
IPSec WinXP interop



Hi all,

My first post here - long time d-u subscriber.  I'm trying to set up a
VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
router.  I want to use X.509 certificates rather than PSKs.

So I've installed freeswan and l2tpd on the router.  There is quite a
bit of documentation out there and I have read:
http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html and
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html.  Not to mention
http://www.natecarlson.com/linux/ipsec-x509.php.

I'm running Woody, hence:
Package: freeswan
Version: 1.96-1.4
I heard that Woody l2tpd (0.67) wouldn't work, so I downloaded and
built 0.69.

I have created a .p12 certificate, which I have successfully imported
into XP.  It's valid.  The XP VPN connection is set up properly (e.g.
CHAP on, no PPTP etc.)

But I still can't connect, and I'm sure it's somewhere in the l2tpd/ppp
config that I have a problem.  The firewall does run iptables, but I've
disabled it and tried, with the same results.  I'm confident that I've
altered the iptables rules as specified in the docs.

Here are some of the relevant configs:

mailhost:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
roadwarrior     *        roadwarrior     *

mailhost:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for
        # lots.
        klipsdebug=all
        plutodebug=all
        # Use auto= parameters in conn descriptions to control startup
        # actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly
# chosen)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn mailhost-rw
        left=<firewall public IP>
        leftcert=mailhostCert.pem
        leftnexthop=<what it says!>
        leftsubnet=10.0.0.0/8
        right=%any
        auto=add
        keyingtries=1
        pfs=yes

mailhost:~# cat /etc/l2tp/l2tpd.conf
; Sample l2tpd.conf
;
[global]
; listen-addr = 192.168.1.98

[lns default]
ip range = 10.100.100.1-10.100.100.100
local ip = 10.100.100.101
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

mailhost:~# cat /etc/ppp/options.l2tpd
ipcp-accept-local
ipcp-accept-remote
auth
crtscts
idle 1800
debug
lock
proxyarp
connect-delay 5000

When I try to log in, I get "Error 792: The L2TP connection attempt
failed because security negotiation timed out."  I don't get any
"verifying username..." message.

Nothing in /var/log appears to be of much use.  There's lots of klips
stuff which is very verbose, but nothing sticks out.

Any insight would be much appreciated.  I must admit I'm still a little
unclear on how the whole idea works, but I believe that IPSec receives the
connection, then calls l2tpd, which starts ppp.  I can post more config
/ debug if needed.

A
-- 
Documentation - http://www.debian.org/doc/
FAQ - http://www.debian.org/doc/FAQ/
Install manual (i386) - http://www.debian.org/releases/stable/i386/install
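Error 792 ("security negotiation timed out") is reported by the Windows client before any L2TP or PPP traffic is exchanged, so the first place to look is pluto's own log rather than l2tpd's. The script below is an added example, not part of the original post or of FreeS/WAN: it walks a pluto syslog extract and reports the last IKE milestone reached (Main Mode started, ISAKMP SA established, IPsec SA established) together with any pluto error lines, and prints a general hint for that stage. The sample log is constructed, the message wordings follow what pluto logs in FreeS/WAN and Openswan but should be treated as an assumption for your version, and the hints are general L2TP/IPsec guidance rather than anything stated on the page.

```python
import re
import sys

# Constructed sample, not taken from the original post. Message texts follow
# the wording pluto (FreeS/WAN, Openswan) writes to syslog; treat the exact
# format as an assumption and adjust the patterns to your own log.
SAMPLE_LOG = """\
Jan 10 12:00:01 mailhost pluto[1234]: packet from 203.0.113.7:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY]
Jan 10 12:00:01 mailhost pluto[1234]: "mailhost-rw"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7
Jan 10 12:00:02 mailhost pluto[1234]: "mailhost-rw"[1] 203.0.113.7 #1: sent MR3, ISAKMP SA established
Jan 10 12:00:02 mailhost pluto[1234]: "mailhost-rw"[1] 203.0.113.7 #1: cannot respond to IPsec SA request because no connection is known for 10.0.0.0/8===198.51.100.1...203.0.113.7:17/1701
"""

# Milestones in the order a successful L2TP/IPsec connection passes through.
# A later milestone implies the earlier ones, so we keep the highest seen.
MILESTONES = [
    ("phase1_started", re.compile(r"responding to Main Mode")),
    ("phase1_done",    re.compile(r"ISAKMP SA established")),
    ("phase2_done",    re.compile(r"IPsec SA established")),
]

# Error fragments worth surfacing verbatim; the text after the match start
# is what the admin has to act on (assumed pluto wordings).
ERROR_PATTERNS = [
    re.compile(r"no connection is known for .*"),
    re.compile(r"no RSA public key known for .*"),
    re.compile(r"unable to locate my private key.*"),
    re.compile(r"max number of retransmissions.*"),
    re.compile(r"no suitable connection for peer .*"),
]

# General guidance per stage; these are the example author's hints, not
# statements from the post.
HINTS = {
    "nothing": "pluto never saw IKE (UDP/500) from the client: check that "
               "interfaces=%defaultroute picked the public interface and that "
               "UDP/500 is not filtered on the way in.",
    "phase1_started": "Main Mode began but no ISAKMP SA was established: a "
                      "certificate or identity problem (CA not trusted on one "
                      "side, wrong ID, clock skew making the cert invalid).",
    "phase1_done": "IKE Phase 1 is fine and Quick Mode failed. A Windows "
                   "L2TP client asks for a transport-mode SA covering "
                   "UDP/1701 only, so the conn must match those selectors "
                   "rather than a LAN subnet.",
    "phase2_done": "IPsec is up, so Error 792 is unlikely from here. Look at "
                   "l2tpd/pppd, and check that UDP/1701 is accepted on the "
                   "ipsec0 interface (decrypted traffic) and nowhere else.",
}


def diagnose(log_text):
    """Return the last IKE milestone reached plus any pluto errors seen."""
    rank = 0
    errors = []
    for line in log_text.splitlines():
        for i, (_name, pat) in enumerate(MILESTONES, 1):
            if pat.search(line):
                rank = max(rank, i)
        for pat in ERROR_PATTERNS:
            m = pat.search(line)
            if m:
                errors.append(m.group(0))
    stage = MILESTONES[rank - 1][0] if rank else "nothing"
    return {"stage": stage, "errors": errors, "hint": HINTS[stage]}


if __name__ == "__main__":
    # Usage: python diagnose_pluto.py [/var/log/auth.log]; with no argument
    # the constructed sample above is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = diagnose(text)
    print("last milestone:", result["stage"])
    for err in result["errors"]:
        print("pluto error:   ", err)
    print("hint:", result["hint"])
```

On the constructed sample the script reports that Phase 1 completed and that pluto rejected the Quick Mode request for the client's `:17/1701` selectors, which is the point at which the Windows client times out with Error 792. The `phase2_done` hint carries the security caveat: with KLIPS, decrypted packets appear on `ipsec0`, so the iptables rules should accept UDP/1701 only on that interface and drop it elsewhere; otherwise l2tpd would answer cleartext L2TP from anyone and the "VPN" would offer no more than CHAP.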