We need to establish a few L2TP over IPsec connections between Windows XP systems (without NS-Remote) and an SSG 5 running ScreenOS 6.
I found bits and pieces on this topic, but nothing explaining the config of both sides for the same approach (e.g. PSK).
KB9756 explains the WinXP side with PSK (Step 14), but all articles I found regarding the SSG side either require NS-Remote or certificates (or both) on the XP side.
What I would need is the corresponding KB article to KB9756 for the SSG side (ScreenOS 5.4 or 6 doesn't matter), i.e. with PSK, or some step-by-step guide for setting up BOTH ends with certs and without NS-Remote. Especially, how and where to import the .p12 file and root CA into Windows XP (not W2k, NT or even older versions) and use those certs in the IPsec part of the L2TP-over-IPsec connection.
Creating the certs (with openssl) and importing them into the SSG is no problem / doesn't need to be explained.
I managed to get a plain L2TP working, but traffic encryption is a MUST.
Just to add to Keith's comments, the Technical Note that he is referring to is based on ScreenOS 4.0. However the information contained is still accurate. In order to use Windows native L2TP over IPSec client, you MUST either have a fixed public IP on each client or you MUST use PKI certificates. This means that unless you can identify the peer with static IP address, you cannot use preshared keys if the Windows clients may be coming from a dynamic IP. This is really a limitation on the Windows client side as the native client does not have a provision to specify an IKE ID with FQDN or u-FQDN.
Furthermore, you need to be aware that if the Windows client is behind a NAT device, there is a chance that you may have problems traversing that NAT device if the device does not properly forward IP protocol 50 (ESP). Normally if behind a NAT device, you would want to use NAT traversal, which encapsulates the ESP packet within a UDP 4500 packet. However, with L2TP over IPSec you MUST use transport mode. NAT traversal is only supported in tunnel mode (protocol limitation).
Long story short, using Windows native client may not always be feasible for everyone. I generally recommend going with an IPSec client such as NetScreen-Remote due to the many limitations inherent to the Windows native client.
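To make the traffic mix described in the two replies above concrete, here is an added Python example (not from this thread, the KB articles, or Juniper) that labels raw IPv4 packets from their outer headers only: IKE on UDP 500, IKE and ESP-in-UDP on UDP 4500 (NAT traversal), native ESP as IP protocol 50, and unprotected L2TP on UDP 1701. The function names and the constructed sample frames are my own; transport versus tunnel mode is not visible without decrypting ESP, so the classifier does not claim to tell them apart.

```python
import struct

# Protocol numbers and ports for the traffic mix discussed above.
IPPROTO_UDP, IPPROTO_ESP = 17, 50
PORT_IKE, PORT_NATT, PORT_L2TP = 500, 4500, 1701


def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet from its outer headers only (no decryption).
    Returns 'ike', 'ike-natt', 'esp', 'esp-udp-encap', 'l2tp-plain' or 'other'.
    Transport vs. tunnel mode is not visible here; it sits inside the ESP payload.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] == IPPROTO_ESP:
        return "esp"  # IP protocol 50: a NAT box must forward this or the tunnel dies
    if packet[9] != IPPROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    payload = packet[ihl + 8:]
    if PORT_IKE in (sport, dport):
        return "ike"
    if PORT_NATT in (sport, dport):
        # RFC 3948: IKE on 4500 starts with a 4-byte zero marker; ESP-in-UDP starts
        # with its SPI, which is never zero (SPI 0 is reserved by RFC 4303).
        return "ike-natt" if payload[:4] == b"\x00\x00\x00\x00" else "esp-udp-encap"
    if PORT_L2TP in (sport, dport):
        return "l2tp-plain"  # L2TP with no IPsec underneath: control and PPP in the clear
    return "other"


def audit(packets):
    """Summarise a capture: which tunnel components appeared and how many L2TP
    datagrams travelled without IPsec protection."""
    kinds = [classify(p) for p in packets]
    return {"kinds": sorted(set(kinds)), "unencrypted_l2tp": kinds.count("l2tp-plain")}


def _ipv4(proto, body):
    """Constructed sample: minimal IPv4 header (checksum left zero, fine for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1])) + body


def ipv4_udp(sport, dport, payload):
    """Constructed sample: IPv4 + UDP datagram carrying `payload`."""
    return _ipv4(IPPROTO_UDP, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def ipv4_esp(spi, seq, body):
    """Constructed sample: IPv4 + ESP (SPI, sequence number, opaque encrypted body)."""
    return _ipv4(IPPROTO_ESP, struct.pack("!II", spi, seq) + body)
```

Run `audit()` over frames read from a pcap to see whether any L2TP is leaving the client without ESP underneath it, which is exactly the "plain L2TP works but encryption is a MUST" situation from the original question.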
Thanks for the responses. OK - so I do this with certs. Setting up the SSG side is somewhat documented in the C&E books, but I'm lost with XP. The document mentioned in the reply above deals with W2k, but I assume with XP (Pro) you'd do the cert stuff with the MMC and the cert snap-in, right? But how exactly do I use those - starting with the first snap-in question, what certs to manage: user, service or computer? No idea. How do I tie the (openssl-generated) cert to the IPsec portion of the L2TP over IPsec tunnel in XP? Do I still need to fiddle with the XP registry editor like it needed to be done in W2k?
Mmh - my last post was probably a bit premature - I grepped for XP in the document and didn't find it, but reading through it, it looks like it could be working on XP too. I'll give it a try tomorrow and will let you know about the outcome. Sorry for the last post.
Thanks for the pointer. I gave it a try but didn't succeed. The document is quite confusing (in section 'Downloading the CA certificates for the WIN2K machine', they say 'Once you have downloaded the CRL to your machine you must install it onto your machine. You must first right click on the certificate and select install...' - are we talking cert or CRL?; "12. To verify that the certificate, Click on certificates then personal." Sorry?) On top of that, in section 'You must now edit your registry to make a connection for L2TP over IPSEC.': 4. You must go to the PASSWORD registry key for L2TP tunnel authentication:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/4D36E972-E325…/0002/ (On my W2K box, it's 0002. Should be the one containing minil2tpport) Password/PASSWORD
(An easier way to locate it: find the registry key containing the keyword "l2tp_miniport")
I don't have a key containing the string 'minil2tpport'. Giving up. Sniff...