Ihsan,<br><br>I really appreciate your comments and help. Thank you.<br><br>The reason that I want to go with a Linux solution is that as a company, we are moving towards to an open source OS. <br>I already have W2K3 VPN server at my network and it works fine. I want to test Linux solutions and hopefully migrate our VPN connection to Linux environment eventually.
<br><br>If I don't like using Linux VPN solutions, I will probably go with W2K3 VPN server and make remote Linux clients reach the W2K3 Server by using x509 certificates.<br><br>Again, thank you for your time and comments.
<br><br>Have a good day.<br><br>Best Regards,<br><br>Can Akalin<br><br><br><br><div><span class="gmail_quote">On 6/2/06, <b class="gmail_sendername"><a href="mailto:ihsanturkmen@hedefalliance.com.tr">ihsanturkmen@hedefalliance.com.tr
</a></b> <<a href="mailto:ihsanturkmen@hedefalliance.com.tr">ihsanturkmen@hedefalliance.com.tr</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<br><font face="sans-serif" size="2">Can..</font>
<br>
<br><font face="sans-serif" size="2">Now , I see what you need. You want
anybody outside the corporate network be able to work as if he/she is within
the corporate intranet in a secure manner . Though , it is also possible
to do it with Linux , I do not suggest you use it as a platform for
X509 implemantation, because it's managment is a little bit difficult.</font>
<br>
<br><font face="sans-serif" size="2">The best way of doing it (from my long-term
experience) is to configure a Microsoft 2003 server with latest patches
and service packs with MsVPN service. This will serve as a VPN server,
and allow any L2TP client coming from outside world . Server needs only
one network interface, and a private address, but you need to reserve a
public address and nat it to these VPN server on the firewall. </font>
<br>
<br><font face="sans-serif" size="2">You have two choice.. </font>
<br><font face="sans-serif" size="2">1 ) You can either join resources to
the domain , and gain manegment flexibility,</font>
<br><font face="sans-serif" size="2">2) or you keep away from domain
and design a simple structure .</font>
<br>
<br><font face="sans-serif" size="2">If you keep away from active directory
domain structure ,you need only one server with one network interface on
which you will host VPN and CA services . You will configure Ms RAS server
as and L2TP server, and install CA server service to generate X509 certificates.
Root CA Certificate , and Computer certificates signed by this CA
server will be deployed to each vpn client. After all this tasks are completed,
you need to add a pair of registry entries both to your VPN server, and
vpn clients if your clients are Windows XP with sp2 .This registry values
will make you capable of establishing L2TP/IPSec connections even if both
the server and the clients are behind a nat device.</font>
<br>
<br><font face="sans-serif" size="2">[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]</font>
<br><font face="sans-serif" size="2">"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002</font>
<br>
<br><font face="sans-serif" size="2">[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]</font>
<br><font face="sans-serif" size="2">"NegotiateDH2048"=dword:00000001</font>
<br><font face="sans-serif" size="2">"DisableSavePassword"=dword:00000001</font>
<br><font face="sans-serif" size="2"> </font>
<br><font face="sans-serif" size="2">If you use an active directory domain
as an alternative , you can (if you like) seperate CA and VPN server. and
you don't have to use a x509 certificate for the l2lt/ipsec clients which
are alread a memeber of the domain. Kerbereos authentication between server
and client eliminates the need of use a certificate, but you can still
use install a CA server for the clients which are not a memeber of the
domain.</font>
<br>
<br><font face="sans-serif" size="2">Now, the most important question is
here.. Why did we use a Windows2003 server for a vpn solution.? </font>
<br>
<br><font face="sans-serif" size="2">The answer is as follows ;</font>
<br><font face="sans-serif" size="2">1. Users can assign their own passwords
on their own without the administrators intervention. </font>
<br><font face="sans-serif" size="2">2. You can set password expiry periods
to tighten security. Linux l2tpd deamon does not have this feature. Administrators
can read users passwords,and passwords are clear text.</font>
<br><font face="sans-serif" size="2">3.Certificate generation and deployment
can be automated with policies (in a domian enviroment) , and no administrator
intervention needed here too, because CA server has a web interface. Authernticated
users on the web server, get their own certificates if you granted them
to do it.</font>
<br>
<br><font face="sans-serif" size="2">You can use linux clients to get connected
to your corporate nework too, if you use X509 certificates generated
by this authority. I don't have much experience on such an implementation.
