VPN tunnel with Windows XP IPSEC and FreeS/WAN

Introduction

Debian Woody and kernel 2.4.27 were used while writing this article. Depending on your Linux distribution, the steps needed to set up a VPN tunnel with Windows XP IPSEC and FreeS/WAN might be a bit different.

Restrictions

The following setup was implemented on a Windows XP workstation with a PPPoE connection that has to be opened through Windows XP's Network Connections. Windows XP's integrated firewall can be used if desired. Other network setups might be possible; however, the configuration might differ from the one described in this document.

Windows XP requirements

You have to update your IPSEC client by installing the latest patch provided by Microsoft. You can download the patch here. You will have to reboot your computer after installing the patch.

FreeS/WAN configuration

Start by configuring FreeS/WAN on your Linux server. Configure /etc/ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

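config setup
        klipsdebug=none         # no KLIPS (kernel IPsec) debug logging
        plutodebug=none         # no Pluto (IKE daemon) debug logging
        overridemtu=1410        # MTU forced on the ipsec interfaces

conn %default
        keyingtries=1

conn sample
        right=%any              # accept the Windows XP client from any IP address
        left=%defaultroute      # this server: the interface that holds the default route
        authby=secret           # authenticate with the pre-shared key in /etc/ipsec.secrets
        auto=add                # load the connection and wait for the client to initiate
        keylife=24.0h           # lifetime of the IPsec SA keys
        rekey=no                # the server does not initiate rekeying
        keyingtries=0           # overrides %default; 0 means never give up
        pfs=no                  # perfect forward secrecy disabled

conn packetdefault
        auto=ignore             # built-in opportunistic encryption connection, not used

conn private-or-clear
        auto=ignore             # built-in opportunistic encryption connection, not used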

The overridemtu setting was required, at least in my case. Without that setting, connections sometimes froze and I was unable to transfer large files.

Set the preshared passkey in /etc/ipsec.secrets:

: PSK "mysecret"
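
As an added example (not part of the original article), the shell functions below check a secrets file like the one above for loose permissions and for a short or letters-only pre-shared key, and generate a random replacement. The function names and the 20-character minimum are assumptions; the check matters here because with right=%any anyone who learns the key can authenticate from any address.

```shell
#!/bin/sh
# Added example: audit a FreeS/WAN secrets file and generate a replacement PSK.
MIN_LEN=20   # assumed local policy threshold, not a FreeS/WAN requirement

# gen_psk: 32 random bytes from the kernel, printed as 64 hex characters.
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# audit_secrets FILE: print one finding per line (never the key itself);
# return 0 when nothing was found, 1 otherwise.
audit_secrets() {
    file=$1
    rc=0
    # The key is stored in cleartext, so only the owner may have access.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        [0-7]00) ;;
        *) echo "PERM: $file has mode $mode, expected 600"; rc=1 ;;
    esac
    # Pull the quoted value out of every uncommented PSK entry.
    psks=$(sed -n 's/^[^#]*PSK[[:space:]]*"\([^"]*\)".*$/\1/p' "$file")
    while IFS= read -r psk; do
        [ -n "$psk" ] || continue
        if [ "${#psk}" -lt "$MIN_LEN" ]; then
            echo "WEAK: PSK of ${#psk} characters (minimum $MIN_LEN)"; rc=1
        fi
        case $psk in
            *[!a-zA-Z]*) ;;   # has at least one non-letter
            *) echo "WEAK: PSK consists of letters only"; rc=1 ;;
        esac
    done <<EOF
$psks
EOF
    return $rc
}

# Constructed sample: the placeholder entry from this page in a world-readable file.
sample=$(mktemp)
printf ': PSK "mysecret"\n' > "$sample"
chmod 644 "$sample"
audit_secrets "$sample" || echo "suggested entry: : PSK \"$(gen_psk)\""
rm -f "$sample"
```

The same key has to be entered on the Windows XP side, so a generated value must be copied there over a channel you trust.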

Windows XP configuration

Now launch MMC on Windows XP and add the IP Security Policy Management Snap-in. Configure the Snap-in for Local computer.

IPSEC configuration screenshot #1

IPSEC configuration screenshot #2

Edit...

IPSEC configuration screenshot #3

Edit...

IPSEC configuration screenshot #4

Edit...

IPSEC configuration screenshot #5

OK

IPSEC configuration screenshot #6

Edit...

IPSEC configuration screenshot #7

IPSEC configuration screenshot #8

Edit...

IPSEC configuration screenshot #9

Settings...

IPSEC configuration screenshot #10

IPSEC configuration screenshot #11

IPSEC configuration screenshot #12

IPSEC configuration screenshot #13

Edit...

IPSEC configuration screenshot #14

Now the other direction...

IPSEC configuration screenshot #15

Edit...

IPSEC configuration screenshot #16

Edit...

IPSEC configuration screenshot #18

Edit...

IPSEC configuration screenshot #19

IPSEC configuration screenshot #20

There is no need to edit the My Filter Action; it is also valid for this direction.

IPSEC configuration screenshot #21

IPSEC configuration screenshot #22

IPSEC configuration screenshot #23

IPSEC configuration screenshot #24

IPSEC configuration screenshot #25

Adjust the policy change and press Advanced.

IPSEC configuration screenshot #26

Adjust the settings to reflect the FreeS/WAN settings on your Linux server. Press Methods.

IPSEC configuration screenshot #27

Set the preference order.

IPSEC configuration screenshot #28

Close

IPSEC configuration screenshot #29

Assign to activate the IP Security Policy.

IPSEC configuration screenshot #30

It is now active. Test:

IPSEC configuration screenshot #31

Troubleshooting

If you use SSH, you may need to activate TCP keepalive. I don't know the specifics, but if the link doesn't have any activity, the IPSEC connection seems to die off. Setting the TCP keepalive in PuTTY (or any other SSH client) to 30 seconds has fixed the problem, at least for me.
