From: users-admin@lists.freeswan.org on behalf of Adam Lambert [a@qsec.com]
Sent: Wednesday, October 03, 2001 3:45 PM
To: Axel Thimm; Jean-Francois Nadeau
Cc: Ad Koster; users@lists.freeswan.org
Subject: Re: [Users] Re: Freeswan 1.91 and Windows2000 Professional
I was the original "use cygwin awk" poster. I stopped using freeswan
though shortly after posting the message because I was unable to run
freeswan on my _alpha_ processor gateway with more than 1 tunnel reliably.
I happened to catch this post nonetheless, and went back and found the
script I used to use. There are two parts - a .cmd file, and a supplementary
.awk file. You basically run the .cmd file, which takes 1 parameter - a
minimally unique match string for the name of the network adapter you
are connecting through (i.e., which IP address you are known as).
Awk parses the output of ipconfig for a line matching this "match string"
and grabs the IP address 3 lines below to use. You can probably create a
better regex to find the IP, but this suffices.
To use this, you need minimally:
awk.exe (one is available in the cygnus dist)
cygwin1.dll (assuming your awk needs it)
ipsecpol.exe (from the win2k resource kit)
ipsecutil.dll (needed by ipsecpol.exe)
text2pol.dll (needed by ipsecpol.exe)
Microsoft services for unix might also have awk.. anyone know?
You should be able to dump all the above, and the following two files in
a directory in your PATH and be all set.
separately, DOES ANYONE SUCCESSFULLY USE FREESWAN ON AN ALPHA ?
Anyway, hope it helps. Files follow.
here's vpnup.cmd:
=-=-=-=-=-=-=-=-=
@echo off
rem vpnup.cmd
rem - creates a windows 2000 preshared secret roadwarrior tunnel-mode vpn.
rem - uses freeswan ipsec.conf-type vars for ease.. we are 'right',
rem - the linux freeswan gateway is 'left'
rem - specify on the cmd line a specific match pattern for your network card
rem - specify your PRESHARE'd secret, LEFT, and LEFTSUBNET below
rem take the NIC match pattern from the first command-line argument
set NICMATCH=%1
if not defined NICMATCH goto usage
set LEFT=12.34.56.78
set LEFTSUBNET=192.168.1.0/255.255.255.0
set PRESHARE=itsasecret
rem -------
rem ask awk for the IP address of the adapter matching NICMATCH; the carets
rem keep the pipe and the equals sign from being eaten by the for /f parser
for /f %%i in ('ipconfig^|awk -v nic^=%NICMATCH% -f vpnup.awk') do set MYIP=%%i
if not defined MYIP goto noip
echo vpnup: Setting up %MYIP%------%LEFT% (%LEFTSUBNET%)
rem throw away any previously installed dynamic policies
ipsecpol -u
rem outbound filter: this host (0) to LEFTSUBNET, tunnel endpoint is the gateway
ipsecpol -f 0=%LEFTSUBNET%:: -n ESP[3DES,MD5]3600SPFS -t %LEFT% -1s 3DES-MD5-2 -1p -a PRESHARE:"%PRESHARE%"
rem inbound filter: LEFTSUBNET to this host, tunnel endpoint is our own IP
ipsecpol -f %LEFTSUBNET%:=0:: -n ESP[3DES,MD5]3600SPFS -t %MYIP% -1s 3DES-MD5-2 -1p -a PRESHARE:"%PRESHARE%"
goto end
:noip
echo vpnup: no IP address found for an adapter matching "%NICMATCH%".
goto end
:usage
echo enter a NIC match string.
:end
here's vpnup.awk:
=-=-=-=-=-=-=-=-=
# vpnup.awk - run by vpnup.cmd with -v nic=<match string> on ipconfig output
BEGIN { RS = "\n"; FS = ":" }   # one record per line, fields split on ":"
$0 ~ nic {                      # adapter heading matched the pattern
    getline                     # skip the blank line
    getline                     # skip the DNS suffix line
    getline                     # Win2K ipconfig: "IP Address ... : x.x.x.x"
    print $2                    # the text after the ":" is the address
}
On Tue, 2 Oct 2001 20:03:56 +0200, Axel Thimm wrote:
>Hello Jean-Francois, hello users,
>
>On Wed, Sep 05, 2001 at 09:25:12AM -0400, Jean-Francois Nadeau wrote:
>> [...] I was able to create a host to subnet configuration with Win2k on one
>> side and a static IP. The problem with a roadwarrior configuration is a
>> single parameter that requires a valid IP. It is the tunnel endpoint
>> defined in the Win2k IPsec filter, or "left" in freeswan. If I could
>> validate 0.0.0.0 or anything that means "my current ip", a true roadwarrior
>> setup would work. The Win2k interface to ipsec is the problem.
>
>this is exactly what I am experiencing. W2K can only do "dynamic" IPs with
>transport mode - but this does not work with NAT/PATs on the way, so the IP
>must be an official assigned one, which is usually true for dialup
>connections.
>
>But for private subnets with a masquerading gateway only the tunnel mode is
>applicable. But W2K does not allow dynamic IP, as you write :(
>
>> I read about a workaround on the list.... use the command line ipsecpol
>> program to rewrite the ipsec policy at every boot or ip change on Win2k. I
>> did not try it yet... but I will.
>
>I am very interested in details - especially in how one could use native
>Windows scripting stuff to get the right IP to stuff in.
>
>I looked up the original post and had to find out, that he was using cygwin
>tools to sed/awk ipconfig output to feed ipsecpol :(
>
>I don't think W2K is sophisticated enough to have its awk/sed equivalent, but
>I'd be glad to hear otherwise.
>
>BTW did anyone try to feed ipsecpol with 0.0.0.0? Maybe some miracle ...
>
>Regards, Axel.
>--
>Axel.Thimm+freeswan@physik.fu-berlin.de
>_______________________________________________
>Users mailing list
>Users@lists.freeswan.org
>http://lists.freeswan.org/mailman/listinfo/users
>
=-=-=-=-=-=-=-=
Adam Lambert : email- a@qsec.com, ICQ- 22744531
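The "better regex" the post alludes to, as an added example that is not part of the original message or the FreeS/WAN project: instead of trusting that the IP address sits exactly 3 lines below the adapter heading, this awk script tracks which adapter block it is in and pulls the dotted quad from that block's "IP Address" line, failing cleanly when no adapter matches. The ipconfig output embedded below is constructed to resemble Windows 2000 output; on a real machine you would pipe `ipconfig` into find_ip (via cygwin awk, as the post describes).

```shell
#!/bin/sh
# Constructed sample of Windows 2000 "ipconfig" output (not a real capture).
SAMPLE_IPCONFIG='
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1

PPP adapter Dialup ISP:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.20.30.40
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.20.30.40
'

# find_ip NICMATCH: read ipconfig output on stdin and print the IP address of
# the first adapter whose heading matches NICMATCH (an awk regex).
# Exit status 1 and no output if no matching adapter has an IP Address line.
find_ip() {
    awk -v nic="$1" '
        # Adapter headings are unindented lines ending in ":".
        /^[^ \t].*:[ \t]*$/ { inblock = ($0 ~ nic); next }
        # Inside a matching block, extract the first dotted quad on the IP line.
        inblock && /IP Address/ {
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                print substr($0, RSTART, RLENGTH)
                found = 1
                exit
            }
        }
        END { exit(found ? 0 : 1) }'
}

# find_ip_sample NICMATCH: same lookup run against the constructed sample.
find_ip_sample() {
    printf '%s\n' "$SAMPLE_IPCONFIG" | find_ip "$1"
}
```

Because the function exits non-zero on no match, a wrapper script can refuse to call ipsecpol with an empty address rather than installing a broken policy.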