[Openswan Users] Looking for windows XP client
Paul Wouters
paul at xelerance.com
Thu Feb 26 00:55:10 CET 2004
On Wed, 25 Feb 2004, tvsjr wrote:
> Can you describe this configuration? I was under the impression you had to
> be running L2TP to use the native client? I'm currently using FreeS/WAN
> 2.05, but would be more than happy to transition (planning on it anyway) to
> Openswan.
This is a "standard" freeswan and client install as described in Nate Carlson's
x509 HOWTO. The only difference is that for supporting NAT I had to use separate
conns (only additions displayed here):
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,!%v4:10.0.2.0/24,%v4:193.110.157.57/32,%v4:220.220.220.0/24,%v4:192.168.2.0/24

(10.0.2.0/24 is the server's LAN range)

conn roadwarrior
    right=%any
    rightsubnet=vhost:%no,%priv
    rightrsasigkey=%cert
    left=myip
    leftnexthop=mynexthop
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/router.XXXXXX.nl.pem
    leftid="C=NL,L=Amsterdam,O=XXXXX,CN=router.XXXXX.nl, E=postmaster@XXXXX.nl"
    auto=add
    pfs=yes
    authby=rsasig

conn roadwarrior-net
    right=%any
    rightsubnetwithin=10.0.0.0/24
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/router.XXXXXX.nl.pem
    left=IP
    leftnexthop=MYNEXTHOP
    leftid="C=NL,L=Amsterdam,O=XXXXX,CN=router.XXXXXX.nl, E=postmaster@XXXXXX.nl"
    leftsubnet=10.0.2.0/24
    auto=ignore
    pfs=yes
    authby=rsasig

conn roadwarrior-net2
    right=%any
    rightsubnetwithin=192.168.0.0/16
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/router.XXXXXX.nl.pem
    left=IP
    leftnexthop=nexthop
    leftid="C=NL,L=Amsterdam,O=XXXXX,CN=router.XXXXXX.nl, E=postmaster@XXXXXX.nl"
    leftsubnet=10.0.2.0/24
    auto=add
    pfs=yes
    authby=rsasig
Note that the only differences here are the rightsubnetwithin= lines in the
different conns. I'm sure Tuomo or Andreas can optimize this configuration, but
this one is straight from a production server here. People using 10/8 and
192.168/16 behind their NAT router at home can log in to the network (except
obviously 10.0.2.0/24, which is the server LAN).
On the Windows boxes I use the vpn.ebootis.de ipsec.exe tool and the following
ipsec.conf:
conn roadwarrior
    left=%any
    right=ip
    rightca="C=NL,L=Amsterdam,O=XXXXXX,CN=XXXXXX CA, E=postmaster@XXXXXX.nl"
    auto=ignore
    pfs=yes
    network=auto

conn roadwarrior-net
    left=%any
    right=ip
    rightsubnet=10.0.2.0/24
    rightca="C=NL,L=Amsterdam,O=XXXXXX,CN=XXXXXX CA, E=postmaster@XXXXXX.nl"
    auto=start
    pfs=yes
    network=auto
Hope this helps.
Paul, who should finish writing the Quickstart for this.