We have been using freeswan on linux (slackware distribution) for a couple of
years now with great results. We use the vpn systems to connect several
offices around the country and most recently, an office in Japan. In the
past we were using IRE's SafeNet to connect individuals' PCs and/or laptops
to the office, but when I discovered that the version of SafeNet we were
using was not Win2K compatible we had to find some other solution.
I decided to try the ip security policy manager that ships with Win2k.
After a couple days of struggling with the MMC interface I eventually got
the connection set up. The instructions at
http://linux.nbs.at/ipsec/ipsec_practical_config.html are very helpful if
you want to do it the hard way.
The problem with setting up the security policies in this manner is that
they are static. The users will be dialing in to an ISP which means they
will have dynamic IP addresses, and they would have to go in and reconfigure
the security policies every time they connected to the internet. This was
not an option for most of our semi-computer-literate users.
That is when I ran across a post in a newsgroup that was explaining the use
of a tool called ipsecpol. It is a command-line-only interface that
provides commands to add, modify, delete, etc, security policies. You can
get more info and download the tool from Microsoft at
http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
The download includes an html help file with details that I will not get
into here.
I just wanted to share the commands that I have found to work for setting up
a vpn connection with freeswan using a pre-shared key.
There are two types of policies: dynamic and static. A dynamic policy will
no longer exist after the "IPSEC Policy Agent" system service gets stopped.
A static policy will get added to the registry and will be available for
editing using the MMC interface.
Dynamic policy for PC connected via ISP to connect to subnet behind freeswan
server...
You can create a script to run each time you dial in to the internet that
will run these commands with the appropriate (local) IP address. See script
below...
The following values are used for the example:
PC's (dynamic) IP address is 123.123.123.321
Freeswan is on server with IP address 200.321.321.11
Office subnet is 192.168.1.0/255.255.255.0
#This command is for traffic from the server to the PC
ipsecpol -f 192.168.1.*=0 -t 123.123.123.321 -1s 3DES-MD5-2 -n ESP[3DES,MD5]480SP -1p -a PRESHARE:"my_shared_key" -dialup
#This command is for traffic from the PC to the server
#(the pre-shared key must match the freeswan side exactly, so no stray spaces inside the quotes)
ipsecpol -f 0=192.168.1.* -t 200.321.321.11 -1s 3DES-MD5-2 -n ESP[3DES,MD5]480SP -1p -a PRESHARE:"my_shared_key" -dialup
If you wanted to add these policies as static policies you could do the
following:
#This command is for traffic from the server to the PC
ipsecpol -f 192.168.1.*=0 -t 123.123.123.321 -1s 3DES-MD5-2 -n ESP[3DES,MD5]480SP -1p -a PRESHARE:"my_shared_key" -dialup -w REG -p "MyIPSECPolicy" -r "ServerToPc"
#This command is for traffic from the PC to the server
ipsecpol -f 0=192.168.1.* -t 200.321.321.11 -1s 3DES-MD5-2 -n ESP[3DES,MD5]480SP -1p -a PRESHARE:"my_shared_key" -dialup -w REG -p "MyIPSECPolicy" -r "PcToServer"
As stated before, see the help file provided with the ipsecpol download for
details on what all this means.
Here is a VBScript that can be run after a PC is connected to the internet:

pppAddress = GetPPPAddress()
'msgbox pppAddress
If Trim(pppAddress) <> "" Then
    Set shell = CreateObject("WScript.Shell")
    'Stop and restart the IPSEC Policy Agent to clear out any old
    '"dynamic" policies.
    shell.Run "net stop ""IPSEC Policy Agent""", 0, True
    shell.Run "net start ""IPSEC Policy Agent""", 0, True
    'Set up the connection to the office LAN (the pre-shared key must
    'match the freeswan side exactly, so no stray spaces inside the quotes)
    shell.Run """c:\program files\resource kit\ipsecpol"" -f 192.168.1.*=0 -t " & pppAddress & _
        " -1s 3DES-MD5-2 -n ESP[3DES,MD5]480SP -1p -a PRESHARE:""my_shared_key"" -dialup", 0, True
    shell.Run """c:\program files\resource kit\ipsecpol"" -f 0=192.168.1.* -t 200.321.321.11" & _
        " -1s 3DES-MD5-2 -n ESP[3DES,MD5]480SP -1p -a PRESHARE:""my_shared_key"" -dialup", 0, True
    'Ping an address on the office LAN to establish the connection
    shell.Run "ping 192.168.1.112", 0, True
    Set shell = Nothing
    MsgBox "VPN setup complete"
Else
    MsgBox "Unable to set up VPN security policy" & vbCr & _
        "Unable to determine PPP (dial-up) adapter IP address" & vbCr & _
        "Please verify that your dial-up connection is established"
End If

Function GetPPPAddress()
    PPPFound = False
    Set sh = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set Env = sh.Environment("PROCESS")
    'msgbox(Env("OS"))
    If Env("OS") = "Windows_NT" Then
        workfile = fso.GetTempName
        sh.Run "%comspec% /c ipconfig > " & workfile, 0, True
    Else
        'winipcfg in batch mode sends its output to the file winipcfg.out
        workfile = "winipcfg.out"
        sh.Run "winipcfg /batch", 0, True
    End If
    Set sh = Nothing
    Set ts = fso.OpenTextFile(workfile)
    data = Split(ts.ReadAll, vbCrLf)
    ts.Close
    Set ts = Nothing
    fso.DeleteFile workfile
    Set fso = Nothing
    'The first "IP Address" line after the "PPP adapter" heading is the dial-up address
    For n = 0 To UBound(data)
        If PPPFound Then
            If InStr(data(n), "IP Address") Then
                parts = Split(data(n), ":")
                GetPPPAddress = Trim(CStr(parts(1)))
                Exit For
            End If
        Else
            If InStr(LCase(data(n)), "ppp adapter") Then PPPFound = True
        End If
    Next
End Function
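As an added example (not part of the original post), a small Python checker for a pair of ipsecpol command lines like the ones above: it parses each command and confirms that both directions carry byte-identical pre-shared keys and mirror-image filters, which is exactly the kind of stray-space quoting mismatch that is easy to miss by eye. The command strings below are constructed from the post's examples; the flag list is assumed from the options the post uses.

```python
"""Check a server->PC / PC->server pair of ipsecpol commands for consistency."""
import shlex

# Constructed from the post's dynamic-policy example (note the spaces inside
# the second key, which would make the two directions use different PSKs).
DYNAMIC_SERVER_TO_PC = ('ipsecpol -f 192.168.1.*=0 -t 123.123.123.321 -1s 3DES-MD5-2 '
                        '-n ESP[3DES,MD5]480SP -1p -a PRESHARE:"my_shared_key" -dialup')
DYNAMIC_PC_TO_SERVER = ('ipsecpol -f 0=192.168.1.* -t 200.321.321.11 -1s 3DES-MD5-2 '
                        '-n ESP[3DES,MD5]480SP -1p -a PRESHARE:" my_shared_key " -dialup')

# Options that take a value (assumed from the flags used in the post);
# anything else is treated as a bare switch such as -1p or -dialup.
VALUED_FLAGS = {"-f", "-t", "-1s", "-n", "-a", "-w", "-p", "-r"}


def parse_ipsecpol(cmd):
    """Return a dict of options from one ipsecpol command line (quotes honoured)."""
    tokens = shlex.split(cmd)
    if not tokens or not tokens[0].endswith("ipsecpol"):
        raise ValueError("not an ipsecpol command")
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUED_FLAGS:
            if i + 1 >= len(tokens):
                raise ValueError("%s needs a value" % tok)
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def preshared_key(opts):
    """Extract the PSK from -a PRESHARE:<key>, or None if another auth method is used."""
    auth = opts.get("-a", "")
    return auth[len("PRESHARE:"):] if auth.startswith("PRESHARE:") else None


def check_pair(server_to_pc, pc_to_server):
    """Return a list of findings; an empty list means the two directions agree."""
    a, b = parse_ipsecpol(server_to_pc), parse_ipsecpol(pc_to_server)
    findings = []
    ka, kb = preshared_key(a), preshared_key(b)
    if ka is None or kb is None:
        findings.append("missing PRESHARE authentication")
    elif ka != kb:  # PSKs are compared byte for byte, so whitespace counts
        findings.append("pre-shared key differs between directions: %r vs %r" % (ka, kb))
    # -f takes src=dst; the return direction must swap the two sides
    src_a, dst_a = a["-f"].split("=", 1)
    src_b, dst_b = b["-f"].split("=", 1)
    if (src_a, dst_a) != (dst_b, src_b):
        findings.append("filters are not mirror images")
    if a.get("-1s") != b.get("-1s") or a.get("-n") != b.get("-n"):
        findings.append("phase 1 / phase 2 proposals differ")
    return findings
```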
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST