Windows XP VPN to Netscreen using native client and L2TP over IPSEC

I'm attempting to configure a dial-up VPN to Netscreen ScreenOS 5.1 using the Windows XP native VPN client. It's painful :-(

Preshared secrets won't work because XP insists on using its (dynamic) IP address for the IKE Phase 1 ID, so certificates will be required.

Netscreen documentation generally assumes use of their VPN client. There is a white paper describing how to do this on Windows 2000, but it is written for ScreenOS 4.0 and assumes the client has access to a Microsoft CA - close but...

ScreenOS 5.1 can generate self-signed certificates, but if there's a way to export them so they can be loaded on the client, it eludes me - so I'm attempting to use an OpenSSL CA on Linux to sign the certificate requests. XP and the Netscreen both loaded these certificates successfully, but when I gave up for today XP was claiming it couldn't find a certificate to use with the authentication protocol.

Does anyone have this working? If so, please post the recipe. Otherwise, I'll figure it out eventually and post it myself...

Sunny

Reply to
Sunny

Got it working, using OpenSSL certificates:-)

Now I need to translate my scrawled notes into a properly documented recipe...

Sunny

Reply to
Sunny

Some clients actually use Windows IPSec, and others disable it and use their own, simply because of the 42+ steps of configuring the native VPN client. You ought to just stop being cheap and get the NetScreen Remote client. It's better anyway, and you can force the use of a virtual adapter using XAuth and be able to do name resolution across IPSec.

Reply to
Munpe Q

Why would I spend $100 on 10 NS Remote licenses when all I want is a VPN to my home network from my laptop when I'm on the road?

The native client works, and I learned a lot in the process of setting it up - including how to run a private CA. I already have two third-party VPN clients on my laptop (Nortel and Checkpoint) for access to work - they were even more painful to set up because Checkpoint has to run through the Nortel tunnel. The last thing I need is yet another VPN client!

Sunny

Reply to
Sunny

Whatever. It's your pain not mine.

Reply to
Munpe Q

Hello Sunny,

Can you post a doc on how you did it?

I am trying to do it also with OpenSSL, but it doesn't work.

Can you help me please?

With best regards

Reply to
Morty

It's a red herring. Buy, borrow, or steal a real VPN client. Preferably the safenet client from NetScreen which is intended to go with it. It's less expensive than the time you're gonna blow trying to get XP to work. Like $30 quantity 1, less in bulk.

-Russ.

Reply to
Somebody.

Hi Sunny,

You've done good work. I tried to do the same and got a problem. So if you have time to write the recipe, it would be very useful. So let us know if you can do it, or just give us some tips to get it working.

Thanks in advance,

aga


Reply to
agauthier

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.