[Vpn-help] FW: Connection before domain login

Greg Julius contact at outtacyte.com
Sun Dec 13 13:11:10 CST 2009


>gregmail at outtacyte.com wrote:
>> Sounds like the perfect time to steal share from Cisco.  The EasyVPN 
>> doesn't do it either.
>> 
>>  From what I gathered by reading from some Vista SDK documentation the 
>> Credential Provider acquires the credentials from the user @ Logon. 
>> 
>>  From there, I gather that the credential provider could then establish 
>> the vpn connection (Mine is straight PSK) and then any XAuth would be 
>> the credential given by the user.
>> 
>> This would allow the tunnel to be set up and then the CP could pass the 
>> credential to WinLogon finishing the logon.
>> 
>> OK.  I don't really need XAuth in my situation, just a tunnel.  Would it 
>> be possible to have a service start when the system starts and set up 
>> the tunnel before the logon was even attempted?
>> 
>> If that would be possible, then I can see pretty easily (I think) how 
>> the CP could then interact with the service to wake it up and have it do 
>> its thing.
>> 
>> humm... 
>> 
>> Since I know we can set up the tunnel using the command-line tool, 
>> couldn't I just wrap a service around that?
>> 
>
>The Shrew Soft services should be running before login. However, the UI 
>is designed to pull configuration information from within the context of 
>a user login. In other words, the program configuration is stored in the 
>HK current user branch. Even if it were possible for the UI to interact 
>with you before you are logged in (highly doubtful), the registry keys 
>that contain the site configuration wouldn't be available.
>
>-Matthew


Hi Matthew,
I'd certainly be willing to help out in this regard.  I do some programming
(.net stuff) and am currently writing a multi-threaded SFTP client (using
some purchased components - I'm not THAT up on Cryptography).

I have gotten the ipsecc command to start from the command line and am
pretty sure I could get it to work using the srvany functionality of the
admin kit.  The problem I saw is exactly what you mentioned.

My thoughts on that subject were "I wonder if there is a .dll that I could
supply all the needed info to that doesn't have any UI interface at all"

The problem I noted when I started the ipsecc command was that it opened a
small task bar icon and that's a UI element.  I would need a switch that
said "no ui at all".  I suspected that it was also storing stuff in HKCU as
well (I hadn't investigated yet).  The HKCU isn't really a problem because I
can supply a userid to the service and that would place all of the HKCU
stuff under that userid.

The second problem I thought of was how to stop things.  The service detects
the start, stop, and shutdown commands and the service would need to
communicate the stop and shutdown to the ipsecc command (short of just
aborting the thread).  So, the hoped for ".dll" would need a "StartRun" and
a "StopRun" method.

I suspect that there already exists such a .dll and so creating a service
wrapper around it shouldn't be very difficult (my ignorance may be showing
in that statement!).

Once I have a service that can read its configuration from "pick-a-place",
and start and stop a connection, I would have enough in place to create
something for my users that would work behind the scenes.  A small API to
the service could be created and used by an external UI (or a Credentials
Provider) to supply dynamic parameters (such as user ID and the like).

In any event, if you are willing, I'm willing to help craft such a service.


And thanks to you for creating this software in the first place!  I find
cryptography a bit challenging to understand and I'm sure glad to have
something not written by the big boys!  You (and the rest of the maillist) I
can at least talk to and get decent answers!

Blessings this holiday season,
-greg
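The service wrapper Greg sketches above (a "StartRun" that launches the command-line client before logon and a "StopRun" that shuts it down on service stop or system shutdown, with configuration read from somewhere other than HKCU), written out as an added example in C#. This is not Shrew Soft code and not part of the original thread: the registry key `HKLM\SOFTWARE\ExampleOrg\PreLogonVpn` and its `ClientPath`/`SiteName` values are invented for the example, and the `-r <site> -a` switches are assumed from memory of the ipsecc usage text and should be checked against the client's own usage output. The site itself still has to be configured in the profile of the account the service runs as, which is the HKCU limitation Matthew describes.

```csharp
using System;
using System.Diagnostics;
using System.ServiceProcess;
using Microsoft.Win32;

// Hypothetical pre-logon VPN service wrapping the Shrew Soft command-line client.
// Settings live under HKLM so they are readable before any user logs on; the key
// should be ACL'd to SYSTEM/Administrators only, and no credential is ever placed
// on the command line (a credential provider would hand it over later, not here).
public class PreLogonVpnService : ServiceBase
{
    const string ConfigKey = @"SOFTWARE\ExampleOrg\PreLogonVpn";  // assumed key, not a Shrew Soft key
    Process client;

    public PreLogonVpnService() { ServiceName = "PreLogonVpn"; CanShutdown = true; }

    // "StartRun": read the machine-wide config and launch ipsecc without a console window.
    protected override void OnStart(string[] args)
    {
        using (var key = Registry.LocalMachine.OpenSubKey(ConfigKey))
        {
            if (key == null) throw new InvalidOperationException("missing HKLM\\" + ConfigKey);
            var exe  = (string)key.GetValue("ClientPath");   // e.g. ...\ShrewSoft\VPN Client\ipsecc.exe (assumed value)
            var site = (string)key.GetValue("SiteName");
            var p = new Process();
            p.StartInfo.FileName = exe;
            p.StartInfo.Arguments = "-r \"" + site + "\" -a";  // assumed switches: select site, auto-connect
            p.StartInfo.UseShellExecute = false;
            p.StartInfo.CreateNoWindow = true;
            p.EnableRaisingEvents = true;
            // Record unexpected exits so an operator can see the tunnel dropped before logon.
            p.Exited += (s, e) => EventLog.WriteEntry("VPN client exited with code " + p.ExitCode);
            p.Start();
            client = p;
        }
    }

    // "StopRun": ask the client to close, then force it only if it ignores the request.
    protected override void OnStop()
    {
        var p = client;
        if (p == null || p.HasExited) return;
        p.CloseMainWindow();                      // polite request first
        if (!p.WaitForExit(5000)) p.Kill();       // escalate after 5 s
        p.Dispose();
        client = null;
    }

    protected override void OnShutdown() { OnStop(); }   // system shutdown tears the tunnel down the same way

    public static void Main() { ServiceBase.Run(new PreLogonVpnService()); }
}
```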