
Re: IPSec WinXP interop



On Wed, Dec 24, 2003 at 01:40:46PM +0100, Jose Luis Domingo Lopez wrote:
> On Wednesday, 24 December 2003, at 00:49:31 +0000,
> Antony Gelberg wrote:
> 
> > When I try to log in, I get "Error 792: The L2TP connection attempt
> > failed because security negotiation timed out."  I don't get any
> > "verifying username..." message.
> > 
> Why do you need freeswan if you are trying to set up L2TP tunnels from
> the Windows box to your Linux box? FreeS/WAN is an implementation of
> the IPsec protocol suite, and as far as I know WXP has support by
> default for it, so maybe you could have better luck with this standard
> protocol than with the less one L2TP.

See http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#RemovingL2TP.
I'll quote it:
!Ad 6.6: By default, the IPsec client included with Windows 2000/XP,
!Pocket PC 2003 and MacOS Panther can only be used to tunnel L2TP. You
!might want to get rid of L2TP, so that you don't have to install an L2TP
!daemon on your Linux server. This leaves you with 'plain' IPsec.
!Unfortunately, this is very difficult to do manually.

> > Any insight would be much appreciated.  I must admit I'm still a little
> > unclear how the whole idea works, but I believe that IPSec receives the
> > connection, then calls l2tpd, which starts ppp.  I can post more config
> > / debug if needed.
> > 
> I could be way mistaken, but L2TP and IPsec (FreeS/WAN and others) are
> completely different and independent tunneling mechanisms, and so there
> is no mix between them. Configure just L2TP XOR IPsec.

From http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html:
!As mentioned on one of those webpages, Windows 2000/XP can be configured
!to use IPsec without L2TP. See Nate Carlson's webpage for that. This
!page, however, is about using IPsec with L2TP.

I must admit that I didn't spot this first time around.  I'm happy to
get rid of l2tpd and ppp, even though it's frustrating not having got it
to work that way.  

It seems that configuring XP to use vanilla IPSec is a pain, see
http://www.snapgear.com/ftp/snapgear/documentation/IPSec/SnapGear_with_Win2k.pdf.
There is a third-party tool available at http://vpn.ebootis.de/ that
takes care of this - I was hoping to avoid any third-party software, but
it looks like it could make my life much easier.

I'll post my findings.

A

-- 
Now playing: Genesis - Down and Out


