Re: L2TP or IPSec?
On Tue, 26 Mar 2002 22:37:17 +0100, you wrote:
>I have clients wanting to connect to a private network from their W2K/XP
>laptops.
>
>I'm thinking about how to set this up. First of all, should I use L2TP
>or IPSec? What are the (dis)advantages of the respective choice?
I just set up an obsd vpn server with w2k/xp clients a few weeks ago.
If you take my advice (and bear with my English) - you might
finish in about half an hour:
Start IPSec: (and change this in sysctl.conf)
# sysctl -w net.inet.esp.enable=1
# sysctl -w net.inet.ah.enable=1
Download my template files and put them into /etc/isakmpd/:
http://mollat.de/security/templates/isakmpd.conf
http://mollat.de/security/templates/isakmpd.policy
Change your external IP, the passphrase and your internal subnet in
isakmpd.conf and don't forget to open pf for encrypted traffic (fxp1
is here the outside interface):
# Allow IKE
pass in quick on fxp1 proto udp from any to fxp1 port 500 keep state
# Allow ESP traffic
pass in quick on fxp1 proto esp from any to fxp1 keep state
pass out quick on fxp1 proto esp from fxp1 to any keep state
# Allow ICMP "fragmentation needed" (type 3 code 4) for some dumb NT boxes not responding with the correct MTU size:
pass in quick on fxp1 inet proto icmp all icmp-type 3 code 4
Now start isakmpd with something like:
# /sbin/isakmpd -d &
If it should not work immediately - start with debugging options:
# /sbin/isakmpd -d -D A=95 > /root/logfile &
Set up your w2k/xp clients using Marcus Mueller's IPSec tool:
http://vpn.ebootis.de/
You can use my template config file for that too:
http://mollat.de/security/templates/ipsec.conf
Be careful playing around with that - this tool is a little sensitive
to missing tabs and the order of some lines... But it works(!).
If you get to know any other working setup, e.g. for virtual IP
handling, please let me know. I am tired of spending any more time with
Not-Documented-Not-Debuggable-Pray-That-It-Works-Black-Box-Windows.
To activate the client - just dial up networking, execute ipsec.exe
from Marcus Mueller's tool - and done.
(BTW: You should set up some firewall on the client side. And don't
try Norton Antivirus 2002 - ipsec traffic will slow down extremely.)
Have fun!
Andreas
--------
Andreas Mollat
mailto:andreas@mollat.de http://www.mollat.de
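An added check, not part of Andreas's post, that verifies a pf.conf contains the four rules he lists (IKE in, ESP in, ESP out, ICMP type 3 code 4) for a given outside interface; the function name vpn_rules_missing and the sample rulesets are assumptions constructed here.

```shell
#!/bin/sh
# Checks a pf.conf for the four rules the post says an IPsec gateway for
# W2K/XP road warriors needs: IKE (UDP/500) in, ESP in, ESP out, and
# ICMP type 3 code 4 (fragmentation needed) so path-MTU discovery works.
# Function name and sample rulesets are assumptions constructed here.

# vpn_rules_missing FILE EXT_IF
# Prints each required rule that FILE lacks for EXT_IF.
# Returns 0 when all four are present, 1 otherwise.
vpn_rules_missing() {
    file=$1
    ext=$2
    missing=0
    # "name|regex" pairs; the regexes mirror the rule shapes from the post
    for spec in \
        "IKE in (udp 500)|^pass in .*on $ext .*proto udp .*port 500" \
        "ESP in|^pass in .*on $ext .*proto esp" \
        "ESP out|^pass out .*on $ext .*proto esp" \
        "ICMP frag-needed (type 3 code 4)|^pass in .*proto icmp .*icmp-type 3 code 4"
    do
        name=${spec%%|*}
        regex=${spec#*|}
        if ! grep -Eq "$regex" "$file"; then
            echo "missing: $name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample rulesets (not from the post), written to a temp dir.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
GOOD_CONF=$TMPD/pf-good.conf
BAD_CONF=$TMPD/pf-bad.conf
cat > "$GOOD_CONF" <<'EOF'
pass in quick on fxp1 proto udp from any to fxp1 port 500 keep state
pass in quick on fxp1 proto esp from any to fxp1 keep state
pass out quick on fxp1 proto esp from fxp1 to any keep state
pass in quick on fxp1 inet proto icmp all icmp-type 3 code 4
EOF
# Same ruleset with the outbound ESP and ICMP rules left out.
grep -v -e 'pass out' -e 'icmp' "$GOOD_CONF" > "$BAD_CONF"

echo "== good ruleset"
vpn_rules_missing "$GOOD_CONF" fxp1 && echo "all VPN rules present"
echo "== bad ruleset"
vpn_rules_missing "$BAD_CONF" fxp1 || echo "ruleset incomplete"
```

Rules written with pf macros or a different interface name will not match these literal patterns, so treat a "missing" report as a prompt to look at the ruleset, not as proof that the rule is absent.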