Building And Integrating Virtual Private Networks With Openswan (2006).pdf
Chapter 8

The only drawback is that it can only handle one IPsec connection at a time, but the author is currently working on extending the client to handle more tunnels. Since the client uses wxWidgets, a port to Linux is also fairly straightforward, and planned for the future. A few glitches in the internationalization support are still present, but they cause no problems.

Securepoint IPsec Client

http://www.securepoint.cc/

Securepoint is a vendor of VPN hardware machines. They seem to be based on FreeS/WAN. They also have a free client for Windows, called the Securepoint Personal Firewall and IPSec VPN Client. The license is "[...] free to use, [...] but not free to distribute, [...] apart from code based on GNU Public License". It is not clear what part is based on GPL, and what is not. There is currently no source available on sources.securepoint.cc indicating any GPL portion of the client. It might be based on ipsec2k-lib.

Interoperating with Microsoft Windows and Apple Mac OS X

This client works on Microsoft Windows 2000, XP, and 2003. It is also a graphical wrapper around Microsoft's native IPsec implementation. The VPN client is bundled with a firewall, which may actually be a problem if you are already using another firewall. It is unclear whether switching the firewall on and off also affects the VPN. The phrasing is also a bit misleading, since starting the VPN connection shows "Establish VPN tunnel" and "VPN tunnel(s) established", while all it has done up to that point is load the IKE policies into the Microsoft PolicyAgent. You then need to send some traffic that would be routed over the VPN connection to actually start the IKE negotiation. If you make an error, for example forgetting to enable Perfect Forward Secrecy in the Security tab, your VPN tunnel will in fact not be established at all.

There are also some pop-up boxes that come up in German instead of in English. We also had occasional problems when starting and stopping tunnels frequently. This seems to be an interop issue between Openswan and Microsoft. A restart of the Microsoft PolicyAgent using net stop policyagent and net start policyagent fixed this problem. This is probably a bug in Microsoft Windows.

The client supports both PSK and X.509 Certificates. However, certificates need to be imported both in the Securepoint client and in the Windows IPsec subsystem. It is not at all clear that this last step is needed until you actually read the online manual, which instructs you how to accomplish this, similar to the earlier instructions for importing certificates for ipsec.exe. This means Xelerance's certimport.exe can be used in combination with Securepoint's client to make the import of certificates much easier.

Creating a new connection is straightforward, though it might look a bit strange to choose ANY as local network in combination with the netmask 255.255.255.255. Do not forget to enable Perfect Forward Secrecy in the Security tab.

Because this client uses Microsoft's native IPsec, you can look at the loaded IPsec policies using MMC. You can also enable Microsoft's Oakley.log debugging file without manually having to edit the Registry.

We ran successful interop tests for X.509-based IPsec tunnels, including NAT-Traversal. This client is probably the most mature wrapper for the Microsoft native IPsec implementation. It is free for personal use, but cannot be redistributed. It is not open source.

TauVPN (iVPN)

http://sourceforge.net/projects/ivpn/

This client was formerly known as iVPN. The TauVPN client is a GUI around the Windows ipseccmd.exe and ipsecpol.exe tools and therefore requires that the Windows XP Support Tools be installed. Be aware that the version on the XP CD is out of date, and a new version for use with Windows XP Service Pack 2 is available for download on the Microsoft website.

The advantage of this client is that it runs as a Windows service. It should therefore not need administrative privileges after it has been installed and the certificates have been imported. It can enable the oakley.log debug file for you, by setting the Windows Registry entry, and runs a tail command on the log file for viewing. TauVPN ships with Xelerance's certimport.exe tool for importing X.509 Certificates.
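The three manual steps the text describes, enabling the oakley.log debug file through the Registry, restarting the PolicyAgent (the workaround given above for the Securepoint client), and sending traffic to trigger the IKE negotiation, can be scripted. The batch file below is an added example, not code from the book, from TauVPN or from Xelerance. It assumes the documented PolicyAgent\Oakley\EnableLogging registry value and the %SystemRoot%\debug\oakley.log path on Windows 2000/XP; the gateway address is whatever you pass on the command line.

```batch
@echo off
rem Added example (not from the book or from TauVPN): turn on the Oakley IKE log
rem by hand, restart the PolicyAgent so the setting is picked up, trigger the
rem tunnel with a ping, and display the log.
rem Assumed: the documented PolicyAgent\Oakley\EnableLogging registry value and
rem the %SystemRoot%\debug\oakley.log location on Windows 2000/XP.
rem Usage: oakleydebug.cmd <server-local-ip>   (private IP of the Openswan gateway)

if "%~1"=="" (
    echo usage: %~nx0 ^<server-local-ip^>
    exit /b 1
)

rem 1. Enable IKE logging; this is the registry entry the TauVPN GUI sets for you.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley" /v EnableLogging /t REG_DWORD /d 1 /f

rem 2. Restart the PolicyAgent so the new value takes effect. The same restart
rem    clears the stuck-tunnel state described for the Securepoint client.
net stop policyagent
net start policyagent

rem 3. Nothing is negotiated until traffic matches the loaded policy, so ping the
rem    gateway's private address to trigger the IKE exchange.
ping -n 4 %1

rem 4. Inspect the result: the main mode and quick mode exchanges, or the reason
rem    the negotiation stopped when the tunnel does not come up.
type "%SystemRoot%\debug\oakley.log"

rem 5. Switch logging back off when finished; the log grows quickly and the
rem    change is picked up at the next PolicyAgent restart.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley" /v EnableLogging /t REG_DWORD /d 0 /f
```

Run it from an administrative command prompt, since both the registry write and the service restart need those rights; TauVPN's advantage of running as a service is precisely that it avoids this requirement after installation.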

TauVPN also offers an option to enable or disable PMTUD. Disable this if you experience fragmentation problems, which usually show up as subtle symptoms such as the ping command working while SSH or FTP clients freeze. A reboot might be required for these changes to take effect.
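To see the fragmentation problem before blaming the client, and to apply the PMTUD switch without the GUI, the following batch file is an added example (not from the book or from TauVPN). It assumes the documented Tcpip\Parameters\EnablePMTUDiscovery registry value and the standard ping -f / -l options; the "test" mode sends don't-fragment pings of increasing size to a host behind the gateway and reports which sizes survive the ESP (and, with NAT-Traversal, UDP) overhead.

```batch
@echo off
rem Added example (not from the book or from TauVPN): reproduce the PMTUD switch
rem by hand and probe the largest packet that passes through the tunnel.
rem Assumed: the documented Tcpip\Parameters\EnablePMTUDiscovery value
rem (1 = enabled, 0 = disabled). A change needs a reboot, as noted for TauVPN.
rem Usage: pmtud.cmd on | off | test <host-behind-gateway>

if "%~1"=="on"   goto set
if "%~1"=="off"  goto set
if "%~1"=="test" goto test
echo usage: %~nx0 on ^| off ^| test ^<host^>
exit /b 1

:set
set VALUE=1
if "%~1"=="off" set VALUE=0
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnablePMTUDiscovery /t REG_DWORD /d %VALUE% /f
echo EnablePMTUDiscovery set to %VALUE%; reboot for the change to take effect.
exit /b 0

:test
if "%~2"=="" (
    echo test needs a host address
    exit /b 1
)
rem Send one don't-fragment ping per payload size. 1472 is the largest ICMP
rem payload that fits a 1500-byte link without the tunnel; ESP and the NAT-T UDP
rem header push the usable size lower. The largest size that still answers is
rem the MTU you can rely on inside the tunnel; a "needs to be fragmented" reply
rem at a size that plain pings handle is the SSH/FTP freeze in miniature.
for %%S in (1200 1300 1400 1472) do (
    echo --- payload %%S bytes, DF set ---
    ping -n 1 -f -l %%S %2 | findstr /c:"bytes=" /c:"fragmented"
)
```

If the probe shows that only the smaller sizes answer while the tunnel otherwise works, disabling PMTUD on the client (or fixing the MSS/MTU on the gateway) is the appropriate fix; if all sizes answer, the freezes are not a fragmentation problem.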

The user interface is very clumsy and you'll probably find yourself continually hovering the mouse cursor above icons waiting for the help text to pop up and explain their use. You have to manually type in the Root CA's DN when using X.509 Certificates, which can lead to errors. It does provide a tray icon. It also requires a Server local IP address, which is the private IP of the gateway. This is used with the ping command to actually trigger the connection with the Microsoft native IPsec.

We could not get this client to work reliably on Windows XP SP2. We experienced crashes and failures to initiate the tunnel after it had loaded the Openswan IPsec policy into the PolicyAgent.

The WaveSEC Client

ftp://ftp.openswan.org/openswan/windows/wavesec/

Xelerance has written an NDIS-based installer around ipsec.exe, dubbed WaveSEC. This client combines ipsec.exe with the Microsoft binaries needed for 2000 or XP, together with certimport.exe, so that the Microsoft support CDs are not needed. This client was used in demonstrations for WaveSEC as a proof of concept, but should not be used for production systems.
