IPcop and VPN: "IP-Sicherheit wird verhandelt" (Negotiating IP Security)

Post by Oliver Ehrenberg » Mon 14 Apr 2003 20:31

I have the following problem.

I want to connect two machines: an IPCop network with a road warrior.

I followed this guide:

How to connect a Win2k or XP box to an IPCop using the built-in ipsec of Win2k or XP
NOTE: if your red ip address changes like the weather, you will have to register your ipcop with one of the dynamic dns services such as dyndns.org. Also note that this cannot be done through the Ipcop Web interface, it must be done from a command line, and if you use the connections page of the web interface, it will wipe out all your settings.
Connecting a Win2k/XP box to an IPCop using the built-in ipsec of Win2k Pro/XP is accomplished in about ten minutes. While not tested, the same should work for a Windows XP box. Note that you will have to edit the ipsec.conf and ipsec.secrets which are both placed in the /var/ipcop/vpn directory on your Ipcop machine.
In my situation, I have a win2k box behind an Assante Cable/DSL router connected to a cable modem. The ipcop box protects a private network with a subnet of 192.168.1.x and I am running a subnet of 192.168.10.x at my end. You need different subnets at each end otherwise the routing will not behave properly. By this I mean that you could not setup the network behind the Ipcop to be 192.168.1.x and then have your road warrior be 192.168.1.x, it would have to be 192.168.2.x or some other private ip address. In the logging examples, you will see 255.255.255.255 as an ip address, this is a fictional address for this example. My particular machine is 192.168.10.159 and you will see that entered in the conf files, etc. And the Ipcop box is 192.168.1.254, again you will see this in the logs, etc. Note that my win2k machine is a different subnet to the Ipcop machine.
Now on to the good stuff! First, make sure your Win2k box is ready to do the job, Service Pack 2 must be installed or at least the high encryption pack, it installs 3DES which is needed by Ipcop. This is not necessary for XP as it contains 3DES already.
For Windows 2000 get the ipsec policy editor from here : http://www.microsoft.com/windows2000/te ... efault.asp
For Windows XP you will need the Ipseccmd program : You have to install the Win XP Support tools. They reside on your Win XP CD in the directory \SUPPORT\TOOLS. Just start setup.exe in this directory. You have to select a Complete installation to get ipseccmd.
Next download this utility: http://vpn.ebootis.de/package.zip and extract the contents to the same place that the IPSECPOL.EXE for Win2k was installed to(typically c:\Program Files\Resource Kit\) or where Ipseccmd.exe was installed to for Windows XP.
Also to make sure you know what is going on with the Ipcop box, download and install PuTTY or some other Secure Shell. PuTTY is free and can be downloaded from here: http://the.earth.li/~sgtatham/putty/lat ... /putty.exe
Make sure you turn on SSH on your Ipcop box so that Putty or another Secure Shell can access the command line.
Now, you need to setup the ipsec.conf on both IPCop and the Win2k/XP machine. Here's a sample one for IPCop:

conn roadwarrior
compress=no
left=(red address or dynamic dns name)
leftsubnet=192.168.1.0/24 <-- subnet behind IPCop
leftnexthop=%defaultroute
type=tunnel
authby=secret
pfs=yes
right=%any
rightsubnet=192.168.10.159/32 <--if you are behind a firewall or other router put private address here otherwise leave blank
rightnexthop=%defaultroute
auto=add
In the ipsec.secrets file on the Ipcop make sure you have
(red address or dynamic dns) 0.0.0.0 : PSK "PreShared secret here"
(red address or dynamic dns) %any : PSK "PreShared secret here"
Now for the Win2k setup:

conn KDI
left=(red address of ipcop or dynamic dns name of ipcop)
leftsubnet=192.168.1.0/24 <-- Subnet behind IPCop
right=%any
presharedkey=PreShared secret here
network=auto
auto=start
pfs=yes
Now, from a DOS box, change directories to where the IPSECPOL.EXE was installed to (typically c:\Program Files\Resource Kit\) and then type IPSEC.EXE and that will initiate the ipsec connection. It took me two attempts to get this working, but it works and works well if all is configured properly. You should see this from Windows 2K:

C:\Program Files\Resource Kit>ipsec.exe
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows 2000 identified
Host name is: darrenc
No RAS connections found.
LAN IP address: 192.168.10.159
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
Connection KDI:
MyTunnel : 192.168.10.159
MyNet : 192.168.10.159/255.255.255.255
PartnerTunnel: (Red IPCOP address or Dyn DNS Name)
PartnerNet : 192.168.1.0/255.255.255.0
CA (ID) : Preshared Key ******************
PFS : y
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Activating policy...
C:\Program Files\Resource Kit>
Next from the win2k box ping the Green Ip Address of the Ipcop box, after a couple of pings, it should get a reply. (Takes two tries with my setup, I have heard of it taking four or five) To ping type the following:

ping (green address of ipcop)
That should give you something like this:

C:\>ping 192.168.1.254
Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time=51ms TTL=255
Reply from 192.168.1.254: bytes=32 time=60ms TTL=255
Reply from 192.168.1.254: bytes=32 time=50ms TTL=255
Reply from 192.168.1.254: bytes=32 time=50ms TTL=255
Ping statistics for 192.168.1.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 50ms, Maximum = 60ms, Average = 52ms
Ideally to make sure things are going as planned, have a putty (SSH - Secure Shell) session running to your IPCop box so you can examine /var/log/secure. For more information on SSH and how to set it up, look in the IPCopFAQ for How do I turn on SSH.
As for the IPCop log it should show something like the following:

cat /var/log/secure
Dec 31 17:30:42 Ipcop0002 pluto[7932]: "roadwarrior"[1] 255.255.255.255 #5: responding to Main Mode from unknown peer 255.255.255.255
Dec 31 17:30:43 Ipcop0002 pluto[7932]: "roadwarrior"[1] 255.255.255.255 #3: Peer ID is ID_IPV4_ADDR: '192.168.10.159'
Dec 31 17:30:43 Ipcop0002 pluto[7932]: "roadwarrior"[2] 255.255.255.255 #3: sent MR3, ISAKMP SA established
Dec 31 17:30:43 Ipcop0002 pluto[7932]: "roadwarrior"[2] 255.255.255.255 #6: responding to Quick Mode
Dec 31 17:30:43 Ipcop0002 pluto[7932]: "roadwarrior"[2] 255.255.255.255 #6: IPsec SA established
The above log can also show you what went wrong, or at least the vital information to post to the list to show us what went wrong so we can help you correct it.
If you fail to connect on the first attempt or try to reconnect after the connection goes idle, I have found that I have to restart the vpn on both ends, on the win2k box type

ipsec -off
Then on the Ipcop, use the web interface to restart the vpn. Now start the win2k ipsec again. Now you know how to connect a win2k box to an IPCop using the built-in ipsec of Win2k, thanks to Darren Critchley.

My IPCop network is connected to the Internet via DSL.

The road warrior (WinXP) connects via a dial-up modem.

The tunnel is then established:

IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows 2000 identified
Host name is: darrenc
No RAS connections found.
LAN IP address: 192.168.10.159
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
Connection KDI:
MyTunnel : 192.168.10.159
MyNet : 192.168.10.159/255.255.255.255
PartnerTunnel: (Red IPCOP address or Dyn DNS Name)
PartnerNet : 192.168.1.0/255.255.255.0
CA (ID) : Preshared Key ******************
PFS : y
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Activating policy...

When I then try to ping the road warrior, I always get the message:

"IP-Sicherheit wird verhandelt"

I can also see the folders in My Network Places, but I cannot access them.

So, what could be the cause? Hoping for an answer...

If more information about the configuration is needed, please say so in your reply.

Thanks in advance. See you then.
Oliver Ehrenberg
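The pluto lines in /var/log/secure that the how-to tells you to watch can be reduced to one diagnostic question: how far did each peer get through IKE before Windows started reporting "Negotiating IP Security"? The following is an added example, not code from the post or from IPCop; the stage markers are the five messages shown in the how-to's log excerpt, and the sshd line and the second peer (203.0.113.7) in the sample log are constructed.

```python
import re
from collections import defaultdict

# A pluto (FreeS/WAN IKE daemon) line in /var/log/secure on IPCop looks like:
#   ... pluto[7932]: "roadwarrior"[1] <peer ip> #5: <message>
PLUTO_RE = re.compile(r'pluto\[\d+\]: "[^"]+"(?:\[\d+\])? (?P<peer>\S+) #\d+: (?P<msg>.*)$')

# IKE milestones in the order pluto logs them. Traffic flows only after the
# last one; "Negotiating IP Security" on Windows means a peer is stuck earlier.
STAGES = [
    ("responding to Main Mode", 1, "IKE Phase 1 started"),
    ("Peer ID is", 2, "peer identified"),
    ("ISAKMP SA established", 3, "IKE Phase 1 complete"),
    ("responding to Quick Mode", 4, "IKE Phase 2 started"),
    ("IPsec SA established", 5, "IPsec tunnel up"),
]

def hint_for(stage):
    """Point at the setting from the how-to worth checking first."""
    if stage < 3:
        return "Phase 1 incomplete: PSK must match both ends; ipsec.secrets needs the %any line"
    if stage < 5:
        return "Phase 2 failed: leftsubnet/rightsubnet must match PartnerNet/MyNet and LANs must differ"
    return "tunnel up; if Windows still negotiates, run 'ipsec -off', restart IPCop VPN, reconnect"

def ike_progress(log_lines):
    """Return {peer_ip: (stage, label, hint)} for every peer pluto talked to."""
    furthest = defaultdict(int)
    for line in log_lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue  # sshd and other daemons also write to /var/log/secure
        for marker, stage, _ in STAGES:
            if marker in m.group("msg"):
                furthest[m.group("peer")] = max(furthest[m.group("peer")], stage)
    labels = {stage: label for _, stage, label in STAGES}
    return {p: (s, labels[s], hint_for(s)) for p, s in furthest.items()}

# Constructed sample: the how-to's successful exchange, an unrelated sshd line,
# and a second peer (TEST-NET address 203.0.113.7) that stalls after Peer ID.
SAMPLE_LOG = """\
Dec 31 17:30:42 Ipcop0002 pluto[7932]: "roadwarrior"[1] 255.255.255.255 #5: responding to Main Mode from unknown peer 255.255.255.255
Dec 31 17:30:43 Ipcop0002 pluto[7932]: "roadwarrior"[1] 255.255.255.255 #3: Peer ID is ID_IPV4_ADDR: '192.168.10.159'
Dec 31 17:30:43 Ipcop0002 pluto[7932]: "roadwarrior"[2] 255.255.255.255 #3: sent MR3, ISAKMP SA established
Dec 31 17:30:43 Ipcop0002 pluto[7932]: "roadwarrior"[2] 255.255.255.255 #6: responding to Quick Mode
Dec 31 17:30:43 Ipcop0002 pluto[7932]: "roadwarrior"[2] 255.255.255.255 #6: IPsec SA established
Dec 31 17:35:10 Ipcop0002 sshd[8011]: Accepted password for root from 192.168.1.10 port 1043 ssh2
Dec 31 17:36:01 Ipcop0002 pluto[7932]: "roadwarrior"[3] 203.0.113.7 #7: responding to Main Mode from unknown peer 203.0.113.7
Dec 31 17:36:02 Ipcop0002 pluto[7932]: "roadwarrior"[3] 203.0.113.7 #7: Peer ID is ID_IPV4_ADDR: '192.168.10.20'
""".splitlines()
```

Calling `ike_progress(SAMPLE_LOG)` reports the first peer at stage 5 (tunnel up) and the second at stage 2, which is the typical pattern when the pre-shared key differs between ipsec.secrets and the Windows presharedkey line.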