Using a Linux L2TP/IPsec VPN server with Windows Vista
Last update: Jun 8, 2008
1.1 Introduction
I have made the following webpages on using L2TP/IPsec with Linux:
The page you are now reading describes how you can use Windows Vista
with Openswan. It assumes you are already familiar with setting up
Openswan with L2TP/IPsec. If you are not, it's probably a good idea to
start with reading this page (the
first
one in the list). It includes information on setting up the Linux side.
The other pages contain specifics on several L2TP/IPsec clients which
are available for Windows and Mac OS X.
Windows Vista can also be configured to use IPsec without
L2TP (see below). If you are looking
for a third-party VPN
client for Vista, check out that section too.
There are basically two methods of authenticating Windows
2000/XP/Vista
clients in IPsec VPNs: Preshared
Keys (PSKs) and X.509
certificates. Windows Vista also supports Kerberos V5, NTLMv2 and
"health certificates" but these are Microsoft proprietary "standards"
and not supported by Openswan. If you
have a Windows XP or Vista client, I
recommend that you start with a PSK and test that first. It should be
easier to do than setting up certificates. Once
you
got a basic setup working, you can proceed with certificates. On
Windows
2000 clients, however, it is more difficult to configure a PSK. So if
you only have Windows 2000 clients, I suggest that you skip PSKs
altogether and use certificates. Note that if you want to use PSKs then
either each client shares this single PSK (not recommended for security
reasons!) or each client has its own PSK but is also required to have a
fixed IP address. For testing purposes
this should not be a problem. Fixed IP addresses are not required for
clients which use certificates. Don't forget to disable the PSK
configuration files once you switch to certificates! Openswan will
get confused if there are PSK and certificate configuration files for
the same client / IP address. The PSK configuration will get the upper
hand.
There is a snag. Microsoft believes that certificates
should only be used for authenticating computers, not users (never mind
that third-party IPsec clients authenticate
users with certificates just fine!). This means that the certificate of
the user has to be imported as a 'local computer certificate'
(requires Administrator privileges). The result is that the certificate
is shared by all users on the client machine (if there is only one user
this should not be a problem of course). You can use different
usernames
and PAP/CHAP passwords to distinguish the users on a client, but
passwords provide weaker security than user certificates. One final
remark: I believe it is not possible to store the 'local computer
certificate' on a smartcard or USB token, unfortunately (please correct
me if I am wrong!).
You can import a certificate to Windows Vista manually (through
MMC) but it can also be automated. See the "Advanced"
section for that.
1.2 Author
The author of this document is Jacco de Leeuw.
Corrections, additions, extra information etc. are much appreciated.
Back to Contents
2. Contents
3. Installation and configuration
The L2TP/IPsec client is installed on Windows
Vista by default. You might want to check the Microsoft
Knowledgebase to see if there are any Hotfixes or other bugfixes
for Vista.
3.1 Personal
firewall issues
I have not encountered problems with Vista's built-in firewall and
its
default settings when used with L2TP/IPsec. But there is one issue that
you
have to keep in mind: the default settings
block incoming "ping" requests (ICMP echo). This is a bit annoying if
you are testing and troubleshooting connections. Ping can
be enabled on Vista but I could not find any official documentation on
that. What worked for me is the following procedure:
Click "Start",
and then "Control panel". Click "System and Maintenance" (or switch to
"Classic View",
which I prefer anyway).
Click
"Administrative Tools". Click "Windows Firewall with Advanced
Security". Select "Inbound Rules". Select "File and Printer Sharing
(Echo Request - ICMPv4-In". Use the right mouse button to enable the rule.
However, problems have been reported with the personal firewall
included with Microsoft OneCare. This is a complete different firewall
made by another team at Microsoft. It should not be confused with
Vista's built-in personal firewall. It appears that VPN
ports have to be opened for the OneCare firewall (note that opening
TCP 1723 is not required for L2TP/IPsec, only for PPTP). The easiest
solution would be to tick off the checkbox "VPN - connect to another
computer over a virtual private network" in the OneCare settings
("Firewall
connection tool"). This was reported on Alec
Saunders' blog.
Back to Contents
4. Setting up connections with Preshared keys
We'll start with Preshared Keys (PSKs). The IPsec client included
with Windows Vista supports PSKs out of the
box. The
routine for authenticating Windows Vista through certificates is
almost the same, but more work in advance because you have to generate
and import a certificate. PSKs are easier to use than certificates but
they have the
disadvantage that in practice you can use them only for clients which
have fixed IP addresses. Preferably, the PSK is distributed
out-of-band,
e.g. you write it down on a piece of paper and walk to the other
machine.
Here is the procedure for configuring a Preshared Key based
L2TP/IPsec connection on Windows Vista. Click on the links for
screenshots. (Note that Vista supports various themes and styles. There
may be some GUI differences on your screen).
- Click "Start",
and then "Control panel". Click "Network and Internet" (or switch to "Classic View").
- Start the "Network and Sharing Center".
- Click "Set
up a connection or network".
- Select "Connect
to a workplace".
- Optionally you can select an existing connection
to run the new VPN connection over. If you do
not have a direct connection to the Internet, you may want to select
your analogue modem connection, ISDN, PPTP or PPPoE connection here.
When you
start the VPN connection Windows will then first dial your Internet
connection. (Of course you can also choose "No, create a new
connection" and then
manually start the Internet connection every time you want to use the
VPN connection).
- Select "Use my Internet
connection (VPN)".
- (Strangely enough, I got this window on Vista RC2: "Do you want to set up an
Internet connection before continuing?". It did not make sense
because I already had a working Internet connection at that stage. So I
chose: "I'll
set up an Internet connection later").
- Enter the
(external) IP address or the hostname of your Linux VPN server.
Also enter a name for this new VPN connection.
- Select "Don't connect now". Click "Next". (If you need smartcard
support, read this.)
- Type your (PPP) username
and password. If there is a Windows or
Samba domain server on the
internal network that you would like to log on to, enter the domain as
well. (Note: the domain logon option may not be available on all Vista
versions).
- Complete the
Connection Wizard. Mind you, the connection is NOT yet ready to use.
- Back in the "Network and Sharing Center", select "Manage network
connections".
- The "Network Connections" window appears. Select your newly
created VPN connection.
(You
may notice that Vista defaults to PPTP).
- Use the right mouse button to select the context menu of the VPN
connection. Click "Properties". There are 4 tabs: "General", "Options",
"Security", "Networking" and "Sharing".
- Verify the
settings in the "General"
tab and the "Options" tab.
You entered these in the previous
steps. Normally you should not have to change these.
- Now select the "Security" tab. You
should be able to use "Typical (recommended settings)" if your Linux
VPN server is configured for CHAP or MS-CHAPv2 in the L2TP/PPP
authentication phase.
- If your Linux VPN server is configured for e.g. PAP or EAP in the
L2TP/PPP phase, select "Advanced (custom
settings)" and then select
the authentication protocol(s) that you need (in this screenshot it
is only PAP). Set data encryption to "Required".
