
IPSec/VPN from Windows Vista to RV0xx - QuickVPN style

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by aviegas, Mar 25, 2007.

  1. aviegas

    aviegas Network Guru Member

    Has anyone successfully used "static" IPSec policies under Windows Vista? I'm trying to get it to work with a RV042 without success.

    I can set up the policy (the very same policy works for XP and 2003) and yes, I did assign the policy. But it does not work. Its filters don't show on the list of active filters (under the IP Security Monitor snap-in), meaning that the filters are not active. As a result, Windows doesn't attempt to negotiate the IPSec connection with the RV042. No idea why....

    I'm trying to create an alternative to QuickVPN.

    One thing is fact: Microsoft changed the line mode interface to IPSec services in Windows Vista. As a result, none of the existing IPSec VPN tools work, including our good "friend" QuickVPN.

    QuickVPN may not be the "smartest" kid on the block, but it's simple and intuitive, something that very few VPN clients can claim. And I can say that's a point for it being quite popular.

    I've decided to create an alternative to QuickVPN that will use the same authentication strategy and yet allow for some features missing in QuickVPN, without making it counter-intuitive:

    1) Allow DNS control, that is, the user will decide which DNS service is to be used: the locally defined one or the one provided by the VPN server.

    2) Allow some "routing" control. With the new multi-subnet feature of the RV0xx series, as well as its routing capabilities, one can have more than one subnet reachable on the remote end (I know it's technically not routing under Windows IPSec, but it can be done).

    3) Change from MD5 to SHA1 for better security.

    So far, under Windows XP I can mimic QuickVPN manually, but for the reason at the beginning of the post I can't get it to work under Vista.....
     
  2. Toxic

    Toxic Administrator Staff Member

    AFAIK no one has ever got the XP or Vista VPN to work with a hardware VPN router, and AFAIK QuickVPN is not yet compatible with Vista. This is the downfall of new operating systems. It takes 6-12 months for all the rest of the world to follow Microsoft.
     
  3. aviegas

    aviegas Network Guru Member

    Actually QuickVPN is nothing more than Windows 2000/XP VPN code talking to the RV042. What QuickVPN does is use HTTPS to the router to create the tunnel connection on the fly and return the PSK. Then QuickVPN uses Marcus Müller's IPSEC.EXE tool to generate Windows commands that will create the Windows VPN policy. At disconnect time, QuickVPN uses HTTPS again to ensure that the tunnel definition is removed.

    Using a browser I can retrieve the PSK and setup the policy either manually or using Marcus Müller's tool. And it works.

    That's what I'm trying to do with Vista. I've managed to create the very same policy, but for some reason, no matter what policy I try, Vista seems to ignore it.
    If I can get past this, I'm positive I will be able to create an enhanced QuickVPN version for Vista.
     
  4. Toxic

    Toxic Administrator Staff Member

    Problem is you're not the first to try with Vista or XP. No one yet has ever done it. The RV0xx series routers use SSL port 443/60443 to connect initially for QVPN clients. I guess Vista or XP are not using this.
     
  5. aviegas

    aviegas Network Guru Member

    Sorry Simon, but that is not accurate. ** I've done it from Windows XP **
    I have created a script that creates a QuickVPN connection!

    The HTTPS part (SSL) is to setup the router for the tunnel and to return the tunnel information to the client. The whole "protocol" can be described as follows:

    1) The client sends an HTTPS (SSL) request to the router to set up the tunnel. The URL for the request is:

    edited to show full URL:

    Code:
    https://*user*:*password*@*router_addr*:*port*/StartConnection.htm?version=1?IP=*client_ip*?PASSWD=*password*?USER=*user*
    
    Where: *user*, *password* are the QuickVPN user and password
    *router_addr* is either the IP address or DNS name of the router
    *port* can be either 443 or 60443
    *client_ip* is the LAN IP address of the client

    2) The router will check the passed credentials as well as the *client_ip*. If the credentials are valid and the *client_ip* is not conflicting with the router's network, then the router will set up a dynamic tunnel and return the following information to the client.

    - The preshared key
    - The remote side network
    - The DNS server available on the remote side
    - The DNS domain

    At this time, if one cares to look in the VPN information page of the RV0xx, it will show as "online".

    3) With this information, and the *client_ip*, that's all that is needed to create a Windows VPN "policy". QuickVPN relies on Marcus Müller's IPSEC.EXE tool (check http://vpn.ebootis.de) to set up the Windows policy, but one can easily do it manually.

    4) QuickVPN also uses HTTPS to change the password, but I do not have the URLs at hand now.

    5) When the user terminates the connection, IPSEC.exe will be used again to "remove" the Windows policy and to connect to the router once more to inform it that the session is over and ask for the tunnel to be removed. The URL for the session termination is:

    Code:
    https://*user*:*password*@*router_addr*:*port*/StopConnection.htm?version=1?Status=disable?IP=*client_ip*?PASSWD=*password*?USER=*user*
    
    At this time, the router will remove the tunnel and will flag the user as offline.


    You may try it. It works. QuickVPN is just an "automation" layer on top of several tools. The HTTPS is performed by WGET and the Windows VPN setup by the IPSEC.EXE tool (just an easy interface to Windows VPN policy setup). Both WGET and IPSEC.EXE are available in the QuickVPN directory.


    Now, the problem is with Windows Vista. I can replicate all of the above, but for some reason, the Windows VPN policy I create (the same that works under XP) does not seem to become active. That's the only issue I have right now.
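The five-step exchange above, written out as an added example (this is not QuickVPN's, Linksys's or the poster's code): it builds the StartConnection.htm and StopConnection.htm request URLs exactly in the format the post documents, and performs the same client-address check the router applies in step 2. The percent-encoding of user name and password, the port check and the sample values are assumptions of this example.

```python
import ipaddress
from urllib.parse import quote

QUICKVPN_PORTS = (443, 60443)  # the two HTTPS ports the post lists

def _enc(value):
    # Percent-encode so a user name or password containing '@', '/' or '?'
    # cannot break the URL apart (assumption: the router decodes %XX escapes;
    # the post does not say how QuickVPN itself handles such characters).
    return quote(str(value), safe="")

def client_ip_ok(client_ip, remote_net):
    """Client-side version of the router's step-2 check: the client address
    must not lie inside the remote protected network (the '-102 ... conflict'
    error reported later in the thread)."""
    return ipaddress.ip_address(client_ip) not in ipaddress.ip_network(remote_net, strict=False)

def _session_url(page, user, password, router_addr, port, client_ip, extra=""):
    if port not in QUICKVPN_PORTS:
        raise ValueError(f"port must be one of {QUICKVPN_PORTS}, got {port}")
    ipaddress.ip_address(client_ip)  # raises ValueError on a malformed address
    # Parameters are '?'-separated and the credentials appear twice (userinfo and
    # query), exactly as the post shows; this is not the usual '&' syntax.
    # Log hygiene note: the password is part of the URL, so anything that keeps
    # full request URLs (proxies, browser history) keeps the password too.
    return (f"https://{_enc(user)}:{_enc(password)}@{router_addr}:{port}/{page}"
            f"?version=1{extra}?IP={client_ip}?PASSWD={_enc(password)}?USER={_enc(user)}")

def start_connection_url(user, password, router_addr, port, client_ip):
    """Step 1: ask the router to create the dynamic tunnel and return the PSK."""
    return _session_url("StartConnection.htm", user, password, router_addr, port, client_ip)

def stop_connection_url(user, password, router_addr, port, client_ip):
    """Step 5: tell the router the session is over so it tears the tunnel down."""
    return _session_url("StopConnection.htm", user, password, router_addr, port,
                        client_ip, extra="?Status=disable")

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    if client_ip_ok("10.0.0.5", "192.168.1.0/24"):
        print(start_connection_url("vpnuser", "s3cret", "vpn.example.net", 443, "10.0.0.5"))
        print(stop_connection_url("vpnuser", "s3cret", "vpn.example.net", 443, "10.0.0.5"))
```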
     
  6. aviegas

    aviegas Network Guru Member

    A small progress, that shows that I'm headed in the right direction!

    When I set the "filter" rule in Windows VPN (it's oddly based on "filters"), if I set the destination to the whole subnet that is on the remote side, then it does not get triggered.

    But if I set the filter to a single address on the other side, it does get triggered and guess what, the RV042 accepts the connection in main mode, but barfs in quick mode (because the connection is not for the same network subnet).

    Let me explain: I was trying with 192.168.1.0/24 on the remote end (RV042 protected side). It was not working. When I used 192.168.1.1/32 it triggered.

    Combining with the preshared key retrieved with HTTPS (the SSL part) it got past the main mode authentication.

    Check the attached log. The last line is the RV042 complaining that the connection is not for 192.168.1.1/32 (it should be 192.168.1.0/24), but that is expected for the experiment. The good part is the success in main mode.

    If I can get it to work with Vista, then the next step is to create a "QuickVPN on steroids", with a Linux port too.

    But first I need to tame this #$@#&^% Windows Vista VPN stack.
     


  7. Toxic

    Toxic Administrator Staff Member

    There are a number of issues related to Vista rather than XP, though the example of yours I don't think was ever shown like that. I'll contact our friends at Linksys to see if they have any feedback on this.

    Thanks for the detailed info btw.
     
  8. aviegas

    aviegas Network Guru Member

    I'm also trying some friends at Microsoft to see why I can't define a subnet type trigger.
     
  9. aviegas

    aviegas Network Guru Member

    I decided to give it another try.

    I've switched from using "netsh ipsec static", that is the mode compatible with the original QuickVPN and moved to "netsh ipsec dynamic". Well, I was able to make the Windows side work, but now I guess the issue is on the RV0xx side...

    The test setup is:

    192.168.1.0/24======192.168.1.1|11.10.10.254.......11.10.10.1

    I can get past phase 1 (main mode) and the main mode SA is properly exchanged. But when it gets to phase 2 (quick mode) the router barfs stating that it cannot identify the connection.... really weird. Here is the log.

    Dec 31 17:19:47 2002 VPN Log Received Vendor ID payload Type = [MS NT5 ISAKMPOAKLEY 00000005]
    Dec 31 17:19:47 2002 Connection Accepted UDP 11.10.10.1:500->11.10.10.254:500 on ixp1
    Dec 31 17:19:47 2002 VPN Log Ignoring Vendor ID payload [4a131c8107035845...]
    Dec 31 17:19:47 2002 VPN Log Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
    Dec 31 17:19:47 2002 VPN Log Ignoring Vendor ID payload Type = [FRAGMENTATION]
    Dec 31 17:19:47 2002 VPN Log Ignoring Vendor ID payload [fb1de3cdf341b7ea...]
    Dec 31 17:19:47 2002 VPN Log Ignoring Vendor ID payload [26244d38eddb61b3...]
    Dec 31 17:19:47 2002 VPN Log Ignoring Vendor ID payload [e3a5966a76379fe7...]
    Dec 31 17:19:47 2002 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    Dec 31 17:19:47 2002 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
    Dec 31 17:19:47 2002 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
    Dec 31 17:19:48 2002 VPN Log [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
    Dec 31 17:19:48 2002 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
    Dec 31 17:19:48 2002 VPN Log Main mode peer ID is ID_IPV4_ADDR: '11.10.10.1'
    Dec 31 17:19:48 2002 VPN Log [Tunnel Negotiation Info] >>> Responder Send Main Mode 6th packet
    Dec 31 17:19:48 2002 VPN Log [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
    Dec 31 17:19:48 2002 VPN Log [Tunnel Negotiation Info] Initiator Cookies = 51cc c280 8e3c f285
    Dec 31 17:19:48 2002 VPN Log [Tunnel Negotiation Info] Responder Cookies = a111 6225 9c8d ef59
    Dec 31 17:19:48 2002 VPN Log [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
    Dec 31 17:19:48 2002 VPN Log Cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===11.10.10.254...11.10.10.1

    Any ideas?
     
  10. aviegas

    aviegas Network Guru Member

    Great news!

    I was able to get a QuickVPN type session using Windows Vista IPSec stack :)

    Check this log:

    Code:
    May 6 01:26:37 2007	    VPN Log	         Received Vendor ID payload Type = [MS NT5 ISAKMPOAKLEY 00000005]
    May 6 01:26:37 2007	    Connection Accepted	 UDP 11.10.10.1:500->11.10.10.254:500 on ixp1
    May 6 01:26:37 2007	    VPN Log	         Ignoring Vendor ID payload [4a131c8107035845...]
    May 6 01:26:37 2007	    VPN Log	         Received Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
    May 6 01:26:37 2007	    VPN Log	         Ignoring Vendor ID payload Type = [FRAGMENTATION]
    May 6 01:26:37 2007	    VPN Log	         Ignoring Vendor ID payload [fb1de3cdf341b7ea...]
    May 6 01:26:37 2007	    VPN Log	         Ignoring Vendor ID payload [26244d38eddb61b3...]
    May 6 01:26:37 2007	    VPN Log	         Ignoring Vendor ID payload [e3a5966a76379fe7...]
    May 6 01:26:37 2007	    VPN Log	         [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    May 6 01:26:37 2007	    VPN Log	         [Tunnel Negotiation Info] >>> Responder Send Main Mode 2nd packet
    May 6 01:26:37 2007	    VPN Log	         [Tunnel Negotiation Info] <<< Responder Received Main Mode 3rd packet
    May 6 01:26:37 2007	    VPN Log	         [Tunnel Negotiation Info] >>> Responder send Main Mode 4th packet
    May 6 01:26:37 2007	    VPN Log	         [Tunnel Negotiation Info] <<< Responder Received Main Mode 5th packet
    May 6 01:26:37 2007	    VPN Log	         Main mode peer ID is ID_IPV4_ADDR: '11.10.10.1'
    May 6 01:26:37 2007	    VPN Log	         [Tunnel Negotiation Info] >>> Responder Send Main Mode 6th packet
    May 6 01:26:37 2007	    VPN Log	         [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
    May 6 01:26:37 2007	    VPN Log	         [Tunnel Negotiation Info] Initiator Cookies = 5bde 2bb6 8afe 1998
    May 6 01:26:37 2007	    VPN Log	         [Tunnel Negotiation Info] Responder Cookies = 6936 27c6 5fb7 597b
    May 6 01:26:38 2007	    VPN Log	         [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
    May 6 01:26:38 2007	    VPN Log	         [Tunnel Negotiation Info] Inbound SPI value = 41ef5bbe
    May 6 01:26:38 2007	    VPN Log	         [Tunnel Negotiation Info] Outbound SPI value = 6194b232
    May 6 01:26:38 2007	    VPN Log	         [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
    May 6 01:26:38 2007	    VPN Log	         [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
    May 6 01:26:38 2007	    VPN Log	         [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
    
    AND IT WORKS.

    I'm able to ping, telnet and even access the RV042 admin pages thru the connection.

    It was a brute force connection:

    1) Used a web browser to simulate the HTTPS authentication and retrieve the PSK
    2) Added the PSK to a batch file to issue all the Windows Vista IPSEC commands (based on netsh)
    3) Tried a ping.... and voila! Working!

    Here is the batch file I used:

    Code:
    @echo off
    rem PSK as returned by the router in the StartConnection.htm response
    set PSK=**the retrieved PSK goes here**
    rem Router WAN address (tunnel endpoint), client address, remote LAN and mask
    set GW=11.10.10.254
    set ME=11.10.10.1
    set REM_NET=192.168.1.0
    set REM_MASK=24
    
    rem Start from a clean dynamic IPsec configuration
    netsh ipsec dynamic delete all
    
    rem Quick mode (phase 2): ESP with 3DES/MD5, PFS group 1, rekey at 50000 KB or 3600 s
    netsh ipsec dynamic add qmpolicy name=QuickVPN pfsgroup=grp1 qmsecmethods="ESP[3DES,MD5]:50000K/3600S"
    rem Main mode (phase 1): 3DES with SHA1 or MD5, DH group 2 or 3, in order of preference
    netsh ipsec dynamic add mmpolicy name=QuickVPN mmsecmethods="3DES-SHA1-2 3DES-MD5-2 3DES-SHA1-3"
    
    rem Outbound rule: client -> remote LAN, tunnelled to the router's WAN address
    netsh ipsec dynamic add rule mmpolicy=QuickVPN qmpolicy=QuickVPN srcaddr=%ME% dstaddr=%REM_NET% dstmask=%REM_MASK% mirror=no conntype=lan psk=%PSK% tunneldstaddr=%GW%
    rem Inbound rule: remote LAN -> client, tunnel endpoint is the client itself
    netsh ipsec dynamic add rule mmpolicy=QuickVPN qmpolicy=QuickVPN dstaddr=%ME% srcaddr=%REM_NET% srcmask=%REM_MASK% mirror=no conntype=lan psk=%PSK% tunneldstaddr=%ME%
    
    The main change I made was to reinstall Vista and move from a Home Premium to an Ultimate version. I'm not sure if there was a problem with the IPSec code in the Home Premium version (I will look into that), but I'm glad it's working.

    What I will try next is to hack the original QuickVPN code to allow it to run under Vista. I guess I can manually replace one of the modules (the module that actually sets up the policies).

    Next:

    - Keep it running for a few hours to see how resilient it is. I was able to get a Group VPN running for 10 hours! Need to check how it behaves when SAs expire.

    - See what I need to change in the Marcus Müller's IPSEC.EXE source to allow it to run under Vista with the proper commands (replace ipseccmd with netsh among other changes)

    - Create a temporary package for others to test, if it's not a problem with Linksys. If I can't do it, at least I can distribute the hacked IPSEC.EXE module and instructions on how to install QuickVPN under Vista.
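The two router logs in this thread (the stalled negotiation in post 9 and the completed one above) differ only in whether quick mode is reached. As an added example, not from the thread or from Linksys, here is a small parser for RV0xx VPN log lines in both layouts that reports how far the negotiation got and, for the stalled case, which tunnel selector the router could not match. The sample lines are constructed from the posted logs.

```python
import re

# Timestamp, category, free text; \s+ absorbs both the single spaces of the
# post-9 layout and the tab runs of the post-10 layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<cat>VPN Log|Connection Accepted)\s+(?P<msg>.*\S)\s*$")
PEER_RE = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([\d.]+)'")
SPI_RE = re.compile(r"(Inbound|Outbound) SPI value = ([0-9a-f]+)")
# 'local_net===gateway...peer' is how the router names the tunnel it looked for.
NOCONN_RE = re.compile(r"no connection is known for "
                       r"(?P<local>\S+?)===(?P<gw>[\d.]+?)\.\.\.(?P<peer>[\d.]+)")

def parse_line(line):
    """Split one router log line into ts / cat / msg, or None if it is not one."""
    m = LINE_RE.match(line)
    return None if m is None else m.groupdict()

def summarize(lines):
    """Walk a negotiation and record how far it got and why it stopped."""
    state = {"peer": None, "phase1": False, "phase2": False,
             "spi_in": None, "spi_out": None, "refused_for": None}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := PEER_RE.search(msg):
            state["peer"] = m.group(1)
        elif "Main Mode Phase 1 SA Established" in msg:
            state["phase1"] = True
        elif "Quick Mode Phase 2 SA Established" in msg:
            state["phase2"] = True
        elif m := SPI_RE.search(msg):
            state["spi_in" if m.group(1) == "Inbound" else "spi_out"] = m.group(2)
        elif m := NOCONN_RE.search(msg):
            state["refused_for"] = m.groupdict()
    return state

def verdict(state):
    """One-line diagnosis in the terms the thread uses."""
    if state["phase2"]:
        return "tunnel up"
    if state["phase1"] and state["refused_for"]:
        r = state["refused_for"]
        return ("phase 1 up, phase 2 refused: router has no tunnel for "
                f"{r['local']} between {r['gw']} and {r['peer']}")
    if state["phase1"]:
        return "phase 1 up, phase 2 not reached"
    return "phase 1 not established"

# Constructed sample lines modelled on the two logs posted in the thread.
STALLED = [
    "Dec 31 17:19:48 2002 VPN Log Main mode peer ID is ID_IPV4_ADDR: '11.10.10.1'",
    "Dec 31 17:19:48 2002 VPN Log [Tunnel Negotiation Info] Main Mode Phase 1 SA Established",
    "Dec 31 17:19:48 2002 VPN Log Cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===11.10.10.254...11.10.10.1",
]
UP = [
    "May 6 01:26:37 2007\t    VPN Log\t         Main mode peer ID is ID_IPV4_ADDR: '11.10.10.1'",
    "May 6 01:26:37 2007\t    VPN Log\t         [Tunnel Negotiation Info] Main Mode Phase 1 SA Established",
    "May 6 01:26:38 2007\t    VPN Log\t         [Tunnel Negotiation Info] Inbound SPI value = 41ef5bbe",
    "May 6 01:26:38 2007\t    VPN Log\t         [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected",
]
```

Running `verdict(summarize(STALLED))` and `verdict(summarize(UP))` gives the post-9 and post-10 diagnoses respectively.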
     
  11. aviegas

    aviegas Network Guru Member

    Notes on the reliability test: up for more than 6 hours. 7 SAs exchanged without a single error.

    Also, I can consistently turn it on and off.
     
  12. parax

    parax LI Guru Member

    Seems to be a good solution!

    Could you give me a hint what to fill into the following fields?

    set PSK= KEYKEYKEY - pre shared key, right? :)
    set GW= WAN IP OF THE VPN ROUTER - Gateway? WAN IP of the VPN router?
    set ME= 192.168.100.2 - My IP on the computer from where I try to create a tunnel?
    set REM_NET= 192.168.2.0 - The network itself behind the VPN router?
    set REM_MASK=24


    When I use that config it doesn't work. The following errors occur:

    C:\>netsh ipsec dynamic add qmpolicy name=QuickVPN pfsgroup=grp1 qmsecmethods="E
    SP[3DES,MD5]:50000K/3600S"
    FEHLER Win32[01702]: Die Bindungsnummer ist unzulässig.


    C:\>netsh ipsec dynamic add mmpolicy name=QuickVPN mmsecmethods="3DES-SHA1-2 3DE
    S-MD5-2 3DES-SHA1-3"
    FEHLER Win32[01702]: Die Bindungsnummer ist unzulässig.


    C:\>netsh ipsec dynamic add rule mmpolicy=QuickVPN qmpolicy=QuickVPN srcaddr=192
    .168.100.2 dstaddr=192.168.2.0 dstmask=24 mirror=no conntype=lan psk=KEYKEYKEY tunn
    eldstaddr=WAN IP OF THE VPN ROUTER
    FEHLER IPsec[06051]: Angegebene Hauptmodusrichtlinie ist nicht vorhanden.


    C:\>netsh ipsec dynamic add rule mmpolicy=QuickVPN qmpolicy=QuickVPN dstaddr=192
    .168.100.2 srcaddr=192.168.2.0 srcmask=24 mirror=no conntype=lan psk=KEYKEYKEY tunn
    eldstaddr=192.168.100.2
    FEHLER IPsec[06051]: Angegebene Hauptmodusrichtlinie ist nicht vorhanden.


    I would appreciate any help from you. :)
     
  13. aviegas

    aviegas Network Guru Member

    My German is terrible :) Sorry!

    What Windows version are you using? This works only on Windows Vista. Commands for Windows XP and Windows 2000 are different (each version uses a different set of commands).
     
  14. parax

    parax LI Guru Member

    Oh, I am using Windows Vista Ultimate. That's the reason why I tried it, because QuickVPN doesn't work (yet) on Vista.
     
  15. darrenwu

    darrenwu LI Guru Member

    aviegas:

    I am using Vista Enterprise. My VPN is down since QuickVPN doesn't support Vista. Sounds like you made it happen again. Can you post a guide on how to let Vista talk with the Linksys VPN router? As detailed as possible.

    Please please, Thank you a lot.
     
  16. aviegas

    aviegas Network Guru Member

    Stay tuned for a small tool that will perform the same task as QuickVPN and will work under Vista. The manual process is too complex to be practical (and is already described in detail in this thread).

    Stay tuned....
     
  17. aviegas

    aviegas Network Guru Member

    Check the QuickVPNPlus thread. It's based on the method described here.

    http://www.linksysinfo.org/forums/showthread.php?t=52876

    It should support 2000/2003/XP/Vista, and fixes several problems with QuickVPN. Soon there will be a GUI version, but the line mode version works like a charm.
     
  18. hackman777

    hackman777 LI Guru Member

    Thanks for the specs!

    Hey, thanks for listing the inner workings of that goofy QuickVPN application.

    I was beating my head against the wall trying to figure out why every time I connected it would give me an error in my vpnserver.conf file that said:

    -102 : The remote protected network and local protected network conflict

    After reading your command-line specs I realized my problem...

    My remote client was on a 192.168.1.x network and so was every machine behind the router at the office... Duh.

    I changed my local network (remote client network) to 10.0.0.x and I was in like Flint.

    Have a nice day!:)
     