</font>
</div><div><span class="q"><br>
<br>
<br>
<br>
<br><font face="sans-serif" size="2">İhsan Türkmen<br>
Hedef Alliance Holding A.Ş.<br>
Bilgi Sistemleri Direktörlüğü<br>
<br>
Namık Kemal Cad. Göztepe Mah.<br>
Karanfil Sok. No: 62<br>
34550 Bağcılar / İstanbul/TR<br>
Tel : +90 (212) 445 50 95<br>
Fax: +90 (212) 445 97 54<br>
</font>
<br>
<br>
<br>
</span></div><div><table width="100%">
<tbody><tr valign="top">
<td width="40%"><div><span class="q"><font face="sans-serif" size="1"><b>"Can Akalin"
<<a href="mailto:canakalin77@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">canakalin77@gmail.com</a>></b> </font>
</span></div><div><p><font face="sans-serif" size="1">02.06.2006 18:10</font>
</p></div></td><td width="59%">
<table width="100%">
<tbody><tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">To</font></div>
</td><td><font face="sans-serif" size="1">"<a href="mailto:ihsanturkmen@hedefalliance.com.tr" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">ihsanturkmen@hedefalliance.com.tr</a>"
<<a href="mailto:ihsanturkmen@hedefalliance.com.tr" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">ihsanturkmen@hedefalliance.com.tr</a>>, <a href="mailto:users@openswan.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
users@openswan.org</a></font>
</td></tr><tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">cc</font></div>
</td><td>
<br></td></tr><tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">Subject</font></div>
</td><td><font face="sans-serif" size="1">Re: [Openswan Users] A quick question</font></td></tr></tbody></table>
<br>
<table>
<tbody><tr valign="top">
<td>
<br></td><td><br></td></tr></tbody></table>
<br></td></tr></tbody></table></div><div><span class="e" id="q_10b959ee3ccc11ba_5">
<br>
<br>
<br><font size="3">Thank you for the quick reply Ihsan, :)<br>
<br>
I think it would be better to tell what I want to do. <br>
<br>
I have a company network behind a firewall router. We have servers and
employees at different physical locations and sometimes these servers and
employees will need to reach the internal company network. <br>
<br>
I want to establish a host-to-network type VPN connection with x509 certificates
so that employees and servers can reach the company resources securely.
<br>
<br>
I have a DHCP Server and different data and file servers in the company
network. I will also have a linux machine in the network (Suse SLES 9 with
SP3 Kernel 2.6.5-7.257.smp - the latest available to the Suse SLES 9 -
) that holds the Openswan. This linux machine is also a CA.<br>
<br>
Now, for the test purposes, I built a linux desktop PC with the above mentioned
features and put it in the company LAN. No DHCP Server is set on this test
machine. This PC has just one Ethernet NIC card. I intend to use
this PC as a VPN server for now. <br>
<br>
Would it be possible to make a host-to-network connection with this configuration?
<br>
<br>
Can anybody give me a clear direction to do this host-to-network VPN connection
with x509 certificates? <br>
<br>
PS: I followed the instructions at </font><a href="http://www.natecarlson.com/linux/ipsec-x509.php" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font color="blue" size="3"><u>Nate
Carlson's</u></font></a><font size="3"> web page but I couldn't manage to
make the connection. :(<br>
<br>
Thank you all <br>
<br>
Can Akalin<br>
<br>
<br>
</font>
<br><font size="3">On 6/2/06, </font><a href="mailto:ihsanturkmen@hedefalliance.com.tr" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font color="blue" size="3"><b><u>ihsanturkmen@hedefalliance.com.tr
</u></b></font></a><font size="3">
<</font><a href="mailto:ihsanturkmen@hedefalliance.com.tr" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font color="blue" size="3"><u>
ihsanturkmen@hedefalliance.com.tr</u></font></a><font size="3">> wrote:
</font>
<br><font face="sans-serif" size="2"><br>
Hi..</font><font size="3"> </font><font face="sans-serif" size="2"><br>
There are two VPN types. One is transport mode (host-to-host) and the other
is tunnel mode (network-to-network) . If you want to make a network-to-network
VPN , you need two network interfaces on each side , one for
external network and the other for the internal network.Interfaces do not
have to be ethernet, any other type of interface wellcomes. .,You don't
have to have a public ip address either . It is not a must.</font><font size="3">
<br>
</font><font face="sans-serif" size="2"><br>
If you need to make a host-to-host VPN, you don't need two network interfaces.</font><font size="3">
<br>
<br>
</font><font face="sans-serif" size="2"><br>
İhsan Türkmen<br>
Hedef Alliance Holding A.Ş.<br>
Bilgi Sistemleri Direktörlüğü<br>
<br>
Namık Kemal Cad. Göztepe Mah.<br>
Karanfil Sok. No: 62<br>
34550 Bağcılar / İstanbul/TR<br>
Tel : +90 (212) 445 50 95<br>
Fax: +90 (212) 445 97 54</font><font size="3"><br>
<br>
<br>
</font>
<table width="100%">
<tbody><tr valign="top">
<td width="52%"><font face="sans-serif" size="1"><b>"Can Akalin"
<</b></font><a href="mailto:canakalin77@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font color="blue" face="sans-serif" size="1"><b><u>canakalin77@gmail.com</u></b></font></a><font face="sans-serif" size="1">
