• Finally, a working, *free* VPN client for Windows 7, including 64.

    As I know many here are looking for a VPN Client for Win7 working with
    Bordermanager, I spent some time to try something out, and found a
    solution that's not perfect (yet), but IMHO good enough to be published.
    I've not finished my full documentation yet, but I nevertheless post the
    information now.

    This is the client that works:


    There are some restrictions you will have to live with for now:

    1. You have to manually configure the protected Networks in the VPN
    Client. It can't (at least I couldn't make it work) pull the protected
    network policy from the BM, like the Novell client does.

    2. Currently, the rekeying of the IKE key when it expires doesn't work,
    and the client loses the connection when it's time to rekey. *But*, I've
    successfully configured the client to use a key lifetime of 28800
    seconds, i.e. 8 hours. That should be good for most setups.

    So, here are the basics:

    The client works in Certificate Mode (and also Preshared Key, but that's
    not really a supported setup in Bordermanager for clients, so I'll
    concentrate on Cert mode only).

    So, the prerequisites are, first of all, Bordermanager 3.9, fully
    patched. No way for BM3.8, sorry.

    Second, your VPN Server Certificate for the BM Server needs to be in
    good shape (which it probably isn't for many here, as the default one
    expires after 2 years, which, unless you also run a S2S VPN, goes

    Third, you need to create custom User Certificates for every VPN User in
    iManager. *Custom* is important, because the key usage must be manually
    specified to include all three options, Digital Signature, Key
    Encipherment and Data Encipherment.

    Last but not least, you need to export the user certificate (*including
    private key*), and convert it into .pem format. You can use OpenSSL to do
    that. Here's a doc showing the necessary commands:


    You also need a *current* copy of your CA root certificate
    (sys:\public\rootcert.der on Netware), and convert that to .pem format too.

    This is all, so these are the options you need to set in the client, or
    rather the settings that worked for me. Here, for brevity, I'll only list
    those that are non-default:

    In the "General" Tab, as Address Method, choose "Use an existing Adapter
    and current address"

    In the "Client" Tab, disable Ike Fragmentation, and "Enable Client Login

    In the "Name Resolution" Tab, for initial testing, disable everything.
    You can later configure a potential internal DNS server.

    Now the key page: The "Authentication" Tab:

    Authentication Method: "Mutual RSA"

    Local Identity:

    Identification Type: ASN.1 Distinguished Name, and "use the subject in
    the client certificate" enabled.

    Remote Identity: ANY.

    Credentials: You need to fill in the paths to your previously exported
    and converted certificates and the key.

    "Phase 1" Tab:

    Exchange Type: Main

    DH Exchange: Auto

    Cipher Algorithm: 3des

    Hash Algorithm: sha1 (md5 should work too).

    "Phase 2" Tab:

    Transform Algorithm: esp-3des

    HMAC Algorithm: md5 (again, sha1 should work here, may test)

    PFS Exchange: disabled (this must be disabled in BM too (Perfect Forward
    Secrecy). I didn't test if both sides set to "enabled" works).

    Compress Algorithm: disabled.

    Key Life Time: 28800 (this is the above-mentioned setting to avoid the
    problem with the failing rekeying).

    "Policy" Tab:

    Policy Generation Level: Auto.

    Maintain persistent SAs: disabled.

    Obtain Topology automatically or Tunnel all: disabled. (My Client
    traffic rules include only one subnet. I know many BM setups are
    configured to encrypt all Networks, I haven't tested if this setting
    enabled works in such a setup).

    Now you need to manually add every protected resource (network) exactly
    as configured on your BM. You can see the protected Networks in the BM
    VPN client when it has a connection.

    That should do it. I will hopefully produce a more detailed graphic
    documentation for all necessary steps soon, especially the Bordermanager
    Setup and configuration for Certificate mode.

    Please feel free to post here for comments and questions.

    Have fun!

    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    This article was originally published in forum thread: Finally, a working, *free* VPN client for Windows 7, including 64. started by mrosen
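The post's certificate prerequisites (a user certificate exported with its private key and converted to .pem, a current root certificate converted from .der, and a key usage covering Digital Signature, Key Encipherment and Data Encipherment) can be checked from the command line before touching the client. The script below is an added example, not part of the original post or of any Novell/BorderManager tool: it assumes only the `openssl` CLI. The root CA, the "good" and "weak" user certificates and their PKCS#12 exports are constructed throw-away test material standing in for rootcert.der and the .pfx exported from iManager; the conversion and check functions are what you would run on the real files.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes only the openssl CLI.
# All certificates below are CONSTRUCTED test material; in real use, point
# pfx_to_pem/der_to_pem at the iManager export and rootcert.der instead.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper for chatty openssl commands

# Convert an exported PKCS#12 bundle into the PEM cert and PEM key the
# client wants.  $1=.pfx  $2=export password  $3=cert out  $4=key out
pfx_to_pem() {
    q openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
    q openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4"
}

# Convert the DER root certificate (sys:\public\rootcert.der) to PEM.
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Succeeds only if the cert carries all three key-usage bits the post
# says a custom user certificate must have.
check_key_usage() {
    txt="$(openssl x509 -in "$1" -noout -text)"
    for bit in "Digital Signature" "Key Encipherment" "Data Encipherment"; do
        printf '%s\n' "$txt" | grep -q "$bit" || return 1
    done
}

# Succeeds if the user cert is not expired, chains to the root and the
# exported private key really belongs to it.  $1=root.pem $2=cert $3=key
check_credentials() {
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || return 1
    q openssl verify -CAfile "$1" "$2" || return 1
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ]
}

# ---- constructed test material (stand-in for the server-side exports) ----
q openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/O=Test/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
q openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/rootcert.der"

# issue_user NAME KEYUSAGE -> $WORK/NAME.pfx (cert + key, like an iManager export)
issue_user() {
    q openssl req -newkey rsa:2048 -nodes -subj "/O=Test/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr"
    printf 'keyUsage=critical,%s\n' "$2" > "$WORK/$1.ext"
    q openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 7 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt"
    q openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -passout pass:export -out "$WORK/$1.pfx"
}
issue_user good "digitalSignature,keyEncipherment,dataEncipherment"  # as the post requires
issue_user weak "digitalSignature"                                   # two bits missing

# ---- the actual workflow ------------------------------------------------
der_to_pem "$WORK/rootcert.der" "$WORK/root.pem"
pfx_to_pem "$WORK/good.pfx" export "$WORK/good.pem" "$WORK/good.key.pem"
pfx_to_pem "$WORK/weak.pfx" export "$WORK/weak.pem" "$WORK/weak.key.pem"

for u in good weak; do
    if check_key_usage "$WORK/$u.pem" \
       && check_credentials "$WORK/root.pem" "$WORK/$u.pem" "$WORK/$u.key.pem"; then
        echo "$u: certificate usable for Mutual RSA"
    else
        echo "$u: NOT usable (key usage, validity, chain or key mismatch)"
    fi
done
```

Run it with `sh` on a machine that has OpenSSL; the "weak" certificate is rejected by `check_key_usage` while the "good" one passes both checks, which is the difference between a default iManager certificate and the custom one the post asks for. The `-checkend 0` test catches the expired-after-two-years server and root certificates mentioned above before they cost you an afternoon of IKE debugging.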