Then click "OK".
- Select the "Networking"
tab. Change the type of VPN
to "L2TP IPSec VPN". Click "OK". The "Internet Protocol Version 4
(TCP/IPv4)" is selected by default. If desired, uncheck the ones that
you don't need.
- Click "IPsec Settings".
Enable the checkbox "Use
preshared key for authentication". Enter the PSK for this user.
This is the same PSK as entered in /etc/ipsec.secrets
on the Linux server. Click "OK".
- Optionally select the "Advanced"
tab. Adjust
Vista's firewall if desired. Or enable Internet Connection Sharing if
you need it, but I don't
know if
this
works. Using ICS on a VPN connection may be a bit counter-productive, I
guess. Click "OK".
- Click "OK" again. You return to the "Network Connections" window.
- Select the VPN connection with the left mouse button. Use the
right mouse button to select the context menu of the VPN
connection. Click "Connect".
- You should now get a VPN connection. A window appears, asking what kind of network
you are connecting to. In most cases this would be a "Home" network or
a "Work" network. If you select "Public location", presumably the
firewall settings for this connection will be more strict.
- Close the window "Successfully set
network settings".
- You can now use your VPN connection. Optionally, verify the status of your
connection in the "Network connections" window (screenshot 1, screenshot 2, screenshot 3).
- There is no separate icon for your active VPN connection in the
bottom right corner (unlike Windows 2000/XP). There is only one icon
for all connections. If you want to disconnect, you can click that icon
and select the VPN connection. Alternatively, click "Disconnect" in the context
menu of the VPN connection.
On the Linux server you should successively get an IPsec connection,
L2TP connection and
then a PPP connection. Check /var/log/secure and /var/log/messages
on the Linux server for errors. If everything works fine, you might
want
to consider upgrading to certificates. See below.
Back to Contents
5. Importing
certificates
At this point I assume you have made certificates for your users. If
not, see my other webpage.
In most cases certificates come in the form of PKCS#12 files. These
files contain the user's certificate, the corresponding private key and
one or more CA root certificates. There are two ways of importing
certificates: manual and automated. If you want to do an automated
import, you need to download and install a utility on the client (see
below).
Here is 's how you can do a manual import to
Windows Vista. (For an automated import of the certificate, see below).
- Click
"Start", type "mmc" in the
search box and press enter.
This will start the Microsoft Management Console.
- MMC requires Administrator privileges so you will be prompted for
your password.
- Continue the routine as described for Windows 2000/XP.
Back to Contents
6. Using certificates
6.1 Setting up connections with
certificates
Once you have imported the user certificate, you can configure an
L2TP/IPsec connection which uses this certificate to authenticate
against a Linux VPN server.
The procedure for creating an L2TP/IPsec connection which uses a
certificate is almost the same as the procedure for
PSKs
mentioned above. The difference is this:
You cannot select which
client certificate to use for a particular L2TP/IPsec connection. How
does the
Windows Vista client know what certificate to use
if multiple certificates from different CAs have been imported? Well,
the client requires
the certificates on both sides to be signed by the same Certificate
Authority (CA). The client verifies that the server has a valid
certificate, but you don't actually install the server's certificate on
the client. Instead, the client verifies whether the certificate
presented by the server was issued by a CA that the client trusts. This
certificate is typically included in the PKCS#12 file. This PKCS#12
file contains the user's private key, the
corresponding certificate and one or more CA certificates. The Linux
server's certificate is not included in the PKCS#12 file.
6.2 "Verify Name and
Usage attributes"
Vista will
receive the server's certificate that the the server itself sends once
the
IPsec negotiations start. It then verifies the validity of this
certificate with the CA certificate it has in its certificate store
(i.e. was it signed by the CA or has the certificate expired). Vista
then verifies if the hostname in the server's certificate matches the
hostname that you entered in the VPN connection settings. Note that
Windows 2000 and XP do not perform this hostname check (MacOS X does).
See also this section which
includes instructions on how to generate such server certificates with
OpenSSL.
If you want to restore the original Windows 2000/XP behaviour (i.e. the
subjectAltName in the certificate is not checked) you need to
disable the option "Verify
the Name and Usage attributes of the server's certificate" in the
"IPsec Settings" window. Be warned though that this makes it easier for
adversaries
to impersonate the server if they have compromised a valid (client)
certificate,
e.g. from a stolen laptop.
The "Verify Name" option seems to imply that Vista also verifies the "Extended Key Usage" restrictions
that a server certificate may have. The log messages seem to confirm
this but I have not verified it yet.
Vista does not seem to verify the hostname in a server certificate when
an IP address (instead of a hostname) was entered in the client's VPN
connection settings. I have not checked whether an IP address in a
server certificate (i.e. subjectAltName=IP:160.85.22.3 in
OpenSSL) is actually verified by Vista. IP addresses in certificates
are very inflexible so they do not make much sense anyway.
Back to Contents
7. NAT-Traversal
Windows Vista supports
NAT-Traversal out of the box, both the official standard RFC 3947 and draft-02.
More information on NAT-T in general can be found here.
7.1.1 Issue with Windows Vista and
server-side
NAT
Windows Vista has the same issue as Windows XP with ServicePack 2.
This issue was discovered
by George Ou. Vista does not support establishing
IPsec connections to servers
behind NAT. Apparently Microsoft considers
this a security risk because of an
(uncommon) scenario which is described here.
Microsoft even says that a VPN server behind NAT
is "not recommended" (see also KB Q885348),
although the NAT-T RFC describes it as a normal setup that should be
supported. The problem occurs with both Windows Server 2003 and
Openswan, so it is an issue in Vista, not Openswan.
The Windows XP SP2 workaround described in Knowledge
Base article Q885407
does not work because this registry key does not exist under Windows
Vista. The correct registry key for Vista has been obtained by George
Ou through his Microsoft contacts. Since then, it has also been
published in Microsoft KB
article 926179. The key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule
This key should be created and set to 2 (DWORD) to allow server-side
NAT. I have modified George's original script
for Windows XP SP2. You can download the equivalent script for Windows
Vista here. If you wish to
restore
Windows Vista to its default behaviour, use this script.
After applying either script, remember to reboot your computer or to
restart the "Remote Access Connection Manager" (Rasman, located in
"Settings" -> "Control Panel" -> "Administrative Tools" ->
"Services"), or you
can use this batch script.
7.1.2 PSK and NAT-T in Vista
In most (production) cases you will want to use certificate
authentication instead of a Preshared Key (PSK). Certificates provide
better security and work better when NAT is involved. However, in some
cases you may be forced to use a PSK.
Windows Vista is very similar to the L2TP/IPsec client included with
Windows XP/2003, but there is an additional requirement when a PSK is
used and NAT is involved. You have to add this line to your L2TP-PSK
section:
rightsubnet=vhost:%no,%priv
Windows XP/2003 support PSKs and NAT-T but they are based on
draft-02 of the NAT-T standard ("draft-ietf-ipsec-nat-t-ike-02").
