Connecting to Microsoft VPN with Linux?
Lamar Owen
lowen at pari.edu
Tue May 4 21:02:33 UTC 2004
On Sunday 02 May 2004 20:43, Michael Mansour wrote:
> In one state (the other state from here), this
> particular company is supported by a mob who don't
> know anything about Linux, so they wish to convert the
> company to Microsoft VPN and have asked me what is
> required on my end to make Linux support their
> Microsoft VPN solution their end.
> * can Linux VPN support Microsoft VPN?
Microsoft's current VPN is a hybrid three-layer beast. It's PPP over L2TP
over IPsec. All of these are supportable under Linux. The configuration is
not easy. There is a commercial Linux-based solution for a Linux VPN
_server_ that works with Microsoft's VPN clients, including a nice
Certification Authority and a Windows certificate installation Wizard that
makes it very easy to connect Microsoft clients to the Linux VPN firewall.
The product is SmoothWall's Corporate Server 3.0 + SmoothTunnel 3.1. The VPN
portion (SmoothTunnel) is licensed based on the number of configured tunnels.
Each L2TP client gets a separate tunnel. A reseller local to me is Joyner
Network Solutions. E-mail ben at caresweb.com for more information.
The Microsoft VPN, for the Road Warrior case (that is, a dynamically assigned
IP address 'dialing' in to a fixed gateway) is very simple to configure on
the client side (once you get your certificates in the right place) and is
very easy in concept, being that it is Just Another Dialup Networking
Connection.
Don't use PPTP as it has known security issues.
Win95/98/ME L2TP VPN DUN client software is available free from Microsoft.
I am using the SmoothTunnel product here and was extremely impressed by the
polish of the web GUI tools for configuration. To say it was simple is an
extreme understatement: Generate CA; Generate Host Cert; Generate Client
Cert; Create L2TP RoadWarrior Tunnel (the only hard part here is 'Client IP'
which is the IP address _on_the_inside_ network for the tunnelled host to
use); download certs (CA in PEM, Client in PKCS12) (simple web form based
download); install certs using provided GUI Wizard; configure the DUN VPN
properly (a couple of configuration points are not default). The Win2k3
setup of the same thing is of about the same complexity.
I tried doing this all by hand using l2tpd and hand-generating the CA, host,
and user certs and hand importing everything into Windows. While it DID
work, it took a very long time to get right, and the SmoothTunnel stuff Just
Works. But all the pieces you need are available free: OpenSWAN for the
IPsec, the stock PPP package, and L2TPD (see Nate Carlson's page at
http://www.natecarlson.com/linux/ipsec-x509.php for more info, as well as
Jacco's page at http://www.jacco2.dds.nl/networking/freeswan-l2tp.html). But
beware; configuration is not at all easy. But Jacco's website in particular
has everything you need to know.
Also available is the Astaro Security Linux and the Astaro IPsec Client at
www.astaro.com.
> * are there any ADSL modem/routers which support
> Microsoft's VPN?
IPsec needs to be put into 'NAT Traversal' mode for the typical
VPN-passthrough solution to work. The Windows side also needs the 818043
update applied. NAT-traversal just causes IPsec to tunnel over UDP port 500
instead of using the default IP protocol 50. Look for the keyword 'VPN
passthrough' and you would want the 'many clients' type.
--
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
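As an added illustration (not from the original post, nor SmoothWall's, Openswan's or Jacco's own files), here are the three free pieces Lamar names wired together for an X.509 road-warrior L2TP/IPsec gateway: Openswan 2.x for the IPsec leg, l2tpd 0.69 for L2TP, and pppd for the PPP leg. The gateway address, the inside address pool, the certificate file names and the user are constructed placeholders; the certificates themselves are assumed to already sit under /etc/ipsec.d/.

```ini
# /etc/ipsec.conf  (Openswan 2.x; IPsec leg, transport mode, certificate auth)
config setup
    interfaces=%defaultroute
    # NAT-T is what lets clients behind a 'VPN passthrough' router connect
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn l2tp-x509
    type=transport          # L2TP/IPsec protects the L2TP packets, not a subnet
    authby=rsasig           # certificates rather than a shared pre-shared key
    pfs=no                  # the Windows client does not offer PFS on the quick-mode SA
    left=%defaultroute
    leftcert=gateway.pem    # host cert in /etc/ipsec.d/certs (constructed name)
    leftrsasigkey=%cert
    leftprotoport=17/1701   # only UDP 1701 (L2TP) travels inside the SA
    right=%any              # road warrior: dynamically assigned source address
    rightrsasigkey=%cert
    rightca=%same           # the client cert must chain to the same CA as ours
    rightprotoport=17/%any  # a NAT in the path may rewrite the client's source port
    rightsubnet=vhost:%priv,%no
    auto=add

# /etc/ipsec.secrets  (private key for gateway.pem, kept in /etc/ipsec.d/private)
: RSA gateway.key "constructed-passphrase"

; /etc/l2tpd/l2tpd.conf  (l2tpd 0.69; PPP-over-L2TP leg, bound to the gateway)
[global]
listen-addr = 203.0.113.1
[lns default]
; pool for the 'Client IP' on the inside network (constructed)
ip range = 10.1.1.100-10.1.1.150
local ip = 10.1.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = vpn-gateway
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

# /etc/ppp/options.l2tpd  (pppd options for the tunnelled PPP session)
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.1.1.2
noccp                 # no MPPE needed: IPsec already encrypts the L2TP packets
auth
require-mschap-v2     # refuse PAP and CHAP-MD5 from the Windows DUN client
mtu 1410
mru 1410
nodefaultroute
proxyarp

# /etc/ppp/chap-secrets  (client  server  secret  allowed-IP; user is constructed)
alice   vpn-gateway   "constructed-password"   *
```

The IPsec layer authenticates the host by certificate and the PPP layer authenticates the user, so a stolen client certificate alone does not bring up the tunnel; the two checks are independent.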