Connecting to Microsoft VPN with Linux?

Lamar Owen lowen at pari.edu
Tue May 4 21:02:33 UTC 2004


On Sunday 02 May 2004 20:43, Michael Mansour wrote:
> In one state (the other state from here), this
> particular company is supported by a mob who don't
> know anything about Linux, so they wish to convert the
> company to Microsoft VPN and have asked me what is
> required on my end to make Linux support their
> Microsoft VPN solution their end.

> * can Linux VPN support Microsoft VPN?

Microsoft's current VPN is a hybrid three-layer beast.  It's PPP over L2TP 
over IPsec.  All of these are supportable under Linux.  The configuration is 
not easy.  There is a commercial Linux-based solution for a Linux VPN 
_server_ that works with Microsoft's VPN clients, including a nice 
Certification Authority and a Windows certificate installation Wizard that 
makes it very easy to connect Microsoft clients to the Linux VPN firewall.  
The product is SmoothWall's Corporate Server 3.0 + SmoothTunnel 3.1.  The VPN 
portion (SmoothTunnel) is licensed based on the number of configured tunnels.  
Each L2TP client gets a separate tunnel.  A reseller local to me is Joyner 
Network Solutions.  E-mail ben at caresweb.com for more information.

The Microsoft VPN, for the Road Warrior case (that is, a dynamically assigned 
IP address 'dialing' in to a fixed gateway) is very simple to configure on 
the client side (once you get your certificates in the right place) and is 
very easy in concept, being that it is Just Another Dialup Networking 
Connection.

Don't use PPTP as it has known security issues.

Win95/98/ME L2TP VPN DUN client software is available free from Microsoft.

I am using the SmoothTunnel product here and was extremely impressed by the 
polish of the web GUI tools for configuration.  To say it was simple is an 
extreme understatement: Generate CA; Generate Host Cert; Generate Client 
Cert; Create L2TP RoadWarrior Tunnel (the only hard part here is 'Client IP' 
which is the IP address _on_the_inside_ network for the tunnelled host to 
use); download certs (CA in PEM, Client in PKCS12) (simple web form based 
download); install certs using provided GUI Wizard; configure the DUN VPN 
properly (a couple of configuration points are not default).  The Win2k3 
setup of the same thing is of about the same complexity.

I tried doing this all by hand using l2tpd and hand-generating the CA, host, 
and user certs and hand importing everything into Windows.  While it DID 
work, it took a very long time to get right, and the SmoothTunnel stuff Just 
Works.  But all the pieces you need are available free: OpenSWAN for the 
IPsec, the stock PPP package, and L2TPD (see Nate Carlson's page at 
http://www.natecarlson.com/linux/ipsec-x509.php for more info, as well as 
Jacco's page at http://www.jacco2.dds.nl/networking/freeswan-l2tp.html).  But 
beware; configuration is not at all easy.  But Jacco's website in particular 
has everything you need to know.

Also available is the Astaro Security Linux and the Astaro IPsec Client at 
www.astaro.com.

> * are there any ADSL modem/routers which support
> Microsoft's VPN?

IPsec needs to be put into 'NAT Traversal' mode for the typical 
VPN-passthrough solution to work.  The Windows side also needs the 818043 
update applied.  NAT-traversal just causes IPsec to tunnel over UDP port 500 
instead of using the default IP protocol 50.  Look for the keyword 'VPN 
passthrough' and you would want the 'many clients' type.
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu
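The hand-generated certificate set the post describes (CA, host cert, client cert, CA delivered as PEM and client as PKCS#12) as an added example using the openssl CLI; this is not code from the post, SmoothTunnel, or Openswan. The gateway name, subject names and export password are constructed placeholders, and the check function verifies the chain and role EKUs the way the IPsec peers will.

```shell
#!/bin/sh
# Added example: build the CA / gateway / client certificates for an
# L2TP-over-IPsec road-warrior setup with plain openssl.  Names and the
# PKCS#12 password below are constructed placeholders, not real values.
set -eu

VPN_FQDN="vpn.example.net"     # assumed gateway name: the CN/SAN clients check
P12_PASS="changeit-export-pw"  # constructed; the real one guards the client key

# Create ca.pem, gw.pem/gw.key, client.pem/client.key and client.p12 in $1.
make_l2tp_certs() (
    mkdir -p "$1" && cd "$1"
    cat > ext.cnf <<EOF
[gw]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$VPN_FQDN
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # 1. Self-signed CA; ca.pem is what clients import as a trusted root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout ca.key \
        -out ca.pem -subj "/CN=Example VPN CA" 2>/dev/null
    # 2. Gateway (host) cert with serverAuth EKU, signed by the CA.
    openssl req -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr \
        -subj "/CN=$VPN_FQDN" 2>/dev/null
    openssl x509 -req -days 365 -in gw.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out gw.pem -extfile ext.cnf -extensions gw 2>/dev/null
    # 3. Client cert with clientAuth EKU, then key+cert+CA bundled as PKCS#12
    #    for the client-side import (on OpenSSL 3 add -legacy if an old
    #    importer cannot read the default PBES2 encryption).
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=roadwarrior1" 2>/dev/null
    openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out client.pem -extfile ext.cnf -extensions client 2>/dev/null
    openssl pkcs12 -export -in client.pem -inkey client.key -certfile ca.pem \
        -name roadwarrior1 -out client.p12 -passout "pass:$P12_PASS"
    rm -f gw.csr client.csr
)

# Check: both leaf certs chain to ca.pem, EKUs match their roles, bundle opens.
check_l2tp_certs() {
    d="$1"
    openssl verify -CAfile "$d/ca.pem" "$d/gw.pem" "$d/client.pem" >/dev/null || return 1
    openssl x509 -in "$d/gw.pem" -noout -text | grep -q "TLS Web Server Authentication" || return 1
    openssl x509 -in "$d/client.pem" -noout -text | grep -q "TLS Web Client Authentication" || return 1
    openssl pkcs12 -in "$d/client.p12" -passin "pass:$P12_PASS" -noout || return 1
}
```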