Vista also supports this draft-02 but when connecting to recent
versions of Openswan it prefers RFC 3947 over draft-02. Apparently
these implementations use different identifiers when NAT is involved:
when a Windows XP/2003 client connects, Openswan reports the following:
Main mode peer ID is ID_FQDN: '@blabla.example.com'
But when a Vista client connects (or probably any other RFC 3947
compliant client), the following is reported:
Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
(Where x.x.x.x is the IP address that the client has on
the NATed network).
7.1.3 Server-side NAT with pure IPsec or AuthIP
If you only wish to use L2TP/IPsec with Vista you can skip this section.
It appears that Windows Vista can not only use L2TP/IPsec but also IPsec
without L2TP. This has the same server-side NAT issue as in the
L2TP/IPsec
scenario mentioned above. According to information obtained by George
Ou from his
Microsoft contacts, the registry key for the IPsec-without-L2TP
scenario is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule
However, I noticed that the \IPsec key does not exist so I am not
quite sure if this will work. I have not investigated it.
A third
scenario where Vista can be used as a client to connect to a
server behind NAT is AuthIP (see below). The
following
command
should enable the server-behind-NAT scenario with AuthIP:
netsh advfirewall set global ipsec ipsecthroughnat
serverandclientbehindnat
This sets the following equivalent registry key to 2 (DWORD):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
Back to Contents
8. IPv6
In Windows Vista, IPv6
is installed and
enabled by
default. It is included as the "Internet Protocol Version 6
(TCP/IPv6)"
protocol component in the properties page of network connections (in
the Connections and
Adapters folder).
Many applications in Vista now support IPv6, including the
L2TP/IPsec VPN client. This would allow you to get a secure
IPv6 connection, wherever you are, as long as you have a working (IPv4)
Internet connection and your VPN server is able to provide access to an
IPv6 network.
First of all, your Linux kernel and your PPP daemon must support
IPv6. Most
recent ones do (check 'man pppd'). You probably do not need
IPv6 support in your L2TP daemon, assuming your Internet connection is
IPv4. Exceptions may be l2tpd
and xl2tpd
because these maintain their own IPv4 address pools for remote clients
so you won't be able to hand out IPv6 addresses with (x)l2tpd. However,
like the other L2TP daemons, you should be able to use RADIUS through a
plug-in and hand out IPv6 addresses to remote clients. Alternatively,
you can configure (x)l2tpd manually to assign one IPv6 address in /etc/ppp/options.l2tpd:
ipcp-accept-local
ipcp-accept-remote
ipv6 ::dead:beef,::dead:beee
noccp
auth
(etc.)
This should come in handy for testing purposes or if you want to
support only one client.
As far as I know, l2tpns
is the only Open Source implementation with built-in IPv6 support.
Back to Contents
9. Advanced IPsec features
9.1 Weak crypto
If you connect to an Openswan error and you receive the following error:
"Error 741: The local computer does not support the
required data encryption type."
then the Openswan server uses weak cryptographic algorithms. This
is not the default configuration for Openswan so the best solution is
to configure Openswan to use the standard (strong) algorithms. However,
if you still want to use weak cryptography (not recommended!) you can
change a registry setting in Vista ("AllowL2TPWeakCrypto").
This is described in KB
article 929856.
9.2 Stronger crypto: AES, SHA-1, CRL
By default Windows Vista proposes ISAKMP SAs with 3DES encryption,
HMAC
authentication based on SHA-1 hashes and Diffie-Hellman group 14
(MODP2048). These
are reasonable defaults and Openswan will accept them. Vista also
supports ISAKMP SAs with AES
but only in combination with ECC
Diffie-Hellman groups, which Openswan
does not support. (Note: you get more control over crypto algorithms if
you use pure IPsec instead of
L2TP/IPsec. See
below).
Vista also proposes IPsec SAs with either 128-bit AES or 168-bit
3DES encryption and HMAC authentication based on SHA-1.
Recent versions of Openswan default to AES, so in most cases AES will
be used for the bulk encryption. AES is much faster than 3DES so this
is good for the throughput of
the L2TP/IPsec connection.
If you want 256-bit
AES encryption instead of 128-bit AES encryption you need to modify the
properties of the L2TP/IPsec connection on the Vista client.
Older versions of Openswan by default use
3DES and SHA-1 for IPsec SAs. These are good defaults for
Windows
2000/XP clients that use the built-in IPsec stack. AES is much faster
than 3DES
and Vista supports AES, so you might want to explicitly enable AES
support if you are using an older version of Openswan. You
could for instance add the
following
lines to the connection section(s) in your ipsec.conf:
ike=aes-sha,3des-sha
esp=aes-sha1,3des-sha1
9.3 Perfect Forward
Secrecy
I don't know how to enable PFS with L2TP/IPsec. That is, when the
"New Connection Wizard" is used to create an L2TP/IPsec connection.
There is still no "PFS" setting in the "New Connection Wizard". Perhaps
the default
security policy of the Wizard can be
hacked so that PFS is enabled, but I haven't tried that.
There are valid reasons for
using PFS. If you need it, you will have to use IPsec
without L2TP. Vista supports PFS when pure IPsec is used (i.e.
without L2TP), but only when the
command-line is used to configure the connection, and when PSK
authentication is used. PFS currently does not work with certificate
authentication on Vista.
9.4 Strong CRL checking
The following command seems to indicate that Windows Vista can
verify
the revocation status of a certificate that is presented by a server:
netsh advfirewall set global ?
This results in:
strongcrlcheck -
Configures how CRL checking is enforced.
0: Disable CRL checking
1: Fail if cert is revoked (default)
2: Fail on any error
notconfigured: Returns the value to its not
configured state.
But according to "netsh advfirewall show global", it appears
that 0 is the default, not 1! You can change this with:
netsh advfirewall set global ipsec strongcrlcheck 1
I have not verified if this actually works.
9.5 IPCOMP and DPD
IPsec
compression
(IPCOMP) and Dead Peer Detection
(DPD) are still not supported by Windows
Vista.
Back to Contents
10. IPsec
without L2TP
10.1 Discussion
10.1.1 Vista's built-in configuration utilities
Windows versions before Vista were very difficult to configure for IPsec without L2TP.
Microsoft
boasts that they have reduced the
complexity: they say that in Windows 2000/XP it required more than 100
mouseclicks to set up an IPsec VPN connection, and in Vista it requires
"only"
15 mouseclicks. There is also slightly more help info in Vista
compared to XP, such as "What is a VPN?" but this is
generally very basic info. The help info does say that IPsec without
L2TP is not to be used for Road
Warrior-style VPNs. They advise to use L2TP/IPsec or PPTP for that.
There are two new configuration utilities in Windows Vista that
attempt
to make IPsec without L2TP easier:
- an MMC snap-in called "Windows Firewall with
Advanced Security" (WFwAS),
located in Control Panel ->
Administrative Tools). Discussed in the section below.
