VPN connection problems with Windows 2000 Pro to Suse Firewall

I am trying to set up a VPN server for our Windows 2000 network. I purchased the Suse Firewall/VPN for the road warrior capability. I seem to have problems setting up the tunnel with IPSEC. The client computers are running Windows 2000 Professional. Whenever I try to connect using the X.509 certificate, it comes up with connection errors. The certificate I am using is generated by the FAS module on the ADMIN CD. Also, with the firewall configuration I didn't set up any filtering rules with IPchains or IPtables. I am not sure if I configured the server or the client properly, and I am also not sure if I exported the certificate properly. Does anyone have any ideas, or better yet any documentation on getting this set up? The help files and instructions are pretty vague. Thanks

Hi,

> I am trying to set up a VPN server for our Windows 2000 network. I purchased the Suse Firewall/VPN for the road warrior capability. I seem to have problems setting up the tunnel with IPSEC.

Do your Windoze machines have real IP addresses? VPNs over NATted networks are problematic. The firewalls/routers between the machines should not block out UDP port 500 and should allow IP protocols 50 and 51.

> The client computers are running Windows 2000 Professional. Whenever I try to connect using the X.509 certificate, it comes up with connection errors.

If you want to experiment with the possible errors, you may want to download the evaluation version of SSH Sentinel (www.ssh.com), which has quite good logging capabilities. On your Linux box, you can turn on verbose logging if you set plutodebug=all on the firewall (allow ssh connects to it, change the config and do a rcipsec restart, as the GUI interface does not allow you to set debugging options). Finally, you watch the syslog to see what happens (you are logging to your hard drive or a syslog host, aren't you?).

> The certificate I am using is generated by the FAS module on the ADMIN CD. Also, with the firewall configuration I didn't set up any filtering rules with IPchains or IPtables.

After you have generated your certificates and put them onto a disk, just rename the .pem files to .cer. This allows you to double-click them on any Windows machine and view them. If a certificate is broken, you can't open it (nor import it). Look out for the date of certification and expiry. I encountered a bug in the FAS after installing the real FWonCD over the demo: my certificates all had an expiry of 30 days. This is fixed after an online update.

> The help files and instructions are pretty vague.

Again, let me refer you to SSH Sentinel. ssh.com provides a 50-page PDF with detailed instructions about interoperation of their product with FreeSwan (which is the software you use). There is a lot of useful stuff in there. I encountered a similar problem with a key which could not be read when it was in .pem/.cer format. After converting it to .der/.crt, Windows accepted it.

HTH
Jörn
------------------------------------------------------------
Jörn Ott                  Phone:  (0 22 24) 94 08 - 73
IT Service & Consulting   Fax:    (0 22 24) 94 08 - 74
Lohfelder Str. 33         E-mail: mailto:white@ott-service.de
53604 Bad Honnef          WWW:    http://www.ott-service.de/
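The two certificate checks from the reply above (looking at the validity dates before importing, and converting .pem/.cer to .der/.crt for Windows), as an added shell example that is not part of the original thread; it assumes the openssl command-line tool is installed and uses a constructed self-signed certificate in place of one from the FAS module:

```shell
#!/bin/sh
# Added example, not from the original thread: inspect an IPsec X.509 client
# certificate's validity window and convert it from PEM (.pem/.cer) to DER
# (.der/.crt) for import on the Windows side. Assumes the openssl CLI exists.
set -eu

# Convert a PEM certificate to DER. A non-zero exit means openssl could not
# parse the input, i.e. the certificate is broken and Windows will refuse it.
pem_to_der() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2" 2>/dev/null
}

# Print notBefore/notAfter so a too-short lifetime is visible at once.
show_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Exit 0 if the certificate is still valid in $2 days, 1 if it expires before
# then (pass 0 for "is it valid right now?"). This catches the 30-day-lifetime
# bug mentioned in the thread before road warriors start failing to connect.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 24 * 3600 )) >/dev/null
}

# Constructed sample: a throwaway self-signed certificate with a deliberately
# short 20-day lifetime, standing in for one produced by the firewall's CA.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 20 \
        -subj "/CN=roadwarrior-test" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir/client"
    show_dates "$dir/client.pem"
    if valid_for_days "$dir/client.pem" 30; then
        echo "OK: certificate outlives the 30-day window"
    else
        echo "WARNING: certificate expires within 30 days, check the CA setup"
    fi
    pem_to_der "$dir/client.pem" "$dir/client.crt"
    openssl x509 -in "$dir/client.crt" -inform DER -noout -subject
    rm -rf "$dir"
}

# Run the demo only when asked, so the functions can be sourced elsewhere.
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run with `RUN_DEMO=1 sh check_cert.sh`; the resulting client.crt is the DER form that the reply says Windows accepted where the .cer rename was not enough.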