[Openswan Users] FreeSWAN, Wireless Windows 98/ME/2K/XP RoadWarriors, DHCP over IPsec - overview

Jeannot Langlois jlanglois at actares.com
Mon Jun 7 10:26:58 CEST 2004


Hello guys,


I am trying to evaluate the required work/effort to perform a 
RoadWarrior-to-SUBNET setup.

I'd like to build up numerous IPsec tunnels from one LINUX gateway 
running FreeSWAN (2.05) and kernel 2.4.X to various Windows 98/ME/2K/XP 
RoadWarriors.  The IPsec tunnels will be required as the LAN is actually 
an untrusted wireless 802.11b network.  The LINUX gateway running 
FreeSWAN MUST be able to take the tunnels up/down automatically as the 
IP address leases that WIFI clients request are issued/revoked using 
DHCP over IPsec.


The setup would look like this:


   (ethernet interface)
      [INTERNET SIDE]
    ==================
         FREESWAN
          LINUX
         GATEWAY
    ==================
        [LAN SIDE]
     (wifi interface)
         / | | | \
        /  | | |  \
       /   | | |   \
      /    | | |    \           

     A     B C D     E


A, B, C, D and E are all Windows-based clients (running either 98, ME, 
2K or XP) using 802.11b wireless cards (actually there will be more 
clients, but this is just a basic example).

Let's suppose the LAN uses the 10.1.1.0/24 subnet address space.
There would be NO NAT, as everything would happen within the same 
10.1.1.0/24 subnet.
I'd like the RoadWarriors NOT to be able to see each other, but just the 
gateway, so they can access the internet using secure tunnels.  In this 
case, we consider the INTERNET side to be trusted (I know this might 
sound funny but... :)), so the tunnel ends on the FREESWAN GATEWAY's LAN 
SIDE, and firewall rules on the FREESWAN GATEWAY should not interfere 
with FREESWAN.
A DNS server listening on the wifi interface on the FREESWAN GATEWAY 
will be offering DNS services to the Windows RoadWarriors.


So far I have only established SUBNET-to-SUBNET tunnels in all the 
FreeSWAN experiments I have been attempting to this day.

As this is the first time I am attempting such a RoadWarrior-SUBNET 
setup with FreeSWAN (and I am just starting to read basic/advanced tips 
on the freeswan.ca documentation), I was wondering about the Windows 
side's configuration, and feasibility.

According to the interoperability summary I've seen on the freeswan.ca 
site, I believe that RSA keys are NOT possible in the Windows 2K/XP case 
and ONLY the same Pre-Shared Key can be used by all the Windows 
clients?  Is this right?  What about Windows 98 and ME ?

As the windows clients have to emulate some kind of IPsec router, I 
believe that they have to be running some sort of IPsec VPN client 
software (the Nortel IPsec VPN client comes to mind, or would any other 
IPsec-style client do the job)?  Is this assumption correct?

Is this VPN client software required on ALL the different RoadWarriors 
Windows platforms:  98, ME, 2K, XP ?

Most importantly, are there any OpenSource versions of this client 
software available for these Windows versions?  We wouldn't like to buy 
licenses just for experiments...

I've heard that Windows 2K and XP do NOT need such client software, as 
they integrate IPsec functionality already.  Is that true?

The IP addresses will be allocated dynamically to the Windows 
RoadWarriors using a DHCP daemon listening on the FREESWAN GATEWAY's LAN 
interface.  I've seen many people asking for advice about DHCP over 
IPsec.  Is that really a problem?  If yes, what can be done about it?

Thanks in advance for your help.

Answers and/or pointers to pertinent FreeSWAN documentation will be 
greatly appreciated,

-- 
Jeannot Langlois
Programmeur-Analyste / Software Developer
Administrateur Systeme/Reseau / System/Network Administrator
jlanglois AT actares DOT com


http://www.actares.com


