
What IPSec client to use on WinXP Pro to connect to a Link..

July 14, 2004 12:09:16 AM

Archived from groups: comp.dcom.vpn (More info?)

Hi,

I've been trying and trying to get my WinXP Pro box at home (cable
modem) to connect to my BEFVP41 at the office using a VPN. I don't
think it's possible. Am I wrong?

So what IPSEC client should I use if I can't use the built-in WinXP
IPSEC? Google searches revealed SSH Sentinel, but that doesn't seem to
be available any more. Is there anything else free? If I have to pay,
what's a good and cheap VPN client for WinXP Pro?

John
Anonymous
July 14, 2004 3:58:13 PM

"John" <johnfofawn@hotmail.com> wrote:
> I've been trying and trying to get my WinXP Pro box at home
> (cable modem) to connect to my BEFVP41 at the office
> using a VPN. I don't think it's possible. Am I wrong?
>
> So what IPSEC client should I use if I can't use the built-in
> WinXP IPSEC? Google searches revealed SSH Sentinel,
> but that doesn't seem to be available any more. Is there
> anything else free? If I have to pay, what's a good and cheap
> VPN client for WinXP Pro?

John, I'm on the same quest - trying to connect from XP Pro on home
cable to BEFVP41 at office. I've probably been over the same web
searches as you, and after several hours of following google links,
I managed to find a place to download SSH Sentinel 1.3.2. I haven't
got it to work yet, but that may be because I'm still new to VPNs.
Email me (dg1261-at-cs.com) if you want it.
Anonymous
July 15, 2004 9:22:53 PM

| > I've been trying and trying to get my WinXP Pro box at home
| > (cable modem) to connect to my BEFVP41 at the office
| > using a VPN. I don't think it's possible. Am I wrong?
| >
|
| John, I'm on the same quest - trying to connect from XP Pro on home
| cable to BEFVP41 at office. I've probably been over the same web
| searches as you, and after several hours of following google links,
| I managed to find a place to download SSH Sentinel 1.3.2. I haven't
| got it to work yet, but that may be because I'm still new to VPNs.
| Email me (dg1261-at-cs.com) if you want it.


Hello

You may also trial TheGreenBow VPN Client.
Configuration document TheGreenbow with Linksys BEFVP41 can be found here :
http://www.thegreenbow.com/vpn_gateway.html

A 30-day trial version of the IPSEC client can be downloaded here :
http://www.thegreenbow.com/vpn_down.html

Have a nice trial !

Message from :
www.thegreenbow.com
Anonymous
December 21, 2004 12:56:40 AM

The Netgear VPN01L (~$60 retail) client will work with the Linksys
BEFVP41. I have this working with simultaneous tunnels to two Linksys
BEFVP41s using the auto connection feature of the VPN01L. I also have
LAN-LAN vpn tunnels between the BEFVP41s. My next adventure is
getting the VPN01L client to work behind a PIX firewall that has
LAN-LAN tunnels.
Anonymous
January 14, 2005 3:58:55 PM

Neveroutoftune wrote:
> The Netgear VPN01L (~$60 retail) client will work with the Linksys
> BEFVP41. I have this working with simultaneous tunnels to two Linksys
> BEFVP41s using the auto connection feature of the VPN01L. I also have
> LAN-LAN vpn tunnels between the BEFVP41s. My next adventure is
> getting the VPN01L client to work behind a PIX firewall that has
> LAN-LAN tunnels.

Could you provide specific configuration info for the VPN01L client?
I'm trying to connect to a Linksys BEFVP41 and it's not immediately
obvious as to what settings to use.

Thanks,

--E
Anonymous
January 22, 2005 11:52:03 PM

Make sure the VPN01L client loads. You should have a
black/yellow "S" in your tray.

You need to match your Linksys BEFVP41 settings with the Netgear VPN01L
settings. Below are settings I use. You may have different
requirements as these are not the most secure settings but they work
for my environment. I have the BEFVP41 connected to a DSL modem on the
WAN side. The DSL does not guarantee a static IP but I put a battery
backup on it and the BEFVP41 to keep the units always on and never
power down. I also have a LAN-LAN tunnel between this BEFVP41 and
another BEFVP41 which helps keep the IP address from being released.

Assumptions:
BEFVP41 outside address is known
BEFVP41 inside network is different from VPN01L client network. Mine are:
172.16.9.0 and 192.168.1.0 respectively.
Pre-Shared key: myfavoritekey
DES and SHA for IKE proposal
3DES and SHA for IPSec proposal
Allow connection to BEFVP41 from anywhere
All in between routers/gateways/firewalls allow IPsec passthrough.

--------------------------------
| Setup for LINKSYS VPN Tunnel |
--------------------------------

On the Security - VPN screen:
Select a tunnel # and set it to enable and give it a name
Local Secure Group: The IP address and mask of the local side of the
BEFVP41. My settings 172.16.9.0 255.255.255.0
Remote Secure Group: Any (allow connection from anywhere)
Remote Secure Gateway: Any
Encryption: 3DES
Authentication: SHA
Key Management: Auto. (IKE)
PFS: enabled
Pre-Shared Key: myfavoritekey
Key Lifetime: 1000000

Click on the Advanced Settings button:
Phase 1:
Operation Mode: Main Mode
Proposal:
Encryption: DES (could be 3DES if client set to 3DES)
Authentication: SHA
Group: 768-bit
Key Lifetime: 3600

Phase 2:
Proposal:
Encryption: 3DES
Authentication: SHA
Group: 768-bit
Key Lifetime: 1000000

Other Settings: (these settings are optional)
uncheck NetBIOS broadcast
check: Anti-replay
check: Keepalive
uncheck: if IKE fails ...

----------------------------------
| NETGEAR VPN01L Client Settings |
----------------------------------

Open the "Policy Security Editor"
Right-Click on "My Connections" and select "Add -> Connection"
Right-Click on the "New Connection" and rename as you see fit.

Connection Security box:
select "Secure"

Remote Party Identity and Addressing box:
ID Type: IP Subnet
Subnet: The same as the "Local Secure Group" from BEFVP41 setting.
Mask: The same as the "Local Secure Group" from BEFVP41 setting.
Protocol: All
check "Connect Using" and select "Secure Gateway Tunnel"
ID_Type: IP Address
enter IP Address of the outside interface of the BEFVP41

Click "+" next to connection name under "Network Security Policy" (on
left side) Click "My Identity"

My Identity box:
Select Certificate: none
Click "Pre-Shared Key" button
Click "Enter Key"
enter the same text the BEFVP41 Pre-Shared Key: myfavoritekey from
above. Press Ok.

Virtual Adapter: Disabled

Internet Interface box:
Name: Any
IP Addr: Any

Click "Security Policy" on left under "My Identity"

Security Policy box:
Phase 1 Negotiation Mode box:
Select: Main Mode

Check "Enable Perfect Forward Secrecy (PFS)"
PFS Key Group: Diffie-Hellman Group 2
Check "Enable Replay Detection"

Click "Authentication (Phase 1)" on left
Click "Proposal 1"

Authentication Method and Algorithms box:
Authentication Method:
select: Pre-Shared Key
Encryption and Data Integrity Algorithms:
Encrypt Alg: DES
Hash Alg: SHA-1
SA Life: Seconds 3600
Key Group: Diffie-Hellman Group 2

click "Key Exchange (Phase 2)" on left
click "Proposal 1"

IPSec Protocols box:
SA Life: Unspecified
Compression: None

check "Encapsulation Protocol (ESP)"
Encrypt Alg: Triple DES
Hash Alg: SHA-1
Encapsulation: Tunnel

uncheck "Authentication Protocol(AH)"

click the "Save" icon, 5th icon from left at top.

close the Security Policy Editor

---------------------------------
| Activating the VPN connection |
---------------------------------

The tunnel will be created automatically as soon as traffic is
generated destined for the BEFVP41 Local Secure Group (inside address).
My desktop IP address is 192.168.1.100.

Generate traffic as follows:

Open the "Connection Monitor".
Open a command prompt.
Adjust these windows so that you can see both of them.
In the command prompt window, ping a node on the local group of the
BEFVP41. In my settings, I have a node at 172.16.9.50. As soon as I
start a ping for this address, an entry will appear in the Connection
Monitor as it attempts to create the tunnel in the background. Once the
tunnel is created (2-4 seconds), the ping command will reply
successfully. You can view the status on the BEFVP41 as well.

Your VPN Client will need to be in a different network than the BEFVP41
Local Secure Group. If you have problems, check the log on the
BEFVP41. Look to see if your client attempted to make a connection.
If so, look for red text as a clue for errors.

This currently is not working through my PIX firewall but my firewall
is configured with many LAN-LAN tunnels and uses PAT so I have the
usual passthrough problems. This works fine if I remove my PIX
firewall from the configuration and use a Linksys gateway (non-VPN).

--
NeverOutofTune

--------------

Ether wrote:
> Neveroutoftune wrote:
> > The Netgear VPN01L (~$60 retail) client will work with the Linksys
> > BEFVP41. I have this working with simultaneous tunnels to two Linksys
> > BEFVP41s using the auto connection feature of the VPN01L. I also have
> > LAN-LAN vpn tunnels between the BEFVP41s. My next adventure is
> > getting the VPN01L client to work behind a PIX firewall that has
> > LAN-LAN tunnels.
>
> Could you provide specific configuration info for the VPN01L client?
> I'm trying to connect to a Linksys BEFVP41 and it's not immediately
> obvious as to what settings to use.
>
> Thanks,
>
> --E
Anonymous
January 24, 2005 2:15:23 AM

Neveroutoftune wrote:
[Great info snipped.]

Thanks for the very detailed post! I actually figured it out on my
own--no thanks to Netgear. The main obstacles I ran into were (1) Where
to put the pre-shared key, and (2) How to connect to a dynamically
assigned domain using a fully qualified domain name. The VPN01L manual
did help with the former, fortunately. It also took a little research
to find out that Diffie-Hellman Group 2 = 1024-bit.

I talked to Netgear support, and they weren't even able to tell me if
the VPN01L client would work with the Linksys BEFVP41. (It does, of
course, once you slog blindly through the configuration options.) Now
the next question: Can you create a desktop icon to connect to a given
VPN, instead of right-clicking the system tray icon?

One other issue: The BEFVP41 wouldn't let me choose SHA and 1024-bit,
for some reason--it kept changing the setting back to MD5. Does the key
have to be a certain length to use SHA, or can SHA only be combined
with 768-bit encryption?

Thanks again for your help--it's incredible how little information
there is on the internet about the SafeNet VPN client and using it with
a BEFVP41.

Regards,

--E
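
Added example (not part of any post in this thread): a short Python check that compares the two sides' proposals as written in the settings post above, after converting the client's "Diffie-Hellman Group 2" to bits as worked out in the reply, and lists differences and weak choices. The dictionary layout, function names and the 1024-bit warning threshold are assumptions made for this example; the values are transcribed from the settings post.

```python
# Added example: compare two peers' IKE/IPsec proposals, flag differences
# and weak choices. Layout and function names are illustrative only.

# IKEv1 MODP group number -> modulus size in bits (RFC 2409, RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
# The two devices label the same algorithms differently.
ALIASES = {"SHA": "SHA-1", "TRIPLE DES": "3DES"}
WEAK_ENCRYPTION = {"DES"}   # 56-bit key
MIN_DH_BITS = 1024          # assumption: flag any group smaller than this

def normalize(proposal):
    """Canonical names, and the DH group always expressed in bits."""
    out = {}
    for key, value in proposal.items():
        if key == "dh_group":
            out["dh_bits"] = DH_GROUP_BITS[value]
        elif isinstance(value, str):
            out[key] = ALIASES.get(value.upper(), value.upper())
        else:
            out[key] = value
    return out

def compare(gateway, client):
    """Return (differences, warnings) for one negotiation phase."""
    gw, cl = normalize(gateway), normalize(client)
    differences = [
        f"{key}: gateway={gw.get(key)} client={cl.get(key)}"
        for key in sorted(set(gw) | set(cl))
        if gw.get(key) != cl.get(key)
    ]
    warnings = []
    for side, p in (("gateway", gw), ("client", cl)):
        if p.get("encryption") in WEAK_ENCRYPTION:
            warnings.append(f"{side}: weak encryption {p['encryption']}")
        if p.get("dh_bits", MIN_DH_BITS) < MIN_DH_BITS:
            warnings.append(f"{side}: {p['dh_bits']}-bit DH group")
    return differences, warnings

# Values transcribed from the settings post (BEFVP41 vs. VPN01L client).
PHASE1_GATEWAY = {"mode": "Main", "encryption": "DES", "hash": "SHA", "dh_bits": 768}
PHASE1_CLIENT = {"mode": "Main", "encryption": "DES", "hash": "SHA-1", "dh_group": 2}
PHASE2_GATEWAY = {"encryption": "3DES", "hash": "SHA", "dh_bits": 768}
PHASE2_CLIENT = {"encryption": "Triple DES", "hash": "SHA-1", "dh_group": 2}

if __name__ == "__main__":
    for name, gw, cl in (("Phase 1", PHASE1_GATEWAY, PHASE1_CLIENT),
                         ("Phase 2", PHASE2_GATEWAY, PHASE2_CLIENT)):
        print(name, *compare(gw, cl), sep="\n  ")
```

The only field it reports as differing is the key group (768-bit on the gateway, Group 2 on the client); the algorithm names agree once the two devices' labels are normalized.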
Anonymous
January 24, 2005 5:03:00 AM

Do you get decent speeds with this setup? I tried SSH with that
router and though I could connect...it was so slow it was unusable.
DSL on one end with Cable on the other..same router and SSH Sentinel.
Anonymous
January 24, 2005 11:28:25 AM

bschucher wrote:
> Do you get decent speeds with this setup? I tried SSH with that
> router and though I could connect...it was so slow it was unusable.
> DSL on one end with Cable on the other..same router and SSH Sentinel.

Yes, the speed with the VPN01L/VPN05L client is quite good--better, in
fact, than using two BEFVP41 boxes connected to each other, for some
reason. (DSL is the connection medium at both ends, and the maximum
upload speed is 128kbps--that's the limiting factor.) If you're using a
modem at one end, then yes, it will be sluggish. You'd have to buy a
Citrix server in that case.

I also tried SSH Sentinel some time ago with the BEFVP41, and it worked
fine but was somewhat slower, as I recall. I also notice that using
3DES encryption is noticeably slower compared to DES, but that's the
price of greater security.

One more note: The client PC I'm using is a Pentium III/500Mhz
notebook, so even a computer that old will work with acceptable
results.

Regards,

--E
September 23, 2009 7:21:22 AM

Hi, can you send me the copy of sentinel?

thanks.




Quote:
Archived from groups: comp.dcom.vpn (More info?)

"John" <johnfofawn@hotmail.com> wrote:
> I've been trying and trying to get my WinXP Pro box at home
> (cable modem) to connect to my BEFVP41 at the office
> using a VPN. I don't think it's possible. Am I wrong?
>
> So what IPSEC client should I use if I can't use the built-in
> WinXP IPSEC? Google searches revealed SSH Sentinel,
> but that doesn't seem to be available any more. Is there
> anything else free? If I have to pay, what's a good and cheap
> VPN client for WinXP Pro?

John, I'm on the same quest - trying to connect from XP Pro on home
cable to BEFVP41 at office. I've probably been over the same web
searches as you, and after several hours of following google links,
I managed to find a place to download SSH Sentinel 1.3.2. I haven't
got it to work yet, but that may be because I'm still new to VPNs.
Email me (dg1261-at-cs.com) if you want it.
