[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: VPN client for Windows for NetBSD VPN gateway
On Sun, Feb 15, 2009 at 04:09:05PM +0000, Matthias Scheler wrote:
> On Sun, Feb 15, 2009 at 09:54:24AM -0500, Thor Lancelot Simon wrote:
> > > can somebody recomment a freely available IPsec/IKE based VPN client
> > > that works well with a NetBSD VPN gateway?
> > What's already built into Windows will work -- though it would work
> > somewhat more smoothly if we supported Microsoft's preferred L2TP over
> > IPsec encapsulation.
> How do you configure Windows *not* to use that?
On very old releases of Windows (e.g. win2k) you do it by using the
relevant MMC snap-in to configure an IPsec association by hand, instead
of using the "create a vpn connection" wizard.
On more recent releases, you have a choice of protocol and options when
you create a VPN connection. You will find buried _somewhere_ in the
options -- it's been a long time! -- the choice to use standard IPsec
tunnel mode without L2TP.
This will, though, require you to use certificate authentication, and
there is an associated security hole: Windows allows you to specify only
the _certificate authority_ who must have signed the server's certificate,
not the actual DN or CN from the certificate itself. That means that if
you have what most people would consider a "typical" PKI -- where client
and server's certificates are signed by the same authority -- any other
client can impersonate the server towards you, and carry out a MITM attack.
However, the L2TP encapsulation doesn't make that problem go away either.
At one point Microsoft told me they were going to fix the certificate
problem -- and maybe they have -- I haven't looked since about 2003.
Thor Lancelot Simon
"Even experienced UNIX users occasionally enter rm *.* at the UNIX
prompt only to realize too late that they have removed the wrong
segment of the directory structure." - Microsoft WSS whitepaper
Main Index |
Thread Index |