>> I understand you use a PSK, I have only tested with a cert.
>> But that can't be it, can it?
> I don't know.
I'll try with a PSK next week.
> I perused the registry but was unable to find any L2TP
> looking entries that might have had significance to enabling or
> disabling that protocol on the connection.
There are certainly entries which look promising. E.g., in
[HKEY_LOCAL_MACHINE\Software\IRE\SafeNet/Soft-PK\ACL\1\REMOTEADDRESS]:
USESGW (use security gateway?), SGWOPTIONS, REMOTEADDRESS and
changing PROTOCOL/ PORT/ PORTNAME to "All" instead of just
UDP 1701 (similar to \ACL\0\). It would perhaps be interesting
to compare these registry settings with the ones of the full
SafeNet client. Unfortunately, I do not have this client.
Any volunteers willing to mail their
HKEY_LOCAL_MACHINE\Software\IRE\ registry to the list?
(Wipe keys before you do, though :-)
The problem is though that you never know if hacking the registry
will be enough. The SafeNet people could have removed the host-to-LAN
code completely from the client. And if not, a next version of this
client will certainly "correct" this problem. Another problem would
be that the user would still have to click "Connect" to set up
the IPSEC connection. There is a chance that there will be an error
message complaining about a missing L2TP server, and this might
confuse the user.
So I tried l2tpd first.
> does this mean that once you connect to the Security Gateway
> via an L2TP/IPSec MS client connection, your machine is on the
> internal network that is connected to the SG? I guess the Windows
> client would receive an IP address from the SG via the PPP
> connection.
Correct. The PPP server gave me an IP address from an internal
range (configured in l2tpd.conf, actually). I configured the
gateway's side (ppp0) with a different IP address than the
internal network interface (eth1), just to be on the safe side.
Anyway, I could ping eth1's IP address from the remote Windows
client, and I also could access servers on the gateway (Squid,
Apache etc.) as if I were on the internal network. The Windows
client also got the DNS and WINS servers correctly, according
to winipcfg. I configured these in the PPP options (ms-dns,
wins-addr). However, I have not tried yet to access other
machines on the internal network protected by the FreeS/WAN
gateway. I would not be surprised if I had to configure proxy arp
(or iproute2?) on the gateway for those internal IP addresses,
before I get packets back from internal machines.
Jacco
---
Jacco de Leeuw mailto:jacco2_at_dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Windowsupdate: "This is done without sending any
information to Microsoft". (Honest, guv!)
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
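The host-to-LAN setup described in the post (l2tpd handing out an internal address range, pppd pushing DNS/WINS, and the open question of proxy ARP for internal machines) as an added, self-contained example; this is not Jacco's configuration and not code from FreeS/WAN or l2tpd. pppd's own `proxyarp` option does the proxy ARP job, but only if the peer's address falls inside the subnet of a local Ethernet interface, so the script checks that the PPP pool really lies inside the internal LAN before writing the config files. All addresses (eth1 on 192.168.1.0/24, a pool of 192.168.1.200-220, DNS 192.168.1.2, WINS 192.168.1.3), the `LinuxVPNserver` name and the output paths are assumed values for illustration. The option the post calls `wins-addr` is written here under the name pppd documents, `ms-wins`.

```shell
#!/bin/sh
# Added example (not from the post or the FreeS/WAN project): generate an
# l2tpd.conf and a pppd options file for a host-to-LAN L2TP/IPsec gateway and
# verify that pppd's proxyarp can actually work for the chosen address pool.
# All addresses and names below are assumed values; adjust them to your LAN.

GW_EXT_IP=203.0.113.10        # assumed: outside (IPsec) address of the gateway
LAN_CIDR=192.168.1.0/24       # assumed: subnet on eth1, the internal interface
PPP_LOCAL_IP=192.168.1.254    # assumed: gateway's ppp0 address (not eth1's)
POOL_FIRST=192.168.1.200      # assumed: first address handed to Windows clients
POOL_LAST=192.168.1.220       # assumed: last address handed to Windows clients
DNS_IP=192.168.1.2            # assumed: internal DNS server pushed via ms-dns
WINS_IP=192.168.1.3           # assumed: internal WINS server pushed via ms-wins

# ip2int: dotted quad -> 32-bit integer (pure POSIX sh, no external tools)
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR: succeed if IP lies within the network CIDR (a.b.c.d/n)
in_subnet() {
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# pool_in_lan FIRST LAST CIDR: both ends of the pool must be inside the LAN,
# otherwise pppd's proxyarp has no Ethernet interface to answer ARP on and
# internal hosts would need an explicit route to the pool instead.
pool_in_lan() {
  in_subnet "$1" "$3" && in_subnet "$2" "$3"
}

# write_configs DIR: write l2tpd.conf and the pppd options file into DIR
write_configs() {
  cat > "$1/l2tpd.conf" <<EOF
[global]
listen-addr = $GW_EXT_IP
[lns default]
ip range = $POOL_FIRST-$POOL_LAST
local ip = $PPP_LOCAL_IP
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
EOF
  cat > "$1/options.l2tpd" <<EOF
ipcp-accept-local
ipcp-accept-remote
ms-dns $DNS_IP
ms-wins $WINS_IP
noccp
auth
nodefaultroute
lock
mtu 1410
mru 1410
proxyarp
EOF
}

# Stand-alone run: check the pool, then write the files to a scratch directory.
if pool_in_lan "$POOL_FIRST" "$POOL_LAST" "$LAN_CIDR"; then
  echo "pool $POOL_FIRST-$POOL_LAST is inside $LAN_CIDR: proxyarp will answer ARP for clients on eth1"
else
  echo "pool $POOL_FIRST-$POOL_LAST is outside $LAN_CIDR: proxyarp cannot work, route the pool instead" >&2
fi
OUT=$(mktemp -d)
write_configs "$OUT"
echo "wrote $OUT/l2tpd.conf and $OUT/options.l2tpd (copy to /etc/l2tpd/ and /etc/ppp/)"
```

The gateway still needs IP forwarding enabled (`sysctl -w net.ipv4.ip_forward=1`) for traffic to reach hosts behind eth1; proxy ARP only makes the internal hosts send their replies to the gateway's MAC address. If the pool cannot be placed inside the LAN subnet, drop `proxyarp` and instead add a route for the pool via the gateway on the internal hosts or their default router.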
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:24 CEST