Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Chapter 8

Do not be tempted to just double-click certificates on Windows, since it will load the certificates in the wrong place and your IPsec connection will not work.

Xelerance offers a small open-source tool called certimport.exe on its FTP server that can import these PKCS#12 certificates properly and without user interaction.

Clients using Microsoft Native IPsec Implementation

Unfortunately, we are still not really ready to use Microsoft's native IPsec. The command-line options for ipsecpol.exe or ipseccmd.exe are so complex that humans should not try to use them. Marcus Müller has written a wrapper around these two programs called ipsec.exe, which can be downloaded from http://vpn.ebootis.de/.

However, ipsec.exe still requires those additional programs mentioned previously. Alex Pankratov wrote the ipsec2k library, an API that handles all the Registry changes needed for Microsoft's IPsec without the need for ipseccmd.exe or ipsecpol.exe. The ipsec2k library has been used by various people to create Windows VPN clients that drive the Microsoft native IPsec implementation, such as the formidable lsipsectool client.

The ipsec.exe Wrapper

The advantage of the ipsec.exe wrapper is that configuration of the IPsec connection is performed through an Openswan-style ipsec.conf configuration file.


Interoperating with Microsoft Windows and Apple Mac OS X

    conn %default
        dial=MSN Internet

    conn west-roadwarriors
        left=%any
        right=aivd.xelerance.com
        rightsubnet=192.168.1.0/24
        rightca="C=CA, S=Ontario, L=Toronto, O=Xelerance, OU=Support Staff, CN=Xelerance Root CA"
        pfs=yes
        network=auto
        auto=start
        #mac=xx-xx-xx-xx-xx-xx
        #rekey=1800S/30000K
        #authmode=MD5

You can also use rightid= and leftid= options if necessary. The mac= option is used to select a network adapter if there is more than one adapter present. The network= option can be set to ras, lan, or auto. If you wish to tunnel all traffic over the VPN, and you are using leftsubnet=0.0.0.0/0 on the Openswan server, you need to use the syntax rightsubnet=* in the ipsec.conf file on Windows.

The Windows ipsec.conf file uses rightca= to specify the DN of the Root CA that signed the certificates. It does not specify a rightid=, and the DN of the remote gateway's certificate must not be used as the rightca= value. This is a very common mistake!
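The rules above (network= accepts only ras, lan or auto; rightsubnet=* is needed when the server uses leftsubnet=0.0.0.0/0; rightca= must be the CA's DN, never the gateway certificate's DN) are easy to get wrong by hand. The following parser and checker is an added example for this book excerpt, not code from the book, from ipsec.exe or from Xelerance. It reads the Openswan-style ipsec.conf syntax shown above, applies conn %default inheritance, and reports the mistakes the text warns about. The two configuration strings are constructed for the example; the second one deliberately contains the common errors, and the MAC address format check (six hex pairs separated by dashes, matching the commented mac= line) is an assumption about the adapter selector.

```python
"""Sanity checker for ipsec.exe-style ipsec.conf files (added example)."""
import re

VALID_NETWORK = {"ras", "lan", "auto"}
# Assumed format for mac=, based on the xx-xx-xx-xx-xx-xx placeholder in the book.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")

# Constructed sample: the book's west-roadwarriors connection.
SAMPLE_CONF = """
conn %default
    dial=MSN Internet

conn west-roadwarriors
    left=%any
    right=aivd.xelerance.com
    rightsubnet=192.168.1.0/24
    rightca="C=CA, S=Ontario, L=Toronto, O=Xelerance, OU=Support Staff, CN=Xelerance Root CA"
    pfs=yes
    network=auto
    auto=start
    #mac=xx-xx-xx-xx-xx-xx
"""

# Constructed sample with the mistakes the text describes: the gateway
# certificate's DN used as rightca=, an invalid network= value, a malformed
# mac= and a fixed rightsubnet= although the server tunnels all traffic.
BAD_CONF = """
conn %default
    dial=MSN Internet

conn bad
    left=%any
    right=aivd.xelerance.com
    rightsubnet=192.168.1.0/24
    rightca="C=CA, O=Xelerance, CN=aivd.xelerance.com"
    network=wifi
    auto=start
    mac=xx-xx
"""


def parse_ipsec_conf(text):
    """Parse 'conn NAME' sections into {name: {key: value}}.

    Comments (#...) and blank lines are ignored, surrounding quotes are
    stripped from values, and every key of 'conn %default' is merged into
    each other conn unless that conn overrides it.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a conn section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[key] = value
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def check_conn(name, opts, server_leftsubnet=None, peer_cert_dn=None):
    """Return a list of problems for one conn.

    server_leftsubnet: the leftsubnet= configured on the Openswan server, if known.
    peer_cert_dn: the DN of the gateway's own certificate, if known, so that
    using it as rightca= (instead of the Root CA's DN) is flagged.
    """
    problems = []
    network = opts.get("network")
    if network is not None and network not in VALID_NETWORK:
        problems.append(f"{name}: network={network!r} is not one of ras, lan, auto")
    if "rightca" not in opts:
        problems.append(f"{name}: rightca= (DN of the Root CA) is missing")
    elif peer_cert_dn is not None and opts["rightca"] == peer_cert_dn:
        problems.append(f"{name}: rightca= holds the gateway certificate's DN, not the CA's DN")
    if server_leftsubnet == "0.0.0.0/0" and opts.get("rightsubnet") != "*":
        problems.append(f"{name}: server uses leftsubnet=0.0.0.0/0, Windows side needs rightsubnet=*")
    mac = opts.get("mac")
    if mac is not None and not MAC_RE.match(mac):
        problems.append(f"{name}: mac={mac!r} is not of the form xx-xx-xx-xx-xx-xx")
    return problems


def audit(text, server_leftsubnet=None, peer_cert_dn=None):
    """Parse a whole file and return {conn name: [problems]}."""
    conns = parse_ipsec_conf(text)
    return {name: check_conn(name, opts, server_leftsubnet, peer_cert_dn)
            for name, opts in conns.items()}


if __name__ == "__main__":
    for conn, probs in audit(BAD_CONF, "0.0.0.0/0",
                             "C=CA, O=Xelerance, CN=aivd.xelerance.com").items():
        print(conn, "OK" if not probs else "\n  ".join([""] + probs))
```

Run it against the real ipsec.conf on the Windows machine before loading the policy; a clean report for a conn means its rightca= is at least not the peer's own DN and its network= value is one ipsec.exe accepts.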


This screenshot shows ipsec.exe running in verbose mode with the -debug flag on Windows 2000. You can see the ipsecpol.exe commands used to load the IPsec policies into the Microsoft IKE PolicyAgent service. Windows will only start the IKE negotiation after it receives traffic that is destined for the tunnel. In our case, we would need to issue ping 192.168.1.1 to trigger the IKE negotiation.

To bring the tunnel down, use ipsec -off or ipsec -delete.

IKE policies survive a reboot. If you uninstall ipsec.exe while you still have a loaded policy, you will need to use MMC to remove the policy.

The ipsec.exe utility is not a fancy IPsec client. It has no tray icon, no point and click. At this point, it should only be used for testing, though even that can probably be done more easily with any of the new free wrapper clients that have come out more recently.

The Linsys IPsec Tool (lsipsectool)

http://sourceforge.net/projects/lsipsectool/

The Linsys IPsec Tool is a VPN client that uses the ipsec2k library to interface with Microsoft's native IPsec implementation, and therefore it does not need ipseccmd.exe or ipsecpol.exe. It has a very clear tray icon, which changes color depending on the state of the tunnel, being either red (down), green (up), or yellow (negotiating). It has the proper default proposals using 3DES and MODP-1024 with PFS.


It handles X.509 Certificate importing itself, and can import PKCS#12 formatted certificates, and it will automatically retrieve the DN of the CA it needs for the connection.

The Remote Internal IP address is used to trigger the connection, and monitor the state of the tunnel. It should be the private IP address of the gateway you are connecting to.
