Interoperating: NCP Secure Entry Client/Secure VPN/PKI Client
Available from NCP Germany.
- Secure Entry Client is the "low end" version
- Secure VPN/PKI Client has lots of advanced features useful for larger installations.
Pros:
- I find this the best damn Win32 client since SSH Sentinel.
- Support is VERY good; fast response, knowledgeable techs
- Free 30 day evaluation of their products
- Understands how to establish connections over modems, DSL, ISDN and plain IP connections
- Can handle PKCS#12 smartcards/USB tokens
- Systray icon is clean, simple and not hideously gaudy like SafeNet's
- The install can be easily customized to include CA certs and tunnel configurations
- Multiple network/subnet with one connection support
- Nice logging/debugging subsystem for troubleshooting
- NT Domain Login system Just Works -- very straightforward
- Can automatically establish the VPN if you try to access the remote network (with configurable "auto disconnect" time based on traffic flow over the connection)
Cons:
- 30 day eval can only be installed twice -- no warning of this anywhere
- LZS compression only -- deflate coming soon
- No support for DHCP over IPSec
Differences between Secure Entry ("low end") and Secure VPN/PKI ("high end") clients:
- Secure Entry can only handle one PKCS#12 file
- Secure VPN/PKI client has configuration server support -- trivial to publish connection information for hundreds of clients
- Secure Entry Client "only" handles straight IPSec connections
- VPN/PKI client can also handle IPSec, L2TP and L2SEC connections
Tips and Tricks
XAUTH seems required for VPN/PKI but if you leave credentials blank it'll fail "open." This isn't intuitive.
The PKCS#12 import password must not be blank.
VPN/PKI client will try to negotiate compression even if you have it turned off -- you must go and specify IPSec proposals manually (using the default supplied one is fine if your endpoint handles AES128/MD5). Automatic ("Assigned by Destination") proposals all seem to include LZS compression requests, and you will see "Invalid CPI (0x3)" errors in the OpenS/WAN logs.
With either client, if you specify an IP of 0.0.0.0 or tell it to use IKE Config mode, OpenS/WAN will fail since it doesn't support XCONFIG.
Sample config (VPN/PKI Client, only listing what I change from defaults)
- Destination
- Line Management
- Incoming Call
- Security
  - IKE Policy: RSA Signature
  - IPSec Policy: ESP-AES128-MD5
  - IKE ID Type: ASN1 Distinguished Name
  - IKE ID: (blank, it will pull from certificate)
- Advanced
  - IP NAT
  - Permit Incoming IP Traffic
  - Permit IP Broadcast
  - Enable NetBIOS over IP
- VPN Tunneling
  - Obtain VPN User ID and Password from: Certificate 'cn' field
    - (That's the XAUTH part; OpenS/WAN will ignore it and NCP will fail "open")
- VPN IP Networks
  - 192.168.1.0/255.255.255.0
- IPSec Options
  - Private IP Address: 192.168.6.5 (anything will do, it just can't be left at 0.0.0.0 or you'll get an XCONFIG failure on the OpenS/WAN side)
- HA Support (not used)
- DNS/WINS
  - I throw in the WINS and DNS server info to help with Win32 domain stuff
- Certificate Check (I don't use this)
- Firewall Settings (I disable the firewall, not sure how to use it right yet)
Configuration/Certificates will let you define where your certificates come from; I've only used "from PKCS#12 file". The clients do not let you use a certificate with a blank import password which is kind of a pain in the ass but understandable.
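The sample config above only shows the NCP side. As an added example (not from this page, NCP, or the Openswan project), the script below takes the PKCS#12 file you would import into the client, confirms it carries a non-blank import password (the clients reject a blank one), pulls the subject DN out of it in the "C=..., O=..., CN=..." order Openswan wants for rightid, and prints a matching Openswan conn: RSA signature authentication, ESP AES128/MD5, no compression, the 192.168.1.0/24 network behind the gateway, and no XAUTH or XCONFIG. It needs the openssl CLI; the demo certificate (C=DE, O=Example, CN=roadwarrior1), the password, the gateway file names and the rightsubnet line are all constructed assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the Openswan wiki page, NCP or the Openswan project.
# Requires the openssl CLI. Demo DN, password and gateway file names are assumptions.
set -u

WORK="${TMPDIR:-/tmp}/ncp-interop.$$"
mkdir -p "$WORK"

# Build a throwaway client certificate and PKCS#12 bundle standing in for the
# one an administrator would issue from the VPN CA. The NCP clients refuse a
# PKCS#12 with a blank import password, so the demo bundle gets one.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=DE/O=Example/CN=roadwarrior1" \
        -keyout "$WORK/rw.key" -out "$WORK/rw.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -in "$WORK/rw.crt" -inkey "$WORK/rw.key" \
        -out "$WORK/rw.p12" -passout pass:demo-secret >/dev/null 2>&1 || return 1
    echo "$WORK/rw.p12"
}

# Succeeds only if the bundle cannot be opened with an empty password, i.e. it
# has the non-blank import password the NCP clients insist on.
p12_has_password() {
    ! openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Print the certificate subject in the order Openswan expects for leftid/rightid
# ("C=DE, O=Example, CN=roadwarrior1"). RFC2253 output is most-specific first,
# so the RDNs are reversed; values containing escaped commas would need more care.
openswan_dn_from_p12() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' \
        | awk -F',' '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? ", " : "\n") }'
}

# Emit an Openswan conn matching the NCP settings on this page: RSA signature
# auth, ESP AES128/MD5, no compression (avoids the "Invalid CPI" errors from LZS),
# 192.168.1.0/24 behind the gateway, no XAUTH/XCONFIG. Gateway-side file names
# and the rightsubnet line are assumptions; adjust them to your gateway.
openswan_conn_for_p12() {
    dn=$(openswan_dn_from_p12 "$1" "$2") || return 1
    cat <<EOF
conn ncp-$(echo "$dn" | sed 's/.*CN=//; s/[^A-Za-z0-9_-]/_/g')
    left=%defaultroute
    leftcert=gateway.crt
    leftrsasigkey=%cert
    leftsubnet=192.168.1.0/24
    right=%any
    rightrsasigkey=%cert
    rightid="$dn"
    rightca=%same
    # assumed: the address entered under IPSec Options / Private IP Address
    rightsubnet=192.168.6.5/32
    authby=rsasig
    ike=aes128-md5-modp1024
    esp=aes128-md5
    compress=no
    auto=add
EOF
}

# Stand-alone run ("sh this.sh demo"): build the demo bundle, check its
# password, print the conn, then clean up.
if [ "${1:-}" = "demo" ]; then
    p12=$(make_demo_p12) || { echo "openssl failed" >&2; exit 1; }
    p12_has_password "$p12" && echo "# PKCS#12 import password is set"
    openswan_conn_for_p12 "$p12" demo-secret
    rm -rf "$WORK"
fi
```

Run it with `sh this.sh demo` to see the generated stanza, or point `openswan_conn_for_p12` at a real PKCS#12 file and its import password. One conn per client DN is the simplest way to match the "ASN1 Distinguished Name" ID the client sends; a larger fleet is usually handled by matching on the issuing CA (rightca) instead of listing every DN.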
If you want to be able to do domain login at boot time, use the Configuration/Logon Options and check "Inquire unsaved passwords and PIN before Windows Login" -- you'll have to reboot to have it take effect and once you do you'll get the NCP screen coming up asking if you want to establish a VPN or login locally. Very nice.
You can also have it establish a VPN automatically on boot but I haven't tried.
Warning
Do not install NCP client version 8.11 build 106 on Windows XP SP2. Use a later version.