- the "netsh advfirewall"
command-line tool. Discussed in another section
below.
Unfortunately,
both these configuration
utilities experience a couple of problems.
The first problem is that there is almost no documentation about
either "netsh
advfirewall" or the IPsec client in WFwAS. Problem #2 is that
there is a bug in Vista: when
certificate-based authentication is involved Vista currently cannot
process packets that it receives from the Openswan server. This problem
is reported to be fixed in Vista SP1. The third
problem is that things don't work at all if NAT is involved. A fourth
problem is
that you can only specify server IP addresses in the new Vista
configuration
utilities. You cannot specify the hostname of the server, so if the IP
address of the IPsec server changes, all clients will have to be
informed of this new IP address (this also rules out
servers that addressed by DynDNS or something similar).
10.1.2 Third-party clients for Vista
An annoyance is that you need to know the actual IP address of the
Vista client when you configure WFwAS or use netsh advfirewall.
For example, check the Network Connection details of your Vista
client's network adapter to see what IP address was received from the
DHCP server. Another option is to find this IP address by running "ipconfig
/all" on the command prompt.
An alternative is to use a 'wrapper' around Vista's IPsec
configuration framework called Windows Filtering Platform (WFP).
Here is a list of such
clients for Windows 2000/XP. I don't know whether these will work on
Vista as well. But IPsec configuration
management has changed significantly in Vista and I suspect that these
tools
won't work. Work is under way to extend TauVPN /
iVPN
(by Nejc Skoberne and Stefan Markowitz) with Vista support. QuickVPNplus
is reported to work with Vista.
Another alternative is to buy a third-party IPsec client. Microsoft
maintains a list of third-party VPN
software that is compatible with Vista. A complication is that VPN
clients may require
access to the Vista kernel. Some
anti-virus vendors are in trouble because Microsoft
does not give them access to the Vista kernel, so I would not be
surprised if VPN client vendors are in the same boat.
Note that if you use IPsec without L2TP, remote clients will
not be able to obtain virtual IP
addresses from the internal (i.e. protected) subnet. I.e. to other
computers the remote client will not appear to be located on
the internal network.
10.2
WFwAS
10.2.1
WFwAS with PSK authentication
As mentioned in the previous section, Vista's WFwAS does not work
when used with certificates, but it does work with Preshared Key (PSK)
authentication. Of course in most
real-world setups you
do not want to use a PSK for authentication, because it is less
secure and does not scale well. But for relatively simple setups this
can be an option. The configuration is described in the following
sections.
10.2.2 WFwAS with PSK: server
side configuration
Here is a sample Openswan configuration for use with Vista's
WFwAS client. As you can see it is a relatively simple configuration
file. There is no L2TP involved.
# Configuration supporting multiple users with any type of
# IPsec client. This includes the built-in client (WFwAS)
# in Windows Vista.
#
# Authenticates through a Pre-Shared Key. Supports clients that
# are behind NAT or not.
conn IPSEC-PSK
#
authby=secret
pfs=no
rekey=no
keyingtries=3
#
#
----------------------------------------------------------
# The VPN server.
#
# Allow incoming connections on this IP
address.
#
left=123.123.123.123
#
# Our internal (protected) network
leftsubnet=192.168.1.0/24
#
#
----------------------------------------------------------
# The remote user(s).
#
# Allow incoming connections from any IP
address.
right=%any
rightsubnet=vhost:%no,%priv
#
#
----------------------------------------------------------
# Change 'ignore' to 'add' to enable this
configuration.
#
auto=ignore
|
Note: by default my example configuration file is not activated by
default (for security reasons). Change auto=ignore
to auto=add to enable the connection.
Also, if you use different IP addresses and subnets in your network,
change these accordingly in the example above. Then, enter
your
PSK in the ipsec.secrets
file:
123.123.123.123: PSK
"keysharedbyallclients"
|
Restart or reload Openswan to enable the new configuration.
10.2.3 WFwAS with PSK: client
side configuration
After you have configured your Openswan server, you create an IPsec
connection rule on your Windows Vista client. Here is the procedure for
configuring a Preshared Key based IPsec connection on Windows Vista:
- Click "Start",
and then "Control panel". Click "Network and Internet" (or switch to "Classic View").
- Click "Administrative
Tools".
- Click "Windows Firewall
with
Advanced Security".
- In the left-hand side window, select "Connection Security Rules".
- Right-click and select "New
Rule..." from the context menu. This
launches the New Connection Security Rule Wizard.
- Select "Tunnel"
and click "Next".
- You now need to specify
the IP addresses of your IPsec tunnel. "Endpoint 1" is your Vista
client and "Endpoint 2" is the remote
Linux VPN server. Use the top "Add" button to enter your client's IP
address at "Which computers are at Endpoint 1?". (If the Vista client
is behind NAT, enter the client's internal IP address, not the external
IP address of the NAT-router. In
this example it is
192.168.0.2).
- Enter the same IP address again at "What is the local tunnel
computer (closest to Endpoint 1)?".
- Enter the Linux VPN server's IP address at "What is the remote
tunnel computer (closest to Endpoint 2)?".
- Use the bottom "Add" button to enter the remote subnet. In
the screenshot, it is 192.168.1.0/24.
- Click "Next".
- Select "Preshared Key"
and enter your PSK. (Microsoft warns
against using a PSK, but it's they who are to blame for certificates
not working at the moment).
- Click "Next".
- "When does this
rule apply?" (Domain/Private/Public). Probably
best to leave these profiles selected.
- Click "Next".
- Enter a name and
optionally a description for this new connection.
- Click "Finish".
The new IPsec connection rule shows up in "Connection Security Rules".
Later on, should you want to modify the settings of this connection
rule, select the rule and right-click "Properties".
The IPsec connection rule is immediately active. But IPsec connections
are not. An IPsec connection will be automatically set up when you
try to reach an IP address in the remote subnet. In the example, the
subnet is 192.168.1.0/24,
so if you "ping 192.168.1.1"
the connection will be set up. You do not have to click "Connect"
anywhere. The Vista client will contact the Linux server and you
should see an incoming IPsec connection in the logfiles. Check /var/log/secure
and /var/log/messages
on the Linux server for messages.
IPsec connections are automatically disconnected after a while. If you
want to disconnect immediately (or [temporarily] disable the IPsec
connection rule), right-click the rule and select "Disable Rule" from
the context menu.
10.2.4 Stronger crypto with
WFwAS: AES,
SHA-1
Unlike L2TP/IPsec, you can modify the
IPsec settings of the WFwAS client and make it use stronger
cryptographic settings.
In WFwAS, select the top option, also called "WFwAS". Select "Action" from the menu and
then "Properties". Go
to the "IPsec Settings"
tab and
then click "Customize".
In the "Customize IPSec
Settings" window, select the option "Advanced" for both "Key
exchange (Main Mode)" and "Data protection (Quick Mode)". Click the top
"Customize" button. The "Customize Advanced Key Exchange Settings"
window appears. Select
Diffie-Hellman group 14 and click "Add" to add AES-256-SHA1 to the
IKE proposals. Select the new AES-256-SHA1 entry and use the arrow
buttons to move AES-256-SHA1 to the top of the list. This will make
sure that they are tried first. Click "OK".
