
Re: IPsec over a wireless network to a W2K or Windows XP client?
On Tue, May 27, 2003 at 08:09:54PM -0600 Bob Beck hacked thusly:
> 	50 bucks gets you the SafeNET SoftPK Ipsec client for windows,
> which seems to work fine. the Builtin shit for windows doesn't work,
> it's point to point only.

I am assuming that by "point to point" you mean transport mode only.
This misconception has been circulating for a while. I don't know whether
or not this was ever true but it is certainly NOT true from win2k SP2 on.

The win2k and XP native clients do indeed work in tunnel mode. 

The UI however is quite horrid and most of the important options that need 
to be changed for the client to play nice with isakmpd are hidden from plain
sight. But it does work with a little coaxing. I believe almost ALL of the
default settings must be changed in some way to achieve interoperability
with isakmpd. 

I've personally gotten it working with both PSKs and X.509 keys and from
behind a NAT gateway (ESP in tunnel mode).

This document describes how to set it up fairly well.
http://www.cs.umd.edu/~mvanopst/xp2obsd.pdf

There are some caveats to this document. Those interested can mail me 
privately.

Here are some relevant articles about IPsec tunneling under win2k.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;252735
http://support.microsoft.com/default.aspx?scid=kb;EN-US;248983

I do agree with you however that the soft-pk client is _much_ nicer
to work with. :)

-- 
Mathieu Sauve-Frankel	| Quotation, n: The act of repeating erroneously 
Network Administrator	| the words of another.
m.sauve@secureops.com	| Ambrose Bierce
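The post states that the native client works in tunnel mode against isakmpd but does not show the gateway side. The following isakmpd.conf is an added illustration, not from the post, its author, or the linked xp2obsd.pdf: a responder-only, tunnel-mode, pre-shared-key peer entry for one Windows 2000/XP client. Addresses (198.51.100.1, 10.0.0.0/24, 192.0.2.10), the section names, and the secret are all assumed; the client is assumed to reach the gateway from a public address, so the behind-NAT case the post mentions is not covered here. The proposal sections are chosen to match the Windows 2000/XP default IKE proposals (3DES/SHA1/DH group 2 in main mode, ESP 3DES/SHA1 without PFS in quick mode) using isakmpd's built-in transform and suite names.

```ini
# isakmpd.conf (gateway side) -- constructed example, not from the post.
# Assumed addresses: gateway 198.51.100.1, protected LAN 10.0.0.0/24,
# Windows 2000/XP client 192.0.2.10 (documentation ranges).

[General]
Listen-on=              198.51.100.1

[Phase 1]
# The gateway never initiates; this maps the client's address to its peer section.
192.0.2.10=             winxp-client

[Phase 2]
# Wait for the client to bring the tunnel up.
Passive-Connections=    winxp-tunnel

[winxp-client]
Phase=                  1
Transport=              udp
Address=                192.0.2.10
Configuration=          Main-mode-win
# Pre-shared key; the identical string goes into the Windows IPsec rule.
# Placeholder value -- replace with a long random secret.
Authentication=         REPLACE-WITH-LONG-RANDOM-SECRET

[winxp-tunnel]
Phase=                  2
ISAKMP-peer=            winxp-client
Configuration=          Quick-mode-win
Local-ID=               lan-net
Remote-ID=              winxp-host

[lan-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

[winxp-host]
ID-type=                IPV4_ADDR
Address=                192.0.2.10

# Main mode: 3DES, SHA1, pre-shared key, DH group 2 (isakmpd's built-in
# 3DES-SHA transform), which is the first proposal Windows 2000/XP offers.
[Main-mode-win]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

# Quick mode: ESP 3DES/SHA1, no PFS, matching the Windows default.
[Quick-mode-win]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE
```

The Windows side has to be configured as a tunnel (tunnel endpoint set to the gateway's address, filters for the client address and 10.0.0.0/24 in both directions) with the same key and proposal; if the Windows rule is left as a plain transport-mode rule, phase 2 fails on the mismatched encapsulation mode rather than on the cryptographic parameters, which is worth checking first in the isakmpd log.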