[Openswan Users] general questions

Scott Spyrison sspyrison at nl.edu
Sun Feb 29 10:22:19 CET 2004


Hi,

I have some general questions about whether or not openswan is what I
should be looking at, or if what I want to do is even possible. I'm
hoping someone on the list has prior experience with this situation or a
better understanding of all this than I do.

I run Linux on my laptop at work.  At home, I have a cheap DLink access
point that turns my DSL into as many NAT'd connections as I need.  I
didn't buy it for that, though, I bought it to be a wireless AP and
ended up using all its features.  So, when I bring the laptop home I
receive a private IP via DHCP from this access point, which falls in the
192.168.0.x range.  The AP itself is connected to a DSL modem which is
assigned a dynamic external IP from my ISP (earthlink).  I believe this
makes me something of a 'roadwarrior' with respect to all this?

At work, I was just told I now have a 'VPN account,' and that's where
all the above comes into play.  At work, they use Checkpoint NG for a
firewall, and they used its VPN features to give me this 'VPN account.'
I was given a Windows client (Checkpoint SecureClient) and told my VPN
server was vpn.foo.com and to log on using my Windows domain username and
password.  I believe they have it configured to authenticate against the
Microsoft AD.  vpn.foo.com has an external IP and behind it is one
protected subnet, to be accessible via the VPN.

I did try the Windows client on a spare box, because I was not sure if
it would handle my NAT address either.  It did though, and seems to work
pretty well.  Problem is, I don't run Windows at all on my laptop (2.6
kernel, gentoo at the moment) and seeing it work under Windows only
hardened my determination to get it working under Linux :)

I have done quite a bit of reading this weekend with respect to all
this, but things are honestly still a little spotty for me.  I found a
thread on the freeswan users mailing list that seemed to imply I needed
XAUTH in order to do the authentication.  It also implied that XAUTH was
already patched into the super-freeswan/openswan releases and was not
present in base freeswan.

Another thread implied that NAT-T (NAT Traversal) is what I need for
that other part of my question.  It seemed to imply that it was disabled
by default in super-freeswan releases and needed to be enabled in
Makefiles via cflags.  Is this still true for openswan?  I did not see
the same documentation (READMEs) in openswan as I did in
super-freeswan.  Again, I am under the impression this is not present at
all in base freeswan (unless the source is patched, which I believe is
what openswan has already done).

So, I guess my fundamental question is...given this scenario is it
possible using openswan, or am I way off track?  I think what I want to
do looks like this:

internal address of laptop->internal address of AP->external address on
DSL modem->external address of fw->address on protected subnet

Maybe one or more of those hops are not necessary with respect to
ipsec.conf, not sure yet.  Any advice, comments, suggestions are very
much welcomed...

Best Regards,
Scott Spyrison
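As an added sketch, not taken from the post or from the Openswan project's own documentation: an ipsec.conf of the shape the post describes, a NAT'd roadwarrior with NAT-T enabled and XAUTH client authentication layered on IKE. The keyword names are Openswan 2.x as I recall them; the group id, the 10.1.0.0/16 protected subnet and the pre-shared key are placeholders, and whether Checkpoint NG accepts this particular proposal is not something the post establishes.

```ini
# /etc/ipsec.conf (added example; values marked PLACEHOLDER are made up)
version 2.0

config setup
    interfaces=%defaultroute
    # NAT-T: wrap ESP in UDP/4500 so the DLink AP's NAT can forward it
    nat_traversal=yes
    # private ranges the laptop may sit behind (192.168.0.x at home)
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn work-vpn
    type=tunnel
    # the laptop: whatever address DHCP handed it behind the AP
    left=%defaultroute
    # group identity for the shared-secret IKE phase 1 (PLACEHOLDER)
    leftid=@PLACEHOLDER-group-id
    # XAUTH: the per-user (Windows domain) login on top of IKE
    leftxauthclient=yes
    # the Checkpoint firewall's external address
    right=vpn.foo.com
    rightxauthserver=yes
    # the one protected subnet behind the firewall (PLACEHOLDER)
    rightsubnet=10.1.0.0/16
    authby=secret
    auto=add

# /etc/ipsec.secrets (same file layout, shown here for completeness)
# : PSK "PLACEHOLDER-group-secret"
```

Bringing the tunnel up with `ipsec auto --up work-vpn` should then prompt for the XAUTH username and password, so the domain credentials never need to be written into a file.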