Click the bottom "Customize" button. The "Customize Data Protection
Settings" window appears. Click "Add" and add AES-256-SHA1 to
the
IPsec proposals. Move these too to the top by selecting them and
clicking
the "Up" arrow. In the "Data Protection
(Quick Mode)" settings you may also want to enable "Require encryption
for
all connection security rules that use these settings". If not, Vista
will also propose "ESP Null" and AH, i.e. no encryption at all.
Openswan will not accept proposals without encryption (thankfully!) but
it will log these
messages: "kernel algorithm does
not like: no alg"
and "unsupported ESP Transform
ESP_NULL from x.x.x.x".
Click "OK" after you added AES-256-SHA1. You're back at
the "Customize IPSec settings" window. The
"Authentication method" does not have to be changed. Apparently it is
not used for IPsec Connection Security rules.
10.3 netsh
advfirewall
10.3.1 netsh
advfirewall with PSK authentication
Read this section if you prefer to use the command line instead of a
GUI to set up the IPsec connection (for example, because you want to
run it from a script).
Of course the setup on the server side
is the same as with WFwAS, only the client side is different. You don't
run the WFwAS GUI but instead use the command prompt to run these two
commands
(requires Administrator
privileges):
netsh advfirewall set global mainmode mmsecmethods
dhgroup14:aes256-sha1,aes128-sha1,3des-sha1
netsh advfirewall consec add rule name="LinuxVPNrule"
enable=yes mode=tunnel localtunnelendpoint=192.168.0.2
remotetunnelendpoint=123.123.123.123 endpoint1=192.168.0.2
endpoint2=192.168.1.0/24 action=requireinrequireout
auth1=computerpsk auth1psk="keysharedbyallclients"
qmsecmethods=esp:sha1-aes256,esp:sha1-aes128,esp:sha1-3des qmpfs=none
|
You probably use different IP addresses and subnets in your setup, so
change the IP addresses that are displayed in bold according to
the
ones you are using. Also use your own PSK instead of my example "keysharedbyallclients".
If you want to use Perfect Forward Secrecy (you
probably do, if you are connecting to a Linux VPN server), see below.
After you have run these commands the IPsec connection rule is
immediately active. But IPsec connections
are not. An IPsec connection will be automatically set up when you
try to reach an IP address in the remote subnet. In the example, the
subnet is 192.168.1.0/24,
so if you "ping 192.168.1.1"
the connection will be set up.
Other commands that may be useful:
# Show all IPsec rules:
netsh advfirewall consec show rule name=all
# Delete all IPsec rules (be careful):
netsh advfirewall consec delete rule name=all
# List all available parameters when adding a rule:
netsh advfirewall consec add rule /?
# Dump all rules to a script (does nothing; does not
work?):
netsh advfirewall consec dump
|
10.3.2 netsh advfirewall
with PSK and PFS
Perfect Forward Secrecy (PFS)
is a feature that can only be enabled on the command line, not with
WFwAS. You enable PFS with the parameter qmpfs=. If it is not
present when you add a rule, it defaults
to qmpfs=none which means that PFS is disabled. To enable PFS
you would use qmpfs=dhgroup14 or qmpfs=dhgroup2
(the other values for the ECC DH groups are not supported by Openswan
and DH group 1 is too weak). Probably the best
option is to use qmpfs=mainmode. This tells Vista to use the
same PFS group as configured for Main Mode (the "mmsecmethods"
command). Then use the following commands instead of the commands
mentioned previously:
netsh advfirewall set global mainmode mmsecmethods
dhgroup14:aes256-sha1,aes128-sha1,3des-sha1
netsh advfirewall consec add rule name="LinuxVPNrule"
enable=yes mode=tunnel localtunnelendpoint=192.168.0.2 remotetunnelendpoint=123.123.123.123
endpoint1=192.168.0.2 endpoint2=192.168.1.0/24
action=requireinrequireout auth1=computerpsk
auth1psk="keysharedbyallclients"
qmsecmethods=esp:sha1-aes256,esp:sha1-aes128,esp:sha1-3des qmpfs=mainmode
|
The parameter that was changed for PFS is displayed in bold.
10.4 Certificate authentication
10.4.1 WFwAS with certificate authentication: server
side configuration
Here is a sample Openswan configuration for use with Vista's and
certificate authentication. It is slightly more complex than PSK
authentication.
# Configuration supporting multiple users with any type of
# IPsec client. This includes the built-in client (WFwAS)
# in Windows Vista.
#
# Authenticates through certificates. Supports clients that
# are behind NAT or not.
conn IPSEC-CERT
#
authby=rsasig
pfs=no
rekey=no
keyingtries=3
#
#
----------------------------------------------------------
# The VPN server.
#
# Allow incoming connections on this IP
address.
#
left=123.123.123.123
#
# Our internal (protected)
network
leftsubnet=192.168.1.0/24
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/localCERT.pem
#
#
----------------------------------------------------------
# The remote user(s).
#
# Allow incoming connections from any IP
address.
right=%any
rightsubnet=vhost:%no,%priv
rightca=%same
rightrsasigkey=%cert
#
#
----------------------------------------------------------
# Change 'ignore' to 'add' to enable this
configuration.
#
auto=ignore
|
This example configuration file is also not activated by
default. Change auto=ignore
to auto=add if to enable the connection. Restart
or reload Openswan to enable the new configuration.
Note that this is just one example. Certificate authentication can be
implemented in several ways. See also the "Certificates" section on my
other page.
10.4.2 WFwAS with certificate authentication: client
side configuration
There is currently a bug in Vista if you use the WFwAS
client with certificate authentication. The connection is set up and
packets are exchanged between the Vista client and the Openswan server,
but for some reason Vista does not process incoming packets. I have
been informed that this bug has been fixed in Beta 6001.17036 v.652 of ServicePack
1.
To use certificate authentication with WFwAS, install a client certificate, then
follow the same procedure
as for PSKs, until you get to the "Authentication method" window. Select "Computer
certificate". Click "Browse" and select the root certificate
of the CA that issued the client
certificate. Or, alternatively, manually enter the subject name of the
root certificate at "CA name". Then continue the procedure for PSKs.
WARNING: Vista's IPsec client does not seem to verify the
subjectAltname in the server's certificate (unlike Vista's L2TP/IPsec
client). And on the IPsec client you cannot specify a subject of
the server certificate either (unlike
Linux clients where you can specify rightid="CN=vpnserver.example.com",
for example). This means that a stolen client certificate can
impersonate a server to Vista clients. There is a "Certificate mapping"
option in the Vista IPsec client but I don't know if it can be used to
thwart this attack, and besides, this Certificate mapping option seems
to require ActiveDirectory which is not supported on Linux.
