Howto IPSec without L2TP on Vista - Network


Thread: Howto IPSec without L2TP on Vista

  1. Howto IPSec without L2TP on Vista

    Hello guys. I've been struggling with Vista's IPSec behaviour and I really
    need help.

    The setup:
    Vista Computer ---- VPN Device ---- Target Local Network

    The VPN device supports IPSec without L2TP, and the configuration is as
    simple as:
    Phase1 : 3DES - SHA1 - 2
    Phase2 : ESP - 3DES - SHA1
    PSK : bekir

    I tried so many ways I saw on the internet but every time I got frustrated.
    The common way is to write a netsh->advfirewall rule and try pinging one of
    the target hosts from Vista, and Vista will negotiate for security. However,
    what happens is that when I try pinging I see the message "Negotiating for IP
    Security" all the time. Moreover, the VPN device is an OpenBSD-based device,
    so I can use tcpdump and listen on the interface which the Vista computer is
    plugged into, and NO packets come out of the Vista computer and NO logs
    (oakley or security or whatsoever, nothing). I'm really stuck.

    Guys, what would be your way to follow to get the IPSec communication started?

    The operating system is Vista Home Basic.

    I'd appreciate any help.
    Thank you!

  2. RE: Howto IPSec without L2TP on Vista

    Hi Bekir, there is a problem with IPsec tunnel mode that seems to be fixed in
    the latest RC0 build of SP1 for Vista. You would need to get through
    participation in the technical beta of Vista on http://connect.microsoft.com.
    I don't think there is any problem with it being the Basic version. Should be
    the same IPsec in all flavors, just that group policy isn't available for
    Basic & Home versions because they can't be a member of a domain.

    I would confirm the workings of IPsec tunnel mode first end-to-end between
    two Vista SP1 machines using the old-style policy before trying to do the
    same thing in netsh advfirewall context. KB 252735 has the correct
    configuration instructions for the old style policy, although it covers a
    subnet to subnet case, not a host IP to a subnet selector set. It should work
    from a Vista SP1 client to a gateway with a dynamic IP on the client as long
    as the IP doesn't change. Since the policy configuration requires two IPs to
    be specified as tunnel end-points, dynamic IPs don't appear to be supported
    across address change.

    Windows IKEv1 supports negotiation of RFC 2409 options, which don't include
    things required for remote access typically, like user auth with a password
    or address assignment, so not too useful for remote access unless your client
    IP address happens to be routable on the destination network behind the BSD
    machine. You get all of the functionality needed for remote access by
    combining RFC IKEv1 transport mode to protect the UDP 1701 traffic of VPN
    tunneling protocol L2TP.


    "Bekir" wrote:

    > Hello guys. I've been struggling with Vista's IPSec behaviour and I really
    > need help.
    >
    > The setup:
    > Vista Computer ---- VPN Device ---- Target Local Network
    >
    > The VPN device supports IPSec without L2TP, and the configuration is as
    > simple as:
    > Phase1 : 3DES - SHA1 - 2
    > Phase2 : ESP - 3DES - SHA1
    > PSK : bekir
    >
    > I tried so many ways I saw on the internet but every time I got frustrated.
    > The common way is to write a netsh->advfirewall rule and try pinging one of
    > the target hosts from Vista, and Vista will negotiate for security. However,
    > what happens is that when I try pinging I see the message "Negotiating for IP
    > Security" all the time. Moreover, the VPN device is an OpenBSD-based device,
    > so I can use tcpdump and listen on the interface which the Vista computer is
    > plugged into, and NO packets come out of the Vista computer and NO logs
    > (oakley or security or whatsoever, nothing). I'm really stuck.
    >
    > Guys, what would be your way to follow to get the IPSec communication started?
    >
    > The operating system is Vista Home Basic.
    >
    > I'd appreciate any help.
    > Thank you!


  3. RE: Howto IPSec without L2TP on Vista

    Thank you Bill. I have a point and idea about it now, thanks. I should have
    used the term "Client VPN" which is what I'm trying to do. My Vista is
    Turkish and I cannot get the SP1 yet but I'm trying to get the English
    version; if that version works with my original Vista key, then I will try
    getting SP1. So, below, I tried translating to English what I see on my
    screen, I hope I won't mislead.

    Here is the latest situation. I've reinstalled Vista. When I don't do the
    upgrades I cannot use the netsh command stack to configure firewall or policies.
    Thus, I gathered the advanced firewall and security policies sections in an MMC
    console and tried configuring. First, I set the global settings of the
    advanced firewall such that they correspond to the setup I'm trying to get
    working, and I added a secure connection rule in the advanced firewall which
    defines communication end points, PSK and the tunnel end points (client to
    VPN gateway). Second, I added a security policy which defines:
    1) a filter list (communication end points: from PC to target network),
    2) a filter action (encryption methods and action to take: ESP-3DES-SHA1 and
    "set the security in advance" option is selected)
    3) a PSK is defined again which is the same as defined in the firewall rule
    4) in the tunnel configuration I selected "this rule doesn't define an IPsec
    tunnel"

    Having this configuration, I started ping traffic to the target network
    while watching the packets on the interface on which the Vista PC is
    connected. I saw the port 4500 and port 500 traffic and they negotiated. I
    checked the VPN gateway and the tunnel was up and mirrored for both
    directions. However, the ping never succeeded as it started timing out. I
    realised that ESP packets are sent to the VPN gateway instead of ping packets
    while trying to ping. There was no answer from the VPN gateway, so I debugged
    the VPN connection; what I could understand was that there is a problem with
    phase 2, thus they cannot actually negotiate. I totally trust the VPN
    gateway because I can build the connection from a Windows XP machine using
    ipseccmd.exe.

    On the other hand, I tried pinging from target network towards Vista and I
    saw the encrypted packets going inside the tunnel but no response comes from
    Vista. I tried altering the firewall rule and security policy.

    What would you say now? Is it still a SP1 issue?

    Thank you again, I appreciate it.
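    As an added example that is not part of the thread: the netsh advfirewall form of the MMC configuration described in the post above (global main-mode settings plus a tunnel-mode connection security rule), using the Phase 1/Phase 2 parameters from the first post. The addresses, rule name, lifetimes and PSK placeholder are assumptions; the check at the end shows what Windows actually stored before any ping test.

```powershell
# Added example, not from the thread: netsh advfirewall equivalent of the MMC
# configuration described in the post (connection security rule + IPsec settings),
# using the Phase 1/Phase 2 parameters from the first post.
# Placeholder values (assumptions, replace for your network):
#   192.0.2.10        Vista client address (local tunnel endpoint)
#   198.51.100.1      OpenBSD VPN gateway outside address (remote tunnel endpoint)
#   10.0.0.0/24       target local network behind the gateway
#   REPLACE_WITH_PSK  the pre-shared key configured on the gateway
# Run from an elevated prompt. Every parameter must mirror the gateway side;
# the SA lifetimes are one place where a "timeout preference" mismatch with the
# gateway can hide while Phase 2 fails to settle and pings time out.

# Phase 1 (main mode): 3DES, SHA1, DH group 2 ("3DES - SHA1 - 2").
# 480min is a placeholder: set it to the gateway's Phase 1 lifetime.
netsh advfirewall set global mainmode mmsecmethods dhgroup2:3des-sha1
netsh advfirewall set global mainmode mmkeylifetime "480min,0sess"

# Phase 2 (quick mode): ESP with SHA1 integrity and 3DES encryption, in tunnel
# mode between client and gateway, protecting client <-> target subnet traffic.
# The +60min+100000kb quick-mode lifetimes are placeholders: match the gateway.
netsh advfirewall consec add rule name=IPsecTunnelToGateway `
    endpoint1=192.0.2.10 endpoint2=10.0.0.0/24 `
    action=requireinrequireout `
    mode=tunnel localtunnelendpoint=192.0.2.10 remotetunnelendpoint=198.51.100.1 `
    auth1=computerpsk auth1psk=REPLACE_WITH_PSK `
    qmsecmethods=esp:sha1-3des+60min+100000kb

# Check what was actually stored before testing with ping.
netsh advfirewall show global
netsh advfirewall consec show rule name=IPsecTunnelToGateway

# Then ping a host in 10.0.0.0/24 and, on the OpenBSD gateway, confirm that
# IKE (UDP 500/4500) and then ESP arrive from the client (em0 is an assumed
# interface name):  tcpdump -ni em0 'udp port 500 or udp port 4500 or esp'
```

    The second reply's caveat still applies: on a pre-SP1 Vista build the tunnel-mode rule may negotiate Phase 1 yet never pass traffic, so confirm the netsh output matches the gateway before suspecting the gateway.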

  4. RE: Howto IPSec without L2TP on Vista

    I resolved the issue. It was a timeout preference mismatch. Thanks, anyways.

    "Bekir" wrote:

    > Hello guys. I've been struggling with Vista's IPSec behaviour and I really
    > need help.
    >
    > The setup:
    > Vista Computer ---- VPN Device ---- Target Local Network
    >
    > The VPN device supports IPSec without L2TP, and the configuration is as
    > simple as:
    > Phase1 : 3DES - SHA1 - 2
    > Phase2 : ESP - 3DES - SHA1
    > PSK : bekir
    >
    > I tried so many ways I saw on the internet but every time I got frustrated.
    > The common way is to write a netsh->advfirewall rule and try pinging one of
    > the target hosts from Vista, and Vista will negotiate for security. However,
    > what happens is that when I try pinging I see the message "Negotiating for IP
    > Security" all the time. Moreover, the VPN device is an OpenBSD-based device,
    > so I can use tcpdump and listen on the interface which the Vista computer is
    > plugged into, and NO packets come out of the Vista computer and NO logs
    > (oakley or security or whatsoever, nothing). I'm really stuck.
    >
    > Guys, what would be your way to follow to get the IPSec communication started?
    >
    > The operating system is Vista Home Basic.
    >
    > I'd appreciate any help.
    > Thank you!
