I have located the HOWTO for connecting a Win2k system to a Linux freeswan
gateway, but can't get it to work. In fact ipsec.exe is not triggering any
IP traffic out of the Win2k box at all.
I have a Win2k (SP3) machine with address 192.168.0.2 at home, connected to
the public internet via a firewall/router with internal address 192.168.0.1
and a public external address (say: 80.1.1.1). I am trying to connect to a
freeswan system also on the 'net' and have installed the ipsecpol and ipsec,
and created an ipsec.conf file.
Desktop (192.168.0.2) -->
HUB -->
(192.168.0.1) Router (80.1.1.1) -->
Public Internet -->
(90.1.1.1) Freeswan (10.10.254.2) -->
Office network (10.10.254.*)
(Addresses changed to protect the innocent)
For debug I have connected another machine to the hub to run tcpdump on, for
watching the low-level network traffic. When I run IPSEC on the desktop, it
creates no traffic on the LAN, but when I ping 10.10.254.3 (a machine on
the office network), I see the ping packets crossing the LAN as real ICMP
addressed to the target IP (I would expect to see IPSec traffic instead).
So the problem (currently) is that nothing is coming OUT of the desktop. I
have turned OFF all Win2k firewalling by the way.
The ipsec.conf file is...
conn KDI
left=%any
right=90.1.1.1
rightsubnet=10.10.254.0/255.255.0.0
presharedkey=verysecret
network=lan
auto=start
pfs=yes
The IPSEC.exe output is...
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows 2000 identified
Host name is: CHRIS_LOWTH
LAN IP address: 192.168.0.2
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
Connection KDI:
MyTunnel : 192.168.0.2
MyNet : 192.168.0.2/255.255.255.255
PartnerTunnel: 90.1.1.1
PartnerNet : 10.10.254.0/255.255.0.0
CA (ID) : Preshared Key ******************
PFS : y
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Activating policy...
I also found that the "IP Sec Agent" was disabled in the "service" control
panel, so I have enabled it and can confirm that it starts when IPSEC.exe
runs (but still no traffic out of the desktop).
Any ideas?
Chris
--
My real address is: chris at lowth dot sea oh em
-> OpenSource e-mail virus protection : http://protector.sourceforge.net
-> iptables configuration wizards : http://www.lowth.com/LinWiz
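Added example, not part of Chris's post and not code from ipsec.exe or FreeS/WAN: a small Python checker for the two things worth verifying in a report like this one. It parses a conn block in the ipsec.conf style shown above, flags a rightsubnet whose network address is not aligned to its mask (10.10.254.0 under 255.255.0.0 is effectively 10.10.0.0/16, which the checker reports as a finding, not as a diagnosis), checks that the local address does not fall inside the remote subnet, and classifies tcpdump-style lines so that cleartext packets to the protected subnet, the symptom described in the post, are listed explicitly. SAMPLE_CONF copies the posted values; SAMPLE_CAPTURE is a constructed capture that deliberately mixes cleartext, ISAKMP and ESP lines so every branch of the classifier is exercised.

```python
import ipaddress
import re

# Constructed sample: the conn block from the post above, embedded as text.
SAMPLE_CONF = """\
conn KDI
left=%any
right=90.1.1.1
rightsubnet=10.10.254.0/255.255.0.0
presharedkey=verysecret
network=lan
auto=start
pfs=yes
"""

# Constructed tcpdump-style lines (not a real capture): one cleartext ping to the
# protected subnet, one IKE exchange to the gateway, one ESP packet to the gateway.
SAMPLE_CAPTURE = [
    "192.168.0.2 > 10.10.254.3: icmp: echo request",
    "192.168.0.2.500 > 90.1.1.1.500: isakmp: phase 1 I ident",
    "192.168.0.2 > 90.1.1.1: ESP(spi=0x0000abcd,seq=0x1)",
]


def parse_conns(text):
    """Parse 'conn NAME' blocks of key=value lines into {name: {key: value}}."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def check_subnet(spec):
    """Return a list of problems with an 'addr/mask' spec; an empty list means it is clean."""
    addr_text, sep, _ = spec.partition("/")
    if not sep:
        return [f"{spec!r} has no mask"]
    try:
        addr = ipaddress.ip_address(addr_text)
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError as exc:
        return [f"unparseable subnet {spec!r}: {exc}"]
    if addr != net.network_address:
        # Host bits are set: the address is not the start of the block its mask describes.
        return [f"network address {addr} is not aligned to mask {net.netmask}; "
                f"the effective subnet is {net.with_prefixlen}"]
    return []


def classify_line(line, remote_net):
    """Classify one tcpdump-style line as 'isakmp', 'esp', 'cleartext' (to the
    protected subnet) or 'other'. Only the formats in SAMPLE_CAPTURE are recognised."""
    if "isakmp" in line:
        return "isakmp"
    if "ESP(" in line:
        return "esp"
    m = re.match(r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:", line)
    if m and ipaddress.ip_address(m.group(2)) in remote_net:
        return "cleartext"
    return "other"


def audit(conf_text, capture_lines, conn_name, local_ip):
    """Combine the config checks with the capture classification for one conn."""
    conn = parse_conns(conf_text)[conn_name]
    remote_net = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    findings = {"subnet_problems": check_subnet(conn["rightsubnet"]),
                "cleartext": [], "isakmp": 0, "esp": 0}
    if ipaddress.ip_address(local_ip) in remote_net:
        findings["subnet_problems"].append(
            f"local address {local_ip} lies inside rightsubnet {remote_net.with_prefixlen}")
    for line in capture_lines:
        kind = classify_line(line, remote_net)
        if kind == "cleartext":
            findings["cleartext"].append(line)
        elif kind in ("isakmp", "esp"):
            findings[kind] += 1
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_CONF, SAMPLE_CAPTURE, "KDI", "192.168.0.2")
    for problem in result["subnet_problems"]:
        print("config:", problem)
    for line in result["cleartext"]:
        print("cleartext to protected subnet:", line)
    print(f"isakmp packets: {result['isakmp']}, esp packets: {result['esp']}")
```

Run against the posted values, the checker reports the mask alignment finding and lists the plain ICMP echo as cleartext to the protected subnet; a healthy run would show ISAKMP followed by ESP and an empty cleartext list.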