10.4.3 netsh
advfirewall with certificate authentication
The following procedure can be used if you want to use the command
line and authenticate to the server with a client certificate. Again,
the setup on the server
side
is the same as with WFwAS, only the client side is different. Run these
two
commands
(requires Administrator
privileges):
netsh advfirewall set global mainmode mmsecmethods
dhgroup14:aes256-sha1,aes128-sha1,3des-sha1
netsh advfirewall consec add rule name="LinuxVPNrule" enable=yes
mode=tunnel localtunnelendpoint=192.168.0.2 remotetunnelendpoint=123.123.123.123
endpoint1=192.168.0.2 endpoint2=192.168.1.0/24
action=requireinrequireout auth1=computercert auth1ca="C=NL, S=ST,
L=L, O=TESTORG, CN=TESTCA certmapping:no excludecaname:no"
auth1healthcert=no
qmsecmethods=esp:sha1-aes256,esp:sha1-aes128,esp:sha1-3des qmpfs=none
|
You probably use different IP addresses and subnets in your setup, so
change the IP addresses that are displayed in bold according to
the
ones you are using. Also change the parameter auth1ca
and enter your CA's subject name (if the name contains spaces, you may
need to escape these or put the name between quotes. Or perhaps you
don't have to do anything. I have not looked into this yet).
If you want to use PFS (you
probably do, if you are connecting to a Linux VPN server), see above.
10.5. NAT with WFwAS or netsh
advfirewall
Unfortunately the procedures described above do not work when NAT is
involved. Openswan responds with a QuickMode proposal to the Vista
client but for some reason Vista does not like a parameter: "IkeIsSaValidForTunnel
failed with Windows error 87(ERROR_INVALID_PARAMETER)". Vista then
sends an "IKE Informational Mode" message to the server and disconnects:
pluto[5863]: "IPSEC-PSK"[1] 192.168.15.1 #3: ignoring informational
payload, type INVALID_PAYLOAD_TYPE
pluto[5863]: "IPSEC-PSK"[1] 192.168.15.1 #3: received and ignored
informational message
pluto[5863]: "IPSEC-PSK"[1] 192.168.15.1 #3: received Delete SA
payload: deleting ISAKMP State #3
But from the IKE log I cannot deduce which parameter exactly is
unacceptable to Vista.
The same problem also occurs when ipsec-tools (racoon) is used instead
of Openswan. Therefore I suspect that this is a problem in Vista. The
problem has not been resolved in Vista SP1. According to Knowledge Base
article Q944335,
it's not a bug, it's a feature! Microsoft writes: "Behind an NAT
device, if more than one computer shares the same source port, a
conflict may occur." But that's why the IETF invented NAT-Traversal! It looks like
Microsoft is not compliant with the NAT-T RFC, and they prefer their
new proprietary VPN protocol SSTP which they advertise as the VPN
solution for
nasty NAT problems...
Back
to Contents
11.
Troubleshooting
11.1 Dial-Up Networking error messages
The error messages generated by Windows 2000/XP are not
terribly
clear. Microsoft claims to have improved and clarified the error
messages and help info in Windows Vista. There is a list of Dial-Up
Networking (DUNS) error messages for Vista in KB article 923944.
To some extend, Vista uses the
same Dial-Up
Networking (DUNS)
error messages as Windows 2000/XP. But I noticed that some errors
that were reported in Windows 2000/XP are
not displayed in Vista at all, fooling the user into thinking that the
connection
is still up. If you get an error message not listed here or if you just
want more information on why a particular connection fails, enable the Oakley log and/or the PPP log on Windows
Vista.
Vista also has a new "network diagnostics framework" but so far I have
found it utterly useless for troubleshooting VPN problems (with advice
such as "Reset the network adapter" etc.).
11.1.1 "Error 732: Your computer and the remote computer could not
agree on PPP control protocols."
See this page.
11.1.2 "Error 741: The local computer does not support the required
data encryption type" or
"Error 742: The remote server does not support encryption".
See this section.
11.1.2 "Error 766: a certificate could not be found"
This appears to be a new error message that was not present in
Windows 2000/XP (those already have error 781/786). You get the
following error message:
"Error 766: A certificate could not be found.
Connections that use the L2TP protocol over IPSec require the
installation of a machine certificate, also known as a computer
certificate."
See the remarks under Error
781. I don't know
exactly the difference between these two.
11.1.3 "Error 787: could not authenticate"
You get the
following error message:
"Error 766: The L2TP connection attempt failed
because
the security layer could not authenticate the remote computer."
This appears to be similar to Error 835, except you have probably
disabled the option "Verify
the Name and Usage attributes" and the server certificate is still not
acceptable to the client. This could mean that the server does not have
a valid certificate, the client does not have a root certificate of the
CA that issued the server's certificate or perhaps there is a
man-in-the-middle or some other security problem. You may have to look
at the Oakley log for more detailed information (see
below).
11.1.4 "Error 809: server not responding"
You get the
following error message:
"Error 809: The network connection between your
computer and the VPN server could
not be established because the remote server is not responding. This
could be because one of the network devices (e.g., firewalls, NAT,
routers, etc.) between your computer and the remote server is not
configured to allow VPN connections. Please contact your Administrator
or your service provider to determine which device may be causing the
problem. "
You may get this error when the server is behind NAT but you have not
applied the Vista registry patch as described here. The IPsec phase
seems to be working but the L2TP/PPP packets do not get through. There
may be other causes for this error. Check the firewall settings, i.e.
allow IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP 50).
11.1.4 "Error 835: could not authenticate"
This too appears to be a new error message that was not present
in
Windows 2000/XP. You get the
following error message:
"Error 835: The L2TP connection attempt failed
because
the security layer could not authenticate the remote computer. This
could be because one or more fields of the certificate presented by the
remote server could not be validated as belonging to the target
destination."
This error occurs under the following condition: 1) you are
using
certificates 2) the
server certificate contains a hostname and 3) this hostname does not
match the hostname configured in the VPN connection
properties. Disabling "Verify
the Name and Usage attributes of the server's certificate" in the
"IPsec Settings" window is a quick workaround for the problem, but this
is probably a bad idea because it reduces security. A better solution
is to make sure that the hostname in your VPN settings matches the
hostname in the server certificate. For more
details, see this
section.
11.2 "OAKLEY_GROUPs
supported"
You may get the following warning:
"only OAKLEY_GROUP_MODP1024 and
OAKLEY_GROUP_MODP1536
supported. Attribute OAKLEY_GROUP_DESCRIPTION"
This is just a harmless message and not an error. By default one of the
IKE proposals by Windows Vista is a Diffie-Hellman MODP2048
(group 14) key exchange which is not supported by your version of
Openswan. Both
sides
will agree upon one of the other IKE proposals with either MODP1024
(group 2) or MODP1536 (group 5).
Nothing to worry about. If you upgrade to a more recent version of
Openswan you will get MODP2048 support.
