IPSec WinXP interop
My first post here - long time d-u subscriber. I'm trying to set up a
VPN where WinXP roadwarriors can access a LAN that sits behind a Linux
router. I want to use X.509 certificates rather than PSKs.
So I've installed freeswan and l2tpd on the router. There is quite a
bit of documentation out there and I have read:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html. Not to mention
I'm running Woody, hence:
I heard that Woody l2tpd (0.67) wouldn't work, so I downloaded and
I have created a .p12 certificate, which I have successfully imported
into XP. It's valid. The XP VPN connection is set up properly (e.g.
CHAP on, no PPTP etc.)
But I still can't connect, and I'm sure it's somewhere in the l2tpd/ppp
config that I have a problem. The firewall does run iptables, but I've
disabled it and tried, with the same results. I'm confident that I've
altered the iptables rules as specified in the docs.
Here are various configs:
mailhost:~# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
roadwarrior * roadwarrior *
mailhost:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
# Debug-logging controls: "none" for (almost) none, "all" for
# Use auto= parameters in conn descriptions to control startup
# Close down old connection when new one using same ID shows up.
# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly
left=<firewall public IP>
leftnexthop=<what it says!>
mailhost:~# cat /etc/l2tp/l2tpd.conf
; Sample l2tpd.conf
; listen-addr = 192.168.1.98
ip range = 10.100.100.1-10.100.100.100
local ip = 10.100.100.101
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
mailhost:~# cat /etc/ppp/options.l2tpd
When I try to log in, I get "Error 792: The L2TP connection attempt
failed because security negotiation timed out." I don't get any
"verifying username..." message.
Nothing in /var/log appears to be of much use. There's lots of klips
stuff which is very verbose, but nothing sticks out.
Any insight would be much appreciated. I must admit I'm still a little
unclear how the whole idea works, but I believe that IPSec receives the
connection, then calls l2tpd, which starts ppp. I can post more config
/ debug if needed.
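As an added example, not code from the original post, here is a small Python checker that parses constructed copies of the l2tpd.conf and chap-secrets fragments quoted above and cross-checks them: the server's `local ip` must sit outside the client `ip range`, the `name` l2tpd hands to pppd must be matched by a chap-secrets server column (`*` or the exact name), and a CHAP secret equal to the login is flagged as weak. It assumes the quoted fragments are complete with respect to the keys it reads.

```python
import ipaddress

# Constructed copies of the two fragments quoted in the post (not a real deployment).
L2TPD_CONF = """\
; Sample l2tpd.conf
; listen-addr = 192.168.1.98
ip range = 10.100.100.1-10.100.100.100
local ip = 10.100.100.101
require chap = yes
refuse pap = yes
require authentication = yes
name = VPNserver
"""
CHAP_SECRETS = """\
# client server secret IP addresses
roadwarrior * roadwarrior *
"""

def parse_l2tpd_conf(text):
    """l2tpd.conf: ';' comments, optional [section] headers, 'key = value'."""
    opts = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts

def parse_chap_secrets(text):
    """chap-secrets rows: client server secret [ip addresses]; '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def check_config(l2tpd_text, chap_text):
    """Cross-check the two files; returns a list of problem strings (empty = ok)."""
    opts = parse_l2tpd_conf(l2tpd_text)
    rows = [r for r in parse_chap_secrets(chap_text) if len(r) >= 3]
    problems = []
    lo, hi = (ipaddress.ip_address(a) for a in opts["ip range"].split("-"))
    local = ipaddress.ip_address(opts["local ip"])
    if lo <= local <= hi:  # the server's own address must not be handed to a client
        problems.append("local ip %s lies inside the client ip range" % local)
    server = opts.get("name", "")
    # pppd matches the server column against the name l2tpd passes it ('*' matches any)
    if not any(r[1] in ("*", server) for r in rows):
        problems.append("no chap-secrets row matches server name %r" % server)
    for r in rows:
        if r[2] == r[0]:  # a secret equal to the login is trivially guessable
            problems.append("chap-secrets: secret for %r equals the client name" % r[0])
    return problems
```

Run against the fragments as posted, the only finding is the weak CHAP secret; the address range and server name checks pass.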