Windows 2000 and Windows XP
- IPsec is included with Windows 2000 and Windows XP. On Win2k you need Service Pack 2 or higher (or the High Encryption Pack) to raise the encryption strength from single DES to 3DES. WinXP users have also reported better results with Service Pack 1 and higher.
- The Road Warrior setup works either way round. Windows (XP or 2K) IPsec can connect as a Road Warrior to Openswan. However, Openswan can also successfully connect as a Road Warrior to Windows IPsec (see Nate Carlson's configs below).
- FreeS/WAN version 1.92 or later is required to avoid an interoperation problem with Windows native IPsec. Earlier FreeS/WAN versions did not process the Commit Bit as Windows native IPsec expected. Openswan does not have this issue.
- For NAT-T you need an update from Microsoft. See below.
- Some people choose to use L2TP over IPsec, which allows you to do additional username/password authentication (PAP/CHAP/MS-CHAP/EAP/RADIUS/SMB etc.). It also allows you to assign IP addresses from the internal network to Road Warriors.
- Alternatively, third-party IPsec clients are available: SSH Sentinel, Safenet SoftPK/SoftRemote, NCP, TheGreenBow VPN Client. These clients are commercial, not free. Most of them support both Win9x/Me and Win2k/XP.
NAT-T
Make sure you have one of the following to get NAT-T working:
A note about generating your CAs: if you want to refer to certificates by name in ipsec.secrets (rather than making the key the default key), avoid spaces in the DN.
Known hacks/tips/tweaks
Various Guides
- Jacco de Leeuw's HOWTO on using L2TP/IPsec with Windows 2000/XP.
- Nate Carlson's HOWTO on using Marcus Mueller's VPN config tool (Road Warrior with X.509). Includes directions with FreeS/WAN as the Road Warrior.
- Tim Carr's Windows Interop Guide (X.509)
- James Carter's instructions (X.509, NAT-T)
- Jean-Francois Nadeau's Net-net Configuration (PSK)
- Marcus Mueller's HOWTO using his VPN config tool (X.509). The tool also works with PSK.
- Oscar Delgado's PDF (X.509, no configs)
- Albert Strasheim's notes (X.509, L2TP, Fedora Core 4)
- Tim Scannell's Windows XP Additional Checklist (X.509) (broken link)