<b>></b>
<br>
Sent by: </font><a href="mailto:users-bounces@openswan.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font color="blue" face="sans-serif" size="1"><u>users-bounces@openswan.org</u></font></a>
<font size="3">
</font>
<p><font face="sans-serif" size="1">02.06.2006 17:01</font><font size="3">
</font>
</p></td><td width="47%">
<br>
<table width="100%">
<tbody><tr valign="top">
<td width="18%">
<div align="right"><font face="sans-serif" size="1">To</font></div>
</td><td width="81%"><a href="mailto:users@openswan.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font color="blue" face="sans-serif" size="1"><u>users@openswan.org</u></font></a><font size="3">
</font>
</td></tr><tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">cc</font></div>
</td><td>
<br></td></tr><tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">Subject</font></div>
</td><td><font face="sans-serif" size="1">[Openswan Users] A quick question</font></td></tr></tbody></table>
<br>
<br>
<table width="100%">
<tbody><tr valign="top">
<td width="49%">
<br></td><td width="50%"><br></td></tr></tbody></table>
<br></td></tr></tbody></table>
<br><font size="3"><br>
<br>
</font>
<br><font size="3">Hello everyone,<br>
<br>
I was reading a book called "Network Administrators Survival Guide"
by Cisco Press. Over there, at the chapter "Linux based VPN",
it says that the Linux machine that holds the Openswan VPN Server should
have a 2 Ethernet NIC cards. One for publicly routed IP address and for
the private network. Is this correct? <br>
<br>
I have a computer in my private network and it has one NIC card. This machine
is a Linux machine, behind a firewall router and has Openswan 2.4.5. So,
can't I use this Linux machine as a VPN Server?<br>
<br>
One other question is that when I make a host-to-server connection from
remote, What IP address the remote host will take? Is there supposed to
be a DHCP server in the private network where the Openswan Server resides,
or perhaps in the machine that holds Openswan VPN server? <br>
<br>
Thank you.<br>
<br>
-- </font>
<br><font size="3">Can Akalin </font><font size="2"><tt>_______________________________________________</tt></font><font color="blue" size="2"><tt><u><br>
</u></tt></font><a href="mailto:Users@openswan.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font color="blue" size="2"><tt><u>Users@openswan.org</u></tt></font></a><font color="blue" size="2">
<tt><u><br>
</u></tt></font><a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font color="blue" size="2"><tt><u>http://lists.openswan.org/mailman/listinfo/users
</u></tt></font></a><font size="2"><tt><br>
Building and Integrating Virtual Private Networks with Openswan: </tt></font><font color="blue" size="2"><tt><u><br>
</u></tt></font><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><font color="blue" size="2"><tt><u>http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
</u></tt></font></a><font size="3"><br>
</font>
<br><font size="3"><tt>Bu e-posta ve eklerinde verilen bilgiler kisiye ozel
ve gizli olup,yalnizca mesajda belirlenen alici ile ilgilidir.<br>
Bu mesajda bulunan tum fikir,gorus ve ekindeki dosyalar sadece adres sahibine
ait olup,Hedef Alliance Holding <br>
<br>
A.S. ve/veya istirakleri hic bir sekilde sorumlu tutulamaz. Sirketimiz
mesajin ve bilgilerin size degisiklige ugrayarak veya gec ulasmasindan,butunlugunun
ve gizliliginin korunamamasindan,virus icermesinden ve bilgisayar sisteminize
verebilecegi herhangi bir zarardan sorumlu tutulamaz.<br>
<br>
<br>
<br>
This message and attachments are confidential and intended solely for the
individual(s) stated in this message. This email is not intended to impose
nor shall it be construed as imposing any legally binding obligation upon
Hedef Alliance Holding <br>
<br>
A.S. and/or any of its subsidiaries or associated companies. Our company
shall have no liability for any changes or late receiving,loss of integrity
and confidentiality,viruses and any damages caused in anyway to your computer
system.<br>
</tt></font>
<br><font size="3"><br>
<br>
<br>
-- <br>
Can Akalin </font>
<br><pre>Bu e-posta ve eklerinde verilen bilgiler kisiye ozel ve gizli olup,yalnizca mesajda belirlenen alici ile ilgilidir.<br>Bu mesajda bulunan tum fikir,gorus ve ekindeki dosyalar sadece adres sahibine ait olup,Hedef Alliance Holding
A.S. ve/veya istirakleri hic bir sekilde sorumlu tutulamaz. Sirketimiz mesajin ve bilgilerin size degisiklige ugrayarak veya gec ulasmasindan,butunlugunun ve gizliliginin korunamamasindan,virus icermesinden ve bilgisayar sisteminize verebilecegi herhangi bir zarardan sorumlu tutulamaz.
<br><br>This message and attachments are confidential and intended solely for the individual(s) stated in this message. This email is not intended to impose nor shall it be construed as imposing any legally binding obligation upon Hedef Alliance Holding
A.S. and/or any of its subsidiaries or associated companies. Our company shall have no liability for any changes or late receiving,loss of integrity and confidentiality,viruses and any damages caused in anyway to your computer system.
</pre></span></div></blockquote></div><br><br clear="all"><br>-- <br>Can Akalin