As I know many here are looking for a VPN Client for Win7 working with
Bordermanager, I spent some time to try something out, and found a
solution that's not perfect (yet), but IMHO good enough to be published.
I've not finished my full documentation yet, but I nevertheless post the
information now.

This is the client that works:


There are some restrictions you will have to live with for now:

1. You have to manually configure the protected networks in the VPN
client. It can't (at least I couldn't make it work) pull the protected
network policy from the BM, like the Novell client does.

2. Currently, the rekeying of the IKE key when it expires doesn't work,
and the client loses the connection when it's time to rekey. *But*, I've
successfully configured the client to use a key lifetime of 28800
seconds, i.e. 8 hours. That should be good for most setups.

So, here are the basics:

The client works in Certificate Mode (and also Preshared Key, but that's
not really a supported setup in Bordermanager for clients, so I'll
concentrate on Cert mode only).

So, the prerequisites are, first of all, Bordermanager 3.9, fully
patched. No way for BM3.8, sorry.

Second, your VPN Server Certificate for the BM Server needs to be in
good shape (which it probably isn't for many here, as the default one
expires after 2 years, which, unless you also run a S2S VPN, goes
Third, you need to create custom User Certificates for every VPN user in
iManager. *Custom* is important, because the key usage must be manually
specified to include all three options: Digital Signature, Key
Encipherment and Data Encipherment.

Last but not least, you need to export the user certificate (*including
the private key*) and convert it into .pem format. You can use OpenSSL to do
that. Here's a doc showing the necessary commands:


You also need a *current* copy of your CA root certificate
(sys:\public\rootcert.der on NetWare), and convert that to .pem format too.

That's all for the prerequisites. These are the options you need to set in
the client, or rather the settings that worked for me. For brevity, I'll
only list those that are non-default:

In the "General" Tab, as Address Method, choose "Use an existing Adapter
and current address"

In the "Client" Tab, disable IKE Fragmentation, and "Enable Client Login

In the "Name Resolution" Tab, for initial testing, disable everything.
You can later configure a potential internal DNS server.

Now the key page: The "Authentication" Tab:

Authentication Method: "Mutual RSA"

Local Identity:

Identification Type: ASN.1 Distinguished Name, and "use the subject in
the client certificate" enabled.

Remote Identity: ANY.

Credentials: You need to fill in the paths to your previously exported
and converted certificates and the key.

"Phase 1" Tab:

Exchange Type: Main

DH Exchange: Auto

Cipher Algorithm: 3des

Hash Algorithm: sha1 (md5 should work too).

"Phase 2" Tab:

Transform Algorithm: esp-3des

HMAC Algorithm: md5 (again, sha1 should work here, may test)

PFS Exchange: disabled (Perfect Forward Secrecy must be disabled in BM
too; I didn't test whether it works with both sides set to "enabled").

Compress Algorithm: disabled.

Key Life Time: 28800 (this is the above-mentioned setting to avoid the
problem with the failing rekeying).

"Policy" Tab:

Policy Generation Level: Auto.

Maintain persistent SAs: disabled.

Obtain Topology automatically or Tunnel all: disabled. (My client
traffic rules include only one subnet. I know many BM setups are
configured to encrypt all networks; I haven't tested whether enabling
this setting works in such a setup.)

Now you need to manually add every protected resource (network) exactly
as configured on your BM. You can see the protected networks in the BM
VPN client when it has a connection.

That should do it. I will hopefully produce a more detailed graphic
documentation for all necessary steps soon, especially the Bordermanager
Setup and configuration for Certificate mode.

Please feel free to post here for comments and questions.

Have fun!

Massimo Rosen
Novell Knowledge Partner
No emails please!