You may get the following warning:
"Diffie-Hellman group 20 is not a supported modp
group. Attribute OAKLEY_GROUP_DESCRIPTION"
"Diffie-Hellman group 19 is not a supported modp group.
Attribute OAKLEY_GROUP_DESCRIPTION"
Vista also supports DH group 19, which is an elliptic
curve algorithm using a 256-bit random curve group (NIST identifier
P-256), and DH group 20, which is an elliptic curve algorithm using a
384-bit random curve group (NIST identifier P-384). Openswan does not
support these, possibly due to software patent issues.
11.3 Windows Vista
picks the wrong certificate
I have not seen this problem on Vista yet, because I always use rightca=%same
anyway :-). For more information, see my Windows 2000/XP page.
Back to Contents
12. Troubleshooting: examining the
Windows logs
It may not not be very obvious in the Windows Vista L2TP/IPsec client
but
there are two phases: the IPsec phase and the L2TP/PPP phase. Each
phase has its own logs.
Information about troubleshooting on the Linux side can be found on my main L2TP/IPsec page.
12.1 Oakley logs
If there is a problem with your L2TP/IPsec VPN connection, you may need
to look at the IPsec logs on your Windows workstation. Examples are
troublesome firewalls, broken NAT devices or IPsec authentication
problems. These cannot be resolved by looking up the DUNS error code or
by examining the PPP (RAS) logs.
High level logging is enabled by setting the DisableIKEAudits registry
key. For more details, see Basic
Troubleshooting for IPsec based VPN’s by Stefaan Pouseele.
For more detailed logs you need to enable IPsec (IKE) logging. On Windows 2000 and XP
you enable this by setting a
registry key.
This procedure does not work on Windows Vista. I have been in contact
with
Microsoft Support and they provided the following procedure:
- With Administrator privileges, start the registry editor and
locate the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ikeext\Parameters\EnableLogging
- Set the DWORD value of EnableLogging to 1.
- Click "Start",
and then "Control panel". Click "System and Maintainance" (or switch to
"Classic View",
which I prefer anyway).
Click
"Administrative Tools".
- Click "Services". Select the "IKE and AuthIP Ipsec Keying
Modules"
(IKEEXT) service. Stop and then start this service. Do not use
"restart" because that does not have the same effect. (Alternatively,
run "NET STOP IKEEXT" and "NET START IKEEXT" on a DOS
prompt as Administrator).
- Initiate the L2TP/IPsec VPN connection that you
wish to troubleshoot.
- Disconnect the VPN connection (if it hasn't terminated
already).
- Stop the IKEEXT service.
- Vista will create an "Event Trace Log" file in: %SystemRoot%\System32\Ikeext.etl
This ETL file is a binary file. You will have to
convert it to human readable output with tracefmt.exe, a tool
that is included in the Windows XP Support Tools pack.
- Download the Windows
XP Support Tools pack.
- Install the executable. Vista will report a
compatibility problem. Ignore the warning. Some of the programs in the
Windows XP Support Tools pack are probably not compatible. Just make
sure that you don't run any other tool than tracefmt.exe.
Alternatively, if you want to play it safe, install the Support
Tools pack on a Windows XP SP2 machine and then copy over the files tracefmt.exe
and traceprt.dll to a directory on your Vista machine.
- With Administrator privileges,
run the following command: tracefmt.exe
%SystemRoot%\System32\Ikeext.etl -tmf %SystemRoot%\System32\wfp.tmf -o
%TEMP%\wfpdiag.txt
- The file wfpdiag.txt will be created. It is very
similar to the
file oakley.log on Windows 2000/XP. You can view it for
example with: write.exe %TEMP%\wfpdiag.txt
- Start the IKEEXT service again.
Note
that the files %SystemRoot%\System32\Ikeext.etl and %TEMP%\wfpdiag.txt
contain the Preshared Key (PSK) if your VPN connection uses a PSK.
Change your PSK if you send these files to a third party for analysis.
You
may also want to delete these files after you have examined them.
I don't know if this same routine can be used on Windows Server 2008 as
well.
12.2 PPP logs
On Windows 2000/XP,
"netsh ras set tracing * enabled" command enables PPP logging.
Although
this command still works on Vista, Microsoft recommends using "netsh
ras diagnostics" instead. This
entry on the Microsoft Routing and Remote Access Blog provides the
following procedure:
- Run the command "netsh ras diagnostics set rastracing *
enabled"
- Now run the scenario that is failing (e.g., establish the VPN
connection that was failing earlier)
- Flush the RAS logs by executing the command "netsh ras
diagnostics set rastracing * disabled"
- The trace logs are created and available at %windir%\tracing
folder.
- Some of the trace log files that would help in diagnosing the
problem are:
- PPP.log
- RASMAN.log
- IASHLPR.log
- RASIPCP.log
- RASIPV6CP.log
- You can also check the "Event Viewer"
under "Windows Logs"->System and look for events with Source as
"RemoteAccess" or "Rasman" that could help in troubleshooting the issue.
- RAS Error codes are listed at http://support.microsoft.com/kb/q163111/
Back to Contents
13. Advanced
13.1 Automated certificate installation
A number of tools have been described on my other webpage. I
have tried certimport
by Xelerance and it works fine
on Windows Vista. CertImport
by Kiko Vives Aragonés fails to run because of a missing file
MFC42D.DLL. I suspect that recompiling the source code with Visual
Studio 2005 (Express Edition) may resolve this. Note
that all tools used to import a machine certificate require Administrator privileges.
13.2 Automated L2TP/IPsec configuration on Windows Vista
I don't know if the Connection
Manager Administration Kit (CMAK) can be used with Windows Vista.
Again, it does not matter because it
probably does not make (financial) sense to use CMAK with Openswan. See
also my
other webpage.
There is some documentation on the Microsoft website about the Windows
Filtering Platform (WFP), which is the underlying platform for Windows Firewall with Advanced Security (WFwAS).
Possibly this WFP API can be used to create IPsec connections
automatically.
13.3 Joining a domain
Matt Berther has written about joining a domain with
Vista. I have not verified this.
13.4 MS-CHAPv1 not supported
As you can see from this
screenshot, the first version of MS-CHAP is not supported by Vista.
It supports MS-CHAPv2 only. This is discussed in Microsoft Knowledge Base article
Q926170. Windows 2000/XP do support
MS-CHAPv1. In my
opinion it is a bit silly to drop support for MS-CHAPv1 because the
security of an L2TP/IPsec connection does not depend on MS-CHAPv1
(unless you are using a group shared key that is public knowledge,
which you should not do anyway). Besides, PAP and CHAP are still
supported in Vista and these are even less secure than MS-CHAP. The
only reason I can think of is that it is a server-side issue. Microsoft
wants an authentication scheme for NTLM which uses irreversible
passwords and MS-CHAPv1 was not strong enough. I think you cannot
disable MS-CHAPv1 on Windows Server 2000/2003.
