From: Jacco de Leeuw (jacco2_at_dds.nl)
Date: Sun Dec 15 2002 - 23:47:50 CET
I have made some documentation on using FreeS/WAN with the
Windows IPSEC clients released by Microsoft:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
These Microsoft clients use IPSEC to transport L2TP.
L2TP then tunnels the payload traffic. One approach is to
actually disable L2TP on Windows 2000/XP. This is what
Marcus Mueller and Nate Carlson do (see:
http://www.natecarlson.com/linux/ipsec-x509.php)
I have tried an alternative approach and added an L2TP daemon
(l2tpd) to my FreeS/WAN server. The advantages are:
- It's free (an IPSEC client is included with Windows or can be
downloaded from the Microsoft website).
- Available for Windows 95/98/ME/NT4/2000/XP.
- Relatively easy to install and configure at the client side.
(I'd say the complexity is comparable to PPTP).
- Supports virtual IP addresses.
- Can tunnel IP, IPX and NetBEUI (IPX and NetBEUI not tested).
(Of course there are disadvantages too. See my webpage for that).
I am looking for someone who can confirm this setup. Any volunteers?
If you already have a working FreeS/WAN system it should boil down
to installing an extra RPM/Debian package for l2tpd. You will also
have to modify a few configuration files and enter your DNS and WINS
addresses plus your internal subnet range.
Unfortunately there is a major problem with Windows 2000. I get
an "Error 737: Loopback detected" when I disconnect and then
reconnect. The problem lies in the L2TP part, so I will contact
the l2tpd mailing list about it.
I have a few remaining questions:
- l2tpd listens on all interfaces, including the external
interface (eth0). That means I will have to firewall it for
security reasons. But I would rather firewall it _and_ bind
it to ipsec0 only. Does anyone know if servers can be told
to bind to ipsec0 only?
- When Windows 2000 or XP is used, the IPSEC part seems to work
fine. Windows 9x/ME/NT4 clients on the other hand have a bit
of a problem with disconnecting:
#1: received Delete SA payload: deleting IPSEC State #4
#1: ignoring Delete SA payload: IPSEC SA not found
#1: received Delete SA payload: deleting ISAKMP State #1
#6: initiating Main Mode
#6: not enough room in input packet for ISAKMP Vendor ID Payload
#6: malformed payload in packet
#6: sending notification PAYLOAD_MALFORMED to x.x.x.x:500
Any idea what is going wrong? Is there a bug in this Microsoft
client? (For more details see:
http://www.jacco2.dds.nl/networking/msl2tp.html#Rekeyingerror)
Jacco
--
Jacco de Leeuw mailto:jacco2_at_dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Good guys don't finish last. Good guys win before the race has even started.
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
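An added example, not part of Jacco's post or of the FreeS/WAN or l2tpd projects: a small Python detector that scans Pluto log lines for the sequence quoted in the post (an ISAKMP Delete SA received, then a fresh Main Mode that fails with a malformed payload), so the Windows 9x/ME/NT4 disconnect symptom can be picked out of a busy log. The sample log is constructed from the quoted lines plus one clean Main Mode as a negative case; the function names are my own.

```python
import re

# Constructed sample: the Pluto lines quoted in the post, followed by a clean
# Main Mode initiation (#7) so the detector also has a negative case.
SAMPLE_LOG = """\
#1: received Delete SA payload: deleting IPSEC State #4
#1: ignoring Delete SA payload: IPSEC SA not found
#1: received Delete SA payload: deleting ISAKMP State #1
#6: initiating Main Mode
#6: not enough room in input packet for ISAKMP Vendor ID Payload
#6: malformed payload in packet
#6: sending notification PAYLOAD_MALFORMED to x.x.x.x:500
#7: initiating Main Mode
"""

LINE_RE = re.compile(r"^#(\d+): (.*)$")
NOTIFY_RE = re.compile(r"sending notification (\S+) to (\S+)")

def parse_pluto(text):
    """Return an ordered list of (state_number, message) from Pluto log lines;
    lines without a '#N:' prefix are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((int(m.group(1)), m.group(2)))
    return events

def detect_failed_renegotiation(text):
    """Flag Main Mode exchanges started after an ISAKMP Delete SA that then
    fail with a malformed payload. One record per failed state, carrying the
    notification Pluto sent and the peer it went to (None if not logged)."""
    deleted_isakmp = False
    started = set()
    findings = {}
    for state, msg in parse_pluto(text):
        if "deleting ISAKMP State" in msg:
            deleted_isakmp = True
        elif msg == "initiating Main Mode" and deleted_isakmp:
            started.add(state)
        elif state in started and "malformed payload" in msg:
            findings.setdefault(state, {"state": state, "peer": None, "notification": None})
        elif state in findings:
            m = NOTIFY_RE.search(msg)
            if m:
                findings[state]["notification"], findings[state]["peer"] = m.groups()
    return list(findings.values())

if __name__ == "__main__":
    for f in detect_failed_renegotiation(SAMPLE_LOG):
        print(f"state #{f['state']}: {f['notification']} sent to {f['peer']}")
```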