Re: VPN client for Windows for NetBSD VPN gateway

[Thor Lancelot Simon <tls%rek.tjls.com@localhost>]

On Sun, Feb 15, 2009 at 04:09:05PM +0000, Matthias Scheler wrote:
> On Sun, Feb 15, 2009 at 09:54:24AM -0500, Thor Lancelot Simon wrote:
> > > can somebody recomment a freely available IPsec/IKE based VPN client
> > > that works well with a NetBSD VPN gateway?
> > 
> > What's already built into Windows will work -- though it would work
> > somewhat more smoothly if we supported Microsoft's preferred L2TP over
> > IPsec encapsulation.
> 
> How do you configure Windows *not* to use that?

On very old releases of Windows (e.g. win2k) you do it by using the
relevant MMC snap-in to configure an IPsec association by hand, instead
of using the "create a vpn connection" wizard.

On more recent releases, you have a choice of protocol and options when
you create a VPN connection.  You will find buried _somewhere_ in the
options -- it's been a long time! -- the choice to use standard IPsec
tunnel mode without L2TP.

This will, though, require you to use certificate authentication, and
there is an associated security hole: Windows allows you to specify only
the _certificate authority_ who must have signed the server's certificate,
not the actual DN or CN from the certificate itself.  That means that if
you have what most people would consider a "typical" PKI -- where client
and server's certificates are signed by the same authority -- any other
client can impersonate the server towards you, and carry out a MITM attack.

However, the L2TP encapsulation doesn't make that problem go away either.
At one point Microsoft told me they were going to fix the certificate
problem -- and maybe they have -- I haven't looked since about 2003.

-- 
Thor Lancelot Simon                                        
tls%rek.tjls.com@localhost
    "Even experienced UNIX users occasionally enter rm *.* at the UNIX
     prompt only to realize too late that they have removed the wrong
     segment of the directory structure." - Microsoft WSS whitepaper