Windows is assumed to be Windows XP with at least SP2 installed. [43]
There is no easy way of automating these steps. Take care, because it is easy to make a mistake.
From the Start menu run certmgr.msc. Note that certmgr.msc opens the current user's certificate store; IPsec authenticates with the computer's own certificate, so if the connection does not pick up the certificates later, repeat the import in mmc with the Certificates snap-in added for the Computer account.
Under Certificates, right-click on Trusted Root Certification Authorities. From All Tasks choose Import.
Click Next.
Browse to select the Personal Information Exchange certificate CAcert.p12. Click Next.
Type in the password. Marking the key as exportable is not needed for IPsec. A .p12 normally carries the private key as well, and the CA's private key has no business on a client machine, so if you have the CA certificate on its own (.cer or .pem) import that instead of the .p12. Click Next.
Place all certificates in the Trusted Root Certification Authorities store. Click Next; click Finish.
Verify that the certificate is listed under Trusted Root Certification Authorities.
Under Certificates, right-click on Personal. From All Tasks choose Import.
Click Next.
Browse to select the Personal Information Exchange certificate for this computer (bor.vonk.p12). Click Next.
Type in the password. Marking the key as exportable is optional; leave it off unless the key must be moved to another machine later. Click Next.
Place all certificates in the Personal store. Click Next; click Finish.
Verify that the certificate displays correctly and that the Root CA is known: open the certificate and check that the Certification Path tab shows the CA above it and reports that the certificate is OK.
If your personal certificate is correctly signed, it will then be used to authenticate the ISAKMP (IKE phase 1) negotiation. If you are having trouble, run racoon in the foreground with debugging on the SISO router (racoon -F -d); it prints the whole certificate it receives in the debug output, so you can see which subject and issuer the client actually presented.
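Before trusting the import, check the chain on the router side. The following Python is an added example, not code from the original page: it builds a throwaway CA and client certificate with the openssl command line (the names Example CA, Unrelated CA and client.example and the password secret are made up), bundles the client certificate into a .p12 the way bor.vonk.p12 is used above, extracts the certificate again without its key, and verifies that it chains to the CA, which is exactly what the Trusted Root store on the client and racoon on the router both have to be able to do. It assumes an openssl binary (1.1.1 or later) on the PATH.

```python
"""Chain check for a .p12 client certificate against its CA, using the
openssl command line.  Added example; all names and the password are made up."""
import subprocess
import tempfile
from pathlib import Path

# Minimal req config so the CA certificate is a real CA regardless of the
# system openssl.cnf (basicConstraints and keyUsage are what verifiers check).
CA_CONF = """[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
"""


def _openssl(*args, stdin=None):
    """Run one openssl subcommand; returns the CompletedProcess, never raises."""
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, text=True)


def _must(result):
    if result.returncode != 0:
        raise RuntimeError(result.stderr.strip())
    return result


def make_test_pki(workdir, password="secret"):
    """Constructed PKI: Example CA, a client certificate it signed, a .p12 of
    that client (what the Windows import wizard reads) and an Unrelated CA
    to show what a broken chain looks like.  Returns the file paths."""
    d = Path(workdir)
    conf = d / "req.cnf"
    conf.write_text(CA_CONF)
    for stem, cn in (("ca", "Example CA"), ("other", "Unrelated CA")):
        _must(_openssl("req", "-x509", "-config", str(conf), "-newkey", "rsa:2048",
                       "-nodes", "-keyout", str(d / f"{stem}.key"),
                       "-out", str(d / f"{stem}.crt"), "-days", "2",
                       "-subj", f"/O=Example/CN={cn}"))
    _must(_openssl("req", "-config", str(conf), "-newkey", "rsa:2048", "-nodes",
                   "-keyout", str(d / "client.key"), "-out", str(d / "client.csr"),
                   "-subj", "/O=Example/CN=client.example"))
    _must(_openssl("x509", "-req", "-in", str(d / "client.csr"),
                   "-CA", str(d / "ca.crt"), "-CAkey", str(d / "ca.key"),
                   "-CAcreateserial", "-days", "2", "-out", str(d / "client.crt")))
    _must(_openssl("pkcs12", "-export", "-in", str(d / "client.crt"),
                   "-inkey", str(d / "client.key"), "-certfile", str(d / "ca.crt"),
                   "-name", "client.example", "-out", str(d / "client.p12"),
                   "-passout", f"pass:{password}"))
    return {"ca": str(d / "ca.crt"), "other_ca": str(d / "other.crt"),
            "p12": str(d / "client.p12")}


def p12_client_cert(p12, password):
    """Return the end-entity certificate (PEM) from the .p12, or None if the
    password is wrong.  -clcerts -nokeys: only the client cert, never the key."""
    r = _openssl("pkcs12", "-in", p12, "-clcerts", "-nokeys",
                 "-passin", f"pass:{password}")
    if r.returncode != 0:
        return None
    start = r.stdout.find("-----BEGIN CERTIFICATE-----")  # skip 'Bag Attributes'
    return r.stdout[start:] if start >= 0 else None


def subject_issuer(cert_pem):
    """Subject and issuer, as the Windows certificate viewer shows them."""
    r = _must(_openssl("x509", "-noout", "-subject", "-issuer", stdin=cert_pem))
    fields = {}
    for line in r.stdout.splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def chains_to(ca_crt, cert_pem):
    """True only if cert_pem validates against ca_crt: the check the Trusted
    Root store does on the client and racoon does with its CA file."""
    r = _openssl("verify", "-CAfile", ca_crt, stdin=cert_pem)
    return r.returncode == 0 and r.stdout.strip().endswith("OK")


def demo():
    """Build the throwaway PKI in a temporary directory and run the checks."""
    with tempfile.TemporaryDirectory() as d:
        pki = make_test_pki(d)
        pem = p12_client_cert(pki["p12"], "secret")
        return {
            "extracted": pem is not None,
            "wrong_password_rejected": p12_client_cert(pki["p12"], "wrong") is None,
            "chain_ok": chains_to(pki["ca"], pem),
            "other_ca_rejected": not chains_to(pki["other_ca"], pem),
            "issuer": subject_issuer(pem).get("issuer", ""),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run the same two checks (extract with -clcerts -nokeys, then openssl verify -CAfile) against the real CAcert.p12 and bor.vonk.p12 before importing them. One caveat for Windows XP: OpenSSL 3 writes .p12 files with AES and SHA-256 by default, which XP cannot read; export with the -legacy option when the file is destined for an XP client.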
Start the New Connection Wizard: click Start, Control Panel, then Network Connections (with the folders not displayed).
Click Create a new connection, and click Next.
Select Connect to the network at my workplace, and click Next.
Select Virtual Private Network connection, and click Next.
Enter a name for the connection (e.g. siso.vonk VPN), and click Next.
Enter the VPN server's static external IP address or host name (e.g. siso.vonk) [44], and click Next.
Select Add a shortcut to this connection to my desktop, and click Finish.
A Connect dialog box appears. Click Properties to continue the VPN configuration.
Select the Security tab. Unselect Require data encryption. This sounds odd, but that option asks for PPP-level (MPPE) encryption, and the PPP traffic is already carried inside IPsec ESP; leaving it on would only cause double encryption. (When using pre-shared keys (PSK) instead of certificates, click IPSec Settings and enter the PSK.)
Select the Networking tab. Change the Type of VPN to L2TP IPSec VPN; click OK.
In the Connect To window, enter the username and password (as in /etc/sysconfig/ppp/chap-secrets). Click Connect.
The syslog on the server for a Windows XP client connecting looks like shown below. The FRAGMENTATION entry is a vendor ID, not an error: the Windows client announces that it supports IKE fragmentation. That matters because phase 1 messages carrying certificates easily exceed the path MTU, and Path MTU Discovery cannot help UDP/500 when a firewall on the path drops the ICMP fragmentation-needed messages or the IP fragments themselves. Also note that the two ERROR lines about the generated policy appear even though this connection succeeded; the lines that show it did are ISAKMP-SA established, one IPsec-SA established per direction, l2tpd's Connection established, and pppd's local and remote IP address.
racoon: INFO: respond new phase 1 negotiation: 10.0.1.1[500]<=>10.0.1.100[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
racoon: INFO: received Vendor ID: FRAGMENTATION
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=US/ST=Oregon/L=Portland/O=Coert Vonk/CN=bor.vonk/emailAddress=cvonk@mail.vonk
racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=US/ST=Oregon/L=Portland/O=Coert Vonk/CN=Coert Vonk CA/emailAddress=coert.vonk@gma
racoon: INFO: ISAKMP-SA established 10.0.1.1[500]-10.0.1.100[500] spi:d030dba9e7ca741f:bc6758c8abd0400d
racoon: NOTIFY: the packet is retransmitted by 10.0.1.100[500].
racoon: INFO: respond new phase 2 negotiation: 10.0.1.1[0]<=>10.0.1.100[0]
racoon: INFO: Update the generated policy : 10.0.1.100/32[1701] 10.0.1.1/32[1701] proto=udp dir=in
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.100->10.0.1.1 spi=168974618(0xa12591a)
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.1->10.0.1.100 spi=2003034160(0x7763e030)
racoon: ERROR: such policy does not already exist: 10.0.1.100/32[1701] 10.0.1.1/32[1701] proto=udp dir=in
racoon: ERROR: such policy does not already exist: 10.0.1.1/32[1701] 10.0.1.100/32[1701] proto=udp dir=out
l2tpd[389]: control_finish: Connection established to 10.0.1.100, 1701. Local: 26759, Remote: 22. LNS session is 'default'
pppd[409]: pppd 2.4.3 started by root, uid 0
l2tpd[389]: control_finish: Call established with 10.0.1.100, Local: 27606, Remote: 1, Serial: 0
pppd[409]: Using interface ppp0
pppd[409]: Connect: ppp0 <--> /dev/ttyp0
pppd[409]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
pppd[409]: Cannot determine ethernet address for proxy ARP
pppd[409]: local IP address 10.0.3.1
pppd[409]: remote IP address 10.0.3.128
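The log above, reduced to the checks you run when a client does not connect. The following Python is an added example, not part of the original page: it parses a sample log constructed from the excerpt (syslog timestamp and host prefix removed, the certificate subjects shortened) and reports where the handshake stopped if it did not complete. The checks are made in the order of the log itself: phase 1, one ESP SA per direction, the L2TP tunnel, the PPP addresses.

```python
"""Reduce a racoon / l2tpd / pppd syslog excerpt to the facts you check when a
Windows client fails to connect.  Added example; the sample log is constructed
from the page's excerpt (prefixes stripped, certificate subjects shortened)."""
import re

SAMPLE_SYSLOG = """\
racoon: INFO: respond new phase 1 negotiation: 10.0.1.1[500]<=>10.0.1.100[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
racoon: INFO: received Vendor ID: FRAGMENTATION
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/O=Coert Vonk/CN=bor.vonk
racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/O=Coert Vonk/CN=Coert Vonk CA
racoon: INFO: ISAKMP-SA established 10.0.1.1[500]-10.0.1.100[500] spi:d030dba9e7ca741f:bc6758c8abd0400d
racoon: NOTIFY: the packet is retransmitted by 10.0.1.100[500].
racoon: INFO: respond new phase 2 negotiation: 10.0.1.1[0]<=>10.0.1.100[0]
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.100->10.0.1.1 spi=168974618(0xa12591a)
racoon: INFO: IPsec-SA established: ESP/Transport 10.0.1.1->10.0.1.100 spi=2003034160(0x7763e030)
racoon: ERROR: such policy does not already exist: 10.0.1.100/32[1701] 10.0.1.1/32[1701] proto=udp dir=in
racoon: ERROR: such policy does not already exist: 10.0.1.1/32[1701] 10.0.1.100/32[1701] proto=udp dir=out
l2tpd[389]: control_finish: Connection established to 10.0.1.100, 1701. Local: 26759, Remote: 22. LNS session is 'default'
l2tpd[389]: control_finish: Call established with 10.0.1.100, Local: 27606, Remote: 1, Serial: 0
pppd[409]: Connect: ppp0 <--> /dev/ttyp0
pppd[409]: local IP address 10.0.3.1
pppd[409]: remote IP address 10.0.3.128
"""

PATTERNS = {
    "phase1":     re.compile(r"respond new phase 1 negotiation: ([\d.]+)\[\d+\]<=>([\d.]+)\[\d+\]"),
    "vendor":     re.compile(r"received Vendor ID: (.+)$"),
    "crl":        re.compile(r"unable to get certificate CRL\(\d+\) at depth:(\d+) SubjectName:(.+)$"),
    "isakmp":     re.compile(r"ISAKMP-SA established .* spi:([0-9a-f]+:[0-9a-f]+)"),
    "retrans":    re.compile(r"the packet is retransmitted by"),
    "ipsec":      re.compile(r"IPsec-SA established: (\S+) ([\d.]+)->([\d.]+) spi=(\d+)"),
    "policy":     re.compile(r"such policy does not already exist: (.+)$"),
    "l2tp":       re.compile(r"control_finish: Connection established to ([\d.]+)"),
    "ppp_local":  re.compile(r"pppd\[\d+\]: local IP address ([\d.]+)"),
    "ppp_remote": re.compile(r"pppd\[\d+\]: remote IP address ([\d.]+)"),
}


def summarize(log_text):
    """One pass over the log; each field feeds one of the checks in problems()."""
    s = {"local": None, "peer": None, "vendor_ids": [], "nat_t": False,
         "crl_missing": [], "isakmp_spi": None, "retransmits": 0, "esp": {},
         "policy_errors": [], "l2tp_peer": None, "ppp_local": None, "ppp_remote": None}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "phase1":
                s["local"], s["peer"] = m[1], m[2]
            elif name == "vendor":
                vid = m[1].strip()
                s["vendor_ids"].append(vid)
                # draft-ietf-ipsec-nat-t-ike-* or RFC 3947: the client can do NAT traversal
                s["nat_t"] = s["nat_t"] or "nat-t" in vid.lower() or vid == "RFC 3947"
            elif name == "crl":
                s["crl_missing"].append((int(m[1]), m[2].strip()))
            elif name == "isakmp":
                s["isakmp_spi"] = m[1]
            elif name == "retrans":
                s["retransmits"] += 1
            elif name == "ipsec":
                s["esp"][f"{m[2]}->{m[3]}"] = (m[1], int(m[4]))  # (mode, SPI)
            elif name == "policy":
                s["policy_errors"].append(m[1].strip())
            elif name == "l2tp":
                s["l2tp_peer"] = m[1]
            elif name == "ppp_local":
                s["ppp_local"] = m[1]
            elif name == "ppp_remote":
                s["ppp_remote"] = m[1]
            break
    return s


def problems(summary):
    """Where the connection stopped, in handshake order; empty means it came up."""
    s, out = summary, []
    if s["peer"] is None:
        out.append("no phase 1 request seen: client never reached UDP/500 (firewall or wrong server address)")
        return out
    if s["isakmp_spi"] is None:
        out.append("phase 1 did not complete: certificate chain or PSK rejected; rerun racoon -F -d")
        return out
    inbound = [k for k in s["esp"] if k.endswith("->" + s["local"])]
    outbound = [k for k in s["esp"] if k.startswith(s["local"] + "->")]
    if not (inbound and outbound):
        out.append("phase 2 incomplete: expected one IPsec-SA per direction for UDP/1701")
    elif s["l2tp_peer"] is None:
        out.append("IPsec is up but no L2TP tunnel: check that l2tpd listens on UDP/1701")
    elif s["ppp_remote"] is None:
        out.append("L2TP is up but PPP assigned no address: check chap-secrets and the ip range")
    return out


def connected(summary):
    return not problems(summary) and summary["ppp_remote"] is not None


if __name__ == "__main__":
    s = summarize(SAMPLE_SYSLOG)
    print("peer", s["peer"], "NAT-T" if s["nat_t"] else "no NAT-T",
          "CRL warnings:", len(s["crl_missing"]), "retransmits:", s["retransmits"])
    print("connected" if connected(s) else problems(s))
```

The CRL warnings are recorded but not treated as failures: in the log above racoon could not fetch a CRL for either certificate and still established the SA, so they only tell you that revocation is not being checked.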
A tcpdump taken from another host on the network shows the IKE negotiation and then the ESP-encapsulated packets: six main-mode messages (the identities travel in the last, encrypted pair, marked [E]), three quick-mode messages, then ESP with one SPI per direction and sequence numbers counting up from 1:
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 1 I ident
IP siso.ext.vonk.isakmp > bor.vonk.isakmp: isakmp: phase 1 R ident
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 1 I ident
IP siso.ext.vonk.isakmp > bor.vonk.isakmp: isakmp: phase 1 R ident
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 1 I ident[E]
IP siso.ext.vonk.isakmp > bor.vonk.isakmp: isakmp: phase 1 R ident[E]
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 2/others I oakley-quick[E]
IP siso.ext.vonk.isakmp > bor.vonk.isakmp: isakmp: phase 2/others R oakley-quick[E]
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 2/others I oakley-quick[E]
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x1)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x2)
IP siso.ext.vonk > bor.vonk: ESP(spi=0x29979fea,seq=0x1)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x3)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x4)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x5)
IP siso.ext.vonk > bor.vonk: ESP(spi=0x29979fea,seq=0x2)
IP siso.ext.vonk > bor.vonk: ESP(spi=0x29979fea,seq=0x3)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x6)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x7)
IP siso.ext.vonk > bor.vonk: ESP(spi=0x29979fea,seq=0x4)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x8)
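The following Python is an added example, not part of the original page, that reads a capture in the format above: it counts the main-mode and quick-mode messages to tell whether IKE completed, and checks per SPI that the ESP sequence numbers strictly increase, which is what the receiver's anti-replay window enforces. Both captures in the block are constructed: the first repeats the beginning of the capture above, the second appends a repeated sequence number and a jump to show what a replayed or duplicated packet and packet loss look like.

```python
"""Read tcpdump lines of an IKE/ESP session: handshake completeness and ESP
sequence sanity per SPI.  Added example; both captures are constructed."""
import re

# Constructed from the capture above (shortened); same tcpdump line format.
SAMPLE_CAPTURE = """\
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 1 I ident
IP siso.ext.vonk.isakmp > bor.vonk.isakmp: isakmp: phase 1 R ident
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 1 I ident
IP siso.ext.vonk.isakmp > bor.vonk.isakmp: isakmp: phase 1 R ident
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 1 I ident[E]
IP siso.ext.vonk.isakmp > bor.vonk.isakmp: isakmp: phase 1 R ident[E]
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 2/others I oakley-quick[E]
IP siso.ext.vonk.isakmp > bor.vonk.isakmp: isakmp: phase 2/others R oakley-quick[E]
IP bor.vonk.isakmp > siso.ext.vonk.isakmp: isakmp: phase 2/others I oakley-quick[E]
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x1)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x2)
IP siso.ext.vonk > bor.vonk: ESP(spi=0x29979fea,seq=0x1)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x3)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x4)
IP siso.ext.vonk > bor.vonk: ESP(spi=0x29979fea,seq=0x2)
"""

# Constructed: the same flow with seq 3 repeated (a replay, or a duplicated
# capture) and seq 5 and 6 missing (loss on the path).
REPLAYED_CAPTURE = SAMPLE_CAPTURE + """\
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x3)
IP bor.vonk > siso.ext.vonk: ESP(spi=0x091e5c55,seq=0x7)
"""

IKE_RE = re.compile(r"^IP (\S+)\.isakmp > (\S+)\.isakmp: isakmp: "
                    r"phase (1|2/others) ([IR]) ([\w-]+)(\[E\])?$")
ESP_RE = re.compile(r"^IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)$")


def parse_capture(text):
    """Split tcpdump lines into IKE messages and ESP packets."""
    ike, esp = [], []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike.append({"src": m[1], "dst": m[2], "phase": m[3], "role": m[4],
                        "exchange": m[5], "encrypted": m[6] is not None})
            continue
        m = ESP_RE.match(line)
        if m:
            esp.append({"src": m[1], "dst": m[2], "spi": int(m[3], 16), "seq": int(m[4], 16)})
    return ike, esp


def ike_handshake_state(ike):
    """Main mode is six messages, identities travelling in the last two
    (encrypted, tcpdump's [E]); quick mode is three.  Fewer means it stalled."""
    main = [m for m in ike if m["phase"] == "1"]
    quick = [m for m in ike if m["phase"] == "2/others"]
    return {
        "main_mode_messages": len(main),
        "identity_protected": len(main) >= 6 and all(m["encrypted"] for m in main[4:6]),
        "quick_mode_messages": len(quick),
        "complete": len(main) >= 6 and len(quick) >= 3,
    }


def check_esp_sequences(esp):
    """Per SPI, ESP sequence numbers must strictly increase (the receiver's
    anti-replay window drops anything else).  A repeat is a replay or a
    capture duplicate; a jump is loss on the path."""
    per_spi = {}
    for p in esp:
        st = per_spi.setdefault(p["spi"], {"flow": f'{p["src"]}->{p["dst"]}',
                                           "packets": 0, "last": 0,
                                           "replays": [], "gaps": []})
        st["packets"] += 1
        if p["seq"] <= st["last"]:
            st["replays"].append(p["seq"])
        else:
            if p["seq"] != st["last"] + 1:
                st["gaps"].append((st["last"] + 1, p["seq"] - 1))
            st["last"] = p["seq"]
    return per_spi


def suspicious_spis(per_spi):
    """SPIs with replays or gaps, printed the way tcpdump shows them."""
    return [f"0x{spi:08x}" for spi, st in per_spi.items() if st["replays"] or st["gaps"]]


if __name__ == "__main__":
    ike, esp = parse_capture(REPLAYED_CAPTURE)
    print(ike_handshake_state(ike))
    for spi, st in check_esp_sequences(esp).items():
        print(f"0x{spi:08x} {st['flow']}: {st['packets']} packets, "
              f"replays={st['replays']}, gaps={st['gaps']}")
```

A replayed sequence number seen on the wire is not by itself an attack (tcpdump on a mirror port can see the same packet twice), but it is the one thing the ESP receiver is guaranteed to drop, so a client that reports traffic loss while the capture shows repeats is worth a closer look.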
[43] When you get Error 789: encountered processing error, verify that the IPsec stack is enabled: the IPSEC Services service must be running. A common cause is a third-party IPsec client that was installed and then uninstalled. Of course you could also use the third-party IPsec stack instead. See http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html.
[44] When the server has a dynamic IP address, you can use a dynamic DNS service such as http://no-ip.com and enter the host name instead.