Archived from groups: comp.dcom.vpn
Doug McIntyre wrote:
> eel@javabox.com writes:
>
>>I'm looking into buying one of Netgear's Prosafe routers. They offer
>>VPN client software in addition to the routers
>>http://www.netgear.com/products/details/VPN01L_VPN05L.php.
>
>>Don't Win2k and XP come with IPsec client support? Would I need to
>>purchase the software in addition to the router to tunnel from a client
>>into the network served by the router? I'm asking not just for Windows
>>clients, but I'd also like to set up Linux IPSec clients as well.
>
> Win2k and WinXP know about IPsec manual key, and L2TP over IPsec
> manual key (or even PPP auth with L2TP), but they don't know anything
> whatsoever about IKE keying with pre-shared secrets, or X.509 certificates.
>
> Most people find entering in your SA and ESP associations and keys
> all by hand, and making sure they match, quite a pain. Plus of course,
> that doesn't let you have any sort of re-keying or revocation other
> than shutting down that SA (after you remember which SA is which).
Windows IPsec is very ugly for dial-in, client-style functionality. It
was really designed for setting up a Windows server with a local LAN using
IPsec, all controlled with group policy and a corporate certificate
authority.
It does work with certificates, though only in the LAN-style environment
I mentioned. For most uses over the Internet it is inappropriate. I
have never bothered to do more than a lab implementation, just to see how
ugly it was. The built-in L2TP method can work, but it has trouble with
NAT, so I have never been able to deploy it, though I could see where it
might be useful on a restricted basis.
So, yes, the Windows built-in IPsec support could likely be made to work
with the Netgear router, but it is so inflexible that it's not a
practical way to implement an IPsec VPN connection to a desktop PC. You
don't require the client that Netgear sells; if you prefer to use
another vendor's IPsec client, you can probably make it work. I have
heard that support for this client software is not free from Netgear and
the documentation is not great, so you may be disappointed with that
experience too. I believe many people are using these routers to make
network-to-network connections using two routers more than the client
"dialing" into the router type of connection. If you are interested in
a solution that is good at making VPN gateway-to-client-software
connections, then take a look at the Watchguard X line. They integrate
the router and the client software very nicely.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
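The following is an added example, not code from either poster or from Netgear. It makes concrete the manual-keying pain Doug describes (every SA, SPI and key typed identically on both ends, nothing re-keyed until an admin does it) for the Linux client case the original poster asked about. It writes ipsec-tools `setkey` configuration for ESP in transport mode, one file per host, and then compares the two files the way you would want to before loading them with `setkey -f`. The host addresses are constructed; the `ManualSA` type, `build_configs` and `configs_match` are names chosen for this example.

```python
"""Manual-key IPsec (ESP, transport mode) for two hosts, in setkey syntax.

Added example for the thread above, not from either poster. Produces one
ipsec-tools `setkey` file per host (Linux/BSD; load with `setkey -f`).
There is no IKE here: both hosts must carry the same two SAs with the
same SPIs and keys, and the keys never change unless someone edits the
files. Addresses used in __main__ are constructed.
"""
import re
import secrets
from collections import namedtuple

ManualSA = namedtuple("ManualSA", "src dst spi enc_key auth_key")

AES_CBC_KEY_BYTES = 16     # aes-cbc with a 128-bit key
HMAC_SHA1_KEY_BYTES = 20   # hmac-sha1 takes a 160-bit key
MIN_SPI = 0x100            # SPI values 0-255 are reserved (RFC 4303, 2.1)


def new_sa(src, dst):
    """One fresh SA for the src->dst direction; each direction gets its own keys."""
    return ManualSA(src, dst,
                    MIN_SPI + secrets.randbelow(0xFFFFFFFF - MIN_SPI),
                    "0x" + secrets.token_hex(AES_CBC_KEY_BYTES),
                    "0x" + secrets.token_hex(HMAC_SHA1_KEY_BYTES))


def validate_sa(sa):
    """Reject what setkey or the peer's kernel would reject later anyway."""
    if not MIN_SPI <= sa.spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI 0x{sa.spi:x} out of range")
    for name, key, size in (("enc", sa.enc_key, AES_CBC_KEY_BYTES),
                            ("auth", sa.auth_key, HMAC_SHA1_KEY_BYTES)):
        if not re.fullmatch(r"0x[0-9a-fA-F]{%d}" % (2 * size), key):
            raise ValueError(f"{name} key must be 0x followed by {size} bytes of hex")
    return True


def sa_line(sa):
    """The `add` line setkey expects for one ESP SA."""
    return (f"add {sa.src} {sa.dst} esp 0x{sa.spi:x} "
            f"-E aes-cbc {sa.enc_key} -A hmac-sha1 {sa.auth_key};")


def build_configs(sa_ab, sa_ba):
    """Return {host: setkey text}. Both hosts carry both SAs verbatim; only the
    policy lines (which direction is 'out') differ between the two files."""
    for sa in (sa_ab, sa_ba):
        validate_sa(sa)
    a, b = sa_ab.src, sa_ab.dst
    if (sa_ba.src, sa_ba.dst) != (b, a):
        raise ValueError("second SA must be the reverse direction of the first")
    configs = {}
    for me, peer in ((a, b), (b, a)):
        lines = ["flush;", "spdflush;", sa_line(sa_ab), sa_line(sa_ba),
                 f"spdadd {me} {peer} any -P out ipsec esp/transport//require;",
                 f"spdadd {peer} {me} any -P in ipsec esp/transport//require;"]
        configs[me] = "\n".join(lines) + "\n"
    return configs


SA_RE = re.compile(r"^add (\S+) (\S+) esp (0x[0-9a-f]+) -E aes-cbc (\S+) "
                   r"-A hmac-sha1 (\S+);$", re.M)


def parse_sas(text):
    """Recover the SA set from a setkey file so two files can be compared."""
    return {ManualSA(s, d, int(spi, 16), e, a)
            for s, d, spi, e, a in SA_RE.findall(text)}


def configs_match(text_a, text_b):
    """True only if both ends hold exactly the same two SAs (SPIs and keys).
    A single mistyped hex digit on one side makes this False; the kernels
    themselves would only tell you by silently dropping traffic."""
    sas_a, sas_b = parse_sas(text_a), parse_sas(text_b)
    return len(sas_a) == 2 and sas_a == sas_b


if __name__ == "__main__":
    client, gateway = "192.0.2.10", "198.51.100.1"   # constructed addresses
    cfg = build_configs(new_sa(client, gateway), new_sa(gateway, client))
    for host, text in cfg.items():
        print(f"# setkey -f file for {host}\n{text}")
    print("both ends agree:", configs_match(cfg[client], cfg[gateway]))
```

Run it as root only via `setkey -f` on each host after inspecting the output; the script itself touches no kernel state. Note what is missing compared with IKE: no replay-window negotiation, no lifetime, no rekey, and revoking a peer means editing both files and reloading, which is the point Doug makes above.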