IPSEC VPN client configuration

21 April, 2005

The IPSec protocol is fully supported by iNODE from version 1.2.3 onwards. It can operate either in IPSec Gateway mode or in Roadwarrior[1] mode. For details on configuring iNODE’s IPSec, refer to the Configuring iNODE chapter of the manual.

IPSec VPN Clients for Windows

iNODE’s IPSec services have been tested with a number of MS Windows VPN Clients. The following table shows those clients and their offered functionality.

In this appendix we refer only to the MS Windows 2000/XP native IPSec client, which, unlike the clients listed above, comes with MS Windows at no additional cost.

Installing IPSec Client for Windows 2000 / XP

To install the client you will need the following:

1) Marcus Müller's Windows 2000 VPN Client Tool: http://vpn.ebootis.de/

2) A client certificate in P12 format issued by a certificate authority trusted by iNODE[2].

3) The DN of the CA that issued the certificate

4) The IP address of the VPN server to connect to

5) The MS Windows Management console plug-in ipsec.msc.

6) For Windows 2000, you should have at least Service Pack 2 installed, together with the MS Internet Protocol Security Policies Tool, which can be obtained from: http://agent.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp

7) For Windows XP, you should have installed the Windows XP Support Tools from the Windows XP installation CD.

Setting up the management console plug-in

1) Start->Run…->MMC

2) From the Console (Win 2000) or File (Win XP) menu, click the Add/Remove Snap-in… menu item.

3) From the Add/Remove Snap-in dialogue, in the Standalone tab click the Add button.

4) From the list of the available snap-ins click and select Certificates and then click the Add button.

5) Click the Computer account option and then click Next.

6) In the Select Computer dialogue click the Local Computer and then click the Finish button.

7) In the Add Standalone Snap-In dialogue again click and select the IP Security Policy Management and then click the Add button.

8) In the next dialogue click the Local Computer option and then click the Finish button.

9) Click the Close button and then click the OK button.

10) From the menu option Console or File click on Save As… to save the management console plug-in you just generated.

Installing the VPN Client Tools

To install the certificate you need to import it from the Management console plug-in that you just generated.

1) Click and expand Certificates (Local Computer).

2) Right click Personal and then from All Tasks click Import.

3) Click the Next button.

4) Click Browse, then locate and select the .p12 certificate that you have already stored somewhere on your computer. Then click Open.

5) Click Next.

6) In the Password box enter the password you used when issuing the certificate and then click Next.

7) In the Certificate Store screen select the option to automatically select the certificate store based on the type of certificate, click Next and then Finish.

8) If the import succeeds, click OK on the final dialogue that informs you of this. Finally close the MMC.

Having imported the certificate you should now install and configure the VPN client tool.

1) Create a folder c:\ipsec and unpack the VPN tool into it.

2) To configure the ipsec utility, you first need to create an ipsec.conf file containing all the parameters for the connection. All parameters must match those defined and configured in the iNODE VPN Server configuration. A typical ipsec.conf file looks as follows:

conn roadwarrior


conn roadwarrior-net



· The conn keyword introduces a connection and is followed by the connection name, which can be anything you like. Make sure that there are no spaces before the conn keyword. The lines that follow conn and belong to that connection must be indented, either with spaces or with tabs.

· In the same config file you can define more than one connection, as shown in the example above. The first connection, roadwarrior, refers to the connection to the iNODE VPN Server itself, while the second one refers to the rightsubnet located behind the iNODE server.

· In the left parameter enter the client IP address from which the connection will be established. If you set it to %any, the client IP address is selected automatically.

· In the right parameter enter the hostname or IP address of the VPN server that you wish to connect to.

· In the rightsubnet parameter enter the subnet you wish to access once the connection is established. The subnet can be given in the form x.x.x.x or x.x.x.x/bits.

· In the rightca parameter enter the DN of the Certificate Authority that issued the certificate used for authentication with the server. To find the DN, refer to the CA Management section of iNODE’s configuration interface.

· In the pfs parameter enter yes or no, depending on how you have configured the connection on the iNODE server. Please refer to the Configuring an IPSec Connection section of this manual.
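The following is an added example, not part of this manual and not code from the ipsec.exe tool: it embeds a constructed ipsec.conf with the two connections described above and checks it against the layout and parameter rules just listed (conn at column 0, indented parameter lines, left as %any or an IP address, rightsubnet as x.x.x.x or x.x.x.x/bits, pfs as yes or no). The server name vpn.example.com, the CA DN and the subnet 192.168.10.0/24 are placeholders to be replaced with the values configured on the iNODE VPN Server; the network= and auto= keys are not described in this appendix and are assumed from the ipsec.exe tool's own documentation.

```python
"""Sanity-check an ipsec.conf written for Marcus Mueller's ipsec.exe tool.

Added example for this appendix; not code from the iNODE manual or from the
ipsec.exe tool. The sample configuration below is constructed: the server
address, CA DN and subnet are placeholders to be replaced with the values
configured on the iNODE VPN Server.
"""
import ipaddress

# Parameters the appendix describes, plus two keys of the ipsec.exe tool
# (network=, auto=) that the appendix does not cover; those two are assumed
# from the tool's own documentation rather than from this text.
KNOWN_KEYS = {"left", "right", "rightsubnet", "rightca", "pfs", "network", "auto"}

# Constructed sample: the first conn reaches the iNODE server itself, the
# second the subnet behind it. Both authenticate against the same CA.
SAMPLE_CONF = """\
conn roadwarrior
    left=%any
    right=vpn.example.com
    rightca="C=GR, O=Example Ltd, CN=Example VPN CA"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right=vpn.example.com
    rightsubnet=192.168.10.0/24
    rightca="C=GR, O=Example Ltd, CN=Example VPN CA"
    network=auto
    auto=start
    pfs=yes
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} using the layout rules of the appendix:
    'conn NAME' must start at column 0, and every parameter line that belongs
    to it must be indented with spaces or tabs."""
    conns = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "conn" or line.startswith("conn "):
            if raw[0] in " \t":
                raise ValueError(f"line {lineno}: 'conn' must not be indented")
            name = line[4:].strip()
            if not name:
                raise ValueError(f"line {lineno}: conn without a name")
            current = name
            conns[name] = {}
            continue
        if raw[0] not in " \t":
            raise ValueError(f"line {lineno}: {line!r} is neither 'conn' nor an indented parameter")
        if current is None:
            raise ValueError(f"line {lineno}: parameter before the first conn")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def check_conn(name, params):
    """Return a list of problems for one connection, following the parameter
    rules of the appendix (left, right, rightsubnet, rightca, pfs)."""
    problems = []
    for key in ("left", "right", "rightca"):
        if key not in params:
            problems.append(f"{name}: missing required parameter {key}")
    left = params.get("left")
    if left is not None and left != "%any":
        try:
            ipaddress.ip_address(left)
        except ValueError:
            problems.append(f"{name}: left must be %any or the client IP, got {left!r}")
    subnet = params.get("rightsubnet")
    if subnet is not None:
        try:
            # strict=False accepts both x.x.x.x and x.x.x.x/bits
            ipaddress.ip_network(subnet, strict=False)
        except ValueError:
            problems.append(f"{name}: rightsubnet must be x.x.x.x or x.x.x.x/bits, got {subnet!r}")
    pfs = params.get("pfs")
    if pfs is not None and pfs not in ("yes", "no"):
        problems.append(f"{name}: pfs must be yes or no, got {pfs!r}")
    for key in sorted(set(params) - KNOWN_KEYS):
        problems.append(f"{name}: unknown parameter {key}")
    return problems


def check_conf(text):
    """Parse a whole ipsec.conf and return all problems found (empty if OK)."""
    problems = []
    for name, params in parse_ipsec_conf(text).items():
        problems.extend(check_conn(name, params))
    return problems


if __name__ == "__main__":
    for line in check_conf(SAMPLE_CONF) or ["ipsec.conf looks consistent"]:
        print(line)
```

Run it against your own file with `check_conf(open(r"c:\ipsec\ipsec.conf").read())` before starting ipsec.exe; a mistyped subnet mask or an indented conn line is reported with its line number instead of surfacing later as a silent negotiation timeout.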

3) Having set up the client certificates and configured the ipsec.conf file, create a shortcut to C:\IPSEC\ipsec.exe on your desktop. The IPSec utility needs to be executed each time you connect to the internet, so that it can update its parameters with the new IP address that is assigned to you each time. Once you have run ipsec.exe, the negotiation and authentication process with the server is initiated as soon as the first traffic matching an IPSec policy defined in the conf file is generated. This negotiation can sometimes take a little longer, so you may experience timeouts while you try to connect. The parameters that you have set up are kept by the system, even between reboots.

If you wish to disable IPSec, execute C:\IPSEC\ipsec.exe with the -off parameter from the command line. If you want to reset and delete the parameters, execute the utility with the -delete option, which erases the configuration from your computer.

In case you experience difficulties or you cannot establish a connection, please make sure that the ipsec service is running with the use of the Windows Services console.

The status of the IPSEC Policy Agent entry should be Started and its startup type should be set to Automatic.


Although P12 certificates are password protected, you should still take particular care when distributing them.

For further support or clarifications please contact the Dataways support team.

[1] In IPSec terminology a roadwarrior is a system with a dynamic IP address that communicates over IPSec with another system.

[2] Usually this will have been issued by the iNODE’s CA Management interface.