is filled automatically)! To import the certificate correctly follow this instructions: http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html#ImportingCertificates Now configure the ASL-side: - Create a new IPsec-Connection - choose Roadwarrior as type - activate L2TP-encapsulation - as policy choose MS-DEFAULT if MS-DEFAULT is not predefined,here the settings: Encryption Algorithm: 3DES 168bit Authentication Algorithm: SHA1 160 bit IKE DH group: DH Group X (MODP2048) SA Lifetime: 28800 IPsec settings: Encryption Algorithm: 3DES-CBC 168bit Enforce Algorithms: Off Authentication Algorithm: MD5 160bit SA lifetime: 3600 PFS: No PFS Compression: Off - Now you can select your remote-key-object for the connection - Finally you have to add Packetfilter-rules to allow traffic between the IPsec-Pool-Network and your internal network. And if you want your remote-clients to have internet-access through the firewalled-office-network you have to add a masquerading rule for the IPsec-Pool-IPs. That`s it! At the momentthe connection works, pings too but i am still facing a problem with windows shares with my configuration and i would be glad for some reports on that issue! Jan
After changing my packetfilter-rule on the ASL everything is working 100%, L2TP over IPsec, with NAT and with authentication through certificates. I selected as source for my allow-rule the IPsec-pool instead of the remote-key-object. That fixed my problems.
