PPTP VPN Connection Windows XP client - Linux Server
Good morning everyone!

I need to integrate some WinXP clients into a Linux-dominated VPN network. Can anyone give me a hint how I could tell WinXP to connect to a VPN server on startup and set a static route to a remote LAN through the VPN server while leaving the default route set to the local Internet gateway?

Regards, Stefan
try http://www.freeswan.org

On Wed, 2004-02-18 at 09:40, Stefan Gofferje wrote:
Good morning everyone!
I need to integrate some WinXP clients into a Linux-dominated VPN network. Can anyone give me a hint how I could tell WinXP to connect to a VPN server on startup and set a static route to a remote LAN through the VPN server while leaving the default route set to the local Internet gateway?
regards, Stefan
Usage of PPTP is mandatory. Not all clients are capable of IPSEC. And the solution must be "(Windows-)enduser-compatible"... However, using IPSEC would cause the same problem - how to get a Windows box to establish the VPN at startup and use a static route to the remote LAN while leaving the default route pointing at the local internet gateway.

Regards, Stefan

aan agustiono wrote:
On Wed, 2004-02-18 at 09:40, Stefan Gofferje wrote:
Good morning everyone!
I need to integrate some WinXP clients into a Linux-dominated VPN network. Can anyone give me a hint how I could tell WinXP to connect to a VPN server on startup and set a static route to a remote LAN through the VPN server while leaving the default route set to the local Internet gateway?
Usage of PPTP is mandatory. Not all clients are capable of IPSEC. And the solution must be "(Windows-)enduser-compatible"... However, using IPSEC would cause the same problem - how to get a Windows box to establish the VPN at startup and use a static route to the remote LAN while leaving the default route pointing at the local internet gateway.

This is _not_ a good idea. All professional VPN software I know prohibits access to the internet while connected to the VPN. Even the cisco VPN client for linux does that! Most VPN clients also contain a small personal firewall that rejects all connections. If people need internet while using the VPN, tell them to use the proxy in your company.
Markus
--
Markus Gaugusch, markus(at)gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
Markus Gaugusch wrote:
This is _not_ a good idea. All professional VPN software I know prohibits access to the internet while connected to the VPN. Even the cisco VPN client for linux does that! Most VPN clients also contain a small personal firewall that rejects all connections. If people need internet while using the VPN, tell them to use the proxy in your company.
Well, I don't think this might cause any problems. First, the clients are behind a router and second, Windows does no forwarding by default. When talking about the classical roadwarrior scenario, where a single remote client dials into the internet and then starts the VPN, I would agree that this might include some potential danger.

We are talking about a rather complex scenario where different clients at different locations behind (almost NAT-) routers with ADSL connections need a permanent VPN link to a central system, mainly for voice over IP purposes. If the complete internet traffic of the remote clients were routed through the ADSL connection, the bandwidth for VoIP would not be satisfactory. Besides the additional traffic cost...

I myself would prefer to just replace the consumer-style routers by professional VPN routers, put a static route to the remote LAN and a don't-forward rule on, and there we go. But the customer is not willing to pay for e.g. a bulk of PIX 501 for the employees' home offices... So I have the fun of constructing a working, secure (kinda) and Windows-enduser-compatible solution...

Regards, Stefan
On Wed, 18 Feb 2004 17:18, Stefan Gofferje wrote:
Usage of PPTP is mandatory. Not all clients are capable of IPSEC. And the solution must be "(Windows-)enduser-compatible"... However, using IPSEC would cause the same problem - how to get a Windows box to establish the VPN at startup and use a static route to the remote LAN while leaving the default route pointing at the local internet gateway.
Have a look at OpenVPN: http://openvpn.sourceforge.net/
--
Regards, Graham Smith
Looks promising, thx!

Regards, Stefan

Graham Smith wrote:
On Wed, 18 Feb 2004 17:18, Stefan Gofferje wrote:
Usage of PPTP is mandatory. Not all clients are capable of IPSEC. And the solution must be "(Windows-)enduser-compatible"... However, using IPSEC would cause the same problem - how to get a Windows box to establish the VPN at startup and use a static route to the remote LAN while leaving the default route pointing at the local internet gateway.
Have a look at OpenVPN: http://openvpn.sourceforge.net/
Stefan Gofferje wrote:
Usage of PPTP is mandatory. Not all clients are capable of IPSEC. And the solution must be "(Windows-)enduser-compatible"... However, using IPSEC would cause the same problem - how to get a Windows box to establish the VPN at startup and use a static route to the remote LAN while leaving the default route pointing at the local internet gateway.
How do you plan to protect the VPN from the internet connection? Why bother with a VPN at all?
--
Until later, Geoffrey
Registered Linux User #108567
Building secure systems in spite of Microsoft
Hi Stefan! On Wed, 18 Feb 2004, Stefan Gofferje wrote:
Usage of PPTP is mandatory. Not all clients are capable of IPSEC.
I am a little confused. You said all clients are Win-XP, yet afaik ipsec is built-in.
And the solution must be "(Windows-)enduser-compatible"...
Need to script it :-( At least vbs and jscript are workable scripting languages.
However, using IPSEC would cause the same problem - how to get a Windows box to establish the VPN at startup and use a static route to the remote LAN while leaving the default route pointing at the local internet gateway.
The IPSEC client I have (Symantec Enterprise VPN Client*) seems to leave the default route untouched without special effort. I attach before and after routing tables. This is on W2K. Hope that XP is similar :-) Put the client shortcut in the desktop startup folder and it will probably be ok.

Regards, dproc (describing my vpn is a good place not to use my real name - sorry)

(*SEVPNC was proprietary, around USD 30 per seat or bundled with some appliances, last time I looked. As OP said, it comes with a simple personal firewall and does not seem to route between networks. The Win box probably needs to be backdoor'd/trojan'd to allow an attacker to attack the corporate network.)

************
** BEFORE **
************
$ route PRINT
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 20 e0 70 c2 c4 ...... Intel 8255x-based Integrated Fast Ethernet
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.2.201    192.168.2.33       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.0    255.255.255.0     192.168.2.33    192.168.2.33       1
     192.168.2.33  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.2.255  255.255.255.255     192.168.2.33    192.168.2.33       1
        224.0.0.0        224.0.0.0     192.168.2.33    192.168.2.33       1
  255.255.255.255  255.255.255.255     192.168.2.33    192.168.2.33       1
Default Gateway:     192.168.2.201
===========================================================================
Persistent Routes:
  None

***********
** AFTER **
***********
$ route PRINT
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 20 e0 70 c2 c4 ...... Intel 8255x-based Integrated Fast Ethernet
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.2.201    192.168.2.33       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.2.201    192.168.2.33       1
      192.168.2.0    255.255.255.0     192.168.2.33    192.168.2.33       1
     192.168.2.33  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.2.255  255.255.255.255     192.168.2.33    192.168.2.33       1
        224.0.0.0        224.0.0.0     192.168.2.33    192.168.2.33       1
  255.255.255.255  255.255.255.255     192.168.2.33    192.168.2.33       1
Default Gateway:     192.168.2.201
===========================================================================
Persistent Routes:
  None
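The before/after comparison dproc did by eye can be automated. The Python below is an added example, not code from the thread or from any of the products mentioned: it parses the "Active Routes" table of two Windows `route PRINT` captures and reports whether the VPN changed only what Stefan asked for (a route to the remote LAN appears, the default gateway stays the local one). It assumes the English W2K/XP column layout shown above; the captures are constructed, abridged from dproc's tables.

```python
# Added example (not from the thread): diff two "route PRINT" captures, taken
# before and after the VPN comes up, to verify a split-tunnel setup.
import re

ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_active_routes(text):
    """Return (destination, netmask, gateway, interface, metric) rows."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True                 # rows follow this marker
        elif line.startswith("Default Gateway"):
            break                           # end of the table
        elif in_table:
            m = ROW.match(line)             # header line has no numeric metric
            if m:
                d, n, g, i, met = m.groups()
                rows.append((d, n, g, i, int(met)))
    return rows

def default_gateway(rows):
    """Gateway of the 0.0.0.0/0 entry, or None if there is none."""
    return next((g for d, n, g, _, _ in rows if d == n == "0.0.0.0"), None)

def check_split_tunnel(before, after, remote_lan, remote_mask):
    """Diff two captures; the only change should be the remote LAN route."""
    b, a = set(parse_active_routes(before)), set(parse_active_routes(after))
    added, removed = sorted(a - b), sorted(b - a)
    wanted = [r for r in added if (r[0], r[1]) == (remote_lan, remote_mask)]
    return {
        "default_gateway_unchanged": default_gateway(b) == default_gateway(a),
        "remote_lan_route_added": bool(wanted),
        "unexpected_added": [r for r in added if r not in wanted],
        "removed": removed,
    }

BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.2.201    192.168.2.33       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.0    255.255.255.0     192.168.2.33    192.168.2.33       1
Default Gateway:     192.168.2.201
"""
# Constructed "after" capture: dproc's table gained one row, the remote LAN 192.168.1.0/24.
AFTER = BEFORE.replace("Default Gateway", "      192.168.1.0    255.255.255.0"
                       "    192.168.2.201    192.168.2.33       1\nDefault Gateway")
```

On a capture where the client replaced the default route (the full-tunnel behaviour Markus describes), the report shows default_gateway_unchanged as False, lists the old default route under removed and the new one under unexpected_added.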
Hello, Stefan Gofferje wrote:
Usage of PPTP is mandatory.
PPTP in connection with MS-CHAPv2 is still broken, see http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/ - I posted that link about *two years ago* to this list. MS still hasn't fixed that. That's what they call "Trustworthy Computing"...

GTi
On Wed, Feb 18, 2004 at 03:40:42AM +0100, Stefan Gofferje wrote:
I need to integrate some WinXP clients into a Linux-dominated VPN network. Can anyone give me a hint how I could tell WinXP to connect to a VPN server on startup and set a static route to a remote LAN through the VPN server while leaving the default route set to the local Internet gateway?
I think the variety of answers has shown that this was the wrong group to ask this question, because the hard part of that question is a Windows question. How to set up pptpd on Linux isn't too hard, but how to do that on Win... So if you have questions regarding pptp on Linux, come back here and make sure it's about the Linux setup :)

Ciao
Jörg
--
Joerg Mayer
Joerg Mayer wrote:
I think the variety of answers has shown that this was the wrong group to ask this question, because the hard part of that question is a Windows question. How to set up pptpd on Linux isn't too hard, but how to do that on Win... So if you have questions regarding pptp on Linux, come back here and make sure it's about the Linux setup :)
Well, finally, I got at least two useful hints here, while posting this question to an M$-related group brought me a variety of "use this and that M$ server management tool", "I don't believe a Windows system can connect to a Linux server", or just "Linux is not supported here". That leads me to two major conclusions:

1.) There are Linux experts with Windows knowledge, but not vice versa.
2.) Linux users are more open-minded (what a surprise...).

So... from my point of view, it definitely was not the wrong group. Or do you feel disturbed by me asking a not 100% pure Linux question? ;)

Regards, Stefan
Hi,
I need to integrate some WinXP clients into a Linux-dominated VPN network. Can anyone give me a hint how I could tell WinXP to connect to a VPN server on startup and set a static route to a remote LAN through the VPN server while leaving the default route set to the local Internet gateway?
When the windoze are in a LAN with a linux router, you simply use DNS and ipsec. ipsec can be used to connect a roadwarrior to a LAN or do a LAN-LAN thing. All you need is to publish the local DNS names to your users; when they try to connect, the router uses the correct interface. We use such a setup to connect two remote LANs via Internet, one linux router with ipsec/X509 in each LAN, the rest windoze.

For the roadwarrior type, you may use the ipsec package for Windows, which runs under 2k and XP, using X509 certificates and built-in ipsec support. This package gives you a better frontend :-). Automatic dialup you may do with a link to a folder etc.; XP gives you options to choose the dialup for each remote resource. Autostart may be a bad idea.

Ciao
Dieter
---------------------------------------------------------------
Dieter Kirchner, Systemadministration BUPNET, +49 551 54707 62, D-Goettingen, http://www.bupnet.de
---------------------------------------------------------------
Stefan Gofferje wrote:
Good morning everyone!
I need to integrate some WinXP clients into a Linux-dominated VPN network. Can anyone give me a hint how I could tell WinXP to connect to a VPN server on startup and set a static route to a remote LAN through the VPN server while leaving the default route set to the local Internet gateway?
And thus created a connection between your 'no longer secure' VPN and the internet via the insecure XP??? Why bother with the VPN?
--
Until later, Geoffrey
Registered Linux User #108567
Building secure systems in spite of Microsoft
participants (9): aan agustiono, Dieter Kirchner, dproc, Geoffrey, Graham Smith, Joerg Mayer, Markus Gaugusch, Martin Peikert, Stefan Gofferje