Security
FEATURE
PGPvpn Keeps IPsec Simple

February 4, 2002
By Mike Fratto


Microsoft Corp. Windows XP

Starting with Windows 2000, Microsoft has included a built-in IPsec VPN client with its operating systems. Designed to be user friendly and benefiting from tight integration with the OS and Active Directory, the client is almost as easy to use as Microsoft's earlier VPN clients based on PPTP (Point-to-Point Tunneling Protocol). Two types of VPNs can be created with Windows XP; we tested and graded both.

Regardless of whether we created a peer-to-peer VPN or a remote-access VPN using DUN (Dial-Up Networking, which carries L2TP within IPsec), the process was simple. Microsoft falls behind competitors because there is no easy way to decouple L2TP from IPsec for remote-access VPNs, there is no support for NAT traversal, and support for third-party VPN gateways is limited. However, if you aim to connect to third-party gateways that have been designed to support Windows IPsec, there is no need to go elsewhere.



Using preshared secret IKE with Windows XP requires the construction of inbound and outbound IPsec policies.


For the most part, Microsoft's VPN implementation requires digital certificates to work properly. We did test Windows XP using preshared secret authentication, which was a chore. However, using a preshared secret for authentication generally is not acceptable anyway, because distributing and managing preshared keys is inherently less secure than certificate-based authentication. Luckily, Windows 2000 Server comes with a built-in certificate authority, and Windows XP has built-in certificate support. We used the Microsoft CA for our certificates because, unfortunately, when we tried this with Entrust Authority 6.0 and VPN Connector 5.0, we were unable to create VPNs using certificates for unresolved reasons.

Configuring VPNs for peer-to-peer VPN functionality within the Microsoft product can be done centrally through Active Directory and is a straightforward process. Within a few minutes we had configured a policy that was distributed to our remote clients.

Building a remote-access VPN setup, where a client connects to a host or subnet through a VPN gateway using L2TP secured by IPsec, is a different process. End users can configure DUN connections using a wizard, or preconfigured DUN phonebooks can be distributed using Connection Manager Administration Kit (CMAK). Why DUN connections can't be managed through Active Directory is beyond us -- Microsoft should work on this. The IKE configurations for DUN are preconfigured and, when working with third-party gateways, require no user intervention.

Unfortunately, the logging in Windows XP, though detailed, is cryptic and cannot be enabled without adding a registry key -- and this process is not for the faint of heart. Thankfully, unless something goes wrong (as it did in our case with the digital certificates), you'll likely be spared.

As far as interoperability goes, Windows XP worked fine for products that use L2TP secured by IPsec (RFC 3193). Although very few products support L2TP in IPsec, Nortel's Contivity and Cisco's 3000 Concentrator series do.
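The layering the review relies on here and in the NAT-traversal remark above (IKE on UDP/500, ESP as IP protocol 50, UDP-encapsulated IKE and ESP on UDP/4500 for NAT traversal per RFC 3948, and L2TP on UDP/1701, which RFC 3193 expects to travel inside ESP) is easier to see in code. The following Python is an added example, not from the article, from Microsoft or from any product tested here; it classifies constructed sample packets by these header fields and flags any L2TP that appears outside ESP, which is the condition a policy audit of an L2TP/IPsec deployment would look for. Port and protocol numbers are the standard assignments; the addresses and packet bodies are constructed.

```python
"""Classify the traffic an L2TP/IPsec VPN such as Windows XP's produces.

Added example (not from the article): IKE on UDP/500, ESP as IP protocol 50,
UDP-encapsulated IKE/ESP on UDP/4500 (RFC 3948) and L2TP on UDP/1701, which
RFC 3193 requires to be carried inside ESP. All sample packets are constructed.
"""
import struct
from dataclasses import dataclass

IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
PORT_IKE, PORT_NAT_T, PORT_L2TP = 500, 4500, 1701


@dataclass
class Verdict:
    kind: str        # protocol label
    detail: str      # endpoints plus SPI/sequence or L2TP message type
    protected: bool  # True when the payload is carried inside ESP


def _dotted(raw: bytes) -> str:
    return ".".join(str(o) for o in raw)


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload); IHL is honoured, options are skipped."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a well-formed IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], _dotted(pkt[12:16]), _dotted(pkt[16:20]), pkt[ihl:]


def parse_udp(seg: bytes):
    """Return (sport, dport, data), trusting the UDP length field."""
    if len(seg) < 8:
        raise ValueError("short UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return sport, dport, seg[8:max(length, 8)]


def parse_esp(payload: bytes):
    """ESP (RFC 4303) starts with a 32-bit SPI and a 32-bit sequence number."""
    if len(payload) < 8:
        raise ValueError("short ESP header")
    return struct.unpack("!II", payload[:8])


def classify(pkt: bytes) -> Verdict:
    proto, src, dst, payload = parse_ipv4(pkt)
    if proto == IP_PROTO_ESP:
        spi, seq = parse_esp(payload)
        return Verdict("ESP", f"{src}->{dst} spi=0x{spi:08x} seq={seq}", True)
    if proto != IP_PROTO_UDP:
        return Verdict("other", f"{src}->{dst} ip-proto={proto}", False)
    sport, dport, data = parse_udp(payload)
    flow = f"{src}:{sport}->{dst}:{dport}"
    if PORT_IKE in (sport, dport):
        return Verdict("IKE", flow, False)
    if PORT_NAT_T in (sport, dport):
        # RFC 3948: IKE on 4500 is prefixed with a 4-byte zero "non-ESP marker".
        # An ESP SPI is never zero, so the first four bytes disambiguate.
        if data[:4] == b"\x00\x00\x00\x00":
            return Verdict("IKE/NAT-T", flow, False)
        spi, seq = parse_esp(data)
        return Verdict("ESP/NAT-T", f"{flow} spi=0x{spi:08x} seq={seq}", True)
    if PORT_L2TP in (sport, dport) and len(data) >= 2:
        # L2TPv2 (RFC 2661): T bit marks control messages, low nibble is version.
        flags = struct.unpack("!H", data[:2])[0]
        if flags & 0x000F == 2:
            msg = "control" if flags & 0x8000 else "data"
            # Visible L2TP means the ESP protection RFC 3193 requires is absent.
            return Verdict("L2TP (cleartext)", f"{flow} {msg}", False)
    return Verdict("UDP", flow, False)


def unprotected_l2tp(pkts):
    """Return verdicts for L2TP seen outside ESP: the finding an audit would raise."""
    return [v for v in map(classify, pkts) if v.kind == "L2TP (cleartext)"]


# --- constructed sample packets (documentation address ranges) -------------
def ipv4(proto, src, dst, payload):
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    return hdr + payload


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


CLIENT, GATEWAY = "192.0.2.10", "198.51.100.1"
SAMPLES = {
    "ike": ipv4(17, CLIENT, GATEWAY, udp(500, 500, b"\x00" * 28)),
    "esp": ipv4(50, CLIENT, GATEWAY, struct.pack("!II", 0x1000ABCD, 7) + b"\xaa" * 40),
    "natt_ike": ipv4(17, CLIENT, GATEWAY, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "natt_esp": ipv4(17, CLIENT, GATEWAY,
                     udp(4500, 4500, struct.pack("!II", 0x2000EF01, 3) + b"\xbb" * 32)),
    # T=1, L=1, version 2: an L2TP control message sent without IPsec
    "l2tp_clear": ipv4(17, CLIENT, GATEWAY, udp(1701, 1701, struct.pack("!H", 0xC802) + b"\x00" * 10)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11s} {classify(pkt)}")
```

Run stand-alone, the script prints one verdict per sample; only `l2tp_clear` comes back unprotected, because in a correctly configured L2TP/IPsec deployment the UDP/1701 traffic is never visible on the wire, only the ESP that wraps it.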

Microsoft Windows XP Professional, starts at $199; Windows XP Home Edition, starts at $99. Available: Now. Microsoft Corp., (425) 882-8080; fax (425) 706-7329. www.microsoft.com


SafeNet SoftRemote 6.1 Policy Manager and VPN Client

SoftRemote is a bit of a disappointment considering that SafeNet resells SoftRemote to a number of respectable VPN vendors, including Cylink Corp. and NetScreen Technologies. Frankly, we just weren't that impressed. Besides burdening the user with a complicated interface, the client lacks NAT traversal, an integrated public-key system, dynamic VPN creation and remote logging. Not surprisingly, it took more work to get SoftRemote running than it did for its rivals.



SoftRemote's Policy Manager (screen view)


SoftRemote is deployed by building an installation package that can contain all the components for an end user, including digital certificates and VPN policies. End users must request their own digital certificates because the key generation occurs on the local host, but that is to be expected. We did run into some issues when creating remote-access VPNs with the Cisco 3005 because, as explained by SafeNet, SoftRemote uses set/ack mode config, while the 3005 uses request/reply. In addition, when creating a VPN with Nortel's Contivity, we had to devise a branch-office VPN on the Contivity -- a process that worked but is not very scalable.

SoftRemote 6.1 Policy Manager, $995; SoftRemote VPN client, $99. Available: Now. SafeNet, (410) 931-7500; fax (410) 931-7524. www.safenet-inc.com


Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.
