Damir Dezeljin wrote:
> I read lot of docs on setting IPSec Roadworriro setup for Win2k/XP
> clients. I found especialy usefull the following documents:
> -
http://www.natecarlson.com/linux/ipsec-x509.php > -
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html > After setting all the things up I found that I haven't the ipseccmd.exe on
> my WinXP box. So I searched the internet again and after some time I found
> that I have to install it from WinXP CD. While this is very anoying for my
> users (I have to set up the VPN connection for other users of my system) I
> want to enable them to use Win2k/XP native client (that client that can be
> invoked from 'Network Connections' by clicing 'New Connection' and
> following the instructions for 'Connect to Network at My Workplace'.
> So I have some questions ... please if anyone can give me any hint, let do
> it ;) :
> - I couldn't found out if the Freeswan and kernel-pathc-freeswan that
> comes with Debian Woody is enough for my setup (freeswan 1.96-1.4 and
> kernel-patch-feeswan 1.96-1.4)? I also couldn't found out if the kernel
> patch also contains L2TP patch? Are those two tools ok or I have to
> compile them manualy? Is there an already compiled .deb package?
If you are using freeswan-1.96 then X.509 patch version 0.9.9 would be
applied to it. Verify if you see the string
Starting Pluto (FreeS/WAN Version 1.96)
including X.509 patch (Version 0.9.9)
in the logfile during the startup of Pluto. Or even easier try if the
command
ipsec auto --listall
works and would show you a list of public keys and certificates. The
CHANGES file
http://www.strongsec.com/freeswan/CHANGES.txt
will show you which features you are missing with 0.9.9.
> - I want to use keys for authentication (X.509) because I want to support
> more clients and I don't want to share the same secret between all
> clients. Is it posible to set-up Win2k/XP to use such a certificate with
> native IPSec client (is there any doc showing how to do this or any
> hint?)?
http://www.natecarlson.com/linux/ipsec-x509.php > - In the first above mentioned doc (first URL) there is a sample
> configuration for ipsec.conf. There is a section 'conn roadwarrior'.
> What I have to enter inest of 'right=%any' to uniquly identify the
> client on the other part of the connection (I want to use the same CA
> certificate to sign all the certificates I will issue for varous servers
> in my company, however I don't want that a user from one server can use
> the VPN connection of the other server - for this reason I have to allow
> only clients with certain certificates to connect to my FreeS/Wan server
> do I have to put the public key that I provide to the client there?)?
X.509 patch version 0.9.27 for freeswan-1.99 and version 1.3.0 for
freeswan-2.00 introduced the rightca= parameter which can be used to
restrict access to a specific host or subnet to a certain CA, only.
For details see my howto at
http://www.strongsec.com/freeswan/install.htm#section_4.7
If you want to use this advanced feature you must upgrade either to
freeswan-1.99 or freeswan-2.01. X.509-patched versions are available
from
http://www.freeswan.ca/download.php
Regards
Andreas
=======================================================================
Andreas Steffen e-mail: andreas.stef...@strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
