Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Chapter 8

However, the certimport.exe command-line tool is stable and is a great way to easily import certificates into Windows. It will warn you if doing so would replace an existing certificate, and you can specify a password using -p.

Third-Party Replacement Clients for Windows

The following clients do not use the Microsoft native kernel IPsec driver, nor do they use the Microsoft IKE PolicyAgent, nor the Certificate Store in the Windows Registry. Therefore there is no oakley.log debugging file present and the PolicyAgent service should not be running. MMC is not needed to manage or import X.509 Certificates.

The GreenBow VPN Client

http://www.thegreenbow.com/

This is a commercial VPN client under active development that runs on all Windows platforms, ranging from Windows 98 to Windows XP. It has a 30-day evaluation period, with no further limitations during evaluation, so you can really test before committing an entire company to this client.

Certificates can be stored on a USB device to give some extra security. It supports XAUTH (untested with Openswan so far) and works properly with NAT-Traversal. The GUI is quite comfortable to use, though it does assume that the end user has some knowledge of IPsec, such as knowing what a Phase 1 and a Phase 2 connection are. Of course, this is not an issue if an administrator is setting up the VPN for the end user.

In fact, the GreenBow client offers a recording mode if you run setup with the -r option that creates a configuration file called setup.iss. This way, the administrator can manually configure the client and ship a complete self-installable version for the end user that does not ask a single question, and does not even appear in the tray icon list, so the user cannot disable the VPN.


Interoperating with Microsoft Windows and Apple Mac OS X

Configuration is fairly straightforward. First, a new Phase 1 is created by right-clicking the configuration tab and choosing New Phase 1. You then specify the Phase 1 parameters. The GreenBow client comes with good defaults, such as 3DES and Diffie-Hellman group 2 (MODP1024) and PFS and Main Mode enabled. However, it does default to Pre-shared Key (PSK) instead of X.509 Certificates.

When choosing X.509 Certificates instead of Pre-Shared Key, an import window appears letting you import the Root CA, the certificate, and the private key.

Note that the private key needs to be unlocked (it must not be passphrase-protected). The client we tested did not support PKCS#12 (.p12) format files yet. Ensure that the root and user certificate filenames have the extension .pem, and that the private key file has the extension .key.

Once you have imported the certificates and key files, select the Advanced tab, where you can set a few more options. When using certificates with a Root CA, you should set both ID field types to DER ASN1 DN.


Here you can further fill in the XAUTH options, or enable Aggressive Mode if needed. This client even allows you to change the IKE port, so if your ISP blocks UDP port 500, you could change it on both the client and Openswan, though it will likely not work as expected for NAT-Traversal in such a case.

Unfortunately, the GreenBow client does not read the ID from the imported certificate, so you will have to type in the local ID yourself. You can use the openssl command on the Openswan server to get this:

# openssl x509 -in YourCert.pem -noout -subject

The GreenBow VPN client does not support commas (,) as DER ASN1 DN separators and you must use slashes '/'. Note that the first character in the DN is a slash as well.
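Converting the subject line printed by the openssl command above into the slash-separated form the GreenBow client expects, as an added example that is not from the book: the function accepts both the legacy slash output and the comma-separated output that newer OpenSSL versions print (the sample lines are constructed, and backslash-comma is assumed to be the escape for a comma inside a value), and it always emits the leading slash.

```python
import re

# "subject=" or "subject= " prefix printed by `openssl x509 -noout -subject`.
_PREFIX = re.compile(r"^\s*subject\s*=\s*", re.IGNORECASE)
# In slash form a new RDN starts at "/TYPE=".
_SLASH_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")
# In comma form RDNs are separated by commas that are not backslash-escaped.
_COMMA_SPLIT = re.compile(r"(?<!\\),")


def subject_to_greenbow_dn(subject_line):
    """Return the DN as /C=../O=../CN=.. (leading slash, no comma separators)."""
    dn = _PREFIX.sub("", subject_line).strip()
    if dn.startswith("/"):
        # Legacy OpenSSL output: /C=NL/O=Xelerance/CN=vpn.example.com
        parts = [p for p in _SLASH_SPLIT.split(dn) if p]
    else:
        # Newer OpenSSL output: C = NL, O = Xelerance, CN = vpn.example.com
        parts = _COMMA_SPLIT.split(dn)
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError("not a TYPE=value component: %r" % part)
        attr, value = part.split("=", 1)
        # Drop the spaces newer OpenSSL puts around '=' and unescape "\," in values.
        attr, value = attr.strip(), value.strip().replace("\\,", ",")
        if not attr or not value:
            raise ValueError("empty attribute or value in %r" % part)
        rdns.append("%s=%s" % (attr, value))
    return "/" + "/".join(rdns)


# Constructed sample lines (not from real certificates), one per openssl output style.
SAMPLE_LEGACY = "subject= /C=NL/ST=Noord-Holland/O=Xelerance/CN=vpn.example.com"
SAMPLE_NEW = "subject=C = NL, ST = Noord-Holland, O = Xelerance, CN = vpn.example.com"
SAMPLE_ESCAPED = "subject=O = Example\\, Inc., CN = vpn.example.com"

if __name__ == "__main__":
    for line in (SAMPLE_LEGACY, SAMPLE_NEW, SAMPLE_ESCAPED):
        print(subject_to_greenbow_dn(line))
```

Paste the returned string into the GreenBow Local ID field; a value that itself contains a slash cannot be represented unambiguously in this form, so check such subjects by hand.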

Once you are done with Phase 1, right-click the Phase 1 item to add as many Phase 2 items as needed. Again, sane defaults are used by the GreenBow client, such as 3DES, tunnel mode, and PFS. You should not fill in the VPN Client address, as it will be filled in automatically with your current IP address, which could be the local LAN address that will be NATed later on.


In our example we have created two Phase 2 items, which have as the only difference the 'Remote LAN' address. We have set up two tunnels between the same two machines, one for 192.168.1.0/24 and one for 192.168.2.0/24.

With Phase 2 configured, you can now Save and Apply the connection and start it with Open Tunnel, though this is not needed as the GreenBow client automatically brings up a tunnel if there is traffic for it defined in one of its Phase 2 connections.

The console log supports various kinds of logging. The screenshot below shows fairly minimal logging while setting up our VPN tunnel:
