Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Chapter 8

One minor criticism of this client is that it uses the color red in the tray icon to indicate that the IPsec tunnel is established, which can give the impression that something is seriously wrong.

As a final note, the GreenBow website contains a treasure trove of information. There is a FAQ, a number of problems listed with related Microsoft Knowledge Base articles, and an extensive list of VPN software that is known to work with the client. This often includes detailed descriptions with screenshots for those devices along with the specific options for the GreenBow client.

Astaro Secure Client

http://www.astaro.com/

The current Astaro Secure Client is based on the NCP IPsec client. It supports XAUTH, ModeConfig, PSK, and X.509. Configuration of the client is a bit cumbersome and confusing. The client throws many screens at you where only a single option needs to be specified, instead of trying to combine them all into a single page. After the initial installation, you get a New Profile Assistant, a straightforward wizard-type series of options, but when that has completed, you still need to configure some extra settings to make the connection work. On the screen, select Main Mode and DH-Group 2 or higher. Do not select IP compression, unless your bandwidth is really low, such as a GPRS or dialup connection.

The next screen in the Assistant can be confusing. It is headed Pre-shared key, while we're actually configuring an X.509 connection. Leave the Shared secret field blank, and select ASN.1 Distinguished Name in the Type dropdown. You do not need to fill in the ID with the DN from your certificate—the client will do this for you automatically.


Interoperating with Microsoft Windows and Apple Mac OS X

Once you have completed the Assistant, you then must address the extra settings. These settings are split over two separate configuration menus. One menu is called Configuration and is located on the main Configuration drop-down menu. The other menu appears when you select the newly created tunnel and then click the Configure button. In the window that opens, an entire menu of options appears on the left. Select Remote Networks from this menu and add the remote network and netmask.


The next step is to import the X.509 Certificate. The certificate import process is separate and not attached to one specific tunnel. Select Configuration, then Certificates. On the User Certificate tab of the window that opens, select PKCS#12 and browse to the location of the cert.p12 file you have created for this client.

When you install the Astaro Secure Client, it stops the Microsoft IPsec Service and sets the startup type to manual. After uninstalling, the Microsoft IPsec Service is not re-enabled, so all clients relying on the native IPsec implementation, including L2TP connections, will fail to run with obscure errors. You can re-enable the IPsec Service through Control Panel | Administrative Tools | Services.

Finally, you are ready to hit the Connect button and start the IPsec connection.

Unfortunately, the Astaro VPN client does not store the certificate unencrypted, so every time you bring up the connection, you will be asked for the PIN on the certificate, which is the 'export password' used when creating the PKCS#12 file with openssl. It will then establish your connection, and the tray icon traffic light will go from red, to yellow (negotiating), to green (established).

Mac OS X IPSecuritas

http://www.lobotomo.com/products/IPSecuritas/

Mac OS X comes with the KAME IPsec stack and the Racoon IKE daemon. These can be manually configured, but this is a hell of a task and not at all suited for end users (or most developers for that matter).

IPSecuritas provides a GUI wrapper around Racoon that works reasonably well. The only problem at the time of writing was that all Mac OS X versions up to and including Tiger have a broken NAT-T implementation. Even though IKE will negotiate ESPinUDP encapsulation, Tiger will still send out ESP packets, which are then further broken by the NAT router, and will surely be dropped by Openswan. Hopefully Apple will fix this bug in the next Tiger update. A partial workaround for this problem was added in Openswan 2.4.1.

IPSecuritas uses its own Racoon configuration files generated on the fly, which are placed in /tmp. Therefore, it does not require certificates to be imported with Apple's KeyChain Access.app.


IPSecuritas has its own Import Certificate menu. It does not support PKCS#12 files, so you will have to copy the separate caCert.pem, hostCert.pem, and hostCert.key files. The IPSecuritas client supports both PSK and X.509 Certificates and comes with a manual that explains the features and limitations of the client quite well.

Select CA certificate, name it, and select Proceed. Then select Import Certificate again to import your own certificate. Point to your certificate and proceed. This will appear to have failed, but one word on the screen has changed: the word certificate has changed to key, and you are in fact now importing your key file.

The key file must not be password protected. IPSecuritas cannot import password-protected key files.

To remove a password from a key file, use the following command:

# openssl rsa -in macosx.key -out macosx.unlocked.key.pem
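The following script is an added example and is not part of the book or of the Astaro or IPSecuritas products. It prepares both sets of client files the two sections above call for: the cert.p12 bundle with an export password for the Astaro client, and the separate caCert.pem, hostCert.pem and passphrase-free key for IPSecuritas, using the openssl rsa command just shown. It then runs the checks a practitioner would want before handing the files over: that the unlocked key really is unencrypted, that its public key matches the certificate, that it was written owner-only, and that the PKCS#12 file contains both the client certificate and the CA. The CA, subject names, file names other than the book's, and both passwords are constructed so the script runs offline; in a real deployment the client certificate is signed by the Openswan gateway's CA.

```shell
#!/bin/sh
# Added example, not from the book: builds the Astaro (PKCS#12) and
# IPSecuritas (separate PEM files, unlocked key) client material and
# verifies it. CA, names and passwords below are constructed.
set -eu
umask 077                              # every file written here is owner-only

WORK="${WORK:-$(mktemp -d)}"
KEY_PASS="test-pass"                   # constructed passphrase on hostCert.key
EXPORT_PASS="export-pass"              # constructed PKCS#12 export password

# Throwaway CA plus a client key and certificate, named as in the book.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 30 -nodes \
        -subj "/C=NL/O=Example/CN=Example VPN CA" \
        -keyout "$WORK/caCert.key" -out "$WORK/caCert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -sha256 -passout "pass:$KEY_PASS" \
        -subj "/C=NL/O=Example/CN=client1.example.test" \
        -keyout "$WORK/hostCert.key" -out "$WORK/hostCert.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/hostCert.csr" \
        -CA "$WORK/caCert.pem" -CAkey "$WORK/caCert.key" -CAcreateserial \
        -out "$WORK/hostCert.pem" 2>/dev/null
}

# Astaro path: bundle key, certificate and CA into cert.p12. The export
# password is what the Astaro client later asks for as the certificate PIN.
make_pkcs12() {
    openssl pkcs12 -export -name "client1" \
        -inkey "$WORK/hostCert.key" -passin "pass:$KEY_PASS" \
        -in "$WORK/hostCert.pem" -certfile "$WORK/caCert.pem" \
        -passout "pass:$EXPORT_PASS" -out "$WORK/cert.p12"
}

# IPSecuritas path: the book's openssl rsa command, writing the unlocked key.
unlock_key() {
    openssl rsa -in "$WORK/hostCert.key" -passin "pass:$KEY_PASS" \
        -out "$WORK/macosx.unlocked.key.pem" 2>/dev/null
}

# Checks to run before handing the files to a client.
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

key_matches_cert() {                   # same public key in key and cert?
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

file_mode() { ls -ld "$1" | cut -c1-10; }   # e.g. -rw-------

p12_cert_count() {                     # client cert + CA cert = 2
    openssl pkcs12 -in "$WORK/cert.p12" -passin "pass:$EXPORT_PASS" -nokeys \
        | grep -c 'BEGIN CERTIFICATE'
}

main() {
    make_test_material
    make_pkcs12
    unlock_key
    key_is_unencrypted "$WORK/macosx.unlocked.key.pem" && echo "key unlocked"
    key_matches_cert "$WORK/macosx.unlocked.key.pem" "$WORK/hostCert.pem" \
        && echo "key matches certificate"
    echo "unlocked key mode: $(file_mode "$WORK/macosx.unlocked.key.pem")"
    echo "certificates in cert.p12: $(p12_cert_count)"
}
main
```

The unlocked key is the client's whole identity once the passphrase is gone, which is why the script sets umask 077 before writing it; copy it to the Mac over a protected channel, import it, and do not leave copies in shared locations such as /tmp.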

You can view the details of the certificate at Certificate Details. To start a new connection, select Edit connection. Name the connection. Choose Host To Network in the Mode of Operation dropdown. Type in the hostname of the VPN gateway, and the remote network with netmask. Select only Main for Exchange Mode.
