NOTE: This page applies to the older versions of FreeS/WAN (1.x), and is not recommended any more. It's just here for reference purposes for those of you that really need it. I recommend using the information at: http://www.natecarlson.com/linux/ipsec-x509.php
This document describes how to get FreeS/WAN with the X.509 patches working with both another FreeS/WAN client and a Windows XP / Windows 2000 client with the built-in software, along with the IPSec Tool. If you have any difficulties with this process, please e-mail the FreeS/WAN mailing list, or if you can't get help from there, e-mail me at: natecars@natecarlson.com. Also, if you'd like an alternate way of doing this (IPsec with L2TP), see Jacco de Leeuw's page.
IMPORTANT NOTE: On March 1, 2004, the FreeS/WAN maintainers announced that the FreeS/WAN project is ending, for many reasons. The Openswan project is going to be taking over development. Openswan is based on Super FreeS/WAN, and already includes most of the patches that people wanted. Right now, these directions are still based on FreeS/WAN 1.x. All of my examples and such will work fine on Openswan 1.x; the only difference is that you don't have to patch the code with X.509 and such before building. FreeS/WAN/Openswan 2.x have also been out for a while, and I have not as of yet updated the directions to cover them. All of the basics will work; there are just a few configuration tweaks necessary. Basically, you just need to add 'version 2' to the top of ipsec.conf, and remove the 'plutoload' and 'plutostart' lines. Also, instead of placing host certificates in /etc/ipsec.d/, they need to be in /etc/ipsec.d/certs/.
Contents:
Changes made to this document
Packages you will need to download
Installing FreeS/WAN and X.509 Patches
Setting up a Certificate Authority
Generating a Certificate
Installing the Certificate on your Gateway
Configuring FreeS/WAN on the Gateway Machine
Client Setup: FreeS/WAN
Client Setup: Windows 2000/XP
Some common errors, and resolutions for them
Example configuration for a wireless network
References used to write this document
Changes made to this document
$Id: ipsec-x509-fs1.php,v 1.5 2005/09/21 15:54:10 natecars Exp $
[04/06/04] In 'Common errors', add section on how to get rightca correct.
[04/06/04] Some bugfixes to ipsec.conf examples from Paul of the Openswan team.
[04/06/04] Added note under the cert copy section to make sure you set the pw, for non-newbies.
[03/21/04] Added note about FreeS/WAN going away, and Openswan.
[02/13/04] Added update note, saying it's based on 1.9x, and will be updated to 2.x.
[11/13/03] Fix link to Strongsec site; thanks Jima!
[05/06/03] Remove alternate way to get NAT working; add rightsubnetwithin note.
[01/02/03] Link to Jacco de Leeuw's IPSec/L2TP page
[11/21/02] Add a note for FreeS/WAN configuration files saying indentation is important. Thanks Stephen!
[10/14/02] Updated RootCA.der entry in Client section to match with the Server.
[10/10/02] Updated to new template for my main site. Cleaned things up a bit.
[10/10/02] Put everything in CVS, finally.
[10/09/02] Added paths for RH7.x/RH8.x (thanks for the reminder, Johan!)
[08/08/02] Added note in the CA section to make sure that CA cert is longer than the client cert
[06/19/02] Added color highlights to openssl commands; split into more sections
[06/07/02] Switched from pre to classes to fix scrolling annoyances
[05/30/02] Misc cleanup
[04/30/02] Removed 'roadwarrior' conn from wireless section since it's not necessary; added example ipsec.exe output.
[04/18/02] Added 'common errors' section; fixed some type-o's.
[04/16/02] Added changelog.
[04/15/02] Fixed type-o in Windows config section -- I had 'rightnet='; should be 'rightsubnet='.
[04/01/02] Added section with example wireless setup.
Packages you will need to download
You will need to download a couple of files. First of all, the files needed on the server side:
FreeS/WAN itself (get version 1.9.7 or better): ftp://ftp.xs4all.nl/pub/crypto/freeswan
The X.509 Patch for FreeS/WAN (get version 0.9.12 or better): http://www.strongsec.com/freeswan
Patches to add multiple encryption ciphers, etc. (optional): http://www.irrigacion.gov.ar/juanjo/ipsec
Marcus Müller's Windows 2000 VPN Tool: http://vpn.ebootis.de
Installing FreeS/WAN and X.509 Patches
The first step is to get a working FreeS/WAN installation. You need the X.509 patches to allow FreeS/WAN to work with the native Windows 2000/XP client.
Follow the instructions included with the X.509 patch to patch your source tree and install FreeS/WAN. These directions are available within the package, or online at http://www.strongsec.com/freeswan/install.htm#section_3. You will want to follow steps 1-4 under 'Section 3: Installation'. If you would like to support extra authentication and encryption methods, be sure to patch your FreeS/WAN installation with Juanjo's patches (in the 'Packages' section above) before building FreeS/WAN. Note that there are also RPM and Debian packages available, but I recommend building it by hand at least once, so you figure out how things work in case something in the packages is broken.
You will need to perform this installation procedure on the machine you are using as the VPN gateway, and each Linux machine you would like to use as a client.
Setting up a Certificate Authority
One of the most confusing yet important parts of this process is to create your own CA (Certificate Authority). If you have trouble understanding what any of the steps I tell you to do actually does, check the OpenSSL documentation -- it takes a while to grasp the concepts if you aren't a certificate expert. Of course, you can always just follow the directions and hope it works. You can pick any Linux box you'd like to create certificates on -- it's probably simplest to just create them on the box you are using as the VPN gateway, though. Whatever machine you decide to do this on will need OpenSSL installed.
Here's what you need to do:
1) Find your openssl.cnf file. Here are a few locations for various distributions:
Debian: /etc/ssl/openssl.cnf
RedHat 6.x: /var/ssl/openssl.cnf
RedHat 7.x/8.0: /usr/share/ssl/openssl.cnf
Open this file in your favorite editor, and change the 'default_bits' setting from 1024 to 2048. Then, change the 'default_days' setting to something other than 365; I recommend 3650 (this way, your certificates will be valid for 10 years.) If you'd like, you can also set default values for things in the section titled '[ req_distinguished_name ]'. I don't recommend doing this if you don't understand what you're doing, though.
2) Create a directory to house your CA. I generally use something like /var/sslca; you can really use whatever you want. Change the permissions of the directory to 700, so that nobody who isn't supposed to can get at the private keys.
3) Find the command 'CA.sh' (some distributions rename it to just 'CA'; don't ask me why.) Locations on various distributions:
Debian: /usr/lib/ssl/misc/CA.sh
RedHat 6.x: /var/ssl/misc/CA.sh
RedHat 7.x/8.x: /usr/share/ssl/misc/CA
Edit this file, and change the line that says 'DAYS="-days 365"' to a very high number (this sets how long the certificate authority's certificate is valid). Be sure that this number is higher than the number in Step 1, or else Windows may not accept your certificates.
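Because Windows will reject a client certificate that outlives the CA certificate, it is worth checking the two validity settings against each other before you generate anything. The following shell script is an added example for this page, not part of the original instructions: it reads 'default_days' from an openssl.cnf and N from the 'DAYS="-days N"' line of CA.sh and fails unless the CA period is strictly longer. The openssl.cnf and CA.sh contents it is run against are constructed sample files, not copies of any distribution's real files.

```shell
#!/bin/sh
# Added example (not from the original page): make sure the CA certificate
# will outlive the certificates it signs, by comparing default_days in
# openssl.cnf with the DAYS="-days N" setting in CA.sh.

# Print the default_days value from an openssl.cnf (first occurrence).
cnf_default_days() {
    sed -n 's/^[[:space:]]*default_days[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print N from the DAYS="-days N" line in CA.sh (first occurrence).
ca_sh_days() {
    sed -n 's/^[[:space:]]*DAYS="-days[[:space:]]*\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when the CA validity is strictly longer than the certificate
# validity, 1 when it is not or when either value cannot be read.
check_validity_periods() {
    cert_days=$(cnf_default_days "$1")
    ca_days=$(ca_sh_days "$2")
    if [ -z "$cert_days" ] || [ -z "$ca_days" ]; then
        echo "could not read default_days from $1 and DAYS from $2" >&2
        return 1
    fi
    if [ "$ca_days" -gt "$cert_days" ]; then
        echo "ok: CA valid for $ca_days days, certificates for $cert_days days"
        return 0
    fi
    echo "error: CA validity ($ca_days days) must exceed certificate validity ($cert_days days)" >&2
    return 1
}

# Constructed sample files for demonstration; they are not copies of any
# distribution's real openssl.cnf or CA.sh.
write_samples() {
    printf '[ req ]\ndefault_bits = 2048\n\n[ CA_default ]\ndefault_days = 3650\n' > "$1/openssl.cnf"
    printf 'DAYS="-days 3651"\t# CA validity, one day longer than default_days\n' > "$1/CA.sh"
    printf 'DAYS="-days 365"\t# too short: the CA would expire before the certificates it signs\n' > "$1/CA-short.sh"
}

# Stand-alone demonstration: the first check passes, the second fails.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_validity_periods "$demo_dir/openssl.cnf" "$demo_dir/CA.sh"
check_validity_periods "$demo_dir/openssl.cnf" "$demo_dir/CA-short.sh" || true
rm -rf "$demo_dir"
```

Point the two functions at your real files (for example /etc/ssl/openssl.cnf and /usr/lib/ssl/misc/CA.sh on Debian) after editing them in Steps 1 and 3; the check is only as good as the lines it can find, so it refuses to pass when either setting is missing.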
4) Run the command /path/to/CA -newca and follow the prompts, as below. Example input follows each prompt, and my comments follow a '#' at the end of the line (they are not part of the program's output). Be sure not to use any special characters, such as dashes, plus signs, etc.; these characters will mess up Windows's IPsec implementation.
nate@example:~/sslca$ /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
(enter)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
.............................................................................+++
........................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:(enter password)   # This is the password you will need to create any other certificates.
Verifying password - Enter PEM pass phrase:(repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)   # Enter your country code here
State or Province Name (full name) [Some-State]:State(enter)   # Enter your state/province here
Locality Name (eg, city) []:City(enter)   # Enter your city here
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ExampleCo(enter)   # Enter your company name here (or leave blank)
Organizational Unit Name (eg, section) []:(enter)   # OU, if you like. I usually leave it blank.
Common Name (eg, YOUR name) []:CA(enter)   # The name of your Certificate Authority
Email Address []:ca@example.com(enter)   # E-mail address
nate@example:~/sslca$
That's it, you now have your own certificate authority that you can use to generate certificates.
Generating a Certificate
1) First, you need to generate a certificate for your gateway machine. The steps will be the same for other machines, but you need that one first. To do this, follow the steps below:
nate@example:~/sslca$ /usr/lib/ssl/misc/CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
...................................+++
...............................+++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:(enter password)   # Passphrase that encrypts the new private key; you will need it later in ipsec.secrets
Verifying password - Enter PEM pass phrase:(repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)
State or Province Name (full name) [Some-State]:State(enter)
Locality Name (eg, city) []:City(enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ExampleCo(enter)
Organizational Unit Name (eg, section) []:(enter)
Common Name (eg, YOUR name) []:host.example.com(enter)   # This can be a hostname, a real name, an e-mail address, or whatever
Email Address []:user@example.com(enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(enter)
An optional company name []:(enter)
Request (and private key) is in newreq.pem
nate@example:~/sslca$ /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:(password you entered for the ca certificate)
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'State'
localityName :PRINTABLE:'City'
organizationName :PRINTABLE:'ExampleCo'
commonName :PRINTABLE:'host.example.com'
emailAddress :IA5STRING:'user@example.com'
Certificate is to be certified until Feb 13 16:28:40 2012 GMT (3650 days)
Sign the certificate? [y/n]:y(enter)
1 out of 1 certificate requests certified, commit? [y/n]y(enter)
Write out database with 1 new entries
Data Base Updated
(certificate snipped)
Signed certificate is in newcert.pem
2) Next, move the output files to names that make sense.
nate@example:~/sslca$ mv newcert.pem host.example.com.pem
nate@example:~/sslca$ mv newreq.pem host.example.com.key
3) Edit the .key file, and delete everything from the line starting with '-----BEGIN CERTIFICATE REQUEST-----' to the end of the file. After you do this, the file should start with '-----BEGIN RSA PRIVATE KEY-----', and end with '-----END RSA PRIVATE KEY-----'.
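Step 3 can be done without an editor, and it is worth verifying the result, since a .key file that still carries the request block (or that is world-readable) is an easy mistake to make. The script below is an added example and not part of the original page: it copies only the RSA PRIVATE KEY block out of newreq.pem, sets mode 600 on the result, and checks the file's first and last lines. The newreq.pem it works on is a constructed sample with placeholder bodies, not a real key or request.

```shell
#!/bin/sh
# Added example (not from the original page): separate the private key from
# the certificate request that 'CA.sh -newreq' writes together into newreq.pem.

# Print only the lines from BEGIN RSA PRIVATE KEY through END RSA PRIVATE KEY.
extract_private_key() {
    awk '/^-----BEGIN RSA PRIVATE KEY-----$/ { p = 1 }
         p { print }
         /^-----END RSA PRIVATE KEY-----$/ { p = 0 }' "$1"
}

# Sanity-check a finished .key file: it must start and end with the key
# markers and must not contain any CERTIFICATE (request or signed) block.
check_key_file() {
    [ "$(head -n 1 "$1")" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 1
    [ "$(tail -n 1 "$1")" = "-----END RSA PRIVATE KEY-----" ] || return 1
    if grep -q 'CERTIFICATE' "$1"; then return 1; fi
    return 0
}

# Write the .key file from newreq.pem and lock its permissions down, since
# it is key material destined for /etc/ipsec.d/private.
split_newreq() {
    extract_private_key "$1" > "$2"
    chmod 600 "$2"
    check_key_file "$2"
}

# Constructed newreq.pem with placeholder bodies (not a real key or CSR).
# A key written by CA.sh -newreq is passphrase-protected, hence the
# Proc-Type/DEK-Info header and blank line before the body.
write_sample_newreq() {
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' \
        '' \
        'PLACEHOLDERKEYBODY' \
        '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE REQUEST-----' \
        'PLACEHOLDERCSRBODY' \
        '-----END CERTIFICATE REQUEST-----' > "$1"
}

# Stand-alone demonstration.
demo_dir=$(mktemp -d)
write_sample_newreq "$demo_dir/newreq.pem"
if split_newreq "$demo_dir/newreq.pem" "$demo_dir/host.example.com.key"; then
    echo "key extracted:"; cat "$demo_dir/host.example.com.key"
else
    echo "extraction failed" >&2
fi
rm -rf "$demo_dir"
```

On a real CA box you would run split_newreq newreq.pem host.example.com.key in /var/sslca; the certificate request itself is no longer needed once 'CA.sh -sign' has produced newcert.pem.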
Installing the Certificate on your Gateway
This discusses how to install the certificate on your gateway machine. Again, the steps will be the same for each Linux box.
1) Install the files in their proper locations (if installing to a remote machine, create a tarball of the required files, and copy it in a secure manner):
$ cp /var/sslca/host.example.com.key /etc/ipsec.d/private
$ cp /var/sslca/host.example.com.pem /etc/ipsec.d
$ cp /var/sslca/demoCA/cacert.pem /etc/ipsec.d/cacerts
$ openssl ca -gencrl -out /etc/ipsec.d/crls/crl.pem
NOTE: If you've already got your gateway configured, please be sure that you have either removed the password from your private key, or set the password in ipsec.secrets. The error message that is returned if you haven't configured this properly isn't all that helpful.
Configuring FreeS/WAN on the Gateway Machine
1) Configure ipsec.secrets:
/etc/ipsec.secrets should contain the following (if you are running FreeS/WAN older than 1.96, check the warning below!):
: RSA host.example.com.key "password"
The password above should be the password you entered while generating the SSL certificate.
Also note that if you are running a version of FreeS/WAN older than 1.96, the syntax used above will not work -- you will need to use fswcert to extract your private key to the ipsec.secrets file.
2) Configuring ipsec.conf
/etc/ipsec.conf should look something like the configuration below (note that the indentation is important; without it, FreeS/WAN will fail):
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=(your_subnet)/(your_netmask)
    also=roadwarrior

conn roadwarrior
    right=%any
    left=%defaultroute
    leftcert=host.example.com.pem
    auto=add
    pfs=yes
This configuration will set things up so anyone with a valid certificate will be able to connect to your host. There are two connection profiles: one for a connection directly to the gateway, and one for the client to connect to the network behind the gateway.
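Since a lost indent or a misspelled 'also=' target produces confusing failures rather than a clear error, here is a small lint for ipsec.conf files in this format. It is an added example, not code from the original page or from the FreeS/WAN project: it reports any non-blank, non-comment line that is not indented under a 'config' or 'conn' section, and any 'also=' that names a conn which is never defined (a conn may be defined later in the file, as 'roadwarrior' is above). The two configuration files it is run against are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): lint a FreeS/WAN-style
# ipsec.conf for the two mistakes that silently break the configurations
# in this document: unindented parameter lines and dangling also= references.
check_ipsec_conf() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }          # blank lines and comments
        /^(config|conn)[ \t]+[^ \t]+/ {             # section header: remember its name
            defined[$2] = 1; next
        }
        /^[^ \t]/ {                                 # unindented line: belongs to no section
            printf "line %d: \"%s\" is not indented, so it belongs to no section\n", NR, $0
            bad = 1; next
        }
        /^[ \t]+also=/ {                            # record also= references for the END check
            sub(/^[ \t]+also=/, ""); sub(/[ \t]+$/, "")
            refs[$0] = NR; next
        }
        END {
            for (r in refs)
                if (!(r in defined)) {
                    printf "line %d: also=%s refers to a conn that is never defined\n", refs[r], r
                    bad = 1
                }
            exit bad + 0
        }' "$1"
}

# Constructed sample configurations (not the page's real files).
write_sample_configs() {
    printf '%s\n' \
        'config setup' \
        '    interfaces=%defaultroute' \
        '' \
        'conn roadwarrior-net' \
        '    leftsubnet=192.168.1.0/24' \
        '    also=roadwarrior' \
        '' \
        'conn roadwarrior' \
        '    right=%any' \
        '    left=%defaultroute' \
        '    leftcert=host.example.com.pem' \
        '    auto=add' > "$1/good.conf"
    printf '%s\n' \
        'conn roadwarrior-net' \
        'leftsubnet=192.168.1.0/24' \
        '    also=roadwarriorr' > "$1/bad.conf"
}

# Stand-alone demonstration: good.conf passes silently, bad.conf gets two reports.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
check_ipsec_conf "$demo_dir/good.conf" && echo "good.conf: ok"
check_ipsec_conf "$demo_dir/bad.conf" || echo "bad.conf: problems found"
rm -rf "$demo_dir"
```

Run check_ipsec_conf /etc/ipsec.conf on the gateway and on each Linux client before 'ipsec auto --up'; it exits non-zero when it finds something, so it fits in a pre-start script.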
Client Setup: FreeS/WAN
1) Follow the steps under 'Generating a Certificate' to create a new certificate for the client machine, modifying file names and such as needed. (We will refer to the files for this client as 'clienthost.example.com'.)
2) Copy the following files (in a secure fashion) over to your client:
host.example.com.pem (your gateway's certificate file)
clienthost.example.com.key
clienthost.example.com.pem
cacert.pem
crl.pem
3) Copy the files into their proper locations:
$ cp clienthost.example.com.key /etc/ipsec.d/private
$ cp clienthost.example.com.pem /etc/ipsec.d
$ cp host.example.com.pem /etc/ipsec.d
$ cp crl.pem /etc/ipsec.d/crls
$ cp cacert.pem /etc/ipsec.d/cacerts/cacert.pem
4) Configure ipsec:
ipsec.secrets:
: RSA clienthost.example.com.key "password"
ipsec.conf:
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=(your_subnet)/(your_netmask)
    also=roadwarrior

conn roadwarrior
    left=(ip.of.host)
    leftcert=host.example.com.pem
    right=%defaultroute
    rightcert=clienthost.example.com.pem
    auto=add
    pfs=yes
5) Start the VPN link, and make sure everything works:
$ ipsec auto --up roadwarrior
$ ipsec auto --up roadwarrior-net
6) If you would like to have the links start automatically, change 'auto=add' to 'auto=start'.
Client Setup: Windows 2000/XP
NOTE: If you have previously installed SSH Sentinel, and want to use the built-in Windows IPSec stack, you will need to uninstall (or disable) SSH Sentinel, and enable the 'ipsec' service. I know this has tripped a few people up. This also applies to any other IPSec client you may have installed - you *need* to make sure it's disabled before trying to use the built-in IPSec service.
NOTE #2: The HTML guy at my previous employer went through and made screenshots of the process of importing a certificate. These screenshots are available at http://support.real-time.com/open-source/ipsec/index.html. Please do NOT e-mail Real Time with any questions related to this; I no longer work there, and don't want them to get a flood of questions about this.
1) Create the certificate, again following the steps under 'Generating a Certificate'. We'll assume that you call the Windows 2000 certificate 'winhost.example.com'.
2) From this certificate, export a .p12 file for the Windows machine. To do this:
$ openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12
NOTE: I've had a note that you may also need to add the '-name friendly_name' option to the above command to get some versions of Windows to correctly read the cert.
Also run the following, and make a note of its output:
$ openssl x509 -in demoCA/cacert.pem -noout -subject
You will need this for your VPN configuration.
3) Copy this file over to the Windows machine in a secure fashion, such as 'scp' or with a floppy disk. Don't use FTP!
4) Unzip Marcus Müller's ipsec.exe utility to some directory on your Windows machine (I generally use c:\ipsec)
5) Create an IPSec + Certificates MMC
Start/Run/MMC
File (or Console) - Add/Remove Snap-in
Click on 'Add'
Click on 'Certificates', then 'Add'
Select 'Computer Account', and 'Next'.
Select 'Local computer', and 'Finish'.
Click on 'IP Security Policy Management', and 'Add'.
Select 'Local Computer', and 'Finish'
Click 'Close' then 'OK'
6) Add the certificate
Click the plus arrow by 'Certificates (Local Computer)'
Right-click 'Personal', and click 'All Tasks' then 'Import'
Click Next
Type in the path to the .p12 file (or browse and select the file), and click 'Next'
Type the export password, and click Next
Select 'Automatically select the certificate store based on the type of certificate', and click Next
Click Finish, and say yes to any prompts that pop up
Exit the MMC, and save it as a file so you don't have to re-add the Snap Ins each time
7) Set up the IPSec utility
Install ipsecpol.exe (Windows 2000) or ipseccmd.exe (Windows XP) as described in the documentation for the ipsec utility
Edit your ipsec.conf (on the Windows machine), replacing the "RightCA" value with the output of 'openssl x509 -in demoCA/cacert.pem -noout -subject', reformatted as in the example below: change each '/' to a comma, and rename some of the fields (ST becomes S, and emailAddress becomes Email).
conn roadwarrior
    left=%any
    right=(ip_of_remote_system)
    rightca="C=US,S=State,L=City,O=ExampleCo,CN=CA,Email=host@example.com"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right=(ip_of_remote_system)
    rightsubnet=(your_subnet)/(your_netmask)
    rightca="C=US,S=State,L=City,O=ExampleCo,CN=CA,Email=host@example.com"
    network=auto
    auto=start
    pfs=yes
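The reformatting of the CA subject in step 7 (and the note in step 2 to record the output of 'openssl x509 -noout -subject') is mechanical, and getting it slightly wrong is the usual cause of the 'Negotiating IP Security' stall described under common errors. The following shell function is an added example, not code from the original page or from the ipsec.exe tool: it turns the subject line into the rightca= value, replacing slashes with commas and renaming ST to S and emailAddress to Email. It assumes no DN value itself contains '/' or ',' (the page already tells you to keep special characters out of the DN). The sample subject is constructed from the CA created in the 'Setting up a Certificate Authority' section, whose e-mail address was ca@example.com; the second sample is the same DN in the format newer OpenSSL releases print, which the function also handles.

```shell
#!/bin/sh
# Added example (not from the original page): convert the subject printed by
#   openssl x509 -in demoCA/cacert.pem -noout -subject
# into the rightca= value expected in the Windows ipsec.conf:
# '/' separators become ',', ST becomes S, emailAddress becomes Email.
# Assumes no DN value contains '/' or ','.
subject_to_rightca() {
    printf '%s\n' "$1" |
    sed -e 's/^subject= *//'          \
        -e 's/^\///'                  \
        -e 's/\//,/g'                 \
        -e 's/ *= */=/g'              \
        -e 's/, */,/g'                \
        -e 's/^ST=/S=/'               \
        -e 's/,ST=/,S=/g'             \
        -e 's/^emailAddress=/Email=/' \
        -e 's/,emailAddress=/,Email=/g'
}

# Emit the complete, indented rightca= line ready to paste into a conn section.
rightca_line() {
    printf '    rightca="%s"\n' "$(subject_to_rightca "$1")"
}

# Constructed sample: what OpenSSL of the FreeS/WAN era prints for the CA
# created earlier on this page.
SAMPLE_SUBJECT='subject= /C=US/ST=State/L=City/O=ExampleCo/CN=CA/emailAddress=ca@example.com'
# Newer OpenSSL releases print the same DN in this form instead.
SAMPLE_SUBJECT_NEW='subject=C = US, ST = State, L = City, O = ExampleCo, CN = CA, emailAddress = ca@example.com'

# Stand-alone demonstration: both forms yield the same rightca= line.
rightca_line "$SAMPLE_SUBJECT"
rightca_line "$SAMPLE_SUBJECT_NEW"
```

Typical use on the CA box is rightca_line "$(openssl x509 -in demoCA/cacert.pem -noout -subject)", pasting the result into both the roadwarrior and roadwarrior-net sections; if the tunnel still stalls, compare it against the string Windows itself shows in the 'Authentication Methods' dialog, as described under common errors.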
8) Start the link
Run the command 'ipsec.exe'. Here's example output:
C:\ipsec>ipsec
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Host name is: (local_hostname)
No RAS connections found.
LAN IP address: (local_ip_address)
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
Connection roadwarrior:
MyTunnel : (local_ip_address)
MyNet : (local_ip_address)/255.255.255.255
PartnerTunnel: (ip_of_remote_system)
PartnerNet : (ip_of_remote_system)/255.255.255.255
CA (ID) : C=US,S=State,L=City,O=ExampleCo,...
PFS : y
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Activating policy...
Connection roadwarrior-net:
MyTunnel : (local_ip_address)
MyNet : (local_ip_address)/255.255.255.255
PartnerTunnel: (ip_of_remote_system)
PartnerNet : (remote_subnet)/(remote_netmask)
CA (ID) : C=US,S=State,L=City,O=ExampleCo,...
PFS : y
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Activating policy...
C:\ipsec>
Now, ping your gateway host. It should say 'Negotiating IP Security' a few times, and then give you ping responses. Note that this may take a few tries; from a T1 hitting a VPN server on a cable modem, it usually takes 3-4 pings. Do the same for the internal network on the remote end, and you should be up!
Some common errors, and resolutions for them
I've tried to make it as simple as possible to follow the above instructions, but sometimes it just doesn't quite work right. :) If you have trouble, feel free to e-mail me, or join the FreeS/WAN mailing list and ask your questions there (many times, you will get a quicker response there, as there are more people listening at any given time, and most of them are smarter than me!). But, just in case you've got one of the really common problems, here's a few problems and solutions:
1) Logging on the Windows side (helps troubleshoot certificate errors, etc)
Yes, it is actually possible to enable logging on the Windows box! To do this, follow the directions at Microsoft's Basic IPSec Troubleshooting in Windows 2000 page -- look for the section entitled 'Obtaining an Oakley Log'.
2) NAT Translation
NAT Translation causes no end of trouble for FreeS/WAN tunnels. I have no experience with setting a tunnel up with the server behind a NAT gateway, so if that's what you're trying to do, you'll need to check with the mailing list. But, I've set up a few clients behind a NAT gateway, and you can get it working fine. Here's an example error you will often get for clients behind a NAT box:
Apr 01 00:00:00 testfw Pluto[1234]: "roadwarrior-net" (client_public_ip) #1: cannot respond to IPsec SA request because no connection is known for (local_public_ip)[DSN]...(client_public_ip)[DSN]===(client_internal_ip)/32
To resolve this error, you must assign a static internal address to the client, and then create a separate connection profile for them on the Linux side, as follows (you can name these connections whatever you'd like; I generally use the hostname or something similar):
conn clientNNN
    rightcert=(filename_of_client_cert.pem)
    rightsubnet=(client_internal_ip)/32

conn clientNNN-net
    leftsubnet=(your_subnet)/(your_netmask)
    rightcert=(filename_of_client_cert.pem)
    rightsubnet=(client_internal_ip)/32
So, if your client's certificate file was 'winhost.example.com.pem' and its internal IP was 192.168.0.1, you would put:
conn host.example.com
    rightcert=winhost.example.com.pem
    rightsubnet=192.168.0.1/32

conn host.example.com-net
    leftsubnet=(your_subnet)/(your_netmask)
    rightcert=winhost.example.com.pem
    rightsubnet=192.168.0.1/32
And this should resolve the error!
Andreas Steffen (the maintainer of the X.509 patch) has added a better way to do this: as of X.509 patch v0.9.12, you can specify 'rightsubnetwithin=x/x', and it will allow any client within that range to connect. Recent versions of FreeS/WAN (and Openswan) also support NAT-Traversal, which nicely sidesteps all of these issues.
3) Pinging from the Windows side shows 'Negotiating IP Security', but the tunnel never comes up!
This is one of the most common problems people have, and is usually caused by problems with rightca= on the Windows side. To verify that you have that set properly, follow these instructions:
- Load the IPSec MMC you created earlier
- Click IP Security Policies; double-click on the FreeSwan tunnel
- Double-click roadwarrior-Host filter
- Click on the 'Authentication Methods' tab
- Click 'Add', then 'Use a certificate from this CA'
- Click Browse, find your CA
- Copy/paste the text in the grayed-out box into your ipsec.conf
In many cases, that'll clear up the issues - if it doesn't, check your log for errors.
More troubleshooting tips to come soon, assuming I get time to write them. :)
Example configuration for a wireless network
I have seen a lot of people asking how to do this configuration for a wireless network, so I figured I'd post an example of what I am using. This example is for a Linux gateway with one wired interface and one wireless interface (in my case, the wireless interface is an Ethernet card hooked up to a hub that has all my access points connected to it). I'll assume you have read everything above and have a reasonable understanding of it.
Gateway configuration file:
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-allnet
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior
    right=%any
    rightcert=workstation.example.com.pem
    left=%defaultroute
    leftcert=gateway.example.com.pem
    auto=add
    pfs=yes
Example firewall rules on the gateway side (eth0 is external, eth1 is internal):
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -A FORWARD -i ipsec+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ipsec+ -j ACCEPT
If you have trouble with ipsec+ (works fine for me with iptables 1.2.6a), you can just use ipsec0 or ipsec1 (depending on which you use).
Config file for a Linux client:
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-allnet
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior
    left=(gateway ip address)
    leftcert=gateway.example.com.pem
    right=%defaultroute
    rightcert=workstation.example.com.pem
    auto=start
    pfs=yes
Config file for a Windows client:
conn roadwarrior-allnet
    left=%any
    right=(gateway ip address)
    rightca="ca signature"
    rightsubnet=*
    network=auto
    auto=start
    pfs=yes
Let me know if the above doesn't make sense, and I'll try to help you out. :)
References
FreeS/WAN Documentation: http://www.freeswan.org
X.509 Patch Documentation: http://www.strongsec.com/freeswan
The Windows 2000 VPN Tool Documentation: http://vpn.ebootis.de
Microsoft's Basic IPSec Troubleshooting page: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257225