Back to Contents
14 AuthIP
14.1 AuthIP discussion
Microsoft has implemented "AuthIP",
a proprietary extension (see also: "embrace and
extend") to IKE, an important part of the
IPsec standard. There is no in depth information about AuthIP. There is
mainly high level product overview blurb on the Microsoft website (such
as this,
this,
this and two Cable
Guy colums).
Of course this Microsoft
proprietary extension is not supported by any Open
Source
implementation. It is
undocumented and no doubt heavily patented. AuthIP is only supported by
Windows Vista and Windows Server 2008. Microsoft seems
to prefer AuthIP over IPsec, according to this presentation.
In AuthIP there is a "second
authentication" and the first authentication (the one defined by
the official IKE standards) is optional, or "anonymous". (Why didn't
Microsoft adopt IKEv2
instead if they needed 'legacy' authentication methods?). AuthIP adds
an optional second authentication phase based on
NTLMv2, user certificates or Kerberos. AuthIP is never used
with L2TP/IPsec, only with 'pure' IPsec.
When you connect, Vista logs the following
Vendor IDs:
packet from x.x.x.x:500: ignoring Vendor ID payload
[MS-MamieExists]
packet from x.x.x.x:500: ignoring Vendor ID payload
[MS NT5 ISAKMPOAKLEY 00000005]
packet from x.x.x.x:500: received Vendor ID payload [RFC
3947] method set to=110
packet from x.x.x.x:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
packet from x.x.x.x:500: ignoring Vendor ID payload
[FRAGMENTATION]
packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation
Discovery Capable]
packet from x.x.x.x:500: ignoring Vendor ID payload
[Vid-Initial-Contact]
packet from x.x.x.x:500: ignoring Vendor ID payload
[IKE CGA version 1]
The Vendor IDs "MS-Negotiation Discovery Capable" (MD5 hash: fb1de3cdf341b7ea16b7e5be0855f120),
"IKE CGA version 1" (MD5 hash: e3a5966a76379fe707228231e5ce8652)
and "MS-MamieExists" (MD5 hash: 214ca4faffa7f32d6748e5303395ae83) probably
announce AuthIP support.
14.2 AuthIP bug in Vista (pre-ServicePack)
Due to a bug in Vista, the WFwAS client and netsh advfirewall
insist on doing a
second
authentication, even if you have not asked for it. Vista sends
IKE packets containing 'Next Payload type' 133 with 'Exchange type' 243
(Microsoft's proprietary version of Main Mode) and Exchange type 246
(the
AuthIP version of Informational Message reporting a disconnect).
These types are unknown to Openswan because they are non-standard
numbers reserved for private (i.e. in-house) use. Normally an IPsec
implementation should negotiate proprietary extensions by sending and
receiving Vendor IDs. But Microsoft ignores this and sends these
non-standard packets right away. So Openswan has no choice but to
reject these packets:
packet from x.x.x.x:500: next payload type of ISAKMP
Message has an
unknown value: 133
Although the first authentication succeeds, the second authentication
fails because Openswan does not support Microsoft's proprietary AuthIP
scheme. So Vista will fail to connect.
This bug has been fixed in Vista
SP1.
Back to Contents
15.1 PPTP authentication:
PEAP-EAP-MSCHAPv2
and PEAP-EAP-TLS
A new feature in Windows Vista is support for stronger user
authentication
in PPTP and L2TP/IPsec VPNs. Previous versions of Windows only
supported passwords and
the encryption keys were derived from these passwords which is not good
practice. Vista now also supports PEAP in PPTP VPNs.
Windows 2000/XP supports PEAP only for 802.1x wireless networks. The
authentication mechanisms supported in Vista's PEAP are EAP-MSCHAPv2
(passwords) and EAP-TLS (smartcards and local certificates), which are
considerable stronger than the MSCHAPv2 passwords that were the only
option in previous versions of Windows.
PPTP with PEAP will initially not ask for a username and
password but only show a "Connect"
button. When the client connects, it will try to validate the root certificate name
and the server
certificate, respectively. Only then the client will request the
user for his username
and password (in the case of EAP-MSCHAPv2).
This could be an alternative for L2TP/IPsec. Advantages that I can
think of:
- Stronger authentication than PPTP-MSCHAPv2.
- On the clients probably easier to configure than L2TP/IPsec
(but
not easier than PPTP-MSCHAPv2).
Disadvantages:
- PPTP is still just a "Microsoft standard", not an official
IETF
standard.
- Server-side: currently only supported by Windows Server 2003
/
Windows Server 2008. (Although theoretically a Linux server should
be able to support it because implementations for all protocols are
available.)
- Client-side: currently only supported by Windows Vista. (And
theoretically Linux clients, see above).
- The status window says that "MPPE 128" is used,
which probably
refers to RC4 with 128 bits keys because Windows Server 2003 does not
support AES-128 (dunno about Windows Server 2008, it is not yet
available at the time of this writing). IPsec supports the much
stronger encryption algorithms 3DES
and AES.
15.2 L2TP/IPsec with PEAP
Windows Vista also supports the use of PEAP with L2TP/IPsec. I have not
investigated this. I don't think it adds much security or features,
because L2TP/IPsec already has strong authentication for both client
and
server. Smartcards are already supported through L2TP/IPsec with
EAP-TLS, and passwords through L2TP/IPsec with PAP/CHAP/MSCHAP. No need
to add an extra PEAP layer.
Back to Contents
16. Split tunnelling
If you don't want to send regular Internet traffic through the VPN
tunnel you may want to enable split tunnelling. See this section
for more details about split tunnelling and its advantages and
disadvantages.
On Windows Vista, you enable or disable
split
tunnelling by modifying the
'Advanced' TCP/IP
settings of the VPN connection you created. You have to
uncheck
the
box called "Use default gateway on remote network" to enable split
tunnelling.
Back to Contents
17. Acknowledgements
Thanks to George Ou
of TechRepublic for helping
resolve the NAT-T problem in Vista. Thanks also
go to his Microsoft contacts for releasing this information.
Thanks to Okan C. of Microsoft Support for the info on obtaining an
Oakley.log equivalent on Vista.
Back to Contents
18. Related links
Microsoft has done some interoperability
testing between a beta version of Vista and racoon. They don't have
nice things to say about racoon, and strangely enough there is no
information on how to set up a Vista client.
Back to Contents
19. Revision history
Jun 8, 2008: Vista actually does support AES-256 for IPsec
SAs.
Feb 18, 2008: Pure IPsec bug
not fixed in SP1. Microsoft says it's not a bug, it's a feature...
Dec 25, 2007: Possibly another bug in Vista when pure IPsec
is used with NAT.
Nov 12, 2007: Confirmed: bug in Vista when certificate
authentication is used with pure IPsec. (Fixed in SP1).
Sep 18, 2007: Added info on pure IPsec client in Vista.
Mar 9, 2007: Added info on getting an Oakley.log
equivalent.
Nov 21, 2006: MS-CHAPv1 not supported.
Nov 9, 2006: NATed server problem resolved.
Nov 5, 2006: Page created. Based on the Windows
2000/XP page.
Jacco de
Leeuw